rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- Update to upstream

Browse Source
This commit is contained in:
Daniel J Walsh 2007-11-12 22:47:17 +00:00
parent 7330e86b90
commit 06da2697cc
1 changed files with 283 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

383
policy-20071023.patch
View File

@ -1087,7 +1087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.1.0/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/admin/prelink.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/admin/prelink.te 2007-11-12 10:43:25.000000000 -0500
@@ -26,7 +26,7 @@
# Local policy
#
@ -1137,6 +1137,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
optional_policy(`
amanda_manage_lib(prelink_t)
')
@@ -88,3 +94,7 @@
optional_policy(`
cron_system_entry(prelink_t, prelink_exec_t)
')
+
+optional_policy(`
+ unconfined_domain(prelink_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.1.0/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/admin/rpm.fc 2007-11-06 09:28:35.000000000 -0500
@ -2967,7 +2975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.1.0/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/kernel/devices.if 2007-11-08 14:28:51.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/kernel/devices.if 2007-11-12 16:37:44.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@ -2977,7 +2985,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
relabelfrom_fifo_files_pattern($1,device_t,device_node)
relabelfrom_sock_files_pattern($1,device_t,device_node)
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
@@ -2787,6 +2787,97 @@
@@ -167,6 +167,25 @@
########################################
## <summary>
+## Manage of directories in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to relabel.
+## </summary>
+## </param>
+#
+interface(`dev_manage_generic_dirs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ manage_dirs_pattern($1,device_t,device_t)
+')
+
+
+########################################
+## <summary>
## Delete a directory in the device directory.
## </summary>
## <param name="domain">
@@ -2787,6 +2806,97 @@
########################################
## <summary>
@ -3075,7 +3109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
@@ -3322,3 +3413,4 @@
@@ -3322,3 +3432,4 @@
typeattribute $1 devices_unconfined_type;
')
@ -3400,7 +3434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.1.0/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/apache.if 2007-11-08 09:03:24.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/apache.if 2007-11-12 10:17:15.000000000 -0500
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@ -3692,7 +3726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.1.0/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-10-23 07:37:52.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-11-07 15:26:15.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-11-12 17:45:22.000000000 -0500
@@ -20,20 +20,22 @@
# Declarations
#
@ -4073,15 +4107,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@ -4133,19 +4167,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
@@ -730,3 +862,20 @@
@@ -730,3 +862,46 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
+
+type httpd_bugzilla_tmp_t;
+files_tmp_file(httpd_bugzilla_tmp_t)
+
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms;
+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t)
+corenet_tcp_connect_http_port(httpd_bugzilla_script_t)
+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t)
+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t)
+
+manage_dirs_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
+manage_files_pattern(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,httpd_bugzilla_tmp_t)
+files_tmp_filetrans(httpd_bugzilla_script_t,httpd_bugzilla_tmp_t,{ file dir })
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+sysnet_read_config(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
@ -4964,7 +5024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.1.0/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-10-29 07:52:49.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/cups.te 2007-11-08 13:32:52.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/cups.te 2007-11-12 17:22:30.000000000 -0500
@@ -48,9 +48,7 @@
type hplip_t;
type hplip_exec_t;
@ -5075,7 +5135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
init_exec_script_files(cupsd_t)
@@ -221,17 +222,37 @@
@@ -221,17 +222,38 @@
sysnet_read_config(cupsd_t)
@ -5099,6 +5159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+ init_stream_connect_script(cupsd_t)
+
+ unconfined_rw_pipes(cupsd_t)
+ unconfined_rw_stream_sockets(cupsd_t)
+
+ optional_policy(`
+ init_dbus_chat_script(cupsd_t)
@ -5113,7 +5174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
apm_domtrans_client(cupsd_t)
')
@@ -262,16 +283,16 @@
@@ -262,16 +284,16 @@
')
optional_policy(`
@ -5134,7 +5195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
seutil_sigchld_newrole(cupsd_t)
')
@@ -291,7 +312,9 @@
@@ -291,7 +313,9 @@
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
@ -5145,7 +5206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t,cupsd_t)
@@ -330,6 +353,7 @@
@@ -330,6 +354,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@ -5153,7 +5214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
@@ -354,6 +378,8 @@
@@ -354,6 +379,8 @@
logging_send_syslog_msg(cupsd_config_t)
@ -5162,7 +5223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
miscfiles_read_localization(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
@@ -376,6 +402,14 @@
@@ -376,6 +403,14 @@
')
optional_policy(`
@ -5177,7 +5238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
@@ -391,6 +425,7 @@
@@ -391,6 +426,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@ -5185,7 +5246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
@@ -402,14 +437,6 @@
@@ -402,14 +438,6 @@
')
optional_policy(`
@ -5200,7 +5261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
rpm_read_db(cupsd_config_t)
')
@@ -430,7 +457,6 @@
@@ -430,7 +458,6 @@
allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
allow cupsd_lpd_t self:udp_socket create_socket_perms;
