diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch index 13d9388..94b6762 100644 --- a/libselinux-rhat.patch +++ b/libselinux-rhat.patch @@ -12,7 +12,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/av_permission #define KEY__WRITE 0x00000004UL diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.46/src/Makefile --- nsalibselinux/src/Makefile 2007-09-26 19:37:45.000000000 -0400 -+++ libselinux-2.0.46/src/Makefile 2008-01-03 15:24:29.000000000 -0500 ++++ libselinux-2.0.46/src/Makefile 2008-01-05 08:19:27.000000000 -0500 @@ -77,14 +77,14 @@ install: all 
@@ -50,6 +50,428 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux va_end(ap); } +diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux.py libselinux-2.0.46/src/selinux.py +--- nsalibselinux/src/selinux.py 2007-10-05 13:09:54.000000000 -0400 ++++ libselinux-2.0.46/src/selinux.py 2008-01-08 05:00:39.000000000 -0500 +@@ -1,5 +1,5 @@ + # This file was automatically generated by SWIG (http://www.swig.org). +-# Version 1.3.31 ++# Version 1.3.33 + # + # Don't modify this file, modify the SWIG interface instead. + # This file is compatible with both classic and new-style classes. +Binary files nsalibselinux/src/selinux.pyc and libselinux-2.0.46/src/selinux.pyc differ +diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig.i libselinux-2.0.46/src/selinuxswig.i +--- nsalibselinux/src/selinuxswig.i 2007-10-01 09:54:35.000000000 -0400 ++++ libselinux-2.0.46/src/selinuxswig.i 2008-01-08 05:00:22.000000000 -0500 +@@ -10,6 +10,7 @@ + %apply int *OUTPUT { size_t * }; + + %typedef unsigned mode_t; ++%typedef unsigned pid_t; + + %typemap(in, numinputs=0) (char ***names, int *len) (char **temp1, int temp2) { + $1 = &temp1; +diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libselinux-2.0.46/src/selinuxswig_wrap.c +--- nsalibselinux/src/selinuxswig_wrap.c 2007-10-05 13:09:54.000000000 -0400 ++++ libselinux-2.0.46/src/selinuxswig_wrap.c 2008-01-08 05:00:39.000000000 -0500 +@@ -1,6 +1,6 @@ + /* ---------------------------------------------------------------------------- + * This file was automatically generated by SWIG (http://www.swig.org). +- * Version 1.3.31 ++ * Version 1.3.33 + * + * This file is not intended to be easily readable and contains a number of + * coding conventions designed to improve portability and efficiency. 
Do not make +@@ -17,14 +17,14 @@ + + /* template workaround for compilers that cannot correctly implement the C++ standard */ + #ifndef SWIGTEMPLATEDISAMBIGUATOR +-# if defined(__SUNPRO_CC) +-# if (__SUNPRO_CC <= 0x560) +-# define SWIGTEMPLATEDISAMBIGUATOR template +-# else +-# define SWIGTEMPLATEDISAMBIGUATOR +-# endif ++# if defined(__SUNPRO_CC) && (__SUNPRO_CC <= 0x560) ++# define SWIGTEMPLATEDISAMBIGUATOR template ++# elif defined(__HP_aCC) ++/* Needed even with `aCC -AA' when `aCC -V' reports HP ANSI C++ B3910B A.03.55 */ ++/* If we find a maximum version that requires this, the test would be __HP_aCC <= 35500 for A.03.55 */ ++# define SWIGTEMPLATEDISAMBIGUATOR template + # else +-# define SWIGTEMPLATEDISAMBIGUATOR ++# define SWIGTEMPLATEDISAMBIGUATOR + # endif + #endif + +@@ -107,6 +107,12 @@ + # define _CRT_SECURE_NO_DEPRECATE + #endif + ++/* Deal with Microsoft's attempt at deprecating methods in the standard C++ library */ ++#if !defined(SWIG_NO_SCL_SECURE_NO_DEPRECATE) && defined(_MSC_VER) && !defined(_SCL_SECURE_NO_DEPRECATE) ++# define _SCL_SECURE_NO_DEPRECATE ++#endif ++ ++ + + /* Python.h has to appear first */ + #include +@@ -343,7 +349,7 @@ + while ((*f2 == ' ') && (f2 != l2)) ++f2; + if (*f1 != *f2) return (*f1 > *f2) ? 1 : -1; + } +- return (l1 - f1) - (l2 - f2); ++ return (int)((l1 - f1) - (l2 - f2)); + } + + /* +@@ -1090,14 +1096,14 @@ + /* Unpack the argument tuple */ + + SWIGINTERN int +-SWIG_Python_UnpackTuple(PyObject *args, const char *name, int min, int max, PyObject **objs) ++SWIG_Python_UnpackTuple(PyObject *args, const char *name, Py_ssize_t min, Py_ssize_t max, PyObject **objs) + { + if (!args) { + if (!min && !max) { + return 1; + } else { + PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got none", +- name, (min == max ? "" : "at least "), min); ++ name, (min == max ? 
"" : "at least "), (int)min); + return 0; + } + } +@@ -1105,14 +1111,14 @@ + PyErr_SetString(PyExc_SystemError, "UnpackTuple() argument list is not a tuple"); + return 0; + } else { +- register int l = PyTuple_GET_SIZE(args); ++ register Py_ssize_t l = PyTuple_GET_SIZE(args); + if (l < min) { + PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", +- name, (min == max ? "" : "at least "), min, l); ++ name, (min == max ? "" : "at least "), (int)min, (int)l); + return 0; + } else if (l > max) { + PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", +- name, (min == max ? "" : "at most "), max, l); ++ name, (min == max ? "" : "at most "), (int)max, (int)l); + return 0; + } else { + register int i; +@@ -1591,9 +1597,11 @@ + (unaryfunc)0, /*nb_float*/ + (unaryfunc)PySwigObject_oct, /*nb_oct*/ + (unaryfunc)PySwigObject_hex, /*nb_hex*/ +-#if PY_VERSION_HEX >= 0x02020000 +- 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */ +-#elif PY_VERSION_HEX >= 0x02000000 ++#if PY_VERSION_HEX >= 0x02050000 /* 2.5.0 */ ++ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_index */ ++#elif PY_VERSION_HEX >= 0x02020000 /* 2.2.0 */ ++ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */ ++#elif PY_VERSION_HEX >= 0x02000000 /* 2.0.0 */ + 0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_or */ + #endif + }; +@@ -2458,14 +2466,13 @@ + #define SWIGTYPE_p_int swig_types[7] + #define SWIGTYPE_p_p_char swig_types[8] + #define SWIGTYPE_p_p_p_char swig_types[9] +-#define SWIGTYPE_p_pid_t swig_types[10] +-#define SWIGTYPE_p_security_class_mapping swig_types[11] +-#define SWIGTYPE_p_selinux_callback swig_types[12] +-#define SWIGTYPE_p_selinux_opt swig_types[13] +-#define SWIGTYPE_p_unsigned_int swig_types[14] +-#define SWIGTYPE_p_unsigned_short swig_types[15] +-static swig_type_info *swig_types[17]; +-static swig_module_info swig_module = {swig_types, 16, 0, 0, 0, 0}; ++#define SWIGTYPE_p_security_class_mapping 
swig_types[10] ++#define SWIGTYPE_p_selinux_callback swig_types[11] ++#define SWIGTYPE_p_selinux_opt swig_types[12] ++#define SWIGTYPE_p_unsigned_int swig_types[13] ++#define SWIGTYPE_p_unsigned_short swig_types[14] ++static swig_type_info *swig_types[16]; ++static swig_module_info swig_module = {swig_types, 15, 0, 0, 0, 0}; + #define SWIG_TypeQuery(name) SWIG_TypeQueryModule(&swig_module, &swig_module, name) + #define SWIG_MangledTypeQuery(name) SWIG_MangledTypeQueryModule(&swig_module, &swig_module, name) + +@@ -2484,7 +2491,7 @@ + + #define SWIG_name "_selinux" + +-#define SWIGVERSION 0x010331 ++#define SWIGVERSION 0x010333 + #define SWIG_VERSION SWIGVERSION + + +@@ -2577,14 +2584,12 @@ + + + #include +-#ifndef LLONG_MIN +-# define LLONG_MIN LONG_LONG_MIN +-#endif +-#ifndef LLONG_MAX +-# define LLONG_MAX LONG_LONG_MAX +-#endif +-#ifndef ULLONG_MAX +-# define ULLONG_MAX ULONG_LONG_MAX ++#if !defined(SWIG_NO_LLONG_MAX) ++# if !defined(LLONG_MAX) && defined(__GNUC__) && defined (__LONG_LONG_MAX__) ++# define LLONG_MAX __LONG_LONG_MAX__ ++# define LLONG_MIN (-LLONG_MAX - 1LL) ++# define ULLONG_MAX (LLONG_MAX * 2ULL + 1ULL) ++# endif + #endif + + +@@ -2669,13 +2674,18 @@ + + + SWIGINTERN int +-SWIG_AsVal_long (PyObject *obj, long* val) ++SWIG_AsVal_unsigned_SS_long (PyObject *obj, unsigned long *val) + { + if (PyInt_Check(obj)) { +- if (val) *val = PyInt_AsLong(obj); +- return SWIG_OK; ++ long v = PyInt_AsLong(obj); ++ if (v >= 0) { ++ if (val) *val = v; ++ return SWIG_OK; ++ } else { ++ return SWIG_OverflowError; ++ } + } else if (PyLong_Check(obj)) { +- long v = PyLong_AsLong(obj); ++ unsigned long v = PyLong_AsUnsignedLong(obj); + if (!PyErr_Occurred()) { + if (val) *val = v; + return SWIG_OK; +@@ -2686,7 +2696,7 @@ + #ifdef SWIG_PYTHON_CAST_MODE + { + int dispatch = 0; +- long v = PyInt_AsLong(obj); ++ unsigned long v = PyLong_AsUnsignedLong(obj); + if (!PyErr_Occurred()) { + if (val) *val = v; + return SWIG_AddCast(SWIG_OK); +@@ -2696,8 +2706,8 @@ + if 
(!dispatch) { + double d; + int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d)); +- if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) { +- if (val) *val = (long)(d); ++ if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, 0, ULONG_MAX)) { ++ if (val) *val = (unsigned long)(d); + return res; + } + } +@@ -2708,15 +2718,15 @@ + + + SWIGINTERN int +-SWIG_AsVal_int (PyObject * obj, int *val) ++SWIG_AsVal_unsigned_SS_int (PyObject * obj, unsigned int *val) + { +- long v; +- int res = SWIG_AsVal_long (obj, &v); ++ unsigned long v; ++ int res = SWIG_AsVal_unsigned_SS_long (obj, &v); + if (SWIG_IsOK(res)) { +- if ((v < INT_MIN || v > INT_MAX)) { ++ if ((v > UINT_MAX)) { + return SWIG_OverflowError; + } else { +- if (val) *val = (int)(v); ++ if (val) *val = (unsigned int)(v); + } + } + return res; +@@ -2724,18 +2734,13 @@ + + + SWIGINTERN int +-SWIG_AsVal_unsigned_SS_long (PyObject *obj, unsigned long *val) ++SWIG_AsVal_long (PyObject *obj, long* val) + { + if (PyInt_Check(obj)) { +- long v = PyInt_AsLong(obj); +- if (v >= 0) { +- if (val) *val = v; +- return SWIG_OK; +- } else { +- return SWIG_OverflowError; +- } ++ if (val) *val = PyInt_AsLong(obj); ++ return SWIG_OK; + } else if (PyLong_Check(obj)) { +- unsigned long v = PyLong_AsUnsignedLong(obj); ++ long v = PyLong_AsLong(obj); + if (!PyErr_Occurred()) { + if (val) *val = v; + return SWIG_OK; +@@ -2746,7 +2751,7 @@ + #ifdef SWIG_PYTHON_CAST_MODE + { + int dispatch = 0; +- unsigned long v = PyLong_AsUnsignedLong(obj); ++ long v = PyInt_AsLong(obj); + if (!PyErr_Occurred()) { + if (val) *val = v; + return SWIG_AddCast(SWIG_OK); +@@ -2756,8 +2761,8 @@ + if (!dispatch) { + double d; + int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d)); +- if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, 0, ULONG_MAX)) { +- if (val) *val = (unsigned long)(d); ++ if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) { ++ if (val) *val = (long)(d); + return res; + } + } +@@ -2768,15 +2773,15 @@ + + + SWIGINTERN int 
+-SWIG_AsVal_unsigned_SS_int (PyObject * obj, unsigned int *val) ++SWIG_AsVal_int (PyObject * obj, int *val) + { +- unsigned long v; +- int res = SWIG_AsVal_unsigned_SS_long (obj, &v); ++ long v; ++ int res = SWIG_AsVal_long (obj, &v); + if (SWIG_IsOK(res)) { +- if ((v > UINT_MAX)) { ++ if ((v < INT_MIN || v > INT_MAX)) { + return SWIG_OverflowError; + } else { +- if (val) *val = (unsigned int)(v); ++ if (val) *val = (int)(v); + } + } + return res; +@@ -2986,24 +2991,18 @@ + pid_t arg1 ; + security_context_t *arg2 = (security_context_t *) 0 ; + int result; +- void *argp1 ; +- int res1 = 0 ; ++ unsigned int val1 ; ++ int ecode1 = 0 ; + security_context_t temp2 = 0 ; + PyObject * obj0 = 0 ; + + arg2 = &temp2; + if (!PyArg_ParseTuple(args,(char *)"O:getpidcon",&obj0)) SWIG_fail; +- { +- res1 = SWIG_ConvertPtr(obj0, &argp1, SWIGTYPE_p_pid_t, 0 ); +- if (!SWIG_IsOK(res1)) { +- SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "getpidcon" "', argument " "1"" of type '" "pid_t""'"); +- } +- if (!argp1) { +- SWIG_exception_fail(SWIG_ValueError, "invalid null reference " "in method '" "getpidcon" "', argument " "1"" of type '" "pid_t""'"); +- } else { +- arg1 = *((pid_t *)(argp1)); +- } +- } ++ ecode1 = SWIG_AsVal_unsigned_SS_int(obj0, &val1); ++ if (!SWIG_IsOK(ecode1)) { ++ SWIG_exception_fail(SWIG_ArgError(ecode1), "in method '" "getpidcon" "', argument " "1"" of type '" "pid_t""'"); ++ } ++ arg1 = (pid_t)(val1); + result = (int)getpidcon(arg1,arg2); + resultobj = SWIG_From_int((int)(result)); + if (*arg2) { +@@ -3025,24 +3024,18 @@ + pid_t arg1 ; + security_context_t *arg2 = (security_context_t *) 0 ; + int result; +- void *argp1 ; +- int res1 = 0 ; ++ unsigned int val1 ; ++ int ecode1 = 0 ; + security_context_t temp2 = 0 ; + PyObject * obj0 = 0 ; + + arg2 = &temp2; + if (!PyArg_ParseTuple(args,(char *)"O:getpidcon_raw",&obj0)) SWIG_fail; +- { +- res1 = SWIG_ConvertPtr(obj0, &argp1, SWIGTYPE_p_pid_t, 0 ); +- if (!SWIG_IsOK(res1)) { +- 
SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "getpidcon_raw" "', argument " "1"" of type '" "pid_t""'"); +- } +- if (!argp1) { +- SWIG_exception_fail(SWIG_ValueError, "invalid null reference " "in method '" "getpidcon_raw" "', argument " "1"" of type '" "pid_t""'"); +- } else { +- arg1 = *((pid_t *)(argp1)); +- } +- } ++ ecode1 = SWIG_AsVal_unsigned_SS_int(obj0, &val1); ++ if (!SWIG_IsOK(ecode1)) { ++ SWIG_exception_fail(SWIG_ArgError(ecode1), "in method '" "getpidcon_raw" "', argument " "1"" of type '" "pid_t""'"); ++ } ++ arg1 = (pid_t)(val1); + result = (int)getpidcon_raw(arg1,arg2); + resultobj = SWIG_From_int((int)(result)); + if (*arg2) { +@@ -8149,7 +8142,7 @@ + /* -------- TYPE CONVERSION AND EQUIVALENCE RULES (BEGIN) -------- */ + + static swig_type_info _swigt__p_SELboolean = {"_p_SELboolean", "SELboolean *", 0, 0, (void*)0, 0}; +-static swig_type_info _swigt__p_av_decision = {"_p_av_decision", "struct av_decision *", 0, 0, (void*)0, 0}; ++static swig_type_info _swigt__p_av_decision = {"_p_av_decision", "struct av_decision *|av_decision *", 0, 0, (void*)0, 0}; + static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0}; + static swig_type_info _swigt__p_f_int_p_q_const__char_v_______int = {"_p_f_int_p_q_const__char_v_______int", "int (*)(int,char const *,...)", 0, 0, (void*)0, 0}; + static swig_type_info _swigt__p_f_p_p_char__int = {"_p_f_p_p_char__int", "int (*)(char **)|int (*)(security_context_t *)", 0, 0, (void*)0, 0}; +@@ -8158,12 +8151,11 @@ + static swig_type_info _swigt__p_int = {"_p_int", "int *", 0, 0, (void*)0, 0}; + static swig_type_info _swigt__p_p_char = {"_p_p_char", "char **|security_context_t *", 0, 0, (void*)0, 0}; + static swig_type_info _swigt__p_p_p_char = {"_p_p_p_char", "char ***|security_context_t **", 0, 0, (void*)0, 0}; +-static swig_type_info _swigt__p_pid_t = {"_p_pid_t", "pid_t *", 0, 0, (void*)0, 0}; +-static swig_type_info _swigt__p_security_class_mapping = {"_p_security_class_mapping", 
"struct security_class_mapping *", 0, 0, (void*)0, 0}; +-static swig_type_info _swigt__p_selinux_callback = {"_p_selinux_callback", "union selinux_callback *", 0, 0, (void*)0, 0}; +-static swig_type_info _swigt__p_selinux_opt = {"_p_selinux_opt", "selinux_opt *", 0, 0, (void*)0, 0}; +-static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "unsigned int *|access_vector_t *", 0, 0, (void*)0, 0}; +-static swig_type_info _swigt__p_unsigned_short = {"_p_unsigned_short", "unsigned short *|security_class_t *", 0, 0, (void*)0, 0}; ++static swig_type_info _swigt__p_security_class_mapping = {"_p_security_class_mapping", "struct security_class_mapping *|security_class_mapping *", 0, 0, (void*)0, 0}; ++static swig_type_info _swigt__p_selinux_callback = {"_p_selinux_callback", "union selinux_callback *|selinux_callback *", 0, 0, (void*)0, 0}; ++static swig_type_info _swigt__p_selinux_opt = {"_p_selinux_opt", "struct selinux_opt *|selinux_opt *", 0, 0, (void*)0, 0}; ++static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "unsigned int *|access_vector_t *|mode_t *|pid_t *", 0, 0, (void*)0, 0}; ++static swig_type_info _swigt__p_unsigned_short = {"_p_unsigned_short", "security_class_t *|unsigned short *", 0, 0, (void*)0, 0}; + + static swig_type_info *swig_type_initial[] = { + &_swigt__p_SELboolean, +@@ -8176,7 +8168,6 @@ + &_swigt__p_int, + &_swigt__p_p_char, + &_swigt__p_p_p_char, +- &_swigt__p_pid_t, + &_swigt__p_security_class_mapping, + &_swigt__p_selinux_callback, + &_swigt__p_selinux_opt, +@@ -8194,7 +8185,6 @@ + static swig_cast_info _swigc__p_int[] = { {&_swigt__p_int, 0, 0, 0},{0, 0, 0, 0}}; + static swig_cast_info _swigc__p_p_char[] = { {&_swigt__p_p_char, 0, 0, 0},{0, 0, 0, 0}}; + static swig_cast_info _swigc__p_p_p_char[] = { {&_swigt__p_p_p_char, 0, 0, 0},{0, 0, 0, 0}}; +-static swig_cast_info _swigc__p_pid_t[] = { {&_swigt__p_pid_t, 0, 0, 0},{0, 0, 0, 0}}; + static swig_cast_info _swigc__p_security_class_mapping[] = { 
{&_swigt__p_security_class_mapping, 0, 0, 0},{0, 0, 0, 0}}; + static swig_cast_info _swigc__p_selinux_callback[] = { {&_swigt__p_selinux_callback, 0, 0, 0},{0, 0, 0, 0}}; + static swig_cast_info _swigc__p_selinux_opt[] = { {&_swigt__p_selinux_opt, 0, 0, 0},{0, 0, 0, 0}}; +@@ -8212,7 +8202,6 @@ + _swigc__p_int, + _swigc__p_p_char, + _swigc__p_p_p_char, +- _swigc__p_pid_t, + _swigc__p_security_class_mapping, + _swigc__p_selinux_callback, + _swigc__p_selinux_opt, diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-2.0.46/utils/matchpathcon.c --- nsalibselinux/utils/matchpathcon.c 2007-07-16 14:20:45.000000000 -0400 +++ libselinux-2.0.46/utils/matchpathcon.c 2008-01-03 15:23:32.000000000 -0500 
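Review bot: `%typedef unsigned pid_t;` in selinuxswig.i tells SWIG that pid_t is unsigned, but POSIX defines pid_t as a signed integer type, and the regenerated getpidcon/getpidcon_raw wrappers now convert through `SWIG_AsVal_unsigned_SS_int(obj0, &val1);` followed by `arg1 = (pid_t)(val1);`, so a Python value between INT_MAX and UINT_MAX passes the `v > UINT_MAX` check and is narrowed to a negative pid on two's-complement targets, while the type table now lists `pid_t *` as an alias of `unsigned int *`. Declaring it as `%typedef int pid_t;` would make SWIG emit `SWIG_AsVal_int` with its INT_MIN..INT_MAX range check, matching the real type. selinuxswig_wrap.c and selinux.py are SWIG-generated, so after that change they would be regenerated rather than hand-edited. The hunk also carries a `Binary files ... selinux.pyc ... differ` line, which patch(1) cannot apply; excluding byte-compiled files from the diffed tree would keep that noise out of the patch.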
@@ -79,3 +501,3402 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselin if (rc < 0) { fprintf(stderr, "matchpathcon(%s) failed: %s\n", path, strerror(errno)); +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.5/policy/modules/services/inetd.te +--- nsaserefpolicy/policy/modules/services/inetd.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/inetd.te 2007-12-19 05:38:09.000000000 -0500 +@@ -30,6 +30,10 @@ + type inetd_child_var_run_t; + files_pid_file(inetd_child_var_run_t) + ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh) ++') ++ + ######################################## + # + # Local policy +@@ -84,6 +88,7 @@ + corenet_udp_bind_ftp_port(inetd_t) + corenet_tcp_bind_inetd_child_port(inetd_t) + corenet_udp_bind_inetd_child_port(inetd_t) ++corenet_tcp_bind_ircd_port(inetd_t) + corenet_udp_bind_ktalkd_port(inetd_t) + corenet_tcp_bind_printer_port(inetd_t) + corenet_udp_bind_rlogind_port(inetd_t) +@@ -137,6 +142,7 @@ + miscfiles_read_localization(inetd_t) + + # xinetd needs MLS override privileges to work ++mls_fd_use_all_levels(inetd_t) + mls_fd_share_all_levels(inetd_t) + mls_socket_read_to_clearance(inetd_t) + mls_socket_write_to_clearance(inetd_t) +@@ -164,6 +170,7 @@ + ') + + optional_policy(` ++ unconfined_domain(inetd_t) + unconfined_domtrans(inetd_t) + ') + +@@ -180,6 +187,9 @@ + # for identd + allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + allow inetd_child_t self:capability { setuid setgid }; ++allow inetd_child_t self:dir search; ++allow inetd_child_t self:{ lnk_file file } { getattr read }; ++ + files_search_home(inetd_child_t) + + manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t) +@@ -226,3 +236,7 @@ + optional_policy(` + unconfined_domain(inetd_child_t) + ') ++ ++optional_policy(` ++ inetd_service_domain(inetd_child_t,bin_t) ++') +diff 
--exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.2.5/policy/modules/services/inn.te +--- nsaserefpolicy/policy/modules/services/inn.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/inn.te 2007-12-19 15:36:20.000000000 -0500 +@@ -22,7 +22,7 @@ + files_pid_file(innd_var_run_t) + + type news_spool_t; +-files_type(news_spool_t) ++files_mountpoint(news_spool_t) + + ######################################## + # +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.5/policy/modules/services/kerberos.fc +--- nsaserefpolicy/policy/modules/services/kerberos.fc 2006-11-16 17:15:21.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/kerberos.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -16,3 +16,4 @@ + + /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) + /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) ++/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.5/policy/modules/services/kerberos.if +--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/kerberos.if 2007-12-19 05:38:09.000000000 -0500 +@@ -43,7 +43,13 @@ + dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; + dontaudit $1 krb5kdc_conf_t:file rw_file_perms; + ++ #kerberos libraries are attempting to set the correct file context ++ dontaudit $1 self:process setfscreate; ++ seutil_dontaudit_read_file_contexts($1) ++ + tunable_policy(`allow_kerberos',` ++ fs_rw_tmpfs_files($1) ++ + allow $1 self:tcp_socket create_socket_perms; + allow $1 self:udp_socket create_socket_perms; + +@@ -61,11 +67,7 @@ + corenet_tcp_connect_ocsp_port($1) + corenet_sendrecv_kerberos_client_packets($1) + corenet_sendrecv_ocsp_client_packets($1) +- +- 
sysnet_read_config($1) +- sysnet_dns_name_resolve($1) + ') +- + optional_policy(` + tunable_policy(`allow_kerberos',` + pcscd_stream_connect($1) +@@ -172,3 +174,51 @@ + allow $1 krb5kdc_conf_t:file read_file_perms; + + ') ++ ++######################################## ++## ++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kerberos_manage_host_rcache',` ++ gen_require(` ++ type krb5_host_rcache_t; ++ ') ++ ++ tunable_policy(`allow_kerberos',` ++ files_search_tmp($1) ++ allow $1 self:process setfscreate; ++ selinux_validate_context($1) ++ seutil_read_file_contexts($1) ++ allow $1 krb5_host_rcache_t:file manage_file_perms; ++ ') ++ # creates files as system_u no matter what the selinux user ++ domain_obj_id_change_exemption($1) ++') ++ ++######################################## ++## ++## Connect to krb524 service ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kerberos_524_connect',` ++ tunable_policy(`allow_kerberos',` ++ allow $1 self:udp_socket create_socket_perms; ++ corenet_all_recvfrom_unlabeled($1) ++ corenet_udp_sendrecv_all_if($1) ++ corenet_udp_sendrecv_all_nodes($1) ++ corenet_udp_sendrecv_kerberos_master_port($1) ++ corenet_udp_bind_all_nodes($1) ++ ') ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.5/policy/modules/services/kerberos.te +--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/kerberos.te 2007-12-19 05:38:09.000000000 -0500 +@@ -54,6 +54,9 @@ + type krb5kdc_var_run_t; + files_pid_file(krb5kdc_var_run_t) + ++type krb5_host_rcache_t; ++files_tmp_file(krb5_host_rcache_t) ++ + ######################################## + # + # kadmind local policy +@@ -62,7 +65,7 @@ + # Use capabilities. Surplus capabilities may be allowed. 
+ allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; + dontaudit kadmind_t self:capability sys_tty_config; +-allow kadmind_t self:process signal_perms; ++allow kadmind_t self:process { setfscreate signal_perms }; + allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; + allow kadmind_t self:unix_dgram_socket { connect create write }; + allow kadmind_t self:tcp_socket connected_stream_socket_perms; +@@ -91,6 +94,7 @@ + kernel_read_kernel_sysctls(kadmind_t) + kernel_list_proc(kadmind_t) + kernel_read_proc_symlinks(kadmind_t) ++kernel_read_system_state(kadmind_t) + + corenet_all_recvfrom_unlabeled(kadmind_t) + corenet_all_recvfrom_netlabel(kadmind_t) +@@ -118,6 +122,9 @@ + domain_use_interactive_fds(kadmind_t) + + files_read_etc_files(kadmind_t) ++files_read_usr_symlinks(kadmind_t) ++files_read_usr_files(kadmind_t) ++files_read_var_files(kadmind_t) + + libs_use_ld_so(kadmind_t) + libs_use_shared_libs(kadmind_t) +@@ -127,6 +134,7 @@ + miscfiles_read_localization(kadmind_t) + + sysnet_read_config(kadmind_t) ++sysnet_use_ldap(kadmind_t) + + userdom_dontaudit_use_unpriv_user_fds(kadmind_t) + userdom_dontaudit_search_sysadm_home_dirs(kadmind_t) +@@ -137,6 +145,7 @@ + + optional_policy(` + seutil_sigchld_newrole(kadmind_t) ++ seutil_read_file_contexts(kadmind_t) + ') + + optional_policy(` +@@ -151,7 +160,7 @@ + # Use capabilities. Surplus capabilities may be allowed. 
+ allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; + dontaudit krb5kdc_t self:capability sys_tty_config; +-allow krb5kdc_t self:process { setsched getsched signal_perms }; ++allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; + allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; + allow krb5kdc_t self:tcp_socket create_stream_socket_perms; + allow krb5kdc_t self:udp_socket create_socket_perms; +@@ -223,6 +232,7 @@ + miscfiles_read_localization(krb5kdc_t) + + sysnet_read_config(krb5kdc_t) ++sysnet_use_ldap(krb5kdc_t) + + userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) + userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t) +@@ -233,6 +243,7 @@ + + optional_policy(` + seutil_sigchld_newrole(krb5kdc_t) ++ seutil_read_file_contexts(krb5kdc_t) + ') + + optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.2.5/policy/modules/services/lpd.if +--- nsaserefpolicy/policy/modules/services/lpd.if 2007-11-16 13:45:14.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/lpd.if 2007-12-31 06:40:50.000000000 -0500 +@@ -336,10 +336,8 @@ + ') + + files_search_spool($1) ++ manage_dirs_pattern($1,print_spool_t,print_spool_t) + manage_files_pattern($1,print_spool_t,print_spool_t) +- +- # cjp: cups wants setattr +- allow $1 print_spool_t:dir setattr; + ') + + ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.5/policy/modules/services/mailman.if +--- nsaserefpolicy/policy/modules/services/mailman.if 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mailman.if 2007-12-31 14:18:13.000000000 -0500 +@@ -211,6 +211,7 @@ + type mailman_data_t; + ') + ++ manage_dirs_pattern($1,mailman_data_t,mailman_data_t) + manage_files_pattern($1,mailman_data_t,mailman_data_t) + ') + +@@ -252,6 +253,25 @@ + + 
####################################### + ## ++## read ++## mailman logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mailman_read_log',` ++ gen_require(` ++ type mailman_log_t; ++ ') ++ ++ read_files_pattern($1,mailman_log_t,mailman_log_t) ++') ++ ++####################################### ++## + ## Append to mailman logs. + ## + ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.5/policy/modules/services/mailman.te +--- nsaserefpolicy/policy/modules/services/mailman.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mailman.te 2007-12-19 05:38:09.000000000 -0500 +@@ -53,10 +53,9 @@ + apache_use_fds(mailman_cgi_t) + apache_dontaudit_append_log(mailman_cgi_t) + apache_search_sys_script_state(mailman_cgi_t) ++ apache_read_config(mailman_cgi_t) ++ apache_dontaudit_rw_stream_sockets(mailman_cgi_t) + +- optional_policy(` +- nscd_socket_use(mailman_cgi_t) +- ') + ') + + ######################################## +@@ -65,6 +64,10 @@ + # + + allow mailman_mail_t self:unix_dgram_socket create_socket_perms; ++allow mailman_mail_t initrc_t:process signal; ++allow mailman_mail_t self:capability { setuid setgid }; ++ ++files_search_spool(mailman_mail_t) + + mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.5/policy/modules/services/mailscanner.fc +--- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mailscanner.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -0,0 +1,2 @@ ++/var/spool/MailScanner(/.*)? 
gen_context(system_u:object_r:mailscanner_spool_t,s0) ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.5/policy/modules/services/mailscanner.if +--- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mailscanner.if 2007-12-19 05:38:09.000000000 -0500 +@@ -0,0 +1,59 @@ ++## Anti-Virus and Anti-Spam Filter ++ ++######################################## ++## ++## Search mailscanner spool directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mailscanner_search_spool',` ++ gen_require(` ++ type mailscanner_spool_t; ++ ') ++ ++ files_search_spool($1) ++ allow $1 mailscanner_spool_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## read mailscanner spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mailscanner_read_spool',` ++ gen_require(` ++ type mailscanner_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## mailscanner spool files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`mailscanner_manage_spool',` ++ gen_require(` ++ type mailscanner_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.5/policy/modules/services/mailscanner.te +--- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mailscanner.te 2007-12-19 05:38:09.000000000 -0500 +@@ -0,0 +1,5 @@ ++ ++policy_module(mailscanner,1.0.0) ++ ++type mailscanner_spool_t; ++files_type(mailscanner_spool_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if +--- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-04 10:12:33.000000000 -0500 +@@ -133,6 +133,12 @@ + sendmail_create_log($1_mail_t) + ') + ++ optional_policy(` ++ exim_read_log($1_mail_t) ++ exim_append_log($1_mail_t) ++ exim_manage_spool_files($1_mail_t) ++ ') ++ + ') + + ####################################### +@@ -217,6 +223,15 @@ + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files($1_mail_t) + fs_manage_cifs_symlinks($1_mail_t) ++ fs_manage_cifs_files(mailserver_delivery) ++ fs_manage_cifs_symlinks(mailserver_delivery) ++ ') ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_files($1_mail_t) ++ fs_manage_nfs_symlinks($1_mail_t) ++ fs_manage_nfs_files(mailserver_delivery) ++ fs_manage_nfs_symlinks(mailserver_delivery) + ') + + optional_policy(` +@@ -305,6 +320,42 @@ + + ######################################## + ## ++## Make the specified type usable for a mta_send_mail. ++## ++## ++## ++## Type to be used as a mail client. 
++## ++## ++# ++interface(`mta_mailclient',` ++ gen_require(` ++ attribute mailclient_exec_type; ++ ') ++ ++ typeattribute $1 mailclient_exec_type; ++') ++ ++######################################## ++## ++## Make the specified type readable for a system_mail_t ++## ++## ++## ++## Type to be used as a mail client. ++## ++## ++# ++interface(`mta_mailcontent',` ++ gen_require(` ++ attribute mailcontent_type; ++ ') ++ ++ typeattribute $1 mailcontent_type; ++') ++ ++######################################## ++## + ## Modified mailserver interface for + ## sendmail daemon use. + ## +@@ -383,11 +434,13 @@ + allow $1 mail_spool_t:dir list_dir_perms; + create_files_pattern($1,mail_spool_t,mail_spool_t) + read_files_pattern($1,mail_spool_t,mail_spool_t) ++ append_files_pattern($1,mail_spool_t,mail_spool_t) + create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) + read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) + + optional_policy(` + dovecot_manage_spool($1) ++ dovecot_domtrans_deliver($1) + ') + + optional_policy(` +@@ -422,6 +475,7 @@ + # apache should set close-on-exec + apache_dontaudit_rw_stream_sockets($1) + apache_dontaudit_rw_sys_script_stream_sockets($1) ++ apache_append_log($1) + ') + ') + +@@ -438,20 +492,18 @@ + interface(`mta_send_mail',` + gen_require(` + attribute mta_user_agent; +- type system_mail_t, sendmail_exec_t; ++ type system_mail_t; ++ attribute mailclient_exec_type; + ') + +- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms; +- domain_auto_trans($1, sendmail_exec_t, system_mail_t) +- +- allow $1 system_mail_t:fd use; +- allow system_mail_t $1:fd use; +- allow system_mail_t $1:fifo_file rw_file_perms; +- allow system_mail_t $1:process sigchld; ++ allow $1 mailclient_exec_type:lnk_file read_lnk_file_perms; ++ domtrans_pattern($1, mailclient_exec_type, system_mail_t) ++ allow system_mail_t mailclient_exec_type:file entrypoint; + + allow mta_user_agent $1:fd use; + allow mta_user_agent $1:process sigchld; + allow mta_user_agent $1:fifo_file { 
read write }; ++ + ') + + ######################################## +@@ -586,6 +638,25 @@ + files_search_etc($1) + allow $1 etc_aliases_t:file { rw_file_perms setattr }; + ') ++######################################## ++## ++## manage mail aliases. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`mta_manage_aliases',` ++ gen_require(` ++ type etc_aliases_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 etc_aliases_t:file manage_file_perms; ++') + + ####################################### + ## +@@ -837,6 +908,25 @@ + + ######################################## + ## ++## read mail queue files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_read_queue',` ++ gen_require(` ++ type mqueue_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1,mqueue_spool_t,mqueue_spool_t) ++') ++ ++######################################## ++## + ## Create, read, write, and delete + ## mail queue files. + ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te +--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mta.te 2007-12-19 05:38:09.000000000 -0500 +@@ -6,6 +6,8 @@ + # Declarations + # + ++attribute mailcontent_type; ++attribute mailclient_exec_type; + attribute mta_user_agent; + attribute mailserver_delivery; + attribute mailserver_domain; +@@ -27,6 +29,7 @@ + + type sendmail_exec_t; + application_executable_file(sendmail_exec_t) ++mta_mailclient(sendmail_exec_t) + + mta_base_mail_template(system) + role system_r types system_mail_t; +@@ -40,27 +43,40 @@ + allow system_mail_t self:capability { dac_override }; + + read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) ++read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type) + + kernel_read_system_state(system_mail_t) + kernel_read_network_state(system_mail_t) + ++dev_read_sysfs(system_mail_t) + 
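Review bot: Swapping the fixed `sendmail_exec_t` entrypoint in `mta_send_mail` for the `mailclient_exec_type` attribute makes the transition open-ended — every type any module later tags with `mta_mailclient()` becomes an entrypoint into `system_mail_t` for every caller of this interface, and the mta.te hunk further down keeps `dac_override` on that domain. That is probably intended, but it belongs in a comment on the interface, e.g. `# any mailclient_exec_type file may now enter system_mail_t; keep mta_mailclient() limited to real MTA client binaries`. The explicit `allow system_mail_t mailclient_exec_type:file entrypoint;` looks redundant if `domtrans_pattern` still expands through `domain_auto_trans`, which to my recollection already grants entrypoint to the target domain — confirm against kernel.if before keeping or dropping it.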
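Review bot: `mta_manage_aliases` grants `manage_file_perms` on `etc_aliases_t`, a noticeably larger grant than the sibling interface directly above it (`{ rw_file_perms setattr }`), and the one-line summary does not say why a caller needs create/unlink on the aliases files; state it, e.g. `## Create, read, write and delete the mail aliases files (for tools that rebuild the aliases database).` Since most MTAs let an alias route mail into a program, callers of this interface effectively get code execution in the MTA's context, so it should be treated as privileged and handed out sparingly. Style: the new block is glued onto the preceding `')` with no blank line before the `####` rule, unlike the other interfaces in this file.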
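Review bot: `mta_read_queue` pairs `files_search_spool($1)` with `read_files_pattern` on `mqueue_spool_t`, which gives search on the queue directory but not `list_dir_perms`, so a caller can open a queue file whose name it already knows but cannot enumerate the queue; the delivery rules earlier in this file combine `read_files_pattern` on `mail_spool_t` with an explicit `allow $1 mail_spool_t:dir list_dir_perms;`. If enumeration is intended, add `allow $1 mqueue_spool_t:dir list_dir_perms;`; if it is deliberately withheld, say so in the summary so the next reader does not "fix" it.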
dev_read_rand(system_mail_t) + dev_read_urand(system_mail_t) + ++fs_rw_anon_inodefs_files(system_mail_t) ++ ++selinux_getattr_fs(system_mail_t) ++ + init_use_script_ptys(system_mail_t) + + userdom_use_sysadm_terms(system_mail_t) + userdom_dontaudit_search_sysadm_home_dirs(system_mail_t) ++userdom_dontaudit_search_all_users_home_content(system_mail_t) ++ ++optional_policy(` ++ apcupsd_read_tmp_files(system_mail_t) ++') + + optional_policy(` + apache_read_squirrelmail_data(system_mail_t) + apache_append_squirrelmail_data(system_mail_t) ++ apache_search_bugzilla_dirs(system_mail_t) + + # apache should set close-on-exec + apache_dontaudit_append_log(system_mail_t) + apache_dontaudit_rw_stream_sockets(system_mail_t) + apache_dontaudit_rw_tcp_sockets(system_mail_t) + apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) ++ apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t) + ') + + optional_policy(` +@@ -73,6 +89,7 @@ + + optional_policy(` + cron_read_system_job_tmp_files(system_mail_t) ++ cron_read_tmp_files(system_mail_t) + cron_dontaudit_write_pipes(system_mail_t) + ') + +@@ -81,6 +98,11 @@ + ') + + optional_policy(` ++ exim_domtrans(system_mail_t) ++ exim_manage_log(system_mail_t) ++') ++ ++optional_policy(` + logrotate_read_tmp_files(system_mail_t) + ') + +@@ -136,6 +158,14 @@ + ') + + optional_policy(` ++ clamav_stream_connect(sendmail_t) ++') ++ ++optional_policy(` ++ spamd_stream_connect(system_mail_t) ++') ++ ++optional_policy(` + smartmon_read_tmp_files(system_mail_t) + ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc +--- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/munin.fc 2007-12-31 05:55:51.000000000 -0500 +@@ -6,6 +6,7 @@ + /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) + + /var/lib/munin(/.*)? 
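Review bot: The new `optional_policy` block in mta.te calls `clamav_stream_connect(sendmail_t)`, but `sendmail_t` is not a type this module declares (the declarations hunk above shows `system_mail_t` and `sendmail_exec_t`), and every other rule in the file targets `system_mail_t`, including the `spamd_stream_connect(system_mail_t)` added immediately beneath it. Unless mta.te requires `sendmail_t` somewhere outside this diff, the rule either fails to build or silently grants the socket access to a different domain than intended; it reads like a copy-paste slip and should presumably be `clamav_stream_connect(system_mail_t)`, or live in sendmail.te if the daemon really is the intended client.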
gen_context(system_u:object_r:munin_var_lib_t,s0) +-/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) ++/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) + /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) +-/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) ++/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) ++/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te +--- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/munin.te 2007-12-31 06:15:20.000000000 -0500 +@@ -37,14 +37,18 @@ + allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; + allow munin_t self:tcp_socket create_stream_socket_perms; + allow munin_t self:udp_socket create_socket_perms; ++allow munin_t self:fifo_file manage_fifo_file_perms; ++ ++can_exec(munin_t, munin_exec_t) + + allow munin_t munin_etc_t:dir list_dir_perms; + read_files_pattern(munin_t,munin_etc_t,munin_etc_t) + read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t) + files_search_etc(munin_t) + +-allow munin_t munin_log_t:file manage_file_perms; +-logging_log_filetrans(munin_t,munin_log_t,file) ++manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) ++manage_files_pattern(munin_t, munin_log_t, munin_log_t) ++logging_log_filetrans(munin_t,munin_log_t,{ file dir }) + + manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t) + manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t) +@@ -73,6 +77,7 @@ + corenet_udp_sendrecv_all_nodes(munin_t) + corenet_tcp_sendrecv_all_ports(munin_t) + corenet_udp_sendrecv_all_ports(munin_t) ++corenet_tcp_connect_munin_port(munin_t) + + dev_read_sysfs(munin_t) + dev_read_urand(munin_t) +@@ -91,6 +96,7 @@ + + logging_send_syslog_msg(munin_t) + 
++miscfiles_read_fonts(munin_t) + miscfiles_read_localization(munin_t) + + sysnet_read_config(munin_t) +@@ -118,3 +124,9 @@ + optional_policy(` + udev_read_db(munin_t) + ') ++ ++#============= http munin policy ============== ++apache_content_template(munin) ++ ++manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.5/policy/modules/services/mysql.fc +--- nsaserefpolicy/policy/modules/services/mysql.fc 2006-11-16 17:15:20.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mysql.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -22,3 +22,5 @@ + /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) + + /var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) ++ ++/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.5/policy/modules/services/mysql.if +--- nsaserefpolicy/policy/modules/services/mysql.if 2007-01-02 12:57:43.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mysql.if 2007-12-19 05:38:09.000000000 -0500 +@@ -157,3 +157,79 @@ + logging_search_logs($1) + allow $1 mysqld_log_t:file { write append setattr ioctl }; + ') ++ ++######################################## ++## ++## Execute mysql server in the mysqld domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`mysql_script_domtrans',` ++ gen_require(` ++ type mysqld_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,mysqld_script_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate an mysql environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the mysql domain. 
++## ++## ++## ++## ++## The type of the terminal allow the mysql domain to use. ++## ++## ++## ++# ++interface(`mysql_admin',` ++ ++ gen_require(` ++ type mysqld_t; ++ type mysqld_var_run_t; ++ type mysqld_tmp_t; ++ type mysqld_db_t; ++ type mysqld_etc_t; ++ type mysqld_log_t; ++ type mysqld_script_exec_t; ++ ') ++ ++ allow $1 mysqld_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, mysqld_t, mysqld_t) ++ ++ # Allow $1 to restart the apache service ++ mysql_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 mysqld_script_exec_t system_r; ++ allow $2 system_r; ++ ++ manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t) ++ manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t) ++ ++ manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t) ++ manage_files_pattern($1,mysqld_db_t,mysqld_db_t) ++ ++ manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t) ++ manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t) ++ ++ manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t) ++ manage_files_pattern($1,mysqld_log_t,mysqld_log_t) ++ ++ manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t) ++ manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te +--- nsaserefpolicy/policy/modules/services/mysql.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mysql.te 2007-12-31 16:45:48.000000000 -0500 +@@ -1,4 +1,3 @@ +- + policy_module(mysql,1.6.0) + + ######################################## +@@ -25,6 +24,9 @@ + type mysqld_tmp_t; + files_tmp_file(mysqld_tmp_t) + ++type mysqld_script_exec_t; ++init_script_type(mysqld_script_exec_t) ++ + ######################################## + # + # Local policy +@@ -33,7 +35,8 @@ + allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; + dontaudit mysqld_t self:capability sys_tty_config; + allow mysqld_t 
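Review bot: `mysql_admin` documents a third parameter ("The type of the terminal allow the mysql domain to use") but nothing in the body references `$3`; either add the terminal rule the other admin interfaces carry (compare the `dontaudit nscd_t $3:chr_file rw_term_perms;` visible in nscd.if below) as `allow mysqld_t $3:chr_file rw_term_perms;`, or remove the parameter from the doc so callers are not misled. The comment `# Allow $1 to restart the apache service` was copied from apache_admin and should read `# Allow $1 to restart the mysql service`. `ptrace` on `mysqld_t` lets the admin domain read the server's memory, credentials and in-flight query data included; that is normal for an admin role but deserves a one-line comment so it is not loosened casually.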
self:process { setsched getsched setrlimit signal_perms rlimitinh }; +-allow mysqld_t self:fifo_file { read write }; ++allow mysqld_t self:fifo_file rw_fifo_file_perms; ++allow mysqld_t self:shm create_shm_perms; + allow mysqld_t self:unix_stream_socket create_stream_socket_perms; + allow mysqld_t self:tcp_socket create_stream_socket_perms; + allow mysqld_t self:udp_socket create_socket_perms; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc +--- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-16 17:15:20.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/nagios.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -4,13 +4,15 @@ + /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) + /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) + +-/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) +-/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) ++/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + + /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) + /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) + ++/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ++ + ifdef(`distro_debian',` + /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +-/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) + ') ++/usr/lib(64)?/cgi-bin/nagios(/.+)? 
gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.5/policy/modules/services/nagios.if +--- nsaserefpolicy/policy/modules/services/nagios.if 2007-01-02 12:57:43.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/nagios.if 2007-12-19 05:38:09.000000000 -0500 +@@ -44,25 +44,6 @@ + + ######################################## + ## +-## Execute the nagios CGI with +-## a domain transition. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`nagios_domtrans_cgi',` +- gen_require(` +- type nagios_cgi_t, nagios_cgi_exec_t; +- ') +- +- domtrans_pattern($1,nagios_cgi_exec_t,nagios_cgi_t) +-') +- +-######################################## +-## + ## Execute the nagios NRPE with + ## a domain transition. + ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.5/policy/modules/services/nagios.te +--- nsaserefpolicy/policy/modules/services/nagios.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/nagios.te 2007-12-19 05:38:09.000000000 -0500 +@@ -8,11 +8,7 @@ + + type nagios_t; + type nagios_exec_t; +-init_daemon_domain(nagios_t, nagios_exec_t) +- +-type nagios_cgi_t; +-type nagios_cgi_exec_t; +-init_system_domain(nagios_cgi_t, nagios_cgi_exec_t) ++init_daemon_domain(nagios_t,nagios_exec_t) + + type nagios_etc_t; + files_config_file(nagios_etc_t) +@@ -26,9 +22,12 @@ + type nagios_var_run_t; + files_pid_file(nagios_var_run_t) + ++type nagios_spool_t; ++files_type(nagios_spool_t) ++ + type nrpe_t; + type nrpe_exec_t; +-init_daemon_domain(nrpe_t, nrpe_exec_t) ++init_daemon_domain(nrpe_t,nrpe_exec_t) + + type nrpe_etc_t; + files_config_file(nrpe_etc_t) +@@ -60,6 +59,8 @@ + manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) + files_pid_filetrans(nagios_t, nagios_var_run_t, file) + ++rw_fifo_files_pattern(nagios_t, nagios_spool_t, 
nagios_spool_t) ++ + kernel_read_system_state(nagios_t) + kernel_read_kernel_sysctls(nagios_t) + +@@ -130,42 +131,31 @@ + # + # Nagios CGI local policy + # ++apache_content_template(nagios) ++typealias httpd_nagios_script_t alias nagios_cgi_t; ++typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; + +-allow nagios_cgi_t self:process signal_perms; +-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; +- +-read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) +-read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) +- +-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; +-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) +-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) ++allow httpd_nagios_script_t self:process signal_perms; + +-allow nagios_cgi_t nagios_log_t:dir list_dir_perms; +-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) +-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) ++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) + +-kernel_read_system_state(nagios_cgi_t) ++allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; ++read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) + +-corecmd_exec_bin(nagios_cgi_t) ++allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; ++read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) + +-domain_dontaudit_read_all_domains_state(nagios_cgi_t) ++kernel_read_system_state(httpd_nagios_script_t) + +-files_read_etc_files(nagios_cgi_t) +-files_read_etc_runtime_files(nagios_cgi_t) +-files_read_kernel_symbol_table(nagios_cgi_t) ++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) + +-libs_use_ld_so(nagios_cgi_t) +-libs_use_shared_libs(nagios_cgi_t) 
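Review bot: `rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)` only lets the daemon read and write a fifo that already exists and already carries `nagios_spool_t`; if nagios creates its command pipe under `/var/spool/nagios` itself at startup (not visible from here), it also needs create/unlink on fifo files plus a `files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)`, otherwise the pipe inherits the parent label and this rule never matches. A comment naming the fifo the rule is meant for would make the intent checkable. Nothing in this change gives the new `httpd_nagios_script_t` CGI domain write access to that pipe either, so if the web UI submits external commands through it that path stays denied.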
++files_read_etc_runtime_files(httpd_nagios_script_t) ++files_read_kernel_symbol_table(httpd_nagios_script_t) + +-logging_send_syslog_msg(nagios_cgi_t) +-logging_search_logs(nagios_cgi_t) +- +-miscfiles_read_localization(nagios_cgi_t) +- +-optional_policy(` +- apache_append_log(nagios_cgi_t) +-') ++logging_send_syslog_msg(httpd_nagios_script_t) + + ######################################## + # +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.5/policy/modules/services/networkmanager.fc +--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc 2007-12-31 08:48:44.000000000 -0500 +@@ -1,7 +1,9 @@ + /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + + /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/wpa_supplicant(/.*)? 
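Review bot: `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` (and its lnk_file twin) passes `nagios_etc_t` as the directory type and `nagios_log_t` as the file type, so the CGI gets search on the config directory but not on the log directory, even though the line above grants `list_dir_perms` on `nagios_log_t`; the rename preserved the old mismatch and both should read `..._pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)`. The removed `logging_search_logs(nagios_cgi_t)` is not obviously supplied by `apache_content_template`, so the CGI may also lose the path to `/var/log/nagios` — confirm the template grants it or add it back. The template call sits outside `optional_policy`, which makes nagios depend on the apache module unconditionally; a comment stating that would save the next person a build surprise.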
gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.5/policy/modules/services/networkmanager.if +--- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/networkmanager.if 2007-12-31 08:55:52.000000000 -0500 +@@ -97,3 +97,21 @@ + allow $1 NetworkManager_t:dbus send_msg; + allow NetworkManager_t $1:dbus send_msg; + ') ++ ++######################################## ++## ++## Send a generic signal to NetworkManager ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_signal',` ++ gen_require(` ++ type NetworkManager_t; ++ ') ++ ++ allow $1 NetworkManager_t:process signal; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te +--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-26 20:31:36.000000000 -0500 +@@ -13,6 +13,9 @@ + type NetworkManager_var_run_t; + files_pid_file(NetworkManager_var_run_t) + ++type NetworkManager_log_t; ++logging_log_file(NetworkManager_log_t) ++ + ######################################## + # + # Local policy +@@ -20,7 +23,7 @@ + + # networkmanager will ptrace itself if gdb is installed + # and it receives a unexpected signal (rh bug #204161) +-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; ++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; + dontaudit 
NetworkManager_t self:capability { sys_tty_config sys_ptrace }; + allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; + allow NetworkManager_t self:fifo_file rw_fifo_file_perms; +@@ -38,6 +41,9 @@ + manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) + files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) + ++manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t) ++logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file) ++ + kernel_read_system_state(NetworkManager_t) + kernel_read_network_state(NetworkManager_t) + kernel_read_kernel_sysctls(NetworkManager_t) +@@ -86,6 +92,8 @@ + init_read_utmp(NetworkManager_t) + init_domtrans_script(NetworkManager_t) + ++auth_use_nsswitch(NetworkManager_t) ++ + libs_use_ld_so(NetworkManager_t) + libs_use_shared_libs(NetworkManager_t) + +@@ -129,8 +137,11 @@ + ') + + optional_policy(` ++ allow NetworkManager_t self:dbus send_msg; ++ + dbus_system_bus_client_template(NetworkManager,NetworkManager_t) + dbus_connect_system_bus(NetworkManager_t) ++ dbus_system_domain(NetworkManager_t,NetworkManager_exec_t) + ') + + optional_policy(` +@@ -138,12 +149,9 @@ + ') + + optional_policy(` +- nis_use_ypbind(NetworkManager_t) +-') +- +-optional_policy(` +- nscd_socket_use(NetworkManager_t) + nscd_signal(NetworkManager_t) ++ nscd_script_domtrans(NetworkManager_t) ++ nscd_domtrans(NetworkManager_t) + ') + + optional_policy(` +@@ -155,6 +163,7 @@ + ppp_domtrans(NetworkManager_t) + ppp_read_pid_files(NetworkManager_t) + ppp_signal(NetworkManager_t) ++ ppp_read_config(NetworkManager_t) + ') + + optional_policy(` +@@ -166,11 +175,6 @@ + ') + + optional_policy(` +- # Read gnome-keyring +- unconfined_read_home_content_files(NetworkManager_t) +-') +- +-optional_policy(` + vpn_domtrans(NetworkManager_t) + vpn_signal(NetworkManager_t) + ') +diff --exclude-from=exclude -N -u -r 
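Review bot: The capability line now adds `chown fsetid` and silently drops `net_bind_service`, and neither change is explained; the comment above it only covers the ptrace behaviour. Since wpa_supplicant shares `NetworkManager_exec_t` per networkmanager.fc and therefore runs in this domain, confirm that neither it nor NetworkManager binds a port below 1024 before the drop lands, and add a comment on the line saying what `chown` and `fsetid` are needed for. If the need for those two is not actually known, a `dontaudit` until an AVC proves them necessary is the safer default.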
nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.5/policy/modules/services/nis.fc +--- nsaserefpolicy/policy/modules/services/nis.fc 2007-02-19 11:32:53.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/nis.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -4,6 +4,7 @@ + /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) + + /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) ++/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) + + /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) + /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.5/policy/modules/services/nis.if +--- nsaserefpolicy/policy/modules/services/nis.if 2007-07-16 14:09:46.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/nis.if 2007-12-19 05:38:09.000000000 -0500 +@@ -49,8 +49,8 @@ + corenet_udp_bind_all_nodes($1) + corenet_tcp_bind_generic_port($1) + corenet_udp_bind_generic_port($1) +- corenet_tcp_bind_reserved_port($1) +- corenet_udp_bind_reserved_port($1) ++ corenet_dontaudit_tcp_bind_all_reserved_ports($1) ++ corenet_dontaudit_udp_bind_all_reserved_ports($1) + corenet_dontaudit_tcp_bind_all_ports($1) + corenet_dontaudit_udp_bind_all_ports($1) + corenet_tcp_connect_portmap_port($1) +@@ -87,6 +87,25 @@ + + ######################################## + ## ++## Use the nis to authenticate passwords ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++# ++interface(`nis_authenticate',` ++ tunable_policy(`allow_ypbind',` ++ nis_use_ypbind_uncond($1) ++ corenet_tcp_bind_all_rpc_ports($1) ++ corenet_udp_bind_all_rpc_ports($1) ++ ') ++') ++ ++######################################## ++## + ## Execute ypbind in the ypbind domain. 
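Review bot: In `nis_use_ypbind_uncond` the `corenet_*_bind_reserved_port($1)` allows become `corenet_dontaudit_*_bind_all_reserved_ports($1)`, which tightens every NIS client at once but also hides the denial if some client really does need a low port; turning a previously granted access into a silenced one should carry a comment, e.g. `# reserved-port binds are no longer granted to NIS clients; silence the attempts`. The `nis_authenticate` interface added in the next hunk grants `corenet_*_bind_all_rpc_ports` under the `allow_ypbind` tunable and appears to be the intended replacement, so its summary should say that it implies `nis_use_ypbind_uncond` and that the RPC port binds are why it is a separate interface.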
+ ## + ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.2.5/policy/modules/services/nis.te +--- nsaserefpolicy/policy/modules/services/nis.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/nis.te 2007-12-19 05:38:09.000000000 -0500 +@@ -113,6 +113,17 @@ + userdom_dontaudit_use_unpriv_user_fds(ypbind_t) + userdom_dontaudit_search_sysadm_home_dirs(ypbind_t) + ++ ++optional_policy(` ++ dbus_system_bus_client_template(ypbind,ypbind_t) ++ dbus_connect_system_bus(ypbind_t) ++ init_dbus_chat_script(ypbind_t) ++ ++ optional_policy(` ++ networkmanager_dbus_chat(ypbind_t) ++ ') ++') ++ + optional_policy(` + seutil_sigchld_newrole(ypbind_t) + ') +@@ -126,6 +137,7 @@ + # yppasswdd local policy + # + ++allow yppasswdd_t self:capability dac_override; + dontaudit yppasswdd_t self:capability sys_tty_config; + allow yppasswdd_t self:fifo_file rw_fifo_file_perms; + allow yppasswdd_t self:process { setfscreate signal_perms }; +@@ -156,8 +168,8 @@ + corenet_udp_sendrecv_all_ports(yppasswdd_t) + corenet_tcp_bind_all_nodes(yppasswdd_t) + corenet_udp_bind_all_nodes(yppasswdd_t) +-corenet_tcp_bind_reserved_port(yppasswdd_t) +-corenet_udp_bind_reserved_port(yppasswdd_t) ++corenet_tcp_bind_all_rpc_ports(yppasswdd_t) ++corenet_udp_bind_all_rpc_ports(yppasswdd_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) + corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) + corenet_sendrecv_generic_server_packets(yppasswdd_t) +@@ -247,6 +259,8 @@ + corenet_udp_bind_all_nodes(ypserv_t) + corenet_tcp_bind_reserved_port(ypserv_t) + corenet_udp_bind_reserved_port(ypserv_t) ++corenet_tcp_bind_all_rpc_ports(ypserv_t) ++corenet_udp_bind_all_rpc_ports(ypserv_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) + corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) + corenet_sendrecv_generic_server_packets(ypserv_t) +@@ -315,6 +329,8 @@ + corenet_udp_bind_all_nodes(ypxfr_t) + 
corenet_tcp_bind_reserved_port(ypxfr_t) + corenet_udp_bind_reserved_port(ypxfr_t) ++corenet_tcp_bind_all_rpc_ports(ypxfr_t) ++corenet_udp_bind_all_rpc_ports(ypxfr_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) + corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) + corenet_tcp_connect_all_ports(ypxfr_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.5/policy/modules/services/nscd.fc +--- nsaserefpolicy/policy/modules/services/nscd.fc 2006-11-16 17:15:20.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/nscd.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -9,3 +9,5 @@ + /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) + + /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) ++ ++/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.5/policy/modules/services/nscd.if +--- nsaserefpolicy/policy/modules/services/nscd.if 2007-03-26 10:39:04.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/nscd.if 2007-12-19 05:38:09.000000000 -0500 +@@ -70,15 +70,14 @@ + interface(`nscd_socket_use',` + gen_require(` + type nscd_t, nscd_var_run_t; +- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; ++ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; + ') + + allow $1 self:unix_stream_socket create_socket_perms; + + allow $1 nscd_t:nscd { getpwd getgrp gethost }; + dontaudit $1 nscd_t:fd use; +- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; +- ++ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; + files_search_pids($1) + stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t) + dontaudit $1 nscd_var_run_t:file { getattr read }; +@@ -204,3 +203,22 @@ + role $2 types nscd_t; + dontaudit nscd_t $3:chr_file rw_term_perms; + ') ++ 
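Review bot: nscd.fc labels `/etc/rc\.d/init\.d/nscd` as `httpd_script_exec_t`, an apache-style type that nscd.te does not declare, while nscd.te in this same change introduces `nscd_script_exec_t` with `init_script_type` and the parallel mysqld and ntpd entries use their own `*_script_exec_t`; this looks like a copy-paste error and should be `gen_context(system_u:object_r:nscd_script_exec_t,s0)`. As written, `nscd_script_domtrans` (now called from `NetworkManager_t` above) never matches the init script, and a file that starts a root daemon is presented to the system as a web CGI executable, which is the wrong trust boundary.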
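Review bot: `nscd_socket_use` now requires `getserv` and `shmemserv` on the `nscd` class but only adds them to the `dontaudit`, while the `allow` line still grants `{ getpwd getgrp gethost }`; a caller whose services lookup goes through nscd will be refused and the denial will not appear in the audit log. Either extend the allow to `allow $1 nscd_t:nscd { getpwd getgrp gethost getserv };` or leave `getserv` out of the dontaudit and note in the summary that service lookups are intentionally not routed via nscd. The hunk also removes the blank line before `files_search_pids($1)`, which was the only separator between the dontaudit group and the connect rules.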
++######################################## ++## ++## Execute nscd server in the ntpd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`nscd_script_domtrans',` ++ gen_require(` ++ type nscd_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,nscd_script_exec_t) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.5/policy/modules/services/nscd.te +--- nsaserefpolicy/policy/modules/services/nscd.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/nscd.te 2007-12-19 05:38:09.000000000 -0500 +@@ -23,19 +23,22 @@ + type nscd_log_t; + logging_log_file(nscd_log_t) + ++type nscd_script_exec_t; ++init_script_type(nscd_script_exec_t) ++ + ######################################## + # + # Local policy + # + +-allow nscd_t self:capability { kill setgid setuid audit_write }; ++allow nscd_t self:capability { kill setgid setuid }; + dontaudit nscd_t self:capability sys_tty_config; +-allow nscd_t self:process { getattr setsched signal_perms }; ++allow nscd_t self:process { getattr setcap setsched signal_perms }; + allow nscd_t self:fifo_file { read write }; + allow nscd_t self:unix_stream_socket create_stream_socket_perms; + allow nscd_t self:unix_dgram_socket create_socket_perms; + allow nscd_t self:netlink_selinux_socket create_socket_perms; +-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++ + allow nscd_t self:tcp_socket create_socket_perms; + allow nscd_t self:udp_socket create_socket_perms; + +@@ -50,6 +53,8 @@ + manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t) + files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file }) + ++can_exec(nscd_t, nscd_exec_t) ++ + kernel_read_kernel_sysctls(nscd_t) + kernel_list_proc(nscd_t) + kernel_read_proc_symlinks(nscd_t) +@@ -73,6 +78,8 @@ + corenet_udp_sendrecv_all_nodes(nscd_t) + corenet_tcp_sendrecv_all_ports(nscd_t) + 
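Review bot: The summary for `nscd_script_domtrans` says "Execute nscd server in the ntpd domain", copied from `ntp_script_domtrans` further down, and it is wrong on both counts; the interface calls `init_script_domtrans_spec`, so the target is the init script domain, not nscd_t and not ntpd. It should read `## Execute the nscd init script in the init script domain.` The same template text in ntp.if is at least about ntpd but still names the wrong target domain.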
corenet_udp_sendrecv_all_ports(nscd_t) ++corenet_udp_bind_all_nodes(nscd_t) ++corenet_udp_bind_all_nodes(nscd_t) + corenet_tcp_connect_all_ports(nscd_t) + corenet_sendrecv_all_client_packets(nscd_t) + corenet_rw_tun_tap_dev(nscd_t) +@@ -93,6 +100,7 @@ + libs_use_ld_so(nscd_t) + libs_use_shared_libs(nscd_t) + ++logging_send_audit_msgs(nscd_t) + logging_send_syslog_msg(nscd_t) + + miscfiles_read_localization(nscd_t) +@@ -114,3 +122,12 @@ + xen_dontaudit_rw_unix_stream_sockets(nscd_t) + xen_append_log(nscd_t) + ') ++ ++optional_policy(` ++ tunable_policy(`samba_domain_controller',` ++ samba_append_log(nscd_t) ++ samba_dontaudit_use_fds(nscd_t) ++ ') ++ samba_read_config(nscd_t) ++ samba_read_var_files(nscd_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.5/policy/modules/services/ntp.fc +--- nsaserefpolicy/policy/modules/services/ntp.fc 2006-11-16 17:15:21.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/ntp.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -17,3 +17,8 @@ + /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) + + /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) ++ ++/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) ++/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) ++ ++/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.5/policy/modules/services/ntp.if +--- nsaserefpolicy/policy/modules/services/ntp.if 2007-03-26 10:39:05.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/ntp.if 2007-12-19 05:38:09.000000000 -0500 +@@ -53,3 +53,22 @@ + corecmd_search_bin($1) + domtrans_pattern($1,ntpdate_exec_t,ntpd_t) + ') ++ ++######################################## ++## ++## Execute ntp server in the ntpd domain. ++## ++## ++## ++## The type of the process performing this action. 
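Review bot: The hunk adds `corenet_udp_bind_all_nodes(nscd_t)` twice in a row; the duplicate is harmless to the compiler but looks like a typo for the TCP variant, so either delete the second line or change it to `corenet_tcp_bind_all_nodes(nscd_t)` if nscd also listens on TCP — the domain already has `corenet_tcp_connect_all_ports` but no TCP bind. A comment on why a cache daemon needs to bind sockets at all would help; if no AVC motivates it, drop both lines rather than widen the domain.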
++## ++## ++# ++interface(`ntp_script_domtrans',` ++ gen_require(` ++ type ntpd_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,ntpd_script_exec_t) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.5/policy/modules/services/ntp.te +--- nsaserefpolicy/policy/modules/services/ntp.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/ntp.te 2007-12-19 05:38:09.000000000 -0500 +@@ -25,6 +25,12 @@ + type ntpdate_exec_t; + init_system_domain(ntpd_t,ntpdate_exec_t) + ++type ntpd_key_t; ++files_type(ntpd_key_t) ++ ++type ntpd_script_exec_t; ++init_script_type(ntpd_script_exec_t) ++ + ######################################## + # + # Local policy +@@ -36,6 +42,7 @@ + dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; + allow ntpd_t self:process { signal_perms setcap setsched setrlimit }; + allow ntpd_t self:fifo_file { read write getattr }; ++allow ntpd_t self:shm create_shm_perms; + allow ntpd_t self:unix_dgram_socket create_socket_perms; + allow ntpd_t self:unix_stream_socket create_socket_perms; + allow ntpd_t self:tcp_socket create_stream_socket_perms; +@@ -49,6 +56,8 @@ + manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) + logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir }) + ++read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t) ++ + # for some reason it creates a file in /tmp + manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t) + manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t) +@@ -82,6 +91,8 @@ + + fs_getattr_all_fs(ntpd_t) + fs_search_auto_mountpoints(ntpd_t) ++# Necessary to communicate with gpsd devices ++fs_rw_tmpfs_files(ntpd_t) + + auth_use_nsswitch(ntpd_t) + +@@ -105,6 +116,10 @@ + + miscfiles_read_localization(ntpd_t) + ++sysnet_dontaudit_dhcpc_use_fds(ntpd_t) ++ ++term_use_ptmx(ntpd_t) ++ + userdom_dontaudit_use_unpriv_user_fds(ntpd_t) + userdom_list_sysadm_home_dirs(ntpd_t) + userdom_dontaudit_list_sysadm_home_dirs(ntpd_t) +@@ 
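Review bot: `fs_rw_tmpfs_files(ntpd_t)` grants read/write on every `tmpfs_t` file in order to reach a gpsd shared-memory feed, which is far broader than the stated need — anything else that lives on a tmpfs with the generic label becomes writable by the time daemon. If the gpsd interface is a named file or segment, a dedicated type with a filetrans rule would be the right scope; failing that, keep the comment but make the gap explicit: `# gpsd shared-memory feed lives on tmpfs; no narrower type exists yet (TODO: dedicated type)`. The `ntpd_key_t` split in the hunk above is a good move in the other direction and could be mentioned in the same place for contrast.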
-120,6 +135,10 @@ + ') + + optional_policy(` ++ hal_dontaudit_write_log(ntpd_t) ++') ++ ++optional_policy(` + logrotate_exec(ntpd_t) + ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te +--- nsaserefpolicy/policy/modules/services/oddjob.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/oddjob.te 2008-01-04 12:24:30.000000000 -0500 +@@ -15,6 +15,7 @@ + type oddjob_mkhomedir_t; + type oddjob_mkhomedir_exec_t; + domain_type(oddjob_mkhomedir_t) ++domain_obj_id_change_exemption(oddjob_mkhomedir_t) + init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + +@@ -68,20 +69,38 @@ + # oddjob_mkhomedir local policy + # + ++allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; ++allow oddjob_mkhomedir_t self:process setfscreate; + allow oddjob_mkhomedir_t self:fifo_file { read write }; + allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; + + files_read_etc_files(oddjob_mkhomedir_t) + ++kernel_read_system_state(oddjob_mkhomedir_t) ++ ++auth_use_nsswitch(oddjob_mkhomedir_t) ++ + libs_use_ld_so(oddjob_mkhomedir_t) + libs_use_shared_libs(oddjob_mkhomedir_t) + ++logging_send_syslog_msg(oddjob_mkhomedir_t) ++ + miscfiles_read_localization(oddjob_mkhomedir_t) + ++selinux_get_fs_mount(oddjob_mkhomedir_t) ++selinux_validate_context(oddjob_mkhomedir_t) ++selinux_compute_access_vector(oddjob_mkhomedir_t) ++selinux_compute_create_context(oddjob_mkhomedir_t) ++selinux_compute_relabel_context(oddjob_mkhomedir_t) ++selinux_compute_user_contexts(oddjob_mkhomedir_t) ++ ++seutil_read_config(oddjob_mkhomedir_t) ++seutil_read_file_contexts(oddjob_mkhomedir_t) ++seutil_read_default_contexts(oddjob_mkhomedir_t) ++ + # Add/remove user home directories ++userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t) + 
userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t) +-userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t) +-userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t) +-userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t) +-userdom_manage_staff_home_dirs(oddjob_mkhomedir_t) ++userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t) ++userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t) + userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.5/policy/modules/services/openct.te +--- nsaserefpolicy/policy/modules/services/openct.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/openct.te 2007-12-19 05:38:09.000000000 -0500 +@@ -22,6 +22,7 @@ + allow openct_t self:process signal_perms; + + manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t) ++manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t) + files_pid_filetrans(openct_t,openct_var_run_t,file) + + kernel_read_kernel_sysctls(openct_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.2.5/policy/modules/services/openvpn.fc +--- nsaserefpolicy/policy/modules/services/openvpn.fc 2007-06-11 16:05:22.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/openvpn.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -11,5 +11,5 @@ + # + # /var + # +-/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0) ++/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) + /var/run/openvpn(/.*)? 
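Review bot: In the `@@ -68,20 +69,38 @@` hunk of oddjob.te, `userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)` is added two lines above `userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)`; the second appears to be a superset of the first, so the first is redundant. More importantly the helper, which now also holds `chown fowner fsetid dac_override` and `setfscreate`, gets manage rights over every existing user's home content including privileged roles, whereas creating a new home directory from a skeleton only needs to create and populate new trees. If the all-users form is required (for example because the new home may belong to a staff or sysadm user), add a comment saying so, e.g. `# new homes may belong to any role, so all home content types are needed`, and drop the unpriv line.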
gen_context(system_u:object_r:openvpn_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.5/policy/modules/services/openvpn.te +--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/openvpn.te 2007-12-19 05:38:09.000000000 -0500 +@@ -8,7 +8,7 @@ + + ## + ##

+-## Allow openvpn to read home directories ++## Allow openvpn service access to users home directories + ##

+ ##
+ gen_tunable(openvpn_enable_homedirs,false) +@@ -35,7 +35,7 @@ + # openvpn local policy + # + +-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config }; ++allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; + allow openvpn_t self:process { signal getsched }; + + allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -110,3 +110,12 @@ + + networkmanager_dbus_chat(openvpn_t) + ') ++ ++ ++# Need to interact with terminals if config option "auth-user-pass" is used ++userdom_use_sysadm_terms(openvpn_t) ++ ++optional_policy(` ++ unconfined_use_terminals(openvpn_t) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.5/policy/modules/services/pcscd.te +--- nsaserefpolicy/policy/modules/services/pcscd.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/pcscd.te 2007-12-19 05:38:09.000000000 -0500 +@@ -45,6 +45,7 @@ + files_read_etc_files(pcscd_t) + files_read_etc_runtime_files(pcscd_t) + ++term_use_unallocated_ttys(pcscd_t) + term_dontaudit_getattr_pty_dirs(pcscd_t) + + libs_use_ld_so(pcscd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.5/policy/modules/services/pegasus.te +--- nsaserefpolicy/policy/modules/services/pegasus.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/pegasus.te 2007-12-19 05:38:09.000000000 -0500 +@@ -42,6 +42,7 @@ + allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink }; + allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; + ++manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t) + manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t) + manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t) + filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ 
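Review bot: In the `@@ -110,3 +110,12 @@` hunk of openvpn.te, `userdom_use_sysadm_terms(openvpn_t)` and the `unconfined_use_terminals(openvpn_t)` block are granted unconditionally, while the comment above them says they are only needed when `auth-user-pass` is configured. Given that the `@@ -35,7 +35,7 @@` hunk also widens the daemon's capabilities with `sys_chroot`, a daemon that already holds `net_admin` should not get terminal access on every install; gate these rules on a tunable the way `openvpn_enable_homedirs` gates home directory access in the `@@ -8` hunk. The hunk also introduces two consecutive blank lines before the comment and a trailing blank line at end of file.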
file dir }) +@@ -95,13 +96,12 @@ + + auth_use_nsswitch(pegasus_t) + auth_domtrans_chk_passwd(pegasus_t) ++auth_read_shadow(pegasus_t) + + domain_use_interactive_fds(pegasus_t) + domain_read_all_domains_state(pegasus_t) + +-files_read_etc_files(pegasus_t) +-files_list_var_lib(pegasus_t) +-files_read_var_lib_files(pegasus_t) ++files_read_all_files(pegasus_t) + files_read_var_lib_symlinks(pegasus_t) + + hostname_exec(pegasus_t) +@@ -113,19 +113,16 @@ + libs_use_shared_libs(pegasus_t) + + logging_send_audit_msgs(pegasus_t) ++logging_send_syslog_msg(pegasus_t) + + miscfiles_read_localization(pegasus_t) + +-sysnet_read_config(pegasus_t) ++sysnet_domtrans_ifconfig(pegasus_t) + + userdom_dontaudit_use_unpriv_user_fds(pegasus_t) + userdom_dontaudit_search_sysadm_home_dirs(pegasus_t) + + optional_policy(` +- logging_send_syslog_msg(pegasus_t) +-') +- +-optional_policy(` + rpm_exec(pegasus_t) + ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.5/policy/modules/services/polkit.fc +--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/polkit.fc 2007-12-19 09:37:14.000000000 -0500 +@@ -0,0 +1,6 @@ ++ ++/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) ++ ++/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) ++/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) ++/var/lib/PolicyKit-public(/.*)? 
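Review bot: In the `@@ -95,13 +96,12 @@` hunk of pegasus.te, `files_read_all_files(pegasus_t)` replaces `files_read_etc_files`, `files_list_var_lib` and `files_read_var_lib_files`, and `auth_read_shadow(pegasus_t)` is added next to the existing `auth_domtrans_chk_passwd(pegasus_t)`. A network-facing CIM server now reads every file type in the system and the shadow database directly, which is a much larger read surface than the three replaced rules covered. If the requirement is a few provider data paths, keep the narrower interfaces and add the missing ones; if shadow must be read in-domain, a comment should explain why the chk_passwd domain transition is not sufficient, e.g. `# pegasus PAM provider reads shadow directly; chkpwd helper cannot be used because ...`.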
gen_context(system_u:object_r:polkit_var_lib_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.5/policy/modules/services/polkit.if +--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/polkit.if 2007-12-19 05:38:09.000000000 -0500 +@@ -0,0 +1,60 @@ ++ ++## policy for polkit_auth ++ ++######################################## ++## ++## Execute a domain transition to run polkit_auth. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`polkit_domtrans_auth',` ++ gen_require(` ++ type polkit_auth_t; ++ type polkit_auth_exec_t; ++ ') ++ ++ domtrans_pattern($1,polkit_auth_exec_t,polkit_auth_t) ++') ++ ++######################################## ++## ++## Search polkit lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`polkit_search_lib',` ++ gen_require(` ++ type polkit_var_lib_t; ++ ') ++ ++ allow $1 polkit_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## read polkit lib files ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`polkit_read_lib',` ++ gen_require(` ++ type polkit_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.5/policy/modules/services/polkit.te +--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/polkit.te 2007-12-19 15:17:09.000000000 -0500 +@@ -0,0 +1,63 @@ ++policy_module(polkit_auth,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type polkit_auth_t; ++type polkit_auth_exec_t; ++domain_type(polkit_auth_t) ++init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) ++ ++type polkit_var_lib_t; ++files_type(polkit_var_lib_t) ++ ++type polkit_var_run_t; ++files_pid_file(polkit_var_run_t) ++ ++######################################## ++# ++# polkit_auth local policy ++# ++ ++allow polkit_auth_t self:process getattr; ++ ++allow polkit_auth_t self:unix_dgram_socket create_socket_perms; ++allow polkit_auth_t self:fifo_file rw_file_perms; ++allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms; ++ ++can_exec(polkit_auth_t, polkit_auth_exec_t) ++corecmd_search_bin(polkit_auth_t) ++ ++domain_use_interactive_fds(polkit_auth_t) ++ ++files_read_etc_files(polkit_auth_t) ++files_read_usr_files(polkit_auth_t) ++ ++auth_use_nsswitch(polkit_auth_t) ++ ++libs_use_ld_so(polkit_auth_t) ++libs_use_shared_libs(polkit_auth_t) ++ ++miscfiles_read_localization(polkit_auth_t) ++ ++logging_send_syslog_msg(polkit_auth_t) ++ ++manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) ++ ++# pid file ++manage_dirs_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t) ++manage_files_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t) ++files_pid_filetrans(polkit_auth_t,polkit_var_run_t, { file dir }) ++ ++optional_policy(` ++ 
dbus_system_bus_client_template(polkit_auth, polkit_auth_t) ++ consolekit_dbus_chat(polkit_auth_t) ++') ++ ++optional_policy(` ++ hal_getattr(polkit_auth_t) ++ hal_read_state(polkit_auth_t) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.5/policy/modules/services/postfix.fc +--- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/postfix.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -29,12 +29,10 @@ + /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) + /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) + /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) +-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) + ') + /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) + /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) + /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +-/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) + /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) + /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) + /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if +--- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2007-12-19 05:38:09.000000000 -0500 +@@ -416,7 +416,7 @@ + ##
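Review bot: The new polkit.te declares `policy_module(polkit_auth,1.0.0)` while the files are named polkit.te, polkit.if and polkit.fc and the interfaces in polkit.if are prefixed `polkit_`; the refpolicy build, as far as I recall, derives the module name from the .te file name, so the installed module and its declared name would disagree. Use `policy_module(polkit,1.0.0)` to match the file and interface prefix. Separately, `manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t)` is not accompanied by `files_search_var_lib(polkit_auth_t)` here, although the `polkit_read_lib` interface in polkit.if does call it for its callers; confirm the daemon can actually reach /var/lib/PolicyKit.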
+ ## + # +-interface(`postfix_create_pivate_sockets',` ++interface(`postfix_create_private_sockets',` + gen_require(` + type postfix_private_t; + ') +@@ -427,6 +427,26 @@ + + ######################################## + ## ++## manage named socket in a postfix private directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_manage_private_sockets',` ++ gen_require(` ++ type postfix_private_t; ++ ') ++ ++ allow $1 postfix_private_t:dir list_dir_perms; ++ manage_sock_files_pattern($1,postfix_private_t,postfix_private_t) ++') ++ ++ ++######################################## ++## + ## Execute the master postfix program in the + ## postfix_master domain. + ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te +--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2007-12-31 14:18:01.000000000 -0500 +@@ -6,6 +6,14 @@ + # Declarations + # + ++## ++##
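Review bot: The `@@ -416,7 +416,7 @@` hunk of postfix.if renames `postfix_create_pivate_sockets` to `postfix_create_private_sockets` without keeping the old name; any module elsewhere in the tree still calling the misspelled name will fail to build, since an undefined m4 macro is left unexpanded and then rejected by the policy compiler. Keep a deprecated wrapper under the old name for one release so callers can migrate. The body of the renamed interface continues outside the hunk.

```selinux
interface(`postfix_create_pivate_sockets',`
	refpolicywarn(`$0($*) has been deprecated, use postfix_create_private_sockets() instead.')
	postfix_create_private_sockets($1)
')
```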
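Review bot: In the `@@ -427,6 +427,26 @@` hunk of postfix.if, the new `postfix_manage_private_sockets` interface is followed by two blank lines before the next `####` separator, where the surrounding file uses one. The summary also reads `manage named socket in a postfix private directory.`; the sibling summaries on this page are capitalised and plural, so `## Manage named sockets in a postfix private directory.` would match.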

++## Allow postfix_local domain full write access to mail_spool directories ++## ++##

++##
++gen_tunable(allow_postfix_local_write_mail_spool,false) ++ + attribute postfix_user_domains; + # domains that transition to the + # postfix user domains +@@ -27,6 +35,10 @@ + postfix_server_domain_template(local) + mta_mailserver_delivery(postfix_local_t) + ++tunable_policy(`allow_postfix_local_write_mail_spool', ` ++ mta_rw_spool(postfix_local_t) ++') ++ + type postfix_local_tmp_t; + files_tmp_file(postfix_local_tmp_t) + +@@ -34,6 +46,7 @@ + type postfix_map_t; + type postfix_map_exec_t; + application_domain(postfix_map_t,postfix_map_exec_t) ++role system_r types postfix_map_t; + + type postfix_map_tmp_t; + files_tmp_file(postfix_map_tmp_t) +@@ -99,6 +112,7 @@ + allow postfix_master_t self:fifo_file rw_fifo_file_perms; + allow postfix_master_t self:tcp_socket create_stream_socket_perms; + allow postfix_master_t self:udp_socket create_socket_perms; ++allow postfix_master_t self:process setrlimit; + + allow postfix_master_t postfix_etc_t:file rw_file_perms; + +@@ -174,6 +188,7 @@ + + mta_rw_aliases(postfix_master_t) + mta_read_sendmail_bin(postfix_master_t) ++mta_getattr_spool(postfix_master_t) + + optional_policy(` + cyrus_stream_connect(postfix_master_t) +@@ -248,6 +263,10 @@ + + corecmd_exec_bin(postfix_cleanup_t) + ++optional_policy(` ++ mailman_read_data_files(postfix_cleanup_t) ++') ++ + ######################################## + # + # Postfix local local policy +@@ -273,6 +292,8 @@ + + files_read_etc_files(postfix_local_t) + ++logging_dontaudit_search_logs(postfix_local_t) ++ + mta_read_aliases(postfix_local_t) + mta_delete_spool(postfix_local_t) + # For reading spamassasin +@@ -285,6 +306,8 @@ + optional_policy(` + # for postalias + mailman_manage_data_files(postfix_local_t) ++ mailman_append_log(postfix_local_t) ++ mailman_read_log(postfix_local_t) + ') + + optional_policy(` +@@ -295,8 +318,7 @@ + # + # Postfix map local policy + # +- +-allow postfix_map_t self:capability setgid; ++allow postfix_map_t self:capability { dac_override setgid setuid }; + 
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; + allow postfix_map_t self:unix_dgram_socket create_socket_perms; + allow postfix_map_t self:tcp_socket create_stream_socket_perms; +@@ -346,8 +368,6 @@ + + miscfiles_read_localization(postfix_map_t) + +-seutil_read_config(postfix_map_t) +- + tunable_policy(`read_default_t',` + files_list_default(postfix_map_t) + files_read_default_files(postfix_map_t) +@@ -360,6 +380,11 @@ + locallogin_dontaudit_use_fds(postfix_map_t) + ') + ++optional_policy(` ++# for postalias ++ mailman_manage_data_files(postfix_map_t) ++') ++ + ######################################## + # + # Postfix pickup local policy +@@ -392,6 +417,10 @@ + rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) + + optional_policy(` ++ dovecot_domtrans_deliver(postfix_pipe_t) ++') ++ ++optional_policy(` + procmail_domtrans(postfix_pipe_t) + ') + +@@ -400,6 +429,10 @@ + ') + + optional_policy(` ++ mta_manage_spool(postfix_pipe_t) ++') ++ ++optional_policy(` + uucp_domtrans_uux(postfix_pipe_t) + ') + +@@ -532,9 +565,6 @@ + # connect to master process + stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) + +-# Connect to policy server +-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) +- + # for prng_exch + allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; + allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; +@@ -557,6 +587,10 @@ + sasl_connect(postfix_smtpd_t) + ') + ++optional_policy(` ++ dovecot_auth_stream_connect(postfix_smtpd_t) ++') ++ + ######################################## + # + # Postfix virtual local policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.5/policy/modules/services/postgresql.fc +--- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/postgresql.fc 
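Review bot: In the `@@ -295,8 +318,7 @@` hunk of postfix.te the capability set of `postfix_map_t` grows from `setgid` to `{ dac_override setgid setuid }` with no comment; since `postfix_map_t` is declared with `application_domain` (context of the `@@ -34,6 +46,7 @@` hunk), this looks like a domain users enter via postmap/postalias, and `dac_override` lets it read map sources regardless of DAC ownership. Please add a comment naming the operation that needs each capability, e.g. `# postalias drops privileges via setuid/setgid; dac_override for root-owned alias sources`, or drop the ones an audit log does not show. The `@@ -346,8 +368,6 @@` hunk also removes `seutil_read_config(postfix_map_t)` silently, and in the `@@ -360,6 +380,11 @@` hunk the `# for postalias` comment sits at column 0 inside the `optional_policy` block unlike the indented one in `@@ -285`.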
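Review bot: The `@@ -400,6 +429,10 @@` hunk wraps `mta_manage_spool(postfix_pipe_t)` in an `optional_policy` block, while every other `mta_` call in this file (`mta_read_aliases`, `mta_delete_spool`, `mta_getattr_spool` in `@@ -174`) is made unconditionally, so the conditional is inconsistent and hides that the rule is always wanted. The rule itself gives the pipe delivery agent manage rights on the whole mail spool where the existing context line only grants `rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)`; if a narrower `mta_rw_spool` or `mta_append_spool` satisfies the pipe transport, prefer it and add a comment naming the delivery command that needs it.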
2007-12-19 05:38:09.000000000 -0500 +@@ -38,3 +38,5 @@ + ') + + /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) ++ ++/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.5/policy/modules/services/postgresql.if +--- nsaserefpolicy/policy/modules/services/postgresql.if 2007-11-29 13:29:35.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/postgresql.if 2007-12-19 05:38:09.000000000 -0500 +@@ -120,3 +120,77 @@ + # Some versions of postgresql put the sock file in /tmp + allow $1 postgresql_tmp_t:sock_file write; + ') ++ ++######################################## ++## ++## Execute postgresql server in the posgresql domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`postgresql_script_domtrans',` ++ gen_require(` ++ type postgresql_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,postgresql_script_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate an postgresql environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the postgresql domain. ++## ++## ++## ++## ++## The type of the terminal allow the postgresql domain to use. 
++## ++## ++## ++# ++interface(`postgresql_admin',` ++ gen_require(` ++ type postgresql_t; ++ type postgresql_var_run_t; ++ type postgresql_tmp_t; ++ type postgresql_db_t; ++ type postgresql_etc_t; ++ type postgresql_log_t; ++ ') ++ ++ allow $1 postgresql_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, postgresql_t, postgresql_t) ++ ++ # Allow $1 to restart the apache service ++ postgresql_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 postgresql_script_exec_t system_r; ++ allow $2 system_r; ++ ++ manage_dirs_pattern($1,postgresql_var_run_t,postgresql_var_run_t) ++ manage_files_pattern($1,postgresql_var_run_t,postgresql_var_run_t) ++ ++ manage_dirs_pattern($1,postgresql_db_t,postgresql_db_t) ++ manage_files_pattern($1,postgresql_db_t,postgresql_db_t) ++ ++ manage_dirs_pattern($1,postgresql_etc_t,postgresql_etc_t) ++ manage_files_pattern($1,postgresql_etc_t,postgresql_etc_t) ++ ++ manage_dirs_pattern($1,postgresql_log_t,postgresql_log_t) ++ manage_files_pattern($1,postgresql_log_t,postgresql_log_t) ++ ++ manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t) ++ manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.5/policy/modules/services/postgresql.te +--- nsaserefpolicy/policy/modules/services/postgresql.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/postgresql.te 2007-12-19 05:38:09.000000000 -0500 +@@ -27,6 +27,9 @@ + type postgresql_var_run_t; + files_pid_file(postgresql_var_run_t) + ++type postgresql_script_exec_t; ++init_script_type(postgresql_script_exec_t) ++ + ######################################## + # + # postgresql Local policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.5/policy/modules/services/ppp.fc +--- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 
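Review bot: `postgresql_admin` in the postgresql.if hunk documents a third parameter, "The type of the terminal allow the postgresql domain to use", but the body never references `$3`, so the documentation promises behaviour the interface does not have; either add the terminal rule or drop the parameter block. The comment `# Allow $1 to restart the apache service` is a copy-paste from the apache admin interface and should read `# Allow $1 to restart the postgresql service`. `role_transition $2 postgresql_script_exec_t system_r;` uses a type that is not listed in this interface's `gen_require` (it is only required inside the nested `postgresql_script_domtrans` call); list it explicitly as the other types are. The summaries also contain the typos "posgresql" and "an postgresql".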
-0500 ++++ serefpolicy-3.2.5/policy/modules/services/ppp.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -25,7 +25,7 @@ + # + # /var + # +-/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0) ++/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) + /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) + /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) + # Fix pptp sockets +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.5/policy/modules/services/ppp.te +--- nsaserefpolicy/policy/modules/services/ppp.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/ppp.te 2007-12-31 17:30:15.000000000 -0500 +@@ -162,6 +162,8 @@ + init_read_utmp(pppd_t) + init_dontaudit_write_utmp(pppd_t) + ++auth_use_nsswitch(pppd_t) ++ + libs_use_ld_so(pppd_t) + libs_use_shared_libs(pppd_t) + +@@ -194,14 +196,12 @@ + + optional_policy(` + mta_send_mail(pppd_t) ++ mta_mailcontent(pppd_etc_t) ++ mta_mailcontent(pppd_etc_rw_t) + ') + + optional_policy(` +- nis_use_ypbind(pppd_t) +-') +- +-optional_policy(` +- nscd_socket_use(pppd_t) ++ networkmanager_signal(pppd_t) + ') + + optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.2.5/policy/modules/services/procmail.if +--- nsaserefpolicy/policy/modules/services/procmail.if 2007-01-02 12:57:43.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/procmail.if 2007-12-31 15:18:55.000000000 -0500 +@@ -39,3 +39,22 @@ + corecmd_search_bin($1) + can_exec($1,procmail_exec_t) + ') ++ ++######################################## ++## ++## Read procmail tmp files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`procmail_read_tmp_files',` ++ gen_require(` ++ type procmail_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 procmail_tmp_t:file read_file_perms; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te +--- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-03 10:56:43.000000000 -0500 +@@ -129,7 +129,9 @@ + corenet_udp_bind_generic_port(procmail_t) + corenet_dontaudit_udp_bind_all_ports(procmail_t) + +- spamassassin_exec(procmail_t) +- spamassassin_exec_client(procmail_t) +- spamassassin_read_lib_files(procmail_t) ++ spamassassin_domtrans(procmail_t) ++') ++ ++optional_policy(` ++ mailscanner_read_spool(procmail_t) + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.5/policy/modules/services/pyzor.fc +--- nsaserefpolicy/policy/modules/services/pyzor.fc 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/pyzor.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -1,6 +1,6 @@ + /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) + +-HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0) ++HOME_DIR/\.pyzor(/.*)? 
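Review bot: In the `@@ -129,7 +129,9 @@` hunk of procmail.te, `spamassassin_domtrans(procmail_t)` replaces three rules including `spamassassin_exec_client(procmail_t)`; if the new interface only covers the spamassassin script and not the spamc client, procmailrc recipes that pipe through spamc will start failing with exec denials. Please confirm that the client is covered, or keep `spamassassin_exec_client(procmail_t)` alongside the domain transition. The `optional_policy` block these lines belong to begins outside the hunk.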
gen_context(system_u:object_r:user_pyzor_home_t,s0) + + /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) + /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.5/policy/modules/services/pyzor.if +--- nsaserefpolicy/policy/modules/services/pyzor.if 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/pyzor.if 2007-12-19 05:38:09.000000000 -0500 +@@ -25,16 +25,18 @@ + # + template(`pyzor_per_role_template',` + gen_require(` +- type pyzord_t; ++ type pyzor_t; ++ type user_pyzor_home_t; + ') + +- type $1_pyzor_home_t; +- userdom_user_home_content($1, $1_pyzor_home_t) ++ ifelse(`$1',`user',`',` ++ typealias user_pyzor_home_t alias $1_pyzor_home_t; ++ ') + +- manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) +- manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) +- manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t) +- userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file }) ++ manage_dirs_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t) ++ manage_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t) ++ manage_lnk_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t) ++ userdom_user_home_dir_filetrans($1,pyzor_t,user_pyzor_home_t,{ dir file lnk_file }) + ') + + ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te +--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-31 15:19:10.000000000 -0500 +@@ -28,6 +28,9 @@ + type pyzor_var_lib_t; + files_type(pyzor_var_lib_t) + ++type user_pyzor_home_t; ++userdom_user_home_content(user,user_pyzor_home_t) ++ + ######################################## + # + # Pyzor 
local policy +@@ -68,6 +71,8 @@ + + miscfiles_read_localization(pyzor_t) + ++mta_read_queue(pyzor_t) ++ + userdom_dontaudit_search_sysadm_home_dirs(pyzor_t) + + optional_policy(` +@@ -76,8 +81,13 @@ + ') + + optional_policy(` ++ procmail_read_tmp_files(pyzor_t) ++') ++ ++optional_policy(` + spamassassin_signal_spamd(pyzor_t) + spamassassin_read_spamd_tmp_files(pyzor_t) ++ userdom_read_user_home_content_files(unconfined,pyzor_t) + ') + + ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.2.5/policy/modules/services/qmail.te +--- nsaserefpolicy/policy/modules/services/qmail.te 2007-10-02 09:54:52.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/qmail.te 2008-01-07 16:36:33.000000000 -0500 +@@ -85,6 +85,8 @@ + libs_use_ld_so(qmail_inject_t) + libs_use_shared_libs(qmail_inject_t) + ++miscfiles_read_localization(qmail_inject_t) ++ + qmail_read_config(qmail_inject_t) + + ######################################## +@@ -106,15 +108,25 @@ + + kernel_read_system_state(qmail_local_t) + ++corecmd_exec_bin(qmail_local_t) + corecmd_exec_shell(qmail_local_t) ++can_exec(qmail_local_t, qmail_local_exec_t) + + files_read_etc_files(qmail_local_t) + files_read_etc_runtime_files(qmail_local_t) + ++auth_use_nsswitch(qmail_local_t) ++ ++logging_send_syslog(qmail_local_t) ++ + mta_append_spool(qmail_local_t) + + qmail_domtrans_queue(qmail_local_t) + ++optional_policy(` ++ spamassassin_domtrans_spamc(qmail_local_t) ++') ++ + ######################################## + # + # qmail-lspawn local policy +@@ -155,6 +167,10 @@ + manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t) + rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t) + ++corecmd_exec_bin(qmail_queue_t) ++ ++logging_send_syslog(qmail_queue_t) ++ + optional_policy(` + daemontools_ipc_domain(qmail_queue_t) + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc 
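Review bot: In the `@@ -76,8 +81,13 @@` hunk of pyzor.te, `userdom_read_user_home_content_files(unconfined,pyzor_t)` is placed inside the spamassassin `optional_policy` block, so pyzor's read access to unconfined users' home files silently depends on whether the spamassassin module happens to be loaded; it is a userdom rule, not a spamassassin one, and belongs in its own block or at top level. With `user_pyzor_home_t` now declared in the `@@ -28,6 +28,9 @@` hunk, consider whether the client only needs that type rather than all of the unconfined user's home content, and add a comment explaining the choice, e.g. `# pyzor reads ~/.pyzor of the invoking user`.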
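Review bot: `logging_send_syslog(qmail_local_t)` in the `@@ -106,15 +108,25 @@` hunk of qmail.te, and `logging_send_syslog(qmail_queue_t)` in `@@ -155,6 +167,10 @@`, do not match the interface name used everywhere else on this page (`logging_send_syslog_msg(nscd_t)`, `logging_send_syslog_msg(pegasus_t)`, `logging_send_syslog_msg(oddjob_mkhomedir_t)`, `logging_send_syslog_msg(polkit_auth_t)`). An interface name m4 does not know is left unexpanded and the module then fails to compile, so both lines should read `logging_send_syslog_msg(qmail_local_t)` and `logging_send_syslog_msg(qmail_queue_t)` unless a `logging_send_syslog` interface exists outside this page.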
serefpolicy-3.2.5/policy/modules/services/razor.fc +--- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -1,4 +1,4 @@ +-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) ++HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:user_razor_home_t,s0) + + /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.5/policy/modules/services/razor.if +--- nsaserefpolicy/policy/modules/services/razor.if 2007-07-16 14:09:46.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/razor.if 2007-12-19 05:38:09.000000000 -0500 +@@ -137,6 +137,7 @@ + template(`razor_per_role_template',` + gen_require(` + type razor_exec_t; ++ type user_razor_home_t, user_razor_tmp_t; + ') + + type $1_razor_t; +@@ -145,12 +146,10 @@ + razor_common_domain_template($1_razor) + role $3 types $1_razor_t; + +- type $1_razor_home_t alias $1_razor_rw_t; +- files_poly_member($1_razor_home_t) +- userdom_user_home_content($1,$1_razor_home_t) +- +- type $1_razor_tmp_t; +- files_tmp_file($1_razor_tmp_t) ++ ifelse(`$1',`user',`',` ++ typealias user_razor_home_t alias $1_razor_home_t; ++ typealias user_razor_tmp_t alias $1_razor_tmp_t; ++ ') + + ############################## + # +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.5/policy/modules/services/razor.te +--- nsaserefpolicy/policy/modules/services/razor.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/razor.te 2007-12-19 05:38:09.000000000 -0500 +@@ -23,6 +23,12 @@ + + razor_common_domain_template(razor) + ++type user_razor_home_t; ++userdom_user_home_content(user,user_razor_home_t) ++ ++type user_razor_tmp_t; ++files_tmp_file(user_razor_tmp_t) ++ + ######################################## + # + # 
Local policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.5/policy/modules/services/remotelogin.if +--- nsaserefpolicy/policy/modules/services/remotelogin.if 2006-11-16 17:15:21.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/remotelogin.if 2007-12-19 05:38:09.000000000 -0500 +@@ -18,3 +18,20 @@ + auth_domtrans_login_program($1,remote_login_t) + ') + ++######################################## ++## ++## allow Domain to signal remote login domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`remotelogin_signal',` ++ gen_require(` ++ type remote_login_t; ++ ') ++ ++ allow $1 remote_login_t:process signal; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.5/policy/modules/services/remotelogin.te +--- nsaserefpolicy/policy/modules/services/remotelogin.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/remotelogin.te 2007-12-19 05:38:09.000000000 -0500 +@@ -85,6 +85,7 @@ + + miscfiles_read_localization(remote_login_t) + ++userdom_read_all_users_home_dirs_symlinks(remote_login_t) + userdom_use_unpriv_users_fds(remote_login_t) + userdom_search_all_users_home_content(remote_login_t) + # Only permit unprivileged user domains to be entered via rlogin, +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.5/policy/modules/services/rlogin.te +--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/rlogin.te 2007-12-19 05:38:09.000000000 -0500 +@@ -36,6 +36,8 @@ + allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr }; + term_create_pty(rlogind_t,rlogind_devpts_t) + ++domain_interactive_fd(rlogind_t) ++ + # for /usr/lib/telnetlogin + can_exec(rlogind_t, rlogind_exec_t) + +@@ -82,23 +84,21 @@ + + 
miscfiles_read_localization(rlogind_t) + +-seutil_dontaudit_search_config(rlogind_t) ++seutil_read_config(rlogind_t) + + userdom_setattr_unpriv_users_ptys(rlogind_t) + # cjp: this is egregious + userdom_read_all_users_home_content_files(rlogind_t) + + remotelogin_domtrans(rlogind_t) ++remotelogin_signal(rlogind_t) + + optional_policy(` ++ kerberos_use(rlogind_t) + kerberos_read_keytab(rlogind_t) ++ kerberos_manage_host_rcache(rlogind_t) + ') + + optional_policy(` + tcpd_wrapped_domain(rlogind_t, rlogind_exec_t) + ') +- +-ifdef(`TODO',` +-# Allow krb5 rlogind to use fork and open /dev/tty for use +-allow rlogind_t userpty_type:chr_file setattr; +-') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.5/policy/modules/services/rpcbind.te +--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/rpcbind.te 2007-12-19 05:38:09.000000000 -0500 +@@ -21,11 +21,13 @@ + # rpcbind local policy + # + +-allow rpcbind_t self:capability setuid; ++allow rpcbind_t self:capability { dac_override setuid sys_tty_config }; + allow rpcbind_t self:fifo_file rw_file_perms; + allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; + allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; + allow rpcbind_t self:udp_socket create_socket_perms; ++# BROKEN ... 
++dontaudit rpcbind_t self:udp_socket listen; + allow rpcbind_t self:tcp_socket create_stream_socket_perms; + + manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) +@@ -37,6 +39,7 @@ + manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) + files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) + ++kernel_read_system_state(rpcbind_t) + kernel_read_network_state(rpcbind_t) + + corenet_all_recvfrom_unlabeled(rpcbind_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.5/policy/modules/services/rpc.if +--- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/rpc.if 2007-12-19 05:38:09.000000000 -0500 +@@ -88,8 +88,11 @@ + # bind to arbitary unused ports + corenet_tcp_bind_generic_port($1_t) + corenet_udp_bind_generic_port($1_t) +- corenet_udp_bind_reserved_port($1_t) ++ corenet_dontaudit_tcp_bind_all_ports($1_t) ++ corenet_dontaudit_udp_bind_all_ports($1_t) + corenet_sendrecv_generic_server_packets($1_t) ++ corenet_tcp_bind_all_rpc_ports($1_t) ++ corenet_udp_bind_all_rpc_ports($1_t) + + fs_rw_rpc_named_pipes($1_t) + fs_search_auto_mountpoints($1_t) +@@ -208,6 +211,24 @@ + + ######################################## + ## ++## Execute domain in nfsd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`rpc_domtrans_rpcd',` ++ gen_require(` ++ type rpcd_t, rpcd_exec_t; ++ ') ++ ++ domtrans_pattern($1,rpcd_exec_t,rpcd_t) ++') ++ ++######################################## ++## + ## Read NFS exported content. 
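Review bot: `dac_override` is added to rpcbind_t's capability set with no comment saying which file access needs it; for a network-facing service it bypasses all DAC file permissions, so the specific path should be named in a comment (or the file relabelled so a narrower rule suffices). The `# BROKEN ...` comment above the new `dontaudit rpcbind_t self:udp_socket listen;` should also state what is broken — presumably rpcbind calling listen() on a UDP socket — e.g. `# BROKEN: rpcbind calls listen() on its UDP socket; silence the denial rather than allow it`, confirmed against the actual AVC. The rpcbind local policy block continues outside the hunk.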
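Review bot: `corenet_dontaudit_tcp_bind_all_ports($1_t)` and `corenet_dontaudit_udp_bind_all_ports($1_t)` silence bind denials on every port type for every RPC daemon built from this template, which will also hide genuine misconfigurations later. The comment above (`# bind to arbitary unused ports`) does not explain the dontaudit; if it is because the daemons probe successive ports until one binds, say so: `# daemons try successive ports until bind succeeds; do not audit the failures`. Replacing `corenet_udp_bind_reserved_port` with `corenet_*_bind_all_rpc_ports` is fine but is a behaviour change worth a line too. The template body continues outside the hunk.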
+ ## + ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.5/policy/modules/services/rpc.te +--- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/rpc.te 2007-12-19 05:38:09.000000000 -0500 +@@ -60,10 +60,14 @@ + manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) + files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) + ++corecmd_exec_bin(rpcd_t) ++ + kernel_read_system_state(rpcd_t) +-kernel_search_network_state(rpcd_t) ++kernel_read_network_state(rpcd_t) + # for rpc.rquotad + kernel_read_sysctl(rpcd_t) ++kernel_rw_fs_sysctls(rpcd_t) ++kernel_getattr_core_if(nfsd_t) + + fs_list_rpc(rpcd_t) + fs_read_rpc_files(rpcd_t) +@@ -77,11 +81,17 @@ + miscfiles_read_certs(rpcd_t) + + seutil_dontaudit_search_config(rpcd_t) ++selinux_dontaudit_read_fs(rpcd_t) + + optional_policy(` + nis_read_ypserv_config(rpcd_t) + ') + ++# automount -> mount -> rpcd ++optional_policy(` ++ automount_dontaudit_use_fds(rpcd_t) ++') ++ + ######################################## + # + # NFSD local policy +@@ -92,9 +102,13 @@ + allow nfsd_t exports_t:file { getattr read }; + allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; + ++dev_dontaudit_getattr_all_blk_files(nfsd_t) ++dev_dontaudit_getattr_all_chr_files(nfsd_t) ++ + # for /proc/fs/nfs/exports - should we have a new type? 
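Review bot: The summary on the new `rpc_domtrans_rpcd` interface reads `Execute domain in nfsd domain.`, which is wrong on both counts — the interface transitions to rpcd_t via `domtrans_pattern($1,rpcd_exec_t,rpcd_t)`. Suggest `Execute rpcd programs in the rpcd domain.`, matching the domtrans summaries elsewhere in the file.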
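Review bot: `kernel_getattr_core_if(nfsd_t)` is added in the rpcd_t local-policy block, and the following hunk adds `kernel_dontaudit_getattr_core_if(nfsd_t)` in the NFSD section; an allow and a dontaudit on the same permission for the same domain leaves the dontaudit dead and the allow unexplained. Most likely the domain here is a typo and should be `kernel_getattr_core_if(rpcd_t)`; if nfsd_t genuinely needs the access, drop the dontaudit instead. One of the two lines has to go either way.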
+ kernel_read_system_state(nfsd_t) + kernel_read_network_state(nfsd_t) ++kernel_dontaudit_getattr_core_if(nfsd_t) + + corenet_tcp_bind_all_rpc_ports(nfsd_t) + corenet_udp_bind_all_rpc_ports(nfsd_t) +@@ -124,6 +138,7 @@ + tunable_policy(`nfs_export_all_rw',` + fs_read_noxattr_fs_files(nfsd_t) + auth_manage_all_files_except_shadow(nfsd_t) ++ userdom_generic_user_home_dir_filetrans_generic_user_home_content(nfsd_t, { file dir }) + ') + + tunable_policy(`nfs_export_all_ro',` +@@ -144,6 +159,7 @@ + manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) + files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) + ++kernel_read_system_state(gssd_t) + kernel_read_network_state(gssd_t) + kernel_read_network_state_symlinks(gssd_t) + kernel_search_network_sysctl(gssd_t) +@@ -157,8 +173,13 @@ + files_list_tmp(gssd_t) + files_read_usr_symlinks(gssd_t) + ++auth_read_cache(gssd_t) ++ + miscfiles_read_certs(gssd_t) + ++userdom_dontaudit_search_users_home_dirs(rpcd_t) ++userdom_dontaudit_search_sysadm_home_dirs(rpcd_t) ++ + tunable_policy(`allow_gssd_read_tmp',` + userdom_list_unpriv_users_tmp(gssd_t) + userdom_read_unpriv_users_tmp_files(gssd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.5/policy/modules/services/rshd.te +--- nsaserefpolicy/policy/modules/services/rshd.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/rshd.te 2007-12-19 05:38:09.000000000 -0500 +@@ -16,7 +16,7 @@ + # + # Local policy + # +-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override }; ++allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; + allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; + allow rshd_t self:fifo_file rw_fifo_file_perms; + allow rshd_t self:tcp_socket create_stream_socket_perms; +@@ -33,6 +33,9 @@ + corenet_udp_sendrecv_all_ports(rshd_t) + corenet_tcp_bind_all_nodes(rshd_t) + corenet_tcp_bind_rsh_port(rshd_t) 
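Review bot: `userdom_dontaudit_search_users_home_dirs(rpcd_t)` and `userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)` are inserted into the gssd local-policy section between gssd_t rules; they belong with the other rpcd_t rules next to `seutil_dontaudit_search_config(rpcd_t)` earlier in the file. As placed, someone auditing gssd_t's access will misread them and the next gssd rule added here is likely to copy the wrong domain.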
++corenet_tcp_bind_all_rpc_ports(rshd_t) ++corenet_tcp_connect_all_ports(rshd_t) ++corenet_tcp_connect_all_rpc_ports(rshd_t) + corenet_sendrecv_rsh_server_packets(rshd_t) + + dev_read_urand(rshd_t) +@@ -44,20 +47,22 @@ + selinux_compute_relabel_context(rshd_t) + selinux_compute_user_contexts(rshd_t) + +-auth_domtrans_chk_passwd(rshd_t) ++auth_login_pgm_domain(rshd_t) ++auth_write_login_records(rshd_t) + + corecmd_read_bin_symlinks(rshd_t) + + files_list_home(rshd_t) + files_read_etc_files(rshd_t) +-files_search_tmp(rshd_t) ++files_manage_generic_tmp_dirs(rshd_t) + +-auth_use_nsswitch(rshd_t) ++init_rw_utmp(rshd_t) + + libs_use_ld_so(rshd_t) + libs_use_shared_libs(rshd_t) + + logging_send_syslog_msg(rshd_t) ++logging_search_logs(rshd_t) + + miscfiles_read_localization(rshd_t) + +@@ -78,6 +83,8 @@ + + optional_policy(` + kerberos_use(rshd_t) ++ kerberos_read_keytab(rshd_t) ++ kerberos_manage_host_rcache(rshd_t) + ') + + optional_policy(` +@@ -86,4 +93,5 @@ + + optional_policy(` + unconfined_shell_domtrans(rshd_t) ++ unconfined_signal(rshd_t) + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.5/policy/modules/services/rsync.fc +--- nsaserefpolicy/policy/modules/services/rsync.fc 2006-11-16 17:15:21.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/rsync.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -1,2 +1,4 @@ + + /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) ++ ++/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.5/policy/modules/services/rsync.te +--- nsaserefpolicy/policy/modules/services/rsync.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/rsync.te 2007-12-19 05:38:09.000000000 -0500 +@@ -31,6 +31,9 @@ + type rsync_data_t; + files_type(rsync_data_t) + ++type rsync_log_t; ++logging_log_file(rsync_log_t) ++ + type rsync_tmp_t; 
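Review bot: `corenet_tcp_connect_all_ports(rshd_t)` lets the pre-authentication rsh daemon open a TCP connection to any port on any host, and the hunk gives no reason; `corenet_tcp_connect_all_rpc_ports(rshd_t)` on the next line appears to be already covered by it, so one of the two is redundant. If this is for the rsh stderr back-channel, whose port the client chooses, say so: `# stderr back-channel: the client picks the port, so no single port type applies`, and consider whether a reserved-port interface would be sufficient instead of all ports. The rshd local policy block continues outside the hunk.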
+ files_tmp_file(rsync_tmp_t) + +@@ -42,7 +45,7 @@ + # Local policy + # + +-allow rsync_t self:capability sys_chroot; ++allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot }; + allow rsync_t self:process signal_perms; + allow rsync_t self:fifo_file rw_fifo_file_perms; + allow rsync_t self:tcp_socket create_stream_socket_perms; +@@ -52,7 +55,6 @@ + # cjp: this should probably only be inetd_child_t rules? + # search home and kerberos also. + allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +-allow rsync_t self:capability { setuid setgid }; + #end for identd + + allow rsync_t rsync_data_t:dir list_dir_perms; +@@ -95,7 +97,8 @@ + libs_use_shared_libs(rsync_t) + + logging_send_syslog_msg(rsync_t) +-logging_dontaudit_search_logs(rsync_t) ++manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t) ++logging_log_filetrans(rsync_t,rsync_log_t,file) + + miscfiles_read_localization(rsync_t) + miscfiles_read_public_files(rsync_t) +@@ -117,7 +120,6 @@ + ') + + tunable_policy(`rsync_export_all_ro',` +- allow rsync_t self:capability dac_override; + fs_read_noxattr_fs_files(rsync_t) + auth_read_all_files_except_shadow(rsync_t) + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.5/policy/modules/services/samba.fc +--- nsaserefpolicy/policy/modules/services/samba.fc 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/samba.fc 2007-12-19 05:38:09.000000000 -0500 +@@ -15,6 +15,7 @@ + /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) + /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) + /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) ++/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) + /usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) + + /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) +@@ -30,6 +31,8 @@ + /var/lib/samba(/.*)? 
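Review bot: `dac_override` and `dac_read_search` become unconditional in rsync_t's capability set, while the later hunk removes the `allow rsync_t self:capability dac_override;` that was gated by the `rsync_export_all_ro` tunable; the net effect is that the DAC bypass the boolean used to guard is now always on, so a default-configured rsyncd can read files its uid is not permitted to read. If the unconditional grant is needed for something other than the export-all case, name it in a comment; otherwise keep the capability inside the `tunable_policy(\`rsync_export_all_ro\`,...)` block as `allow rsync_t self:capability { dac_read_search dac_override };`.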
gen_context(system_u:object_r:samba_var_t,s0) + /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) + ++/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) ++ + /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) + + /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.5/policy/modules/services/samba.if +--- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/samba.if 2007-12-19 05:38:09.000000000 -0500 +@@ -331,6 +331,25 @@ + + ######################################## + ## ++## dontaudit the specified domain to ++## write samba /var files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`samba_dontaudit_write_var_files',` ++ gen_require(` ++ type samba_var_t; ++ ') ++ ++ dontaudit $1 samba_var_t:file write; ++') ++ ++######################################## ++## + ## Allow the specified domain to + ## read and write samba /var files. + ## +@@ -348,6 +367,7 @@ + files_search_var($1) + files_search_var_lib($1) + manage_files_pattern($1,samba_var_t,samba_var_t) ++ manage_lnk_files_pattern($1,samba_var_t,samba_var_t) + ') + + ######################################## +@@ -492,3 +512,102 @@ + allow $1 samba_var_t:dir search_dir_perms; + stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t) + ') ++ ++######################################## ++## ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving type names. 
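Review bot: Labelling `/var/lib/samba/scripts(/.*)?` as `samba_unconfined_script_exec_t` places an unconfined entrypoint under a tree smbd otherwise manages as samba_var_t; files created inside that directory inherit the exec type, so whether smbd_t (or swat_t, which the samba.te hunks later give `manage_files_pattern(swat_t,samba_var_t,samba_var_t)`) can write there decides whether a compromised daemon can plant a script that runs unconfined once `samba_run_unconfined` is on. The rules granting or denying write on samba_unconfined_script_exec_t are not in this diff, so this needs confirming; a comment on the fc line such as `# entrypoint for samba_unconfined_script_t; must not be writable by smbd_t or swat_t` would record the invariant.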
++## ++## ++# ++template(`samba_helper_template',` ++ gen_require(` ++ type smbd_t; ++ ') ++ #This type is for samba helper scripts ++ type samba_$1_script_t; ++ domain_type(samba_$1_script_t) ++ role system_r types samba_$1_script_t; ++ ++ # This type is used for executable scripts files ++ type samba_$1_script_exec_t; ++ corecmd_shell_entry_type(samba_$1_script_t) ++ domain_entry_file(samba_$1_script_t,samba_$1_script_exec_t) ++ ++ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) ++ allow smbd_t samba_$1_script_exec_t:file ioctl; ++ ++') ++ ++######################################## ++## ++## Allow the specified domain to read samba's shares ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`samba_read_share_files',` ++ gen_require(` ++ type samba_share_t; ++ ') ++ ++ read_files_pattern($1, samba_share_t, samba_share_t) ++') ++ ++######################################## ++## ++## Execute a domain transition to run smbcontrol. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`samba_domtrans_smbcontrol',` ++ gen_require(` ++ type smbcontrol_t; ++ type smbcontrol_exec_t; ++ ') ++ ++ domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t) ++') ++ ++ ++######################################## ++## ++## Execute smbcontrol in the smbcontrol domain, and ++## allow the specified role the smbcontrol domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the smbcontrol domain. ++## ++## ++## ++## ++## The type of the role's terminal. 
++## ++## ++# ++interface(`samba_run_smbcontrol',` ++ gen_require(` ++ type smbcontrol_t; ++ ') ++ ++ samba_domtrans_smbcontrol($1) ++ role $2 types smbcontrol_t; ++ dontaudit smbcontrol_t $3:chr_file rw_term_perms; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te +--- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/samba.te 2007-12-19 05:38:09.000000000 -0500 +@@ -26,28 +26,28 @@ + + ## + ##

+-## Allow samba to share users home directories. ++## Allow Samba to share users home directories + ##

+ ##
+ gen_tunable(samba_enable_home_dirs,false) + + ## + ##

+-## Allow samba to share any file/directory read only. ++## Allow Samba to share any file/directory read only + ##

+ ##
+ gen_tunable(samba_export_all_ro,false) + + ## + ##

+-## Allow samba to share any file/directory read/write. ++## Allow Samba to share any file/directory read/write + ##

+ ##
+ gen_tunable(samba_export_all_rw,false) + + ## + ##

+-## Allow samba to run unconfined scripts ++## Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory + ##

+ ##
+ gen_tunable(samba_run_unconfined,false) +@@ -139,6 +139,11 @@ + type winbind_var_run_t; + files_pid_file(winbind_var_run_t) + ++type smbcontrol_t; ++type smbcontrol_exec_t; ++application_domain(smbcontrol_t, smbcontrol_exec_t) ++role system_r types smbcontrol_t; ++ + ######################################## + # + # Samba net local policy +@@ -193,6 +198,8 @@ + + miscfiles_read_localization(samba_net_t) + ++samba_read_var_files(samba_net_t) ++ + userdom_dontaudit_search_sysadm_home_dirs(samba_net_t) + + optional_policy(` +@@ -213,7 +220,7 @@ + allow smbd_t self:msgq create_msgq_perms; + allow smbd_t self:sem create_sem_perms; + allow smbd_t self:shm create_shm_perms; +-allow smbd_t self:sock_file read_file_perms; ++allow smbd_t self:sock_file read_sock_file_perms; + allow smbd_t self:tcp_socket create_stream_socket_perms; + allow smbd_t self:udp_socket create_socket_perms; + allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -221,10 +228,8 @@ + + allow smbd_t samba_etc_t:file { rw_file_perms setattr }; + +-create_dirs_pattern(smbd_t,samba_log_t,samba_log_t) +-create_files_pattern(smbd_t,samba_log_t,samba_log_t) +-allow smbd_t samba_log_t:dir setattr; +-dontaudit smbd_t samba_log_t:dir remove_name; ++manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t) ++manage_files_pattern(smbd_t,samba_log_t,samba_log_t) + + allow smbd_t samba_net_tmp_t:file getattr; + +@@ -251,7 +256,7 @@ + manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t) + files_pid_filetrans(smbd_t,smbd_var_run_t,file) + +-allow smbd_t winbind_var_run_t:sock_file { read write getattr }; ++allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; + + kernel_getattr_core_if(smbd_t) + kernel_getattr_message_if(smbd_t) +@@ -340,6 +345,17 @@ + tunable_policy(`samba_share_nfs',` + fs_manage_nfs_dirs(smbd_t) + fs_manage_nfs_files(smbd_t) ++ fs_manage_nfs_symlinks(smbd_t) ++ fs_manage_nfs_named_pipes(smbd_t) ++ fs_manage_nfs_named_sockets(smbd_t) ++') ++ ++optional_policy(` ++ 
kerberos_read_keytab(smbd_t) ++') ++ ++optional_policy(` ++ lpd_exec_lpr(smbd_t) + ') + + optional_policy(` +@@ -391,7 +407,7 @@ + allow nmbd_t self:msgq create_msgq_perms; + allow nmbd_t self:sem create_sem_perms; + allow nmbd_t self:shm create_shm_perms; +-allow nmbd_t self:sock_file read_file_perms; ++allow nmbd_t self:sock_file read_sock_file_perms; + allow nmbd_t self:tcp_socket create_stream_socket_perms; + allow nmbd_t self:udp_socket create_socket_perms; + allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -403,8 +419,7 @@ + read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) + + manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) +-append_files_pattern(nmbd_t,samba_log_t,samba_log_t) +-allow nmbd_t samba_log_t:file unlink; ++manage_files_pattern(nmbd_t,samba_log_t,samba_log_t) + + read_files_pattern(nmbd_t,samba_log_t,samba_log_t) + create_files_pattern(nmbd_t,samba_log_t,samba_log_t) +@@ -439,6 +454,7 @@ + dev_getattr_mtrr_dev(nmbd_t) + + fs_getattr_all_fs(nmbd_t) ++fs_list_inotifyfs(nmbd_t) + fs_search_auto_mountpoints(nmbd_t) + + domain_use_interactive_fds(nmbd_t) +@@ -522,6 +538,7 @@ + storage_raw_write_fixed_disk(smbmount_t) + + term_list_ptys(smbmount_t) ++term_use_controlling_term(smbmount_t) + + corecmd_list_bin(smbmount_t) + +@@ -546,28 +563,37 @@ + + userdom_use_all_users_fds(smbmount_t) + ++optional_policy(` ++ cups_read_rw_config(smbmount_t) ++') ++ + ######################################## + # + # SWAT Local policy + # + +-allow swat_t self:capability { setuid setgid }; +-allow swat_t self:process signal_perms; ++allow swat_t self:capability { setuid setgid sys_resource }; ++allow swat_t self:process { setrlimit signal_perms }; + allow swat_t self:fifo_file rw_file_perms; + allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + allow swat_t self:tcp_socket create_stream_socket_perms; + allow swat_t self:udp_socket create_socket_perms; + +-allow swat_t nmbd_exec_t:file { execute read }; ++allow swat_t 
self:unix_stream_socket connectto; ++can_exec(swat_t, smbd_exec_t) ++allow swat_t smbd_port_t:tcp_socket name_bind; ++allow swat_t smbd_t:process { signal signull }; ++allow swat_t smbd_var_run_t:file { lock unlink }; ++ ++can_exec(swat_t, nmbd_exec_t) ++allow swat_t nmbd_port_t:udp_socket name_bind; ++allow swat_t nmbd_t:process { signal signull }; ++allow swat_t nmbd_var_run_t:file { lock read unlink }; + + rw_files_pattern(swat_t,samba_etc_t,samba_etc_t) + + append_files_pattern(swat_t,samba_log_t,samba_log_t) + +-allow swat_t smbd_exec_t:file execute ; +- +-allow swat_t smbd_t:process signull; +- + allow swat_t smbd_var_run_t:file read; + + manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) +@@ -577,7 +603,9 @@ + manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) + files_pid_filetrans(swat_t,swat_var_run_t,file) + +-allow swat_t winbind_exec_t:file execute; ++can_exec(swat_t, winbind_exec_t) ++allow swat_t winbind_var_run_t:dir { write add_name remove_name }; ++allow swat_t winbind_var_run_t:sock_file { create unlink }; + + kernel_read_kernel_sysctls(swat_t) + kernel_read_system_state(swat_t) +@@ -602,6 +630,7 @@ + + dev_read_urand(swat_t) + ++files_list_var_lib(swat_t) + files_read_etc_files(swat_t) + files_search_home(swat_t) + files_read_usr_files(swat_t) +@@ -614,6 +643,7 @@ + libs_use_shared_libs(swat_t) + + logging_send_syslog_msg(swat_t) ++logging_send_audit_msgs(swat_t) + logging_search_logs(swat_t) + + miscfiles_read_localization(swat_t) +@@ -631,6 +661,17 @@ + kerberos_use(swat_t) + ') + ++init_read_utmp(swat_t) ++init_dontaudit_write_utmp(swat_t) ++ ++manage_dirs_pattern(swat_t,samba_log_t,samba_log_t) ++create_files_pattern(swat_t,samba_log_t,samba_log_t) ++ ++manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t) ++ ++manage_files_pattern(swat_t,samba_var_t,samba_var_t) ++files_list_var_lib(swat_t) ++ + ######################################## + # + # Winbind local policy +@@ -679,6 +720,8 @@ + 
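Review bot: `can_exec(swat_t, smbd_exec_t)` and `can_exec(swat_t, nmbd_exec_t)` (and `can_exec(swat_t, winbind_exec_t)` in the next hunk) run the Samba daemons in the swat_t domain instead of transitioning to smbd_t/nmbd_t/winbind_t, which the accompanying `allow swat_t smbd_port_t:tcp_socket name_bind;` and `allow swat_t nmbd_port_t:udp_socket name_bind;` confirm — a daemon started from SWAT inherits swat_t's permissions (including the new `sys_resource`/`setrlimit` and the later `manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)`) rather than its own confinement. Prefer `domtrans_pattern(swat_t, smbd_exec_t, smbd_t)` and the nmbd/winbind equivalents, which also make the port name_bind and pid-file unlink rules unnecessary in swat_t. The SWAT local policy block continues outside the hunk.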
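Review bot: `files_list_var_lib(swat_t)` is added twice in this diff — once in the `@@ -602` hunk beside `files_read_etc_files(swat_t)` and again at the end of this hunk; drop the second copy. The new swat rules here also sit after the kerberos `optional_policy` block rather than with the rest of SWAT's local policy above, where `append_files_pattern(swat_t,samba_log_t,samba_log_t)` already exists and now overlaps the new `create_files_pattern(swat_t,samba_log_t,samba_log_t)`; move them up and merge the samba_log_t rules.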
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) + files_pid_filetrans(winbind_t,winbind_var_run_t,file) + ++corecmd_exec_bin(winbind_t) ++ + kernel_read_kernel_sysctls(winbind_t) + kernel_list_proc(winbind_t) + kernel_read_proc_symlinks(winbind_t) +@@ -766,6 +809,7 @@ + optional_policy(` + squid_read_log(winbind_helper_t) + squid_append_log(winbind_helper_t) ++ squid_rw_stream_sockets(winbind_helper_t) + ') + + ######################################## +@@ -790,3 +834,37 @@ + domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) + ') + ') ++ ++######################################## ++# ++# smbcontrol local policy ++# ++ ++## internal communication is often done using fifo and unix sockets. ++allow smbcontrol_t self:fifo_file rw_file_perms; ++allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_read_etc_files(smbcontrol_t) ++ ++libs_use_ld_so(smbcontrol_t) ++libs_use_shared_libs(smbcontrol_t) ++ ++miscfiles_read_localization(smbcontrol_t) ++ ++files_search_var_lib(smbcontrol_t) ++samba_read_config(smbcontrol_t) ++samba_rw_var_files(smbcontrol_t) ++samba_search_var(smbcontrol_t) ++samba_read_winbind_pid(smbcontrol_t) ++ ++allow smbcontrol_t smbd_t:process signal; ++domain_use_interactive_fds(smbcontrol_t) ++allow smbd_t smbcontrol_t:process { signal signull }; ++ ++allow nmbd_t smbcontrol_t:process signal; ++allow smbcontrol_t nmbd_t:process { signal signull }; ++ ++allow smbcontrol_t winbind_t:process { signal signull }; ++allow winbind_t smbcontrol_t:process signal; ++ ++allow smbcontrol_t nmbd_var_run_t:file { read lock }; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.5/policy/modules/services/sasl.te +--- nsaserefpolicy/policy/modules/services/sasl.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/sasl.te 2007-12-19 05:38:09.000000000 -0500 +@@ -107,6 +107,10 @@ + ') + + optional_policy(` 
++ nis_authenticate(saslauthd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(saslauthd_t) + ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.5/policy/modules/services/sendmail.if +--- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/sendmail.if 2007-12-19 05:38:09.000000000 -0500 +@@ -149,3 +149,85 @@ + + logging_log_filetrans($1,sendmail_log_t,file) + ') ++ ++######################################## ++## ++## Execute the sendmail program in the sendmail domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to allow the sendmail domain. ++## ++## ++## ++## ++## The type of the terminal allow the sendmail domain to use. ++## ++## ++## ++# ++interface(`sendmail_run',` ++ gen_require(` ++ type sendmail_t; ++ ') ++ ++ sendmail_domtrans($1) ++ role $2 types sendmail_t; ++ allow sendmail_t $3:chr_file rw_term_perms; ++') ++ ++######################################## ++## ++## Execute sendmail in the unconfined sendmail domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sendmail_domtrans_unconfined',` ++ gen_require(` ++ type unconfined_sendmail_t, sendmail_exec_t; ++ ') ++ ++ domtrans_pattern($1,sendmail_exec_t,unconfined_sendmail_t) ++') ++ ++######################################## ++## ++## Execute sendmail in the unconfined sendmail domain, and ++## allow the specified role the unconfined sendmail domain, ++## and use the caller's terminal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the unconfined sendmail domain. ++## ++## ++## ++## ++## The type of the terminal allow the unconfined sendmail domain to use. 
++## ++## ++## ++# ++interface(`sendmail_run_unconfined',` ++ gen_require(` ++ type unconfined_sendmail_t; ++ ') ++ ++ sendmail_domtrans_unconfined($1) ++ role $2 types unconfined_sendmail_t; ++ allow unconfined_sendmail_t $3:chr_file rw_file_perms; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te +--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/sendmail.te 2007-12-31 15:42:11.000000000 -0500 +@@ -20,13 +20,17 @@ + mta_mailserver_delivery(sendmail_t) + mta_mailserver_sender(sendmail_t) + ++type unconfined_sendmail_t; ++application_domain(unconfined_sendmail_t,sendmail_exec_t) ++role system_r types unconfined_sendmail_t; ++ + ######################################## + # + # Sendmail local policy + # + +-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config }; +-allow sendmail_t self:process signal; ++allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; ++allow sendmail_t self:process { signal signull }; + allow sendmail_t self:fifo_file rw_fifo_file_perms; + allow sendmail_t self:unix_stream_socket create_stream_socket_perms; + allow sendmail_t self:unix_dgram_socket create_socket_perms; +@@ -47,6 +51,7 @@ + kernel_read_kernel_sysctls(sendmail_t) + # for piping mail to a command + kernel_read_system_state(sendmail_t) ++kernel_read_network_state(sendmail_t) + + corenet_all_recvfrom_unlabeled(sendmail_t) + corenet_all_recvfrom_netlabel(sendmail_t) +@@ -97,20 +102,35 @@ + + userdom_dontaudit_use_unpriv_user_fds(sendmail_t) + userdom_dontaudit_search_sysadm_home_dirs(sendmail_t) ++userdom_read_all_users_home_content_files(sendmail_t) + + mta_read_config(sendmail_t) + mta_etc_filetrans_aliases(sendmail_t) + # Write to /etc/aliases and /etc/mail. 
+-mta_rw_aliases(sendmail_t) ++mta_manage_aliases(sendmail_t) + # Write to /var/spool/mail and /var/spool/mqueue. + mta_manage_queue(sendmail_t) + mta_manage_spool(sendmail_t) ++mta_sendmail_exec(sendmail_t) ++ ++optional_policy(` ++ cron_read_pipes(sendmail_t) ++') + + optional_policy(` + clamav_search_lib(sendmail_t) + ') + + optional_policy(` ++ cyrus_stream_connect(sendmail_t) ++ clamav_stream_connect(sendmail_t) ++') ++ ++optional_policy(` ++ munin_dontaudit_search_lib(sendmail_t) ++') ++ ++optional_policy(` + postfix_exec_master(sendmail_t) + postfix_read_config(sendmail_t) + postfix_search_spool(sendmail_t) +@@ -125,24 +145,25 @@ + ') + + optional_policy(` ++ sasl_connect(sendmail_t) ++') ++ ++optional_policy(` ++ spamd_stream_connect(sendmail_t) ++') ++ ++optional_policy(` + udev_read_db(sendmail_t) + ') + +-ifdef(`TODO',` +-allow sendmail_t etc_mail_t:dir rw_dir_perms; +-allow sendmail_t etc_mail_t:file manage_file_perms; +-# for the start script to run make -C /etc/mail +-allow initrc_t etc_mail_t:dir rw_dir_perms; +-allow initrc_t etc_mail_t:file manage_file_perms; +-allow system_mail_t initrc_t:fd use; +-allow system_mail_t initrc_t:fifo_file write; +- +-# When sendmail runs as user_mail_domain, it needs some extra permissions +-# to update /etc/mail/statistics. +-allow user_mail_domain etc_mail_t:file rw_file_perms; ++######################################## ++# ++# Unconfined sendmail local policy ++# Allow unconfined domain to run newalias and have transitions work ++# + +-# Silently deny attempts to access /root. 
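Review bot: `cyrus_stream_connect(sendmail_t)` and `clamav_stream_connect(sendmail_t)` share one `optional_policy` block, so if either the cyrus or the clamav module is absent both rules are dropped; clamav already has its own block just above (`clamav_search_lib`), so move `clamav_stream_connect(sendmail_t)` there and leave cyrus in a block of its own. `userdom_read_all_users_home_content_files(sendmail_t)` is also a broad new grant for the MTA with no comment; if it exists for `~/.forward` handling, say so (`# read ~/.forward`) and confirm a narrower home-content interface would not suffice.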
+-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search }; ++optional_policy(` ++ mta_etc_filetrans_aliases(unconfined_sendmail_t) ++ unconfined_domain(unconfined_sendmail_t) ++') + +-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; +-') dnl end TODO +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te +--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2007-12-19 05:38:09.000000000 -0500 +@@ -27,8 +27,8 @@ + # setroubleshootd local policy + # + +-allow setroubleshootd_t self:capability { dac_override sys_tty_config }; +-allow setroubleshootd_t self:process { signull signal getattr getsched }; ++allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; ++allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; + allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; + allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; + allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -52,7 +52,9 @@ + + kernel_read_kernel_sysctls(setroubleshootd_t) + kernel_read_system_state(setroubleshootd_t) ++kernel_read_net_sysctls(setroubleshootd_t) + kernel_read_network_state(setroubleshootd_t) ++kernel_dontaudit_list_all_proc(setroubleshootd_t) + + corecmd_exec_bin(setroubleshootd_t) + corecmd_exec_shell(setroubleshootd_t) +@@ -73,7 +75,7 @@ + + files_read_usr_files(setroubleshootd_t) + files_read_etc_files(setroubleshootd_t) +-files_getattr_all_dirs(setroubleshootd_t) ++files_list_all(setroubleshootd_t) + files_getattr_all_files(setroubleshootd_t) + + fs_getattr_all_dirs(setroubleshootd_t) +@@ -110,6 +112,7 @@ + optional_policy(` + dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t) + 
dbus_connect_system_bus(setroubleshootd_t)
++ dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t)
+ ')
+ 
+ optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.5/policy/modules/services/snmp.te
+--- nsaserefpolicy/policy/modules/services/snmp.te 2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/snmp.te 2007-12-19 05:38:09.000000000 -0500
+@@ -81,8 +81,7 @@
+ files_read_usr_files(snmpd_t)
+ files_read_etc_runtime_files(snmpd_t)
+ files_search_home(snmpd_t)
+-files_getattr_boot_dirs(snmpd_t)
+-files_dontaudit_getattr_home_dir(snmpd_t)
++auth_read_all_dirs_except_shadow(snmpd_t)
+ 
+ fs_getattr_all_dirs(snmpd_t)
+ fs_getattr_all_fs(snmpd_t)
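Review bot: `auth_read_all_dirs_except_shadow(snmpd_t)` replaces a getattr on /boot and a dontaudit on home directories with read/list access to essentially every directory on the system, including all users' home directories, for a network-facing daemon; the removed lines show the actual need was much narrower. If a specific directory was being denied, grant that — keep `files_getattr_boot_dirs(snmpd_t)` and add the missing interface — and keep `files_dontaudit_getattr_home_dir(snmpd_t)` rather than turning a silenced denial into a grant. At minimum a comment naming which snmpd feature needs directory listing everywhere is warranted.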