diff --git a/policy-20070501.patch b/policy-20070501.patch
index 0623f88..10b750b 100644
--- a/policy-20070501.patch
+++ b/policy-20070501.patch
@@ -2512,7 +2512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.6.4/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-10-18 17:13:23.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-12-21 11:13:05.000000000 -0500
@@ -45,7 +45,6 @@
/etc -d gen_context(system_u:object_r:etc_t,s0)
/etc/.* gen_context(system_u:object_r:etc_t,s0)
@@ -2539,7 +2539,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -249,3 +250,7 @@
+@@ -239,7 +240,6 @@
+
+ /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+ /var/run/.* gen_context(system_u:object_r:var_run_t,s0)
+-/var/run/.*\.*pid <>
+
+ /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
+ /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+@@ -249,3 +249,7 @@
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <>
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
@@ -3331,8 +3339,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.6.4/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/storage.fc 2007-10-18 17:12:50.000000000 -0400
-@@ -23,6 +23,7 @@
++++ serefpolicy-2.6.4/policy/modules/kernel/storage.fc 2007-12-21 10:02:54.000000000 -0500
+@@ -12,6 +12,7 @@
+ /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
+@@ -23,6 +24,7 @@
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
@@ -3340,7 +3356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
-@@ -38,6 +39,7 @@
+@@ -38,6 +40,7 @@
')
/dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
@@ -3348,7 +3364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
/dev/sg[0-9]+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
-@@ -49,9 +51,9 @@
+@@ -49,9 +52,9 @@
/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -3896,7 +3912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-27 09:57:52.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-12-26 19:16:45.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(apache,1.6.0)
@@ -4082,7 +4098,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -463,6 +526,18 @@
+@@ -459,10 +522,27 @@
+ ')
+
+ optional_policy(`
++ application_exec(httpd_t)
++ application_exec(httpd_sys_script_t)
++')
++
++optional_policy(`
+ calamaris_read_www_files(httpd_t)
')
optional_policy(`
@@ -4101,7 +4126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
daemontools_service_domain(httpd_t, httpd_exec_t)
')
-@@ -486,7 +561,6 @@
+@@ -486,7 +566,6 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -4109,7 +4134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -506,6 +580,7 @@
+@@ -506,6 +585,7 @@
')
optional_policy(`
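Review bot: The two new `application_exec(httpd_t)` / `application_exec(httpd_sys_script_t)` calls in the `+@@ -459,10 +522,27 @@` block let the web server and every system CGI script execute application binaries inside their own domain, and unlike the neighbouring `httpd_ssi_exec` rules they sit behind no boolean. If this is the refpolicy interface of that name (a `can_exec` over the `application_exec_type` attribute), a compromised httpd_t or CGI process gains a broad set of executables it could not run before, which is the kind of widening that normally gets a tunable or at least a changelog entry; the spec changelog for -65/-66 mentions only the hald and mail-log changes. Wrapping the calls in `optional_policy()` also looks like it will be unconditional if the application module is part of base here, though the module layout is not visible in this hunk. I would gate both calls under `tunable_policy(\`httpd_ssi_exec',\`` or a dedicated boolean and record the consumer above them, e.g. `# <program> run from httpd_t/httpd_sys_script_t needs application_exec_type — keep behind a boolean`.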
@@ -4117,7 +4142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -606,6 +681,10 @@
+@@ -606,6 +686,10 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -4128,7 +4153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -668,6 +747,12 @@
+@@ -668,6 +752,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -4141,7 +4166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -685,18 +770,6 @@
+@@ -685,18 +775,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -4160,7 +4185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -706,7 +779,8 @@
+@@ -706,7 +784,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -4170,7 +4195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -720,21 +794,64 @@
+@@ -720,21 +799,64 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -4240,7 +4265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -754,14 +871,8 @@
+@@ -754,14 +876,8 @@
# Apache unconfined script local policy
#
@@ -4256,7 +4281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -784,7 +895,19 @@
+@@ -784,7 +900,19 @@
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -6868,7 +6893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
--- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-10-05 09:28:27.000000000 -0400
@@ -0,0 +1,16 @@
-+# $Id: policy-20070501.patch,v 1.84 2007/12/21 07:58:15 dwalsh Exp $
++# $Id: policy-20070501.patch,v 1.85 2007/12/27 01:16:34 dwalsh Exp $
+# Draft SELinux refpolicy module for the Exim MTA
+#
+# Devin Carraway
@@ -7049,7 +7074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-30 16:46:45.000000000 -0400
@@ -0,0 +1,231 @@
-+# $Id: policy-20070501.patch,v 1.84 2007/12/21 07:58:15 dwalsh Exp $
++# $Id: policy-20070501.patch,v 1.85 2007/12/27 01:16:34 dwalsh Exp $
+# Draft SELinux refpolicy module for the Exim MTA
+#
+# Devin Carraway
@@ -7493,7 +7518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.6.4/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/hal.te 2007-10-05 09:47:20.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/hal.te 2007-12-21 10:08:53.000000000 -0500
@@ -61,8 +61,6 @@
# For backwards compatibility with older kernels
allow hald_t self:netlink_socket create_socket_perms;
@@ -7503,7 +7528,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
# log files for hald
-@@ -115,6 +113,9 @@
+@@ -88,6 +86,7 @@
+ kernel_rw_irq_sysctls(hald_t)
+ kernel_rw_vm_sysctls(hald_t)
+ kernel_write_proc_files(hald_t)
++kernel_setsched(hald_t)
+
+ auth_read_pam_console_data(hald_t)
+
+@@ -115,6 +114,9 @@
dev_rw_power_management(hald_t)
# hal is now execing pm-suspend
dev_rw_sysfs(hald_t)
@@ -7513,7 +7546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
domain_use_interactive_fds(hald_t)
domain_read_all_domains_state(hald_t)
-@@ -132,6 +133,7 @@
+@@ -132,6 +134,7 @@
files_create_boot_flag(hald_t)
files_getattr_all_dirs(hald_t)
files_read_kernel_img(hald_t)
@@ -7521,7 +7554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
-@@ -170,6 +172,7 @@
+@@ -170,6 +173,7 @@
libs_exec_ld_so(hald_t)
libs_exec_lib_files(hald_t)
@@ -7529,7 +7562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
logging_send_syslog_msg(hald_t)
logging_search_logs(hald_t)
-@@ -180,6 +183,7 @@
+@@ -180,6 +184,7 @@
seutil_read_config(hald_t)
seutil_read_default_contexts(hald_t)
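Review bot: `kernel_setsched(hald_t)` in the new `+@@ -88,6 +86,7 @@` block is, if it is the refpolicy interface of that name, `process setsched` on kernel_t — it lets hald change the scheduling of kernel threads — while the changelog entry "Allow hald to setsched" does not say which target the denied AVC actually named. If the denial was for hald's own threads, `allow hald_t self:process setsched;` is the narrower rule and should be used instead; `kernel_setsched` is only justified if the target really was kernel_t, which I cannot confirm from this hunk. Either way a one-line comment next to the call naming the caller would keep the next reviewer from having to guess, e.g. `# hald (or an addon it runs) calls sched_setscheduler on <target>`.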
@@ -7537,7 +7570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
sysnet_read_config(hald_t)
-@@ -192,6 +196,7 @@
+@@ -192,6 +197,7 @@
')
optional_policy(`
@@ -7545,7 +7578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
alsa_read_rw_config(hald_t)
')
-@@ -301,7 +306,10 @@
+@@ -301,7 +307,10 @@
corecmd_exec_bin(hald_acl_t)
dev_getattr_all_chr_files(hald_acl_t)
@@ -7556,7 +7589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
dev_setattr_sound_dev(hald_acl_t)
dev_setattr_generic_usb_dev(hald_acl_t)
dev_setattr_usbfs_files(hald_acl_t)
-@@ -341,6 +349,8 @@
+@@ -341,6 +350,8 @@
files_read_usr_files(hald_mac_t)
@@ -8013,7 +8046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.6.4/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.if 2007-12-02 21:56:29.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/mta.if 2007-12-25 07:45:39.000000000 -0500
@@ -87,6 +87,8 @@
# It wants to check for nscd
files_dontaudit_search_pids($1_mail_t)
@@ -8108,7 +8141,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
-@@ -449,11 +486,13 @@
+@@ -433,6 +470,7 @@
+ # apache should set close-on-exec
+ apache_dontaudit_rw_stream_sockets($1)
+ apache_dontaudit_rw_sys_script_stream_sockets($1)
++ apache_append_log($1)
+ ')
+ ')
+
+@@ -449,11 +487,13 @@
interface(`mta_send_mail',`
gen_require(`
attribute mta_user_agent;
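Review bot: `apache_append_log($1)` in the new `+@@ -433,6 +470,7 @@` block is a real append grant on httpd's log files for every domain instantiated through this template, whereas the two lines above it only dontaudit leaked-socket accesses and the comment says apache should set close-on-exec — so the hunk mixes "silence a leak" with "allow a write". Append access to a web server's logs from a mail-side domain is exactly what log forging/injection needs, so it should be as narrow as the changelog's stated purpose (presumably sendmail spawned by httpd writing errors to the inherited error_log on stderr) rather than template-wide. If the denials come from an inherited fd rather than from sendmail needing to report errors, the consistent fix is the dontaudit form, `apache_dontaudit_append_log($1)` if apache.if provides one, or fixing the fd leak in httpd; if the append is genuinely needed, keep it but say why, e.g. `# sendmail run from httpd inherits error_log on stderr; append is required for its error output`. The enclosing interface starts and ends outside this hunk, so which `$1` domains it covers is not visible here.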
@@ -8125,7 +8166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
allow $1 system_mail_t:fd use;
allow system_mail_t $1:fd use;
-@@ -847,6 +886,25 @@
+@@ -847,6 +887,25 @@
manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d68171c..ee8973f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 64%{?dist}
+Release: 66%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -363,6 +363,12 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
%endif
%changelog
+* Tue Dec 25 2007 Dan Walsh 2.6.4-66
+- Allow mail delivery to append to apache logs.
+
+* Fri Dec 21 2007 Dan Walsh 2.6.4-65
+- Allow hald to setsched
+
* Thu Dec 20 2007 Dan Walsh 2.6.4-64
- Allow fsadm_t to read file_t