[selinux-policy/f13/master] - Fix labeling for drupal - Allow ssh_keygen_t read and write a user TTYs and PTYs
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Apr 6 10:14:14 UTC 2011
commit c1cc4ae0e904f8fecd07e296332659a201833fe1
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Apr 6 12:14:52 2011 +0000
- Fix labeling for drupal
- Allow ssh_keygen_t to read and write user TTYs and PTYs
policy-F13.patch | 51 ++++++++++++++++++++++++++++++---------------------
selinux-policy.spec | 6 +++++-
2 files changed, 35 insertions(+), 22 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 1736ba9..a602f6f 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -16557,16 +16557,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.19/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/apache.fc 2010-07-13 07:55:52.000000000 +0000
-@@ -3,6 +3,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/apache.fc 2011-04-06 12:12:02.684000003 +0000
+@@ -2,7 +2,9 @@
+
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
- /etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/etc/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
-@@ -24,7 +25,6 @@
+@@ -24,7 +26,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
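Review bot: The replacement pattern `/etc/drupal.*` is a prefix match (file-context regexes are anchored at both ends), so besides `/etc/drupal` and any `/etc/drupalN` directory it also labels every other `/etc` entry whose name merely begins with `drupal` as httpd_sys_rw_content_t, a type httpd is allowed to write to. If the intent is the versioned package directories, `/etc/drupal[0-9]*(/.*)?` keeps the match limited to those while still covering the old path. The same prefix form is used for `/usr/share/drupal.*` and `/var/lib/drupal.*` in the next hunk, and the same narrowing applies there.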
@@ -16574,23 +16577,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -43,7 +43,6 @@
+@@ -43,8 +44,7 @@
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -74,6 +73,7 @@
+ /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+@@ -74,7 +74,8 @@
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
- /var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-@@ -86,7 +86,6 @@
+ /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+@@ -86,7 +87,6 @@
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -16598,7 +16605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +108,17 @@
+@@ -109,3 +109,17 @@
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -39679,7 +39686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-04-05 18:18:38.404000001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-04-06 12:03:25.085000001 +0000
@@ -34,13 +34,12 @@
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
@@ -39977,12 +39984,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
domain_use_interactive_fds(ssh_keygen_t)
-@@ -397,6 +399,12 @@
+@@ -397,6 +399,13 @@
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+userdom_search_admin_dir(ssh_keygen_t)
+userdom_search_user_home_dirs(ssh_keygen_t)
++userdom_use_user_terminals(ssh_keygen_t)
+
+optional_policy(`
+ nscd_socket_use(ssh_keygen_t)
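Review bot: The added `userdom_use_user_terminals(ssh_keygen_t)` grants read/write on all user TTY and PTY device nodes with no comment recording which invocation needs it, and the commit message only restates the grant. A one-line comment above it naming the use case (if it is interactive ssh-keygen runs from a user shell, `# interactive ssh-keygen prompts on the caller's TTY/PTY`) would let a later reviewer judge whether the grant can be narrowed. If this tree has a variant of the interface limited to inherited terminal descriptors, that would be the tighter choice; I cannot confirm from the hunk whether one is available at this policy version. The optional_policy block opened at the end of the hunk continues outside it.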
@@ -45066,7 +45074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2011-03-25 08:41:51.030630001 +0000
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2011-04-06 12:08:10.106000001 +0000
@@ -73,7 +73,7 @@
#
@@ -45103,7 +45111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,13 +190,17 @@
+@@ -186,13 +190,18 @@
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
@@ -45118,11 +45126,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
++allow ipsec_t ipsec_mgmt_t:process { rlimitinh sigchld };
+
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -225,7 +233,6 @@
+@@ -225,7 +234,6 @@
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
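Review bot: The new rule `allow ipsec_t ipsec_mgmt_t:process { rlimitinh sigchld };` is not mentioned in the commit message or in the changelog entry, which list only the drupal labeling and the ssh_keygen_t terminal change; a third bullet naming the ipsec change belongs in both. The rule widens what ipsec_t may do toward ipsec_mgmt_t and mirrors the existing line directly above it, so it presumably serves a transition in the opposite direction, but the hunk does not say which. A short comment above the pair stating which spawn each rule covers would make that verifiable instead of inferred.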
@@ -45130,7 +45139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -258,7 +265,13 @@
+@@ -258,7 +266,13 @@
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
@@ -45145,7 +45154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -270,19 +283,25 @@
+@@ -270,19 +284,25 @@
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -45172,7 +45181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
logging_send_syslog_msg(ipsec_mgmt_t)
miscfiles_read_localization(ipsec_mgmt_t)
-@@ -291,15 +310,38 @@
+@@ -291,15 +311,38 @@
seutil_dontaudit_search_config(ipsec_mgmt_t)
@@ -45211,7 +45220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
nscd_socket_use(ipsec_mgmt_t)
')
-@@ -386,6 +428,8 @@
+@@ -386,6 +429,8 @@
sysnet_exec_ifconfig(racoon_t)
@@ -45220,7 +45229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +456,7 @@
+@@ -412,6 +457,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -45228,7 +45237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-@@ -423,3 +468,4 @@
+@@ -423,3 +469,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3ece179..b4e992d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 104%{?dist}
+Release: 105%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
%endif
%changelog
+* Wed Apr 6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-105
+- Fix labeling for drupal
+- Allow ssh_keygen_t read and write a user TTYs and PTYs
+
* Tue Apr 5 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-104
- Make matahari domains unconfined for now