From 53d90622e6d4316e2c328f33d9ffad03780f2437 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Feb 01 2011 18:18:25 +0000 Subject: - ricci_modclusterd_t needs to bind to rpc ports 500-1023 --- diff --git a/policy-F14.patch b/policy-F14.patch index 92aa479..b830363 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -8422,7 +8422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in 2011-01-28 17:39:37.305455001 +0000 ++++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in 2011-01-31 13:25:42.257455001 +0000 @@ -24,6 +24,7 @@ # type tun_tap_device_t; @@ -14949,7 +14949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.9.7/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/apache.te 2011-01-19 16:15:16.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/apache.te 2011-01-31 14:38:49.905455001 +0000 @@ -18,130 +18,195 @@ # Declarations # 
@@ -15349,8 +15349,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) -+ corenet_tcp_connect_oracle_port(httpd_t) -+ corenet_sendrecv_oracle_client_packets(httpd_t) ++ corenet_tcp_connect_oracledb_port(httpd_t) ++ corenet_sendrecv_oracledb_client_packets(httpd_t) +') + +tunable_policy(`httpd_can_network_memcache',` @@ -15599,8 +15599,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - corenet_sendrecv_mssql_client_packets(httpd_suexec_t) + corenet_tcp_connect_mssql_port(httpd_php_t) + corenet_sendrecv_mssql_client_packets(httpd_php_t) -+ corenet_tcp_connect_oracle_port(httpd_php_t) -+ corenet_sendrecv_oracle_client_packets(httpd_php_t) ++ corenet_tcp_connect_oracledb_port(httpd_php_t) ++ corenet_sendrecv_oracledb_client_packets(httpd_php_t) ') optional_policy(` @@ -15656,8 +15656,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) -+ corenet_tcp_connect_oracle_port(httpd_suexec_t) -+ corenet_sendrecv_oracle_client_packets(httpd_suexec_t) ++ corenet_tcp_connect_oracledb_port(httpd_suexec_t) ++ corenet_sendrecv_oracleddb_client_packets(httpd_suexec_t) +') + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) 
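Review bot: The suexec block in the third hunk (`@@ -15656`) misspells the new interface name: `++	corenet_sendrecv_oracleddb_client_packets(httpd_suexec_t)` has a doubled "d", whereas the same rename in the other three hunks uses `corenet_sendrecv_oracledb_client_packets`. An interface name that does not exist is left unexpanded by m4, so the generated policy for that tunable block will most likely fail to compile, or at best leave httpd_suexec_t without the oracledb client-packet rule while httpd_t, httpd_php_t and httpd_sys_script_t get it. The line should read `+	corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)`. The enclosing `tunable_policy(`httpd_can_network_connect_db',` … `')` block is fully inside the hunk, so no other line needs to change.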
@@ -15728,8 +15728,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) -+ corenet_tcp_connect_oracle_port(httpd_sys_script_t) -+ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_oracledb_port(httpd_sys_script_t) ++ corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t) +') + +fs_cifs_entry_type(httpd_sys_script_t) @@ -15827,6 +15827,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + userdom_read_user_home_content_files(httpd_suexec_t) + userdom_read_user_home_content_files(httpd_user_script_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.9.7/policy/modules/services/apcupsd.fc +--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2010-10-12 20:42:48.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/apcupsd.fc 2011-01-31 14:53:42.893455001 +0000 +@@ -13,3 +13,5 @@ + /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) + /var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) + /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) ++/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.9.7/policy/modules/services/apcupsd.if --- nsaserefpolicy/policy/modules/services/apcupsd.if 2010-10-12 20:42:50.000000000 +0000 +++ serefpolicy-3.9.7/policy/modules/services/apcupsd.if 2010-11-05 13:02:26.000000000 +0000 
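Review bot: The new apcupsd.fc hunk appends a stray empty line after the `/var/www/cgi-bin/apcgui(/.*)?` entry (the trailing `++` line, counted in `+@@ -13,3 +13,5 @@`), which leaves the file-context file ending in a blank line for no reason; dropping it and changing the inner header to `+@@ -13,3 +13,4 @@` keeps the hunk tidy. The entry itself labels the whole apcgui tree as `httpd_apcupsd_cgi_script_exec_t`, which matches how the other apcupsd CGI scripts in the same file are labelled, though it does mean any non-script file placed under that directory is also typed as an executable entrypoint; if that is intended a short comment such as `# apcgui ships its CGI frontend under the generic cgi-bin dir` above the entry would make the choice explicit.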
@@ -17281,7 +17290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.9.7/policy/modules/services/certmaster.te --- nsaserefpolicy/policy/modules/services/certmaster.te 2010-10-12 20:42:48.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/certmaster.te 2010-11-22 09:21:45.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/certmaster.te 2011-01-31 14:51:47.916455000 +0000 @@ -43,23 +43,23 @@ # log files @@ -21042,8 +21051,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.9.7/policy/modules/services/dirsrv.te --- nsaserefpolicy/policy/modules/services/dirsrv.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/dirsrv.te 2011-01-14 15:33:36.000000000 +0000 -@@ -0,0 +1,180 @@ ++++ serefpolicy-3.9.7/policy/modules/services/dirsrv.te 2011-01-31 10:53:16.915455001 +0000 +@@ -0,0 +1,182 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -21154,6 +21163,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs + +fs_getattr_all_fs(dirsrv_t) + ++logging_send_syslog_msg(dirsrv_t) ++ +miscfiles_read_localization(dirsrv_t) + +sysnet_dns_name_resolve(dirsrv_t) 
@@ -24249,7 +24260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/keyb +/usr/bin/system-setup-keyboard -- gen_context(system_u:object_r:keyboardd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/keyboardd.if serefpolicy-3.9.7/policy/modules/services/keyboardd.if --- nsaserefpolicy/policy/modules/services/keyboardd.if 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/keyboardd.if 2011-01-27 18:16:09.428455000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/keyboardd.if 2011-01-31 13:06:03.027455001 +0000 @@ -0,0 +1,39 @@ + +## policy for system-setup-keyboard daemon @@ -24285,7 +24296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/keyb +# +interface(`keyboardd_read_pipes',` + gen_require(` -+ type sendmail_t; ++ type keyboardd_t; + ') + + allow $1 keyboardd_t:fifo_file read_fifo_file_perms; @@ -31128,7 +31139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. admin_pattern($1, pptp_var_run_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.9.7/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2010-10-12 20:42:48.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/ppp.te 2011-01-27 14:11:10.224455001 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/ppp.te 2011-01-31 13:11:23.407455000 +0000 @@ -6,16 +6,16 @@ # @@ -31193,8 +31204,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. init_signal_script(pppd_t) auth_use_nsswitch(pppd_t) -+auth_domtrans_chk_passwd(pppd_t -+auth_write_login_record(pppd_t) ++auth_domtrans_chk_passwd(pppd_t) ++auth_write_login_records(pppd_t) logging_send_syslog_msg(pppd_t) logging_send_audit_msgs(pppd_t) 
@@ -33612,7 +33623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.9.7/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2010-10-12 20:42:48.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/ricci.te 2010-11-05 13:02:26.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/ricci.te 2011-02-01 17:45:32.068796001 +0000 @@ -7,9 +7,11 @@ type ricci_t; @@ -33688,7 +33699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -@@ -272,6 +284,7 @@ +@@ -272,12 +284,14 @@ kernel_read_kernel_sysctls(ricci_modclusterd_t) kernel_read_system_state(ricci_modclusterd_t) @@ -33696,7 +33707,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc corecmd_exec_bin(ricci_modclusterd_t) -@@ -444,6 +457,12 @@ + corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t) + corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t) + corenet_tcp_bind_generic_node(ricci_modclusterd_t) ++corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t) + corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t) + corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) + +@@ -444,6 +458,12 @@ files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) 
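Review bot: The added `++corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)` grants bind on every port in the rpc range rather than one fixed port, and together with the neighbouring `corenet_tcp_bind_generic_node` and `corenet_tcp_sendrecv_all_ports` it lets the domain listen on any reserved rpc port. If modclusterd picks its port dynamically at start-up, as the commit subject ("rpc ports 500-1023") suggests, the wide grant is unavoidable, but nothing in the policy says so; a one-line comment such as `# modclusterd binds a dynamically chosen reserved (rpc-range) port` above the new call would stop a later reviewer from narrowing it back to a single port. Whether the daemon also needs the UDP counterpart cannot be told from this hunk, so it is worth confirming against the original denial before closing the bug.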
@@ -43981,7 +43999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.9.7/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/system/iscsi.te 2011-01-03 07:52:59.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/system/iscsi.te 2011-01-31 10:13:53.007455000 +0000 @@ -31,6 +31,7 @@ # @@ -43990,7 +44008,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -76,9 +77,12 @@ +@@ -64,6 +65,7 @@ + + kernel_read_network_state(iscsid_t) + kernel_read_system_state(iscsid_t) ++kernel_setsched(iscsid_t) + + corenet_all_recvfrom_unlabeled(iscsid_t) + corenet_all_recvfrom_netlabel(iscsid_t) +@@ -76,9 +78,12 @@ dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) @@ -44003,7 +44029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. files_read_etc_files(iscsid_t) -@@ -91,5 +95,5 @@ +@@ -91,5 +96,5 @@ miscfiles_read_localization(iscsid_t) optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 7c788e2..63c5d08 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.7 -Release: 26%{?dist} +Release: 27%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,9 @@ exit 0 %endif %changelog +* Tue Feb 1 2011 Miroslav Grepl 3.9.7-27 +- ricci_modclusterd_t needs to bind to rpc ports 500-1023 + * Thu Jan 27 2011 Miroslav Grepl 3.9.7-26 - Add execmem_exec_t label for gimp - Allow nagios plugin to read /proc/meminfo