[selinux-policy/f13/master] - Allow smbd sys_admin capability - Allow certmonger to search through directories that contain cert
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Oct 8 09:25:58 UTC 2010
commit 2999e7749790641cdda044695032fa28905a6498
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Oct 8 11:25:36 2010 +0200
- Allow smbd sys_admin capability
- Allow certmonger to search through directories that contain certs
- Allow fail2ban the DAC Override so it can read log files owned by non root users
- Allow boinc_project to use shm
- Allow vpnc to read /root/.cert
- Add mediawiki policy
modules-targeted.conf | 8 ++
policy-F13.patch | 329 ++++++++++++++++++++++++++++++++++++++-----------
selinux-policy.spec | 10 ++-
3 files changed, 276 insertions(+), 71 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index b6ed855..f17558d 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2201,3 +2201,11 @@ pingd = module
#
#
milter = module
+
+# Layer: apps
+# Module: mediawiki
+#
+# mediawiki is the software used for Wikipedia and the other Wikimedia
+# Foundation websites.
+#
+mediawiki = module
diff --git a/policy-F13.patch b/policy-F13.patch
index 9590022..6a63f66 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -2942,7 +2942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.19/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/vpn.te 2010-06-08 14:44:13.503860559 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/vpn.te 2010-10-08 10:44:30.399901187 +0200
@@ -31,7 +31,7 @@
allow vpnc_t self:rawip_socket create_socket_perms;
allow vpnc_t self:unix_dgram_socket create_socket_perms;
@@ -2960,15 +2960,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
kernel_rw_net_sysctls(vpnc_t)
corenet_all_recvfrom_unlabeled(vpnc_t)
-@@ -107,6 +108,7 @@
+@@ -107,6 +108,8 @@
userdom_use_all_users_fds(vpnc_t)
userdom_dontaudit_search_user_home_content(vpnc_t)
+userdom_read_home_certs(vpnc_t)
++userdom_search_admin_dir(vpnc_t)
optional_policy(`
dbus_system_bus_client(vpnc_t)
-@@ -115,3 +117,7 @@
+@@ -115,3 +118,7 @@
networkmanager_dbus_chat(vpnc_t)
')
')
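Review bot: `userdom_search_admin_dir(vpnc_t)` is added without a comment, and on its own it only grants directory search on the admin home; the actual read of the certificates presumably rests on the existing `userdom_read_home_certs(vpnc_t)` line above it, which this hunk leaves unchanged. A rule that lets a network-facing VPN client traverse /root deserves a why, so suggest `# vpnc reads client certs from /root/.cert; search on the admin home is needed to reach them` next to the new line. The vpnc_t policy block starts and ends outside this hunk.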
@@ -5179,6 +5180,103 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_rw_lvm_control(loadkeys_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mediawiki.fc serefpolicy-3.7.19/policy/modules/apps/mediawiki.fc
+--- nsaserefpolicy/policy/modules/apps/mediawiki.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/apps/mediawiki.fc 2010-10-08 10:46:51.423650902 +0200
+@@ -0,0 +1,10 @@
++
++/usr/lib(64)?/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
++/usr/lib(64)?/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
++/usr/lib(64)?/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
++
++/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
++
++/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
++
++/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mediawiki.if serefpolicy-3.7.19/policy/modules/apps/mediawiki.if
+--- nsaserefpolicy/policy/modules/apps/mediawiki.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/apps/mediawiki.if 2010-10-08 10:48:32.947650792 +0200
+@@ -0,0 +1,40 @@
++## <summary>Mediawiki policy</summary>
++
++#######################################
++## <summary>
++## Allow the specified domain to read
++## mediawiki tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mediawiki_read_tmp_files',`
++ gen_require(`
++ type httpd_mediawiki_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++')
++
++#######################################
++## <summary>
++## Delete mediawiki tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mediawiki_delete_tmp_files',`
++ gen_require(`
++ type httpd_mediawiki_tmp_t;
++ ')
++
++ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mediawiki.te serefpolicy-3.7.19/policy/modules/apps/mediawiki.te
+--- nsaserefpolicy/policy/modules/apps/mediawiki.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/apps/mediawiki.te 2010-10-08 10:46:51.423650902 +0200
+@@ -0,0 +1,35 @@
++
++policy_module(mediawiki, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++apache_content_template(mediawiki)
++
++type httpd_mediawiki_tmp_t;
++files_tmp_file(httpd_mediawiki_tmp_t)
++
++permissive httpd_mediawiki_script_t;
++
++########################################
++#
++# mediawiki local policy
++#
++
++manage_dirs_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++manage_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++manage_lnk_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
++files_tmp_filetrans(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, { file dir lnk_file })
++
++files_search_var_lib(httpd_mediawiki_script_t)
++
++userdom_read_user_tmp_files(httpd_mediawiki_script_t)
++
++miscfiles_read_tetex_data(httpd_mediawiki_script_t)
++
++optional_policy(`
++ apache_dontaudit_rw_tmp_files(httpd_mediawiki_script_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.19/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/apps/mono.if 2010-05-28 09:41:59.988610625 +0200
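Review bot: `permissive httpd_mediawiki_script_t;` in mediawiki.te ships the new script domain with enforcement switched off, so none of the rules in this module constrain it yet and nothing in the file says this is temporary; suggest `# TODO: permissive only while the policy is being developed; drop once AVCs are clean` above it. The same file gives a web-facing script domain `userdom_read_user_tmp_files`, which lets it read every user's tmp files — broad for a wiki and worth either a why-comment or a narrower rule. In mediawiki.fc, `/var/www/wiki(/.*)?` is labelled `httpd_mediawiki_rw_content_t` and only names ending in `.php` are pulled back to the content type, so anything else under the docroot (`.htaccess`, `.inc`, `.phtml`, if present) presumably stays writable by the script domain — confirm that is intended. `texvc_tes` also looks like a truncated `texvc_test`; verify against the installed file names.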
@@ -8655,7 +8753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-10-01 15:21:03.204349381 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-10-08 10:50:45.012651252 +0200
@@ -9,8 +9,11 @@
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -8769,7 +8867,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-@@ -331,3 +359,21 @@
+@@ -305,6 +333,7 @@
+ /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+
+ ifdef(`distro_suse', `
+@@ -331,3 +360,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -8793,8 +8899,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.19/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.if 2010-05-28 09:42:00.018610892 +0200
-@@ -931,6 +931,7 @@
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.if 2010-10-08 11:10:25.398900803 +0200
+@@ -179,6 +179,24 @@
+ dontaudit $1 bin_t:dir write;
+ ')
+
++#######################################
++## <summary>
++## Do not audit attempts to write bin files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`corecmd_dontaudit_write_bin_files',`
++ gen_require(`
++ type bin_t;
++ ')
++
++ dontaudit $1 bin_t:file write;
++')
++
+ ########################################
+ ## <summary>
+ ## Get the attributes of files in bin directories.
+@@ -931,6 +949,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
can_exec($1, chroot_exec_t)
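Review bot: The new `corecmd_dontaudit_write_bin_files` interface suppresses the one denial — a confined domain trying to write an executable labelled bin_t — that is most useful as a tamper signal, yet its summary only says `Do not audit attempts to write bin files.` Suggest extending the interface description so the caveat travels with it: `## Only for domains known to attempt a harmless write (e.g. opening a bin_t file O_RDWR); it hides evidence of binary modification.`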
@@ -8802,7 +8933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
########################################
-@@ -1030,6 +1031,7 @@
+@@ -1030,6 +1049,7 @@
type bin_t;
')
@@ -15127,7 +15258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-09-09 13:49:57.498085155 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-10-08 10:37:53.972901045 +0200
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@@ -15343,7 +15474,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Apache cache.
## </summary>
## <param name="domain">
-@@ -756,6 +791,28 @@
+@@ -542,6 +577,26 @@
+ delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
+ ')
+
++#######################################
++## <summary>
++## Allow the specified domain to search
++## apache configuration dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apache_search_config',`
++ gen_require(`
++ type httpd_config_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 httpd_config_t:dir search_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Allow the specified domain to read
+@@ -756,6 +811,28 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -15372,7 +15530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -814,6 +871,7 @@
+@@ -814,6 +891,7 @@
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -15380,7 +15538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_search_var($1)
')
-@@ -836,11 +894,62 @@
+@@ -836,11 +914,62 @@
')
files_search_var($1)
@@ -15443,7 +15601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
## <summary>
## Execute all web scripts in the system
-@@ -858,6 +967,11 @@
+@@ -858,6 +987,11 @@
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
@@ -15455,7 +15613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1059,7 @@
+@@ -945,7 +1079,7 @@
type httpd_squirrelmail_t;
')
@@ -15464,7 +15622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -985,6 +1099,24 @@
+@@ -985,6 +1119,24 @@
allow $1 httpd_sys_content_t:dir search_dir_perms;
')
@@ -15489,7 +15647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
## <summary>
## Read apache system content.
-@@ -1086,6 +1218,25 @@
+@@ -1086,6 +1238,25 @@
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -15515,7 +15673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
## <summary>
## Dontaudit attempts to write
-@@ -1102,7 +1253,7 @@
+@@ -1102,7 +1273,7 @@
type httpd_tmp_t;
')
@@ -15524,7 +15682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1172,7 +1323,7 @@
+@@ -1172,7 +1343,7 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -15533,7 +15691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1353,62 @@
+@@ -1202,12 +1373,62 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -15599,7 +15757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-10-05 16:57:44.624651594 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-10-08 10:48:07.118901432 +0200
@@ -19,11 +19,13 @@
# Declarations
#
@@ -15919,14 +16077,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ corenet_sendrecv_pop_client_packets(httpd_t)
mta_send_mail(httpd_t)
+ mta_signal(httpd_t)
-+')
-+
+ ')
+
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
- ')
-
++')
++
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+')
@@ -15981,15 +16139,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -557,6 +701,7 @@
+@@ -556,7 +700,13 @@
+ ')
optional_policy(`
++ mediawiki_read_tmp_files(httpd_t)
++ mediawiki_delete_tmp_files(httpd_t)
++')
++
++optional_policy(`
# Allow httpd to work with mysql
+ mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +712,7 @@
+@@ -567,6 +717,7 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -15997,7 +16161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -577,12 +723,23 @@
+@@ -577,12 +728,23 @@
')
optional_policy(`
@@ -16021,7 +16185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -591,6 +748,11 @@
+@@ -591,6 +753,11 @@
')
optional_policy(`
@@ -16033,7 +16197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -618,6 +780,10 @@
+@@ -618,6 +785,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -16044,7 +16208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -699,17 +865,18 @@
+@@ -699,17 +870,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -16066,7 +16230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +907,21 @@
+@@ -740,10 +912,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -16089,7 +16253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +947,12 @@
+@@ -769,6 +952,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -16102,7 +16266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -792,9 +976,13 @@
+@@ -792,9 +981,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -16116,7 +16280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +991,28 @@
+@@ -803,6 +996,28 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -16145,7 +16309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1040,16 @@
+@@ -830,6 +1045,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -16162,7 +16326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1062,7 @@
+@@ -842,6 +1067,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -16170,7 +16334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -891,11 +1112,33 @@
+@@ -891,11 +1117,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -17583,8 +17747,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-08-24 15:45:24.605099189 +0200
-@@ -0,0 +1,73 @@
++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-10-08 10:39:56.442913129 +0200
+@@ -0,0 +1,83 @@
+policy_module(certmonger,1.0.0)
+
+########################################
@@ -17645,6 +17809,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+
+sysnet_dns_name_resolve(certmonger_t)
+
++userdom_search_user_home_content(certmonger_t)
++
++optional_policy(`
++ apache_search_config(certmonger_t)
++')
++
++optional_policy(`
++ bind_search_cache(certmonger_t)
++')
++
+optional_policy(`
+ dbus_system_bus_client(certmonger_t)
+ dbus_connect_system_bus(certmonger_t)
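Review bot: The three new rules (`userdom_search_user_home_content`, `apache_search_config`, `bind_search_cache`) grant only directory search, while the changelog says certmonger should work with directories that contain certs — if certmonger is expected to read or renew certificate files under /etc/httpd or the bind cache, search alone will still deny the file access, so confirm the matching read/manage rules exist elsewhere. None of the three lines says why a cert-tracking daemon needs to traverse user homes; suggest `# certs may live under user homes, /etc/httpd and the bind cache; search only, file access comes from the cert types` if that is the intent. The certmonger_t block continues outside this hunk.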
@@ -21500,8 +21674,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.7.19/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/fail2ban.te 2010-08-13 08:08:26.382085092 +0200
-@@ -91,9 +91,17 @@
++++ serefpolicy-3.7.19/policy/modules/services/fail2ban.te 2010-10-08 10:29:01.304899702 +0200
+@@ -29,8 +29,9 @@
+ # fail2ban local policy
+ #
+
+-allow fail2ban_t self:capability { sys_tty_config };
++allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
+ allow fail2ban_t self:process signal;
++
+ allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+ allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow fail2ban_t self:unix_dgram_socket create_socket_perms;
+@@ -91,9 +92,17 @@
')
optional_policy(`
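Review bot: `dac_override` is broader than the stated need: reading log files owned by other users requires only `dac_read_search`, whereas `dac_override` also bypasses write permission checks on every file fail2ban_t can reach. The kernel consults CAP_DAC_OVERRIDE before CAP_DAC_READ_SEARCH on a read, so allowing only the latter leaves a noisy denial; the usual policy idiom is `allow fail2ban_t self:capability { dac_read_search sys_tty_config };` plus `dontaudit fail2ban_t self:capability dac_override;`. A why-comment such as `# dac_read_search: log files owned by non-root users` would also keep the intent from being lost in the next cleanup. The fail2ban_t block continues outside this hunk.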
@@ -32596,7 +32781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-10-05 16:48:57.914651451 +0200
++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-10-08 10:26:42.307649666 +0200
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -32644,7 +32829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
# smbd Local policy
#
-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource kill lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner setgid setuid sys_admin sys_nice sys_resource kill lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
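Review bot: `sys_admin` is added to smbd_t's self:capability set without a comment, and the changelog gives no reason either; CAP_SYS_ADMIN is the catch-all capability (mount, many privileged ioctls, assorted kernel limits), so it materially widens what a compromised smbd can do. Name the operation that fails without it on the line — `# sys_admin: needed for <syscall/ioctl seen in the AVC>` — and check whether a narrower capability (smbd already holds sys_resource, chown, fowner) or a dontaudit would satisfy it. The smbd_t block continues outside this hunk.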
@@ -36797,7 +36982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-08-11 15:18:48.297085092 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-10-08 10:31:31.109650747 +0200
@@ -1,5 +1,5 @@
-policy_module(xserver, 3.3.2)
@@ -37197,7 +37382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,15 +507,21 @@
+@@ -371,18 +507,25 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -37220,7 +37405,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-@@ -394,11 +536,14 @@
++corecmd_dontaudit_write_bin_files(xdm_t)
+
+ corenet_all_recvfrom_unlabeled(xdm_t)
+ corenet_all_recvfrom_netlabel(xdm_t)
+@@ -394,11 +537,14 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
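Review bot: `corecmd_dontaudit_write_bin_files(xdm_t)` silences write denials from the display manager against bin_t executables without saying what triggers them; a write attempt on executables is exactly the denial you want to keep seeing unless the cause is known to be harmless. If xdm is merely opening a bin_t file read-write, a why-comment prevents a later reader from assuming writes are expected, e.g. `# xdm opens bin_t files O_RDWR but never modifies them; dontaudit the noise`; if the trigger is unknown, hiding it here is the wrong fix. The xdm_t block continues outside this hunk.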
@@ -37235,7 +37424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +551,7 @@
+@@ -406,6 +552,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -37243,7 +37432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +560,22 @@
+@@ -414,18 +561,22 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -37269,7 +37458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +586,17 @@
+@@ -436,9 +587,17 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -37287,7 +37476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +605,21 @@
+@@ -447,14 +606,21 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -37309,7 +37498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +630,12 @@
+@@ -465,10 +631,12 @@
logging_read_generic_logs(xdm_t)
@@ -37324,7 +37513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +644,12 @@
+@@ -477,6 +645,12 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -37337,7 +37526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -508,11 +681,17 @@
+@@ -508,11 +682,17 @@
')
optional_policy(`
@@ -37355,7 +37544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +699,51 @@
+@@ -520,12 +700,51 @@
')
optional_policy(`
@@ -37407,7 +37596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,20 +761,63 @@
+@@ -543,20 +762,63 @@
')
optional_policy(`
@@ -37473,7 +37662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +826,6 @@
+@@ -565,7 +827,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -37481,7 +37670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +836,10 @@
+@@ -576,6 +837,10 @@
')
optional_policy(`
@@ -37492,7 +37681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +864,9 @@
+@@ -600,10 +865,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -37504,7 +37693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +878,18 @@
+@@ -615,6 +879,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -37523,7 +37712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +909,19 @@
+@@ -634,12 +910,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -37545,7 +37734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -647,6 +929,7 @@
+@@ -647,6 +930,7 @@
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -37553,7 +37742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -673,7 +956,6 @@
+@@ -673,7 +957,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -37561,7 +37750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +965,12 @@
+@@ -683,9 +966,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -37575,7 +37764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +985,13 @@
+@@ -700,8 +986,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -37589,7 +37778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +1013,14 @@
+@@ -723,11 +1014,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -37604,7 +37793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1072,28 @@
+@@ -779,12 +1073,28 @@
')
optional_policy(`
@@ -37634,7 +37823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1120,7 @@
+@@ -811,7 +1121,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -37643,7 +37832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1141,14 @@
+@@ -832,9 +1142,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -37658,7 +37847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1163,14 @@
+@@ -849,11 +1164,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -37675,7 +37864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1316,33 @@
+@@ -999,3 +1317,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7b14e27..0102f2e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 64%{?dist}
+Release: 65%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,14 @@ exit 0
%endif
%changelog
+* Fri Oct 8 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-65
+- Allow smbd sys_admin capability
+- Allow certmonger to search through directories that contain certs
+- Allow fail2ban the DAC Override so it can read log files owned by non root users
+- Allow boinc_project to use shm
+- Alllow vpnc to be able to read /root/.cert
+- Add mediawiki policy
+
* Tue Oct 5 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-64
- Allow smartd to read usr files
- Allow devicekit-power transition to dhcpc