[selinux-policy/f13/master] - Fix labeling for drupal - Allow ssh_keygen_t read and write a user TTYs and PTYs

Miroslav Grepl mgrepl at fedoraproject.org
Wed Apr 6 10:14:14 UTC 2011


commit c1cc4ae0e904f8fecd07e296332659a201833fe1
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Apr 6 12:14:52 2011 +0000

    - Fix labeling for drupal
    - Allow ssh_keygen_t to read and write user TTYs and PTYs

 policy-F13.patch    |   51 ++++++++++++++++++++++++++++++---------------------
 selinux-policy.spec |    6 +++++-
 2 files changed, 35 insertions(+), 22 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 1736ba9..a602f6f 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -16557,16 +16557,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.19/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/apache.fc	2010-07-13 07:55:52.000000000 +0000
-@@ -3,6 +3,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/apache.fc	2011-04-06 12:12:02.684000003 +0000
+@@ -2,7 +2,9 @@
+ 
  /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
- /etc/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+-/etc/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
++/etc/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
-@@ -24,7 +25,6 @@
+@@ -24,7 +26,6 @@
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
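Review bot: The new `/etc/drupal.*` pattern on the added line is a bare prefix match, so any entry under /etc whose name merely begins with `drupal` is relabeled `httpd_sys_rw_content_t` (web-server-writable content), whereas the replaced `/etc/drupal(/.*)?` matched only that directory and its contents. If the intent is to cover versioned package directories (presumably something like `/etc/drupal7`), a form such as `/etc/drupal[0-9]*(/.*)?` keeps the directory anchoring while still matching them. The same broadening appears in the `/usr/share/drupal.*` and `/var/lib/drupal.*` lines of the next hunk. A one-line comment above the first of these naming the directory layout being covered would record why the pattern was loosened.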
@@ -16574,23 +16577,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  /usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
  /usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
  /usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -43,7 +43,6 @@
+@@ -43,8 +44,7 @@
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
  
 -/usr/share/dirsrv(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /usr/share/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/usr/share/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/drupal.*				gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -74,6 +73,7 @@
+ /usr/share/mythweb(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+@@ -74,7 +74,8 @@
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+-/var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/dokuwiki(/.*)?         gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
- /var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
-@@ -86,7 +86,6 @@
+ /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
+@@ -86,7 +87,6 @@
  /var/log/cgiwrap\.log.*		--	gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/httpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
@@ -16598,7 +16605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +108,17 @@
+@@ -109,3 +109,17 @@
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -39679,7 +39686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te	2011-04-05 18:18:38.404000001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te	2011-04-06 12:03:25.085000001 +0000
 @@ -34,13 +34,12 @@
  ssh_server_template(sshd)
  init_daemon_domain(sshd_t, sshd_exec_t)
@@ -39977,12 +39984,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  domain_use_interactive_fds(ssh_keygen_t)
  
-@@ -397,6 +399,12 @@
+@@ -397,6 +399,13 @@
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 +userdom_search_admin_dir(ssh_keygen_t)
 +userdom_search_user_home_dirs(ssh_keygen_t)
++userdom_use_user_terminals(ssh_keygen_t)
 +
 +optional_policy(`
 +    nscd_socket_use(ssh_keygen_t)
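Review bot: `userdom_use_user_terminals(ssh_keygen_t)` on the added line grants the entire ssh_keygen_t domain read/write on every user tty and pty type, not only the terminal it inherits, and neither the hunk nor the commit message records what triggered it. The domain already has `domain_use_interactive_fds` a few lines above, which covers the inherited descriptor but not the terminal device type, so the new call is presumably for ssh-keygen prompting when run from a user session; a comment to that effect, e.g. `# ssh-keygen prompts on the caller's terminal when run interactively`, would make the grant reviewable later. If only one of the two device classes is actually needed, the narrower `userdom_use_user_ptys` or `userdom_use_user_ttys` interface would limit the exposure.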
@@ -45066,7 +45074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te	2011-03-25 08:41:51.030630001 +0000
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te	2011-04-06 12:08:10.106000001 +0000
 @@ -73,7 +73,7 @@
  #
  
@@ -45103,7 +45111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,13 +190,17 @@
+@@ -186,13 +190,18 @@
  
  allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
  dontaudit ipsec_mgmt_t self:capability sys_tty_config;
@@ -45118,11 +45126,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
  
 +allow ipsec_mgmt_t ipsec_t:process { rlimitinh  sigchld };
++allow ipsec_t ipsec_mgmt_t:process { rlimitinh  sigchld };
 +
  allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
  files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
  
-@@ -225,7 +233,6 @@
+@@ -225,7 +234,6 @@
  
  manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
  manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
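Review bot: The added `allow ipsec_t ipsec_mgmt_t:process { rlimitinh  sigchld };` is not mentioned in the commit message or in the spec %changelog entry, which list only the drupal labeling and the ssh_keygen_t change; the ipsec.te change should be named there or carried in its own commit. The rule mirrors the existing ipsec_mgmt_t to ipsec_t line directly above it, which suggests a process transition in the reverse direction as well (ipsec_t spawning something that runs as ipsec_mgmt_t), but nothing in the hunk says which program that is; a comment naming it, e.g. `# <helper> spawned by pluto runs as ipsec_mgmt_t and signals back on exit`, would document the pairing. The double space inside `{ rlimitinh  sigchld }` is copied from the line above; `{ rlimitinh sigchld }` is the usual spacing.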
@@ -45130,7 +45139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  # whack needs to connect to pluto
  stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -258,7 +265,13 @@
+@@ -258,7 +266,13 @@
  
  domain_use_interactive_fds(ipsec_mgmt_t)
  # denials when ps tries to search /proc. Do not audit these denials.
@@ -45145,7 +45154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  # suppress audit messages about unnecessary socket access
  # cjp: this seems excessive
  domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -270,19 +283,25 @@
+@@ -270,19 +284,25 @@
  files_read_usr_files(ipsec_mgmt_t)
  files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
  files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -45172,7 +45181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  logging_send_syslog_msg(ipsec_mgmt_t)
  
  miscfiles_read_localization(ipsec_mgmt_t)
-@@ -291,15 +310,38 @@
+@@ -291,15 +311,38 @@
  
  seutil_dontaudit_search_config(ipsec_mgmt_t)
  
@@ -45211,7 +45220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  	nscd_socket_use(ipsec_mgmt_t)
  ')
  
-@@ -386,6 +428,8 @@
+@@ -386,6 +429,8 @@
  
  sysnet_exec_ifconfig(racoon_t)
  
@@ -45220,7 +45229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +456,7 @@
+@@ -412,6 +457,7 @@
  files_read_etc_files(setkey_t)
  
  init_dontaudit_use_fds(setkey_t)
@@ -45228,7 +45237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  # allow setkey to set the context for ipsec SAs and policy.
  ipsec_setcontext_default_spd(setkey_t)
-@@ -423,3 +468,4 @@
+@@ -423,3 +469,4 @@
  seutil_read_config(setkey_t)
  
  userdom_use_user_terminals(setkey_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3ece179..b4e992d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 104%{?dist}
+Release: 105%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
 %endif
 
 %changelog
+* Wed Apr 6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-105
+- Fix labeling for drupal
+- Allow ssh_keygen_t read and write a user TTYs and PTYs
+
 * Tue Apr 5 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-104
 - Make matahari domains unconfined for now
 

