diff --git a/policy-F13.patch b/policy-F13.patch index ec17a8c..78717b0 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -696,7 +696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc +/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.19/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-08-02 08:55:03.161641361 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-10-25 10:18:24.897901204 +0200 @@ -20,6 +20,9 @@ type logwatch_tmp_t; files_tmp_file(logwatch_tmp_t) @@ -718,7 +718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) -@@ -93,8 +100,8 @@ +@@ -93,12 +100,13 @@ sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) @@ -728,7 +728,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc ifdef(`distro_redhat',` files_search_all(logwatch_t) -@@ -146,3 +153,26 @@ + files_getattr_all_file_type_fs(logwatch_t) ++ files_getattr_all_files(logwatch_t) + ') + + tunable_policy(`use_nfs_home_dirs',` +@@ -146,3 +154,26 @@ samba_read_log(logwatch_t) samba_read_share_files(logwatch_t) ') 
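Review bot: `files_getattr_all_files(logwatch_t)` lands inside the `ifdef(`distro_redhat',` block with no tunable around it, so every Red Hat build lets a log summarizer stat every file of every `file_type`, which is a much wider grant than the one line above it (`files_getattr_all_file_type_fs(logwatch_t)`) and is justified only by a changelog entry. If the zz-disk_space script only runs `df`, the filesystem-level getattr already present may be all it needs; if it runs `du` over particular trees, a getattr interface scoped to those directories would be the narrower fix — I cannot see the script from here, so treat this as a question rather than a verdict. Whichever rule survives, put the reason next to it, e.g. `# zz-disk_space reports disk usage (du/df) and needs to stat files outside /var/log`, since today it only lives in the spec %changelog. The logwatch_t `ifdef` block begins above this hunk.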
@@ -9910,7 +9915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.19/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.fc 2010-07-13 08:46:23.033752948 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.fc 2010-10-25 11:09:58.145663420 +0200 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -9946,11 +9951,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) -@@ -72,7 +81,8 @@ +@@ -71,8 +80,9 @@ + /etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) +-/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) ++/etc/sysconfig/ip6?tables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) + +/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) 
@@ -15833,7 +15840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-10-08 10:48:07.118901432 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-10-25 09:58:11.608650337 +0200 @@ -19,11 +19,13 @@ # Declarations # @@ -16145,7 +16152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,9 +603,22 @@ +@@ -484,9 +603,23 @@ # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -16163,12 +16170,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + +tunable_policy(`httpd_setrlimit',` + allow httpd_t self:process setrlimit; ++ allow httpd_t self:capability sys_resource; +') + tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -500,8 +632,13 @@ +@@ -500,8 +633,13 @@ # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) @@ -16182,7 +16190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -514,6 +651,9 @@ +@@ -514,6 +652,9 @@ optional_policy(` cobbler_search_lib(httpd_t) @@ -16192,7 +16200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -528,7 +668,7 @@ +@@ -528,7 +669,7 @@ daemontools_service_domain(httpd_t, httpd_exec_t) ') 
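Review bot: `allow httpd_t self:capability sys_resource;` inside `tunable_policy(`httpd_setrlimit',` grants more than the boolean's name implies: `process setrlimit` alone lets httpd raise soft limits up to the hard limit, whereas CAP_SYS_RESOURCE is what the kernel checks to raise the hard limit itself and also covers other resource overrides such as exceeding disk quota, so a compromised worker with this boolean on is no longer bounded by the limits it inherited from init. Keeping the rule behind the tunable is the right shape; the tunable's description (declared outside this hunk) should state the trade-off, e.g. `## Allow httpd to raise its own rlimits, including hard limits (grants CAP_SYS_RESOURCE).`, and a one-line comment on the rule, `# sys_resource: raising the hard limit, not only the soft one`, would spare the next reader a trip to the changelog.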
@@ -16201,7 +16209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +677,12 @@ +@@ -537,8 +678,12 @@ ') optional_policy(` @@ -16215,7 +16223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -556,7 +700,13 @@ +@@ -556,7 +701,13 @@ ') optional_policy(` @@ -16229,7 +16237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +717,7 @@ +@@ -567,6 +718,7 @@ optional_policy(` nagios_read_config(httpd_t) @@ -16237,7 +16245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -577,12 +728,23 @@ +@@ -577,12 +729,23 @@ ') optional_policy(` @@ -16261,7 +16269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -591,6 +753,11 @@ +@@ -591,6 +754,11 @@ ') optional_policy(` @@ -16273,7 +16281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -618,6 +785,10 @@ +@@ -618,6 +786,10 @@ userdom_use_user_terminals(httpd_helper_t) @@ -16284,7 +16292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -699,17 +870,18 @@ +@@ -699,17 +871,18 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -16306,7 +16314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +912,21 @@ +@@ -740,10 +913,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') 
@@ -16329,7 +16337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +952,12 @@ +@@ -769,6 +953,12 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -16342,7 +16350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -792,9 +981,13 @@ +@@ -792,9 +982,13 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -16356,7 +16364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +996,28 @@ +@@ -803,6 +997,28 @@ mta_send_mail(httpd_sys_script_t) ') @@ -16385,7 +16393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1045,16 @@ +@@ -830,6 +1046,16 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -16402,7 +16410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1067,7 @@ +@@ -842,6 +1068,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -16410,7 +16418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -891,11 +1117,33 @@ +@@ -891,11 +1118,33 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; 
@@ -26153,8 +26161,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.19/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.fc 2010-05-28 09:42:00.133610558 +0200 -@@ -1,12 +1,32 @@ ++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.fc 2010-10-25 13:45:54.246900872 +0200 +@@ -1,12 +1,33 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) @@ -26179,6 +26187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) + +/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) ++/var/log/wicd\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) @@ -35004,7 +35013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-08-04 15:01:13.430084931 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-10-25 12:31:52.241650895 +0200 
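Review bot: The added `/var/log/wicd\.log` entry is needed because the neighbouring `/var/log/wicd(/.*)?` matches only the directory and what is under it, not a sibling file, so the new line closes a real labeling gap. While this file is open, the context line `/etc/wicd/manager-settings.conf` in the first hunk leaves its dot unescaped, so the regex also matches names like `manager-settingsXconf`; it should read `/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)`, which also drops the stray space before `s0` that the other refpolicy entries here do not use. Remember that a changed `.fc` only takes effect on existing files after a relabel (`restorecon`), which this patch does not and need not address.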
@@ -34,6 +34,9 @@ ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) @@ -35015,7 +35024,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. type sshd_key_t; files_type(sshd_key_t) -@@ -114,6 +117,7 @@ +@@ -97,6 +100,8 @@ + allow ssh_t self:msg { send receive }; + allow ssh_t self:tcp_socket create_stream_socket_perms; + ++can_exec(ssh_t, ssh_exec_t) ++ + # Read the ssh key file. + allow ssh_t sshd_key_t:file read_file_perms; + +@@ -114,6 +119,7 @@ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) @@ -35023,7 +35041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -125,9 +129,10 @@ +@@ -125,9 +131,10 @@ read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) # ssh servers can read the user keys and config @@ -35037,7 +35055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -139,6 +144,8 @@ +@@ -139,6 +146,8 @@ corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -35046,7 +35064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dev_read_urand(ssh_t) -@@ -170,8 +177,10 @@ +@@ -170,8 +179,10 @@ userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) 
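Review bot: `can_exec(ssh_t, ssh_exec_t)` lets the ssh client execute the ssh binary while staying in ssh_t (no domain transition), which is the sensible choice for a self-re-exec, but the rule carries no comment and the changelog only restates it. If the trigger is a `ProxyCommand` that invokes ssh, note that ssh runs that command through `/bin/sh -c`, so a shell-exec permission for ssh_t may be needed as well — that is not visible from the hunk, so check the original AVC denial before assuming this rule is sufficient. Suggested comment above the rule: `# ssh may execute itself (e.g. from ProxyCommand); no transition, stays in ssh_t`. The ssh_t rule block continues both above and below this hunk.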
@@ -35058,7 +35076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -282,6 +291,8 @@ +@@ -282,6 +293,8 @@ allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -35067,7 +35085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -@@ -290,24 +301,34 @@ +@@ -290,24 +303,34 @@ kernel_search_key(sshd_t) kernel_link_key(sshd_t) @@ -35106,7 +35124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -315,7 +336,12 @@ +@@ -315,7 +338,12 @@ ') optional_policy(` @@ -35120,7 +35138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -323,6 +349,10 @@ +@@ -323,6 +351,10 @@ ') optional_policy(` @@ -35131,7 +35149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. rpm_use_script_fds(sshd_t) ') -@@ -333,10 +363,18 @@ +@@ -333,10 +365,18 @@ ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index f70331c..444a548 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 67%{?dist} +Release: 68%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -469,6 +469,12 @@ exit 0 %endif %changelog +* Mon Oct 25 2010 Miroslav Grepl 3.7.19-68 +- Fix httpd_setrlimit boolean to allow sys_resource capability +- Allow lowatch to use zz-disk_space logwatch script +- Fix label for ip6tables.save +- Allow ssh_t to exec ssh_exec_t + * Mon Oct 18 2010 Miroslav Grepl 3.7.19-67 - Fixes for sandbox policy - Allow chromium-browser to read gnome homedir content