From f839a7eb2676ac100ed30f54fad6a96a896851c3 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 04 2008 21:24:45 +0000 Subject: - Turn off nsplugin transition, by default - Allow httpd_sys_script_t to communicate with postgresql --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 189cef0..0136f5e 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -626,6 +626,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.5.13/policy/modules/admin/mrtg.te +--- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/mrtg.te 2008-12-04 14:28:07.000000000 -0500 +@@ -116,6 +116,7 @@ + selinux_dontaudit_getattr_dir(mrtg_t) + + userdom_dontaudit_use_unpriv_user_fds(mrtg_t) ++userdom_dontaudit_list_admin_dir(mrtg_t) + + sysadm_use_terms(mrtg_t) + sysadm_dontaudit_read_home_content_files(mrtg_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.13/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2008-10-17 08:49:14.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/admin/netutils.te 2008-11-24 10:49:49.000000000 -0500 
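Review bot: The new `userdom_dontaudit_list_admin_dir(mrtg_t)` in the mrtg.te hunk carries no comment saying which mrtg code path produces the denial it silences, and a dontaudit on listing the admin home directory removes the audit trail for that attempt without granting it, so it is only the right fix if the access is known to be harmless noise rather than a misconfiguration worth seeing. I'd add a why-comment above the new line, hedged to whatever the real trigger was, e.g. `# mrtg run from an admin shell presumably inherits a cwd under the admin home; it never needs its contents, so silence the listing denial`. If the denial actually comes from mrtg being pointed at config or output files under the admin home, relabeling those paths would be the better fix than hiding the denial. The enclosing mrtg.te section starts before the hunk.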
@@ -11148,7 +11159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-12-04 14:56:57.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # @@ -11568,7 +11579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -551,22 +695,27 @@ +@@ -551,22 +695,30 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -11591,9 +11602,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) ') --optional_policy(` + optional_policy(` - nis_use_ypbind(httpd_php_t) --') ++ postgresql_stream_connect(httpd_sys_script_t) + ') optional_policy(` - postgresql_stream_connect(httpd_php_t) @@ -11602,7 +11614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -584,12 +733,14 @@ +@@ -584,12 +736,14 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -11618,7 +11630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -598,9 +749,7 @@ +@@ -598,9 +752,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) 
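Review bot: The new `postgresql_stream_connect(httpd_sys_script_t)` lands in the section headed `# Apache PHP script local policy` (visible in the hunk header context), inside the `optional_policy` block that previously held `nis_use_ypbind(httpd_php_t)`, so a rule for httpd_sys_script_t now sits among the httpd_php_t rules; it belongs next to the other httpd_sys_script_t database rules (the `mysql_stream_connect(httpd_sys_script_t)` block later in apache.te), and if that section already carries a postgresql `optional_policy` block for httpd_sys_script_t this one is a duplicate. It is also unconditional: every CGI script confined as httpd_sys_script_t gets connect access to the local PostgreSQL unix socket whether or not the site uses a database, which widens what a compromised script can reach by default, so consider gating it behind the same boolean that guards the TCP database connects elsewhere in apache.te if one exists, or at least record the decision with a comment such as `# local-socket access to postgresql for system CGI scripts; TCP access stays behind the db boolean`. The surrounding httpd_php_t `optional_policy` blocks continue outside the hunk.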
@@ -11629,7 +11641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -633,12 +782,25 @@ +@@ -633,12 +785,25 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -11658,7 +11670,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -647,6 +809,12 @@ +@@ -647,6 +812,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -11671,7 +11683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -664,20 +832,20 @@ +@@ -664,20 +835,20 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -11697,7 +11709,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -691,12 +859,22 @@ +@@ -691,12 +862,22 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -11722,7 +11734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -704,6 +882,31 @@ +@@ -704,6 +885,31 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -11754,7 +11766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -716,10 +919,10 @@ +@@ -716,10 +922,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) 
@@ -11769,7 +11781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -727,6 +930,8 @@ +@@ -727,6 +933,8 @@ # httpd_rotatelogs local policy # @@ -11778,7 +11790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -741,3 +946,66 @@ +@@ -741,3 +949,66 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -17388,7 +17400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-12-02 15:11:02.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-12-04 16:13:54.000000000 -0500 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) @@ -17441,7 +17453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(munin_t) corenet_all_recvfrom_netlabel(munin_t) -@@ -73,30 +82,39 @@ +@@ -73,30 +82,40 @@ corenet_udp_sendrecv_all_nodes(munin_t) corenet_tcp_sendrecv_all_ports(munin_t) corenet_udp_sendrecv_all_ports(munin_t) @@ -17463,9 +17475,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(munin_t) fs_search_auto_mountpoints(munin_t) - -+auth_use_nsswitch(munin_t) ++fs_list_inotifyfs(munin_t) + ++auth_use_nsswitch(munin_t) + libs_use_ld_so(munin_t) libs_use_shared_libs(munin_t) 
@@ -17483,7 +17496,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysadm_dontaudit_search_home_dirs(munin_t) optional_policy(` -@@ -109,7 +127,30 @@ +@@ -109,7 +128,30 @@ ') optional_policy(` @@ -17515,7 +17528,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -119,3 +160,9 @@ +@@ -119,3 +161,9 @@ optional_policy(` udev_read_db(munin_t) ') @@ -31783,7 +31796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.13/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2008-12-04 15:04:44.000000000 -0500 @@ -198,7 +198,25 @@ type dhcpc_state_t; ') @@ -35939,7 +35952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-12-04 13:40:54.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # @@ -36139,7 +36152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_rw_script_stream_sockets(xm_t) init_use_fds(xm_t) -@@ -358,8 +395,25 @@ +@@ -358,8 +395,30 @@ miscfiles_read_localization(xm_t) 
@@ -36152,6 +36165,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 xen_stream_connect(xm_t)
 xen_stream_connect_xenstore(xm_t)
 +
++optional_policy(`
++ virt_manage_images(xm_t)
++ virt_stream_connect(xm_t)
++')
++
 +#Should have a boolean wrapping these
 +fs_list_auto_mountpoints(xend_t)
 +files_search_mnt(xend_t)
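Review bot: `virt_manage_images(xm_t)` hands the xm tool the full manage set on virt image files rather than read/write — presumably create, rename, unlink and setattr on the virt image type, though the interface body is not visible here — and the hunk gives no reason why xm needs more than rw access to images that already exist; if it only attaches disk images created by libvirt or virt-manager, a read/write image interface would be the tighter grant. Either way the new block should say what needs it, e.g. `# xm opens disk images labeled by the virt module; confirm manage (vs rw) is really required`. Note that the pre-existing `#Should have a boolean wrapping these` comment just below refers to the xend_t automount rules, not to the new virt block, so a reader should not take it as covering this grant. The xm_t section starts before the hunk.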