From 2826a2e547f3d3aa6b18126e93c1574088cc6f35 Mon Sep 17 00:00:00 2001
From: Till Maas
Date: Nov 13 2014 19:53:18 +0000
Subject: Update selinux policy, adjust types and other call
---
diff --git a/totpcgi-0.5.5-apache-content-template.patch b/totpcgi-0.5.5-apache-content-template.patch
new file mode 100644
index 0000000..1c363bf
--- /dev/null
+++ b/totpcgi-0.5.5-apache-content-template.patch
@@ -0,0 +1,419 @@
+diff -up totpcgi-0.5.5/selinux/totpcgi.fc.selinux totpcgi-0.5.5/selinux/totpcgi.fc
+--- totpcgi-0.5.5/selinux/totpcgi.fc.selinux 2013-09-20 20:40:19.000000000 +0200
++++ totpcgi-0.5.5/selinux/totpcgi.fc 2014-11-13 20:46:02.213625417 +0100
+@@ -1,9 +1,9 @@
+-/var/www/totpcgi/.*\.f?cgi -- gen_context(system_u:object_r:httpd_totpcgi_script_exec_t,s0)
+-/etc/totpcgi gen_context(system_u:object_r:httpd_totpcgi_etc_t,s0)
+-/etc/totpcgi/.*\.conf -- gen_context(system_u:object_r:httpd_totpcgi_etc_t,s0)
+-/etc/totpcgi/templates(/.*)? gen_context(system_u:object_r:httpd_totpcgi_etc_t,s0)
+-/var/lib/totpcgi(/.*)? gen_context(system_u:object_r:httpd_totpcgi_script_var_lib_t,s0)
++/var/www/totpcgi/.*\.f?cgi -- gen_context(system_u:object_r:totpcgi_script_exec_t,s0)
++/etc/totpcgi gen_context(system_u:object_r:totpcgi_etc_t,s0)
++/etc/totpcgi/.*\.conf -- gen_context(system_u:object_r:totpcgi_etc_t,s0)
++/etc/totpcgi/templates(/.*)? gen_context(system_u:object_r:totpcgi_etc_t,s0)
++/var/lib/totpcgi(/.*)? gen_context(system_u:object_r:totpcgi_script_var_lib_t,s0)
+ 
+-/var/www/totpcgi-provisioning/.*\.cgi -- gen_context(system_u:object_r:httpd_totpcgi_provisioning_script_exec_t,s0)
+-/etc/totpcgi/pincodes -- gen_context(system_u:object_r:httpd_totpcgi_private_etc_t)
+-/etc/totpcgi/totp(/.*)? gen_context(system_u:object_r:httpd_totpcgi_private_etc_t)
++/var/www/totpcgi-provisioning/.*\.cgi -- gen_context(system_u:object_r:totpcgi_provisioning_script_exec_t,s0)
++/etc/totpcgi/pincodes -- gen_context(system_u:object_r:totpcgi_private_etc_t)
++/etc/totpcgi/totp(/.*)? 
gen_context(system_u:object_r:totpcgi_private_etc_t) +diff -up totpcgi-0.5.5/selinux/totpcgi.if.selinux totpcgi-0.5.5/selinux/totpcgi.if +--- totpcgi-0.5.5/selinux/totpcgi.if.selinux 2013-09-20 20:40:19.000000000 +0200 ++++ totpcgi-0.5.5/selinux/totpcgi.if 2014-11-13 20:46:02.217635365 +0100 +@@ -1,10 +1,10 @@ + +-## policy for httpd_totpcgi_script ++## policy for totpcgi_script + + + ######################################## + ## +-## Transition to httpd_totpcgi_script. ++## Transition to totpcgi_script. + ## + ## + ## +@@ -12,18 +12,18 @@ + ## + ## + # +-interface(`httpd_totpcgi_script_domtrans',` ++interface(`totpcgi_script_domtrans',` + gen_require(` +- type httpd_totpcgi_script_t, httpd_totpcgi_script_exec_t; ++ type totpcgi_script_t, totpcgi_script_exec_t; + ') + + corecmd_search_bin($1) +- domtrans_pattern($1, httpd_totpcgi_script_exec_t, httpd_totpcgi_script_t) ++ domtrans_pattern($1, totpcgi_script_exec_t, totpcgi_script_t) + ') + + ######################################## + ## +-## Transition to httpd_totpcgi_provisioning_script. ++## Transition to totpcgi_provisioning_script. + ## + ## + ## +@@ -31,18 +31,18 @@ interface(`httpd_totpcgi_script_domtrans + ## + ## + # +-interface(`httpd_totpcgi_provisioning_script_domtrans',` ++interface(`totpcgi_provisioning_script_domtrans',` + gen_require(` +- type httpd_totpcgi_provisioning_script_t, httpd_totpcgi_provisioning_script_exec_t; ++ type totpcgi_provisioning_script_t, totpcgi_provisioning_script_exec_t; + ') + + corecmd_search_bin($1) +- domtrans_pattern($1, httpd_totpcgi_provisioning_script_exec_t, httpd_totpcgi_provisioning_script_t) ++ domtrans_pattern($1, totpcgi_provisioning_script_exec_t, totpcgi_provisioning_script_t) + ') + + ######################################## + ## +-## Read httpd_totpcgi conf files. ++## Read totpcgi conf files. 
+ ## + ## + ## +@@ -50,19 +50,19 @@ interface(`httpd_totpcgi_provisioning_sc + ## + ## + # +-interface(`httpd_totpcgi_read_conf_files',` ++interface(`totpcgi_read_conf_files',` + gen_require(` +- type httpd_totpcgi_etc_t; ++ type totpcgi_etc_t; + ') + +- allow $1 httpd_totpcgi_etc_t:file read_file_perms; +- allow $1 httpd_totpcgi_etc_t:dir list_dir_perms; ++ allow $1 totpcgi_etc_t:file read_file_perms; ++ allow $1 totpcgi_etc_t:dir list_dir_perms; + files_search_etc($1) + ') + + ######################################## + ## +-## Read httpd_totpcgi private conf files. ++## Read totpcgi private conf files. + ## + ## + ## +@@ -70,19 +70,19 @@ interface(`httpd_totpcgi_read_conf_files + ## + ## + # +-interface(`httpd_totpcgi_read_private_conf_files',` ++interface(`totpcgi_read_private_conf_files',` + gen_require(` +- type httpd_totpcgi_private_etc_t; ++ type totpcgi_private_etc_t; + ') + +- allow $1 httpd_totpcgi_private_etc_t:file read_file_perms; +- allow $1 httpd_totpcgi_etc_t:dir list_dir_perms; ++ allow $1 totpcgi_private_etc_t:file read_file_perms; ++ allow $1 totpcgi_etc_t:dir list_dir_perms; + files_search_etc($1) + ') + + ######################################## + ## +-## Manage httpd_totpcgi conf files. ++## Manage totpcgi conf files. + ## + ## + ## +@@ -90,18 +90,18 @@ interface(`httpd_totpcgi_read_private_co + ## + ## + # +-interface(`httpd_totpcgi_manage_conf_files',` ++interface(`totpcgi_manage_conf_files',` + gen_require(` +- type httpd_totpcgi_etc_t; ++ type totpcgi_etc_t; + ') + +- manage_files_pattern($1, httpd_totpcgi_etc_t, httpd_totpcgi_etc_t) ++ manage_files_pattern($1, totpcgi_etc_t, totpcgi_etc_t) + files_search_etc($1) + ') + + ######################################## + ## +-## Manage httpd_totpcgi private conf files. ++## Manage totpcgi private conf files. 
+ ## + ## + ## +@@ -109,20 +109,20 @@ interface(`httpd_totpcgi_manage_conf_fil + ## + ## + # +-interface(`httpd_totpcgi_manage_private_conf_files',` ++interface(`totpcgi_manage_private_conf_files',` + gen_require(` +- type httpd_totpcgi_private_etc_t; +- type httpd_totpcgi_etc_t; ++ type totpcgi_private_etc_t; ++ type totpcgi_etc_t; + ') + +- allow $1 httpd_totpcgi_etc_t:dir list_dir_perms; +- manage_files_pattern($1, httpd_totpcgi_private_etc_t, httpd_totpcgi_private_etc_t) ++ allow $1 totpcgi_etc_t:dir list_dir_perms; ++ manage_files_pattern($1, totpcgi_private_etc_t, totpcgi_private_etc_t) + files_search_etc($1) + ') + + ######################################## + ## +-## Search httpd_totpcgi_script lib directories. ++## Search totpcgi_script lib directories. + ## + ## + ## +@@ -130,18 +130,18 @@ interface(`httpd_totpcgi_manage_private_ + ## + ## + # +-interface(`httpd_totpcgi_script_search_lib',` ++interface(`totpcgi_script_search_lib',` + gen_require(` +- type httpd_totpcgi_script_var_lib_t; ++ type totpcgi_script_var_lib_t; + ') + +- allow $1 httpd_totpcgi_script_var_lib_t:dir search_dir_perms; ++ allow $1 totpcgi_script_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) + ') + + ######################################## + ## +-## Read httpd_totpcgi_script lib files. ++## Read totpcgi_script lib files. + ## + ## + ## +@@ -149,18 +149,18 @@ interface(`httpd_totpcgi_script_search_l + ## + ## + # +-interface(`httpd_totpcgi_script_read_lib_files',` ++interface(`totpcgi_script_read_lib_files',` + gen_require(` +- type httpd_totpcgi_script_var_lib_t; ++ type totpcgi_script_var_lib_t; + ') + + files_search_var_lib($1) +- read_files_pattern($1, httpd_totpcgi_script_var_lib_t, httpd_totpcgi_script_var_lib_t) ++ read_files_pattern($1, totpcgi_script_var_lib_t, totpcgi_script_var_lib_t) + ') + + ######################################## + ## +-## Manage httpd_totpcgi_script lib files. ++## Manage totpcgi_script lib files. 
+ ## + ## + ## +@@ -168,18 +168,18 @@ interface(`httpd_totpcgi_script_read_lib + ## + ## + # +-interface(`httpd_totpcgi_script_manage_lib_files',` ++interface(`totpcgi_script_manage_lib_files',` + gen_require(` +- type httpd_totpcgi_script_var_lib_t; ++ type totpcgi_script_var_lib_t; + ') + + files_search_var_lib($1) +- manage_files_pattern($1, httpd_totpcgi_script_var_lib_t, httpd_totpcgi_script_var_lib_t) ++ manage_files_pattern($1, totpcgi_script_var_lib_t, totpcgi_script_var_lib_t) + ') + + ######################################## + ## +-## Manage httpd_totpcgi_script lib directories. ++## Manage totpcgi_script lib directories. + ## + ## + ## +@@ -187,20 +187,20 @@ interface(`httpd_totpcgi_script_manage_l + ## + ## + # +-interface(`httpd_totpcgi_script_manage_lib_dirs',` ++interface(`totpcgi_script_manage_lib_dirs',` + gen_require(` +- type httpd_totpcgi_script_var_lib_t; ++ type totpcgi_script_var_lib_t; + ') + + files_search_var_lib($1) +- manage_dirs_pattern($1, httpd_totpcgi_script_var_lib_t, httpd_totpcgi_script_var_lib_t) ++ manage_dirs_pattern($1, totpcgi_script_var_lib_t, totpcgi_script_var_lib_t) + ') + + + ######################################## + ## + ## All of the rules required to administrate +-## an httpd_totpcgi_script environment ++## an totpcgi_script environment + ## + ## + ## +@@ -214,26 +214,26 @@ interface(`httpd_totpcgi_script_manage_l + ## + ## + # +-interface(`httpd_totpcgi_admin',` ++interface(`totpcgi_admin',` + gen_require(` +- type httpd_totpcgi_script_t; +- type httpd_totpcgi_provisioning_script_t; +- type httpd_totpcgi_etc_t; +- type httpd_totpcgi_private_etc_t; +- type httpd_totpcgi_script_var_lib_t; ++ type totpcgi_script_t; ++ type totpcgi_provisioning_script_t; ++ type totpcgi_etc_t; ++ type totpcgi_private_etc_t; ++ type totpcgi_script_var_lib_t; + ') + +- allow $1 httpd_totpcgi_script_t:process { ptrace signal_perms }; +- allow $1 httpd_totpcgi_provisioning_script_t:process { ptrace signal_perms }; +- ps_process_pattern($1, 
httpd_totpcgi_script_t)
+- ps_process_pattern($1, httpd_totpcgi_provisioning_script_t)
++ allow $1 totpcgi_script_t:process { ptrace signal_perms };
++ allow $1 totpcgi_provisioning_script_t:process { ptrace signal_perms };
++ ps_process_pattern($1, totpcgi_script_t)
++ ps_process_pattern($1, totpcgi_provisioning_script_t)
+ 
+ files_search_etc($1)
+- admin_pattern($1, httpd_totpcgi_etc_t)
+- admin_pattern($1, httpd_totpcgi_private_etc_t)
++ admin_pattern($1, totpcgi_etc_t)
++ admin_pattern($1, totpcgi_private_etc_t)
+ 
+ files_search_var_lib($1)
+- admin_pattern($1, httpd_totpcgi_script_var_lib_t)
++ admin_pattern($1, totpcgi_script_var_lib_t)
+ 
+ ')
+ 
+diff -up totpcgi-0.5.5/selinux/totpcgi.sh.selinux totpcgi-0.5.5/selinux/totpcgi.sh
+diff -up totpcgi-0.5.5/selinux/totpcgi.te.selinux totpcgi-0.5.5/selinux/totpcgi.te
+--- totpcgi-0.5.5/selinux/totpcgi.te.selinux 2013-09-20 20:40:19.000000000 +0200
++++ totpcgi-0.5.5/selinux/totpcgi.te 2014-11-13 20:46:02.220642827 +0100
+@@ -8,59 +8,59 @@ policy_module(totpcgi, 1.1.1)
+ apache_content_template(totpcgi)
+ apache_content_template(totpcgi_provisioning)
+ 
+-type httpd_totpcgi_etc_t;
+-files_type(httpd_totpcgi_etc_t)
++type totpcgi_etc_t;
++files_type(totpcgi_etc_t)
+ 
+-type httpd_totpcgi_private_etc_t;
+-files_type(httpd_totpcgi_private_etc_t)
++type totpcgi_private_etc_t;
++files_type(totpcgi_private_etc_t)
+ 
+-type httpd_totpcgi_script_var_lib_t;
+-files_type(httpd_totpcgi_script_var_lib_t)
++type totpcgi_script_var_lib_t;
++files_type(totpcgi_script_var_lib_t)
+ 
+ ########################################
+ #
+-# httpd_totpcgi_script local policy
++# totpcgi_script local policy
+ #
+ 
+-search_dirs_pattern(httpd_totpcgi_script_t, httpd_totpcgi_etc_t, httpd_totpcgi_etc_t)
+-read_files_pattern(httpd_totpcgi_script_t, httpd_totpcgi_etc_t, httpd_totpcgi_etc_t)
+-read_files_pattern(httpd_totpcgi_script_t, httpd_totpcgi_private_etc_t, httpd_totpcgi_private_etc_t)
+- 
+-search_dirs_pattern(httpd_totpcgi_provisioning_script_t, 
httpd_totpcgi_etc_t, httpd_totpcgi_etc_t)
+-read_files_pattern(httpd_totpcgi_provisioning_script_t, httpd_totpcgi_etc_t, httpd_totpcgi_etc_t)
+-manage_files_pattern(httpd_totpcgi_provisioning_script_t, httpd_totpcgi_private_etc_t, httpd_totpcgi_private_etc_t)
+-files_etc_filetrans(httpd_totpcgi_provisioning_script_t, httpd_totpcgi_private_etc_t, { dir file})
+- 
+-manage_dirs_pattern(httpd_totpcgi_script_t, httpd_totpcgi_script_var_lib_t, httpd_totpcgi_script_var_lib_t)
+-manage_files_pattern(httpd_totpcgi_script_t, httpd_totpcgi_script_var_lib_t, httpd_totpcgi_script_var_lib_t)
+-files_var_lib_filetrans(httpd_totpcgi_script_t, httpd_totpcgi_script_var_lib_t, { dir file })
+-manage_dirs_pattern(httpd_totpcgi_provisioning_script_t, httpd_totpcgi_script_var_lib_t, httpd_totpcgi_script_var_lib_t)
+-manage_files_pattern(httpd_totpcgi_provisioning_script_t, httpd_totpcgi_script_var_lib_t, httpd_totpcgi_script_var_lib_t)
+-files_var_lib_filetrans(httpd_totpcgi_provisioning_script_t, httpd_totpcgi_script_var_lib_t, { dir file })
++search_dirs_pattern(totpcgi_script_t, totpcgi_etc_t, totpcgi_etc_t)
++read_files_pattern(totpcgi_script_t, totpcgi_etc_t, totpcgi_etc_t)
++read_files_pattern(totpcgi_script_t, totpcgi_private_etc_t, totpcgi_private_etc_t)
++ 
++search_dirs_pattern(totpcgi_provisioning_script_t, totpcgi_etc_t, totpcgi_etc_t)
++read_files_pattern(totpcgi_provisioning_script_t, totpcgi_etc_t, totpcgi_etc_t)
++manage_files_pattern(totpcgi_provisioning_script_t, totpcgi_private_etc_t, totpcgi_private_etc_t)
++files_etc_filetrans(totpcgi_provisioning_script_t, totpcgi_private_etc_t, { dir file})
++ 
++manage_dirs_pattern(totpcgi_script_t, totpcgi_script_var_lib_t, totpcgi_script_var_lib_t)
++manage_files_pattern(totpcgi_script_t, totpcgi_script_var_lib_t, totpcgi_script_var_lib_t)
++files_var_lib_filetrans(totpcgi_script_t, totpcgi_script_var_lib_t, { dir file })
++manage_dirs_pattern(totpcgi_provisioning_script_t, totpcgi_script_var_lib_t, totpcgi_script_var_lib_t) 
++manage_files_pattern(totpcgi_provisioning_script_t, totpcgi_script_var_lib_t, totpcgi_script_var_lib_t)
++files_var_lib_filetrans(totpcgi_provisioning_script_t, totpcgi_script_var_lib_t, { dir file })
+ 
+-logging_send_syslog_msg(httpd_totpcgi_script_t)
+-logging_send_syslog_msg(httpd_totpcgi_provisioning_script_t)
++logging_send_syslog_msg(totpcgi_script_t)
++logging_send_syslog_msg(totpcgi_provisioning_script_t)
+ 
+ # needed by totp.fcgi
+-allow httpd_totpcgi_script_t httpd_t:unix_stream_socket { ioctl accept getattr shutdown read write };
++allow totpcgi_script_t t:unix_stream_socket { ioctl accept getattr shutdown read write };
+ # Not sure what triggers this, but it's not needed
+-files_dontaudit_list_tmp(httpd_totpcgi_script_t)
+-files_dontaudit_list_tmp(httpd_totpcgi_provisioning_script_t)
++files_dontaudit_list_tmp(totpcgi_script_t)
++files_dontaudit_list_tmp(totpcgi_provisioning_script_t)
+ 
+ # This should be upstream, really.
+-allow httpd_suexec_t httpd_t:unix_stream_socket { read write };
++allow suexec_t t:unix_stream_socket { read write };
+ #
+ # Allow binding to ldap
+-sysnet_dns_name_resolve(httpd_totpcgi_script_t)
+-miscfiles_read_certs(httpd_totpcgi_script_t)
+-sysnet_use_ldap(httpd_totpcgi_script_t)
+-sysnet_dns_name_resolve(httpd_totpcgi_provisioning_script_t)
+-miscfiles_read_certs(httpd_totpcgi_provisioning_script_t)
+-sysnet_use_ldap(httpd_totpcgi_provisioning_script_t)
++sysnet_dns_name_resolve(totpcgi_script_t)
++miscfiles_read_certs(totpcgi_script_t)
++sysnet_use_ldap(totpcgi_script_t)
++sysnet_dns_name_resolve(totpcgi_provisioning_script_t)
++miscfiles_read_certs(totpcgi_provisioning_script_t)
++sysnet_use_ldap(totpcgi_provisioning_script_t)
+ 
+ # Allow connecting to postgresql
+-postgresql_tcp_connect(httpd_totpcgi_script_t)
+-postgresql_stream_connect(httpd_totpcgi_script_t)
+-postgresql_tcp_connect(httpd_totpcgi_provisioning_script_t)
+-postgresql_stream_connect(httpd_totpcgi_provisioning_script_t) 
++postgresql_tcp_connect(totpcgi_script_t) ++postgresql_stream_connect(totpcgi_script_t) ++postgresql_tcp_connect(totpcgi_provisioning_script_t) ++postgresql_stream_connect(totpcgi_provisioning_script_t) + diff --git a/totpcgi-0.5.5-miscfiles_read_generic_certs.patch b/totpcgi-0.5.5-miscfiles_read_generic_certs.patch new file mode 100644 index 0000000..dea0789 --- /dev/null +++ b/totpcgi-0.5.5-miscfiles_read_generic_certs.patch @@ -0,0 +1,16 @@ +diff -up totpcgi-0.5.5/selinux/totpcgi.te.miscfiles_read_generic_certs totpcgi-0.5.5/selinux/totpcgi.te +--- totpcgi-0.5.5/selinux/totpcgi.te.miscfiles_read_generic_certs 2014-11-13 20:49:53.238792636 +0100 ++++ totpcgi-0.5.5/selinux/totpcgi.te 2014-11-13 20:50:53.244665531 +0100 +@@ -52,10 +52,10 @@ allow suexec_t t:unix_stream_socket { re + # + # Allow binding to ldap + sysnet_dns_name_resolve(totpcgi_script_t) +-miscfiles_read_certs(totpcgi_script_t) ++miscfiles_read_generic_certs(totpcgi_script_t) + sysnet_use_ldap(totpcgi_script_t) + sysnet_dns_name_resolve(totpcgi_provisioning_script_t) +-miscfiles_read_certs(totpcgi_provisioning_script_t) ++miscfiles_read_generic_certs(totpcgi_provisioning_script_t) + sysnet_use_ldap(totpcgi_provisioning_script_t) + + # Allow connecting to postgresql diff --git a/totpcgi.spec b/totpcgi.spec index 87ceb66..e27128d 100644 --- a/totpcgi.spec +++ b/totpcgi.spec @@ -17,12 +17,14 @@ Name: totpcgi Version: 0.5.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A centralized totp solution based on google-authenticator License: GPLv2+ URL: https://github.com/mricon/totp-cgi Source0: https://github.com/mricon/totp-cgi/releases/download/0.5.5/totpcgi-0.5.5.tar.bz2 +Patch1: totpcgi-0.5.5-apache-content-template.patch +Patch2: totpcgi-0.5.5-miscfiles_read_generic_certs.patch BuildArch: noarch @@ -68,6 +70,8 @@ This package includes SELinux policy for totpcgi and totpcgi-provisioning. %prep %setup -q +%patch1 -p1 -b .apache-content-template +%patch2 -p1 -b .miscfiles_read_generic_certs %build 
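Review bot: The `httpd_` prefix strip in the `.te` hunk of totpcgi-0.5.5-apache-content-template.patch also rewrote the peer domains, leaving `allow totpcgi_script_t t:unix_stream_socket { ioctl accept getattr shutdown read write };` and `allow suexec_t t:unix_stream_socket { read write };`, where `t` is not a declared type and `suexec_t` is not the `httpd_suexec_t` the removed lines named, so the module will presumably fail to build, and if those names did resolve the fcgi socket access would be granted to the wrong domains. The intended new lines are `allow totpcgi_script_t httpd_t:unix_stream_socket { ioctl accept getattr shutdown read write };` and `allow httpd_suexec_t httpd_t:unix_stream_socket { read write };`. The hunk header of totpcgi-0.5.5-miscfiles_read_generic_certs.patch (`@@ -52,10 +52,10 @@ allow suexec_t t:unix_stream_socket`) shows the broken line is still present after both patches are applied in order. Two carried-over issues are worth fixing while these files are rewritten: the two `totpcgi_private_etc_t` entries in the `.fc` hunk lack the `,s0` level every other entry carries, and `totpcgi_read_private_conf_files` in the `.if` hunk references `totpcgi_etc_t` without listing it in its `gen_require`.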
@@ -211,6 +215,9 @@ fi %changelog +* Thu Nov 13 2014 Till Maas - 0.5.5-4 +- Update selinux policy, adjust types and other call + * Sun Jun 08 2014 Fedora Release Engineering - 0.5.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild