From 65c6e4c421dbd9713106612b135556b75fb7bed6 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 27 2010 16:14:50 +0000 Subject: - Fix label on /var/lib/dokwiki - Change permissive domains to enforcing - Fix libvirt policy to allow it to run on mls --- diff --git a/policy-F14.patch b/policy-F14.patch index 17be220..29d1734 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -226,8 +226,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.8.1/policy/modules/admin/accountsd.te --- nsaserefpolicy/policy/modules/admin/accountsd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.1/policy/modules/admin/accountsd.te 2010-05-26 16:28:29.000000000 -0400 -@@ -0,0 +1,56 @@ ++++ serefpolicy-3.8.1/policy/modules/admin/accountsd.te 2010-05-27 12:01:15.000000000 -0400 +@@ -0,0 +1,55 @@ +policy_module(accountsd,1.0.0) + +######################################## @@ -239,8 +239,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +type accountsd_exec_t; +dbus_system_domain(accountsd_t, accountsd_exec_t) + -+permissive accountsd_t; -+ +type accountsd_var_lib_t; +files_type(accountsd_var_lib_t) + @@ -271,6 +269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +logging_set_loginuid(accountsd_t) + +usermanage_domtrans_useradd(accountsd_t) ++usermanage_domtrans_passwd(accountsd_t) + +optional_policy(` + consolekit_read_log(accountsd_t) 
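Review bot: `usermanage_domtrans_passwd(accountsd_t)` is added without a comment in the same commit that drops `permissive accountsd_t`, so this hunk both widens what the domain may do and begins enforcing it; a transition into passwd_t lets the daemon change account passwords on behalf of whatever reaches it over the system bus, which is the kind of grant that deserves a why-comment beside the equally uncommented useradd transition above it. Suggest `# accounts-daemon sets user passwords by executing passwd(1) on behalf of D-Bus callers` — confirm against the daemon which operation actually triggers the transition. The same permissive removal is repeated for shutdown_t, telepathysofiasip_t, aiccu_t, boinc_t, the four piranha_*_t domains, qpidd_t and showmount_t in the later hunks; since each of these modules is new in this policy (the upstream side of their diffs is the 1969 null file), the enforcing allowlist is only as complete as the denials gathered while permissive, and the changelog line "Change permissive domains to enforcing" would be more useful if it named the domains so that new AVC reports can be tied back to this change.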
@@ -1129,8 +1128,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.8.1/policy/modules/admin/shutdown.te --- nsaserefpolicy/policy/modules/admin/shutdown.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.1/policy/modules/admin/shutdown.te 2010-05-26 16:28:29.000000000 -0400 -@@ -0,0 +1,63 @@ ++++ serefpolicy-3.8.1/policy/modules/admin/shutdown.te 2010-05-27 12:00:05.000000000 -0400 +@@ -0,0 +1,61 @@ +policy_module(shutdown,1.0.0) + +######################################## @@ -1149,8 +1148,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +type shutdown_var_run_t; +files_pid_file(shutdown_var_run_t) + -+permissive shutdown_t; -+ +######################################## +# +# shutdown local policy @@ -1325,7 +1322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.8.1/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/admin/usermanage.if 2010-05-26 16:28:29.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/admin/usermanage.if 2010-05-27 12:00:25.000000000 -0400 @@ -18,6 +18,10 @@ files_search_usr($1) corecmd_search_bin($1) 
@@ -5994,8 +5991,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathysofiasip.te serefpolicy-3.8.1/policy/modules/apps/telepathysofiasip.te --- nsaserefpolicy/policy/modules/apps/telepathysofiasip.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.1/policy/modules/apps/telepathysofiasip.te 2010-05-26 16:28:29.000000000 -0400 -@@ -0,0 +1,45 @@ ++++ serefpolicy-3.8.1/policy/modules/apps/telepathysofiasip.te 2010-05-27 11:58:52.000000000 -0400 +@@ -0,0 +1,43 @@ + +policy_module(telepathysofiasip,1.0.0) + @@ -6008,8 +6005,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath +type telepathysofiasip_exec_t; +application_domain(telepathysofiasip_t, telepathysofiasip_exec_t) + -+permissive telepathysofiasip_t; -+ +######################################## +# +# telepathy-sofiasip local policy @@ -11330,8 +11325,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.8.1/policy/modules/services/aiccu.te --- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.1/policy/modules/services/aiccu.te 2010-05-26 16:28:29.000000000 -0400 -@@ -0,0 +1,44 @@ ++++ serefpolicy-3.8.1/policy/modules/services/aiccu.te 2010-05-27 11:58:06.000000000 -0400 +@@ -0,0 +1,42 @@ +policy_module(aiccu,1.0.0) + +######################################## @@ -11343,8 +11338,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +type aiccu_exec_t; +init_daemon_domain(aiccu_t, aiccu_exec_t) + -+permissive aiccu_t; -+ +type aiccu_initrc_exec_t; +init_script_file(aiccu_initrc_exec_t) + 
@@ -11388,7 +11381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +userdom_rw_unpriv_user_shared_mem(aisexec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.1/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2010-04-06 15:15:38.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/services/apache.fc 2010-05-26 16:28:29.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/services/apache.fc 2010-05-27 12:12:06.000000000 -0400 @@ -24,7 +24,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -11409,7 +11402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_rw_t,s0) ++/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -12633,8 +12626,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.1/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.1/policy/modules/services/boinc.te 2010-05-27 10:11:10.000000000 -0400 -@@ -0,0 +1,95 @@ ++++ serefpolicy-3.8.1/policy/modules/services/boinc.te 2010-05-27 11:58:08.000000000 -0400 +@@ -0,0 +1,93 @@ + +policy_module(boinc,1.0.0) + 
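Review bot: The corrected dokuwiki entry labels with `httpd_sys_content_rw_t` while the drupal line directly below it uses `httpd_sys_rw_content_t` for the same read-write web content; if the former is only a compatibility alias for the latter (Fedora's apache policy carries such aliases for the older `*_content_rw_t` names), the label works but two adjacent lines now name one type two ways, and if it is not defined the file fails to load exactly as the previous `httpd_sys_rw_content_rw_t` did. Suggest `/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` to match its neighbours. A build step that compiles apache.fc and checks every gen_context type against the declared types would have caught the original typo before it shipped in 3.8.1-1; the apache.fc section continues outside this hunk.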
@@ -12647,8 +12640,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +type boinc_exec_t; +init_daemon_domain(boinc_t, boinc_exec_t) + -+permissive boinc_t; -+ +type boinc_initrc_exec_t; +init_script_file(boinc_initrc_exec_t) + @@ -17229,8 +17220,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.8.1/policy/modules/services/piranha.te --- nsaserefpolicy/policy/modules/services/piranha.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.1/policy/modules/services/piranha.te 2010-05-26 16:28:29.000000000 -0400 -@@ -0,0 +1,187 @@ ++++ serefpolicy-3.8.1/policy/modules/services/piranha.te 2010-05-27 11:58:27.000000000 -0400 +@@ -0,0 +1,182 @@ + +policy_module(piranha,1.0.0) + @@ -17259,11 +17250,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira + +piranha_domain_template(web) + -+permissive piranha_fos_t; -+permissive piranha_lvs_t; -+permissive piranha_pulse_t; -+permissive piranha_web_t; -+ +type piranha_etc_rw_t; +files_type(piranha_etc_rw_t) + @@ -18684,8 +18670,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.8.1/policy/modules/services/qpidd.te --- nsaserefpolicy/policy/modules/services/qpidd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.1/policy/modules/services/qpidd.te 2010-05-26 16:28:29.000000000 -0400 -@@ -0,0 +1,61 @@ ++++ serefpolicy-3.8.1/policy/modules/services/qpidd.te 2010-05-27 11:58:34.000000000 -0400 +@@ -0,0 +1,59 @@ +policy_module(qpidd,1.0.0) + +######################################## 
@@ -18697,8 +18683,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +type qpidd_exec_t; +init_daemon_domain(qpidd_t, qpidd_exec_t) + -+permissive qpidd_t; -+ +type qpidd_initrc_exec_t; +init_script_file(qpidd_initrc_exec_t) + @@ -25250,7 +25234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.1/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.8.1/policy/modules/system/mount.te 2010-05-26 16:28:29.000000000 -0400 ++++ serefpolicy-3.8.1/policy/modules/system/mount.te 2010-05-27 12:01:47.000000000 -0400 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -25267,7 +25251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. type mount_tmp_t; files_tmp_file(mount_tmp_t) -@@ -29,6 +36,19 @@ +@@ -29,6 +36,17 @@ # policy--duplicate type declaration type unconfined_mount_t; application_domain(unconfined_mount_t, mount_exec_t) @@ -25282,12 +25266,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +type showmount_exec_t; +application_domain(showmount_t, showmount_exec_t) +role system_r types showmount_t; -+ -+permissive showmount_t; ######################################## # -@@ -36,7 +56,11 @@ +@@ -36,7 +54,11 @@ # # setuid/setgid needed to mount cifs @@ -25300,7 +25282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_loopback_t:file read_file_perms; -@@ -47,30 +71,50 @@ +@@ -47,30 +69,50 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) 
@@ -25353,7 +25335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -80,15 +124,18 @@ +@@ -80,15 +122,18 @@ files_read_usr_files(mount_t) files_list_mnt(mount_t) @@ -25375,7 +25357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) -@@ -99,6 +146,7 @@ +@@ -99,6 +144,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -25383,7 +25365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. term_use_all_terms(mount_t) -@@ -107,6 +155,8 @@ +@@ -107,6 +153,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -25392,7 +25374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. logging_send_syslog_msg(mount_t) -@@ -117,6 +167,12 @@ +@@ -117,6 +165,12 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -25405,7 +25387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`distro_redhat',` optional_policy(` -@@ -132,10 +188,17 @@ +@@ -132,10 +186,17 @@ ') ') @@ -25423,7 +25405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -165,6 +228,8 @@ +@@ -165,6 +226,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -25432,7 +25414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -172,6 +237,25 @@ +@@ -172,6 +235,25 @@ ') optional_policy(` 
@@ -25458,7 +25440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +263,11 @@ +@@ -179,6 +261,11 @@ ') ') @@ -25470,7 +25452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +275,19 @@ +@@ -186,6 +273,19 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -25490,7 +25472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -194,6 +296,42 @@ +@@ -194,6 +294,42 @@ # optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 656b09b..416146b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.8.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,11 @@ exit 0 %endif %changelog +* Thu May 27 2010 Dan Walsh 3.8.1-2 +- Fix label on /var/lib/dokwiki +- Change permissive domains to enforcing +- Fix libvirt policy to allow it to run on mls + * Tue May 25 2010 Dan Walsh 3.8.1-1 - Update to upstream