[selinux-policy/f16] * Tue Apr 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-86 - /var/spool/postfix/lib64 should be

Miroslav Grepl mgrepl at fedoraproject.org
Tue Apr 24 11:11:13 UTC 2012


commit dc0e77c5b49b3e58e9e958311ee1e441b5ec627f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Apr 24 13:10:53 2012 +0200

    * Tue Apr 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-86
    - /var/spool/postfix/lib64 should be labeled lib_t
    - Add filename transitions for system conf files to make sure they will have system_conf
    - Allow all user domains to setexec
    - Allow systemd_tmpfiles_t to getattr all pipes and sockets
    - Allow l2tpd to use pseudo terminals
    - Allow l2tpd to bind all udp rpc ports
    - Allow dnsmasq to read virt lib lnk files
    - Allow cobbler to get SELinux mode and booleans
    - Add labels for drupal content
    - Allow fenced to read snmp var lib files

 policy-F16.patch    |  306 ++++++++++++++++++++++++++++++++-------------------
 selinux-policy.spec |   14 ++-
 2 files changed, 207 insertions(+), 113 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 441c676..ac7ec1f 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -16790,7 +16790,7 @@ index 6a1e4d1..3ded83e 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..5781edf 100644
+index fae1ab1..9b821b9 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -16886,7 +16886,7 @@ index fae1ab1..5781edf 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -158,5 +198,220 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +198,222 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -16895,6 +16895,8 @@ index fae1ab1..5781edf 100644
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
 +
++files_filetrans_system_conf_named_files(unconfined_domain_type)
++
 +storage_filetrans_all_named_dev(unconfined_domain_type)
 +
 +term_filetrans_all_named_dev(unconfined_domain_type)
@@ -16908,7 +16910,7 @@ index fae1ab1..5781edf 100644
 +')
 +
 +optional_policy(`
-+	apache_filetrans_home_content(unconfined_domain_type)
++	apache_filetrans_named_content(unconfined_domain_type)
 +')
 +
 +optional_policy(`
@@ -17222,7 +17224,7 @@ index c19518a..12e8e9c 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..a7c1eed 100644
+index ff006ea..8e785c1 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -17661,7 +17663,7 @@ index ff006ea..a7c1eed 100644
  ')
  
  ########################################
-@@ -3900,82 +4115,195 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,82 +4115,223 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -17724,14 +17726,15 @@ index ff006ea..a7c1eed 100644
  
 -	allow $1 tmp_t:dir getattr;
 +    manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
++	files_filetrans_system_conf_named_files($1)
  ')
  
 -########################################
-+######################################
++#####################################
  ## <summary>
 -##	Do not audit attempts to get the
 -##	attributes of the tmp directory (/tmp).
-+##  Relabel manageable system configuration files in /etc.
++##  File name transition for system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
 -##	<summary>
@@ -17746,13 +17749,22 @@ index ff006ea..a7c1eed 100644
 -	gen_require(`
 -		type tmp_t;
 -	')
-+interface(`files_relabelto_system_conf_files',`
++interface(`files_filetrans_system_conf_named_files',`
 +    gen_require(`
-+        type usr_t;
++        type etc_t, system_conf_t;
 +    ')
  
 -	dontaudit $1 tmp_t:dir getattr;
-+    relabelto_files_pattern($1, system_conf_t, system_conf_t)
++	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
++	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
  ')
  
 -########################################
@@ -17774,16 +17786,34 @@ index ff006ea..a7c1eed 100644
 -	gen_require(`
 -		type tmp_t;
 -	')
-+interface(`files_relabelfrom_system_conf_files',`
++interface(`files_relabelto_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
  
 -	allow $1 tmp_t:dir search_dir_perms;
-+    relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
++    relabelto_files_pattern($1, system_conf_t, system_conf_t)
  ')
  
 -########################################
++######################################
++## <summary>
++##  Relabel manageable system configuration files in /etc.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`files_relabelfrom_system_conf_files',`
++    gen_require(`
++        type usr_t;
++    ')
++
++    relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
++')
++
 +###################################
 +## <summary>
 +##  Create files in /etc with the type used for
@@ -17902,7 +17932,7 @@ index ff006ea..a7c1eed 100644
  ## <summary>
  ##	Do not audit attempts to search the tmp directory (/tmp).
  ## </summary>
-@@ -4017,7 +4345,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4373,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17911,7 +17941,7 @@ index ff006ea..a7c1eed 100644
  ##	</summary>
  ## </param>
  #
-@@ -4029,6 +4357,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4385,24 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -17936,7 +17966,7 @@ index ff006ea..a7c1eed 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4085,6 +4431,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4459,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -17969,7 +17999,7 @@ index ff006ea..a7c1eed 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4139,6 +4511,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,6 +4539,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -18012,7 +18042,7 @@ index ff006ea..a7c1eed 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +4610,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4638,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18021,7 +18051,7 @@ index ff006ea..a7c1eed 100644
  ##	</summary>
  ## </param>
  #
-@@ -4262,7 +4670,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4698,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18030,7 +18060,7 @@ index ff006ea..a7c1eed 100644
  ##	</summary>
  ## </param>
  #
-@@ -4318,7 +4726,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4754,7 @@ interface(`files_tmp_filetrans',`
  		type tmp_t;
  	')
  
@@ -18039,7 +18069,7 @@ index ff006ea..a7c1eed 100644
  ')
  
  ########################################
-@@ -4342,6 +4750,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4778,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -18056,7 +18086,7 @@ index ff006ea..a7c1eed 100644
  ')
  
  ########################################
-@@ -4681,7 +5099,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5127,7 @@ interface(`files_usr_filetrans',`
  		type usr_t;
  	')
  
@@ -18065,7 +18095,7 @@ index ff006ea..a7c1eed 100644
  ')
  
  ########################################
-@@ -5084,7 +5502,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5530,7 @@ interface(`files_var_filetrans',`
  		type var_t;
  	')
  
@@ -18074,7 +18104,7 @@ index ff006ea..a7c1eed 100644
  ')
  
  ########################################
-@@ -5219,7 +5637,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5665,7 @@ interface(`files_var_lib_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -18083,7 +18113,7 @@ index ff006ea..a7c1eed 100644
  ')
  
  ########################################
-@@ -5259,6 +5677,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5259,6 +5705,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -18109,7 +18139,7 @@ index ff006ea..a7c1eed 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5304,6 +5741,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5769,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -18135,7 +18165,7 @@ index ff006ea..a7c1eed 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5317,6 +5773,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5801,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18144,7 +18174,7 @@ index ff006ea..a7c1eed 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5336,12 +5794,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5822,14 @@ interface(`files_dontaudit_search_locks',`
  		type var_lock_t;
  	')
  
@@ -18160,7 +18190,7 @@ index ff006ea..a7c1eed 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5349,12 +5809,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5837,30 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -18193,7 +18223,7 @@ index ff006ea..a7c1eed 100644
  ')
  
  ########################################
-@@ -5373,6 +5851,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5879,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -18201,7 +18231,7 @@ index ff006ea..a7c1eed 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5385,7 +5864,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5892,6 @@ interface(`files_rw_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -18209,7 +18239,7 @@ index ff006ea..a7c1eed 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5412,7 +5890,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5918,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18218,7 +18248,7 @@ index ff006ea..a7c1eed 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5428,12 +5906,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5934,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -18235,7 +18265,7 @@ index ff006ea..a7c1eed 100644
  ')
  
  ########################################
-@@ -5452,7 +5930,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5958,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18244,7 +18274,7 @@ index ff006ea..a7c1eed 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5493,7 +5971,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5999,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18253,7 +18283,7 @@ index ff006ea..a7c1eed 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5993,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +6021,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18262,7 +18292,7 @@ index ff006ea..a7c1eed 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +6025,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6053,8 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -18273,7 +18303,7 @@ index ff006ea..a7c1eed 100644
  ')
  
  ########################################
-@@ -5608,6 +6086,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +6114,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -18317,7 +18347,7 @@ index ff006ea..a7c1eed 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5629,26 +6144,27 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,16 +6172,35 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -18335,39 +18365,17 @@ index ff006ea..a7c1eed 100644
  #
 -interface(`files_list_pids',`
 +interface(`files_dontaudit_search_all_pids',`
- 	gen_require(`
--		type var_t, var_run_t;
-+		attribute pidfile;
- 	')
- 
--	list_dirs_pattern($1, var_t, var_run_t)
-+	dontaudit $1 pidfile:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read generic process ID files.
-+##	List the contents of the runtime process
-+##	ID directories (/var/run).
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5656,7 +6172,25 @@ interface(`files_list_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_read_generic_pids',`
-+interface(`files_list_pids',`
 +	gen_require(`
-+		type var_t, var_run_t;
++		attribute pidfile;
 +	')
 +
-+	list_dirs_pattern($1, var_t, var_run_t)
++	dontaudit $1 pidfile:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Read generic process ID files.
++##	List the contents of the runtime process
++##	ID directories (/var/run).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -18375,11 +18383,11 @@ index ff006ea..a7c1eed 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_read_generic_pids',`
++interface(`files_list_pids',`
  	gen_require(`
  		type var_t, var_run_t;
  	')
-@@ -5736,7 +6270,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6298,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -18388,7 +18396,7 @@ index ff006ea..a7c1eed 100644
  ')
  
  ########################################
-@@ -5815,6 +6349,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,6 +6377,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -18505,7 +18513,7 @@ index ff006ea..a7c1eed 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5832,6 +6476,62 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6504,62 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -18568,7 +18576,7 @@ index ff006ea..a7c1eed 100644
  ')
  
  ########################################
-@@ -5900,6 +6600,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5900,6 +6628,90 @@ interface(`files_delete_all_pid_dirs',`
  
  ########################################
  ## <summary>
@@ -18659,7 +18667,7 @@ index ff006ea..a7c1eed 100644
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -6042,7 +6826,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6854,7 @@ interface(`files_spool_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -18668,7 +18676,7 @@ index ff006ea..a7c1eed 100644
  ')
  
  ########################################
-@@ -6117,3 +6901,302 @@ interface(`files_unconfined',`
+@@ -6117,3 +6929,302 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -21955,17 +21963,14 @@ index be4de58..7e8b6ec 100644
  init_exec(secadm_t)
  
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..e47e0f0 100644
+index 2be17d2..2825cdf 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
+@@ -8,12 +8,52 @@ policy_module(staff, 2.2.0)
  role staff_r;
  
  userdom_unpriv_user_template(staff)
 +fs_exec_noxattr(staff_t)
-+
-+# needed for sandbox
-+allow staff_t self:process setexec;
  
  ########################################
  #
@@ -22014,7 +22019,7 @@ index 2be17d2..e47e0f0 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,19 +70,107 @@ optional_policy(`
+@@ -27,19 +67,107 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22124,7 +22129,7 @@ index 2be17d2..e47e0f0 100644
  ')
  
  optional_policy(`
-@@ -48,10 +179,52 @@ optional_policy(`
+@@ -48,10 +176,52 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22177,7 +22182,7 @@ index 2be17d2..e47e0f0 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -89,18 +262,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +259,10 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22196,7 +22201,7 @@ index 2be17d2..e47e0f0 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -121,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +283,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22207,7 +22212,7 @@ index 2be17d2..e47e0f0 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +298,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +295,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22218,7 +22223,7 @@ index 2be17d2..e47e0f0 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +329,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +326,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -22227,7 +22232,7 @@ index 2be17d2..e47e0f0 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..37cd589 100644
+index e14b961..eee5d0c 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -24,20 +24,52 @@ ifndef(`enable_mls',`
@@ -22295,7 +22300,7 @@ index e14b961..37cd589 100644
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
-+	apache_filetrans_home_content(sysadm_t)
++	apache_filetrans_named_content(sysadm_t)
  	#apache_run_all_scripts(sysadm_t, sysadm_r)
  	#apache_domtrans_sys_script(sysadm_t)
 -	apache_role(sysadm_r, sysadm_t)
@@ -25356,7 +25361,7 @@ index deca9d3..ac92fce 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..a9021c8 100644
+index 9e39aa5..a5571ff 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -1,21 +1,30 @@
@@ -25470,7 +25475,7 @@ index 9e39aa5..a9021c8 100644
  
  ifdef(`distro_debian', `
  /var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -105,7 +125,27 @@ ifdef(`distro_debian', `
+@@ -105,7 +125,30 @@ ifdef(`distro_debian', `
  
  /var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
@@ -25482,6 +25487,9 @@ index 9e39aa5..a9021c8 100644
 +
 +/var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +
++/var/www/html/[^/]*/sites/default/settings\.php	-- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++/var/www/html/[^/]*/sites/default/files(/.*)? 	gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++
 +/var/www/html/configuration\.php 	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
 +/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
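Review bot: Labeling `sites/default/settings\.php` as `httpd_sys_rw_content_t` makes the Drupal configuration file, which carries the database credentials, writable by the web server domain, whereas the writable `files(/.*)?` directory is what the running site needs; if the rw label is chosen so the installer can write the file, say so in a comment (`# settings.php is rw for the Drupal installer`) so a later cleanup does not silently drop it, and otherwise consider leaving it at the default content label. Two style nits on the same two lines: `gen_context(…, s0)` has a space after the comma while every neighbouring entry uses `,s0)`, and the `files(/.*)?` line carries a stray space before its tab.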
@@ -25499,7 +25507,7 @@ index 9e39aa5..a9021c8 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..e12bbc0 100644
+index 6480167..6ecc96d 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
 @@ -13,17 +13,13 @@
@@ -26077,7 +26085,7 @@ index 6480167..e12bbc0 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1406,69 @@ interface(`apache_admin',`
+@@ -1205,14 +1406,91 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -26104,6 +26112,8 @@ index 6480167..e12bbc0 100644
 +		allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
 +		allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
 +	')
++
++	apache_filetrans_named_content($1)
 +')
 +
 +########################################
@@ -26139,6 +26149,26 @@ index 6480167..e12bbc0 100644
 +##	</summary>
 +## </param>
 +#
++interface(`apache_filetrans_named_content',`
++	gen_require(`
++		type httpd_sys_content_t, httpd_sys_rw_content_t;
++	')
++
++
++	apache_filetrans_home_content($1)
++	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
++')
++
++########################################
++## <summary>
++##	Transition to apache home content
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`apache_filetrans_home_content',`
 +	gen_require(`
 +		type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
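Review bot: The new `apache_filetrans_named_content` interface sits directly under the existing doc block whose `## </param>` and `#` lines form the context at the top of this hunk, and that block was written for `apache_filetrans_home_content` — the freshly added doc block a few lines later repeats "Transition to apache home content" for the home-content interface — so the named-content interface is presumably documented as a home-content transition; its summary should read something like `##	Transition to apache named content (home content plus settings.php).` There is also a double blank line between `gen_require` and the body of the new interface. Since the previous hunk makes `apache_admin` call `apache_filetrans_named_content($1)`, admin domains now also get the `settings.php` transition into `httpd_sys_rw_content_t`, which deserves a word in `apache_admin`'s doc block.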
@@ -31195,7 +31225,7 @@ index 116d60f..82306eb 100644
 +	')
  ')
 diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..c6dcdfe 100644
+index 0258b48..b011fcf 100644
 --- a/policy/modules/services/cobbler.te
 +++ b/policy/modules/services/cobbler.te
 @@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -31336,7 +31366,7 @@ index 0258b48..c6dcdfe 100644
  miscfiles_read_localization(cobblerd_t)
  miscfiles_read_public_files(cobblerd_t)
  
-+selinux_dontaudit_read_fs(cobblerd_t)
++selinux_get_enforce_mode(cobblerd_t)
 +
  sysnet_read_config(cobblerd_t)
  sysnet_rw_dhcp_config(cobblerd_t)
@@ -36847,7 +36877,7 @@ index 9bd812b..982c0ea 100644
 +	dnsmasq_systemctl($1)
  ')
 diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..b1ea136 100644
+index fdaeeba..1a2a666 100644
 --- a/policy/modules/services/dnsmasq.te
 +++ b/policy/modules/services/dnsmasq.te
 @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -36906,9 +36936,11 @@ index fdaeeba..b1ea136 100644
  ')
  
  optional_policy(`
-@@ -114,4 +135,5 @@ optional_policy(`
+@@ -113,5 +134,7 @@ optional_policy(`
+ 
  optional_policy(`
  	virt_manage_lib_files(dnsmasq_t)
++	virt_read_lib_files(dnsmasq_t)
  	virt_read_pid_files(dnsmasq_t)
 +	virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
  ')
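Review bot: `virt_read_lib_files(dnsmasq_t)` is added right after `virt_manage_lib_files(dnsmasq_t)`, which already covers reading regular files, so the new call only earns its place if the read interface also grants `lnk_file` access, as the changelog entry ("read virt lib lnk files") suggests. If that is the reason, record it, e.g. `# virt_read_lib_files also covers the symlinks under the virt lib dir`; if the read interface does not cover symlinks in this tree, a dedicated read-symlinks interface is what is needed instead. The enclosing `optional_policy` block is shown in full, but the file continues outside the hunk.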
@@ -42717,10 +42749,10 @@ index 0000000..cd14d24
 +')
 diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
 new file mode 100644
-index 0000000..d3ce22f
+index 0000000..5d5f56e
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.te
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,97 @@
 +policy_module(l2tpd, 1.0.0)
 +
 +########################################
@@ -42786,6 +42818,7 @@ index 0000000..d3ce22f
 +corenet_udp_sendrecv_generic_node(l2tpd_t)
 +
 +corenet_tcp_bind_all_rpc_ports(l2tpd_t)
++corenet_udp_bind_all_rpc_ports(l2tpd_t)
 +corenet_udp_bind_generic_port(l2tpd_t)
 +
 +corenet_udp_bind_l2tp_port(l2tpd_t)
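Review bot: `corenet_udp_bind_all_rpc_ports(l2tpd_t)` is a broad grant — it lets the daemon bind every UDP port carrying an RPC port type, on top of the TCP variant directly above it and `corenet_udp_bind_generic_port` below — and nothing in the hunk records why an L2TP daemon needs the RPC range in addition to its own `l2tp` port. A comment such as `# needs RPC-range UDP ports because <reason>` would let the next reviewer judge the grant; the changelog line alone does not explain it. This is a new file in the inner patch, and its body continues on both sides of the hunk.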
@@ -42805,6 +42838,8 @@ index 0000000..d3ce22f
 +
 +files_read_etc_files(l2tpd_t)
 +
++term_use_ptmx(l2tpd_t)
++
 +logging_send_syslog_msg(l2tpd_t)
 +
 +miscfiles_read_localization(l2tpd_t)
@@ -47594,7 +47629,7 @@ index 386543b..9cb5afa 100644
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
-index 2324d9e..4f46ff8 100644
+index 2324d9e..da53904 100644
 --- a/policy/modules/services/networkmanager.if
 +++ b/policy/modules/services/networkmanager.if
 @@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -47669,7 +47704,7 @@ index 2324d9e..4f46ff8 100644
  ##	Send a generic signal to NetworkManager
  ## </summary>
  ## <param name="domain">
-@@ -191,3 +236,96 @@ interface(`networkmanager_read_pid_files',`
+@@ -191,3 +236,109 @@ interface(`networkmanager_read_pid_files',`
  	files_search_pids($1)
  	allow $1 NetworkManager_var_run_t:file read_file_perms;
  ')
@@ -47753,6 +47788,7 @@ index 2324d9e..4f46ff8 100644
 +interface(`networkmanager_filetrans_named_content',`
 +	gen_require(`
 +		type NetworkManager_var_run_t;
++		type NetworkManager_var_lib_t;
 +	')
 +
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf")
@@ -47765,6 +47801,18 @@ index 2324d9e..4f46ff8 100644
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf")
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf")
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
++	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
++	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
++	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
++	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
 index 0619395..293aaca 100644
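Review bot: The filename in the last added transition, `"wireed-settings.conf"`, looks like a typo; its sibling is `"wireless-settings.conf"`, so the intended name is presumably `wired-settings.conf`, and as written the transition never fires for the real file, which then keeps the directory's label. The new `nm-dhclient-emN.conf` entries also differ from the existing `nm-dhclient.-ethN.conf` entries by the `.` before the dash, so one of the two spellings presumably does not match what NetworkManager actually writes — worth confirming against a live system. Unlike the pid transitions, the three `files_etc_filetrans` lines label files created in `etc_t` as `NetworkManager_var_lib_t`, which callers of this interface may not expect; a short comment above them stating why would help.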
@@ -55960,7 +56008,7 @@ index de37806..a21e737 100644
 +	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
 diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..8c29c39 100644
+index 93c896a..7893efb 100644
 --- a/policy/modules/services/rhcs.te
 +++ b/policy/modules/services/rhcs.te
 @@ -6,13 +6,22 @@ policy_module(rhcs, 1.1.0)
@@ -56040,7 +56088,7 @@ index 93c896a..8c29c39 100644
  
  can_exec(fenced_t, fenced_exec_t)
  
-@@ -82,8 +95,13 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -82,13 +95,19 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -56054,7 +56102,21 @@ index 93c896a..8c29c39 100644
  corenet_tcp_connect_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
-@@ -105,8 +123,24 @@ tunable_policy(`fenced_can_network_connect',`
+ dev_read_urand(fenced_t)
+ 
++files_read_usr_files(fenced_t)
+ files_read_usr_symlinks(fenced_t)
+ 
+ storage_raw_read_fixed_disk(fenced_t)
+@@ -97,6 +116,7 @@ storage_raw_read_removable_device(fenced_t)
+ 
+ term_getattr_pty_fs(fenced_t)
+ term_use_ptmx(fenced_t)
++term_use_generic_ptys(fenced_t)
+ 
+ auth_use_nsswitch(fenced_t)
+ 
+@@ -105,8 +125,28 @@ tunable_policy(`fenced_can_network_connect',`
  ')
  
  optional_policy(`
@@ -56077,13 +56139,23 @@ index 93c896a..8c29c39 100644
 +optional_policy(`
  	ccs_read_config(fenced_t)
 -	ccs_stream_connect(fenced_t)
++')
++
++optional_policy(`
++	gnome_read_generic_data_home_files(fenced_t)
  ')
  
  optional_policy(`
-@@ -114,13 +148,37 @@ optional_policy(`
+@@ -114,13 +154,43 @@ optional_policy(`
  	lvm_read_config(fenced_t)
  ')
  
++optional_policy(`
++	snmp_read_snmp_var_lib_dirs(fenced_t)
++	snmp_read_snmp_var_lib_files(fenced_t)
++')
++
++
 +#######################################
 +#
 +# foghorn local policy
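Review bot: `gnome_read_generic_data_home_files(fenced_t)` gives a cluster fencing daemon read access to users' GNOME data files under home directories, which is unusual for a system daemon and is not mentioned in the changelog; if this comes from a fence agent that reads a tool's settings from a home-like path, add a comment naming it, e.g. `# <agent> reads its settings from HOME`, otherwise a narrower interface would be preferable. The new snmp `optional_policy` block is also followed by two consecutive blank lines where the file otherwise uses one.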
@@ -56119,7 +56191,7 @@ index 93c896a..8c29c39 100644
  allow gfs_controld_t self:shm create_shm_perms;
  allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
-@@ -139,10 +197,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +209,6 @@ storage_getattr_removable_dev(gfs_controld_t)
  init_rw_script_tmp_files(gfs_controld_t)
  
  optional_policy(`
@@ -56130,7 +56202,7 @@ index 93c896a..8c29c39 100644
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
  ')
-@@ -154,9 +208,10 @@ optional_policy(`
+@@ -154,9 +220,10 @@ optional_policy(`
  
  allow groupd_t self:capability { sys_nice sys_resource };
  allow groupd_t self:process setsched;
@@ -56142,7 +56214,7 @@ index 93c896a..8c29c39 100644
  dev_list_sysfs(groupd_t)
  
  files_read_etc_files(groupd_t)
-@@ -168,8 +223,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,8 +235,7 @@ init_rw_script_tmp_files(groupd_t)
  # qdiskd local policy
  #
  
@@ -56152,7 +56224,7 @@ index 93c896a..8c29c39 100644
  allow qdiskd_t self:tcp_socket create_stream_socket_perms;
  allow qdiskd_t self:udp_socket create_socket_perms;
  
-@@ -199,6 +253,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
+@@ -199,6 +265,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
  files_dontaudit_getattr_all_pipes(qdiskd_t)
  files_read_etc_files(qdiskd_t)
  
@@ -56161,7 +56233,7 @@ index 93c896a..8c29c39 100644
  storage_raw_read_removable_device(qdiskd_t)
  storage_raw_write_removable_device(qdiskd_t)
  storage_raw_read_fixed_disk(qdiskd_t)
-@@ -207,10 +263,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -207,10 +275,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
  auth_use_nsswitch(qdiskd_t)
  
  optional_policy(`
@@ -56172,7 +56244,7 @@ index 93c896a..8c29c39 100644
  	netutils_domtrans_ping(qdiskd_t)
  ')
  
-@@ -223,18 +275,28 @@ optional_policy(`
+@@ -223,18 +287,28 @@ optional_policy(`
  # rhcs domains common policy
  #
  
@@ -71988,7 +72060,7 @@ index ddbd8be..8ba922e 100644
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..5b99ce0 100644
+index 560dc48..964d353 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -28,7 +28,9 @@ ifdef(`distro_redhat',`
@@ -72292,7 +72364,7 @@ index 560dc48..5b99ce0 100644
  ') dnl end distro_redhat
  
  #
-@@ -312,17 +305,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -312,17 +305,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -72319,6 +72391,7 @@ index 560dc48..5b99ce0 100644
 +/usr/share/squeezeboxserver/CPAN/arch/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/var/spool/postfix/lib(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
++/var/spool/postfix/lib64(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 -/var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
 +/var/spool/postfix/lib/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
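Review bot: The new `/var/spool/postfix/lib64(/.*)?` rule labels the whole directory `lib_t`, but the dynamic-loader rule right below it was already narrowed by this patch from `lib(64)?/ld.*\.so.*` to `lib/ld.*\.so.*`, so unless a matching `lib64/ld.*\.so.*` entry exists further down (outside this hunk) a 64-bit `ld-linux` copied into the postfix chroot would now be `lib_t` instead of `ld_so_t`. Worth checking and, if missing, adding `/var/spool/postfix/lib64/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)` next to the `lib/` variant.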
@@ -77050,10 +77123,10 @@ index 0000000..1688a39
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..75fc546
+index 0000000..d0fcf7c
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,391 @@
+@@ -0,0 +1,393 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -77277,6 +77350,8 @@ index 0000000..75fc546
 +files_read_etc_files(systemd_tmpfiles_t)
 +files_getattr_all_dirs(systemd_tmpfiles_t)
 +files_getattr_all_files(systemd_tmpfiles_t)
++files_getattr_all_sockets(systemd_tmpfiles_t)
++files_getattr_all_symlinks(systemd_tmpfiles_t)
 +files_relabel_all_lock_dirs(systemd_tmpfiles_t)
 +files_relabel_all_pid_dirs(systemd_tmpfiles_t)
 +files_relabel_all_pid_files(systemd_tmpfiles_t)
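Review bot: The changelog says systemd_tmpfiles_t is allowed to getattr all pipes and sockets, but the hunk adds `files_getattr_all_sockets` and `files_getattr_all_symlinks` — no pipes interface. Either the pipes interface (`files_getattr_all_pipes`, if that is its name in this tree) was meant in place of symlinks, or the symlink grant is the real one and the changelog should say so. The systemd_tmpfiles_t block continues outside the hunk.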
@@ -78659,7 +78734,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..11fb936 100644
+index 4b2878a..48bc324 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -79532,7 +79607,14 @@ index 4b2878a..11fb936 100644
  
  	userdom_change_password_template($1)
  
-@@ -736,72 +915,80 @@ template(`userdom_login_user_template', `
+@@ -730,78 +909,86 @@ template(`userdom_login_user_template', `
+ 	allow $1_t self:capability { setgid chown fowner };
+ 	dontaudit $1_t self:capability { sys_nice fsetid };
+ 
+-	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
++	allow $1_t self:process ~{ ptrace setcurrent setrlimit execmem execstack execheap };
+ 	dontaudit $1_t self:process setrlimit;
+ 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
  	allow $1_t self:context contains;
  
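Review bot: The rewritten `allow $1_t self:process ~{ … }` line does two things but the changelog records only one: removing `setexec` from the excluded set grants setexec to every login user domain (which is why the per-staff rule is dropped in the staff.te hunk), and adding `ptrace` to the excluded set silently takes self-ptrace away from all login user domains. If the ptrace change is intended it needs its own changelog line and a comment; if not, the line should be `allow $1_t self:process ~{ setcurrent setrlimit execmem execstack execheap };`. The broad setexec grant is still bounded by the existing transition and entrypoint rules, but the reason given in staff.te ("needed for sandbox") is lost in the move, so a comment such as `# setexec: needed for sandbox (previously staff-only)` would preserve it. The template continues outside the hunk.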
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d8628b2..428dd52 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 85%{?dist}
+Release: 86%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,18 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Apr 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-86
+- /var/spool/postfix/lib64 should be labeled lib_t
+- Add filename transitions for system conf files to make sure they will have system_conf
+- Allow all user domains to setexec
+- Allow systemd_tmpfiles_t to getattr all pipes and sockets
+- Allow l2tpd to use pseudo terminals
+- Allow l2tpd to bind all udp rpc ports
+- Allow dnsmasq to read virt lib lnk files
+- Allow cobbler to get SELinux mode and booleans
+- Add labels for drupal content
+- Allow fenced to read snmp var lib files
+
 * Fri Apr 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-85
 - Add ~/.orc as a gstreamer_home_t
 - Allow mcelog to exec shel

