From 30bd7934a4a5783c0cdba2479fd893ee4001d13d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Dec 22 2010 11:44:56 +0000 Subject: - Allow apache to read cobbler lib files --- diff --git a/policy-F13.patch b/policy-F13.patch index bddb461..3a8918f 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -15986,7 +15986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-12-21 07:41:01.483041039 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-12-22 10:20:47.020041345 +0100 @@ -19,11 +19,13 @@ # Declarations # @@ -16339,17 +16339,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -514,6 +653,9 @@ +@@ -514,6 +653,12 @@ optional_policy(` cobbler_search_lib(httpd_t) ++ cobbler_list_config(httpd_t) ++ cobbler_read_config(httpd_t) ++ cobbler_read_lib_files(httpd_t) + tunable_policy(`httpd_can_network_connect_cobbler',` + corenet_tcp_connect_cobbler_port(httpd_t) + ') ') optional_policy(` -@@ -528,7 +670,18 @@ +@@ -528,7 +673,18 @@ daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -16369,7 +16372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +690,12 @@ +@@ -537,8 +693,12 @@ ') optional_policy(` @@ -16383,7 +16386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -556,7 +713,13 @@ +@@ -556,7 +716,13 @@ ') optional_policy(` 
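Review bot: The three calls added to the cobbler `optional_policy` block (`cobbler_list_config(httpd_t)`, `cobbler_read_config(httpd_t)`, `cobbler_read_lib_files(httpd_t)`) are granted unconditionally, whereas the network access directly below them is gated by the `httpd_can_network_connect_cobbler` tunable. Wherever the cobbler module is loaded, the web server domain can therefore read cobbler's configuration and lib content even when Apache is not serving cobbler, which widens what a compromised `httpd_t` process can reach; consider wrapping the calls in a `tunable_policy` block keyed on a dedicated boolean, or document why they must be unconditional. The commit subject and changelog mention only lib files, but config list and read access are added too; a comment above the calls such as `# cobbler web front end runs in httpd_t and reads cobbler config and lib content` would record the intent (the front-end rationale is inferred, so confirm it). `cobbler_list_config` may already be implied by `cobbler_read_config`, but the interface definitions are not visible in this hunk, so verify before dropping it.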
@@ -16397,7 +16400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +730,7 @@ +@@ -567,6 +733,7 @@ optional_policy(` nagios_read_config(httpd_t) @@ -16405,7 +16408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -577,12 +741,29 @@ +@@ -577,12 +744,29 @@ ') optional_policy(` @@ -16435,7 +16438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -591,6 +772,11 @@ +@@ -591,6 +775,11 @@ ') optional_policy(` @@ -16447,7 +16450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -618,6 +804,10 @@ +@@ -618,6 +807,10 @@ userdom_use_user_terminals(httpd_helper_t) @@ -16458,7 +16461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -699,17 +889,18 @@ +@@ -699,17 +892,18 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -16480,7 +16483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +931,21 @@ +@@ -740,10 +934,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -16503,7 +16506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +971,12 @@ +@@ -769,6 +974,12 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -16516,7 +16519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -791,10 +999,15 @@ +@@ -791,10 +1002,15 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -16532,7 +16535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +1016,28 @@ +@@ -803,6 +1019,28 @@ mta_send_mail(httpd_sys_script_t) ') @@ -16561,7 +16564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1065,16 @@ +@@ -830,6 +1068,16 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -16578,7 +16581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1087,7 @@ +@@ -842,6 +1090,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -16586,7 +16589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -891,11 +1137,33 @@ +@@ -891,11 +1140,33 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; diff --git a/selinux-policy.spec b/selinux-policy.spec index 284bf5b..50853c9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 79%{?dist} +Release: 80%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,9 @@ exit 0 %endif %changelog +* Wed Dec 22 2010 Miroslav Grepl 3.7.19-80 +- Allow apache to read cobbler lib files + * Tue Dec 21 2010 Miroslav Grepl 3.7.19-79 - Fix label for passenger log files