diff --git a/policy-20080710.patch b/policy-20080710.patch index 3e63efc..8fc7906 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -4424,8 +4424,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-30 16:17:36.000000000 -0400 -@@ -0,0 +1,267 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-11-06 12:46:21.000000000 -0500 +@@ -0,0 +1,272 @@ + +policy_module(nsplugin, 1.0.0) + @@ -4510,6 +4510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corenet_tcp_connect_http_cache_port(nsplugin_t) +corenet_tcp_sendrecv_generic_if(nsplugin_t) +corenet_tcp_sendrecv_all_nodes(nsplugin_t) ++corenet_tcp_connect_ipp_port(nsplugin_t) + +domain_dontaudit_read_all_domains_state(nsplugin_t) + @@ -4570,6 +4571,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ cups_stream_connect(nsplugin_t) ++') ++ ++optional_policy(` + dbus_system_bus_client_template(nsplugin, nsplugin_t) +') + @@ -10841,8 +10846,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-29 08:27:18.000000000 -0400 -@@ -20,6 +20,8 @@ ++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-11-06 08:30:48.000000000 -0500 +@@ -20,6 +19,8 @@ # Declarations # 
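Review bot: The nsplugin.te hunks `@@ -4510,6 +4510,7 @@` and `@@ -4570,6 +4571,10 @@` give nsplugin_t unconditional access to the print service, `corenet_tcp_connect_ipp_port(nsplugin_t)` and `cups_stream_connect(nsplugin_t)`, with no comment recording why a browser-plugin domain needs it. Since nsplugin_t confines code that handles untrusted web content, this reach is worth gating in a `tunable_policy` block (boolean name left to the maintainer, declared with a `## <desc>`) so it can be switched off on hosts where plugins never print, or at least a why-comment above the port rule such as `# plugins print through the local cups daemon`. The IPP port rule sits outside any `optional_policy` while the socket rule is inside one, so the port rule survives even when the cups module is absent; harmless, but a comment tying the two rules together would help the next reader.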
@@ -10851,7 +10856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ##

## Allow Apache to modify public files -@@ -31,10 +33,17 @@ +@@ -31,10 +32,17 @@ ## ##

@@ -10871,7 +10876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ##

-@@ -45,7 +54,14 @@ +@@ -45,7 +53,14 @@ ## ##

@@ -10887,7 +10892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##
gen_tunable(httpd_can_network_connect, false) -@@ -109,14 +125,35 @@ +@@ -109,14 +124,35 @@ ## gen_tunable(httpd_unified, false) @@ -10925,7 +10930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # user script domains attribute httpd_script_domains; -@@ -141,6 +178,9 @@ +@@ -141,6 +177,9 @@ domain_entry_file(httpd_helper_t, httpd_helper_exec_t) role system_r types httpd_helper_t; @@ -10935,7 +10940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -181,6 +221,10 @@ +@@ -181,6 +220,10 @@ # setup the system domain for system CGI scripts apache_content_template(sys) @@ -10946,7 +10951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -202,12 +246,16 @@ +@@ -202,12 +245,16 @@ prelink_object_file(httpd_modules_t) ') @@ -10964,7 +10969,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +297,7 @@ +@@ -249,6 +296,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -10972,7 +10977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -260,9 +309,9 @@ +@@ -260,9 +308,9 @@ allow httpd_t httpd_suexec_exec_t:file read_file_perms; 
@@ -10985,7 +10990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -278,6 +327,7 @@ +@@ -278,6 +326,7 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) @@ -10993,7 +10998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) -@@ -289,6 +339,7 @@ +@@ -289,6 +338,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -11001,7 +11006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -299,6 +350,7 @@ +@@ -299,6 +349,7 @@ corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_all_nodes(httpd_t) @@ -11009,7 +11014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) -@@ -312,12 +364,11 @@ +@@ -312,12 +363,11 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -11024,7 +11029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(httpd_t) -@@ -335,6 +386,10 @@ +@@ -335,6 +385,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
@@ -11035,7 +11040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,18 +406,33 @@ +@@ -351,18 +405,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -11056,8 +11061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_pam, false) + - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + auth_domtrans_chkpwd(httpd_t) +') + @@ -11068,12 +11072,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` -+tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + samba_domtrans_winbind_helper(httpd_t) ') ') -@@ -370,20 +440,54 @@ +@@ -370,20 +439,54 @@ corenet_tcp_connect_all_ports(httpd_t) ') 
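Review bot: In hunk `@@ -11068,12 +11072,13 @@` the newly declared `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` is never tested: the `tunable_policy` block directly beneath it still checks `allow_httpd_mod_auth_pam`, so `samba_domtrans_winbind_helper(httpd_t)` is switched by the PAM boolean and the winbind boolean is dead. Hunk `@@ -11056,8 +11061,7 @@` already gives the `allow_httpd_mod_auth_pam` block `auth_domtrans_chkpwd(httpd_t)`, so an administrator enabling PAM authentication would silently also permit the transition to the winbind helper. The condition line should read `tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` so that each boolean controls exactly the helper its description names.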
@@ -11129,35 +11134,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -394,11 +498,12 @@ +@@ -394,20 +497,26 @@ corenet_tcp_bind_ftp_port(httpd_t) ') -tunable_policy(`httpd_enable_homedirs',` - userdom_read_unpriv_users_home_content_files(httpd_t) -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -+ fs_read_nfs_files(httpd_t) -+ fs_read_nfs_symlinks(httpd_t) - ') - --tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -+tunable_policy(`httpd_use_nfs',` +-') +- + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') -@@ -408,6 +513,11 @@ + ++tunable_policy(`httpd_use_nfs',` ++ fs_manage_nfs_files(httpd_t) ++ fs_manage_nfs_symlinks(httpd_t) ++') ++ + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) ') +tunable_policy(`httpd_use_cifs',` -+ fs_read_cifs_files(httpd_t) -+ fs_read_cifs_symlinks(httpd_t) ++ fs_manage_cifs_files(httpd_t) ++ fs_manage_cifs_symlinks(httpd_t) +') + tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -441,8 +551,13 @@ +@@ -441,8 +550,13 @@ ') optional_policy(` @@ -11173,7 +11181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,18 +569,13 @@ +@@ -454,18 +568,13 @@ ') optional_policy(` @@ -11193,7 +11201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -475,6 +585,12 @@ +@@ -475,6 +584,12 @@ openca_kill(httpd_t) ') 
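Review bot: Hunk `@@ -11129,35 +11134,38 @@` widens what `httpd_use_nfs` and `httpd_use_cifs` grant httpd_t from the `fs_read_*` calls visible in the removed lines to `fs_manage_nfs_files`/`fs_manage_nfs_symlinks` and `fs_manage_cifs_files`/`fs_manage_cifs_symlinks`, i.e. create, write and unlink on every NFS/CIFS-labelled file, not only web content; hunks `@@ -11341,20 +11349,20 @@` and `@@ -11393,12 +11401,12 @@` (L18) and `@@ -11422,14 +11430,14 @@` (L19) make the same change for httpd_suexec_t and httpd_sys_script_t. Because the boolean names are unchanged, anyone who enabled them under the earlier read-only semantics now gets a write-capable web server and CGI domain on every mounted share, so the `<desc>` text for both booleans (declared in the `@@ -109,14 +124,35 @@` hunk, not legible in this view) should state explicitly that writing is allowed. `httpd_sys_script_t` in particular deserves a why-comment above its block, e.g. `# CGI scripts need write access to share-backed content when httpd_use_nfs/httpd_use_cifs is on`, and for httpd_suexec_t the same boolean also carries `fs_exec_cifs_files`, so manage plus exec is granted by one switch; if serving and executing content is all that is intended there, the `fs_read_*` calls should stay.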
@@ -11206,7 +11214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -482,6 +598,7 @@ +@@ -482,6 +597,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -11214,7 +11222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -490,6 +607,7 @@ +@@ -490,6 +606,7 @@ ') optional_policy(` @@ -11222,7 +11230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -519,9 +637,28 @@ +@@ -519,9 +636,28 @@ logging_send_syslog_msg(httpd_helper_t) tunable_policy(`httpd_tty_comm',` @@ -11251,7 +11259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -551,22 +688,27 @@ +@@ -551,22 +687,27 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -11285,7 +11293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -584,12 +726,14 @@ +@@ -584,12 +725,14 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -11301,7 +11309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -598,9 +742,7 @@ +@@ -598,9 +741,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -11312,7 +11320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -633,12 +775,25 @@ +@@ -633,12 +774,25 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') 
@@ -11341,20 +11349,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -647,6 +802,12 @@ +@@ -647,6 +801,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') +tunable_policy(`httpd_use_cifs',` -+ fs_read_cifs_files(httpd_suexec_t) -+ fs_read_cifs_symlinks(httpd_suexec_t) ++ fs_manage_cifs_files(httpd_suexec_t) ++ fs_manage_cifs_symlinks(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) +') + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -664,20 +825,20 @@ +@@ -664,20 +824,20 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -11380,7 +11388,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -691,12 +852,15 @@ +@@ -691,12 +851,15 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -11393,12 +11401,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -tunable_policy(`httpd_enable_homedirs',` - userdom_read_unpriv_users_home_content_files(httpd_sys_script_t) +tunable_policy(`httpd_use_nfs',` -+ fs_read_nfs_files(httpd_sys_script_t) -+ fs_read_nfs_symlinks(httpd_sys_script_t) ++ fs_manage_nfs_files(httpd_sys_script_t) ++ fs_manage_nfs_symlinks(httpd_sys_script_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -704,6 +868,30 @@ +@@ -704,6 +867,30 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') 
@@ -11422,14 +11430,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + +tunable_policy(`httpd_use_cifs',` -+ fs_read_cifs_files(httpd_sys_script_t) -+ fs_read_cifs_symlinks(httpd_sys_script_t) ++ fs_manage_cifs_files(httpd_sys_script_t) ++ fs_manage_cifs_symlinks(httpd_sys_script_t) +') + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -716,10 +904,10 @@ +@@ -716,10 +903,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -11444,7 +11452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -727,6 +915,8 @@ +@@ -727,6 +914,8 @@ # httpd_rotatelogs local policy # @@ -11453,7 +11461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -741,3 +931,66 @@ +@@ -741,3 +930,66 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -13635,7 +13643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.5.13/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.if 2008-10-28 11:16:34.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cups.if 2008-11-06 12:45:55.000000000 -0500 @@ -20,6 +20,30 @@ ######################################## 
@@ -19786,7 +19794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.5.13/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgresql.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/postgresql.te 2008-11-06 08:49:50.000000000 -0500 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) @@ -19814,7 +19822,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(postgresql_t) kernel_read_system_state(postgresql_t) -@@ -288,7 +292,7 @@ +@@ -174,6 +178,7 @@ + corenet_udp_sendrecv_all_nodes(postgresql_t) + corenet_tcp_sendrecv_all_ports(postgresql_t) + corenet_udp_sendrecv_all_ports(postgresql_t) ++corenet_udp_bind_all_nodes(postgresql_t) + corenet_tcp_bind_all_nodes(postgresql_t) + corenet_tcp_bind_postgresql_port(postgresql_t) + corenet_tcp_connect_auth_port(postgresql_t) +@@ -288,7 +293,7 @@ allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute }; @@ -19823,7 +19839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write }; allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; -@@ -329,7 +333,7 @@ +@@ -329,7 +334,7 @@ # unconfined domain is not allowed to invoke user defined procedure directly. # They have to confirm and relabel it at first. diff --git a/selinux-policy.spec b/selinux-policy.spec index fa6f8bb..a63710f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 17%{?dist} +Release: 18%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -457,6 +457,9 @@ exit 0 %endif %changelog +* Thu Nov 5 2008 Dan Walsh 3.5.13-18 +- Allow postgresl to bind to udp nodes + * Wed Nov 5 2008 Dan Walsh 3.5.13-17 - Allow lvm to dbus chat with hal - Allow rlogind to read nfs_t