rpms/selinux-policy/F-10 policy-20080710.patch,1.137,1.138

Miroslav Grepl mgrepl at fedoraproject.org
Wed Feb 18 10:00:44 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7866

Modified Files:
	policy-20080710.patch 
Log Message:
- Fix kismet policy



policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.137
retrieving revision 1.138
diff -u -r1.137 -r1.138
--- policy-20080710.patch	11 Feb 2009 10:05:32 -0000	1.137
+++ policy-20080710.patch	18 Feb 2009 10:00:43 -0000	1.138
@@ -559,10 +559,32 @@
  term_use_all_terms(consoletype_t)
  
  init_use_fds(consoletype_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.5.13/policy/modules/admin/kismet.if
+--- nsaserefpolicy/policy/modules/admin/kismet.if	2008-10-17 14:49:14.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/admin/kismet.if	2009-02-18 10:16:20.000000000 +0100
+@@ -16,6 +16,7 @@
+ 	')
+ 
+ 	domtrans_pattern($1, kismet_exec_t, kismet_t)
++	allow kismet_t $1:process signull;
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.13/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te	2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/admin/kismet.te	2009-02-10 15:07:15.000000000 +0100
-@@ -25,11 +25,13 @@
++++ serefpolicy-3.5.13/policy/modules/admin/kismet.te	2009-02-18 10:11:52.000000000 +0100
+@@ -20,16 +20,24 @@
+ type kismet_log_t;
+ logging_log_file(kismet_log_t)
+ 
++type kismet_tmpfs_t;
++files_tmpfs_file(kismet_tmpfs_t)
++
++type kismet_tmp_t;
++files_tmp_file(kismet_tmp_t)
++
+ ########################################
+ #
  # kismet local policy
  #
  
@@ -578,12 +600,19 @@
  
  manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
  allow kismet_t kismet_log_t:dir setattr;
-@@ -43,15 +45,35 @@
+@@ -43,15 +51,50 @@
  allow kismet_t kismet_var_run_t:dir manage_dir_perms;
  files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
  
 -kernel_search_debugfs(kismet_t)
--
++manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
++manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
++fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })
++
++manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
++manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
++files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
+ 
  corecmd_exec_bin(kismet_t)
 +corecmd_exec_shell(kismet_t)
 +
@@ -595,6 +624,7 @@
 +corenet_tcp_bind_all_nodes(kismet_t)
 +corenet_tcp_bind_kismet_port(kismet_t)
 +corenet_tcp_connect_kismet_port(kismet_t)
++corenet_tcp_connect_pulseaudio_port(kismet_t)
 +
 +kernel_search_debugfs(kismet_t)
 +kernel_read_system_state(kismet_t)
@@ -603,12 +633,18 @@
  
  files_read_etc_files(kismet_t)
 +files_read_usr_files(kismet_t)
++
++fs_getattr_tmpfs(kismet_t)
  
  libs_use_ld_so(kismet_t)
  libs_use_shared_libs(kismet_t)
  
  miscfiles_read_localization(kismet_t)
 +
++userdom_read_generic_user_tmpfs_files(kismet_t)
++
++sysadm_dontaudit_manage_home_files(kismet_t)
++
 +optional_policy(`
 +	dbus_system_bus_client_template(kismet, kismet_t)
 +
@@ -8689,6 +8725,7 @@
 +
 +	dontaudit $1 fusefs_t:file manage_file_perms;
 +')
+Binary files nsaserefpolicy/policy/modules/kernel/.filesystem.if.swp and serefpolicy-3.5.13/policy/modules/kernel/.filesystem.if.swp differ
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2008-10-17 14:49:14.000000000 +0200
 +++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te	2009-02-10 15:07:15.000000000 +0100
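Review bot: The added `Binary files ... .filesystem.if.swp ... differ` line records a vim swap file that was left in the serefpolicy-3.5.13 tree when the patch was regenerated. patch(1) will most likely skip it as non-hunk text, but it is noise in the patch and the swap file itself may hold unsaved edits to filesystem.if that are not reflected in the surrounding hunks. Delete the swap file from the working tree and regenerate the patch so the line disappears.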
@@ -9396,7 +9433,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.13/policy/modules/roles/sysadm.if
 --- nsaserefpolicy/policy/modules/roles/sysadm.if	2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if	2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if	2009-02-18 10:14:24.000000000 +0100
 @@ -334,10 +334,10 @@
  #
  interface(`sysadm_getattr_home_dirs',`
@@ -9537,7 +9574,7 @@
  ')
  
  ########################################
-@@ -516,13 +534,33 @@
+@@ -516,12 +534,52 @@
  #
  interface(`sysadm_dontaudit_read_home_content_files',`
  	gen_require(`
@@ -9551,7 +9588,7 @@
 +	dontaudit $1 admin_home_t:dir list_dir_perms;
 +	dontaudit $1 admin_home_t:file read_file_perms;
 +
- ')
++')
 +########################################
 +## <summary>
 +##	Do not audit attempts to read sym links in the sysadm
@@ -9572,10 +9609,29 @@
 +
 +')
 +
++######################################
++## <summary>
++##      Do not audit attempts to manage files in the sysadm
++##      home directory.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to not audit.
++##      </summary>
++## </param>
++#
++interface(`sysadm_dontaudit_manage_home_files',`
++        gen_require(`
++                type admin_home_t;
++        ')
++
++        dontaudit $1 admin_home_t:dir manage_dir_perms;
++        dontaudit $1 admin_home_t:file manage_file_perms;
++        dontaudit $1 admin_home_t:lnk_file manage_lnk_file_perms;
+ ')
  
  ########################################
- ## <summary>
-@@ -536,12 +574,12 @@
+@@ -536,12 +594,12 @@
  #
  interface(`sysadm_read_tmp_files',`
  	gen_require(`
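Review bot: The new sysadm_dontaudit_manage_home_files body is indented with spaces while the rest of sysadm.if (see `	gen_require(` and the `dontaudit $1 admin_home_t` lines earlier in this file section) uses tabs; the same applies to userdom_read_generic_user_tmpfs_files in the userdomain.if hunk at the end of this diff. The banner above the interface is also two characters shorter than the neighbouring `########################################` lines. The summary mentions files only, but the interface dontaudits dir and lnk_file manage permissions as well; I would write `##	Do not audit attempts to manage files, directories and symbolic links in the sysadm home directory.`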
@@ -11488,7 +11544,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/apache.te	2009-02-10 15:08:27.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/apache.te	2009-02-18 10:20:44.000000000 +0100
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -11715,7 +11771,8 @@
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_pam, false)
 +
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+-	auth_domtrans_chk_passwd(httpd_t)
 +	auth_domtrans_chkpwd(httpd_t)
 +')
 +
@@ -11726,13 +11783,12 @@
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
 +optional_policy(`
- tunable_policy(`allow_httpd_mod_auth_pam',`
--	auth_domtrans_chk_passwd(httpd_t)
++tunable_policy(`allow_httpd_mod_auth_pam',`
 +		samba_domtrans_winbind_helper(httpd_t)
  ')
  ')
  
-@@ -370,20 +450,69 @@
+@@ -370,20 +450,68 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
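Review bot: The winbind block at the `++tunable_policy(` line is gated on `allow_httpd_mod_auth_pam` even though the tunable declared two lines above it is `allow_httpd_mod_auth_ntlm_winbind`, so the new boolean is never consulted and the winbind helper transition is switched by the PAM boolean instead. Unless the two are meant to be coupled, which the separate gen_tunable contradicts, the line should read `	tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`. Indenting it one tab inside the optional_policy block would also match the helper line below it.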
@@ -11768,7 +11824,6 @@
 +tunable_policy(`httpd_enable_cgi && httpd_unified',`
 +
 +	allow httpd_user_script_t httpdcontent:file entrypoint;
-+ 	
 +	manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t,httpd_user_content_t)
 +        manage_files_pattern(httpd_user_script_t, httpd_user_content_t,httpd_user_content_t)
 +        manage_files_pattern(httpd_user_script_t, httpd_user_script_ra_t,httpd_user_script_ra_t)
@@ -11803,7 +11858,7 @@
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -394,20 +523,28 @@
+@@ -394,20 +522,28 @@
  	corenet_tcp_bind_ftp_port(httpd_t)
  ')
  
@@ -11836,7 +11891,7 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -441,8 +578,13 @@
+@@ -441,8 +577,13 @@
  ')
  
  optional_policy(`
@@ -11852,7 +11907,7 @@
  ')
  
  optional_policy(`
-@@ -454,18 +596,13 @@
+@@ -454,18 +595,13 @@
  ')
  
  optional_policy(`
@@ -11872,7 +11927,7 @@
  ')
  
  optional_policy(`
-@@ -475,6 +612,12 @@
+@@ -475,6 +611,12 @@
  	openca_kill(httpd_t)
  ')
  
@@ -11885,7 +11940,7 @@
  optional_policy(`
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
-@@ -482,6 +625,7 @@
+@@ -482,6 +624,7 @@
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		postgresql_tcp_connect(httpd_t)
@@ -11893,7 +11948,7 @@
  	')
  ')
  
-@@ -490,6 +634,7 @@
+@@ -490,6 +633,7 @@
  ')
  
  optional_policy(`
@@ -11901,7 +11956,7 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -519,9 +664,28 @@
+@@ -519,9 +663,28 @@
  logging_send_syslog_msg(httpd_helper_t)
  
  tunable_policy(`httpd_tty_comm',`
@@ -11930,7 +11985,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -551,22 +715,30 @@
+@@ -551,22 +714,30 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -11965,7 +12020,7 @@
  ')
  
  ########################################
-@@ -584,12 +756,14 @@
+@@ -584,12 +755,14 @@
  append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  
@@ -11981,7 +12036,7 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -597,10 +771,9 @@
+@@ -597,10 +770,9 @@
  dev_read_urand(httpd_suexec_t)
  
  fs_search_auto_mountpoints(httpd_suexec_t)
@@ -11994,7 +12049,7 @@
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -616,6 +789,7 @@
+@@ -616,6 +788,7 @@
  logging_send_syslog_msg(httpd_suexec_t)
  
  miscfiles_read_localization(httpd_suexec_t)
@@ -12002,7 +12057,7 @@
  
  tunable_policy(`httpd_can_network_connect',`
  	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -633,12 +807,21 @@
+@@ -633,12 +806,21 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -12014,20 +12069,20 @@
 +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
--')
- 
--tunable_policy(`httpd_enable_homedirs',`
--	userdom_read_unpriv_users_home_content_files(httpd_suexec_t)
++	allow httpd_sys_script_t httpdcontent:file entrypoint;
 +	manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 +	manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
 +	manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
-+')
+ ')
+-
+-tunable_policy(`httpd_enable_homedirs',`
+-	userdom_read_unpriv_users_home_content_files(httpd_suexec_t)
 +tunable_policy(`httpd_enable_cgi',`
 +	domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
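Review bot: Under `httpd_enable_cgi && httpd_unified` the new lines give httpd_sys_script_t manage rights on the whole httpdcontent attribute while the line above makes that same attribute its entrypoint, so a script can rewrite files that it or other scripts are executed from. That is the inherent trade-off of the unified boolean, but nothing in the hunk says so; I would add `# httpd_unified: scripts may modify content that is also their entrypoint` above the entrypoint line. The blank line that separated the two tunable_policy blocks goes away with the removed homedirs block, so keep one before `tunable_policy(`httpd_enable_cgi',`. The surrounding suexec policy continues outside the hunk.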
-@@ -647,6 +830,12 @@
+@@ -647,6 +829,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -12040,7 +12095,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -664,20 +853,20 @@
+@@ -664,20 +852,20 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -12066,7 +12121,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -691,12 +880,27 @@
+@@ -691,12 +879,27 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -12096,7 +12151,7 @@
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -704,6 +908,31 @@
+@@ -704,6 +907,31 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -12128,7 +12183,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -716,10 +945,10 @@
+@@ -716,10 +944,10 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -12143,7 +12198,7 @@
  ')
  
  ########################################
-@@ -727,6 +956,8 @@
+@@ -727,6 +955,8 @@
  # httpd_rotatelogs local policy
  #
  
@@ -12152,7 +12207,7 @@
  manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
  
  kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -741,3 +972,66 @@
+@@ -741,3 +971,66 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -19058,7 +19113,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te	2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te	2009-02-12 23:07:03.000000000 +0100
 @@ -19,6 +19,9 @@
  type NetworkManager_tmp_t;
  files_tmp_file(NetworkManager_tmp_t)
@@ -35247,7 +35302,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if	2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if	2009-02-18 10:13:15.000000000 +0100
 @@ -28,10 +28,14 @@
  		class context contains;
  	')
@@ -37467,7 +37522,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5513,3 +5700,601 @@
+@@ -5513,3 +5700,622 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -37812,6 +37867,27 @@
 +
 +#######################################
 +## <summary>
++##      Read user tmpfs files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`userdom_read_generic_user_tmpfs_files',`
++        gen_require(`
++                type user_tmpfs_t;
++        ')
++
++        read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++        read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++        allow $1 user_tmpfs_t:dir list_dir_perms;
++        fs_search_tmpfs($1)
++')
++
++#######################################
++## <summary>
 +##	The template for creating a unprivileged user roughly
 +##	equivalent to a regular linux user.
 +## </summary>
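Review bot: The summary `Read user tmpfs files.` undersells what the interface grants: read on user_tmpfs_t files and symlinks, list on user_tmpfs_t directories and search on the tmpfs filesystem, and since user_tmpfs_t is a single type it presumably covers every unprivileged user's tmpfs content rather than one user's. As the first caller is a daemon (kismet_t), a summary such as `##	Read, list and search all users' tmpfs (user_tmpfs_t) files and directories.` makes that scope visible to whoever next adds a caller. The template that follows this interface starts outside the hunk.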



