diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
index 42f96b9..cfc51ec 100644
--- a/man/man8/ftpd_selinux.8
+++ b/man/man8/ftpd_selinux.8
@@ -12,7 +12,7 @@ If you want to share files anonymously, you must label the files and directories
 .TP
 chcon -R -t public_content_t /var/ftp
 .TP
-If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
+If you want to setup a directory where you can upload files to you must label the files and directories public_content_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
 .TP
 chcon -t public_content_rw_t /var/ftp/incoming
 .TP
diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
index 4bacdfc..7f14925 100644
--- a/man/man8/httpd_selinux.8
+++ b/man/man8/httpd_selinux.8
@@ -30,7 +30,7 @@ httpd_sys_script_exec_t
 .EX
 httpd_sys_script_ro_t
 .EE
-- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
+- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other non sys scripts from access.
 .EX
 httpd_sys_script_rw_t
 .EE
diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
index cbd336c..da13ae5 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -1,5 +1,5 @@
-policy_module(dmidecode,1.2.1)
+policy_module(dmidecode,1.2.2)
 ########################################
 #
@@ -18,6 +18,7 @@ role system_r types dmidecode_t;
 allow dmidecode_t self:capability sys_rawio;
+dev_read_sysfs(dmidecode_t)
 # Allow dmidecode to read /dev/mem
 dev_read_raw_memory(dmidecode_t)
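Review bot: The new `dev_read_sysfs(dmidecode_t)` line is placed directly above the comment that explains the /dev/mem access, so that comment now reads as if it covered both rules while the sysfs read has no rationale of its own. I would give it its own comment and keep a blank line before the existing one, e.g. `# Read the SMBIOS/DMI tables the kernel exports under /sys (presumably /sys/firmware) — confirm against the denial that motivated this`. The rule set this line joins continues past the end of the hunk.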
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b0f5d5f..b0a25be 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.11)
+policy_module(corenetwork,1.2.12)
 ########################################
 #
@@ -164,6 +164,7 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined por
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
 network_port(xen, tcp,8002,s0)
+network_port(xfs, tcp,7100,s0)
 network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
 network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
 network_port(zope, tcp,8021,s0)
diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te
index 743692d..90704b3 100644
--- a/policy/modules/services/ktalk.te
+++ b/policy/modules/services/ktalk.te
@@ -1,5 +1,5 @@
-policy_module(ktalk,1.5.1)
+policy_module(ktalk,1.5.2)
 ########################################
 #
@@ -68,6 +68,10 @@ fs_getattr_xattr_fs(ktalkd_t)
 files_read_etc_files(ktalkd_t)
+term_search_ptys(ktalkd_t)
+
+auth_use_nsswitch(ktalkd_t)
+
 init_read_utmp(ktalkd_t)
 libs_use_ld_so(ktalkd_t)
@@ -75,13 +79,3 @@ libs_use_shared_libs(ktalkd_t)
 logging_send_syslog_msg(ktalkd_t)
 miscfiles_read_localization(ktalkd_t)
-
-sysnet_read_config(ktalkd_t)
-
-optional_policy(`
- nis_use_ypbind(ktalkd_t)
-')
-
-optional_policy(`
- nscd_socket_use(ktalkd_t)
-')
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index a069f65..25c0238 100644
--- a/policy/modules/services/rsync.te
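Review bot: Declaring `network_port(xfs, tcp,7100,s0)` moves 7100/tcp out of the generic port type it fell into before, so any domain that reached that port only through the generic-port interfaces loses it as soon as this policy is loaded, and clients of the font server (the X server and font tools, presumably) will need a matching `corenet_tcp_connect_xfs_port` grant that this commit does not add. That side effect is expected for a new port type but deserves a sentence in the commit message. Only the TCP side is declared, which matches the X font service protocol; the port table continues beyond the hunk.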
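Review bot: Swapping `sysnet_read_config`, `nis_use_ypbind` and `nscd_socket_use` for `auth_use_nsswitch(ktalkd_t)` is only a no-op if that interface still carries the sysnet/resolver reads ktalkd needs for host lookups at this revision; if it does not, the daemon loses /etc/resolv.conf access, so this is worth checking against auth.if. It also hands ktalkd_t whatever other name-service client rules the interface bundles, which is a broader grant than the three it replaces and could be noted in a comment such as `# auth_use_nsswitch subsumes sysnet/nis/nscd access`. `term_search_ptys` is search-only on the pts directory, so this hunk does not by itself let ktalkd write to a recipient's terminal; if that is expected, the write rule must already exist outside the hunk.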
+++ b/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
-policy_module(rsync,1.5.0)
+policy_module(rsync,1.5.1)
 ########################################
 #
@@ -17,6 +17,7 @@ gen_tunable(allow_rsync_anon_write,false)
 type rsync_t;
 type rsync_exec_t;
 init_daemon_domain(rsync_t,rsync_exec_t)
+application_executable_file(rsync_exec_t)
 role system_r types rsync_t;
 type rsync_data_t;
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index fd0a84d..00c722f 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -1,5 +1,5 @@
-policy_module(setroubleshoot,1.5.1)
+policy_module(setroubleshoot,1.5.2)
 ########################################
 #
@@ -67,6 +67,7 @@ corenet_tcp_connect_smtp_port(setroubleshootd_t)
 corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
 dev_read_urand(setroubleshootd_t)
+dev_read_sysfs(setroubleshootd_t)
 domain_dontaudit_search_all_domains_state(setroubleshootd_t)
@@ -107,6 +108,12 @@ sysnet_read_config(setroubleshootd_t)
 userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t)
 optional_policy(`
+ dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
+ dbus_send_system_bus(setroubleshootd_t)
+ dbus_connect_system_bus(setroubleshootd_t)
+')
+
+optional_policy(`
 rpm_read_db(setroubleshootd_t)
 rpm_dontaudit_manage_db(setroubleshootd_t)
 rpm_use_script_fds(setroubleshootd_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 2c01c89..4edddfb 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
-policy_module(tftp,1.5.1)
+policy_module(tftp,1.5.2)
 ########################################
 #
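Review bot: `application_executable_file(rsync_exec_t)` lets every domain carrying the generic application-exec grant run the rsync binary in its own domain, whereas before this label was reachable only through the init transition set up by `init_daemon_domain(rsync_t,rsync_exec_t)` on the line above. That is the right thing for the rsync client, but because the same binary is both client and daemon it should say so, e.g. `# rsync is also a client: let user/application domains run it without a transition`, so nobody later removes it believing rsync_exec_t is daemon-only. The declarations block continues past the hunk.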
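Review bot: In the new `optional_policy` block, `dbus_send_system_bus` and `dbus_connect_system_bus` sit next to `dbus_system_bus_client_template`; if that template already grants the send_msg and stream-connect rules toward the system bus (as client templates of this era usually do), the two explicit calls are redundant and should go so the grant lives in one place — if it does not, keep them but say why. Either way a one-line comment naming the D-Bus use being enabled (presumably notifying the desktop applet) would help the next reader, and the `dev_read_sysfs(setroubleshootd_t)` added in the earlier hunk has no rationale either. The rpm optional_policy block the hunk touches ends outside it.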
@@ -26,6 +26,7 @@ allow tftpd_t self:tcp_socket create_stream_socket_perms;
 allow tftpd_t self:udp_socket create_socket_perms;
 allow tftpd_t self:unix_dgram_socket create_socket_perms;
 allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
+allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;
 dontaudit tftpd_t self:capability sys_tty_config;
 allow tftpd_t tftpdir_t:dir { getattr read search };
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index a7693d6..33f81dd 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -1,5 +1,5 @@
-policy_module(xfs,1.2.1)
+policy_module(xfs,1.2.2)
 ########################################
 #
@@ -37,6 +37,15 @@ files_pid_filetrans(xfs_t,xfs_var_run_t,file)
 kernel_read_kernel_sysctls(xfs_t)
 kernel_read_system_state(xfs_t)
+corenet_all_recvfrom_unlabeled(xfs_t)
+corenet_all_recvfrom_netlabel(xfs_t)
+corenet_tcp_sendrecv_generic_if(xfs_t)
+corenet_tcp_sendrecv_all_nodes(xfs_t)
+corenet_tcp_sendrecv_all_ports(xfs_t)
+corenet_tcp_bind_all_nodes(xfs_t)
+corenet_tcp_bind_xfs_port(xfs_t)
+corenet_sendrecv_xfs_server_packets(xfs_t)
+
 corecmd_list_bin(xfs_t)
 dev_read_sysfs(xfs_t)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index c5c3837..8005483 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec,1.4.1)
+policy_module(ipsec,1.4.2)
 ########################################
 #
@@ -321,6 +321,7 @@ libs_use_shared_libs(racoon_t)
 locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
+logging_send_audit_msgs(racoon_t)
 miscfiles_read_localization(racoon_t)
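Review bot: The added `allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;` has no comment, and nothing in the hunk shows why a TFTP server needs to read the routing/interface table (presumably interface enumeration when it picks a source address for replies). Since it is the only netlink rule in this self-permission run, record the reason, e.g. `# read-only interface/route lookups (getifaddrs) for reply addressing`. The self-socket rule run starts before the hunk.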
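Review bot: `corenet_tcp_sendrecv_all_ports(xfs_t)` lets the font server exchange data on any labeled TCP port, so the port-specific lines that follow (`corenet_tcp_bind_xfs_port`, `corenet_sendrecv_xfs_server_packets`) only bound where it may bind, not what traffic it may carry. If the intent is to confine xfs_t to its own service port, `corenet_tcp_sendrecv_xfs_port(xfs_t)` is the tighter rule, assuming corenetwork.if generates it for the new port at this revision; the all-ports form may be a deliberate match to how other daemons in the tree are written, in which case a short comment saying so would stop the next reviewer re-raising it. The network block continues beyond the hunk.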