diff --git a/policy-20080710.patch b/policy-20080710.patch index e5f3e2b..4a2fb2c 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -10545,7 +10545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-22 09:08:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-22 09:53:30.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -10639,26 +10639,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -180,6 +220,18 @@ - +@@ -181,6 +221,10 @@ # setup the system domain for system CGI scripts apache_content_template(sys) -+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; -+typealias httpd_sys_content_t alias httpd_fastcgi_content_t; -+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; -+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; -+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; -+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; -+typealias httpd_sys_script_t alias httpd_fastcgi_script_t; -+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; -+ + +typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable +typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable +typeattribute httpd_sys_content_ra_t httpdcontent; # customizable - ++ type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -202,12 +254,16 @@ + +@@ -202,12 +246,16 @@ prelink_object_file(httpd_modules_t) ') @@ -10676,7 +10668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +305,7 @@ +@@ -249,6 +297,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -10684,7 +10676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -260,9 +317,9 @@ +@@ -260,9 +309,9 @@ allow httpd_t httpd_suexec_exec_t:file read_file_perms; @@ -10697,7 +10689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -289,6 +346,7 @@ +@@ -289,6 +338,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -10705,7 +10697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -299,6 +357,7 @@ +@@ -299,6 +349,7 @@ corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_all_nodes(httpd_t) @@ -10713,7 +10705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) -@@ -312,12 +371,11 @@ +@@ -312,12 +363,11 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -10728,7 +10720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(httpd_t) -@@ -335,6 +393,10 @@ +@@ -335,6 +385,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -10739,7 +10731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,18 +413,33 @@ +@@ -351,18 +405,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -10760,7 +10752,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_pam, false) + -+tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_chkpwd(httpd_t) +') + @@ -10771,13 +10764,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + samba_domtrans_winbind_helper(httpd_t) ') ') -@@ -370,20 +447,45 @@ +@@ -370,20 +439,45 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -10824,7 +10816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -394,11 +496,12 @@ +@@ -394,11 +488,12 @@ corenet_tcp_bind_ftp_port(httpd_t) ') @@ -10840,7 +10832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') -@@ -408,6 +511,11 @@ +@@ -408,6 +503,11 @@ fs_read_cifs_symlinks(httpd_t) ') @@ -10852,7 +10844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -441,8 +549,13 @@ +@@ -441,8 +541,13 @@ ') optional_policy(` @@ -10868,7 +10860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,18 +567,13 @@ +@@ -454,18 +559,13 @@ ') optional_policy(` @@ -10888,7 +10880,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -475,6 +583,12 @@ +@@ -475,6 +575,12 @@ openca_kill(httpd_t) ') @@ -10901,7 +10893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -482,6 +596,7 @@ +@@ -482,6 +588,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -10909,7 +10901,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -490,6 +605,7 @@ +@@ -490,6 +597,7 @@ ') optional_policy(` @@ -10917,7 +10909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -519,9 +635,28 @@ +@@ -519,9 +627,28 @@ logging_send_syslog_msg(httpd_helper_t) tunable_policy(`httpd_tty_comm',` @@ -10946,7 +10938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -551,22 +686,27 @@ +@@ -551,22 +678,27 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -10980,7 +10972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -584,12 +724,14 @@ +@@ -584,12 +716,14 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -10996,7 +10988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -598,9 +740,7 @@ +@@ -598,9 +732,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -11007,7 +10999,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -633,12 +773,25 @@ +@@ -633,12 +765,25 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -11036,7 +11028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -647,6 +800,12 @@ +@@ -647,6 +792,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -11049,7 +11041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -664,10 +823,6 @@ +@@ -664,10 +815,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -11060,7 +11052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache system script local policy -@@ -677,7 +832,8 @@ +@@ -677,7 +824,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -11070,7 +11062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -691,12 +847,15 @@ +@@ -691,12 +839,15 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -11088,7 +11080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -704,6 +863,30 @@ +@@ -704,6 +855,30 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -11119,7 +11111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -716,10 +899,10 @@ +@@ -716,10 +891,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -11134,7 +11126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -727,6 +910,8 @@ +@@ -727,6 +902,8 @@ # httpd_rotatelogs local policy # @@ -11143,7 +11135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -741,3 +926,56 @@ +@@ -741,3 +918,66 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -11200,6 +11192,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content) +manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content) +manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content) ++ ++# Removal of fastcgi, will cause problems without the following ++typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; ++typealias httpd_sys_content_t alias httpd_fastcgi_content_t; ++typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; ++typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; ++typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; ++typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; ++typealias httpd_sys_script_t alias httpd_fastcgi_script_t; ++typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.fc serefpolicy-3.5.13/policy/modules/services/arpwatch.fc --- nsaserefpolicy/policy/modules/services/arpwatch.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/arpwatch.fc 2008-10-17 10:31:27.000000000 -0400