rpms/selinux-policy/devel modules-targeted.conf, 1.93, 1.94 policy-20080710.patch, 1.20, 1.21 selinux-policy.spec, 1.699, 1.700

Daniel J Walsh dwalsh at fedoraproject.org
Fri Aug 29 18:59:29 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28185

Modified Files:
	modules-targeted.conf policy-20080710.patch 
	selinux-policy.spec 
Log Message:
* Tue Aug 26 2008 Dan Walsh <dwalsh at redhat.com> 3.5.5-2
- Update to upstream
- Fix crontab use by unconfined user



Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.93
retrieving revision 1.94
diff -u -r1.93 -r1.94
--- modules-targeted.conf	11 Aug 2008 21:19:25 -0000	1.93
+++ modules-targeted.conf	29 Aug 2008 18:58:58 -0000	1.94
@@ -1681,4 +1681,4 @@
 #
 # Snort network intrusion detection system
 # 
-snort = base
+snort = module
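Review bot: Moving snort from `base` to `module` takes the snort domain and its file contexts out of the monolithic base policy, so any host that does not install the loadable snort module loses them; the log message at the top of this commit does not mention the move at all. If the spec enumerates base modules explicitly in %files or %post (not visible in the spec hunk here), it needs the matching update. Suggest a changelog line such as `- Build snort as a loadable module instead of in base` so the change is discoverable.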

policy-20080710.patch:

View full diff with command:
/usr/bin/cvs -f diff  -kk -u -N -r 1.20 -r 1.21 policy-20080710.patch
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- policy-20080710.patch	26 Aug 2008 14:46:43 -0000	1.20
+++ policy-20080710.patch	29 Aug 2008 18:58:58 -0000	1.21
@@ -8170,8 +8170,8 @@
 +logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.5/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/roles/staff.te	2008-08-25 10:50:15.000000000 -0400
-@@ -8,18 +8,34 @@
++++ serefpolicy-3.5.5/policy/modules/roles/staff.te	2008-08-28 09:46:16.000000000 -0400
+@@ -8,23 +8,50 @@
  
  role staff_r;
  
@@ -8192,10 +8192,6 @@
  ')
  
  optional_policy(`
-+	cron_per_role_template(staff, staff_t, staff_r)
-+')
-+
-+optional_policy(`
 +	logadm_role_change_template(staff)
 +')
 +
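Review bot: Dropping `cron_per_role_template(staff, staff_t, staff_r)` from the Fedora patch leaves staff_t without a crontab transition unless the upstream 3.5.5 staff.te now carries that call itself; the nested hunk header moving from 18 to 23 old-side lines shows upstream grew in this region but not which lines were added, so confirm `cron_per_role_template` is present upstream before shipping. The log entry only speaks of crontab use by the unconfined user, not by staff. The optional_policy chain this sits in continues past both edges of the hunk.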
@@ -8207,7 +8203,12 @@
  	secadm_role_change_template(staff)
  ')
  
-@@ -28,3 +44,14 @@
+ optional_policy(`
++	ssh_per_role_template(staff, staff_t, staff_r)
++')
++
++optional_policy(`
+ 	sysadm_role_change_template(staff)
  	sysadm_dontaudit_use_terms(staff_t)
  ')
  
@@ -9639,7 +9640,7 @@
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.5/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/apache.if	2008-08-25 10:50:15.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/apache.if	2008-08-29 14:16:41.000000000 -0400
 @@ -13,21 +13,16 @@
  #
  template(`apache_content_template',`
@@ -10129,7 +10130,7 @@
  ')
  
  ########################################
-@@ -1098,3 +1071,144 @@
+@@ -1098,3 +1071,178 @@
  
  	allow httpd_t $1:process signal;
  ')
@@ -10274,9 +10275,43 @@
 +	allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
 +')
 +')
++
++########################################
++## <summary>
++##	Mark content as being readable by standard apache processes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++template(`apache_ro_content',`
++	gen_require(`
++		attribute httpd_ro_content;
++	')
++	typeattribute $1  httpd_ro_content;
++')
++
++########################################
++## <summary>
++##	Mark content as being read/write by standard apache processes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++template(`apache_rw_content',`
++	gen_require(`
++		attribute httpd_rw_content;
++	')
++	typeattribute $1  httpd_rw_content;
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.5/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.5/policy/modules/services/apache.te	2008-08-26 10:08:47.000000000 -0400
++++ serefpolicy-3.5.5/policy/modules/services/apache.te	2008-08-29 14:24:52.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -10322,7 +10357,7 @@
  ## </p>
  ## </desc>
  gen_tunable(httpd_can_network_connect, false)
-@@ -109,14 +125,33 @@
+@@ -109,14 +125,35 @@
  ## </desc>
  gen_tunable(httpd_unified, false)
  
@@ -10347,6 +10382,8 @@
 +## </desc>
 +gen_tunable(allow_httpd_sys_script_anon_write, false)
 +
++attribute httpd_ro_content;
++attribute httpd_rw_content;
  attribute httpdcontent;
 -attribute httpd_user_content_type;
  
@@ -10358,7 +10395,7 @@
  
  # user script domains
  attribute httpd_script_domains;
-@@ -147,6 +182,9 @@
+@@ -147,6 +184,9 @@
  type httpd_log_t;
  logging_log_file(httpd_log_t)
  
@@ -10368,17 +10405,17 @@
  # httpd_modules_t is the type given to module files (libraries) 
  # that come with Apache /etc/httpd/modules and /usr/lib/apache
  type httpd_modules_t;
-@@ -180,6 +218,9 @@
+@@ -180,6 +220,9 @@
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
-+typeattribute httpd_sys_content_t httpdcontent; # customizable
-+typeattribute httpd_sys_content_rw_t httpdcontent; # customizable
++typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
++typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
 +typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -202,12 +243,16 @@
+@@ -202,12 +245,16 @@
  	prelink_object_file(httpd_modules_t)
  ')
  
@@ -10396,7 +10433,7 @@
  dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
-@@ -249,6 +294,7 @@
+@@ -249,6 +296,7 @@
  allow httpd_t httpd_modules_t:dir list_dir_perms;
  mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -10404,7 +10441,20 @@
  
  apache_domtrans_rotatelogs(httpd_t)
  # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -289,6 +335,7 @@
+@@ -260,9 +308,9 @@
+ 
+ allow httpd_t httpd_suexec_exec_t:file { getattr read };
+ 
+-allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+-read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+-read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
++allow httpd_t httpd_ro_content:dir list_dir_perms;
++read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
++read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content)
+ 
+ manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+ manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+@@ -289,6 +337,7 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
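Review bot: Switching the read rules from `httpd_sys_content_t` to the `httpd_ro_content` attribute means what httpd_t may read is no longer enumerable from apache.te: any module can grow the set by calling `apache_ro_content()`, so an auditor has to query the attribute (`seinfo -ahttpd_ro_content -x`) instead of reading this file. That is the evident intent, but it deserves a comment on the rules, e.g. `# httpd_ro_content is open-ended: any type marked via apache_ro_content() becomes readable here`. The three rules stay read-only (list, read, read_lnk), which matches the attribute's name; the corresponding `httpd_rw_content` rules are not in this hunk, so confirm they exist in the suppressed part of the patch, otherwise `apache_rw_content()` is a marker that grants nothing. The rule block continues past both edges of the hunk.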
@@ -10412,7 +10462,7 @@
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -312,12 +359,11 @@
+@@ -312,12 +361,11 @@
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -10427,7 +10477,7 @@
  
  domain_use_interactive_fds(httpd_t)
  
[...1977 lines suppressed...]
  	gen_require(`
@@ -34134,7 +34384,7 @@
  ')
  
  ########################################
-@@ -2832,12 +2873,12 @@
+@@ -2832,12 +2874,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -34150,7 +34400,7 @@
  ')
  
  ########################################
-@@ -2869,10 +2910,10 @@
+@@ -2869,10 +2911,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -34163,7 +34413,7 @@
  ')
  
  ########################################
-@@ -2904,12 +2945,12 @@
+@@ -2904,12 +2946,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -34179,7 +34429,7 @@
  ')
  
  ########################################
-@@ -2941,11 +2982,11 @@
+@@ -2941,11 +2983,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -34193,7 +34443,7 @@
  ')
  
  ########################################
-@@ -2977,11 +3018,11 @@
+@@ -2977,11 +3019,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -34207,7 +34457,7 @@
  ')
  
  ########################################
-@@ -3013,11 +3054,11 @@
+@@ -3013,11 +3055,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -34221,7 +34471,7 @@
  ')
  
  ########################################
-@@ -3049,11 +3090,11 @@
+@@ -3049,11 +3091,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -34235,7 +34485,7 @@
  ')
  
  ########################################
-@@ -3085,11 +3126,11 @@
+@@ -3085,11 +3127,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -34249,7 +34499,7 @@
  ')
  
  ########################################
-@@ -3134,10 +3175,10 @@
+@@ -3134,10 +3176,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -34262,7 +34512,7 @@
  	files_search_tmp($2)
  ')
  
-@@ -3178,19 +3219,19 @@
+@@ -3178,19 +3220,19 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -34286,7 +34536,7 @@
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -4616,11 +4657,11 @@
+@@ -4616,11 +4658,11 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -34300,7 +34550,7 @@
  ')
  
  ########################################
-@@ -4640,6 +4681,14 @@
+@@ -4640,6 +4682,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -34315,7 +34565,7 @@
  ')
  
  ########################################
-@@ -4677,6 +4726,8 @@
+@@ -4677,6 +4727,8 @@
  	')
  
  	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -34324,7 +34574,7 @@
  ')
  
  ########################################
-@@ -4721,6 +4772,25 @@
+@@ -4721,6 +4773,25 @@
  
  ########################################
  ## <summary>
@@ -34350,7 +34600,7 @@
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4946,7 +5016,7 @@
+@@ -4946,7 +5017,7 @@
  
  ########################################
  ## <summary>
@@ -34359,7 +34609,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5318,6 +5388,42 @@
+@@ -5318,6 +5389,42 @@
  
  ########################################
  ## <summary>
@@ -34402,7 +34652,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5368,7 +5474,7 @@
+@@ -5368,7 +5475,7 @@
  		attribute userdomain;
  	')
  
@@ -34411,7 +34661,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -5483,7 +5589,7 @@
+@@ -5483,7 +5590,7 @@
  
  ########################################
  ## <summary>
@@ -34420,15 +34670,14 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5491,10 +5597,46 @@
+@@ -5491,7 +5598,43 @@
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_dbus_send_all_users',`
 +interface(`userdom_manage_all_users_keys',`
- 	gen_require(`
- 		attribute userdomain;
--		class dbus send_msg;
++	gen_require(`
++		attribute userdomain;
 +	')
 +
 +	allow $1 userdomain:key manage_key_perms;
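Review bot: `allow $1 userdomain:key manage_key_perms;` hands the caller full control of every user domain's kernel keyring — presumably write, link and setattr as well as read, if `manage_key_perms` expands as it does elsewhere in refpolicy — yet the parameter docs give no warning and the summary line is edited in a neighbouring hunk not shown here. Add a `<desc>` paragraph such as `Grants $1 full control over all users' keyrings, including writing and relinking keys; restrict callers to trusted system daemons.`, and consider a narrower read-only companion for callers that only need `{ read search view }`. This hunk otherwise only restores a proper `gen_require` block for the interface, which the previous patch revision had borrowed from `userdom_dbus_send_all_users`.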
@@ -34463,13 +34712,10 @@
 +## </param>
 +#
 +interface(`userdom_dbus_send_all_users',`
-+	gen_require(`
-+		attribute userdomain;
-+		class dbus send_msg;
- 	')
- 
- 	allow $1 userdomain:dbus send_msg;
-@@ -5513,3 +5655,506 @@
+ 	gen_require(`
+ 		attribute userdomain;
+ 		class dbus send_msg;
+@@ -5513,3 +5656,506 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.699
retrieving revision 1.700
diff -u -r1.699 -r1.700
--- selinux-policy.spec	26 Aug 2008 14:13:27 -0000	1.699
+++ selinux-policy.spec	29 Aug 2008 18:58:58 -0000	1.700
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.5
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -380,6 +380,10 @@
 %endif
 
 %changelog
+* Tue Aug 26 2008 Dan Walsh <dwalsh at redhat.com> 3.5.5-2
+- Update to upstream
+- Fix crontab use by unconfined user
+
 * Tue Aug 12 2008 Dan Walsh <dwalsh at redhat.com> 3.5.4-2
 - Allow ifconfig_t to read dhcpc_state_t
 