@ -5208,7 +5269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
# for identd
# cjp: this should probably only be inetd_child rules?
@@ -480,6 +506,8 @@
@@ -480,6 +507,8 @@
files_read_etc_files(cupsd_lpd_t)
@ -5217,7 +5278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
libs_use_ld_so(cupsd_lpd_t)
libs_use_shared_libs(cupsd_lpd_t)
@@ -495,14 +523,6 @@
@@ -495,14 +524,6 @@
inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
')
@ -5232,7 +5293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
########################################
#
# HPLIP local policy
@@ -523,11 +543,9 @@
@@ -523,11 +544,9 @@
allow hplip_t cupsd_etc_t:dir search;
cups_stream_connect(hplip_t)
@ -5247,7 +5308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
@@ -558,7 +576,9 @@
@@ -558,7 +577,9 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@ -5258,7 +5319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
@@ -585,8 +605,6 @@
@@ -585,8 +606,6 @@
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@ -5267,7 +5328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
@@ -666,3 +684,15 @@
@@ -666,3 +685,15 @@
optional_policy(`
udev_read_db(ptal_t)
')
@ -6156,8 +6217,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.1.0/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/inetd.te 2007-11-08 13:24:56.000000000 -0500
@@ -84,6 +84,7 @@
+++ serefpolicy-3.1.0/policy/modules/services/inetd.te 2007-11-12 11:36:04.000000000 -0500
@@ -30,6 +30,10 @@
type inetd_child_var_run_t;
files_pid_file(inetd_child_var_run_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)
+')
+
########################################
#
# Local policy
@@ -84,6 +88,7 @@
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_inetd_child_port(inetd_t)
@ -6165,7 +6237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
corenet_udp_bind_ktalkd_port(inetd_t)
corenet_tcp_bind_printer_port(inetd_t)
corenet_udp_bind_rlogind_port(inetd_t)
@@ -137,6 +138,7 @@
@@ -137,6 +142,7 @@
miscfiles_read_localization(inetd_t)
# xinetd needs MLS override privileges to work
@ -6173,7 +6245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
@@ -164,6 +166,7 @@
@@ -164,6 +170,7 @@
')
optional_policy(`
@ -6181,7 +6253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
unconfined_domtrans(inetd_t)
')
@@ -180,6 +183,9 @@
@@ -180,6 +187,9 @@
# for identd
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
@ -6191,7 +6263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
files_search_home(inetd_child_t)
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
@@ -226,3 +232,7 @@
@@ -226,3 +236,7 @@
optional_policy(`
unconfined_domain(inetd_child_t)
')
@ -6209,19 +6281,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.1.0/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/kerberos.if 2007-11-07 11:41:20.000000000 -0500
@@ -42,6 +42,10 @@
dontaudit $1 krb5_conf_t:file write;
+++ serefpolicy-3.1.0/policy/modules/services/kerberos.if 2007-11-12 16:50:13.000000000 -0500
@@ -43,7 +43,13 @@
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+
+ #kerberos libraries are attempting to set the correct file context
+ dontaudit $1 self:process setfscreate;
+ seutil_dontaudit_read_file_contexts($1)
+
tunable_policy(`allow_kerberos',`
+ fs_rw_tmpfs_files($1)
+
allow $1 self:tcp_socket create_socket_perms;
@@ -61,9 +65,6 @@
allow $1 self:udp_socket create_socket_perms;
@@ -61,11 +67,7 @@
corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
@ -6229,9 +6304,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
- sysnet_read_config($1)
- sysnet_dns_name_resolve($1)
')
-
optional_policy(`
@@ -172,3 +173,51 @@
tunable_policy(`allow_kerberos',`
pcscd_stream_connect($1)
@@ -172,3 +174,51 @@
allow $1 krb5kdc_conf_t:file read_file_perms;
')
@ -7488,6 +7565,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
logrotate_exec(ntpd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.1.0/policy/modules/services/openct.te
--- nsaserefpolicy/policy/modules/services/openct.te 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/openct.te 2007-11-12 10:46:57.000000000 -0500
@@ -22,6 +22,7 @@
allow openct_t self:process signal_perms;
manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
+manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
files_pid_filetrans(openct_t,openct_var_run_t,file)
kernel_read_kernel_sysctls(openct_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.1.0/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-10-29 07:52:49.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/openvpn.te 2007-11-07 15:47:03.000000000 -0500
@ -8273,7 +8361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.1.0/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2007-10-02 09:54:52.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/rlogin.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/rlogin.te 2007-11-12 10:59:25.000000000 -0500
@@ -36,6 +36,8 @@
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(rlogind_t,rlogind_devpts_t)
