From 92082fcacb929b3a7de04f82fa3cdc9320ea9f45 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Feb 04 2011 11:13:00 +0000 Subject: - Revert * Change oracle_port_t to oracledb_port_t to prevent conflict with satellite - Fix spec file to make this work --- diff --git a/policy-F14.patch b/policy-F14.patch index 00da058..727115c 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -8451,7 +8451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in 2011-01-31 13:25:42.257455001 +0000 ++++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in 2011-02-04 10:56:52.881796000 +0000 @@ -24,6 +24,7 @@ # type tun_tap_device_t; @@ -8550,7 +8550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene -network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0) +network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) network_port(ntp, udp,123,s0) -+network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) ++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) 
@@ -10452,7 +10452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +/dev/hugepages(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.9.7/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/kernel/filesystem.if 2010-12-15 13:58:40.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/kernel/filesystem.if 2011-02-04 09:55:36.211796002 +0000 @@ -646,11 +646,31 @@ ') @@ -10678,22 +10678,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) +') + -+######################################## ++###################################### +## -+## List hugetlbfs dirs ++## List hugetlbfs dirs +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`fs_list_hugetlbfs',` -+ gen_require(` -+ type hugetlbfs_t; -+ ') ++ gen_require(` ++ type hugetlbfs_t; ++ ') + -+ allow $1 hugetlbfs_t:dir list_dir_perms; ++ allow $1 hugetlbfs_t:dir list_dir_perms; +') ######################################## @@ -14978,7 +14978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.9.7/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/apache.te 2011-02-01 18:32:22.145796000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/apache.te 2011-02-04 10:57:23.872796000 +0000 @@ -18,130 +18,195 @@ # Declarations # 
@@ -15378,8 +15378,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) -+ corenet_tcp_connect_oracledb_port(httpd_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_t) ++ corenet_tcp_connect_oracle_port(httpd_t) ++ corenet_sendrecv_oracle_client_packets(httpd_t) +') + +tunable_policy(`httpd_can_network_memcache',` @@ -15628,8 +15628,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - corenet_sendrecv_mssql_client_packets(httpd_suexec_t) + corenet_tcp_connect_mssql_port(httpd_php_t) + corenet_sendrecv_mssql_client_packets(httpd_php_t) -+ corenet_tcp_connect_oracledb_port(httpd_php_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_php_t) ++ corenet_tcp_connect_oracle_port(httpd_php_t) ++ corenet_sendrecv_oracle_client_packets(httpd_php_t) ') optional_policy(` @@ -15685,8 +15685,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) -+ corenet_tcp_connect_oracledb_port(httpd_suexec_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_suexec_t) ++ corenet_tcp_connect_oracle_port(httpd_suexec_t) ++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t) +') + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) 
@@ -15757,8 +15757,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) -+ corenet_tcp_connect_oracledb_port(httpd_sys_script_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_oracle_port(httpd_sys_script_t) ++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) +') + +fs_cifs_entry_type(httpd_sys_script_t) @@ -18801,7 +18801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro ## Allow the specified domain to read corosync's log files. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.9.7/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/corosync.te 2010-11-08 14:07:08.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/corosync.te 2011-02-03 10:42:16.444796002 +0000 @@ -32,8 +32,8 @@ # corosync local policy # @@ -18842,7 +18842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro auth_use_nsswitch(corosync_t) -@@ -83,19 +89,36 @@ +@@ -83,19 +89,37 @@ miscfiles_read_localization(corosync_t) @@ -18871,6 +18871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + +optional_policy(` + lvm_rw_clvmd_tmpfs_files(corosync_t) ++ lvm_delete_clvmd_tmpfs_files(corosync_t) +') - rhcs_rw_gfs_controld_semaphores(corosync_t) 
@@ -20848,28 +20849,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +dirsrv_read_share(httpd_dirsrvadmin_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.fc serefpolicy-3.9.7/policy/modules/services/dirsrv.fc --- nsaserefpolicy/policy/modules/services/dirsrv.fc 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/dirsrv.fc 2010-11-15 13:18:25.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/dirsrv.fc 2011-02-03 10:10:21.947796000 +0000 
@@ -0,0 +1,20 @@ -+/etc/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_config_t,s0) ++/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) + -+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) ++/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) +/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0) +/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) + -+/usr/share/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_share_t,s0) ++/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0) + -+/var/run/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_run_t,s0) ++/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) +/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0) + -+/var/lib/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_lib_t,s0) ++/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0) + -+/var/lock/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_lock_t,s0) ++/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0) + -+/var/log/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_log_t,s0) ++/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0) + -+/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) ++/var/log/dirsrv/ldap-agent\.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.if serefpolicy-3.9.7/policy/modules/services/dirsrv.if --- nsaserefpolicy/policy/modules/services/dirsrv.if 1970-01-01 00:00:00.000000000 +0000 +++ serefpolicy-3.9.7/policy/modules/services/dirsrv.if 2011-01-20 11:07:52.000000000 +0000 
@@ -21088,8 +21089,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.9.7/policy/modules/services/dirsrv.te --- nsaserefpolicy/policy/modules/services/dirsrv.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/dirsrv.te 2011-01-31 10:53:16.915455001 +0000 -@@ -0,0 +1,182 @@ ++++ serefpolicy-3.9.7/policy/modules/services/dirsrv.te 2011-02-03 10:11:53.477796001 +0000 +@@ -0,0 +1,185 @@ +policy_module(dirsrv,1.0.0) + +######################################## 
@@ -21151,19 +21152,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) +fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file) + -+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file }) + ++manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) +manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) +manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) +allow dirsrv_t dirsrv_var_log_t:dir { setattr }; +logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir }) + ++manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) +manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) -+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file }) -+ +manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) ++files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file }) + +manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) +manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) @@ -21265,7 +21268,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +optional_policy(` + snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t) + snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t) -+ snmp_append_snmp_var_lib_files(dirsrv_snmp_t) ++ snmp_manage_var_lib_dirs(dirsrv_snmp_t) ++ snmp_manage_var_lib_files(dirsrv_snmp_t) + snmp_stream_connect(dirsrv_snmp_t) +') + 
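Review bot: The `logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })` line in this hunk transitions sockets to dirsrv_var_log_t, but the rules around it grant dirsrv_t only dir, file and fifo_file management on that type, so a socket created under the log directory would get the right label and then be denied creation, unless a sock_file rule exists outside the hunk. The same hunk adds `manage_sock_files_pattern` for dirsrv_var_lib_t to match the sock_file in `files_var_lib_filetrans`; the log type should get the same treatment, `manage_sock_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)`, or sock_file should be dropped from the filetrans list if no socket is ever created there.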
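Review bot: In the second hunk (`@@ -21265,7 +21268,8 @@`) the retained `snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)` and `snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)` lines become dead once `snmp_manage_var_lib_files` allows the same accesses, since dontaudit only affects denied requests; they should be removed so the intent is not misread later. Replacing append with the two manage interfaces also moves the SNMP subagent from appending to snmpd's state files to creating, rewriting and deleting them, and `snmp_manage_var_lib_dirs` additionally lets it create new snmpd_var_lib_t directories directly under /var/lib. If ldap-agent only needs its own persistent files, a dedicated type for them would keep snmpd's files out of reach; if the full manage really is required, a one-line comment above the optional_policy block saying why would help the next reader.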
@@ -33268,7 +33272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.9.7/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/rhcs.te 2010-11-10 08:50:56.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/rhcs.te 2011-02-03 10:44:52.503796002 +0000 @@ -6,13 +6,15 @@ # @@ -33389,7 +33393,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -@@ -207,10 +212,6 @@ +@@ -199,6 +204,8 @@ + files_dontaudit_getattr_all_pipes(qdiskd_t) + files_read_etc_files(qdiskd_t) + ++fs_list_hugetlbfs(qdiskd_t) ++ + storage_raw_read_removable_device(qdiskd_t) + storage_raw_write_removable_device(qdiskd_t) + storage_raw_read_fixed_disk(qdiskd_t) +@@ -207,10 +214,6 @@ auth_use_nsswitch(qdiskd_t) optional_policy(` @@ -33400,7 +33413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs netutils_domtrans_ping(qdiskd_t) ') -@@ -223,18 +224,24 @@ +@@ -223,18 +226,24 @@ # rhcs domains common policy # @@ -35027,7 +35040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.9.7/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/sendmail.te 2010-11-05 13:02:26.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/sendmail.te 2011-02-04 09:42:04.599796001 +0000 @@ -19,6 +19,9 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) 
@@ -35062,17 +35075,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) -@@ -149,7 +154,9 @@ +@@ -149,7 +154,10 @@ ') optional_policy(` + postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) + postfix_domtrans_postqueue(sendmail_t) ++ postfix_rw_local_pipes(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') -@@ -168,6 +175,10 @@ +@@ -168,6 +176,10 @@ ') optional_policy(` @@ -35083,7 +35097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send udev_read_db(sendmail_t) ') -@@ -183,5 +194,5 @@ +@@ -183,5 +195,5 @@ optional_policy(` mta_etc_filetrans_aliases(unconfined_sendmail_t) @@ -35303,7 +35317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.9.7/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2010-10-12 20:42:48.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/snmp.if 2010-11-15 16:52:51.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/snmp.if 2011-02-03 10:15:54.055796002 +0000 @@ -11,12 +11,12 @@ ## # 
@@ -35341,12 +35355,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp ') ######################################## -@@ -104,6 +106,26 @@ +@@ -104,6 +106,65 @@ dontaudit $1 snmpd_var_lib_t:file write; ') +####################################### +## ++## Manage snmpd libraries directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`snmp_manage_var_lib_dirs',` ++ gen_require(` ++ type snmpd_var_lib_t; ++ ') ++ ++ allow $1 snmpd_var_lib_t:dir manage_dir_perms; ++ files_var_lib_filetrans($1, snmpd_var_lib_t, dir) ++') ++ ++####################################### ++## +## Append snmpd libraries. +## +## @@ -35365,10 +35398,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp + append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) +') + ++###################################### ++## ++## Manage snmpd libraries files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`snmp_manage_var_lib_files',` ++ gen_require(` ++ type snmpd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 snmpd_var_lib_t:dir list_dir_perms; ++ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ++') ++ ######################################## ## ## All of the rules required to administrate -@@ -123,12 +145,11 @@ +@@ -123,12 +184,11 @@ # interface(`snmp_admin',` gen_require(` @@ -35385,7 +35438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp init_labeled_script_domtrans($1, snmpd_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.9.7/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-10-12 20:42:48.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/snmp.te 2010-12-01 10:26:39.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/snmp.te 2011-02-03 10:16:51.248796002 +0000 @@ -4,6 +4,7 @@ # # Declarations 
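Review bot: The new `snmp_manage_var_lib_dirs` interface does more than its summary says: besides `manage_dir_perms` on snmpd_var_lib_t it adds `files_var_lib_filetrans($1, snmpd_var_lib_t, dir)`, which lets the caller create fresh snmpd_var_lib_t directory trees directly under /var/lib rather than only manage existing ones. The description should state that, e.g. `## Create, read, write and delete snmpd /var/lib directories, including creating new ones under /var/lib.`, so callers understand what they hand out. In `snmp_manage_var_lib_files` the `allow $1 snmpd_var_lib_t:dir list_dir_perms;` line is redundant, because `manage_files_pattern` already grants `rw_dir_perms` on the directory type. The two new header rulers are also one and two characters short of the 40-character rulers used elsewhere in the file.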
@@ -35412,9 +35465,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp allow snmpd_t snmpd_log_t:file manage_file_perms; logging_log_filetrans(snmpd_t, snmpd_log_t, file) -@@ -43,8 +45,9 @@ +@@ -41,10 +43,11 @@ + manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) + files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) - files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) +-files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) ++files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file }) +manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) @@ -44753,7 +44809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_system_change_exemption($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.9.7/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/system/logging.te 2010-11-15 17:53:42.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/system/logging.te 2011-02-04 09:41:45.995796001 +0000 @@ -60,6 +60,7 @@ type syslogd_t; type syslogd_exec_t; 
@@ -44891,8 +44947,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.9.7/policy/modules/system/lvm.if --- nsaserefpolicy/policy/modules/system/lvm.if 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/system/lvm.if 2010-11-05 13:02:26.000000000 +0000 -@@ -123,3 +123,21 @@ ++++ serefpolicy-3.9.7/policy/modules/system/lvm.if 2011-02-03 10:59:01.448796000 +0000 +@@ -123,3 +123,39 @@ corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -44914,15 +44970,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if + + allow $1 clvmd_tmpfs_t:file rw_file_perms; +') ++ ++######################################## ++## ++## Delete lvm temporary file system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_delete_clvmd_tmpfs_files',` ++ gen_require(` ++ type clvmd_tmpfs_t; ++ ') ++ ++ allow $1 clvmd_tmpfs_t:file unlink; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.9.7/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/system/lvm.te 2010-11-05 13:02:26.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/system/lvm.te 2011-02-03 10:59:48.609796001 +0000 @@ -12,6 +12,9 @@ type clvmd_initrc_exec_t; init_script_file(clvmd_initrc_exec_t) -+type clmvd_tmpfs_t; -+files_tmpfs_file(clmvd_tmpfs_t) ++type clvmd_tmpfs_t alias clmvd_tmpfs_t; ++files_tmpfs_file(clvmd_tmpfs_t) + type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) 
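Review bot: `lvm_delete_clvmd_tmpfs_files` grants only `allow $1 clvmd_tmpfs_t:file unlink;`, but unlinking also needs `remove_name` and `search` on the containing directory, and since the lvm.te part of this hunk has clvmd_t creating clvmd_tmpfs_t directories via `fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })`, those files most likely live in clvmd_tmpfs_t directories, so the caller would still be denied. The idiomatic form is `delete_files_pattern($1, clvmd_tmpfs_t, clvmd_tmpfs_t)`, which covers both the file and the directory side. The only visible caller is corosync_t in the corosync.te hunk of this commit (`lvm_delete_clvmd_tmpfs_files(corosync_t)`), which would hit the same denial. The summary `## Delete lvm temporary file system.` describes a filesystem rather than files; `## Delete clvmd tmpfs files.` matches what the interface does. The `type clvmd_tmpfs_t alias clmvd_tmpfs_t;` fix is good, as it keeps modules built against the misspelled name loadable.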
@@ -44931,9 +45005,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; -+manage_dirs_pattern(clvmd_t, clmvd_tmpfs_t, clmvd_tmpfs_t) -+manage_files_pattern(clvmd_t, clmvd_tmpfs_t,clmvd_tmpfs_t) -+fs_tmpfs_filetrans(clvmd_t, clmvd_tmpfs_t, { dir file }) ++manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t) ++manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t) ++fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file }) + manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) diff --git a/selinux-policy.spec b/selinux-policy.spec index dbe40fa..be274b7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.7 -Release: 28%{?dist} +Release: 29%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -182,7 +182,7 @@ fi %define loadpolicy() \ ( cd /usr/share/selinux/%1; \ -semodule -b base.pp.bz2 -i %2 -s %1; \ +semodule -r oracle-port -b base.pp.bz2 -i %2 -s %1 2>&1 | grep -v "oracle-port"; \ ); \ %define relabel() \ @@ -472,6 +472,10 @@ exit 0 %endif %changelog +* Fri Feb 4 2011 Miroslav Grepl 3.9.7-29 +- Revert * Change oracle_port_t to oracledb_port_t to prevent conflict with satellite +- Fix spec file to make this work + * Wed Feb 2 2011 Miroslav Grepl 3.9.7-28 - Make sandbox to work - Fix httpd_selinux man page to refer to httpd_sys_rw_content_t
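Review bot: In the `loadpolicy` macro the new `2>&1 | grep -v "oracle-port"` replaces semodule's exit status with grep's and filters every line mentioning oracle-port, so a real failure of the base policy load in the scriptlet is no longer reported or detectable, and grep itself exits 1 whenever semodule prints nothing. It is also unclear from here whether a failed `-r oracle-port` on hosts that never had that local module aborts the same transaction as `-b`/`-i`. Separating the removal from the load keeps the base load unfiltered and its status intact: `semodule -r oracle-port -s %1 2>/dev/null; \` followed by `semodule -b base.pp.bz2 -i %2 -s %1; \`. A short comment above the macro noting that oracle-port is the satellite-shipped local module superseded by the base oracle_port_t would explain the removal to future maintainers.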