[selinux-policy/f20] * Wed Jul 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-176 - Allow apache to search ipa lib file
Lukas Vrabec
lvrabec at fedoraproject.org
Wed Jul 2 11:22:35 UTC 2014
commit 5766956f441842519ad08a78382391bf1a67b331
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Wed Jul 2 13:22:31 2014 +0200
* Wed Jul 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-176
- Allow apache to search ipa lib files by default
policy-f20-base.patch | 8 ++---
policy-f20-contrib.patch | 82 +++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 5 ++-
3 files changed, 59 insertions(+), 36 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index add160b..300776f 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -48981,7 +48981,7 @@ index e79d545..101086d 100644
')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..8fc985f 100644
+index 6e91317..018d0a6 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -49043,18 +49043,16 @@ index 6e91317..8fc985f 100644
define(`create_fifo_file_perms',`{ getattr create open }')
define(`rename_fifo_file_perms',`{ getattr rename }')
define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }')
+@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
define(`setattr_sock_file_perms',`{ setattr }')
define(`read_sock_file_perms',`{ getattr open read }')
define(`write_sock_file_perms',`{ getattr write open append }')
-define(`rw_sock_file_perms',`{ getattr open read write append }')
--define(`create_sock_file_perms',`{ getattr create open }')
+define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
+define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
-+define(`create_sock_file_perms',`{ getattr setattr create open }')
+ define(`create_sock_file_perms',`{ getattr create open }')
define(`rename_sock_file_perms',`{ getattr rename }')
define(`delete_sock_file_perms',`{ getattr unlink }')
- define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
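Review bot: The edit to the obj_perm_sets.spt part of this patch, where the inner `+define(`create_sock_file_perms',`{ getattr setattr create open }')` line is dropped and the original `define(`create_sock_file_perms',`{ getattr create open }')` becomes plain context, means the base patch no longer adds setattr to create_sock_file_perms, yet neither the commit message nor the new changelog entry mentions it. Because create_sock_file_perms is a shared permission set, this narrows every rule that uses it, and it appears to back out what the 3.12.1-175 entry ("If we can create a socket we need to be able to set the attributes") describes. If that is intended, record it in the %changelog, e.g. `- Drop setattr from create_sock_file_perms again`, or note why it is no longer required. The inner obj_perm_sets.spt hunk is only partly visible here.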
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index e57b279..a4a6124 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -4966,7 +4966,7 @@ index 83e899c..9426db5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..bce7760 100644
+index 1a82e29..17a51e3 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,381 @@
@@ -6192,7 +6192,7 @@ index 1a82e29..bce7760 100644
')
optional_policy(`
-@@ -781,34 +944,53 @@ optional_policy(`
+@@ -781,34 +944,57 @@ optional_policy(`
')
optional_policy(`
@@ -6206,6 +6206,10 @@ index 1a82e29..bce7760 100644
+')
+
+optional_policy(`
++ ipa_search_lib(httpd_t)
++')
++
++optional_policy(`
+ mirrormanager_manage_pid_files(httpd_t)
+ mirrormanager_read_lib_files(httpd_t)
+ mirrormanager_read_log(httpd_t)
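Review bot: The added `optional_policy(` block grants `ipa_search_lib(httpd_t)` unconditionally, while the other IPA-related access visible in apache.te is gated by `tunable_policy(`httpd_manage_ipa',` (see the next hunk); the commit message says "by default" is deliberate, but nothing in the policy records why search on ipa_var_lib_t must stay available when the tunable is off. A short comment above the call, e.g. `# search of ipa_var_lib_t is needed even when httpd_manage_ipa is off`, would keep a later cleanup from folding it into the tunable. If apache.te already has an ipa optional_policy block holding that tunable, putting the call there instead of in a standalone block keeps the IPA rules together. The surrounding optional_policy blocks begin and end outside this hunk.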
@@ -6257,7 +6261,7 @@ index 1a82e29..bce7760 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +998,18 @@ optional_policy(`
+@@ -816,8 +1002,18 @@ optional_policy(`
')
optional_policy(`
@@ -6276,7 +6280,7 @@ index 1a82e29..bce7760 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +1018,7 @@ optional_policy(`
+@@ -826,6 +1022,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6284,7 +6288,7 @@ index 1a82e29..bce7760 100644
')
optional_policy(`
-@@ -836,20 +1029,40 @@ optional_policy(`
+@@ -836,20 +1033,40 @@ optional_policy(`
')
optional_policy(`
@@ -6331,7 +6335,7 @@ index 1a82e29..bce7760 100644
')
optional_policy(`
-@@ -857,19 +1070,35 @@ optional_policy(`
+@@ -857,19 +1074,35 @@ optional_policy(`
')
optional_policy(`
@@ -6367,7 +6371,7 @@ index 1a82e29..bce7760 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1106,173 @@ optional_policy(`
+@@ -877,65 +1110,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6440,10 +6444,11 @@ index 1a82e29..bce7760 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache PHP script local policy
+#
+
@@ -6502,11 +6507,10 @@ index 1a82e29..bce7760 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache suexec local policy
#
@@ -6563,7 +6567,7 @@ index 1a82e29..bce7760 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1281,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1285,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6718,7 +6722,7 @@ index 1a82e29..bce7760 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1365,106 @@ optional_policy(`
+@@ -1077,172 +1369,106 @@ optional_policy(`
')
')
@@ -6740,11 +6744,11 @@ index 1a82e29..bce7760 100644
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
--
--append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+allow httpd_sys_script_t self:process getsched;
+-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@@ -6890,8 +6894,7 @@ index 1a82e29..bce7760 100644
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
@@ -6917,7 +6920,8 @@ index 1a82e29..bce7760 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6955,7 +6959,7 @@ index 1a82e29..bce7760 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1472,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1476,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7052,7 +7056,7 @@ index 1a82e29..bce7760 100644
########################################
#
-@@ -1315,8 +1547,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1551,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7069,7 +7073,7 @@ index 1a82e29..bce7760 100644
')
########################################
-@@ -1324,49 +1563,38 @@ optional_policy(`
+@@ -1324,49 +1567,38 @@ optional_policy(`
# User content local policy
#
@@ -7134,7 +7138,7 @@ index 1a82e29..bce7760 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1604,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1608,100 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -34562,10 +34566,10 @@ index 0000000..48d7322
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..a2af18e
+index 0000000..123e906
--- /dev/null
+++ b/ipa.if
-@@ -0,0 +1,76 @@
+@@ -0,0 +1,94 @@
+## <summary>Policy for IPA services.</summary>
+
+########################################
@@ -34614,6 +34618,24 @@ index 0000000..a2af18e
+## </summary>
+## </param>
+#
++interface(`ipa_search_lib',`
++ gen_require(`
++ type ipa_var_lib_t;
++ ')
++
++ search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++')
++
++########################################
++## <summary>
++## Allow domain to manage ipa lib files/dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`ipa_manage_lib',`
+ gen_require(`
+ type ipa_var_lib_t;
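Review bot: The new `ipa_search_lib` interface is inserted immediately below the `## </summary>` / `## </param>` / `#` block that previously headed `ipa_manage_lib`, so the summary now sitting above it (its opening lines are outside this hunk) most likely still says the interface manages ipa lib files; that wording should become something like `## Search ipa lib directories.` so the generated interface documentation matches, while the freshly added block correctly documents `ipa_manage_lib`. Separately, `search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)` only grants search on ipa_var_lib_t itself; if the sibling `ipa_manage_lib` also calls `files_search_var_lib($1)` so callers can reach the type through its parent directory, the search interface should do the same for consistency. The body of `ipa_manage_lib` continues past the end of the hunk.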
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f5087c9..db8bfc6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 175%{?dist}
+Release: 176%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jul 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-176
+- Allow apache to search ipa lib files by default
+
* Fri Jun 26 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-175
- Allow swift to connect to keystone and memcache ports
- If we can create a socket we need to be able to set the attributes