From 9ac3bc40b99097c62dea36322accb3f493bd78f8 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Oct 31 2012 11:30:17 +0000 Subject: - Add httpd_verify_dns boolean - Add label for log directory under /var/www/stickshift - Allow openshift domains to use /dev/shm - Dontaudit leaked fifo files from openshift to ping - Allow nsswitch domains to read SAMBA conf files --- diff --git a/policy-F16.patch b/policy-F16.patch index 084d39f..054953e 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1815,7 +1815,7 @@ index c6ca761..46e0767 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index e0791b9..d84d16a 100644 +index e0791b9..faaa201 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) @@ -1864,7 +1864,7 @@ index e0791b9..d84d16a 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -145,11 +150,29 @@ ifdef(`hide_broken_symptoms',` +@@ -145,11 +150,30 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -1888,13 +1888,14 @@ index e0791b9..d84d16a 100644 + +optional_policy(` + openshift_rw_inherited_content(ping_t) ++ openshift_dontaudit_rw_inherited_fifo_files(ping_t) +') + +optional_policy(` pcmcia_use_cardmgr_fds(ping_t) ') -@@ -157,6 +180,10 @@ optional_policy(` +@@ -157,6 +181,10 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -1905,7 +1906,7 @@ index e0791b9..d84d16a 100644 ######################################## # # Traceroute local policy -@@ -194,6 +221,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -194,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) 
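Review bot: The added `openshift_dontaudit_rw_inherited_fifo_files(ping_t)` in hunk @@ -1888 silences the denial for a fifo that an openshift process leaks into ping rather than stopping the leak, and nothing in the hunk records that this is deliberate. A dontaudit on an inherited descriptor hides the evidence that the gear-side caller is not marking its fifos close-on-exec, so I would annotate it: `# openshift gear processes leak fifo fds into ping; dontaudit until the caller closes them (see <tracker-id placeholder>)`. I do not see the openshift_dontaudit_rw_inherited_fifo_files interface being added to openshift.if anywhere in this patch, so presumably it already exists there; worth confirming, since an unknown interface fails the policy build. The ping local policy continues outside the hunk.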
@@ -1913,7 +1914,7 @@ index e0791b9..d84d16a 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -204,9 +232,16 @@ logging_send_syslog_msg(traceroute_t) +@@ -204,9 +233,16 @@ logging_send_syslog_msg(traceroute_t) miscfiles_read_localization(traceroute_t) @@ -25622,7 +25623,7 @@ index deca9d3..ac92fce 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..726e9d6 100644 +index 9e39aa5..203a5aa 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,21 +1,30 @@ @@ -25746,7 +25747,7 @@ index 9e39aa5..726e9d6 100644 /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -105,7 +129,30 @@ ifdef(`distro_debian', ` +@@ -105,7 +129,31 @@ ifdef(`distro_debian', ` /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -25769,6 +25770,7 @@ index 9e39aa5..726e9d6 100644 +/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + ++/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -26472,22 +26474,15 @@ index 6480167..eeb2953 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..a77ef51 100644 +index 3136c6a..fcb45ba 100644 --- a/policy/modules/services/apache.te 
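Review bot: The new `/var/www/stickshift/[^/]*/log(/.*)?` entry in hunk @@ -25769 has no comment saying why its directory is `log` while the generic entry above it labels `/var/www(/.*)?/logs(/.*)?`, which invites a later "fix" to make them match; a one-line note keeps the intent visible, e.g. `# OpenShift gear log dirs (/var/www/stickshift/<gear>/log) are httpd_log_t`. It is also inserted between the rt3 and svn entries with only a blank line, so it reads as belonging to neither; grouping it with the other stickshift/openshift paths, or giving it its own commented group, would make the section easier to audit.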
+++ b/policy/modules/services/apache.te -@@ -18,130 +18,246 @@ policy_module(apache, 2.2.1) +@@ -18,130 +18,253 @@ policy_module(apache, 2.2.1) # Declarations # +selinux_genbool(httpd_bool_t) + -+## -+##

-+## Allow Apache to run in stickshift mode, not transition to passenger -+##

-+##
-+gen_tunable(httpd_run_stickshift, false) -+ ## -##

-## Allow Apache to modify public files @@ -26612,17 +26607,17 @@ index 3136c6a..a77ef51 100644 gen_tunable(httpd_can_sendmail, false) + -+## + ## +-##

+-## Allow Apache to communicate with avahi service via dbus +-##

+##

+## Allow http daemon to connect to zabbix +##

+##
+gen_tunable(httpd_can_connect_zabbix, false) + - ## --##

--## Allow Apache to communicate with avahi service via dbus --##

++## +##

+## Allow http daemon to check spam +##

@@ -26686,7 +26681,6 @@ index 3136c6a..a77ef51 100644 ## -##

-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. --##

+##

+## Allow httpd to read user content +##

@@ -26695,9 +26689,23 @@ index 3136c6a..a77ef51 100644 + +## +##

-+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ++## Allow Apache to run in stickshift mode, not transition to passenger +##

++##
++gen_tunable(httpd_run_stickshift, false) ++ ++## ++##

++## Allow Apache to query NS records + ##

##
++gen_tunable(httpd_verify_dns, false) ++ ++## ++##

++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ++##

++##
gen_tunable(httpd_ssi_exec, false) ## @@ -26778,7 +26786,7 @@ index 3136c6a..a77ef51 100644 attribute httpdcontent; attribute httpd_user_content_type; -@@ -166,7 +282,7 @@ files_type(httpd_cache_t) +@@ -166,7 +289,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -26787,7 +26795,7 @@ index 3136c6a..a77ef51 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +293,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +300,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -26797,7 +26805,7 @@ index 3136c6a..a77ef51 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +335,17 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +342,17 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -26816,7 +26824,7 @@ index 3136c6a..a77ef51 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +355,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +362,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -26827,7 +26835,7 @@ index 3136c6a..a77ef51 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +366,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +373,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
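Review bot: The description for the new httpd_verify_dns boolean in hunk @@ -26695, `## Allow Apache to query NS records`, does not say what the boolean grants: the only rule behind it (hunk @@ -27243 in this patch) is corenet_udp_bind_all_ephemeral_ports(httpd_t), i.e. binding any ephemeral UDP port, which is a different and broader capability than querying NS records, while the send/receive side is already present unconditionally (corenet_udp_sendrecv_all_ports(httpd_t) in the context of hunk @@ -26905). Administrators read these strings in semanage/setsebool output, so describe the actual grant: `## Allow Apache to bind ephemeral UDP ports, presumably required by resolver libraries that do DNS lookups (e.g. hostname verification)`. Defaulting it to false is the right choice given the breadth of the grant.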
@@ -26835,7 +26843,7 @@ index 3136c6a..a77ef51 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +388,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +395,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -26859,7 +26867,7 @@ index 3136c6a..a77ef51 100644 ######################################## # # Apache server local policy -@@ -281,11 +424,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +431,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -26873,7 +26881,7 @@ index 3136c6a..a77ef51 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +474,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +481,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -26884,7 +26892,7 @@ index 3136c6a..a77ef51 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -339,8 +485,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -339,8 +492,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -26895,7 +26903,7 @@ index 3136c6a..a77ef51 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -355,6 +502,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +509,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -26905,7 +26913,7 @@ index 3136c6a..a77ef51 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +515,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +522,19 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -26926,7 +26934,7 @@ index 3136c6a..a77ef51 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +536,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +543,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -26942,7 +26950,7 @@ index 3136c6a..a77ef51 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +549,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +556,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -26950,7 +26958,7 @@ index 3136c6a..a77ef51 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +561,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +568,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
@@ -27054,7 +27062,7 @@ index 3136c6a..a77ef51 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -454,27 +666,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -454,27 +673,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -27118,7 +27126,7 @@ index 3136c6a..a77ef51 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +730,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +737,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -27141,7 +27149,7 @@ index 3136c6a..a77ef51 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +760,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +767,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -27162,7 +27170,7 @@ index 3136c6a..a77ef51 100644 ') optional_policy(` -@@ -513,7 +784,13 @@ optional_policy(` +@@ -513,7 +791,13 @@ optional_policy(` ') optional_policy(` @@ -27177,7 +27185,7 @@ index 3136c6a..a77ef51 100644 ') optional_policy(` -@@ -528,7 +805,19 @@ optional_policy(` +@@ -528,7 +812,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -27198,7 +27206,7 @@ index 3136c6a..a77ef51 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +826,13 @@ optional_policy(` +@@ -537,8 +833,13 @@ optional_policy(` ') optional_policy(` @@ -27213,7 +27221,7 @@ index 3136c6a..a77ef51 100644 ') ') -@@ -556,7 +850,21 @@ optional_policy(` +@@ -556,7 +857,21 @@ optional_policy(` ') optional_policy(` 
@@ -27235,7 +27243,7 @@ index 3136c6a..a77ef51 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +875,7 @@ optional_policy(` +@@ -567,6 +882,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -27243,10 +27251,15 @@ index 3136c6a..a77ef51 100644 ') optional_policy(` -@@ -577,6 +886,47 @@ optional_policy(` +@@ -576,6 +892,51 @@ optional_policy(` + openca_kill(httpd_t) ') - optional_policy(` ++tunable_policy(`httpd_verify_dns',` ++ corenet_udp_bind_all_ephemeral_ports(httpd_t) ++') ++ ++optional_policy(` + tunable_policy(`httpd_run_stickshift', ` + allow httpd_t self:capability { fowner fsetid sys_resource }; + dontaudit httpd_t self:capability sys_ptrace; @@ -27287,11 +27300,10 @@ index 3136c6a..a77ef51 100644 + rpc_search_nfs_state_data(httpd_t) +') + -+optional_policy(` + optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) - postgresql_unpriv_client(httpd_t) -@@ -591,6 +941,11 @@ optional_policy(` +@@ -591,6 +952,11 @@ optional_policy(` ') optional_policy(` @@ -27303,7 +27315,7 @@ index 3136c6a..a77ef51 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +958,12 @@ optional_policy(` +@@ -603,6 +969,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -27316,7 +27328,7 @@ index 3136c6a..a77ef51 100644 ######################################## # # Apache helper local policy -@@ -616,7 +977,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +988,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -27329,7 +27341,7 @@ index 3136c6a..a77ef51 100644 ######################################## # -@@ -654,28 +1019,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +1030,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` 
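Review bot: The new `tunable_policy(`httpd_verify_dns',` block in hunk @@ -27243 is placed between the openca optional_policy and the stickshift optional_policy, whereas the other boolean-gated httpd_t rules (httpd_can_sendmail, httpd_ssi_exec, httpd_tty_comm in the hunks above) sit together ahead of the optional_policy section; since this rule depends on no optional module, moving it up with the core tunables keeps the grouping the rest of the file follows. A short comment on why an ephemeral-port bind is needed for DNS would also help, e.g. `# resolver libraries bind a random source port for queries` — that is my presumption, so confirm it against the AVC that prompted the change. The enclosing apache.te policy continues outside the hunk.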
@@ -27373,7 +27385,7 @@ index 3136c6a..a77ef51 100644 ') ######################################## -@@ -685,6 +1052,8 @@ optional_policy(` +@@ -685,6 +1063,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -27382,7 +27394,7 @@ index 3136c6a..a77ef51 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1068,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1079,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -27408,7 +27420,7 @@ index 3136c6a..a77ef51 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1114,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1125,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -27441,7 +27453,7 @@ index 3136c6a..a77ef51 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1161,25 @@ optional_policy(` +@@ -769,6 +1172,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -27467,7 +27479,7 @@ index 3136c6a..a77ef51 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1200,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1211,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) 
@@ -27485,7 +27497,7 @@ index 3136c6a..a77ef51 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1219,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1230,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -27542,7 +27554,7 @@ index 3136c6a..a77ef51 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1270,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1281,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -27583,7 +27595,7 @@ index 3136c6a..a77ef51 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1315,20 @@ optional_policy(` +@@ -842,10 +1326,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -27604,7 +27616,7 @@ index 3136c6a..a77ef51 100644 ') ######################################## -@@ -891,11 +1374,49 @@ optional_policy(` +@@ -891,11 +1385,49 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -27622,13 +27634,13 @@ index 3136c6a..a77ef51 100644 + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) -+') + ') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_t) + userdom_read_user_home_content_files(httpd_suexec_t) + userdom_read_user_home_content_files(httpd_user_script_t) - ') ++') + +######################################## +# @@ -50574,10 +50586,10 @@ index 0000000..681f8a0 +') 
diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te new file mode 100644 -index 0000000..fa79ac6 +index 0000000..d41f31a --- /dev/null +++ b/policy/modules/services/openshift.te -@@ -0,0 +1,355 @@ +@@ -0,0 +1,362 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -50607,6 +50619,9 @@ index 0000000..fa79ac6 +oddjob_system_entry(openshift_initrc_t, openshift_initrc_exec_t) +domain_obj_id_change_exemption(openshift_initrc_t) + ++type openshift_tmpfs_t; ++files_tmpfs_file(openshift_tmpfs_t) ++ +type openshift_initrc_tmp_t; +files_tmp_file(openshift_initrc_tmp_t) + @@ -50714,6 +50729,10 @@ index 0000000..fa79ac6 +dontaudit openshift_domain openshift_file_type:dir search_dir_perms +; + ++manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file }) ++ +manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) +manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) +manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) @@ -70782,7 +70801,7 @@ index 73554ec..cd2c7cc 100644 + logging_log_named_filetrans($1, wtmp_t, file, "wtmp") +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index b7a5f00..c175fd9 100644 +index b7a5f00..b2cdd68 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1) @@ -70863,7 +70882,7 @@ index b7a5f00..c175fd9 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -388,10 +409,72 @@ ifdef(`distro_ubuntu',` +@@ -388,10 +409,73 @@ ifdef(`distro_ubuntu',` ') optional_policy(` 
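Review bot: The three tmpfs rules in hunk @@ -50714 give every domain carrying the openshift_domain attribute manage rights over one shared openshift_tmpfs_t type, so at the type-enforcement level a /dev/shm object created by one openshift domain is readable and writable by all others; if gears are meant to be isolated from each other, that isolation rests on MCS categories, which are not visible in this file, and deserves to be stated: `# shm objects are shared across openshift domains; per-gear isolation relies on MCS`. The filetrans names `{ dir file }` only, unlike the httpd_t tmpfs filetrans earlier in this patch which also covers lnk_file, sock_file and fifo_file, so a comment saying the narrower set is intentional would save a future widening-by-reflex. The type declaration lives in hunk @@ -50607 and openshift.te continues outside both hunks.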
@@ -70937,6 +70956,7 @@ index b7a5f00..c175fd9 100644 +optional_policy(` + samba_stream_connect_winbind(nsswitch_domain) + samba_read_var_files(nsswitch_domain) ++ samba_read_config(nsswitch_domain) + samba_dontaudit_write_var_files(nsswitch_domain) ') diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if diff --git a/selinux-policy.spec b/selinux-policy.spec index d965116..2c8b14a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 93%{?dist} +Release: 94%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Oct 31 2012 Miroslav Grepl 3.10.0-94 +- Add httpd_verify_dns boolean +- Add label for log directory under /var/www/stickshift +- Allow openshift domains to use /dev/shm +- Dontaudit leaked fifo files from openshift to ping +- Allow nsswitch domains to read SAMBA conf files + * Mon Oct 22 2012 Miroslav Grepl 3.10.0-93 - Add labeling for mcollectived - Allow openshift domains to read localization
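Review bot: `samba_read_config(nsswitch_domain)` in hunk @@ -70937 extends smb.conf read access to every domain carrying the nsswitch_domain attribute, not only those that use winbind, and nothing records what triggered it. Because that attribute covers most of the system, a one-line comment naming the caller lets a later reviewer judge whether the grant can be narrowed, e.g. `# winbind NSS/PAM modules parse smb.conf in the calling process (see <denial placeholder>)` — the trigger is my presumption, so take it from the AVC. The grant is consistent with the samba_read_var_files line already in this block, so the placement itself is fine. The enclosing optional_policy block begins before the hunk.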