From 04f749c8f0a7891a9ac8ff0b6aa6609d02c9b476 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jul 15 2015 09:45:00 +0000 Subject: * Wed Jul 15 2015 Lukas Vrabec 3.13.1-137 - inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t - Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib. --- diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index fcb9f3d..583900d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5208,7 +5208,7 @@ index f6eb485..164501c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..fc23c8a 100644 +index 6649962..4516b9a 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6218,26 +6218,19 @@ index 6649962..fc23c8a 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +804,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +804,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_t) --') -- --tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +tunable_policy(`httpd_use_nfs',` - fs_list_auto_mountpoints(httpd_t) -- fs_read_cifs_files(httpd_t) -- fs_read_cifs_symlinks(httpd_t) ++ fs_list_auto_mountpoints(httpd_t) + fs_manage_nfs_dirs(httpd_t) + fs_manage_nfs_files(httpd_t) + fs_manage_nfs_symlinks(httpd_t) - ') - --tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` -- fs_exec_cifs_files(httpd_t) ++') ++ + +optional_policy(` + tunable_policy(`httpd_use_nfs',` 
@@ -6245,35 +6238,52 @@ index 6649962..fc23c8a 100644 + ') ') --tunable_policy(`httpd_execmem',` -- allow httpd_t self:process { execmem execstack }; -+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` -+ fs_read_cifs_files(httpd_t) -+ fs_read_cifs_symlinks(httpd_t) + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +- fs_list_auto_mountpoints(httpd_t) + fs_read_cifs_files(httpd_t) + fs_read_cifs_symlinks(httpd_t) ') - tunable_policy(`httpd_can_sendmail',` -- corenet_sendrecv_smtp_client_packets(httpd_t) +-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_t) ++tunable_policy(`httpd_can_sendmail',` + # allow httpd to connect to mail servers - corenet_tcp_connect_smtp_port(httpd_t) ++ corenet_tcp_connect_smtp_port(httpd_t) ++ corenet_sendrecv_smtp_client_packets(httpd_t) ++ corenet_tcp_connect_pop_port(httpd_t) ++ corenet_sendrecv_pop_client_packets(httpd_t) + ') + +-tunable_policy(`httpd_execmem',` +- allow httpd_t self:process { execmem execstack }; +-') +- +-tunable_policy(`httpd_can_sendmail',` +- corenet_sendrecv_smtp_client_packets(httpd_t) +- corenet_tcp_connect_smtp_port(httpd_t) - corenet_tcp_sendrecv_smtp_port(httpd_t) - corenet_sendrecv_pop_client_packets(httpd_t) -+ corenet_sendrecv_smtp_client_packets(httpd_t) - corenet_tcp_connect_pop_port(httpd_t) +- corenet_tcp_connect_pop_port(httpd_t) - corenet_tcp_sendrecv_pop_port(httpd_t) - -+ corenet_sendrecv_pop_client_packets(httpd_t) - mta_send_mail(httpd_t) - mta_signal_system_mail(httpd_t) -+ postfix_rw_spool_maildrop_files(httpd_t) +- mta_send_mail(httpd_t) +- mta_signal_system_mail(httpd_t) ++optional_policy(` ++ tunable_policy(`httpd_can_sendmail',` ++ mta_send_mail(httpd_t) ++ mta_signal_system_mail(httpd_t) ++ ') ') --optional_policy(` + optional_policy(` - tunable_policy(`httpd_can_network_connect_zabbix',` - zabbix_tcp_connect(httpd_t) - ') --') -- ++ tunable_policy(`httpd_can_sendmail',` ++ 
postfix_rw_spool_maildrop_files(httpd_t) ++ ') + ') + -optional_policy(` - tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` - spamassassin_domtrans_client(httpd_t) @@ -6311,7 +6321,7 @@ index 6649962..fc23c8a 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +853,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +863,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6392,7 +6402,7 @@ index 6649962..fc23c8a 100644 ') optional_policy(` -@@ -749,24 +906,32 @@ optional_policy(` +@@ -749,24 +916,32 @@ optional_policy(` ') optional_policy(` @@ -6431,7 +6441,7 @@ index 6649962..fc23c8a 100644 ') optional_policy(` -@@ -775,6 +940,10 @@ optional_policy(` +@@ -775,6 +950,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6442,7 +6452,7 @@ index 6649962..fc23c8a 100644 ') optional_policy(` -@@ -786,35 +955,60 @@ optional_policy(` +@@ -786,35 +965,60 @@ optional_policy(` ') optional_policy(` @@ -6516,7 +6526,7 @@ index 6649962..fc23c8a 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1016,30 @@ optional_policy(` +@@ -822,8 +1026,30 @@ optional_policy(` ') optional_policy(` @@ -6547,7 +6557,7 @@ index 6649962..fc23c8a 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1048,8 @@ optional_policy(` +@@ -832,6 +1058,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6556,7 +6566,7 @@ index 6649962..fc23c8a 100644 ') optional_policy(` -@@ -842,20 +1060,40 @@ optional_policy(` +@@ -842,20 +1070,40 @@ optional_policy(` ') optional_policy(` @@ -6603,7 +6613,7 @@ index 6649962..fc23c8a 100644 ') optional_policy(` -@@ -863,16 +1101,31 @@ optional_policy(` +@@ -863,16 +1111,31 @@ optional_policy(` ') optional_policy(` 
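Review bot: The `httpd_can_sendmail` rules in the `@@ -6245` hunk (which begins on the previous line) are now spread over one bare `tunable_policy` block and two `optional_policy`-wrapped `tunable_policy` blocks, and nothing in apache.te records why one boolean is split three ways; the next reader will be tempted to fold them back together, which would make the module fail to build wherever the mta or postfix module is absent. A comment on the first wrapper such as `# mta_*/postfix_* are contrib interfaces; keep them inside optional_policy(), the corenet rules above are base` would preserve the intent the changelog states. Separately, the `corenet_tcp_sendrecv_smtp_port(httpd_t)` and `corenet_tcp_sendrecv_pop_port(httpd_t)` calls visible among the removed lines do not reappear on the new side as far as this collapsed hunk shows; if the connect interfaces in this tree do not already imply send/receive on those ports, the rewritten block grants less than before, so confirm the drop is intended or re-add them next to the connect calls.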
@@ -6623,21 +6633,21 @@ index 6649962..fc23c8a 100644 optional_policy(` smokeping_read_lib_files(httpd_t) + smokeping_read_pid_files(httpd_t) ++') ++ ++optional_policy(` ++ files_dontaudit_rw_usr_dirs(httpd_t) ++ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t) ') optional_policy(` - snmp_dontaudit_read_snmp_var_lib_files(httpd_t) - snmp_dontaudit_write_snmp_var_lib_files(httpd_t) -+ files_dontaudit_rw_usr_dirs(httpd_t) -+ snmp_dontaudit_manage_snmp_var_lib_files(httpd_t) -+') -+ -+optional_policy(` + thin_stream_connect(httpd_t) ') optional_policy(` -@@ -883,65 +1136,189 @@ optional_policy(` +@@ -883,65 +1146,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6849,7 +6859,7 @@ index 6649962..fc23c8a 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1327,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1337,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7004,7 +7014,7 @@ index 6649962..fc23c8a 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1411,107 @@ optional_policy(` +@@ -1083,172 +1421,107 @@ optional_policy(` ') ') @@ -7171,7 +7181,8 @@ index 6649962..fc23c8a 100644 -# -# System script local policy -# -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -allow httpd_sys_script_t self:tcp_socket { accept listen }; - -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; @@ -7187,8 +7198,7 @@ index 6649962..fc23c8a 100644 -kernel_read_kernel_sysctls(httpd_sys_script_t) - -fs_search_auto_mountpoints(httpd_sys_script_t) -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -files_read_var_symlinks(httpd_sys_script_t) -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) 
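Review bot: On the new side of the `@@ -6623` hunk, `files_dontaudit_rw_usr_dirs(httpd_t)` sits inside an `optional_policy` block whose only other call is `snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)`, so the /usr dontaudit is compiled in only when the snmp module is present. If the suppression is meant to apply to httpd unconditionally, the line belongs above the `optional_policy(` line as a bare `files_dontaudit_rw_usr_dirs(httpd_t)`; if it really is snmp-specific, a one-line comment stating that dependency would keep someone from hoisting it later. The block looks moved rather than newly written, so this may be pre-existing, but the move is a good moment to settle it.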
@@ -7242,7 +7252,7 @@ index 6649962..fc23c8a 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1519,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1529,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7339,7 +7349,7 @@ index 6649962..fc23c8a 100644 ######################################## # -@@ -1321,8 +1594,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1604,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7356,7 +7366,7 @@ index 6649962..fc23c8a 100644 ') ######################################## -@@ -1330,49 +1610,38 @@ optional_policy(` +@@ -1330,49 +1620,38 @@ optional_policy(` # User content local policy # @@ -7421,7 +7431,7 @@ index 6649962..fc23c8a 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1651,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1661,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -36113,7 +36123,7 @@ index eb87f23..d3d32c3 100644 init_labeled_script_domtrans($1, innd_initrc_exec_t) diff --git a/inn.te b/inn.te -index d39f0cc..889dfd5 100644 +index d39f0cc..d141652 100644 --- a/inn.te +++ b/inn.te @@ -15,6 +15,9 @@ files_config_file(innd_etc_t) @@ -36144,7 +36154,7 @@ index d39f0cc..889dfd5 100644 -setattr_files_pattern(innd_t, innd_log_t, innd_log_t) +manage_files_pattern(innd_t, innd_log_t, innd_log_t) +manage_dirs_pattern(innd_t, innd_log_t, innd_log_t) -+logging_log_filetrans(innd_t, innd_var_run_t, { dir file }) ++logging_log_filetrans(innd_t, innd_log_t, { dir file }) manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 792dfe9..cfcbbbf 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
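Review bot: In the inn.te hunk at `@@ -36144`, the corrected `logging_log_filetrans(innd_t, innd_log_t, { dir file })` only governs objects innd creates from now on; anything the daemon already created under /var/log while the previous `innd_var_run_t` transition was in effect keeps the wrong label until the tree is relabeled, and neither the hunk nor the changelog entry says so. Adding a sentence to the changelog such as `existing innd files/dirs created in /var/log by the old transition need a restorecon` would save an operator a confusing denial. The transition carries no name filter, so every dir or file innd creates directly in var_log_t becomes innd_log_t; that matches the `manage_dirs_pattern`/`manage_files_pattern` lines just above it, but if innd writes anything other than logs there a named transition would be tighter, which this hunk cannot show.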
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 136%{?dist}
+Release: 137%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,10 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jul 15 2015 Lukas Vrabec 3.13.1-137
+- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
+- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
+
 * Tue Jul 14 2015 Lukas Vrabec 3.13.1-136
 - Add samba_unconfined_script_exec_t to samba_admin header.
 - Add jabberd_lock_t label to jabberd_admin header.