rpms/selinux-policy/F-12 policy-20100106.patch, 1.31, 1.32 selinux-policy.spec, 1.1016, 1.1017

Miroslav Grepl mgrepl at fedoraproject.org
Tue Feb 9 14:53:37 UTC 2010


Author: mgrepl

Update of /cvs/pkgs/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1093

Modified Files:
	policy-20100106.patch selinux-policy.spec 
Log Message:
- Fixes for nagios plugin policy
- Allow auditctl to set priority of kernel threads



policy-20100106.patch:
 modules/admin/dmesg.fc             |    1 
 modules/admin/mcelog.fc            |    2 
 modules/admin/mcelog.if            |   20 +
 modules/admin/mcelog.te            |   31 ++
 modules/admin/prelink.te           |    1 
 modules/admin/readahead.te         |    2 
 modules/admin/rpm.if               |   20 -
 modules/admin/smoltclient.te       |    2 
 modules/admin/usermanage.te        |    6 
 modules/apps/cdrecord.te           |    2 
 modules/apps/chrome.te             |    3 
 modules/apps/firewallgui.te        |    4 
 modules/apps/gnome.fc              |    9 
 modules/apps/gnome.if              |   81 +++++-
 modules/apps/gnome.te              |    8 
 modules/apps/gpg.fc                |    2 
 modules/apps/gpg.te                |    5 
 modules/apps/kdumpgui.te           |    4 
 modules/apps/mozilla.fc            |    1 
 modules/apps/nsplugin.fc           |    1 
 modules/apps/podsleuth.te          |    1 
 modules/apps/pulseaudio.fc         |    2 
 modules/apps/pulseaudio.if         |    4 
 modules/apps/pulseaudio.te         |    8 
 modules/apps/sambagui.te           |    4 
 modules/apps/sandbox.if            |   50 +++
 modules/apps/sandbox.te            |   43 ++-
 modules/apps/vmware.if             |   18 +
 modules/apps/vmware.te             |    9 
 modules/apps/wine.if               |    4 
 modules/apps/wine.te               |   14 +
 modules/kernel/corecommands.fc     |    3 
 modules/kernel/corenetwork.if.in   |   18 +
 modules/kernel/corenetwork.te.in   |    4 
 modules/kernel/devices.fc          |    5 
 modules/kernel/devices.if          |   90 +++++++
 modules/kernel/devices.te          |   18 +
 modules/kernel/files.if            |   20 +
 modules/kernel/filesystem.if       |   58 ++++
 modules/roles/unconfineduser.fc    |    5 
 modules/roles/unconfineduser.te    |    2 
 modules/roles/xguest.te            |    2 
 modules/services/abrt.if           |    5 
 modules/services/abrt.te           |   14 +
 modules/services/afs.te            |    6 
 modules/services/aisexec.te        |    8 
 modules/services/amavis.te         |    1 
 modules/services/apache.fc         |    1 
 modules/services/apache.if         |   27 ++
 modules/services/apache.te         |   12 
 modules/services/apcupsd.te        |    2 
 modules/services/arpwatch.te       |    1 
 modules/services/avahi.fc          |    2 
 modules/services/chronyd.fc        |    2 
 modules/services/chronyd.te        |   15 -
 modules/services/corosync.te       |    6 
 modules/services/cron.te           |    4 
 modules/services/cups.te           |    6 
 modules/services/dbus.if           |    2 
 modules/services/dovecot.te        |    6 
 modules/services/fail2ban.if       |   18 +
 modules/services/ftp.if            |   37 ++
 modules/services/ftp.te            |  114 +++++++++
 modules/services/git.fc            |   17 -
 modules/services/git.if            |  466 ++++++++++++++++++++++++++++---------
 modules/services/git.te            |  145 ++++++-----
 modules/services/kerberos.if       |    2 
 modules/services/ldap.fc           |    8 
 modules/services/ldap.te           |    7 
 modules/services/lircd.te          |    7 
 modules/services/mailman.te        |    1 
 modules/services/memcached.te      |   14 -
 modules/services/mta.if            |   19 +
 modules/services/mta.te            |    1 
 modules/services/munin.te          |    1 
 modules/services/mysql.te          |    4 
 modules/services/nagios.fc         |   42 +++
 modules/services/nagios.if         |    2 
 modules/services/nagios.te         |   47 +++
 modules/services/networkmanager.fc |    1 
 modules/services/networkmanager.te |    1 
 modules/services/nis.fc            |    5 
 modules/services/nis.te            |    6 
 modules/services/nx.if             |   18 +
 modules/services/openvpn.te        |    4 
 modules/services/plymouth.te       |   32 +-
 modules/services/policykit.te      |    8 
 modules/services/postfix.te        |    5 
 modules/services/ppp.fc            |    2 
 modules/services/ppp.te            |    6 
 modules/services/prelude.te        |    2 
 modules/services/rgmanager.if      |    2 
 modules/services/rgmanager.te      |   18 +
 modules/services/rhcs.fc           |    8 
 modules/services/rhcs.te           |   47 ++-
 modules/services/samba.te          |   13 -
 modules/services/sendmail.te       |    4 
 modules/services/setroubleshoot.te |    4 
 modules/services/snmp.te           |    4 
 modules/services/snort.te          |    1 
 modules/services/spamassassin.if   |   18 +
 modules/services/spamassassin.te   |    6 
 modules/services/ssh.te            |   80 ------
 modules/services/sssd.fc           |    2 
 modules/services/sssd.if           |   85 +++---
 modules/services/sssd.te           |   14 -
 modules/services/tftp.te           |    1 
 modules/services/tgtd.te           |    1 
 modules/services/tuned.fc          |    3 
 modules/services/tuned.te          |    9 
 modules/services/usbmuxd.fc        |    6 
 modules/services/usbmuxd.if        |   64 +++++
 modules/services/usbmuxd.te        |   44 +++
 modules/services/virt.te           |    5 
 modules/services/xserver.fc        |    7 
 modules/services/xserver.te        |   16 +
 modules/system/application.te      |   12 
 modules/system/fstools.fc          |    1 
 modules/system/hostname.te         |    3 
 modules/system/hotplug.te          |    4 
 modules/system/init.if             |   33 ++
 modules/system/init.te             |   20 +
 modules/system/ipsec.te            |    2 
 modules/system/iptables.if         |    7 
 modules/system/iptables.te         |    2 
 modules/system/iscsi.fc            |    3 
 modules/system/iscsi.te            |   10 
 modules/system/libraries.fc        |   14 -
 modules/system/locallogin.te       |    5 
 modules/system/logging.fc          |    2 
 modules/system/logging.if          |   18 +
 modules/system/logging.te          |    5 
 modules/system/miscfiles.if        |   37 ++
 modules/system/modutils.te         |    1 
 modules/system/mount.te            |   15 +
 modules/system/selinuxutil.te      |    1 
 modules/system/sysnetwork.te       |    1 
 modules/system/udev.te             |    5 
 modules/system/unconfined.if       |    2 
 modules/system/userdomain.fc       |    1 
 modules/system/userdomain.if       |   18 +
 modules/system/xen.te              |    7 
 support/obj_perm_sets.spt          |    5 
 users                              |    2 
 144 files changed, 1999 insertions(+), 448 deletions(-)

Index: policy-20100106.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -p -r1.31 -r1.32
--- policy-20100106.patch	9 Feb 2010 12:22:30 -0000	1.31
+++ policy-20100106.patch	9 Feb 2010 14:53:36 -0000	1.32
@@ -1678,6 +1678,18 @@ diff -b -B --ignore-all-space --exclude-
  allow cups_pdf_t self:fifo_file rw_file_perms;
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.32/policy/modules/services/dbus.if
+--- nsaserefpolicy/policy/modules/services/dbus.if	2010-01-18 18:24:22.774530577 +0100
++++ serefpolicy-3.6.32/policy/modules/services/dbus.if	2010-02-09 15:13:10.361616292 +0100
+@@ -375,6 +375,8 @@
+ 	dbus_system_bus_client($1)
+ 	dbus_connect_system_bus($1)
+ 
++	ps_process_pattern(system_dbusd_t, $1)
++
+ 	userdom_dontaudit_search_admin_dir($1)
+ 
+ 	optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2010-01-18 18:24:22.782530547 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2010-02-08 11:55:25.971336166 +0100
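Review bot: The new `ps_process_pattern(system_dbusd_t, $1)` at line 186 grants system_dbusd_t read access to the /proc entries and process attributes of every domain that calls this interface, and nothing in the hunk, the log message or the spec changelog says why dbus-daemon needs that. The interface this lands in begins above the hunk, so its name and `## <summary>` block are not visible here; whatever that summary documents should be extended to mention the new grant so callers know they are exposing their process state to the system bus. I would add `# system bus daemon reads /proc/<pid> of its clients - confirm which dbus-daemon code path (presumably peer lookup) needs this` directly above the new line.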
@@ -3025,8 +3037,14 @@ diff -b -B --ignore-all-space --exclude-
  manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2010-01-18 18:24:22.821530899 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc	2010-01-18 18:27:02.765531460 +0100
-@@ -27,26 +27,62 @@
++++ serefpolicy-3.6.32/policy/modules/services/nagios.fc	2010-02-09 13:30:45.031616023 +0100
+@@ -23,30 +23,66 @@
+ /usr/lib(64)?/cgi-bin/nagios(/.+)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+ /usr/lib(64)?/nagios/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+ 
+-
++# admin plugins
++/usr/lib(64)?/nagios/plugins/check_mailq        --      gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
  
  # check disk plugins
  /usr/lib(64)?/nagios/plugins/check_disk  	--  	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
@@ -3044,7 +3062,6 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/lib(64)?/nagios/plugins/check_ifstatus		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_load			--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
  /usr/lib(64)?/nagios/plugins/check_log		--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_mailq		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_mrtg			--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_mrtgtraf		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
  /usr/lib(64)?/nagios/plugins/check_nagios    	--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
@@ -3105,8 +3122,20 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2010-01-18 18:24:22.823530245 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.te	2010-01-22 16:03:19.932604694 +0100
-@@ -118,6 +118,9 @@
++++ serefpolicy-3.6.32/policy/modules/services/nagios.te	2010-02-09 13:29:19.023616028 +0100
+@@ -45,6 +45,11 @@
+ type nrpe_var_run_t;
+ files_pid_file(nrpe_var_run_t)
+ 
++# creates nagios_admin_plugin_exec_t for executable
++# and nagios_admin_plugin_t for domain
++nagios_plugin_template(admin)
++permissive nagios_admin_plugin_t; 
++
+ # creates nagios_checkdisk_plugin_exec_t for executable
+ # and nagios_checkdisk_plugin_t for domain
+ nagios_plugin_template(checkdisk)
+@@ -118,6 +123,9 @@
  corenet_udp_sendrecv_all_ports(nagios_t)
  corenet_tcp_connect_all_ports(nagios_t)
  
@@ -3116,7 +3145,49 @@ diff -b -B --ignore-all-space --exclude-
  dev_read_sysfs(nagios_t)
  dev_read_urand(nagios_t)
  
-@@ -315,6 +318,10 @@
+@@ -264,6 +272,41 @@
+ 	udev_read_db(nrpe_t)
+ ')
+ 
++######################################
++#
++# local policy for admin check plugins 
++#
++
++allow nagios_admin_plugin_t self:capability { setuid setgid dac_override };
++
++allow nagios_admin_plugin_t self:tcp_socket create_stream_socket_perms;
++allow nagios_admin_plugin_t self:udp_socket create_socket_perms;
++
++kernel_read_system_state(nagios_admin_plugin_t)
++kernel_read_kernel_sysctls(nagios_admin_plugin_t)
++
++corecmd_read_bin_files(nagios_admin_plugin_t)
++corecmd_read_bin_symlinks(nagios_admin_plugin_t)
++
++dev_read_urand(nagios_admin_plugin_t)
++
++files_read_etc_files(nagios_admin_plugin_t)
++
++libs_use_lib_files(nagios_admin_plugin_t)
++libs_use_ld_so(nagios_admin_plugin_t) 
++
++logging_send_syslog_msg(nagios_admin_plugin_t)
++
++sysnet_read_config(nagios_admin_plugin_t)
++
++nscd_dontaudit_search_pid(nagios_admin_plugin_t) 
++
++optional_policy(`
++	mta_read_config(nagios_admin_plugin_t)
++	mta_list_queue(nagios_admin_plugin_t)
++	mta_read_queue(nagios_admin_plugin_t)
++	mta_sendmail_exec(nagios_admin_plugin_t)
++') 
+ 
+ ######################################
+ #
+@@ -315,6 +358,10 @@
  	mysql_stream_connect(nagios_services_plugin_t)
  ')
  
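Review bot: `allow nagios_admin_plugin_t self:capability { setuid setgid dac_override };` at line 256 lets the plugin domain bypass file-mode checks on any object its SELinux rules reach, and nothing in the hunk explains why check_mailq needs it; presumably it is for reading an MTA-owned spool, but that is not stated. The mta_* access it is paired with sits inside `optional_policy` (lines 280-285) while the capabilities are unconditional, so they remain granted even when the mta module is absent. I would precede the capability rule with a comment naming the operation behind each capability, e.g. `# check_mailq inspects the MTA queue; dac_override covers the spool's mode bits - confirm setuid/setgid are still required`, and drop the trailing spaces on lines 272, 278 and 285.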
@@ -3710,7 +3781,16 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2010-01-18 18:24:22.889530888 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te	2010-01-18 18:27:02.771531176 +0100
++++ serefpolicy-3.6.32/policy/modules/services/sendmail.te	2010-02-09 15:04:54.083866070 +0100
+@@ -30,7 +30,7 @@
+ #
+ 
+ allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+-allow sendmail_t self:process { setpgid setrlimit signal signull };
++allow sendmail_t self:process { setpgid setsched setrlimit signal signull };
+ allow sendmail_t self:fifo_file rw_fifo_file_perms;
+ allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+ allow sendmail_t self:unix_dgram_socket create_socket_perms;
 @@ -136,6 +136,8 @@
  
  optional_policy(`
@@ -4704,7 +4784,7 @@ diff -b -B --ignore-all-space --exclude-
 +') 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-01-18 18:24:22.936530091 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.te	2010-02-09 09:59:50.702615499 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.te	2010-02-09 15:33:01.072616199 +0100
 @@ -40,6 +40,7 @@
  attribute init_script_domain_type;
  attribute init_script_file_type;
@@ -4713,6 +4793,15 @@ diff -b -B --ignore-all-space --exclude-
  
  # Mark process types as daemons
  attribute daemon;
+@@ -47,7 +48,7 @@
+ #
+ # init_t is the domain of the init process.
+ #
+-type init_t;
++type init_t, initrc_transition_domain;
+ type init_exec_t;
+ domain_type(init_t)
+ domain_entry_file(init_t, init_exec_t)
 @@ -118,6 +119,7 @@
  
  allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };
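Review bot: `type init_t, initrc_transition_domain;` at line 329 puts the init domain into an attribute whose rules live outside this hunk (only the `attribute` declaration around line 320 is part of this patch), so the effect on init_t cannot be judged from the hunk alone; any transition or permission granted to the attribute now applies to everything init_t executes. Since init_t is the root of the boot-time process tree, the declaration deserves a comment stating what membership grants. I would write `# member of initrc_transition_domain: shares that attribute's transition rules to initrc_t - verify what else is attached to it` above the type line, adjusting the wording to what the attribute actually carries.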
@@ -4996,8 +5085,16 @@ diff -b -B --ignore-all-space --exclude-
  ##	Read all log files.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2010-01-18 18:24:22.951535142 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/logging.te	2010-02-02 14:39:43.439068166 +0100
-@@ -489,6 +489,10 @@
++++ serefpolicy-3.6.32/policy/modules/system/logging.te	2010-02-09 15:09:42.278616082 +0100
+@@ -101,6 +101,7 @@
+ 
+ kernel_read_kernel_sysctls(auditctl_t)
+ kernel_read_proc_symlinks(auditctl_t)
++kernel_setsched(auditctl_t)
+ 
+ domain_read_all_domains_state(auditctl_t)
+ domain_use_interactive_fds(auditctl_t)
+@@ -489,6 +490,10 @@
  ')
  
  optional_policy(`
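Review bot: `kernel_setsched(auditctl_t)` at line 347 allows the setsched process permission against kernel_t, which matches the log entry about auditctl setting kernel-thread priority, but the hunk has no comment tying the rule to the auditctl operation that triggered it. Raising a thread's priority also goes through the sys_nice capability check, and auditctl_t's self:capability rule is outside this hunk, so if sys_nice is not already in it the call will still be denied on that class. I would add `# auditctl adjusts the priority of a kernel thread (presumably kauditd) - confirm sys_nice is granted in auditctl_t's capability rule` above the new line.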


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.1016
retrieving revision 1.1017
diff -u -p -r1.1016 -r1.1017
--- selinux-policy.spec	9 Feb 2010 12:22:30 -0000	1.1016
+++ selinux-policy.spec	9 Feb 2010 14:53:36 -0000	1.1017
@@ -477,6 +477,8 @@ exit 0
 - Add label for /usr/sbin/ns-slapd
 - Allow munin to list mail queue
 - Add label for shorewall compiler
+- Fixes for nagios plugin policy
+- Allow auditctl to set priority of kernel threads
 
 * Fri Feb 5 2010 Dan Walsh <dwalsh at redhat.com> 3.6.32-85
 - Cleanup  spec file


