From 4dea06b10972a2cd610699b96218bbae6f4b4c8e Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Nov 13 2012 16:22:46 +0000 Subject: - httpd needs to send signull to openshift init script - Allow prelink_cron_system_t to overide user componant when cp -a- - Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd - Allow setuid/setgid for cupsd-config - New ypbind pkg wants to search /var/run which is caused by sd_notify --- diff --git a/policy-F16.patch b/policy-F16.patch index dcb3be5..2f1e6f9 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -2555,10 +2555,18 @@ index 93ec175..0e42018 100644 ') ') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..ec838bd 100644 +index af55369..76fc186 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te -@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) +@@ -18,6 +18,7 @@ type prelink_cron_system_t; + type prelink_cron_system_exec_t; + domain_type(prelink_cron_system_t) + domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t) ++domain_obj_id_change_exemption(prelink_cron_system_t) + + type prelink_log_t; + logging_log_file(prelink_log_t) +@@ -36,7 +37,7 @@ files_type(prelink_var_lib_t) # Local policy # @@ -2567,7 +2575,7 @@ index af55369..ec838bd 100644 allow prelink_t self:process { execheap execmem execstack signal }; allow prelink_t self:fifo_file rw_fifo_file_perms; -@@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) +@@ -59,10 +60,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) 
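Review bot: `domain_obj_id_change_exemption(prelink_cron_system_t)` is added to the declarations block without a comment, and the only explanation is the changelog wording "overide user componant when cp -a". As far as I recall this interface exempts the domain from the object-identity constraints for every object class they cover, not just the prelink cache files, so the reason belongs next to the call: `# cp -a preserves the SELinux user field of copied files; let the cron job set a user other than its own`. The remaining prelink_cron_system_t rules are outside this hunk.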
@@ -2580,7 +2588,7 @@ index af55369..ec838bd 100644 kernel_read_system_state(prelink_t) kernel_read_kernel_sysctls(prelink_t) -@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t) +@@ -73,6 +75,7 @@ corecmd_mmap_all_executables(prelink_t) corecmd_read_bin_symlinks(prelink_t) dev_read_urand(prelink_t) @@ -2588,7 +2596,7 @@ index af55369..ec838bd 100644 files_list_all(prelink_t) files_getattr_all_files(prelink_t) -@@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t) +@@ -86,6 +89,8 @@ files_relabelfrom_usr_files(prelink_t) fs_getattr_xattr_fs(prelink_t) @@ -2597,7 +2605,7 @@ index af55369..ec838bd 100644 selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) -@@ -98,7 +102,15 @@ libs_delete_lib_symlinks(prelink_t) +@@ -98,7 +103,15 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) @@ -2614,7 +2622,7 @@ index af55369..ec838bd 100644 optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,6 +121,15 @@ optional_policy(` +@@ -109,6 +122,15 @@ optional_policy(` ') optional_policy(` @@ -2630,7 +2638,7 @@ index af55369..ec838bd 100644 rpm_manage_tmp_files(prelink_t) ') -@@ -129,6 +150,7 @@ optional_policy(` +@@ -129,6 +151,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; @@ -2638,7 +2646,7 @@ index af55369..ec838bd 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +170,29 @@ optional_policy(` +@@ -148,17 +171,29 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) @@ -25623,7 +25631,7 @@ index deca9d3..ac92fce 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..203a5aa 100644 +index 9e39aa5..12333a8 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,21 +1,30 @@ 
@@ -25708,7 +25716,7 @@ index 9e39aa5..203a5aa 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,26 +87,36 @@ ifdef(`distro_suse', ` +@@ -73,26 +87,38 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -25722,8 +25730,10 @@ index 9e39aa5..203a5aa 100644 +/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) -+/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/var/lib/openshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++ +/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -25747,7 +25757,7 @@ index 9e39aa5..203a5aa 100644 /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -105,7 +129,31 @@ ifdef(`distro_debian', ` +@@ -105,7 +131,31 @@ ifdef(`distro_debian', ` /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -26474,7 +26484,7 @@ index 6480167..eeb2953 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') 
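Review bot: The new `httpd_log_t` entry covers only `/var/lib/openshift/\.log/httpd(/.*)?`, while the `\.httpd\.d` config entries directly above are kept in parallel for both `/var/lib/stickshift` and `/var/lib/openshift`; if the stickshift tree is still supported, a matching `/var/lib/stickshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)` is presumably needed, otherwise the asymmetry deserves a comment. The same hunk also rewrites the two `.httpd.d` patterns as `\.httpd\.d`, which is a labeling fix in its own right (an unescaped `.` matches any character), but neither the commit message nor the spec changelog mentions it. The extra empty `+` line inserted before `/var/lib/svn` looks unintentional.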
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..fcb45ba 100644 +index 3136c6a..2042513 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,253 @@ policy_module(apache, 2.2.1) @@ -27251,7 +27261,7 @@ index 3136c6a..fcb45ba 100644 ') optional_policy(` -@@ -576,6 +892,51 @@ optional_policy(` +@@ -576,6 +892,55 @@ optional_policy(` openca_kill(httpd_t) ') @@ -27287,6 +27297,10 @@ index 3136c6a..fcb45ba 100644 +') + +optional_policy(` ++ openshift_initrc_signull(httpd_t) ++') ++ ++optional_policy(` + tunable_policy(`httpd_run_stickshift', ` + oddjob_dbus_chat(httpd_t) + ') @@ -27303,7 +27317,7 @@ index 3136c6a..fcb45ba 100644 optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -591,6 +952,11 @@ optional_policy(` +@@ -591,6 +956,11 @@ optional_policy(` ') optional_policy(` @@ -27315,7 +27329,7 @@ index 3136c6a..fcb45ba 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +969,12 @@ optional_policy(` +@@ -603,6 +973,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -27328,7 +27342,7 @@ index 3136c6a..fcb45ba 100644 ######################################## # # Apache helper local policy -@@ -616,7 +988,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +992,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -27341,7 +27355,7 @@ index 3136c6a..fcb45ba 100644 ######################################## # -@@ -654,28 +1030,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +1034,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` 
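Review bot: `openshift_initrc_signull(httpd_t)` is granted unconditionally, whereas the OpenShift-related rule in the very next `optional_policy` block is gated on `tunable_policy(`httpd_run_stickshift', ...)`. If the null signal is only needed on OpenShift nodes, placing the call inside the same tunable keeps the default httpd_t footprint unchanged: `tunable_policy(`httpd_run_stickshift', ` openshift_initrc_signull(httpd_t) ')`. signull only checks that the target process exists, so the exposure is small either way, but if the unconditional grant is deliberate a one-line comment saying so would stop the next reviewer from asking the same question.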
@@ -27385,7 +27399,7 @@ index 3136c6a..fcb45ba 100644 ') ######################################## -@@ -685,6 +1063,8 @@ optional_policy(` +@@ -685,6 +1067,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -27394,7 +27408,7 @@ index 3136c6a..fcb45ba 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1079,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1083,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -27420,7 +27434,7 @@ index 3136c6a..fcb45ba 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1125,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1129,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -27453,7 +27467,7 @@ index 3136c6a..fcb45ba 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1172,25 @@ optional_policy(` +@@ -769,6 +1176,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -27479,7 +27493,7 @@ index 3136c6a..fcb45ba 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1211,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1215,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -27497,7 +27511,7 @@ index 3136c6a..fcb45ba 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1230,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1234,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -27554,7 +27568,7 @@ index 3136c6a..fcb45ba 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1281,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1285,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -27595,7 +27609,7 @@ index 3136c6a..fcb45ba 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1326,20 @@ optional_policy(` +@@ -842,10 +1330,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -27616,7 +27630,7 @@ index 3136c6a..fcb45ba 100644 ') ######################################## -@@ -891,11 +1385,49 @@ optional_policy(` +@@ -891,11 +1389,49 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -34300,7 +34314,7 @@ index 305ddf4..173cd16 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..0dd5c5d 100644 +index 0f28095..bbf685f 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) 
@@ -34439,6 +34453,15 @@ index 0f28095..0dd5c5d 100644 ') optional_policy(` +@@ -341,7 +361,7 @@ optional_policy(` + # Cups configuration daemon local policy + # + +-allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; ++allow cupsd_config_t self:capability { chown dac_override setuid setgid sys_tty_config }; + dontaudit cupsd_config_t self:capability sys_tty_config; + allow cupsd_config_t self:process { getsched signal_perms }; + allow cupsd_config_t self:fifo_file rw_fifo_file_perms; @@ -371,8 +391,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -45932,7 +45955,7 @@ index 256166a..2320c87 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..4099451 100644 +index 343cee3..db50ceb 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -46059,7 +46082,8 @@ index 343cee3..4099451 100644 allow mta_user_agent $2:fd use; allow mta_user_agent $2:process sigchld; - allow mta_user_agent $2:fifo_file { read write }; +- allow mta_user_agent $2:fifo_file { read write }; ++ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms; + + optional_policy(` + exim_run($2, $1) @@ -46129,6 +46153,15 @@ index 343cee3..4099451 100644 ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; +@@ -361,7 +304,7 @@ interface(`mta_send_mail',` + + allow mta_user_agent $1:fd use; + allow mta_user_agent $1:process sigchld; +- allow mta_user_agent $1:fifo_file rw_fifo_file_perms; ++ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## @@ -391,12 +334,17 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` 
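Review bot: Adding `setuid setgid` to `allow cupsd_config_t self:capability { ... }` lets cupsd_config_t change its credentials, and nothing in the hunk says which cups configuration helper needs that; the changelog only repeats "Allow setuid/setgid for cupsd-config". A reason line such as `# TODO(review): name the cups config helper that drops privileges here` would let a later maintainer decide whether the capability can be removed again. The `dontaudit cupsd_config_t self:capability sys_tty_config;` on the next line was already redundant with the allow on the old side and remains so. The enclosing cupsd_config_t policy continues outside the hunk.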
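Review bot: The change of `allow mta_user_agent $2:fifo_file { read write };` to `rw_inherited_fifo_file_perms` in this mta.if hunk, and the matching change from `rw_fifo_file_perms` inside `mta_send_mail` in the later hunk at `@@ -361,7 +304,7 @@`, appear in neither the commit message nor the spec changelog. Relative to the bare `{ read write }` the first is a widening and relative to `rw_fifo_file_perms` the second is presumably a tightening, so the net effect depends on how `rw_inherited_fifo_file_perms` is defined in this tree, which this patch does not show; a changelog bullet, or a comment on each interface, should record the intent. Both enclosing interfaces start outside their hunks.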
@@ -48666,7 +48699,7 @@ index abe3f7f..2214d71 100644 + nis_systemctl($1) ') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te -index 4876cae..8db6004 100644 +index 4876cae..bfebbec 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t) @@ -48707,7 +48740,16 @@ index 4876cae..8db6004 100644 allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; allow ypbind_t self:tcp_socket create_stream_socket_perms; -@@ -142,8 +149,8 @@ optional_policy(` +@@ -108,6 +115,8 @@ domain_use_interactive_fds(ypbind_t) + files_read_etc_files(ypbind_t) + files_list_var(ypbind_t) + ++init_search_pid_dirs(ypbind_t) ++ + logging_send_syslog_msg(ypbind_t) + + miscfiles_read_localization(ypbind_t) +@@ -142,8 +151,8 @@ optional_policy(` allow yppasswdd_t self:capability dac_override; dontaudit yppasswdd_t self:capability sys_tty_config; @@ -48717,7 +48759,7 @@ index 4876cae..8db6004 100644 allow yppasswdd_t self:unix_dgram_socket create_socket_perms; allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; -@@ -156,6 +163,8 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) +@@ -156,6 +165,8 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) @@ -48726,7 +48768,7 @@ index 4876cae..8db6004 100644 kernel_list_proc(yppasswdd_t) kernel_read_proc_symlinks(yppasswdd_t) kernel_getattr_proc_files(yppasswdd_t) -@@ -211,6 +220,10 @@ optional_policy(` +@@ -211,6 +222,10 @@ optional_policy(` ') optional_policy(` 
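Review bot: `init_search_pid_dirs(ypbind_t)` is added without a comment, and only the changelog attributes it to sd_notify. If sd_notify is what triggered the denial, searching `/var/run` is presumably just the first step, since the call then sends a datagram to init's notify socket, so a follow-up denial is likely once this one is fixed; confirm against the audit log before treating the bug as closed. Either way the reason belongs inline: `# sd_notify() in the new ypbind package searches /var/run for the notify socket`.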
@@ -48737,7 +48779,7 @@ index 4876cae..8db6004 100644 seutil_sigchld_newrole(yppasswdd_t) ') -@@ -224,8 +237,8 @@ optional_policy(` +@@ -224,8 +239,8 @@ optional_policy(` # dontaudit ypserv_t self:capability sys_tty_config; @@ -50024,10 +50066,10 @@ index 0000000..c9a5f74 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/policy/modules/services/openshift.if b/policy/modules/services/openshift.if new file mode 100644 -index 0000000..681f8a0 +index 0000000..71d6f47 --- /dev/null +++ b/policy/modules/services/openshift.if -@@ -0,0 +1,556 @@ +@@ -0,0 +1,574 @@ + +## policy for openshift + @@ -50050,6 +50092,24 @@ index 0000000..681f8a0 + domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t) +') + ++###################################### ++## ++## Send a null signal to openshift init scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_initrc_signull',` ++ gen_require(` ++ type openshift_initrc_t; ++ ') ++ ++ allow $1 openshift_initrc_t:process signull; ++') ++ +######################################## +## +## Search openshift cache directories. diff --git a/selinux-policy.spec b/selinux-policy.spec index 9605a00..f87e921 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 95%{?dist} +Release: 96%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
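Review bot: The separator line above the new `openshift_initrc_signull` interface is shorter than the `########################################` used by the neighbouring interfaces in the same file; keep the same width so the file stays uniform. The summary could also state what the caller is expected to use the permission for, e.g. `## Send a null signal to openshift init scripts (existence check; no signal is delivered).`, which documents why nothing broader than signull is granted.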
@@ -466,6 +466,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Nov 13 2012 Miroslav Grepl 3.10.0-96 +- httpd needs to send signull to openshift init script +- Allow prelink_cron_system_t to overide user componant when cp -a- +- Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd +- Allow setuid/setgid for cupsd-config +- New ypbind pkg wants to search /var/run which is caused by sd_notify + * Fri Nov 1 2012 Miroslav Grepl 3.10.0-95 - Add support for OpenShift sbin labeling