From a7bb24d27b4d1c229e40ee6e334618b0e0b70a96 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Feb 02 2011 11:57:06 +0000 Subject: - Make sandbox to work - Fix httpd_selinux man page to refer to httpd_sys_rw_content_t - Allow awstats to read squid logs - Allow dirsrv to send syslog messages --- diff --git a/policy-F14.patch b/policy-F14.patch index b020129..00da058 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -276,6 +276,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/git_selinux.8 seref +This manual page was written by Dominick Grift . +.SH "SEE ALSO" +selinux(8), git(8), chcon(1), semodule(8), setsebool(8) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.9.7/man/man8/httpd_selinux.8 +--- nsaserefpolicy/man/man8/httpd_selinux.8 2010-10-12 20:42:47.000000000 +0000 ++++ serefpolicy-3.9.7/man/man8/httpd_selinux.8 2011-02-02 10:43:45.636796001 +0000 +@@ -28,9 +28,9 @@ + .EE + - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. + .EX +-httpd_sys_content_rw_t ++httpd_sys_rw_content_t + .EE +-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. ++- Set files with httpd_sys_rw_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. + .EX + httpd_sys_content_ra_t + .EE diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.9.7/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2010-10-12 20:42:51.000000000 +0000 +++ serefpolicy-3.9.7/policy/flask/access_vectors 2011-01-27 16:22:59.404455000 +0000 
@@ -2305,7 +2320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.9.7/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-10-12 20:42:51.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/admin/usermanage.te 2011-01-07 09:32:45.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/admin/usermanage.te 2011-02-02 10:30:35.035796002 +0000 @@ -88,9 +88,7 @@ # for SSP dev_read_urand(chfn_t) @@ -2344,7 +2359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) -+corecmd_exec_bin(passwd_t) ++#corecmd_exec_bin(passwd_t) + +corenet_tcp_connect_kerberos_password_port(passwd_t) @@ -2423,6 +2438,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te optional_policy(` dbus_system_bus_client(vpnc_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.9.7/policy/modules/apps/awstats.te +--- nsaserefpolicy/policy/modules/apps/awstats.te 2010-10-12 20:42:51.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/apps/awstats.te 2011-02-02 10:47:26.262796002 +0000 +@@ -70,6 +70,10 @@ + nscd_dontaudit_search_pid(awstats_t) + ') + ++optional_policy(` ++ squid_read_log(awstats_t) ++') ++ + ######################################## + # + # awstats cgi script policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.9.7/policy/modules/apps/cdrecord.te --- nsaserefpolicy/policy/modules/apps/cdrecord.te 2010-10-12 20:42:51.000000000 +0000 +++ serefpolicy-3.9.7/policy/modules/apps/cdrecord.te 2010-11-23 09:23:26.000000000 +0000 
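Review bot: In the usermanage.te hunk, `corecmd_exec_bin(passwd_t)` is turned into the commented-out `#corecmd_exec_bin(passwd_t)` with no rationale, and the 3.9.7-28 changelog added by this same commit does not mention any passwd_t change, so the permission drop is invisible to anyone reading the history. Restricting passwd_t to `corecmd_check_exec_shell` is the tighter rule, but a commented-out allow rule in a shipped policy patch tends to get re-enabled by the next person who hits a denial; either delete the line or replace it with a why-comment such as `# passwd only needs to check that the login shell is executable; it must not exec arbitrary bin_t programs`. Whether anything in the passwd flow still relied on executing bin_t cannot be told from this hunk, so the change wants a denial check (ausearch/audit2allow) before release. The surrounding passwd_t rules continue outside the hunk.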
@@ -6338,7 +6367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.9.7/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/apps/sandbox.if 2011-01-19 16:29:02.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/apps/sandbox.if 2011-02-02 10:11:40.139796002 +0000 @@ -0,0 +1,337 @@ + +## policy for sandbox @@ -6503,10 +6532,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) + allow $1_t sandbox_xserver_t:process signal_perms; + -+ #domtrans_pattern($1_t, $1_file_t, $1_client_t) -+ #domain_entry_file($1_client_t, $1_file_t) -+ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t) -+ domain_entry_file($1_client_t, sandbox_exec_t) ++ domtrans_pattern($1_t, $1_file_t, $1_client_t) ++ domain_entry_file($1_client_t, $1_file_t) ++ #domtrans_pattern($1_t, sandbox_exec_t, $1_client_t) ++ #domain_entry_file($1_client_t, sandbox_exec_t) + + # Random tmpfs_t that gets created when you run X. + fs_rw_tmpfs_files($1_t) @@ -17290,7 +17319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.9.7/policy/modules/services/certmaster.te --- nsaserefpolicy/policy/modules/services/certmaster.te 2010-10-12 20:42:48.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/certmaster.te 2011-01-31 14:51:47.916455000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/certmaster.te 2011-02-02 10:59:14.071796002 +0000 @@ -43,23 +43,23 @@ # log files 
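Review bot: In the sandbox.if hunk, the entry point for `$1_client_t` moves from `sandbox_exec_t` (the packaged /usr/share/sandbox/start script, per the fc line earlier in this diff) to `$1_file_t`, so `domain_entry_file($1_client_t, $1_file_t)` now makes a type owned by the sandbox itself the entrypoint of the client domain. If `$1_t` can write `$1_file_t` files, as sandbox home/tmp types usually allow, the confined process can author its own executable and transition into `$1_client_t` at will, so the design now rests on `$1_client_t` granting nothing that `$1_t` lacks; that assumption should be stated next to the rule, e.g. `# $1_file_t is writable by $1_t, so $1_client_t must never be more privileged than $1_t`. The superseded `sandbox_exec_t` rules are kept as commented-out lines; delete them rather than leaving two competing entrypoint definitions in the interface. The template body continues outside the hunk.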
@@ -17319,6 +17348,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert files_list_var(certmaster_t) files_search_var_lib(certmaster_t) +@@ -69,3 +69,7 @@ + + miscfiles_manage_generic_cert_dirs(certmaster_t) + miscfiles_manage_generic_cert_files(certmaster_t) ++ ++optional_policy(` ++ gnome_dontaudit_search_config(certmaster_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.9.7/policy/modules/services/certmonger.if --- nsaserefpolicy/policy/modules/services/certmonger.if 2010-10-12 20:42:48.000000000 +0000 +++ serefpolicy-3.9.7/policy/modules/services/certmonger.if 2010-11-05 13:02:26.000000000 +0000 @@ -23435,8 +23472,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddt ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.9.7/policy/modules/services/hddtemp.te --- nsaserefpolicy/policy/modules/services/hddtemp.te 2010-10-12 20:42:48.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/hddtemp.te 2010-11-05 13:02:26.000000000 +0000 -@@ -46,4 +46,3 @@ ++++ serefpolicy-3.9.7/policy/modules/services/hddtemp.te 2011-02-02 09:11:11.565796001 +0000 +@@ -42,8 +42,8 @@ + files_read_usr_files(hddtemp_t) + + storage_raw_read_fixed_disk(hddtemp_t) ++storage_raw_read_removable_device(hddtemp_t) + logging_send_syslog_msg(hddtemp_t) miscfiles_read_localization(hddtemp_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 581bd21..dbe40fa 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.7 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
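Review bot: The new `gnome_dontaudit_search_config(certmaster_t)` in the certmaster.te hunk silences denials without saying what triggers them; a dontaudit hides future misbehaviour, so the rule should carry a one-line comment naming the access that was observed (presumably a library used by the daemon probing a GNOME config directory when started from a user session, but that is an inference from the interface name, not visible here). Something like `# certmaster probes ~/.config when started from a user session; harmless, so don't log it` would let a later reviewer decide whether the dontaudit is still needed. The change is also not listed in the 3.9.7-28 changelog entry added by this commit.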
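Review bot: `storage_raw_read_removable_device(hddtemp_t)` in the hddtemp.te hunk widens a daemon that previously had raw read only on fixed disks (`storage_raw_read_fixed_disk` is the context line above it) to raw read on removable block devices, yet the 3.9.7-28 changelog in this commit does not record it and the rule has no comment. Raw read on a removable device is read access to the whole medium, not just its SMART data, so the grant deserves a why-comment such as `# hddtemp queries SMART on USB/eSATA drives too; needs raw read on removable devices` and, if the access is only needed on some hosts, consideration of a boolean rather than an unconditional allow. Whether hddtemp actually needs more than ioctl access here cannot be determined from the hunk.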
@@ -472,6 +472,12 @@ exit 0 %endif %changelog +* Wed Feb 2 2011 Miroslav Grepl 3.9.7-28 +- Make sandbox to work +- Fix httpd_selinux man page to refer to httpd_sys_rw_content_t +- Allow awstats to read squid logs +- Allow dirsrv to send syslog messages + * Tue Feb 1 2011 Miroslav Grepl 3.9.7-27 - ricci_modclusterd_t needs to bind to rpc ports 500-1023 - Fix keyboardd interface