From 389dfed62c9dc88efc67149f0ea0c9daa9f1801e Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Feb 04 2011 11:15:22 +0000 Subject: - dirsrv needs to be able to create /var/lib/snmp - Fix labeling for dirsrv - Fix for dirsrv policy missing manage_dirs_pattern - corosync needs to delete clvm_tmpfs_t files - qdiskd needs to list hugetlbfs --- diff --git a/policy-F13.patch b/policy-F13.patch index 551d0df..6c6ff05 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -163,6 +163,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere .SH BOOLEANS .PP +diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.7.19/man/man8/httpd_selinux.8 +--- nsaserefpolicy/man/man8/httpd_selinux.8 2010-04-13 18:44:36.000000000 +0000 ++++ serefpolicy-3.7.19/man/man8/httpd_selinux.8 2011-02-02 10:43:48.036796001 +0000 +@@ -28,9 +28,9 @@ + .EE + - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. + .EX +-httpd_sys_content_rw_t ++httpd_sys_rw_content_t + .EE +-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. ++- Set files with httpd_sys_rw_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. + .EX + httpd_sys_content_ra_t + .EE diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.7.19/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/flask/access_vectors 2011-01-19 18:02:35.000000000 +0000 
@@ -3495,7 +3510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.7.19/policy/modules/apps/awstats.te --- nsaserefpolicy/policy/modules/apps/awstats.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/apps/awstats.te 2010-07-13 07:35:08.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/apps/awstats.te 2011-02-02 10:47:23.009796002 +0000 @@ -45,6 +45,7 @@ dev_read_urand(awstats_t) @@ -3504,6 +3519,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats. files_read_etc_files(awstats_t) # e.g. /usr/share/awstats/lang/awstats-en.txt files_read_usr_files(awstats_t) +@@ -70,6 +71,10 @@ + nscd_dontaudit_search_pid(awstats_t) + ') + ++optional_policy(` ++ squid_read_log(awstats_t) ++') ++ + ######################################## + # + # awstats cgi script policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.7.19/policy/modules/apps/cdrecord.te --- nsaserefpolicy/policy/modules/apps/cdrecord.te 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/apps/cdrecord.te 2010-11-23 09:23:24.000000000 +0000 @@ -9724,7 +9750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-01-28 17:49:08.663455001 +0000 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-02-04 10:57:54.385796000 +0000 @@ -25,6 +25,7 @@ # type tun_tap_device_t; 
@@ -9828,7 +9854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(nmbd, udp,137,s0, udp,138,s0) network_port(ntp, udp,123,s0) +network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0) -+network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) ++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) @@ -11869,7 +11895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2011-01-18 16:41:41.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2011-02-04 09:52:43.632796001 +0000 @@ -559,6 +559,24 @@ ######################################## @@ -11908,11 +11934,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') - allow $1 cifs_t:filesystem getattr; -+ allow $1 cgroup_t:filesystem getattr; - ') - - ######################################## - ## +-') +- +-######################################## +-## -## list dirs on cgroup -## file systems. -## @@ -11929,10 +11954,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy - ') - - list_dirs_pattern($1, cgroup_t, cgroup_t) --') -- --######################################## --## ++ allow $1 cgroup_t:filesystem getattr; + ') + + ######################################## + ## -## Do not audit attempts to read -## dirs on a CIFS or SMB filesystem. +## list dirs on cgroup 
@@ -12176,7 +12202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read and write hugetlbfs files. ## ## -@@ -1847,6 +1992,24 @@ +@@ -1847,6 +1992,42 @@ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -12198,10 +12224,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) +') + ++####################################### ++## ++## List hugetlbfs dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_list_hugetlbfs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $1 hugetlbfs_t:dir list_dir_perms; ++') ++ ######################################## ## ## Allow the type to associate to hugetlbfs filesystems. -@@ -1899,6 +2062,7 @@ +@@ -1899,6 +2080,7 @@ ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -12209,7 +12253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2295,6 +2459,25 @@ +@@ -2295,6 +2477,25 @@ ######################################## ## @@ -12235,7 +12279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Append files ## on a NFS filesystem. ## -@@ -2333,6 +2516,24 @@ +@@ -2333,6 +2534,24 @@ dontaudit $1 nfs_t:file append_file_perms; ') @@ -12260,7 +12304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Do not audit attempts to read or -@@ -2349,7 +2550,7 @@ +@@ -2349,7 +2568,7 @@ type nfs_t; ') @@ -12269,7 +12313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2537,6 +2738,24 @@ +@@ -2537,6 +2756,24 @@ ######################################## ## 
@@ -12294,7 +12338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read removable storage symbolic links. ## ## -@@ -2745,7 +2964,7 @@ +@@ -2745,7 +2982,7 @@ ######################################### ## ## Create, read, write, and delete symbolic links @@ -12303,7 +12347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -3812,6 +4031,24 @@ +@@ -3812,6 +4049,24 @@ rw_files_pattern($1, tmpfs_t, tmpfs_t) ') @@ -12328,7 +12372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Read tmpfs link files. -@@ -3870,6 +4107,24 @@ +@@ -3870,6 +4125,24 @@ ######################################## ## @@ -12353,7 +12397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4432,6 +4687,44 @@ +@@ -4432,6 +4705,44 @@ ######################################## ## @@ -12398,7 +12442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Do not audit attempts to get the attributes ## of all files with a filesystem type. ## -@@ -4549,3 +4842,24 @@ +@@ -4549,3 +4860,24 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -16666,7 +16710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2011-01-31 13:57:28.691455001 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2011-02-04 10:58:08.393796000 +0000 @@ -19,11 +19,13 @@ # Declarations # 
@@ -17147,14 +17191,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_sendrecv_mssql_client_packets(httpd_suexec_t) + + -+ corenet_tcp_connect_oracledb_port(httpd_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_t) -+ corenet_tcp_connect_oracledb_port(httpd_php_t) -+ corenet_tcp_connect_oracledb_port(httpd_suexec_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_suexec_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_php_t) -+ corenet_tcp_connect_oracledb_port(httpd_sys_script_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_oracle_port(httpd_t) ++ corenet_sendrecv_oracle_client_packets(httpd_t) ++ corenet_tcp_connect_oracle_port(httpd_php_t) ++ corenet_tcp_connect_oracle_port(httpd_suexec_t) ++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t) ++ corenet_sendrecv_oracle_client_packets(httpd_php_t) ++ corenet_tcp_connect_oracle_port(httpd_sys_script_t) ++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) + ') @@ -20589,8 +20633,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-11-08 14:05:45.000000000 +0000 -@@ -0,0 +1,145 @@ ++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2011-02-03 10:42:14.750796002 +0000 +@@ -0,0 +1,146 @@ + +policy_module(corosync,1.0.0) + @@ -20716,6 +20760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + +optional_policy(` + lvm_rw_clvmd_tmpfs_files(corosync_t) ++ lvm_delete_clvmd_tmpfs_files(corosync_t) +') + +optional_policy(` 
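Review bot: The added `lvm_delete_clvmd_tmpfs_files(corosync_t)` in the corosync optional_policy block is redundant with the `lvm_rw_clvmd_tmpfs_files(corosync_t)` call directly above it, because that interface as carried in this patch already contains `allow $1 clvmd_tmpfs_t:file unlink;` (visible in the lvm.if hunk of this same commit). If the rw interface keeps its unlink rule this line grants nothing new; if the intent is to separate reading/writing from deleting, the unlink should be moved out of the rw interface in the same change so each interface name matches what it grants. Either way corosync_t should call only one of the two. The rest of corosync_t's policy is outside the hunk.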
@@ -22716,9 +22761,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +dirsrv_read_share(httpd_dirsrvadmin_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.fc serefpolicy-3.7.19/policy/modules/services/dirsrv.fc --- nsaserefpolicy/policy/modules/services/dirsrv.fc 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/dirsrv.fc 2010-11-15 13:19:02.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.fc 2011-02-03 10:10:05.611796000 +0000 @@ -0,0 +1,20 @@ -+/etc/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_config_t,s0) ++/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) + +/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) +/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0) 
@@ -22726,18 +22771,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) + -+/usr/share/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_share_t,s0) ++/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0) + -+/var/run/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_run_t,s0) ++/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) +/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0) + -+/var/lib/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_lib_t,s0) ++/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0) + -+/var/lock/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_lock_t,s0) ++/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0) + -+/var/log/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_log_t,s0) ++/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0) + -+/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) ++/var/log/dirsrv/ldap-agent\.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.if serefpolicy-3.7.19/policy/modules/services/dirsrv.if --- nsaserefpolicy/policy/modules/services/dirsrv.if 1970-01-01 00:00:00.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/dirsrv.if 2011-01-20 11:07:54.000000000 +0000 
@@ -22956,8 +23001,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.7.19/policy/modules/services/dirsrv.te --- nsaserefpolicy/policy/modules/services/dirsrv.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2011-01-31 10:53:20.942455001 +0000 -@@ -0,0 +1,182 @@ ++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2011-02-03 10:11:55.317796001 +0000 +@@ -0,0 +1,185 @@ +policy_module(dirsrv,1.0.0) + +######################################## 
@@ -23019,19 +23064,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) +fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file) + -+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file }) + ++manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) +manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) +manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) +allow dirsrv_t dirsrv_var_log_t:dir { setattr }; +logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir }) + ++manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) +manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) -+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file }) -+ +manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) ++files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file }) + +manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) +manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) @@ -23133,7 +23180,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +optional_policy(` + snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t) + snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t) -+ snmp_append_snmp_var_lib_files(dirsrv_snmp_t) ++ snmp_manage_var_lib_dirs(dirsrv_snmp_t) ++ snmp_manage_var_lib_files(dirsrv_snmp_t) + snmp_stream_connect(dirsrv_snmp_t) +') + 
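Review bot: With `manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)` now added, the retained `allow dirsrv_t dirsrv_var_log_t:dir { setattr };` two lines below is subsumed (manage_dir_perms already includes setattr) and can be dropped to keep the block minimal. The var_run part looks consistent: `files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })` now matches the `manage_dirs_pattern` added above it and the `/var/run/dirsrv(/.*)?` fc entry elsewhere in this commit. The dirsrv_t policy continues past the end of the hunk.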
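Review bot: Replacing `snmp_append_snmp_var_lib_files(dirsrv_snmp_t)` with `snmp_manage_var_lib_dirs` and `snmp_manage_var_lib_files` leaves the two `snmp_dontaudit_*_snmp_var_lib_files(dirsrv_snmp_t)` lines kept above them dead, since a domain granted manage on snmpd_var_lib_t no longer produces the read/write denials those rules suppress; they should go in the same change. The grant is also much wider than the changelog's "needs to be able to create /var/lib/snmp": full create/rename/delete over everything labeled snmpd_var_lib_t, which, as far as this diff shows, is also where snmpd_t itself creates its files (`files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, ...)` in the snmp.te hunk). If the agent only needs its own directory plus append access to its persistent file, keeping `snmp_manage_var_lib_dirs(dirsrv_snmp_t)` and restoring `snmp_append_snmp_var_lib_files(dirsrv_snmp_t)` would be the least-privilege shape; worth confirming against the actual AVCs. The dirsrv_snmp_t block continues outside the hunk.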
@@ -25155,6 +25203,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local hald dccm policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.7.19/policy/modules/services/hddtemp.te +--- nsaserefpolicy/policy/modules/services/hddtemp.te 2010-04-13 18:44:36.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/hddtemp.te 2011-02-02 09:11:41.768796000 +0000 +@@ -31,6 +31,7 @@ + files_read_usr_files(hddtemp_t) + + storage_raw_read_fixed_disk(hddtemp_t) ++storage_raw_read_removable_device(hddtemp_t) + + logging_send_syslog_msg(hddtemp_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.19/policy/modules/services/icecast.if --- nsaserefpolicy/policy/modules/services/icecast.if 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/icecast.if 2010-09-16 12:50:20.000000000 +0000 @@ -34779,8 +34838,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-11-10 08:52:06.000000000 +0000 -@@ -0,0 +1,259 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-02-03 10:44:54.678796002 +0000 +@@ -0,0 +1,261 @@ + +policy_module(rhcs,1.1.0) + @@ -35002,6 +35061,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +files_dontaudit_getattr_all_sockets(qdiskd_t) +files_dontaudit_getattr_all_pipes(qdiskd_t) + ++fs_list_hugetlbfs(qdiskd_t) ++ +auth_use_nsswitch(qdiskd_t) + +files_read_etc_files(qdiskd_t) 
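Review bot: `fs_list_hugetlbfs(qdiskd_t)` grants directory listing on hugetlbfs mounts, but nothing in the diff shows qdiskd having a reason to look inside hugetlbfs; if the denial came from qdiskd walking all mount points (the context lines just above already dontaudit getattr on all sockets and pipes for the same reason), a `dontaudit qdiskd_t hugetlbfs_t:dir list_dir_perms;`-style rule via a dontaudit interface would be the tighter fix. If the listing is genuinely needed, note that `fs_list_hugetlbfs` as added in filesystem.if grants only `hugetlbfs_t:dir list_dir_perms`, so a statfs() on the mount would still be denied on `filesystem getattr`; confirm against the AVCs before settling on the interface. The qdiskd_t policy continues beyond this hunk.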
@@ -36556,7 +36617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.19/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2010-05-28 07:42:00.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2011-02-04 09:45:50.268796002 +0000 @@ -20,6 +20,9 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -36616,17 +36677,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -148,7 +155,9 @@ +@@ -148,7 +155,10 @@ ') optional_policy(` + postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) + postfix_domtrans_postqueue(sendmail_t) ++ postfix_rw_local_pipes(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') -@@ -167,6 +176,10 @@ +@@ -167,6 +177,10 @@ ') optional_policy(` @@ -36637,7 +36699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send udev_read_db(sendmail_t) ') -@@ -182,5 +195,6 @@ +@@ -182,5 +196,6 @@ optional_policy(` mta_etc_filetrans_aliases(unconfined_sendmail_t) @@ -37018,8 +37080,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.19/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2010-04-13 18:44:36.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/snmp.if 2010-11-15 16:53:35.000000000 +0000 -@@ -62,11 +62,32 @@ ++++ serefpolicy-3.7.19/policy/modules/services/snmp.if 2011-02-03 10:15:52.305796002 +0000 +@@ -62,11 +62,71 @@ type snmpd_var_lib_t; ') 
@@ -37029,6 +37091,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ') ++###################################### ++## ++## Manage snmpd libraries directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`snmp_manage_var_lib_dirs',` ++ gen_require(` ++ type snmpd_var_lib_t; ++ ') ++ ++ allow $1 snmpd_var_lib_t:dir manage_dir_perms; ++ files_var_lib_filetrans($1, snmpd_var_lib_t, dir) ++') ++ +####################################### +## +## Append snmpd libraries. @@ -37049,10 +37130,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp + append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) +') + ++##################################### ++## ++## Manage snmpd libraries files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`snmp_manage_var_lib_files',` ++ gen_require(` ++ type snmpd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 snmpd_var_lib_t:dir list_dir_perms; ++ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ++') ++ ######################################## ## ## dontaudit Read snmpd libraries. -@@ -83,7 +104,7 @@ +@@ -83,7 +143,7 @@ ') dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; dontaudit $1 snmpd_var_lib_t:file read_file_perms; @@ -37061,7 +37162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp ') ######################################## -@@ -128,7 +149,7 @@ +@@ -128,7 +188,7 @@ type snmpd_initrc_exec_t; ') 
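Review bot: In the new `snmp_manage_var_lib_files` interface the line `allow $1 snmpd_var_lib_t:dir list_dir_perms;` is redundant: `manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)` already grants rw_dir_perms on the directory, a superset of it. The `#####` rules above both new interfaces are shorter than the rule used by the neighbouring interfaces in this file and should be padded to match. Since these interfaces hand out full create/delete over snmpd_var_lib_t, the type snmpd_t itself writes under /var/lib, their summary lines could say so explicitly, e.g. `## Create, read, write, and delete snmpd state files under /var/lib.`, so callers do not reach for them when append would do.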
@@ -37072,7 +37173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp init_labeled_script_domtrans($1, snmpd_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.19/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-04-13 18:44:36.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/snmp.te 2010-12-01 10:26:42.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/snmp.te 2011-02-03 10:16:49.264796002 +0000 @@ -25,14 +25,15 @@ # # Local policy @@ -37091,6 +37192,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp allow snmpd_t snmpd_log_t:file manage_file_perms; logging_log_filetrans(snmpd_t, snmpd_log_t, file) +@@ -42,7 +43,7 @@ + manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) + files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) + files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) +-files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) ++files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file }) + + manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) + files_pid_filetrans(snmpd_t, snmpd_var_run_t, file) @@ -98,6 +99,7 @@ storage_dontaudit_read_fixed_disk(snmpd_t) @@ -44089,7 +44199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.19/policy/modules/system/lvm.if --- nsaserefpolicy/policy/modules/system/lvm.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-09-02 11:55:45.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2011-02-03 10:53:53.597796001 +0000 @@ -34,7 +34,7 @@ type lvm_exec_t; ') 
@@ -44099,7 +44209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if can_exec($1, lvm_exec_t) ') -@@ -123,3 +123,22 @@ +@@ -123,3 +123,40 @@ corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -44122,9 +44232,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if + allow $1 clvmd_tmpfs_t:file rw_file_perms; + allow $1 clvmd_tmpfs_t:file unlink; +') ++ ++######################################## ++## ++## Delete lvm temporary file system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_delete_clvmd_tmpfs_files',` ++ gen_require(` ++ type clvmd_tmpfs_t; ++ ') ++ ++ allow $1 clvmd_tmpfs_t:file unlink; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.19/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2010-09-02 11:43:13.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2011-02-03 10:53:43.756796001 +0000 @@ -13,6 +13,9 @@ type clvmd_initrc_exec_t; init_script_file(clvmd_initrc_exec_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 66e51d9..005d181 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 88%{?dist} +Release: 89%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -181,7 +181,7 @@ fi %define loadpolicy() \ ( cd /usr/share/selinux/%1; \ -semodule -b base.pp.bz2 -i %2 -s %1; \ +semodule -r oracle-port -b base.pp.bz2 -i %2 -s %1 2>&1 | grep -v "oracle-port"; \ ); \ %define relabel() \ 
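Review bot: The new `lvm_delete_clvmd_tmpfs_files` grants only `clvmd_tmpfs_t:file unlink`, which is not sufficient on its own: unlinking also needs `remove_name` (and search) on the containing directory, which this interface does not give. The conventional form is `delete_files_pattern($1, clvmd_tmpfs_t, clvmd_tmpfs_t)` if the files live in a clvmd_tmpfs_t directory, or the corresponding tmpfs directory interface if they sit directly in tmpfs_t; which one applies is not visible here. The interface also duplicates the `allow $1 clvmd_tmpfs_t:file unlink;` already present in `lvm_rw_clvmd_tmpfs_files` just above it; moving that line out of the rw interface into this one would make both names honest. The summary `## Delete lvm temporary file system.` reads as deleting the filesystem; `## Delete clvmd temporary file system files.` is what it does.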
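Review bot: Piping `semodule ... 2>&1 | grep -v "oracle-port"` in %loadpolicy discards semodule's exit status (the subshell now returns grep's, and `grep -v` exits 1 whenever nothing survives the filter) and hides every diagnostic that happens to mention oracle-port, not just the expected "not found" message on hosts without that module. It also ties the base/module install to the removal within one semodule invocation; whether a failed `-r` aborts the following `-b`/`-i` commands depends on semodule's handling of a missing module, which this diff cannot show. Safer to do the removal as a separate best-effort step and leave the install line as it was: `semodule -r oracle-port -s %1 >/dev/null 2>&1; \` followed by the original `semodule -b base.pp.bz2 -i %2 -s %1; \`. A one-line comment in the spec stating why oracle-port is removed (presumably it now collides with the oracle port type declared in base policy by this same commit) would also help the next packager.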
@@ -471,6 +471,13 @@ exit 0 %endif %changelog +* Fri Feb 4 2011 Miroslav Grepl 3.7.19-89 +- dirsrv needs to be able to create /var/lib/snmp +- Fix labeling for dirsrv +- Fix for dirsrv policy missing manage_dirs_pattern +- corosync needs to delete clvm_tmpfs_t files +- qdiskd needs to list hugetlbfs + * Tue Feb 1 2011 Miroslav Grepl 3.7.19-88 - Add label for /var/www/cgi-bin/apcgui