From ad798591a5b5ab174983678aa8aabfe4d32a8ce9 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 31 2010 16:15:58 +0000 Subject: - Fixes for nagios --- diff --git a/policy-20100106.patch b/policy-20100106.patch index 235c007..e6ae829 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -778,7 +778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.32/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2010-01-18 18:24:22.552539984 +0100 -+++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2010-03-01 13:34:16.025492348 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2010-05-31 17:45:06.948362135 +0200 @@ -132,6 +132,8 @@ kernel_read_system_state(ping_t) @@ -788,7 +788,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(ping_t) logging_send_syslog_msg(ping_t) -@@ -158,6 +160,10 @@ +@@ -144,6 +146,7 @@ + init_dontaudit_use_fds(ping_t) + + optional_policy(` ++ nagios_dontaudit_rw_log(ping_t) + nagios_dontaudit_rw_pipes(ping_t) + ') + ') +@@ -158,6 +161,10 @@ ') optional_policy(` 
@@ -1644,10 +1652,82 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.32/policy/modules/apps/gpg.if +--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/apps/gpg.if 2010-05-31 17:31:03.749362017 +0200 +@@ -95,3 +95,41 @@ + + allow $1 gpg_t:process signal; + ') ++ ++###################################### ++## ++## Transition to a gpg web domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gpg_domtrans_web',` ++ gen_require(` ++ type gpg_web_t, gpg_exec_t; ++ ') ++ ++ domtrans_pattern($1, gpg_exec_t, gpg_web_t) ++') ++ ++###################################### ++## ++## Make gpg an entrypoint for ++## the specified domain. ++## ++## ++## ++## The domain for which cifs_t is an entrypoint. ++## ++## ++# ++interface(`gpg_entry_type',` ++ gen_require(` ++ type gpg_exec_t; ++ ') ++ ++ domain_entry_file($1, gpg_exec_t) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.32/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2010-01-18 18:24:22.605530382 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-04-16 09:30:55.883864721 +0200 -@@ -111,11 +111,7 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2010-05-31 17:30:37.334111230 +0200 +@@ -14,6 +14,14 @@ + ## + gen_tunable(gpg_agent_env_file, false) + ++## ++##

++## Allow gpg web domain to modify public files ++## used for public file transfer services. ++##

++##
++gen_tunable(gpg_web_anon_write, false) ++ + type gpg_t; + type gpg_exec_t; + typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; +@@ -53,6 +61,11 @@ + application_domain(gpg_pinentry_t, pinentry_exec_t) + ubac_constrained(gpg_pinentry_t) + ++type gpg_web_t; ++domain_type(gpg_web_t) ++gpg_entry_type(gpg_web_t) ++role system_r types gpg_web_t; ++ + ######################################## + # + # GPG local policy +@@ -111,11 +124,7 @@ mta_write_config(gpg_t) userdom_use_user_terminals(gpg_t) @@ -1660,7 +1740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -156,6 +152,7 @@ +@@ -156,6 +165,7 @@ # sign/encrypt user files userdom_manage_user_tmp_files(gpg_t) userdom_manage_user_home_content_files(gpg_t) @@ -1668,7 +1748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -185,6 +182,8 @@ +@@ -185,6 +195,8 @@ # GPG agent local policy # @@ -1677,7 +1757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # rlimit: gpg-agent wants to prevent coredumps allow gpg_agent_t self:process setrlimit; -@@ -205,6 +204,7 @@ +@@ -205,6 +217,7 @@ # allow gpg to connect to the gpg agent stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) 
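Review bot: The summary of the new `gpg_entry_type` interface in gpg.if is a copy-paste leftover — it says `The domain for which cifs_t is an entrypoint.` while the body calls `domain_entry_file($1, gpg_exec_t)`; it should read `The domain for which gpg_exec_t is an entrypoint.`. The `gpg_domtrans_web` summary and the `gpg_web_anon_write` tunable description are consistent with what the code does. The `gpg_web_t` declaration in gpg.te (`domain_type`, `gpg_entry_type`, `role system_r`) is only the type setup; the rules that make the domain usable are in a later hunk of this patch, so that is where the access should be reviewed.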
@@ -1685,12 +1765,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin(gpg_agent_t) domain_use_interactive_fds(gpg_agent_t) -@@ -271,6 +271,6 @@ +@@ -271,6 +284,26 @@ ') optional_policy(` - xserver_common_app(gpg_pinentry_t) + xserver_stream_connect(gpg_pinentry_t) ++') ++ ++############################# ++# ++# gpg web local policy ++# ++ ++allow gpg_web_t self:process setrlimit; ++ ++can_exec(gpg_web_t, gpg_exec_t) ++ ++files_read_usr_files(gpg_web_t) ++ ++miscfiles_read_localization(gpg_web_t) ++ ++apache_dontaudit_rw_tmp_files(gpg_web_t) ++apache_manage_sys_content_rw(gpg_web_t) ++ ++tunable_policy(`gpg_web_anon_write',` ++ miscfiles_manage_public_files(gpg_web_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if @@ -2157,7 +2257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-21 20:47:43.404568303 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-04-21 14:10:04.244409189 +0200 ++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2010-05-31 10:35:24.189362243 +0200 @@ -1,5 +1,5 @@ -policy_module(pulseaudio, 1.0.1) @@ -2214,8 +2314,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec(pulseaudio_t, pulseaudio_exec_t) kernel_getattr_proc(pulseaudio_t) -@@ -54,8 +81,8 @@ +@@ -52,10 +79,11 @@ + + fs_rw_anon_inodefs_files(pulseaudio_t) fs_getattr_tmpfs(pulseaudio_t) ++fs_read_tmpfs_files(pulseaudio_t) fs_list_inotifyfs(pulseaudio_t) -term_use_all_user_ttys(pulseaudio_t) 
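Review bot: The new "gpg web local policy" block in gpg.te calls `apache_dontaudit_rw_tmp_files(gpg_web_t)` and `apache_manage_sys_content_rw(gpg_web_t)` unconditionally, which makes the gpg module fail to link whenever the apache module is not loaded; the rest of this file wraps cross-module calls, as the `optional_policy(` xserver_stream_connect(gpg_pinentry_t) `')` block immediately above shows. Both apache calls should be moved into their own `optional_policy(` … `')` block. Separately, `miscfiles_manage_public_files(gpg_web_t)` is granted only under `gpg_web_anon_write`; if the domain is expected to read `public_content_t` in the default configuration, the unconditional read counterpart is missing, though whether it is needed cannot be confirmed from this hunk.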
@@ -2225,7 +2328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(pulseaudio_t) -@@ -63,6 +90,8 @@ +@@ -63,6 +91,8 @@ miscfiles_read_localization(pulseaudio_t) @@ -2234,7 +2337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` bluetooth_stream_connect(pulseaudio_t) ') -@@ -72,6 +101,8 @@ +@@ -72,6 +102,8 @@ ') optional_policy(` @@ -2243,7 +2346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_bus_client(pulseaudio_t) dbus_session_bus_client(pulseaudio_t) dbus_connect_session_bus(pulseaudio_t) -@@ -105,10 +136,13 @@ +@@ -105,10 +137,13 @@ optional_policy(` udev_read_db(pulseaudio_t) 
@@ -6027,6 +6130,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_pulseaudio_port(xguest_usertype) corenet_all_recvfrom_unlabeled(xguest_usertype) corenet_all_recvfrom_netlabel(xguest_usertype) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.32/policy/modules/services/abrt.fc +--- nsaserefpolicy/policy/modules/services/abrt.fc 2010-01-18 18:24:22.725543271 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.fc 2010-05-31 18:07:17.167111902 +0200 +@@ -13,5 +13,7 @@ + /var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0) + + /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) +-/var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) ++/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) + /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) ++ ++var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2010-01-18 18:24:22.726539977 +0100 +++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-02-01 21:01:00.945160840 +0100 @@ -6044,7 +6159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ###################################### diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-04-16 09:34:12.464614739 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-05-31 17:54:25.188362074 +0200 
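Review bot: The added abrt.fc entry `var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)` is missing its leading slash; file-context patterns are matched against absolute paths, so this entry will never label `/var/spool/abrt` (and may be rejected by the file-context checker), leaving the spool directory with the default `var_spool_t` label that the `files_search_spool(abrt_helper_t)` rule added later in this patch does not cover. It should read `/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)`. The widened `/var/run/abrtd?\.lock` pattern looks correct as written.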
@@ -96,16 +96,19 @@ corenet_tcp_connect_ftp_port(abrt_t) corenet_tcp_connect_all_ports(abrt_t) @@ -6098,7 +6213,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol permissive abrt_t; ######################################## -@@ -183,7 +201,7 @@ +@@ -183,12 +201,13 @@ # abrt--helper local policy # @@ -6107,7 +6222,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow abrt_helper_t self:process signal; read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t) -@@ -200,10 +218,16 @@ + domain_read_all_domains_state(abrt_helper_t) + ++files_search_spool(abrt_helper_t) + manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) + manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) + manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -200,10 +219,16 @@ files_read_etc_files(abrt_helper_t) files_dontaudit_all_non_security_leaks(abrt_helper_t) @@ -6216,7 +6337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(amavis_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2010-01-18 18:24:22.733530530 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-03-23 13:02:01.304641071 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-05-31 17:36:34.710362091 +0200 @@ -8,10 +8,12 @@ /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) 
@@ -6238,13 +6359,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) -@@ -66,11 +69,14 @@ +@@ -66,11 +69,15 @@ /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) +#/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -6254,7 +6376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) -@@ -82,6 +88,8 @@ +@@ -82,6 +89,8 @@ /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) 
@@ -6263,7 +6385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -108,6 +116,7 @@ +@@ -108,6 +117,7 @@ /usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) /usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) /var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0) @@ -6273,7 +6395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-05-11 17:59:31.278624767 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-05-31 18:00:35.141362064 +0200 @@ -16,6 +16,7 @@ attribute httpd_exec_scripts; attribute httpd_script_exec_type; 
@@ -6327,7 +6449,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Allow the specified domain to manage -@@ -1112,6 +1137,45 @@ +@@ -857,6 +882,29 @@ + manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + ') + ++###################################### ++## ++## Allow the specified domain to manage ++## apache system content rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_manage_sys_content_rw',` ++ gen_require(` ++ type httpd_sys_content_rw_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ manage_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ manage_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++') ++ + ######################################## + ## + ## Allow the specified domain to delete +@@ -1112,6 +1160,64 @@ allow $1 httpd_sys_script_t:dir search_dir_perms; ') @@ -6351,6 +6503,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) +') + ++###################################### ++## ++## Dontaudit attempts to read and write ++## apache tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_dontaudit_rw_tmp_files',` ++ gen_require(` ++ type httpd_tmp_t; ++ ') ++ ++ dontaudit $1 httpd_tmp_t:file { read write }; ++') ++ +####################################### +## +## Dontaudit attempts to write @@ -6373,7 +6544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Execute CGI in the specified domain. -@@ -1167,6 +1231,29 @@ +@@ -1167,6 +1273,29 @@ allow $1 httpd_bugzilla_content_t:dir search_dir_perms; ') 
@@ -6405,7 +6576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to read and write Apache diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-04-06 08:21:30.569541120 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-05-31 17:35:23.798361783 +0200 @@ -67,6 +67,13 @@ ## @@ -6420,7 +6591,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow HTTPD scripts and modules to connect to databases over the network. ##

##
-@@ -309,7 +316,7 @@ +@@ -154,6 +161,13 @@ + + ## + ##

++## Allow httpd to run gpg in gpg-web domain ++##

++##
++gen_tunable(httpd_use_gpg, false) ++ ++## ++##

+ ## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t. + ##

+ ##
+@@ -309,7 +323,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) @@ -6429,7 +6614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -351,7 +358,8 @@ +@@ -351,7 +365,8 @@ manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -6439,7 +6624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -363,10 +371,10 @@ +@@ -363,10 +378,10 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) @@ -6452,7 +6637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -400,7 +408,9 @@ +@@ -400,7 +415,9 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) @@ -6462,7 +6647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_iso9660_files(httpd_t) auth_use_nsswitch(httpd_t) -@@ -458,6 +468,7 @@ +@@ -458,6 +475,7 @@ tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chkpwd(httpd_t) @@ -6470,7 +6655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ## -@@ -483,8 +494,14 @@ +@@ -483,8 +501,14 @@ corenet_tcp_connect_pop_port(httpd_t) corenet_sendrecv_pop_client_packets(httpd_t) mta_send_mail(httpd_t) 
@@ -6486,7 +6671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_can_network_relay',` -@@ -588,6 +605,9 @@ +@@ -588,6 +612,9 @@ optional_policy(` cobbler_search_lib(httpd_t) @@ -6496,7 +6681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -612,6 +632,11 @@ +@@ -612,6 +639,17 @@ avahi_dbus_chat(httpd_t) ') ') @@ -6505,10 +6690,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + gitosis_read_var_lib(httpd_t) +') + ++optional_policy(` ++ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` ++ gpg_domtrans_web(httpd_t) ++ ') ++') ++ optional_policy(` kerberos_keytab_template(httpd, httpd_t) ') -@@ -756,8 +781,14 @@ +@@ -756,8 +794,14 @@ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) corenet_tcp_connect_mysqld_port(httpd_suexec_t) corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) @@ -6524,7 +6715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` mysql_stream_connect(httpd_php_t) -@@ -895,6 +926,9 @@ +@@ -895,6 +939,9 @@ sysnet_read_config(httpd_sys_script_t) @@ -6534,7 +6725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -906,6 +940,7 @@ +@@ -906,6 +953,7 @@ fs_manage_nfs_files(httpd_sys_script_t) fs_manage_nfs_symlinks(httpd_sys_script_t) fs_exec_nfs_files(httpd_sys_script_t) @@ -6542,7 +6733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_nfs_dirs(httpd_suexec_t) fs_manage_nfs_files(httpd_suexec_t) -@@ -945,6 +979,7 @@ +@@ -945,6 +992,7 @@ fs_manage_cifs_files(httpd_suexec_t) fs_manage_cifs_symlinks(httpd_suexec_t) fs_exec_cifs_files(httpd_suexec_t) 
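Review bot: `gpg_domtrans_web(httpd_t)` grants the transition to `httpd_t` only, while the guarding tunable is `httpd_enable_cgi && httpd_use_gpg`; CGI scripts run in `httpd_sys_script_t` and the other `httpd_*_script_t` domains, which get nothing from this hunk, so a CGI that execs gpg would appear to keep running it in the script domain rather than `gpg_web_t`. If the intended caller is an in-process module running as `httpd_t`, the `httpd_enable_cgi` condition seems out of place; if the intended caller is CGI, the script domain needs `gpg_domtrans_web(httpd_sys_script_t)` under the same tunable. A one-line comment above the `tunable_policy` naming which domain is expected to exec gpg would settle this for the next reader.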
@@ -10835,11 +11026,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2010-01-18 18:24:22.821530899 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-03-01 16:06:40.837490351 +0100 -@@ -119,6 +119,26 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-05-31 17:45:40.693112592 +0200 +@@ -119,6 +119,44 @@ read_files_pattern($1, nagios_log_t, nagios_log_t) ') ++#################################### ++## ++## dontaudit Read and write nagios logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nagios_dontaudit_rw_log',` ++ gen_require(` ++ type nagios_log_t; ++ ') ++ ++ dontaudit $1 nagios_log_t:file { read write }; ++') ++ +####################################### +## +## Allow the specified domain to read @@ -10863,7 +11072,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create a set of derived types for various -@@ -134,6 +154,7 @@ +@@ -134,6 +172,7 @@ gen_require(` type nagios_t, nrpe_t; @@ -10871,7 +11080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') type nagios_$1_plugin_t; -@@ -150,8 +171,15 @@ +@@ -150,8 +189,15 @@ # needed by command.cfg domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) 
@@ -10889,7 +11098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-03-19 07:58:48.047611543 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-05-31 17:44:49.383361808 +0200 @@ -45,10 +45,18 @@ type nrpe_var_run_t; files_pid_file(nrpe_var_run_t) @@ -10949,7 +11158,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_sysfs(nagios_t) dev_read_urand(nagios_t) -@@ -253,6 +264,11 @@ +@@ -133,9 +144,6 @@ + fs_getattr_all_fs(nagios_t) + fs_search_auto_mountpoints(nagios_t) + +-# for who +-init_read_utmp(nagios_t) +- + auth_use_nsswitch(nagios_t) + + logging_send_syslog_msg(nagios_t) +@@ -148,12 +156,6 @@ + mta_send_mail(nagios_t) + + optional_policy(` +- netutils_domtrans_ping(nagios_t) +- netutils_signal_ping(nagios_t) +- netutils_kill_ping(nagios_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(nagios_t) + ') + +@@ -253,6 +255,11 @@ ') optional_policy(` @@ -10961,7 +11193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(nrpe_t) ') -@@ -264,6 +280,66 @@ +@@ -264,6 +271,66 @@ udev_read_db(nrpe_t) ') @@ -11028,7 +11260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ###################################### # -@@ -290,6 +366,8 @@ +@@ -290,6 +357,8 @@ allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms; 
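Review bot: This hunk removes `init_read_utmp(nagios_t)` (the `# for who` rule) along with the ping rules, but unlike the ping rules, which reappear under `nagios_services_plugin_t` in the following hunk, no replacement for the utmp read is visible anywhere in this patch. If check_users now runs in one of the `nagios_*_plugin_t` domains created by `nagios_plugin_template`, that domain needs `init_read_utmp`, otherwise the check regresses to an AVC denial; which plugin domain it transitions into cannot be confirmed from this hunk. If the access is genuinely no longer needed, the removal deserves a mention beyond the changelog's `Fixes for nagios`.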
@@ -11037,7 +11269,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(nagios_services_plugin_t) corenet_tcp_connect_all_ports(nagios_services_plugin_t) -@@ -315,6 +393,10 @@ +@@ -309,12 +378,18 @@ + + optional_policy(` + netutils_domtrans_ping(nagios_services_plugin_t) ++ netutils_signal_ping(nagios_services_plugin_t) ++ netutils_kill_ping(nagios_services_plugin_t) + ') + + optional_policy(` mysql_stream_connect(nagios_services_plugin_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 50f29f0..b739ff3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 116%{?dist} +Release: 117%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,9 @@ exit 0 %endif %changelog +* Mon May 31 2010 Miroslav Grepl 3.6.32-117 +- Fixes for nagios + * Fri May 21 2010 Miroslav Grepl 3.6.32-116 - Allow denyhosts to connect to tcp port 9911 - Fixes for munin