diff --git a/policy-20071130.patch b/policy-20071130.patch index 2234fa9..03c2bf1 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -7892,7 +7892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-04-10 13:50:44.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-04-11 14:40:04.000000000 -0400 @@ -851,9 +851,8 @@ type proc_t, proc_afs_t; ') @@ -8971,7 +8971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-04-07 14:54:08.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-04-11 14:48:54.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -9302,13 +9302,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -521,6 +610,19 @@ +@@ -521,6 +610,20 @@ userdom_use_sysadm_terms(httpd_helper_t) ') +optional_policy(` + type httpd_unconfined_script_t; + type httpd_unconfined_script_exec_t; ++ domain_type(httpd_unconfined_script_t) + domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t) + domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) 
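Review bot: The new `domain_type(httpd_unconfined_script_t)` line completes a domain whose entry transition, `domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)`, is neither gated nor documented, so any file the web server can execute that carries the httpd_unconfined_script_exec_t label runs fully unconfined, without the `httpd_enable_cgi` tunable that guards the other script transitions in this file. A comment above the block should say so explicitly, e.g. `# Scripts labelled httpd_unconfined_script_exec_t run with no confinement at all; label only admin-controlled, non-web-writable files this way.`, and if the escape hatch is meant to be opt-in the `domtrans_pattern` line belongs inside a `tunable_policy(...)` like the surrounding transitions. Whether unconfined_domain() also supplies the role needed to reach this domain cannot be seen here and should be confirmed. The enclosing `optional_policy(` block closes outside this hunk.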
@@ -9322,7 +9323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -550,18 +652,24 @@ +@@ -550,18 +653,24 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -9350,7 +9351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -585,6 +693,8 @@ +@@ -585,6 +694,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -9359,7 +9360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -593,9 +703,7 @@ +@@ -593,9 +704,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -9370,7 +9371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -628,6 +736,7 @@ +@@ -628,6 +737,7 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -9378,7 +9379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -638,6 +747,12 @@ +@@ -638,6 +748,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -9391,7 +9392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +770,6 @@ +@@ -655,10 +771,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -9402,7 +9403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +779,8 @@ +@@ -668,7 +780,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -9412,7 +9413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +794,44 @@ +@@ -682,15 +795,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -9458,7 +9459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -700,9 +841,15 @@ +@@ -700,9 +842,15 @@ clamav_domtrans_clamscan(httpd_sys_script_t) ') @@ -9474,7 +9475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +871,47 @@ +@@ -724,3 +872,47 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -29586,7 +29587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-04-04 17:19:53.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-04-11 14:03:28.000000000 -0400 @@ -75,7 +75,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) 
@@ -29673,7 +29674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -435,67 +432,21 @@ +@@ -435,67 +432,22 @@ # semodule local policy # @@ -29692,13 +29693,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -kernel_read_kernel_sysctls(semanage_t) - -corecmd_exec_bin(semanage_t) -+seutil_semanage_policy(semanage_t) -+can_exec(semanage_t, semanage_exec_t) - +- -dev_read_urand(semanage_t) -+# Admins are creating pp files in random locations -+auth_read_all_files_except_shadow(semanage_t) - +- -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) @@ -29713,13 +29710,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -selinux_get_enforce_mode(semanage_t) -selinux_getattr_fs(semanage_t) -# for setsebool: --selinux_set_boolean(semanage_t) -- ++seutil_semanage_policy(semanage_t) + selinux_set_boolean(semanage_t) ++can_exec(semanage_t, semanage_exec_t) + -term_use_all_terms(semanage_t) - -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) -- ++# Admins are creating pp files in random locations ++auth_read_all_files_except_shadow(semanage_t) + -libs_use_ld_so(semanage_t) -libs_use_shared_libs(semanage_t) - @@ -29748,7 +29749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_debian',` files_read_var_lib_files(semanage_t) files_read_var_lib_symlinks(semanage_t) -@@ -507,6 +458,11 @@ +@@ -507,6 +459,11 @@ ') ') 
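Review bot: `selinux_set_boolean(semanage_t)` is now retained (it becomes an unchanged line after this patch) while the `# for setsebool:` comment that explained it is still deleted, so the surviving grant loses its rationale; keep a comment beside it, e.g. `# setsebool runs in this domain and needs to write booleans`. Whether `seutil_semanage_policy()` already covers `selinux_set_boolean` cannot be seen from here; if it does, the explicit call is redundant but harmless, and a one-line note saying so would stop the next cleanup from dropping it again. The relocated `auth_read_all_files_except_shadow(semanage_t)` is a very broad read grant for a domain that loads admin-supplied .pp files, and the existing `# Admins are creating pp files in random locations` comment should make clear that nothing short of shadow is excluded, so readers do not mistake it for a home/tmp-only allowance. The semanage_t block continues beyond this hunk.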
@@ -29760,7 +29761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -514,26 +470,44 @@ +@@ -514,26 +471,44 @@ # Handle pp files created in homedir and /tmp userdom_read_sysadm_home_content_files(semanage_t) userdom_read_sysadm_tmp_files(semanage_t) @@ -29810,7 +29811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_files(setfiles_t) -@@ -555,9 +529,13 @@ +@@ -555,9 +530,13 @@ files_read_etc_files(setfiles_t) files_list_all(setfiles_t) files_relabel_all_files(setfiles_t) @@ -29824,7 +29825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_search_auto_mountpoints(setfiles_t) fs_relabelfrom_noxattr_fs(setfiles_t) -@@ -617,16 +595,8 @@ +@@ -617,16 +596,8 @@ ') ') @@ -34435,8 +34436,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-04 12:06:56.000000000 -0400 -@@ -0,0 +1,173 @@ ++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-11 14:40:17.000000000 -0400 +@@ -0,0 +1,174 @@ + +policy_module(virt,1.0.0) + 
@@ -34491,7 +34492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +# +# virtd local policy +# -+allow virtd_t self:capability { sys_module dac_override kill net_admin setgid }; ++allow virtd_t self:capability { dac_override kill net_admin setgid }; +allow virtd_t self:process { sigkill signal }; +allow virtd_t self:fifo_file rw_file_perms; +allow virtd_t self:unix_stream_socket create_stream_socket_perms; @@ -34541,6 +34542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +kernel_rw_net_sysctls(virtd_t) +kernel_read_xen_state(virtd_t) +kernel_write_xen_state(virtd_t) ++kernel_load_module(virtd_t) + +# Init script handling +domain_use_interactive_fds(virtd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 010f8cb..e3744a7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 33%{?dist} +Release: 34%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -157,7 +157,7 @@ fi %define loadpolicy() \ ( cd /usr/share/selinux/%1; \ semodule -b base.pp %{expand:%%moduleList %1} -s %1; \ -) > /dev/null 2>&1; \ +); \ %define relabel() \ . %{_sysconfdir}/selinux/config; \ @@ -383,6 +383,8 @@ exit 0 %endif %changelog +* Thu Apr 10 2008 Dan Walsh 3.3.1-34 + * Thu Apr 10 2008 Dan Walsh 3.3.1-33 - Allow dhcpd to read kernel network state
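Review bot: The capability set on `allow virtd_t self:capability { dac_override kill net_admin setgid };` drops `sys_module` without a comment, and the replacement `kernel_load_module(virtd_t)` only appears in a later hunk of this file, so a reader of this line could take the change for a privilege reduction. Add a comment on the capability line, e.g. `# sys_module is granted through kernel_load_module() below`, so the dependency is visible where the capability was removed. If kernel_load_module() grants more than the bare capability (the refpolicy interface of that name presumably also covers the module-related kernel accesses), that is worth stating as well, since virtd_t keeps `dac_override` and `net_admin` and is already a highly privileged domain.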
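Review bot: Dropping `> /dev/null 2>&1` from the `%define loadpolicy()` subshell makes semodule's diagnostics visible, but the subshell's exit status is still discarded by the trailing `;` on the new `); \` line, so a failed policy load now prints an error yet the scriptlet continues exactly as before. If surfacing failures is the goal, consider checking the status rather than only unmuting the output, e.g. `) || echo "semodule failed to load policy for %1" >&2; \`, and add a comment stating whether a load failure is meant to abort the scriptlet or merely be reported. Note that semodule's normal output will also now land in the package install log.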