From 4d67b40db10b65994e6cb4193ddc98d9178d5342 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 27 2010 21:54:00 +0000 Subject: - Add getsched to hald_t - Add file context for Fedora/Redhat Directory Server --- diff --git a/policy-F13.patch b/policy-F13.patch index 1c98a43..ffa76ce 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -10856,7 +10856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav sysnet_use_ldap(amavis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.8/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/apache.fc 2010-01-27 11:16:47.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/apache.fc 2010-01-27 15:19:37.000000000 -0500 @@ -2,12 +2,17 @@ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) 
@@ -10877,12 +10877,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -21,10 +26,13 @@ +@@ -21,10 +26,16 @@ /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) ++/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++ +/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -10891,7 +10894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -32,14 +40,28 @@ +@@ -32,14 +43,28 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') @@ -10920,7 +10923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -47,16 +69,21 @@ +@@ -47,16 +72,21 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) 
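Review bot: The new `/usr/lib/dirsrv/cgi-bin(/.*)?` entry omits the `(64)?` alternation that the surrounding `/usr/lib(64)?/apache`, `/usr/lib(64)?/cgi-bin` and `/usr/lib(64)?/httpd` entries in this hunk carry, so on a 64-bit install whose package puts the CGIs under /usr/lib64 (not verifiable from this hunk) those scripts would keep the default lib_t label and never get the httpd_sys_script_exec_t entrypoint — either the exec is denied or, if httpd_t may execute lib_t, the CGI runs inside httpd_t instead of the confined httpd_sys_script_t domain. Consider `/usr/lib(64)?/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)` so both layouts match. Note also that the `(/.*)?` form labels every object in the tree as a script executable, not only regular files; if the directory also holds data, a separate entry with the `--` file-class qualifier would keep the executable label to the files that need it.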
@@ -10942,7 +10945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ') -@@ -64,11 +91,33 @@ +@@ -64,11 +94,33 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -17453,7 +17456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.8/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/hal.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/hal.te 2010-01-27 13:13:18.000000000 -0500 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -17464,6 +17467,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local policy +@@ -63,7 +66,7 @@ + # execute openvt which needs setuid + allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; + dontaudit hald_t self:capability {sys_ptrace sys_tty_config }; +-allow hald_t self:process { getattr signal_perms }; ++allow hald_t self:process { getsched getattr signal_perms }; + allow hald_t self:fifo_file rw_fifo_file_perms; + allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow hald_t self:unix_dgram_socket create_socket_perms; @@ -100,7 +103,9 @@ kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) 
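Review bot: The added `getsched` in `allow hald_t self:process { getsched getattr signal_perms };` carries no comment on what in hald needs it, whereas the `# execute openvt which needs setuid` comment above documents the capability line; the changelog entry only restates the rule. Because the permission is on self:process (hald_t reading its own scheduling policy) the exposure is minimal, but recording the triggering denial keeps the rule auditable, e.g. `# getsched: hald queries its own scheduling policy (see bug <BUGZILLA-ID>)` with the actual report id filled in.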
@@ -17817,15 +17829,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktal diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.8/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/ldap.fc 2010-01-18 15:18:03.000000000 -0500 -@@ -1,5 +1,7 @@ ++++ serefpolicy-3.7.8/policy/modules/services/ldap.fc 2010-01-27 15:28:08.000000000 -0500 +@@ -1,8 +1,12 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) +/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/dirsrv.* -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) ++/usr/sbin/ns-slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) + + ifdef(`distro_debian',` + /usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) +@@ -10,8 +14,12 @@ + + /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) ++/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) ++ ++/var/log/dirsrv(/.*)? gen_context(system_u:object_r:slapd_log_t,s0) + + /var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) + /var/run/openldap(/.*)? 
gen_context(system_u:object_r:slapd_var_run_t,s0) + /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) + /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) ++/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.8/policy/modules/services/ldap.if --- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.8/policy/modules/services/ldap.if 2010-01-18 15:18:03.000000000 -0500 
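Review bot: The new `/var/run/slapd.* -s` entry leaves the dot unescaped while the neighbouring `/var/run/slapd\.args` and `/var/run/slapd\.pid` entries escape it; as a regex `slapd.*` also matches names such as `slapdfoo`, so `/var/run/slapd\..* -s gen_context(system_u:object_r:slapd_var_run_t,s0)` is the tighter form (the `-s` socket qualifier limits the impact, but the pattern should state what it means). The larger gap is that the hunk maps ns-slapd's binary, init scripts, data and logs onto the slapd_* types but adds nothing under /etc/dirsrv or /var/run/dirsrv; if the Directory Server keeps and rewrites its configuration (dse.ldif with credentials) under /etc/dirsrv at runtime — likely, but not visible here — that tree stays etc_t, which will show up as write denials for slapd_t and leaves those files outside the protection the slapd_* types give the rest of the server's state. The same hunk's `/etc/openldap/slapd\.d(/.*)?` → slapd_db_t entry is the pattern to follow for a daemon-writable config tree.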
@@ -17873,6 +17903,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ######################################## ## ## Read the contents of the OpenLDAP +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.8/policy/modules/services/ldap.te +--- nsaserefpolicy/policy/modules/services/ldap.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.8/policy/modules/services/ldap.te 2010-01-27 15:24:00.000000000 -0500 +@@ -28,6 +28,9 @@ + type slapd_replog_t; + files_type(slapd_replog_t) + ++type slapd_log_t; ++logging_log_file(slapd_log_t) ++ + type slapd_tmp_t; + files_tmp_file(slapd_tmp_t) + +@@ -68,6 +71,10 @@ + manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) + manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) + ++manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) ++manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t) ++files_log_filetrans(slapd_t, slapd_log_t, { file dir }) ++ + manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) + manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) + files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.8/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-11 09:40:36.000000000 -0500 +++ serefpolicy-3.7.8/policy/modules/services/lircd.te 2010-01-18 15:18:03.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index eed8a7b..cfd4a3e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.8 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
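Review bot: `manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)` grants slapd_t unlink, rename and write on its own log files, so a compromised server can truncate or remove its own access and audit logs; `create_files_pattern` plus `append_files_pattern` (keeping `manage_dirs_pattern` for the directory) would preserve log integrity. If ns-slapd rotates its own logs in place — plausible, but not visible in this hunk — the full manage set is required, and a one-line comment such as `# manage: the server rotates its own logs under /var/log/dirsrv` would stop a later tightening attempt from breaking it. `files_log_filetrans(slapd_t, slapd_log_t, { file dir })` applies to anything slapd_t creates directly in /var/log, which matches the `/var/log/dirsrv(/.*)?` context added in the ldap.fc hunk; `logging_log_file(slapd_log_t)` is correctly paired with the new type.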
@@ -459,6 +459,10 @@ exit 0 %endif %changelog +* Wed Jan 27 2010 Dan Walsh 3.7.8-4 +- Add getsched to hald_t +- Add file context for Fedora/Redhat Directory Server + * Mon Jan 25 2010 Dan Walsh 3.7.8-3 - Allow abrt_helper to getattr on all filesystems - Add label for /opt/real/RealPlayer/plugins/oggfformat\.so