Attached are some patches that will fix many AVCs that are currently happening within our infrastructure.

Patch 0010-Fix-our-semanage_fcontext-function-to-work-on-symlin.patch /should/ fix the problem introduced in 41acfbc83c80d12d915a0d6087e841aba2c7e78c that caused restorecon to flip out when trying to apply context to a symlink.

The rest should all be fairly straightforward fixes that involve flipping booleans, setting context, and creating custom policy modules. Apologies for the binary blobs in the diffs :)

luke
>From 88b27f114147315ca789b6dda1263353f8582fd5 Mon Sep 17 00:00:00 2001 From: Luke Macken <lmacken@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> Date: Fri, 21 Nov 2008 15:15:58 +0000 Subject: [PATCH] Add a custom SELinux policy module for our noc systems. This allows ping_t to read from a nagios_spool_t fifo. 
diff --git a/configs/system/selinux/modules/noc.pp b/configs/system/selinux/modules/noc.pp new file mode 100644 index 0000000000000000000000000000000000000000..1321793adc4bc4c484d1a66ffa6efcaeaba50480 GIT binary patch [binary payload omitted] diff --git a/configs/system/selinux/modules/noc.te b/configs/system/selinux/modules/noc.te new file mode 100644 index 0000000..fd1b716 --- /dev/null +++ b/configs/system/selinux/modules/noc.te
@@ -0,0 +1,10 @@ +policy_module(noc,1.0.0) + +require { + type nagios_spool_t; + type ping_t; + class fifo_file read; +} + +#============= ping_t ============== +allow ping_t nagios_spool_t:fifo_file read; diff --git a/manifests/servergroups/noc.pp b/manifests/servergroups/noc.pp index 862fa2a..337bad2 100644 --- a/manifests/servergroups/noc.pp +++ b/manifests/servergroups/noc.pp @@ -25,4 +25,6 @@ class noc { } selinux_bool { 'httpd_can_network_connect_db': bool => 'on' } + semodule { 'noc': + } } -- 1.5.5.1
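Review bot: noc.pp is committed as a compiled binary next to noc.te, so nothing in the tree ties the module that gets installed to the ten lines of source a reviewer can actually read; building the .pp from the .te at deploy time (or in a Makefile rule) would keep the reviewed text authoritative. On the rule itself, "allow ping_t nagios_spool_t:fifo_file read;" grants read only, and the commit message does not say whether ping opens the FIFO or just inherits it from the Nagios process that started it. Please quote the AVC in the message so the allow can be judged against the actual denial.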
>From 970120e458e784396d57279b85fce7382b975929 Mon Sep 17 00:00:00 2001 From: Luke Macken <lmacken@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> Date: Fri, 21 Nov 2008 15:17:30 +0000 Subject: [PATCH] Create a custom SELinux policy module for hosted, and enable the rsync_export_all_ro boolean. 
diff --git a/configs/system/selinux/modules/hosted.pp b/configs/system/selinux/modules/hosted.pp new file mode 100644 index 0000000000000000000000000000000000000000..36f27ed44d9dfdc786366be0031e277fb9a0b012 GIT binary patch [binary payload omitted] diff --git a/configs/system/selinux/modules/hosted.te b/configs/system/selinux/modules/hosted.te new file mode 100644 index 0000000..2d0a8df --- /dev/null +++ b/configs/system/selinux/modules/hosted.te @@ -0,0 +1,8 @@ +policy_module(hosted,1.0.0) + +require { + type httpd_sys_script_t; +} + +#============= httpd_sys_script_t ============== +auth_getattr_shadow(httpd_sys_script_t) diff --git a/manifests/servergroups/hosted.pp b/manifests/servergroups/hosted.pp index 0172046..81548c2 100644 --- a/manifests/servergroups/hosted.pp +++ b/manifests/servergroups/hosted.pp
@@ -74,4 +74,11 @@ class hosted { semodule { 'git': } + semodule { 'hosted': + } + + selinux_bool { 'rsync_export_all_ro': + bool => 'on' + } + } -- 1.5.5.1
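Review bot: auth_getattr_shadow(httpd_sys_script_t) in hosted.te lets every CGI script on the hosted group stat /etc/shadow, and the commit message does not name the script that needs it. If the denial only comes from a script listing or walking /etc, auth_dontaudit_getattr_shadow(httpd_sys_script_t) silences the AVC without granting the access. If a script really does need it, a comment above the interface call naming that script would make the grant reviewable later.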
>From ea3f73b3971316a4ad8040769c08e232db6a728a Mon Sep 17 00:00:00 2001 From: Luke Macken <lmacken@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> Date: Fri, 21 Nov 2008 15:18:12 +0000 Subject: [PATCH] Set the context of /home/fedoramail/procmail.log to postfix_var_run_t on bastion diff --git a/manifests/servergroups/gateway.pp b/manifests/servergroups/gateway.pp index 03f6b16..a29995c 100644 --- a/manifests/servergroups/gateway.pp +++ b/manifests/servergroups/gateway.pp @@ -30,4 +30,9 @@ class gateway{ ensure => running, hasstatus => true, } + + semanage_fcontext { '/home/fedoramail/procmail.log': + type => 'postfix_var_run_t' + } + } -- 1.5.5.1
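Review bot: type => 'postfix_var_run_t' on /home/fedoramail/procmail.log reuses the Postfix runtime-state type for a log file, so the log becomes accessible to whatever the policy allows to touch Postfix run files, and the commit message does not say which domain was denied. Please record the AVC's source domain and pick the narrowest type that domain can already write. Also note that the semanage_fcontext define in manifests/filetypes/selinux.pp runs restorecon -R on the dirname of the entry, so this relabels all of /home/fedoramail, not just the log.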
>From 23642165938b5c6aea2f241e151c608cc2163101 Mon Sep 17 00:00:00 2001 From: Luke Macken <lmacken@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> Date: Fri, 21 Nov 2008 15:18:33 +0000 Subject: [PATCH] Enable the rsync_export_all_ro SELinux boolean on cvs. diff --git a/manifests/servergroups/cvs.pp b/manifests/servergroups/cvs.pp index f3aad3e..c2c884f 100644 --- a/manifests/servergroups/cvs.pp +++ b/manifests/servergroups/cvs.pp @@ -24,5 +24,8 @@ class cvs { hasstatus => true, } + selinux_bool { 'rsync_export_all_ro': + bool => 'on' + } } -- 1.5.5.1
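Review bot: rsync_export_all_ro, added to class cvs here (and to hosted earlier in this series), lets the rsync daemon read files regardless of their label, which is much wider than the trees these hosts actually serve. Labelling the exported directories with a shared read-only type such as public_content_t gives rsync the same access without the global boolean. If the boolean stays, add a comment naming the rsync module or path that needed it.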
>From f8e7911733b2a22729fabc0c175dda75d1d34e62 Mon Sep 17 00:00:00 2001 From: Luke Macken <lmacken@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> Date: Fri, 21 Nov 2008 15:18:53 +0000 Subject: [PATCH] Enable the nfs_export_all_rw and httpd_use_nfs booleans on appRelEng diff --git a/manifests/servergroups/appRelEng.pp b/manifests/servergroups/appRelEng.pp index 88f2684..926f161 100644 --- a/manifests/servergroups/appRelEng.pp +++ b/manifests/servergroups/appRelEng.pp @@ -31,6 +31,8 @@ class appRelEng { } selinux_bool { 'use_nfs_home_dirs': bool => 'on' } + selinux_bool { 'nfs_export_all_rw': bool => 'on' } + selinux_bool { 'httpd_use_nfs': bool => 'on' } selinux_bool { 'httpd_enable_homedirs': bool => 'on' } selinux_bool { 'httpd_can_network_connect_db': bool => 'on' } -- 1.5.5.1
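Review bot: nfs_export_all_rw on appRelEng allows the NFS server to export any file read-write regardless of label, and the commit message does not say which export needs write access. If clients only read from this host, nfs_export_all_ro is sufficient. Since the two new selinux_bool lines sit in a block of five similar ones, a short comment per boolean naming the export or vhost it serves would keep the list auditable.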
>From a0b54ada732c3f9141c6be0c94c9e1230ae8a1c7 Mon Sep 17 00:00:00 2001 From: Luke Macken <lmacken@xxxxxxxxxx> Date: Fri, 21 Nov 2008 19:01:28 +0000 Subject: [PATCH] Update our masher SELinux policy module to allow cvs/rpm usage diff --git a/configs/system/selinux/modules/masher.pp b/configs/system/selinux/modules/masher.pp index 6dfc9e2be5b4866a95a414f137fd8fb2054bdc71..4fccc6d9fadba7a527a40c132a8237a5f6f85b19 100644 GIT binary patch [binary payload omitted] diff --git a/configs/system/selinux/modules/masher.te b/configs/system/selinux/modules/masher.te index b133a5c..d31f1d2 100644 --- a/configs/system/selinux/modules/masher.te +++ b/configs/system/selinux/modules/masher.te @@ -2,6 +2,14 @@ policy_module(masher,1.0.0) gen_require(` type httpd_t; + type rpm_var_lib_t; ') domain_read_all_domains_state(httpd_t) + +cvs_exec(httpd_t) +rpm_exec(httpd_t) + +allow httpd_t rpm_var_lib_t:dir { getattr search }; +allow httpd_t rpm_var_lib_t:file { read_file_perms }; + -- 1.5.5.1
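Review bot: cvs_exec(httpd_t) and rpm_exec(httpd_t) in masher.te are granted to httpd_t itself, so everything Apache serves on the masher hosts may run cvs and rpm in the web server's own domain, not only the bodhi masher. If the masher cannot get a domain of its own, say so in a comment next to these calls. The two raw "allow httpd_t rpm_var_lib_t" rules could be replaced by rpm_read_db(httpd_t), which would also drop the need for "type rpm_var_lib_t;" in gen_require, and the braces around read_file_perms are redundant. The module version in policy_module(masher,1.0.0) is unchanged even though the rules changed.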
>From b056b1f93b6d05b3de48675deebf372a2cdf53d7 Mon Sep 17 00:00:00 2001 From: Luke Macken <lmacken@xxxxxxxxxx> Date: Fri, 21 Nov 2008 19:03:50 +0000 Subject: [PATCH] Add a collab SELinux module for our mailman setup 
diff --git a/configs/system/selinux/modules/collab.pp b/configs/system/selinux/modules/collab.pp new file mode 100644 index 0000000000000000000000000000000000000000..7afa4d1019fde644afcd205f4f658135e92cbcf2 GIT binary patch [binary payload omitted] diff --git a/configs/system/selinux/modules/collab.te b/configs/system/selinux/modules/collab.te new file mode 100644 index 0000000..f6a6196 --- /dev/null +++ b/configs/system/selinux/modules/collab.te @@ -0,0 +1,11 @@ +policy_module(collab,1.0.0) + +require { + type mailman_mail_t; + type initrc_tmp_t; + class file ioctl; +} + +#============= mailman_mail_t ============== +allow mailman_mail_t initrc_tmp_t:file ioctl; +
diff --git a/manifests/servergroups/collab.pp b/manifests/servergroups/collab.pp index 988d57e..e46e392 100644 --- a/manifests/servergroups/collab.pp +++ b/manifests/servergroups/collab.pp @@ -31,4 +31,7 @@ class collab { type => 'mailman_data_t' } + semodule { 'collab': + } + } -- 1.5.5.1
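Review bot: "allow mailman_mail_t initrc_tmp_t:file ioctl;" in collab.te grants ioctl with no read or write on temp files created by init scripts, which suggests mailman is holding an already-open file (for example output redirected by an init script) rather than opening one itself. Can you confirm from the AVC which path this is? If it is an inherited descriptor, fixing the redirect or using dontaudit with the same source, target and class is narrower than an allow.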
>From 5a58dc586baec0eef83dc36558dfe14a50d64dce Mon Sep 17 00:00:00 2001 From: Luke Macken <lmacken@xxxxxxxxxx> Date: Fri, 21 Nov 2008 19:04:22 +0000 Subject: [PATCH] Set the proper context of /cvs and /srv/cache on cvs diff --git a/manifests/servergroups/cvs.pp b/manifests/servergroups/cvs.pp index c2c884f..6f0a721 100644 --- a/manifests/servergroups/cvs.pp +++ b/manifests/servergroups/cvs.pp @@ -28,4 +28,12 @@ class cvs { bool => 'on' } + semanage_fcontext { '/cvs': + type => 'httpd_sys_content_t' + } + + semanage_fcontext { '/srv/cache(/.*)?': + type => 'httpd_sys_script_rw_t' + } + } -- 1.5.5.1
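Review bot: The '/cvs' entry has no (/.*)? suffix, unlike '/srv/cache(/.*)?' right below it, so the file-context rule matches only the /cvs directory itself and not the repositories under it. With the semanage_fcontext define in manifests/filetypes/selinux.pp, dirname of '/cvs' is '/', so the exec ends up running restorecon -R from the filesystem root. Writing the entry as '/cvs(/.*)?' fixes both: the contents get httpd_sys_content_t and the restorecon target becomes /cvs.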
>From a0e6a8f2453dd1f990acdc4c78790d1985323518 Mon Sep 17 00:00:00 2001 From: Luke Macken <lmacken@xxxxxxxxxx> Date: Fri, 21 Nov 2008 19:05:08 +0000 Subject: [PATCH] Set the httpd_sys_script_rw_t context to various bodhi locations diff --git a/manifests/services/bodhi.pp b/manifests/services/bodhi.pp index 5a7a5d6..a0789a0 100644 --- a/manifests/services/bodhi.pp +++ b/manifests/services/bodhi.pp @@ -163,6 +163,14 @@ class bodhi-masher inherits bodhi-wsgi-server { mode => '0440' } + semanage_fcontext { '/home/masher/.cvspass': + type => 'httpd_sys_script_rw_t' + } + + semanage_fcontext { '/usr/share/bodhi/comps(/.*)?': + type => 'httpd_sys_script_rw_t' + } + } class bodhi-dev inherits bodhi-wsgi-server { -- 1.5.5.1
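Review bot: '/home/masher/.cvspass' is labelled httpd_sys_script_rw_t, which makes a stored CVS credential file writable by any process running as an httpd script on the host. If the masher only reads the file, a read-only content type is enough. For '/usr/share/bodhi/comps(/.*)?', a comment saying what writes under /usr/share at runtime would justify the rw type.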
>From 67016e61225de15224afeeccd49653101869be8c Mon Sep 17 00:00:00 2001 From: Luke Macken <lmacken@xxxxxxxxxx> Date: Fri, 21 Nov 2008 19:06:53 +0000 Subject: [PATCH] Fix our semanage_fcontext function to work on symlinks diff --git a/manifests/filetypes/selinux.pp b/manifests/filetypes/selinux.pp index 97140ec..dcafde3 100644 --- a/manifests/filetypes/selinux.pp +++ b/manifests/filetypes/selinux.pp @@ -7,7 +7,7 @@ define selinux_bool($bool) { } define semanage_fcontext($type) { - exec { "/usr/sbin/semanage fcontext -a -t $type '$name'; /sbin/restorecon -R `/usr/bin/dirname '$name' | /bin/sed 's/(//'`": + exec { "/usr/sbin/semanage fcontext -a -t $type '$name'; /sbin/restorecon -R `/usr/bin/dirname '$name/' | /bin/sed 's/(.*//'`": unless => "/usr/sbin/matchpathcon `/usr/bin/dirname '$name' | /bin/sed 's/(//'` | grep -qe $type", cwd => '/', } -- 1.5.5.1
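Review bot: The unless guard still uses dirname '$name' with sed 's/(//' while the command now uses '$name/' with sed 's/(.*//', so the guard and the restorecon target are computed differently and can diverge; compute the path once and use it in both. The guard also runs matchpathcon on the parent directory rather than on $name, so for single-file entries such as '/home/fedoramail/procmail.log' it will normally not find $type and the exec reruns on every Puppet run. Two smaller points: dirname already drops trailing slashes, so appending '/' does not change its output, and joining the commands with ";" runs restorecon even when "semanage fcontext -a" fails, where "&&" would stop.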
_______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list