diff --git a/policy-20071130.patch b/policy-20071130.patch index f71c2c6..e4fa5a7 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -6887,7 +6887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-26 08:23:11.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-05-06 14:02:43.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-05-06 15:59:51.000000000 -0400 @@ -75,6 +75,7 @@ network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) @@ -9496,7 +9496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-05-06 14:02:43.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-05-06 16:40:13.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -9724,14 +9724,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + filetrans_pattern(httpd_sys_script_t,httpd_sys_content_t,httpd_sys_content_rw_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) +') ++ ++tunable_policy(`allow_httpd_sys_script_anon_write',` ++ miscfiles_manage_public_files(httpd_sys_script_t) ++') - manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent) - manage_files_pattern(httpd_t,httpdcontent,httpdcontent) - manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent) -+tunable_policy(`allow_httpd_sys_script_anon_write',` -+ miscfiles_manage_public_files(httpd_sys_script_t) -+') -+ +tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` + domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) @@ -9827,7 +9827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -521,6 +610,20 @@ +@@ -521,6 +610,22 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -9839,6 +9839,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) + ++ role system_r types httpd_unconfined_script_t; ++ + tunable_policy(`httpd_tty_comm',` + unconfined_use_terminals(httpd_helper_t) + ') @@ -9848,7 +9850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -550,18 +653,24 @@ +@@ -550,18 +655,24 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -9876,7 +9878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -585,6 +694,8 @@ +@@ -585,6 +696,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -9885,7 +9887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -593,9 +704,7 @@ +@@ -593,9 +706,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -9896,7 +9898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -628,6 +737,7 @@ +@@ -628,6 +739,7 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -9904,7 +9906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -638,6 +748,12 @@ +@@ -638,6 +750,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -9917,7 +9919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +771,6 @@ +@@ -655,10 +773,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -9928,7 +9930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +780,8 @@ +@@ -668,7 +782,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -9938,7 +9940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +795,44 @@ +@@ -682,15 +797,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -9984,7 +9986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -700,9 +842,15 @@ +@@ -700,9 +844,15 @@ clamav_domtrans_clamscan(httpd_sys_script_t) ') @@ -10000,7 +10002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +872,47 @@ +@@ -724,3 +874,47 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -30102,6 +30104,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + hal_rw_pipes(mount_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-3.3.1/policy/modules/system/netlabel.te +--- nsaserefpolicy/policy/modules/system/netlabel.te 2008-02-26 08:23:09.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/netlabel.te 2008-05-06 16:12:12.000000000 -0400 +@@ -9,6 +9,7 @@ + type netlabel_mgmt_t; + type netlabel_mgmt_exec_t; + application_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t) ++role system_r types netlabl_mgmt_t; + + ######################################## + # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.fc serefpolicy-3.3.1/policy/modules/system/qemu.fc --- nsaserefpolicy/policy/modules/system/qemu.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/qemu.fc 2008-05-06 14:02:43.000000000 -0400