[selinux-policy/f20] * Wed Jul 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-176 - Allow apache to search ipa lib file

Lukas Vrabec lvrabec at fedoraproject.org
Wed Jul 2 11:22:35 UTC 2014


commit 5766956f441842519ad08a78382391bf1a67b331
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Wed Jul 2 13:22:31 2014 +0200

    * Wed Jul 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-176
    - Allow apache to search ipa lib files by default

 policy-f20-base.patch    |    8 ++---
 policy-f20-contrib.patch |   82 +++++++++++++++++++++++++++++-----------------
 selinux-policy.spec      |    5 ++-
 3 files changed, 59 insertions(+), 36 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index add160b..300776f 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -48981,7 +48981,7 @@ index e79d545..101086d 100644
  ')
  
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..8fc985f 100644
+index 6e91317..018d0a6 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -49043,18 +49043,16 @@ index 6e91317..8fc985f 100644
  define(`create_fifo_file_perms',`{ getattr create open }')
  define(`rename_fifo_file_perms',`{ getattr rename }')
  define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }')
+@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
  define(`setattr_sock_file_perms',`{ setattr }')
  define(`read_sock_file_perms',`{ getattr open read }')
  define(`write_sock_file_perms',`{ getattr write open append }')
 -define(`rw_sock_file_perms',`{ getattr open read write append }')
--define(`create_sock_file_perms',`{ getattr create open }')
 +define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
 +define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
-+define(`create_sock_file_perms',`{ getattr setattr create open }')
+ define(`create_sock_file_perms',`{ getattr create open }')
  define(`rename_sock_file_perms',`{ getattr rename }')
  define(`delete_sock_file_perms',`{ getattr unlink }')
- define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
 @@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
  define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
  define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index e57b279..a4a6124 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -4966,7 +4966,7 @@ index 83e899c..9426db5 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..bce7760 100644
+index 1a82e29..17a51e3 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,381 @@
@@ -6192,7 +6192,7 @@ index 1a82e29..bce7760 100644
  ')
  
  optional_policy(`
-@@ -781,34 +944,53 @@ optional_policy(`
+@@ -781,34 +944,57 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6206,6 +6206,10 @@ index 1a82e29..bce7760 100644
 +')
 +
 +optional_policy(`
++    ipa_search_lib(httpd_t)
++')
++
++optional_policy(`
 +	mirrormanager_manage_pid_files(httpd_t)
 +	mirrormanager_read_lib_files(httpd_t)
 +	mirrormanager_read_log(httpd_t)
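Review bot: The new `++    ipa_search_lib(httpd_t)` line is indented with four spaces while the neighbouring optional_policy bodies (the `mirrormanager_*` lines directly below) use a tab; `\tipa_search_lib(httpd_t)` keeps apache.te consistent. This grants httpd_t search on ipa_var_lib_t unconditionally, whereas the broader ipa access a few hunks down sits under the `httpd_manage_ipa` tunable, so a one-line comment above the block stating why search is needed by default would help the next reader decide whether later denials belong under the tunable or here. The enclosing apache.te optional_policy region starts and ends outside this hunk.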
@@ -6257,7 +6261,7 @@ index 1a82e29..bce7760 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +998,18 @@ optional_policy(`
+@@ -816,8 +1002,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6276,7 +6280,7 @@ index 1a82e29..bce7760 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -826,6 +1018,7 @@ optional_policy(`
+@@ -826,6 +1022,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6284,7 +6288,7 @@ index 1a82e29..bce7760 100644
  ')
  
  optional_policy(`
-@@ -836,20 +1029,40 @@ optional_policy(`
+@@ -836,20 +1033,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6331,7 +6335,7 @@ index 1a82e29..bce7760 100644
  ')
  
  optional_policy(`
-@@ -857,19 +1070,35 @@ optional_policy(`
+@@ -857,19 +1074,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6367,7 +6371,7 @@ index 1a82e29..bce7760 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -877,65 +1106,173 @@ optional_policy(`
+@@ -877,65 +1110,173 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6440,10 +6444,11 @@ index 1a82e29..bce7760 100644
 -',`
 -	userdom_dontaudit_use_user_terminals(httpd_helper_t)
 +	userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+ 
+ ########################################
+ #
+-# Suexec local policy
 +# Apache PHP script local policy
 +#
 +
@@ -6502,11 +6507,10 @@ index 1a82e29..bce7760 100644
 +	tunable_policy(`httpd_can_network_connect_db',`
 +		postgresql_tcp_connect(httpd_php_t)
 +	')
- ')
- 
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
 +# Apache suexec local policy
  #
  
@@ -6563,7 +6567,7 @@ index 1a82e29..bce7760 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -944,123 +1281,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1285,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6718,7 +6722,7 @@ index 1a82e29..bce7760 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1365,106 @@ optional_policy(`
+@@ -1077,172 +1369,106 @@ optional_policy(`
  	')
  ')
  
@@ -6740,11 +6744,11 @@ index 1a82e29..bce7760 100644
 -allow httpd_script_domains self:unix_stream_socket connectto;
 -
 -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
--
--append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
 +allow httpd_sys_script_t self:process getsched;
  
+-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
 -
@@ -6890,8 +6894,7 @@ index 1a82e29..bce7760 100644
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 -
 -dontaudit httpd_sys_script_t httpd_config_t:dir search;
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- 
+-
 -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
 -
 -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
@@ -6917,7 +6920,8 @@ index 1a82e29..bce7760 100644
 -	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
 -	corenet_tcp_connect_pop_port(httpd_sys_script_t)
 -	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ 
 -	mta_send_mail(httpd_sys_script_t)
 -	mta_signal_system_mail(httpd_sys_script_t)
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6955,7 +6959,7 @@ index 1a82e29..bce7760 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1472,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1476,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -7052,7 +7056,7 @@ index 1a82e29..bce7760 100644
  
  ########################################
  #
-@@ -1315,8 +1547,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1551,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7069,7 +7073,7 @@ index 1a82e29..bce7760 100644
  ')
  
  ########################################
-@@ -1324,49 +1563,38 @@ optional_policy(`
+@@ -1324,49 +1567,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7134,7 +7138,7 @@ index 1a82e29..bce7760 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1604,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1608,100 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -34562,10 +34566,10 @@ index 0000000..48d7322
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..a2af18e
+index 0000000..123e906
 --- /dev/null
 +++ b/ipa.if
-@@ -0,0 +1,76 @@
+@@ -0,0 +1,94 @@
 +## <summary>Policy for IPA services.</summary>
 +
 +########################################
@@ -34614,6 +34618,24 @@ index 0000000..a2af18e
 +##	</summary>
 +## </param>
 +#
++interface(`ipa_search_lib',`
++	gen_require(`
++		type ipa_var_lib_t;
++	')
++
++    search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Allow domain to manage ipa lib files/dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`ipa_manage_lib',`
 +	gen_require(`
 +		type ipa_var_lib_t;
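Review bot: In the new `ipa_search_lib` interface the `++    search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)` line is indented with four spaces while the `gen_require` body just above it uses a tab; `\tsearch_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)` matches the rest of ipa.if. The XML doc block whose tail (`</param>` / `#`) forms the context at the top of this hunk was presumably written for `ipa_manage_lib`, which the new interface is inserted in front of; confirm its summary now describes search-only access, since the hunk only adds a fresh "manage ipa lib files/dirs" block below for `ipa_manage_lib`. The start of that doc block lies outside the hunk.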
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f5087c9..db8bfc6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 175%{?dist}
+Release: 176%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jul 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-176
+- Allow apache to search ipa lib files by default
+
 * Fri Jun 26 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-175
 - Allow swift to connect to keystone and memcache ports
 - If we can create a socket we need to be able to set the attributes

