[selinux-policy/f13/master] - Fixes for dirsrv-admin policy
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Nov 18 19:32:13 UTC 2010
commit 2b5aecffdbb49a5cf7630885c614ca3ce77cb4cf
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Nov 18 20:32:05 2010 +0100
- Fixes for dirsrv-admin policy
policy-F13.patch | 73 ++++++++++++++++++++++++++++++---------------------
selinux-policy.spec | 5 +++-
2 files changed, 47 insertions(+), 31 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index b777f7c..ed834d1 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -15916,7 +15916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-11-11 16:12:33.885398972 +0100
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-11-18 16:15:14.895397629 +0100
@@ -19,11 +19,13 @@
# Declarations
#
@@ -16236,14 +16236,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
+ mta_signal(httpd_t)
- ')
-
++')
++
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
-+')
-+
+ ')
+
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
@@ -16276,16 +16276,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -528,7 +669,7 @@
+@@ -528,7 +669,18 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
- optional_policy(`
+optional_policy(`
++ dirsrv_manage_config(httpd_t)
++ dirsrv_manage_log(httpd_t)
++ dirsrv_manage_var_run(httpd_t)
++ dirsrv_read_share(httpd_t)
++ dirsrv_signal(httpd_t)
++ dirsrv_signull(httpd_t)
++ dirsrvadmin_manage_config(httpd_t)
++ dirsrvadmin_manage_tmp(httpd_t)
++')
++
++optional_policy(`
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +678,12 @@
+@@ -537,8 +689,12 @@
')
optional_policy(`
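Review bot: The new optional_policy block (the `dirsrv_manage_config(httpd_t)` through `dirsrvadmin_manage_tmp(httpd_t)` calls) hands the shared httpd_t domain write access to the directory server's configuration, logs and pid files plus signal rights over its processes, and nothing guards it: no tunable, no separate domain. Every Apache instance confined as httpd_t on the host inherits it, not only the dirsrv-admin server, so a compromised unrelated web application could rewrite or clobber 389-ds configuration and stop the daemon; if dirsrv_manage_config covers /etc/dirsrv as its name suggests, that presumably includes dse.ldif with its ACIs and root DN hash, but the interface body in dirsrv.if is not visible here. The surrounding httpd_use_cifs and httpd_setrlimit blocks show the file's existing pattern for optional privilege: wrap these calls in ``tunable_policy(`httpd_manage_dirsrv',` `` … `')` inside the optional_policy and declare the boolean off by default with `gen_tunable(httpd_manage_dirsrv, false)` plus its `## <desc>` comment in the Declarations section, or confine the admin server in its own domain instead of widening httpd_t. The enclosing httpd_t section of apache.te extends well beyond this hunk.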
@@ -16299,7 +16310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -556,7 +701,13 @@
+@@ -556,7 +712,13 @@
')
optional_policy(`
@@ -16313,7 +16324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +718,7 @@
+@@ -567,6 +729,7 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -16321,7 +16332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -577,12 +729,23 @@
+@@ -577,12 +740,23 @@
')
optional_policy(`
@@ -16345,7 +16356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -591,6 +754,11 @@
+@@ -591,6 +765,11 @@
')
optional_policy(`
@@ -16357,7 +16368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -618,6 +786,10 @@
+@@ -618,6 +797,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -16368,7 +16379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -699,17 +871,18 @@
+@@ -699,17 +882,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -16390,7 +16401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +913,21 @@
+@@ -740,10 +924,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -16413,7 +16424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +953,12 @@
+@@ -769,6 +964,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -16426,7 +16437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -792,9 +982,13 @@
+@@ -792,9 +993,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -16440,7 +16451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +997,28 @@
+@@ -803,6 +1008,28 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -16469,7 +16480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1046,16 @@
+@@ -830,6 +1057,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -16486,7 +16497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1068,7 @@
+@@ -842,6 +1079,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -16494,7 +16505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -891,11 +1118,33 @@
+@@ -891,11 +1129,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -19815,7 +19826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.19/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/cron.te 2010-08-24 15:32:42.307335306 +0200
++++ serefpolicy-3.7.19/policy/modules/services/cron.te 2010-11-18 15:47:35.785397612 +0100
@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -20029,15 +20040,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -387,6 +451,7 @@
+@@ -387,6 +451,9 @@
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
+files_create_boot_flag(system_cronjob_t)
++
++mls_file_read_to_clearance(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
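Review bot: The added `mls_file_read_to_clearance(system_cronjob_t)` lets system cron jobs on an MLS policy read files above their own sensitivity level, up to the process clearance, and the line carries no comment saying which job needs it or why the existing per-job optional_policy blocks are not enough. MLS overrides are the rules an auditor looks at first, so it deserves a why-comment next to the call, for instance `# MLS: system cron jobs (presumably logrotate/tmpwatch style maintenance) must read files at every level up to their clearance -- confirm which job triggered this`. If the need is specific to one job, moving the call into that job's optional_policy block would keep the override from applying to every system cron job. The system_cronjob_t section continues outside this hunk.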
-@@ -411,6 +476,8 @@
+@@ -411,6 +478,8 @@
ifdef(`distro_redhat', `
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -20046,7 +20059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -435,6 +502,8 @@
+@@ -435,6 +504,8 @@
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -20055,7 +20068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -442,6 +511,14 @@
+@@ -442,6 +513,14 @@
')
optional_policy(`
@@ -20070,7 +20083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ftp_read_log(system_cronjob_t)
')
-@@ -452,15 +529,24 @@
+@@ -452,15 +531,24 @@
')
optional_policy(`
@@ -20095,7 +20108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -476,7 +562,7 @@
+@@ -476,7 +564,7 @@
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -20104,7 +20117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -491,6 +577,7 @@
+@@ -491,6 +579,7 @@
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -20112,7 +20125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
optional_policy(`
-@@ -498,6 +585,9 @@
+@@ -498,6 +587,9 @@
')
optional_policy(`
@@ -20122,7 +20135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -591,6 +681,7 @@
+@@ -591,6 +683,7 @@
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 446580a..d4da75d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 72%{?dist}
+Release: 73%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,9 @@ exit 0
%endif
%changelog
+* Thu Nov 18 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-73
+- Fixes for dirsrv-admin policy
+
* Mon Nov 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-72
- Allow mysqld-safe to send system log messages
- Add dirsrv and dirsrv-admin policy