From 8f2532e24992ae008ff1a731615532b98cd81a82 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jul 25 2008 11:53:34 +0000
Subject: - Fixes for logrotate, alsa
---
diff --git a/policy-20080710.patch b/policy-20080710.patch
index 8a162d7..a7baeb3 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -10389,7 +10389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te 2008-07-10 11:38:46.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/apache.te 2008-07-25 07:41:00.000000000 -0400
++++ serefpolicy-3.5.1/policy/modules/services/apache.te 2008-07-25 07:51:49.000000000 -0400
 @@ -20,6 +20,8 @@
 # Declarations
 #
@@ -10399,20 +10399,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ## ##

## Allow Apache to modify public files -@@ -31,10 +33,10 @@ +@@ -31,10 +33,17 @@ ## ##

-## Allow Apache to use mod_auth_pam -+## Allow Apache to communicate with avahi service via dbus ++## Allow httpd scripts and modules execmem/execstack ##

##
-gen_tunable(allow_httpd_mod_auth_pam,false) ++gen_tunable(httpd_execmem,false) ++ ++## ++##

++## Allow Apache to communicate with avahi service via dbus ++##

++##
+gen_tunable(allow_httpd_dbus_avahi,false) ## ##

-@@ -45,7 +47,14 @@ +@@ -45,7 +54,14 @@ ## ##
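Review bot: The added `++gen_tunable(httpd_execmem,false)` line declares a new boolean, but no `tunable_policy` block keyed on `httpd_execmem` that actually grants anything appears in this chunk — every later hunk of policy-20080710.patch shown here only renumbers inner `@@` headers. If the consuming block is not added elsewhere in the patch, the boolean is declared but has no effect, and its admin-facing description promises something the policy never grants. The context line `allow httpd_t self:process ~{ ... execmem execstack execheap };` further down shows these are precisely the permissions withheld from httpd_t, so the description should say what enabling the boolean gives up, e.g. `## Allow httpd scripts and modules execmem/execstack (lifts the execmem/execstack restriction on httpd_t; leave off unless a specific module needs it)`. The spec changelog entry in this commit ("Fixes for logrotate, alsa") does not mention the new boolean, so it should be listed there as well.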

@@ -10428,7 +10435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ##

##
gen_tunable(httpd_can_network_connect,false) -@@ -109,14 +118,33 @@ +@@ -109,14 +125,33 @@ ## gen_tunable(httpd_unified,false) @@ -10464,7 +10471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # user script domains attribute httpd_script_domains; -@@ -147,6 +175,9 @@ +@@ -147,6 +182,9 @@ type httpd_log_t; logging_log_file(httpd_log_t) @@ -10474,7 +10481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; -@@ -180,6 +211,9 @@ +@@ -180,6 +218,9 @@ # setup the system domain for system CGI scripts apache_content_template(sys) @@ -10484,7 +10491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -202,12 +236,16 @@ +@@ -202,12 +243,16 @@ prelink_object_file(httpd_modules_t) ') @@ -10502,7 +10509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +287,7 @@ +@@ -249,6 +294,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) @@ -10510,7 +10517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -289,6 +328,7 @@ +@@ -289,6 +335,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -10518,7 +10525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -312,12 +352,11 @@ +@@ -312,12 +359,11 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -10533,7 +10540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domain_use_interactive_fds(httpd_t) -@@ -335,6 +374,10 @@ +@@ -335,6 +381,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -10544,7 +10551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,25 +394,50 @@ +@@ -351,25 +401,50 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -10599,7 +10606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) -@@ -382,23 +450,34 @@ +@@ -382,23 +457,34 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -10642,7 +10649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') -@@ -408,6 +487,11 @@ +@@ -408,6 +494,11 @@ fs_read_cifs_symlinks(httpd_t) ') @@ -10654,7 +10661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -441,8 +525,13 @@ +@@ -441,8 +532,13 @@ ') optional_policy(` @@ -10670,7 +10677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -454,19 +543,13 @@ +@@ -454,19 +550,13 @@ ') optional_policy(` 
@@ -10691,7 +10698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -476,6 +559,12 @@ +@@ -476,6 +566,12 @@ openca_kill(httpd_t) ') @@ -10704,7 +10711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -483,6 +572,7 @@ +@@ -483,6 +579,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -10712,7 +10719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -491,6 +581,7 @@ +@@ -491,6 +588,7 @@ ') optional_policy(` @@ -10720,7 +10727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -520,9 +611,28 @@ +@@ -520,9 +618,28 @@ logging_send_syslog_msg(httpd_helper_t) tunable_policy(`httpd_tty_comm',` @@ -10749,7 +10756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -552,22 +662,27 @@ +@@ -552,22 +669,27 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -10783,7 +10790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -591,6 +706,8 @@ +@@ -591,6 +713,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -10792,7 +10799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -599,9 +716,7 @@ +@@ -599,9 +723,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) 
@@ -10803,7 +10810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -634,12 +749,21 @@ +@@ -634,12 +756,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -10828,7 +10835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -648,6 +772,12 @@ +@@ -648,6 +779,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -10841,7 +10848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -665,10 +795,6 @@ +@@ -665,10 +802,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -10852,7 +10859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -678,7 +804,8 @@ +@@ -678,7 +811,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -10862,7 +10869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -692,19 +819,44 @@ +@@ -692,19 +826,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -10910,7 +10917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -717,10 +869,10 @@ +@@ -717,10 +876,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) 
@@ -10925,7 +10932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -728,6 +880,8 @@ +@@ -728,6 +887,8 @@ # httpd_rotatelogs local policy # @@ -10934,7 +10941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -742,3 +896,48 @@ +@@ -742,3 +903,48 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 8d07146..766f0a9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -375,6 +375,9 @@ exit 0 %endif %changelog +* Fri Jul 25 2008 Dan Walsh 3.5.1-3 +- Fixes for logrotate, alsa + * Thu Jul 25 2008 Dan Walsh 3.5.1-2 - Eliminate vbetool duplicate entry