trunk: 8 patches from dan.

man/man8/httpd_selinux.8

@@ -92,6 +92,11 @@ httpd can be configured to not differentiate file controls based on context, i.e
 setsebool -P httpd_unified 0
 .EE
 
+.PP
+httpd can be configured to turn on sending email. By default http is not allowed to send mail.  This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack.  I certain situations, you may want http modules to send mail.  You can turn on the httpd_send_mail boolean.
+
+.EX
+setsebool -P httpd_can_sendmail 1
 .PP
 httpd can be configured to turn off internal scripting (PHP).  PHP and other
 loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.

policy/modules/services/aide.if

@@ -49,3 +49,40 @@ interface(`aide_run',`
 	role $2 types aide_t;
 	allow aide_t $3:chr_file rw_chr_file_perms;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an aide environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the aide domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`aide_admin',`
+	gen_require(`
+		type aide_t, aide_db_t, aide_log_t;
+	')
+
+	allow $1 aide_t:process { ptrace signal_perms };
+	ps_process_pattern($1, aide_t)
+
+	files_list_etc($1)
+	manage_files_pattern($1, aide_db_t, aide_db_t)
+
+	logging_list_logs($1)
+	manage_all_pattern($1, aide_log_t, aide_log_t)
+')

policy/modules/services/aide.te

@@ -1,5 +1,5 @@
 
-policy_module(aide,1.3.0)
+policy_module(aide,1.3.1)
 
 ########################################
 #

policy/modules/services/amavis.if

@@ -186,3 +186,56 @@ interface(`amavis_create_pid_files',`
 	allow $1 amavis_var_run_t:file create_file_perms;
 	files_search_pids($1)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an amavis environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the amavis domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`amavis_admin',`
+	gen_require(`
+		type amavis_t, amavis_tmp_t, amavis_log_t;
+		type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
+		type amavis_etc_t, amavis_quarantine_t;
+	')
+
+	allow $1 amavis_t:process { ptrace signal_perms };
+	ps_process_pattern($1, amavis_t)
+        
+	files_list_tmp($1)
+	manage_files_pattern($1, amavis_tmp_t, amavis_tmp_t)
+
+	manage_files_pattern($1, amavis_quarantine_t, amavis_quarantine_t)
+
+	files_list_etc($1)
+	manage_files_pattern($1, amavis_etc_t, amavis_etc_t)
+
+	logging_list_logs($1)
+	manage_files_pattern($1, amavis_log_t, amavis_log_t)
+
+	files_list_spool($1)
+	manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
+
+	files_list_var_lib($1)
+	manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+
+	files_list_pids($1)
+	manage_files_pattern($1, amavis_var_run_t, amavis_var_run_t)
+')

policy/modules/services/amavis.te

@@ -1,5 +1,5 @@
 
-policy_module(amavis,1.5.0)
+policy_module(amavis,1.5.1)
 
 ########################################
 #
@@ -65,6 +65,7 @@ manage_sock_files_pattern(amavis_t,amavis_quarantine_t,amavis_quarantine_t)
 # Spool Files
 manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
 manage_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
+manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
 manage_sock_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
 filetrans_pattern(amavis_t,amavis_spool_t,amavis_var_run_t,sock_file)
 files_search_spool(amavis_t)
@@ -116,6 +117,7 @@ corenet_tcp_connect_amavisd_send_port(amavis_t)
 # bind to incoming port
 corenet_tcp_bind_amavisd_recv_port(amavis_t)
 corenet_udp_bind_generic_port(amavis_t)
+corenet_dontaudit_udp_bind_all_ports(amavis_t)
 corenet_tcp_connect_razor_port(amavis_t)
 
 dev_read_rand(amavis_t)

policy/modules/system/fstools.if

@@ -81,10 +81,10 @@ interface(`fstools_exec',`
 #
 interface(`fstools_read_pipes',`
 	gen_require(`
-		type fsdaemon_t;
+		type fsadm_t;
 	')
 
-	allow $1 fsdaemon_t:fifo_file read_fifo_file_perms;
+	allow $1 fsadm_t:fifo_file read_fifo_file_perms;
 ')
 
 ########################################

policy/modules/system/fstools.te

@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.9.0)
+policy_module(fstools,1.9.1)
 
 ########################################
 #
@@ -109,8 +109,7 @@ storage_swapon_fixed_disk(fsadm_t)
 
 term_use_console(fsadm_t)
 
-corecmd_list_bin(fsadm_t)
-corecmd_read_bin_symlinks(fsadm_t)
+corecmd_exec_bin(fsadm_t)
 #RedHat bug #201164
 corecmd_exec_shell(fsadm_t)
 
@@ -132,6 +131,8 @@ files_etc_filetrans_etc_runtime(fsadm_t,file)
 # Access to /initrd devices
 files_rw_isid_type_dirs(fsadm_t)
 files_rw_isid_type_blk_files(fsadm_t)
+files_read_isid_type_files(fsadm_t)
+
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs

policy/modules/system/getty.te

@@ -1,5 +1,5 @@
 
-policy_module(getty,1.5.0)
+policy_module(getty,1.5.1)
 
 ########################################
 #
@@ -114,6 +114,11 @@ ifdef(`distro_gentoo',`
 	sysnet_dontaudit_read_config(getty_t)
 ')
 
+ifdef(`distro_redhat',`
+	# getty requires sys_admin #209426
+	allow getty_t self:capability sys_admin;
+')
+
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(getty_t)

policy/modules/system/hostname.te

@@ -1,5 +1,5 @@
 
-policy_module(hostname,1.4.0)
+policy_module(hostname,1.4.1)
 
 ########################################
 #
@@ -60,3 +60,11 @@ optional_policy(`
 	xen_append_log(hostname_t)
 	xen_dontaudit_use_fds(hostname_t)
 ')
+
+optional_policy(`
+	xen_append_log(hostname_t)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(hostname_t)
+')

policy/modules/system/ipsec.te

@@ -1,5 +1,5 @@
 
-policy_module(ipsec,1.5.0)
+policy_module(ipsec,1.5.1)
 
 ########################################
 #
@@ -297,11 +297,14 @@ allow racoon_t ipsec_key_file_t:dir list_dir_perms;
 read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
 
+kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
 
 corenet_all_recvfrom_unlabeled(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
+corenet_udp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
+corenet_udp_bind_ipsecnat_port(racoon_t)
 
 dev_read_urand(racoon_t)
 

policy/modules/system/iscsi.te

@@ -1,5 +1,5 @@
 
-policy_module(iscsid,1.3.0)
+policy_module(iscsid,1.3.1)
 
 ########################################
 #
@@ -29,7 +29,7 @@ files_pid_file(iscsi_var_run_t)
 #
 
 allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
-allow iscsid_t self:process setsched;
+allow iscsid_t self:process { setrlimit setsched };
 allow iscsid_t self:fifo_file { read write };
 allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow iscsid_t self:unix_dgram_socket create_socket_perms;