From 236d3cc19a4aaa6ba76e4621555585e5107255a4 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 21 2008 18:31:38 +0000 Subject: - Remove mod_fcgid-selinux package --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 110afb5..0493f77 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -6940,7 +6940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## all protocols (TCP, UDP, etc) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-17 10:31:27.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-21 11:21:45.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -6955,7 +6955,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Mark process types as domains attribute domain; -@@ -85,6 +92,7 @@ +@@ -80,11 +87,14 @@ + allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; + allow domain self:file rw_file_perms; + kernel_read_proc_symlinks(domain) ++kernel_read_crypto_sysctls(domain) ++ + # Every domain gets the key ring, so we should default + # to no one allowed to look at it; afs kernel support creates # a keyring kernel_dontaudit_search_key(domain) kernel_dontaudit_link_key(domain) @@ -6963,7 +6970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # create child processes in the domain allow domain self:process { fork sigchld }; -@@ -131,6 +139,9 @@ +@@ -131,6 +141,9 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; 
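Review bot: `kernel_read_crypto_sysctls(domain)` in the second domain.te hunk is attached to the `domain` attribute, so every process type in the policy gains read access to /proc/sys/crypto, and unlike the key-ring rules directly below it there is no comment recording why. The exposure is small — the new interface grants only file read and directory list — but a rationale line such as `# crypto libraries read /proc/sys/crypto (presumably fips_enabled) from any process; confirm` would stop a later reader from narrowing it without knowing what breaks. If the requirement really comes from a few specific callers, calling the interface from those domains rather than from the whole attribute would be the tighter choice.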
@@ -6973,7 +6980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -140,7 +151,7 @@ +@@ -140,7 +153,7 @@ # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; @@ -6982,7 +6989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -148,3 +159,39 @@ +@@ -148,3 +161,39 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -7913,7 +7920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-20 14:00:25.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-21 10:34:57.000000000 -0400 @@ -1198,6 +1198,7 @@ ') 
@@ -7934,7 +7941,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1768,6 +1771,7 @@ +@@ -1569,6 +1572,26 @@ + + ######################################## + ## ++## Read generic crypto sysctls. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_read_crypto_sysctls',` ++ gen_require(` ++ type proc_t, sysctl_t, sysctl_crypto_t; ++ ') ++ ++ read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) ++ ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) ++') ++ ++######################################## ++## + ## Read generic kernel sysctls. + ## + ## +@@ -1768,6 +1791,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -7942,7 +7976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2582,6 +2586,24 @@ +@@ -2582,6 +2606,24 @@ ######################################## ## @@ -7969,7 +8003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.13/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-10-17 10:31:27.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-10-21 10:34:03.000000000 -0400 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) 
@@ -7986,7 +8020,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # kvmFS # -@@ -160,6 +169,7 @@ +@@ -120,6 +129,10 @@ + type sysctl_rpc_t, sysctl_type; + genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) + ++# /proc/sys/crypto directory and files ++type sysctl_crypto_t, sysctl_type; ++genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0) ++ + # /proc/sys/fs directory and files + type sysctl_fs_t, sysctl_type; + files_mountpoint(sysctl_fs_t) +@@ -160,6 +173,7 @@ # type unlabeled_t; sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -7994,7 +8039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -274,6 +284,8 @@ +@@ -274,6 +288,8 @@ fs_rw_tmpfs_chr_files(kernel_t) ') @@ -10499,7 +10544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-20 15:37:58.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-21 09:18:28.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # 
@@ -10593,18 +10638,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -180,6 +220,10 @@ +@@ -180,6 +220,13 @@ # setup the system domain for system CGI scripts apache_content_template(sys) +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; ++typealias httpd_sys_content_t alias httpd_fastcgi_content_t; ++typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; ++ +typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable +typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable +typeattribute httpd_sys_content_ra_t httpdcontent; # customizable type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -202,12 +246,16 @@ +@@ -202,12 +249,16 @@ prelink_object_file(httpd_modules_t) ') @@ -10622,7 +10670,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +297,7 @@ +@@ -249,6 +300,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -10630,7 +10678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -260,9 +309,9 @@ +@@ -260,9 +312,9 @@ allow httpd_t httpd_suexec_exec_t:file read_file_perms; 
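Review bot: The three `typealias` lines map the old `httpd_fastcgi_content_t`, `httpd_fastcgi_content_rw_t` and `httpd_fastcgi_script_exec_t` names onto the sys types, but nothing visible in this diff aliases a mod_fcgid process domain or carries the removed package's file-context entries into apache.fc; if the obsoleted module declared either, on-disk labels and any local policy that references them will stop resolving after the update — whether such a domain existed cannot be seen from this hunk. A comment above the aliases, `# compatibility aliases for the removed mod_fcgid-selinux module; fastcgi content now gets httpd_sys_* access`, would also make explicit that content formerly labelled fastcgi rw is now writable by every domain that can write `httpd_sys_content_rw_t`.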
@@ -10643,7 +10691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -289,6 +338,7 @@ +@@ -289,6 +341,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -10651,7 +10699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -299,6 +349,7 @@ +@@ -299,6 +352,7 @@ corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_all_nodes(httpd_t) @@ -10659,7 +10707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) -@@ -312,12 +363,11 @@ +@@ -312,12 +366,11 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -10674,7 +10722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(httpd_t) -@@ -335,6 +385,10 @@ +@@ -335,6 +388,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -10685,7 +10733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,18 +405,33 @@ +@@ -351,18 +408,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -10723,7 +10771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -370,20 +439,45 @@ +@@ -370,20 +442,45 @@ corenet_tcp_connect_all_ports(httpd_t) ') 
@@ -10770,7 +10818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -394,11 +488,12 @@ +@@ -394,11 +491,12 @@ corenet_tcp_bind_ftp_port(httpd_t) ') @@ -10786,7 +10834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') -@@ -408,6 +503,11 @@ +@@ -408,6 +506,11 @@ fs_read_cifs_symlinks(httpd_t) ') @@ -10798,7 +10846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -441,8 +541,13 @@ +@@ -441,8 +544,13 @@ ') optional_policy(` @@ -10814,7 +10862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,18 +559,13 @@ +@@ -454,18 +562,13 @@ ') optional_policy(` @@ -10834,7 +10882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -475,6 +575,12 @@ +@@ -475,6 +578,12 @@ openca_kill(httpd_t) ') @@ -10847,7 +10895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -482,6 +588,7 @@ +@@ -482,6 +591,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -10855,7 +10903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -490,6 +597,7 @@ +@@ -490,6 +600,7 @@ ') optional_policy(` 
@@ -10863,7 +10911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -519,9 +627,28 @@ +@@ -519,9 +630,28 @@ logging_send_syslog_msg(httpd_helper_t) tunable_policy(`httpd_tty_comm',` @@ -10892,7 +10940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -551,22 +678,27 @@ +@@ -551,22 +681,27 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -10926,7 +10974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -584,12 +716,14 @@ +@@ -584,12 +719,14 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -10942,7 +10990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -598,9 +732,7 @@ +@@ -598,9 +735,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -10953,7 +11001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -633,12 +765,25 @@ +@@ -633,12 +768,25 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -10982,7 +11030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -647,6 +792,12 @@ +@@ -647,6 +795,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') 
@@ -10995,7 +11043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -664,10 +815,6 @@ +@@ -664,10 +818,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -11006,7 +11054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache system script local policy -@@ -677,7 +824,8 @@ +@@ -677,7 +827,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -11016,7 +11064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -691,12 +839,15 @@ +@@ -691,12 +842,15 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -11034,7 +11082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -704,6 +855,30 @@ +@@ -704,6 +858,30 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -11065,7 +11113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -716,10 +891,10 @@ +@@ -716,10 +894,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -11080,7 +11128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -727,6 +902,8 @@ +@@ -727,6 +905,8 @@ # httpd_rotatelogs local policy # 
@@ -11089,7 +11137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -741,3 +918,56 @@ +@@ -741,3 +921,56 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -17120,25 +17168,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.13/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-10-17 10:31:27.000000000 -0400 -@@ -20,6 +20,42 @@ ++++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-10-20 16:13:12.000000000 -0400 +@@ -2,7 +2,27 @@ ######################################## ## -+## Send signulls to NSCD. +-## Send generic signals to NSCD. ++## Execute NSCD in the nscd domain. +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. +## +## +# -+interface(`nscd_signull',` ++interface(`nscd_domtrans',` + gen_require(` -+ type nscd_t; ++ type nscd_t, nscd_exec_t; + ') + -+ allow $1 nscd_t:process signull; ++ corecmd_search_bin($1) ++ domtrans_pattern($1, nscd_exec_t, nscd_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to execute nscd ++## in the caller domain. + ## + ## + ## +@@ -10,37 +30,53 @@ + ## + ## + # +-interface(`nscd_signal',` ++interface(`nscd_exec',` ++ gen_require(` ++ type nscd_exec_t; ++ ') ++ ++ can_exec($1, nscd_exec_t) +') + +######################################## 
@@ -17152,18 +17222,62 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +# +interface(`nscd_sigkill',` -+ gen_require(` -+ type nscd_t; -+ ') -+ + gen_require(` + type nscd_t; + ') + +- allow $1 nscd_t:process signal; + allow $1 nscd_t:process sigkill; -+') -+ -+######################################## -+## - ## Execute NSCD in the nscd domain. + ') + + ######################################## + ## +-## Execute NSCD in the nscd domain. ++## Send generic signals to NSCD. ## ## + ## +-## The type of the process performing this action. ++## Domain allowed access. + ## + ## + # +-interface(`nscd_domtrans',` ++interface(`nscd_signal',` + gen_require(` +- type nscd_t, nscd_exec_t; ++ type nscd_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, nscd_exec_t, nscd_t) ++ allow $1 nscd_t:process signal; + ') + + ######################################## + ## +-## Allow the specified domain to execute nscd +-## in the caller domain. ++## Send signulls to NSCD. + ## + ## + ## +@@ -48,12 +84,12 @@ + ## + ## + # +-interface(`nscd_exec',` ++interface(`nscd_signull',` + gen_require(` +- type nscd_exec_t; ++ type nscd_t; + ') + +- can_exec($1, nscd_exec_t) ++ allow $1 nscd_t:process signull; + ') + + ######################################## @@ -70,15 +106,14 @@ interface(`nscd_socket_use',` gen_require(` @@ -18481,7 +18595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-10-17 10:31:27.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-10-21 11:23:16.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # 
@@ -22987,7 +23101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-10-17 10:31:27.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-10-21 10:06:54.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -23008,16 +23122,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -65,7 +67,7 @@ +@@ -65,8 +67,7 @@ allow $1_ssh_t self:sem create_sem_perms; allow $1_ssh_t self:msgq create_msgq_perms; allow $1_ssh_t self:msg { send receive }; - allow $1_ssh_t self:tcp_socket create_socket_perms; +- allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms; + allow $1_ssh_t self:tcp_socket create_stream_socket_perms; - allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms; # for rsync -@@ -93,20 +95,21 @@ + allow $1_ssh_t $2:unix_stream_socket rw_socket_perms; +@@ -93,20 +94,21 @@ ps_process_pattern($2, $1_ssh_t) # user can manage the keys and config @@ -23047,7 +23162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled($1_ssh_t) corenet_all_recvfrom_netlabel($1_ssh_t) -@@ -115,6 +118,8 @@ +@@ -115,6 +117,8 @@ corenet_tcp_sendrecv_all_ports($1_ssh_t) corenet_tcp_connect_ssh_port($1_ssh_t) corenet_sendrecv_ssh_client_packets($1_ssh_t) 
@@ -23056,7 +23171,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand($1_ssh_t) -@@ -212,7 +217,7 @@ +@@ -133,6 +137,8 @@ + files_read_etc_files($1_ssh_t) + files_read_var_files($1_ssh_t) + ++ auth_use_nsswitch($1_ssh_t) ++ + libs_use_ld_so($1_ssh_t) + libs_use_shared_libs($1_ssh_t) + +@@ -143,9 +149,6 @@ + + seutil_read_config($1_ssh_t) + +- sysnet_read_config($1_ssh_t) +- sysnet_dns_name_resolve($1_ssh_t) +- + tunable_policy(`read_default_t',` + files_list_default($1_ssh_t) + files_read_default_files($1_ssh_t) +@@ -157,14 +160,6 @@ + optional_policy(` + kerberos_use($1_ssh_t) + ') +- +- optional_policy(` +- nis_use_ypbind($1_ssh_t) +- ') +- +- optional_policy(` +- nscd_socket_use($1_ssh_t) +- ') + ') + + ####################################### +@@ -212,7 +207,7 @@ ssh_basic_client_template($1, $2, $3) @@ -23065,7 +23214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type $1_ssh_agent_t; application_domain($1_ssh_agent_t, ssh_agent_exec_t) -@@ -240,9 +245,9 @@ +@@ -240,9 +235,9 @@ manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t) fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -23078,7 +23227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t) -@@ -254,6 +259,8 @@ +@@ -254,6 +249,8 @@ userdom_use_unpriv_users_fds($1_ssh_t) userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t) userdom_search_user_home_dirs($1,$1_ssh_t) 
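Review bot: Replacing `sysnet_read_config`, `sysnet_dns_name_resolve`, `nis_use_ypbind` and `nscd_socket_use` with `auth_use_nsswitch($1_ssh_t)` widens the client domain to whatever that interface bundles (it typically also pulls in the winbind/ldap client paths under optional_policy — check the interface body), so this is more than a refactor and deserves a line such as `# name resolution via nsswitch (replaces the per-backend calls)`. The preceding hunk in this file also dropped `allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;`, which only stays safe if `auth_use_nsswitch` supplies that rule — confirm, since getaddrinfo() in the ssh client fails without it. With nsswitch in place the explicit `kerberos_use($1_ssh_t)` left in the optional block may now be redundant; worth checking rather than keeping two sources of the same access. The client template this belongs to starts and ends outside the hunk.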
@@ -23087,7 +23236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Write to the user domain tty. userdom_use_user_terminals($1,$1_ssh_t) # needs to read krb tgt -@@ -279,24 +286,14 @@ +@@ -279,24 +276,14 @@ # for port forwarding tunable_policy(`user_tcp_server',` corenet_tcp_bind_ssh_port($1_ssh_t) @@ -23114,7 +23263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # $1_ssh_agent_t local policy -@@ -381,12 +378,9 @@ +@@ -381,12 +368,9 @@ optional_policy(` xserver_use_xdm_fds($1_ssh_agent_t) xserver_rw_xdm_pipes($1_ssh_agent_t) @@ -23128,7 +23277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # $1_ssh_keysign_t local policy -@@ -413,6 +407,25 @@ +@@ -413,6 +397,25 @@ ') ') @@ -23154,7 +23303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### ## ## The template to define a ssh server. -@@ -443,13 +456,14 @@ +@@ -443,13 +446,14 @@ type $1_var_run_t; files_pid_file($1_var_run_t) @@ -23170,7 +23319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -478,7 +492,12 @@ +@@ -478,7 +482,12 @@ corenet_udp_bind_all_nodes($1_t) corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) @@ -23183,7 +23332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_getattr_all_fs($1_t) -@@ -506,9 +525,14 @@ +@@ -506,9 +515,14 @@ userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) userdom_search_all_users_home_dirs($1_t) 
@@ -23198,7 +23347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -517,11 +541,7 @@ +@@ -517,11 +531,7 @@ optional_policy(` kerberos_use($1_t) @@ -23211,7 +23360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -710,3 +730,22 @@ +@@ -710,3 +720,22 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -23236,7 +23385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-10-17 10:31:27.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-10-21 10:05:20.000000000 -0400 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -23297,6 +23446,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') +@@ -176,6 +197,8 @@ + init_use_fds(ssh_keygen_t) + init_use_script_ptys(ssh_keygen_t) + ++auth_use_nsswitch(ssh_keygen_t) ++ + libs_use_ld_so(ssh_keygen_t) + libs_use_shared_libs(ssh_keygen_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.5.13/policy/modules/services/stunnel.fc --- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/stunnel.fc 2008-10-17 10:31:27.000000000 -0400 
@@ -23701,7 +23859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-17 17:26:09.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-21 11:39:30.000000000 -0400 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -23946,7 +24104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -441,16 +385,16 @@ +@@ -441,16 +385,17 @@ domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) @@ -23965,10 +24123,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - allow xdm_t $1_iceauth_home_t:file read_file_perms; + xserver_use_xdm($2) ++ xserver_rw_xdm_xserver_shm($2) fs_search_auto_mountpoints($1_iceauth_t) -@@ -473,33 +417,12 @@ +@@ -473,33 +418,12 @@ # # Device rules @@ -24005,7 +24164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # xrdb X11:ChangeProperty prop=RESOURCE_MANAGER allow $2 info_xproperty_t:x_property { create write append }; -@@ -548,7 +471,7 @@ +@@ -548,7 +472,7 @@ allow $2 $1_xserver_t:process signal; # Read /tmp/.X0-lock @@ -24014,7 +24173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Client read xserver shm allow $2 $1_xserver_t:fd use; -@@ -616,7 +539,7 @@ +@@ -616,7 +540,7 @@ # refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` type xdm_t, xdm_tmp_t; 
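Review bot: The root-window rule now reads `allow $3 $1_rootwindow_t:x_drawable { read getattr list_child ... }`, and in the XACE object classes `read` on an x_drawable is the permission checked for GetImage-style pixel reads; granted on the root window to every client domain instantiated by this template it would let any such client capture the whole screen, including windows of other labels, which is the cross-domain leak the X object manager exists to prevent. If `read` was added to clear a specific denial, it is better confined to the screenshot/compositor domain that needs it or placed behind a tunable, with a comment such as `# read on the root window permits full-screen capture (GetImage); keep to trusted clients`. The template this rule belongs to starts and ends outside the hunk.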
@@ -24023,7 +24182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $2 self:shm create_shm_perms; -@@ -624,12 +547,12 @@ +@@ -624,12 +548,12 @@ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -24039,7 +24198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $2 xdm_tmp_t:dir search; allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; -@@ -649,13 +572,210 @@ +@@ -649,13 +573,210 @@ xserver_read_xdm_tmp_files($2) @@ -24091,7 +24250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property }; + # X Windows + # operations allowed on root windows -+ allow $3 $1_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive override destroy hide }; ++ allow $3 $1_rootwindow_t:x_drawable { read getattr list_child add_child remove_child send receive override destroy hide }; +# type_transition $3 $1_rootwindow_t:x_drawable $2_t; + + allow $3 $1_xproperty_t:x_property { write read }; @@ -24254,7 +24413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### ## ## Interface to provide X object permissions on a given X server to -@@ -682,7 +802,7 @@ +@@ -682,7 +803,7 @@ # template(`xserver_common_x_domain_template',` gen_require(` @@ -24263,7 +24422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; -@@ -691,7 +811,6 @@ +@@ -691,7 +812,6 @@ attribute x_server_domain, x_domain; attribute xproperty_type; attribute xevent_type, xextension_type; 
@@ -24271,7 +24430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol class x_drawable all_x_drawable_perms; class x_screen all_x_screen_perms; -@@ -708,6 +827,7 @@ +@@ -708,6 +828,7 @@ class x_resource all_x_resource_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; @@ -24279,7 +24438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -715,20 +835,22 @@ +@@ -715,20 +836,22 @@ # Declarations # @@ -24305,7 +24464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # Local Policy -@@ -746,7 +868,7 @@ +@@ -746,7 +869,7 @@ allow $3 x_server_domain:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels @@ -24314,7 +24473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # everyone can receive management events on the root window # allows to know when new windows appear, among other things allow $3 manage_xevent_t:x_event receive; -@@ -755,36 +877,30 @@ +@@ -755,36 +878,30 @@ # can read server-owned resources allow $3 x_server_domain:x_resource read; # can mess with own clients @@ -24361,7 +24520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Input # can receive own events -@@ -811,6 +927,12 @@ +@@ -811,6 +928,12 @@ allow $3 manage_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send; @@ -24374,7 +24533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Selections # can use the clipboard allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -@@ -819,13 +941,15 @@ +@@ -819,13 +942,15 @@ # Other X Objects # can create and use cursors 
@@ -24394,7 +24553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined($3), -@@ -885,24 +1009,17 @@ +@@ -885,24 +1010,17 @@ # template(`xserver_user_x_domain_template',` gen_require(` @@ -24426,7 +24585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow connections to X server. files_search_tmp($3) -@@ -917,16 +1034,16 @@ +@@ -917,16 +1035,16 @@ xserver_rw_session_template($1, $3, $4) xserver_use_user_fonts($1, $3) @@ -24450,7 +24609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -958,26 +1075,43 @@ +@@ -958,26 +1076,43 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -24501,7 +24660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Transition to a user Xauthority domain. ## ## -@@ -1003,10 +1137,77 @@ +@@ -1003,10 +1138,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` @@ -24581,7 +24740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1036,10 +1237,10 @@ +@@ -1036,10 +1238,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -24594,7 +24753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1180,7 +1381,7 @@ +@@ -1180,7 +1382,7 @@ type xdm_t; ') @@ -24603,7 +24762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1225,6 +1426,25 @@ +@@ -1225,6 +1427,25 @@ ######################################## ## 
@@ -24629,7 +24788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read xdm-writable configuration files. ## ## -@@ -1239,7 +1459,7 @@ +@@ -1239,7 +1460,7 @@ ') files_search_etc($1) @@ -24638,7 +24797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1279,6 +1499,7 @@ +@@ -1279,6 +1500,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -24646,7 +24805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1297,7 +1518,7 @@ +@@ -1297,7 +1519,7 @@ ') files_search_pids($1) @@ -24655,7 +24814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1315,7 +1536,25 @@ +@@ -1315,7 +1537,25 @@ type xdm_var_lib_t; ') @@ -24682,7 +24841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1330,15 +1569,47 @@ +@@ -1330,15 +1570,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -24731,7 +24890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1488,7 +1759,7 @@ +@@ -1488,7 +1760,7 @@ type xdm_xserver_tmp_t; ') @@ -24740,7 +24899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1680,6 +1951,26 @@ +@@ -1680,6 +1952,26 @@ ######################################## ## @@ -24767,7 +24926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## xdm xserver RW shared memory socket. ## ## -@@ -1698,6 +1989,24 @@ +@@ -1698,6 +1990,24 @@ ######################################## ## 
@@ -24792,7 +24951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display.
-@@ -1710,8 +2019,157 @@
+@@ -1710,8 +2020,157 @@ # interface(`xserver_unconfined',` gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4b801c0..2d7a401 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -312,6 +312,7 @@ Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Conflicts: audispd-plugins <= 1.7.7-1
+Obsoletes: mod_fcgid-selinux
%description targeted
SELinux Reference policy targeted base module.
@@ -461,6 +462,9 @@ exit 0
%endif
%changelog
+* Tue Oct 21 2008 Dan Walsh 3.5.13-3 - Remove mod_fcgid-selinux package
* Mon Oct 20 2008 Dan Walsh 3.5.13-2 - Fix dovecot access
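Review bot: The `Obsoletes: mod_fcgid-selinux` added to the targeted-package stanza (the `@@ -312,6 +312,7 @@` hunk of selinux-policy.spec) is unversioned, so it will also obsolete any future package that happens to reuse that name, not just the one being retired. The neighbouring `Conflicts: audispd-plugins <= 1.7.7-1` is versioned, and this tag should follow the same convention, e.g. `Obsoletes: mod_fcgid-selinux < LAST-EVR` where LAST-EVR is the final mod_fcgid-selinux build plus one release (that EVR is not visible in this diff). If the targeted base module now ships the policy that mod_fcgid-selinux used to carry, a matching `Provides: mod_fcgid-selinux = %{version}-%{release}` keeps anything that depended on the old package installable; whether that policy actually moved into the base module cannot be confirmed from this commit, whose policy-20080710.patch hunks only renumber xserver.if hunk offsets. A one-line comment above the tag stating why the package is obsoleted and which EVR it supersedes would spare the next spec reader a trip through the changelog.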
