From 01969cfc26e601c06d00d869f6240bfcbaa79cec Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jan 09 2014 22:12:05 +0000
Subject: Don't transition roles when executing daemons from unconfined_t
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index d8abe18..5ebe2d9 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -19265,10 +19265,10 @@ index 0000000..cf6582f
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..993b768
+index 0000000..bba3177
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,328 @@
+@@ -0,0 +1,327 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -19338,7 +19338,6 @@ index 0000000..993b768
+files_create_default_dir(unconfined_t)
+files_root_filetrans_default(unconfined_t, dir)
+
-+init_run_daemon(unconfined_t, unconfined_r)
+init_domtrans_script(unconfined_t)
+init_telinit(unconfined_t)
+
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index fa0494c..8ef7fb7 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4756,7 +4756,7 @@ index f6eb485..51b128e 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 6649962..dd376b5 100644
+index 6649962..8d471e8 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,317 @@ policy_module(apache, 2.7.2)
@@ -5943,7 +5943,7 @@ index 6649962..dd376b5 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -786,35 +912,53 @@ optional_policy(`
+@@ -786,35 +912,54 @@ optional_policy(`
')
optional_policy(`
@@ -5985,6 +5985,7 @@ index 6649962..dd376b5 100644
+optional_policy(`
+ # needed by FreeIPA
+ ldap_stream_connect(httpd_t)
++ ldap_read_certs(httpd_t)
')
optional_policy(`
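Review bot: The removal of `init_run_daemon(unconfined_t, unconfined_r)` in the unconfineduser.te hunk (@@ -19338) leaves no trace in the policy file of why that interface is absent; the reasoning lives only in the commit subject, and the next maintainer reading the .te will likely see a gap between the `files_*` and `init_domtrans_script` lines and be tempted to add it back. Since `init_domtrans_script(unconfined_t)` and `init_telinit(unconfined_t)` are kept, the init-script path is unaffected and the change presumably only removes the direct daemon-execution transition and the associated role authorizations for the daemon domains — worth confirming against the contrib tree, because the line count bump 328→327 and the new blob id are the only other effects visible here. I would keep a one-line comment in place of the removed call, e.g. `# init_run_daemon() intentionally not called: no role transition when daemons are run directly from unconfined_t`, so the omission is documented where it is read.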
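Review bot: The new `ldap_read_certs(httpd_t)` in the FreeIPA block (hunk @@ -5985) is an unconditional grant whose only justification is the pre-existing `# needed by FreeIPA` comment, which was written for `ldap_stream_connect` and does not say which certificate files httpd is expected to read or why. This commit does not touch ldap.if, so the interface is presumably already defined in the contrib patch; if it is not, the module build will fail on the unexpanded macro, so a build check is worth running. From a least-privilege view, if the labels that interface covers include the directory server's key database rather than only certificates, httpd_t gains read access to the LDAP server's TLS credentials — the `httpd_manage_ipa` tunable that already appears later in this patch suggests IPA-specific access is meant to be switchable, so consider gating this grant the same way or recording why it must be always-on. At minimum I would extend the comment to `# needed by FreeIPA: httpd connects to the directory server and reads its certificate files`.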
@@ -6010,7 +6011,7 @@ index 6649962..dd376b5 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +966,18 @@ optional_policy(`
+@@ -822,8 +967,18 @@ optional_policy(`
')
optional_policy(`
@@ -6029,7 +6030,7 @@ index 6649962..dd376b5 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +986,7 @@ optional_policy(`
+@@ -832,6 +987,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6037,7 +6038,7 @@ index 6649962..dd376b5 100644
')
optional_policy(`
-@@ -842,20 +997,39 @@ optional_policy(`
+@@ -842,20 +998,39 @@ optional_policy(`
')
optional_policy(`
@@ -6063,7 +6064,7 @@ index 6649962..dd376b5 100644
+ pki_manage_apache_lib(httpd_t)
+ pki_manage_apache_log_files(httpd_t)
+ pki_manage_apache_run(httpd_t)
-+ pki_read_tomcat_cert(httpd_t)
++ pki_read_tomcat_cert(httpd_t)
+')
- tunable_policy(`httpd_can_network_connect_db',`
@@ -6083,7 +6084,7 @@ index 6649962..dd376b5 100644
')
optional_policy(`
-@@ -863,19 +1037,35 @@ optional_policy(`
+@@ -863,19 +1038,35 @@ optional_policy(`
')
optional_policy(`
@@ -6119,7 +6120,7 @@ index 6649962..dd376b5 100644
udev_read_db(httpd_t)
')
-@@ -883,65 +1073,173 @@ optional_policy(`
+@@ -883,65 +1074,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6315,7 +6316,7 @@ index 6649962..dd376b5 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1248,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6470,7 +6471,7 @@ index 6649962..dd376b5 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1332,106 @@ optional_policy(`
+@@ -1083,172 +1333,106 @@ optional_policy(`
')
')
@@ -6707,7 +6708,7 @@ index 6649962..dd376b5 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1439,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6804,7 +6805,7 @@ index 6649962..dd376b5 100644
########################################
#
-@@ -1321,8 +1514,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6821,7 +6822,7 @@ index 6649962..dd376b5 100644
')
########################################
-@@ -1330,49 +1530,38 @@ optional_policy(`
+@@ -1330,49 +1531,38 @@ optional_policy(`
# User content local policy
#
@@ -6886,7 +6887,7 @@ index 6649962..dd376b5 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1571,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1572,100 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)