From 46001dab98c3f4282b0b08b6b4cd9d189ed953e9 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Nov 12 2007 18:42:15 +0000
Subject: - Allow apache to read unconfined users content
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index daa5ef9..643a2b8 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -1747,7 +1747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.8/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/prelink.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/prelink.te 2007-11-12 10:26:38.000000000 -0500
 @@ -26,7 +26,7 @@
 # Local policy
 #
@@ -1797,6 +1797,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 optional_policy(`
 amanda_manage_lib(prelink_t)
 ')
+@@ -88,3 +94,7 @@
+ optional_policy(`
+ cron_system_entry(prelink_t, prelink_exec_t)
+ ')
++
++optional_policy(`
++ unconfined_domain(prelink_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.0.8/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc 2007-10-22 13:21:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/rpm.fc 2007-10-29 23:59:29.000000000 -0400
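Review bot: `unconfined_domain(prelink_t)` in the new `@@ -88,3 +94,7 @@` hunk for prelink.te removes all confinement from prelink, a program that rewrites the ELF binaries and shared libraries on the system, and the hunk carries no comment explaining why the existing per-permission policy was insufficient. Because it sits in `optional_policy()` it only takes effect when the unconfined module is present, but wherever that module is loaded prelink_t then has the same reach as unconfined_t. I would add a justification above the block, e.g. `# TODO: replace unconfined_domain() with the specific permissions prelink needs; record the denials that motivated this`, and mention the change in the commit message, which only speaks of apache. The same unexplained `unconfined_domain()` grant is added for mdadm_t in the raid.te hunk later in this patch.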
@@ -5319,7 +5327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-11-12 10:17:21.000000000 -0500
 @@ -18,10 +18,6 @@
 attribute httpd_script_exec_type;
 type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -5421,6 +5429,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac userdom_user_home_content($1,httpd_$1_content_t) role $3 types httpd_$1_script_t; +@@ -345,12 +297,12 @@ + # + template(`apache_read_user_scripts',` + gen_require(` +- type httpd_$1_script_exec_t; ++ attribute httpd_user_script_exec_type; + ') + +- allow $2 httpd_$1_script_exec_t:dir list_dir_perms; +- read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) +- read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t) ++ allow $2 httpd_user_script_exec_type:dir list_dir_perms; ++ read_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type) ++ read_lnk_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type) + ') + + ######################################## +@@ -371,12 +323,12 @@ + # + template(`apache_read_user_content',` + gen_require(` +- type httpd_$1_content_t; ++ attribute httpd_user_content_type; + ') + +- allow $2 httpd_$1_content_t:dir list_dir_perms; +- read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t) +- read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t) ++ allow $2 httpd_user_content_type:dir list_dir_perms; ++ read_files_pattern($2,httpd_user_content_type,httpd_user_content_type) ++ read_lnk_files_pattern($2,httpd_user_content_type,httpd_user_content_type) + ') + + ######################################## @@ -436,6 +388,24 @@ ######################################## 
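Review bot: After this hunk `apache_read_user_scripts` and `apache_read_user_content` no longer use their `$1` argument — the per-user `httpd_$1_script_exec_t` / `httpd_$1_content_t` types are replaced by the attributes `httpd_user_script_exec_type` / `httpd_user_content_type` — so a caller passing, say, `staff` now lets `$2` list and read every user's web content and scripts rather than that one user's. That widening is presumably the point of "read unconfined users content", but the summaries and parameter descriptions of both templates (above the hunk, outside this view) still read as per-user and should be updated, and the now-dead parameter deserves a line such as `# $1 is retained for call compatibility; access covers all user content types`. I cannot see where these two attributes are declared and assigned to the per-user types; if that is not already in the patch the `gen_require` blocks will fail to build.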
@@ -5736,7 +5778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-11-08 09:25:25.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-11-12 10:03:38.000000000 -0500 @@ -20,6 +20,9 @@ # Declarations # @@ -5822,22 +5864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; -@@ -182,6 +223,14 @@ - type httpd_tmpfs_t; - files_tmpfs_file(httpd_tmpfs_t) - -+# Unconfined domain for apache scripts. -+# Only to be used as a last resort -+type httpd_unconfined_script_t; -+type httpd_unconfined_script_exec_t; # customizable -+domain_type(httpd_unconfined_script_t) -+domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t) -+role system_r types httpd_unconfined_script_t; -+ - # for apache2 memory mapped files - type httpd_var_lib_t; - files_type(httpd_var_lib_t) -@@ -202,9 +251,11 @@ +@@ -202,9 +243,11 @@ # Apache server local policy # @@ -5850,7 +5877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; allow httpd_t self:fifo_file rw_fifo_file_perms; -@@ -244,6 +295,7 @@ +@@ -244,6 +287,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) 
@@ -5858,7 +5885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -284,6 +336,7 @@ +@@ -284,6 +328,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -5866,7 +5893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -330,6 +383,10 @@ +@@ -330,6 +375,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -5877,18 +5904,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -348,7 +405,9 @@ +@@ -348,7 +397,9 @@ userdom_use_unpriv_users_fds(httpd_t) -mta_send_mail(httpd_t) +tunable_policy(`httpd_enable_homedirs',` -+ userdom_search_generic_user_home_dirs(httpd_t) ++ userdom_search_unpriv_users_home_dirs(httpd_t) +') tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) -@@ -360,6 +419,7 @@ +@@ -360,6 +411,7 @@ # tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) @@ -5896,7 +5923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -367,6 +427,16 @@ +@@ -367,6 +419,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') 
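Review bot: Replacing `userdom_search_generic_user_home_dirs(httpd_t)` with `userdom_search_unpriv_users_home_dirs(httpd_t)` inside `tunable_policy(`httpd_enable_homedirs',` widens the grant from the generic user_home_dir_t to, if I read the interface name correctly, every unprivileged user's home directory type. That matches the commit subject, but the boolean's description (outside the hunk) likely still describes the narrower scope and should state that homedir access now covers all unprivileged users. A short comment in the block, `# search every unpriv user's home dir so httpd can reach their web content`, would make the scope explicit to the next reader.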
@@ -5913,17 +5940,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -387,6 +457,17 @@ +@@ -387,6 +449,10 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') -+tunable_policy(`httpd_enable_cgi',` -+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) -+ -+ allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop }; -+ allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms; -+') -+ +tunable_policy(`allow_httpd_sys_script_anon_write',` + miscfiles_manage_public_files(httpd_sys_script_t) +') @@ -5931,7 +5951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -404,11 +485,21 @@ +@@ -404,11 +470,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -5953,7 +5973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -430,6 +521,12 @@ +@@ -430,6 +506,12 @@ ') optional_policy(` @@ -5966,7 +5986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac calamaris_read_www_files(httpd_t) ') -@@ -442,8 +539,15 @@ +@@ -442,8 +524,15 @@ ') optional_policy(` @@ -5983,7 +6003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -457,11 +561,11 @@ +@@ -457,11 +546,11 @@ optional_policy(` mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) @@ -5996,7 +6016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -481,6 +585,7 @@ +@@ -481,6 +570,7 @@ ') optional_policy(` 
@@ -6004,7 +6024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -512,10 +617,16 @@ +@@ -512,10 +602,16 @@ tunable_policy(`httpd_tty_comm',` # cjp: this is redundant: term_use_controlling_term(httpd_helper_t) @@ -6022,7 +6042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -553,6 +664,7 @@ +@@ -553,6 +649,7 @@ optional_policy(` mysql_stream_connect(httpd_php_t) @@ -6030,7 +6050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -567,7 +679,6 @@ +@@ -567,7 +664,6 @@ allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; @@ -6038,7 +6058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -581,6 +692,10 @@ +@@ -581,6 +677,10 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -6049,7 +6069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -606,6 +721,10 @@ +@@ -606,6 +706,10 @@ miscfiles_read_localization(httpd_suexec_t) 
@@ -6060,7 +6080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; allow httpd_suexec_t self:udp_socket create_socket_perms; -@@ -620,10 +739,13 @@ +@@ -620,7 +724,6 @@ corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) @@ -6068,14 +6088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac sysnet_read_config(httpd_suexec_t) ') -+tunable_policy(`httpd_enable_cgi',` -+ domtrans_pattern(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) -+') -+ - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) - ') -@@ -634,6 +756,12 @@ +@@ -634,6 +737,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -6088,7 +6101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -651,18 +779,6 @@ +@@ -651,18 +760,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -6107,7 +6120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -672,7 +788,8 @@ +@@ -672,7 +769,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -6117,7 +6130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -686,15 +803,66 @@ +@@ -686,15 +784,66 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) 
@@ -6185,28 +6198,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -707,6 +875,20 @@ +@@ -707,6 +856,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) + mysql_read_config(httpd_sys_script_t) -+') -+ -+######################################## -+# -+# Apache unconfined script local policy -+# -+ -+optional_policy(` -+ nscd_socket_use(httpd_unconfined_script_t) -+') -+ -+optional_policy(` -+ unconfined_domain(httpd_unconfined_script_t) ') ######################################## -@@ -728,3 +910,20 @@ +@@ -728,3 +878,20 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -8719,8 +8719,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-11-08 13:34:38.000000000 -0500 -@@ -53,6 +53,8 @@ ++++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-11-12 11:36:16.000000000 -0500 +@@ -30,6 +30,10 @@ + type inetd_child_var_run_t; + files_pid_file(inetd_child_var_run_t) + ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh) ++') ++ + ######################################## + # + # Local policy +@@ -53,6 +57,8 @@ allow inetd_t inetd_var_run_t:file manage_file_perms; files_pid_filetrans(inetd_t,inetd_var_run_t,file) 
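Review bot: The new `ifdef(`enable_mcs',` init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh) ')` block in inetd.te gives inetd the full MCS category range, which is unrelated to the commit subject and carries no comment. The `mls_process_set_level(inetd_t)` rule visible further down in the same file section suggests the reason is that services inetd spawns must be able to run at any category, but that should be stated rather than inferred. I would add `# run inetd at the full MCS range so the services it spawns can be given any category` above the ifdef, and mention the change in the commit message.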
@@ -8729,7 +8740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet kernel_read_kernel_sysctls(inetd_t) kernel_list_proc(inetd_t) kernel_read_proc_symlinks(inetd_t) -@@ -80,16 +82,22 @@ +@@ -80,16 +86,22 @@ corenet_udp_bind_comsat_port(inetd_t) corenet_tcp_bind_dbskkd_port(inetd_t) corenet_udp_bind_dbskkd_port(inetd_t) @@ -8752,7 +8763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet corenet_udp_bind_tftp_port(inetd_t) corenet_tcp_bind_ssh_port(inetd_t) -@@ -132,8 +140,10 @@ +@@ -132,8 +144,10 @@ miscfiles_read_localization(inetd_t) # xinetd needs MLS override privileges to work @@ -8763,7 +8774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet mls_process_set_level(inetd_t) sysnet_read_config(inetd_t) -@@ -141,6 +151,11 @@ +@@ -141,6 +155,11 @@ userdom_dontaudit_use_unpriv_user_fds(inetd_t) userdom_dontaudit_search_sysadm_home_dirs(inetd_t) @@ -8775,7 +8786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet optional_policy(` amanda_search_lib(inetd_t) ') -@@ -154,6 +169,7 @@ +@@ -154,6 +173,7 @@ ') optional_policy(` @@ -8783,7 +8794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet unconfined_domtrans(inetd_t) ') -@@ -170,6 +186,9 @@ +@@ -170,6 +190,9 @@ # for identd allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow inetd_child_t self:capability { setuid setgid }; @@ -8793,7 +8804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet files_search_home(inetd_child_t) manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t) -@@ -198,6 +217,8 @@ +@@ -198,6 +221,8 @@ files_read_etc_files(inetd_child_t) 
@@ -8802,7 +8813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet libs_use_ld_so(inetd_child_t) libs_use_shared_libs(inetd_child_t) -@@ -205,20 +226,11 @@ +@@ -205,20 +230,11 @@ miscfiles_read_localization(inetd_child_t) @@ -10224,6 +10235,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. logrotate_exec(ntpd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.0.8/policy/modules/services/openct.te +--- nsaserefpolicy/policy/modules/services/openct.te 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/openct.te 2007-11-12 10:47:16.000000000 -0500 +@@ -22,6 +22,7 @@ + allow openct_t self:process signal_perms; + + manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t) ++manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t) + files_pid_filetrans(openct_t,openct_var_run_t,file) + + kernel_read_kernel_sysctls(openct_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.0.8/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/openvpn.te 2007-10-29 23:59:29.000000000 -0400 @@ -11165,7 +11187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.8/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/rlogin.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/rlogin.te 2007-11-12 10:52:51.000000000 -0500 
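Review bot: `manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)` is added to openct.te, but the `files_pid_filetrans(openct_t,openct_var_run_t,file)` line directly below it still transitions only `file`, so a socket created directly under /var/run would keep the parent directory's type and the new rule would not apply to it. If the socket lives inside a directory already labeled openct_var_run_t (for example via a `/var/run/openct(/.*)?` file context) it inherits the label and this is fine; otherwise the transition should become `files_pid_filetrans(openct_t,openct_var_run_t,{ file sock_file })`. Worth confirming which case applies against openct.fc, which is not in this patch.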
@@ -36,6 +36,8 @@ allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty(rlogind_t,rlogind_devpts_t) @@ -12716,7 +12738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.8/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2007-11-12 11:17:12.000000000 -0500 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -13101,7 +13123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs. dev_read_sysfs(xfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.8/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.fc 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.fc 2007-11-12 11:55:40.000000000 -0500 @@ -32,11 +32,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) 
@@ -13122,9 +13144,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -92,13 +88,16 @@ +@@ -91,14 +87,19 @@ + /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) ++/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) -/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) @@ -13137,12 +13161,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-11-08 10:56:23.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-11-12 11:59:59.000000000 -0500 @@ -126,6 +126,8 @@ # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev($1_xserver_t) 
@@ -13214,7 +13239,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_user_fonts($1,$1_xserver_t) xserver_rw_xdm_tmp_files($1_xauth_t) -@@ -353,12 +356,6 @@ +@@ -324,13 +327,6 @@ + userhelper_search_config($1_xserver_t) + ') + +- ifdef(`TODO',` +- ifdef(`xdm.te', ` +- allow $1_t xdm_tmp_t:sock_file unlink; +- allow $1_xserver_t xdm_var_run_t:dir search; +- ') +- ') dnl end TODO +- + ############################## + # + # $1_xauth_t Local policy +@@ -353,12 +349,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) @@ -13227,7 +13266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds($1_xauth_t) files_read_etc_files($1_xauth_t) -@@ -387,6 +384,14 @@ +@@ -387,6 +377,14 @@ ') optional_policy(` @@ -13242,7 +13281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser nis_use_ypbind($1_xauth_t) ') -@@ -536,17 +541,15 @@ +@@ -536,17 +534,15 @@ template(`xserver_user_client_template',` gen_require(` @@ -13266,7 +13305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -555,25 +558,54 @@ +@@ -555,25 +551,54 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -13329,7 +13368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -626,6 +658,24 @@ +@@ -626,6 +651,24 @@ ######################################## ## @@ -13354,7 +13393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -659,6 +709,73 @@ +@@ -659,6 +702,73 @@ ######################################## ## 
@@ -13428,7 +13467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -927,6 +1044,7 @@ +@@ -927,6 +1037,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -13436,7 +13475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -987,6 +1105,37 @@ +@@ -987,6 +1098,37 @@ ######################################## ## @@ -13474,7 +13513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1136,7 +1285,7 @@ +@@ -1136,7 +1278,7 @@ type xdm_xserver_tmp_t; ') @@ -13483,7 +13522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1474,63 @@ +@@ -1325,3 +1467,82 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -13528,6 +13567,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +######################################## +## ++## Connect to apmd over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_stream_connect',` ++ gen_require(` ++ type xdm_xserver_t, xserver_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1,xserver_var_run_t,xserver_var_run_t,xdm_xserver_t) ++') ++ ++######################################## ++## +## xdm xserver RW shared memory socket. +## +## 
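Review bot: The summary of the new `xserver_stream_connect` interface reads `Connect to apmd over an unix stream socket.`, which looks copied from another module; the body connects `$1` to xdm_xserver_t through sockets labeled xserver_var_run_t, so it should read `Connect to the X server over a unix stream socket.`. The `files_search_pids($1)` plus `stream_connect_pattern` shape is right for a socket under /var/run, and it relies on the socket itself carrying xserver_var_run_t, which the xserver.te side of this patch must provide.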
@@ -13549,7 +13607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-11-12 11:58:08.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -13564,7 +13622,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Allow xdm logins as sysadm ##

##
-@@ -96,7 +103,7 @@ +@@ -56,6 +63,9 @@ + type xdm_var_run_t; + files_pid_file(xdm_var_run_t) + ++type xserver_var_run_t; ++files_pid_file(xserver_var_run_t) ++ + type xdm_tmp_t; + files_tmp_file(xdm_tmp_t) + typealias xdm_tmp_t alias ice_tmp_t; +@@ -67,6 +77,9 @@ + type xkb_var_lib_t; + files_type(xkb_var_lib_t) + ++type xserver_var_lib_t; ++files_type(xserver_var_lib_t) ++ + # Type for the executable used to start the X server, e.g. Xwrapper. + type xserver_exec_t; + corecmd_executable_file(xserver_exec_t) +@@ -96,7 +109,7 @@ # allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; @@ -13573,7 +13651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; -@@ -132,15 +139,20 @@ +@@ -132,15 +145,20 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -13595,7 +13673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -185,6 +197,7 @@ +@@ -185,6 +203,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -13603,7 +13681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -197,6 +210,7 @@ +@@ -197,6 +216,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) 
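Review bot: The two new types `xserver_var_run_t` and `xserver_var_lib_t` are declared without the explanatory comment that the neighbouring declarations carry (`# Type for the executable used to start the X server, e.g. Xwrapper.`). Given the file-context entries this patch adds for `/var/run/xorg(/.*)?` and `/var/lib/xorg(/.*)?`, I would write `# Type for the X server's runtime state under /var/run/xorg` and `# Type for the X server's persistent state under /var/lib/xorg` above them. Naming them `xserver_*` while the domain that manages them is `xdm_xserver_t` also deserves a word, since the rest of this file appears to pair `xdm_*` types with xdm_t.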
@@ -13611,7 +13689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -246,6 +260,7 @@ +@@ -246,6 +266,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -13619,7 +13697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -257,6 +272,7 @@ +@@ -257,6 +278,7 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -13627,7 +13705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) -@@ -268,9 +284,14 @@ +@@ -268,9 +290,14 @@ userdom_create_all_users_keys(xdm_t) # for .dmrc userdom_read_unpriv_users_home_content_files(xdm_t) @@ -13642,7 +13720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -306,6 +327,11 @@ +@@ -306,6 +333,11 @@ optional_policy(` consolekit_dbus_chat(xdm_t) @@ -13654,7 +13732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -348,12 +374,8 @@ +@@ -348,12 +380,8 @@ ') optional_policy(` @@ -13668,7 +13746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; -@@ -385,7 +407,7 @@ +@@ -385,7 +413,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; 
@@ -13677,7 +13755,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -425,6 +447,14 @@ +@@ -397,6 +425,15 @@ + can_exec(xdm_xserver_t, xkb_var_lib_t) + files_search_var_lib(xdm_xserver_t) + ++manage_dirs_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t) ++manage_files_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t) ++files_var_lib_filetrans(xdm_xserver_t,xserver_var_lib_t,dir) ++ ++manage_dirs_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t) ++manage_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t) ++manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t) ++files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir) ++ + # VNC v4 module in X server + corenet_tcp_bind_vnc_port(xdm_xserver_t) + +@@ -425,6 +462,14 @@ ') optional_policy(` @@ -13692,7 +13786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -434,47 +464,26 @@ +@@ -434,47 +479,26 @@ ') optional_policy(` @@ -16372,7 +16466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.0.8/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/raid.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/raid.te 2007-11-12 10:34:49.000000000 -0500 @@ -19,7 +19,7 @@ # Local policy # 
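Review bot: In the new block for xdm_xserver_t, `manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)` names xdm_var_run_t while the surrounding dir/file rules and `files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir)` all use xserver_var_run_t; this looks like a typo, because the `xserver_stream_connect` interface added in the xserver.if hunk of this patch expects the socket to be labeled xserver_var_run_t. As written the X server can create the /var/run/xorg directory but not a sock_file of that type inside it, so clients using the new interface will be denied. The line should read `manage_sock_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)`; if the xdm_var_run_t grant is also intended, keep it as a separate line with a comment saying why.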
@@ -16390,6 +16484,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) +@@ -83,5 +84,10 @@ + ') + + optional_policy(` ++ unconfined_domain(mdadm_t) ++') ++ ++optional_policy(` + udev_read_db(mdadm_t) + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.0.8/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-10-22 13:21:40.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.fc 2007-10-29 23:59:29.000000000 -0400 @@ -16680,7 +16785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-11-09 14:27:22.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-11-12 11:41:10.000000000 -0500 @@ -76,7 +76,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) @@ -16700,7 +16805,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu type semanage_store_t; files_type(semanage_store_t) -@@ -194,10 +197,19 @@ +@@ -170,6 +173,7 @@ + files_read_etc_runtime_files(load_policy_t) + + fs_getattr_xattr_fs(load_policy_t) ++fs_list_inotifyfs(load_policy_t) + + mls_file_read_all_levels(load_policy_t) + +@@ -194,10 +198,19 @@ # cjp: cover up stray file descriptors. dontaudit load_policy_t selinux_config_t:file write; optional_policy(` 
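Review bot: The raid.te hunk ends with an extra `++` line after the closing `')`, which leaves the file with a trailing blank line; drop it so the module ends like the others in the patch. The `unconfined_domain(mdadm_t)` grant added above it has the same missing justification already raised on the prelink.te hunk at the top of this patch.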
@@ -16721,7 +16834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Newrole local policy -@@ -215,7 +227,7 @@ +@@ -215,7 +228,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -16730,7 +16843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu read_files_pattern(newrole_t,selinux_config_t,selinux_config_t) read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t) -@@ -252,8 +264,11 @@ +@@ -252,8 +265,11 @@ term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -16742,7 +16855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu corecmd_list_bin(newrole_t) corecmd_read_bin_symlinks(newrole_t) -@@ -273,6 +288,7 @@ +@@ -273,6 +289,7 @@ libs_use_ld_so(newrole_t) libs_use_shared_libs(newrole_t) @@ -16750,7 +16863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) -@@ -294,14 +310,6 @@ +@@ -294,14 +311,6 @@ files_polyinstantiate_all(newrole_t) ') @@ -16765,7 +16878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Restorecond local policy -@@ -309,11 +317,12 @@ +@@ -309,11 +318,12 @@ allow restorecond_t self:capability { dac_override dac_read_search fowner }; allow restorecond_t self:fifo_file rw_fifo_file_perms; @@ -16779,7 +16892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) -@@ -343,15 +352,12 @@ +@@ -343,15 +353,12 @@ miscfiles_read_localization(restorecond_t) 
@@ -16797,7 +16910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ################################# # -@@ -361,7 +367,7 @@ +@@ -361,7 +368,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -16806,7 +16919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -375,6 +381,7 @@ +@@ -375,6 +382,7 @@ term_dontaudit_list_ptys(run_init_t) auth_domtrans_chk_passwd(run_init_t) @@ -16814,7 +16927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) corecmd_exec_bin(run_init_t) -@@ -423,77 +430,52 @@ +@@ -423,77 +431,52 @@ nscd_socket_use(run_init_t) ') @@ -16918,7 +17031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -521,6 +503,11 @@ +@@ -521,6 +504,11 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; @@ -16930,7 +17043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_files(setfiles_t) -@@ -537,6 +524,7 @@ +@@ -537,6 +525,7 @@ fs_getattr_xattr_fs(setfiles_t) fs_list_all(setfiles_t) 
@@ -16938,7 +17051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_search_auto_mountpoints(setfiles_t) fs_relabelfrom_noxattr_fs(setfiles_t) -@@ -590,8 +578,16 @@ +@@ -590,8 +579,16 @@ fs_relabel_tmpfs_chr_file(setfiles_t) ') @@ -17529,7 +17642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-11-08 17:36:37.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-11-12 10:02:10.000000000 -0500 @@ -5,36 +5,52 @@ # # Declarations @@ -17590,7 +17703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,37 +58,37 @@ +@@ -42,37 +58,39 @@ logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) @@ -17620,7 +17733,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` - bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) -+ apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ++ apache_per_role_template(unconfined, unconfined_t, unconfined_r) ++ apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ unconfined_domain(httpd_unconfined_script_t) ') optional_policy(` 
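Review bot: `unconfined_domain(httpd_unconfined_script_t)` makes the script domain that `apache_per_role_template(unconfined, unconfined_t, unconfined_r)` presumably derives into a fully unconfined domain, so any content that httpd executes under the matching script type runs with no confinement at all; that is a larger grant than the "read unconfined users content" the commit describes and should be explained in place, e.g. `# scripts derived from unconfined users' content run unconfined (unconfined_domain); content is readable via the template`. If read access to user content was the only goal, the template alone may suffice — confirm. Minor style: the rewritten `apache_run_helper(unconfined_t, unconfined_r, { ... })` uses spaces after the commas, unlike the neighbouring calls in this file such as `mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })`.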
@@ -17637,7 +17752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -107,22 +123,22 @@ +@@ -107,22 +125,22 @@ optional_policy(` oddjob_dbus_chat(unconfined_t) ') @@ -17666,7 +17781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -130,15 +146,10 @@ +@@ -130,15 +148,10 @@ ') optional_policy(` @@ -17684,7 +17799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -155,32 +166,23 @@ +@@ -155,32 +168,23 @@ optional_policy(` postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) @@ -17721,7 +17836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +207,22 @@ +@@ -205,11 +209,22 @@ ') optional_policy(` @@ -17746,7 +17861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +232,28 @@ +@@ -219,14 +234,28 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index ab3712d..90e5647 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 51%{?dist} +Release: 52%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -380,6 +380,9 @@ exit 0 %endif %changelog +* Mon Nov 11 2007 Dan Walsh 3.0.8-52 +- Allow apache to read unconfined users content + * Sat Nov 10 2007 Dan Walsh 3.0.8-51 - Allow login programs to run mount - Dontaudit writes to user_home_t for semanage