The attached patch updates the (unused) yam policy to work with the changes in the FC strict/1.23.10-2 policy. It also fixes httpd access to the files yam distributes, and suppresses an access denied error message when webalizer runs. David
Index: domains/program/unused/yam.te
===================================================================
RCS file: /home/cvs/starfury/etc/selinux/strict/src/policy/domains/program/unused/yam.te,v
retrieving revision 1.1
diff -u -r1.1 yam.te
--- domains/program/unused/yam.te 31 Mar 2005 15:50:47 -0000 1.1
+++ domains/program/unused/yam.te 14 Apr 2005 21:12:19 -0000
@@ -57,7 +57,9 @@
 # Rsync and lftp need to network. They also set files attributes to
 # match whats on the remote server.
 can_network_client($1_t)
+allow $1_t { http_port_t rsync_port_t }:tcp_socket name_connect;
 allow $1_t self:capability { chown fowner fsetid dac_override };
+allow $1_t self:process execmem;
 # access to sysctl_kernel_t ( proc/sys/kernel/* )
 read_sysctl($1_t)
@@ -94,9 +96,10 @@
 allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };
 # Reading dotfiles...
-dontaudit yam_t staff_home_dir_t:dir search; # /root
+allow yam_t sysadm_home_dir_t:dir search; # /root
+allow yam_t sysadm_home_t:dir search; # /root/xxx
 allow yam_t home_root_t:dir search; # /home
-allow yam_t user_home_dir_t:dir { getattr search }; # /home/user
+allow yam_t user_home_dir_t:dir r_dir_perms; # /home/user
 ##########
@@ -131,9 +134,11 @@
 # The whole point of this program is to make updates available on a
 # local web server. Allow apache access to these files.
 ifdef(`apache.te', `
-allow httpd_t yam_content_t:dir { getattr search };
-allow httpd_t yam_content_t:file { getattr read };
-allow httpd_t yam_content_t:lnk_file { getattr read };
+r_dir_file(httpd_t, yam_content_t)
+')
+
+ifdef(`webalizer.te', `
+dontaudit webalizer_t yam_content_t:dir search;
 ')
 # Mount needs access to the yam directories in order to mount the ISO
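Review bot: The added `allow $1_t self:process execmem;` in the first hunk (@@ -57) has no comment and is not mentioned in the patch description, yet it is the most sensitive line of the change. It lets a domain that connects to remote HTTP and rsync servers, and that already holds `chown fowner fsetid dac_override`, make anonymous memory executable. If the denial comes from one helper program, name it in a comment, e.g. `# execmem: needed by <program> (TODO confirm); drop when no longer required`, so the grant can be revisited. The `$1_t` rules sit inside a macro whose definition starts outside this hunk.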
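Review bot: The second hunk (@@ -94) widens home-directory access beyond what the `# Reading dotfiles...` comment calls for, and the patch description does not mention it. The `dontaudit` on the `/root` search becomes an `allow ... search` on both `sysadm_home_dir_t` and `sysadm_home_t`, and `user_home_dir_t:dir` goes from `{ getattr search }` to `r_dir_perms`, which presumably adds directory listing of `/home/user`. Traversing to a known dotfile needs only `search`, so unless yam really enumerates the directory, keep `allow yam_t user_home_dir_t:dir { getattr search }; # /home/user`. A comment naming the file being reached under `/root/xxx` would justify the new `sysadm_home_t` rule.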
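Review bot: The new webalizer ifdef block in the third hunk (@@ -131) carries no comment, unlike the apache block above it, and a `dontaudit` rule removes denials from the audit log that a reviewer or monitor might otherwise rely on. A one-line comment such as `# webalizer only trips over the yam tree while scanning; it needs no access, so hide the denial` would record why suppression was chosen over access (reason inferred from the patch description; confirm). Separately, `r_dir_file(httpd_t, yam_content_t)` replaces three explicit rules and likely grants httpd `read` on the directories as well, so it is worth confirming that directory listing by the web server is intended.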