@ -9720,7 +9808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.1.0/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/ssh.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/ssh.te 2007-11-12 11:36:01.000000000 -0500
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@ -9988,7 +10076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
+miscfiles_read_certs(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.1.0/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-10-15 16:11:05.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/xserver.fc 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/xserver.fc 2007-11-12 11:55:11.000000000 -0500
@@ -32,11 +32,6 @@
/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
@ -10011,9 +10099,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -92,13 +88,16 @@
@@ -91,14 +87,19 @@
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
@ -10026,12 +10116,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
ifdef(`distro_suse',`
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.1.0/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/xserver.if 2007-11-08 14:26:18.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/xserver.if 2007-11-12 16:37:20.000000000 -0500
@@ -58,7 +58,6 @@
allow $1_xserver_t self:msg { send receive };
allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@ -10040,7 +10131,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
allow $1_xserver_t self:udp_socket create_socket_perms;
@@ -126,6 +125,9 @@
@@ -116,8 +115,7 @@
dev_rw_agp($1_xserver_t)
dev_rw_framebuffer($1_xserver_t)
dev_manage_dri_dev($1_xserver_t)
- dev_create_generic_dirs($1_xserver_t)
- dev_setattr_generic_dirs($1_xserver_t)
+ dev_manage_generic_dirs($1_xserver_t)
# raw memory access is needed if not using the frame buffer
dev_read_raw_memory($1_xserver_t)
dev_wx_raw_memory($1_xserver_t)
@@ -126,6 +124,9 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
dev_rwx_zero($1_xserver_t)
@ -10050,7 +10151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domain_mmap_low($1_xserver_t)
@@ -141,10 +143,14 @@
@@ -141,10 +142,14 @@
fs_getattr_xattr_fs($1_xserver_t)
fs_search_nfs($1_xserver_t)
fs_search_auto_mountpoints($1_xserver_t)
@ -10066,7 +10167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
@@ -160,8 +166,6 @@
@@ -160,8 +165,6 @@
seutil_dontaudit_search_config($1_xserver_t)
@ -10075,7 +10176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow $1_xserver_t self:process { execmem execheap execstack };
')
@@ -179,14 +183,6 @@
@@ -179,14 +182,6 @@
')
optional_policy(`
@ -10090,7 +10191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
rhgb_getpgid($1_xserver_t)
rhgb_signal($1_xserver_t)
')
@@ -251,7 +247,7 @@
@@ -251,7 +246,7 @@
userdom_user_home_content($1,$1_fonts_cache_t)
type $1_fonts_config_t, fonts_config_type;
@ -10099,7 +10200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type $1_iceauth_t;
domain_type($1_iceauth_t)
@@ -282,11 +278,14 @@
@@ -282,11 +277,14 @@
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
@ -10114,7 +10215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
@@ -316,6 +315,7 @@
@@ -316,6 +314,7 @@
userdom_use_user_ttys($1,$1_xserver_t)
userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@ -10122,7 +10223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_use_user_fonts($1,$1_xserver_t)
xserver_rw_xdm_tmp_files($1_xauth_t)
@@ -353,12 +353,6 @@
@@ -353,12 +352,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
@ -10135,7 +10236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
@@ -387,6 +381,14 @@
@@ -387,6 +380,14 @@
')
optional_policy(`
@ -10150,7 +10251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
nis_use_ypbind($1_xauth_t)
')
@@ -536,17 +538,15 @@
@@ -536,17 +537,15 @@
template(`xserver_user_client_template',`
gen_require(`
@ -10174,7 +10275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -555,25 +555,53 @@
@@ -555,25 +554,53 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@ -10236,7 +10337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
')
@@ -626,6 +654,24 @@
@@ -626,6 +653,24 @@
########################################
## <summary>
@ -10261,7 +10362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
@@ -659,6 +705,73 @@
@@ -659,6 +704,73 @@
########################################
## <summary>
@ -10335,7 +10436,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
@@ -927,6 +1040,7 @@
@@ -873,6 +985,25 @@
########################################
## <summary>
+## Connect to apmd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_stream_connect',`
+ gen_require(`
+ type xdm_xserver_t, xserver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1,xserver_var_run_t,xserver_var_run_t,xdm_xserver_t)
+')
+
+########################################
+## <summary>
## Read xdm-writable configuration files.
## </summary>
## <param name="domain">
@@ -927,6 +1058,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@ -10343,7 +10470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -987,6 +1101,37 @@
@@ -987,6 +1119,37 @@
########################################
## <summary>
@ -10381,7 +10508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
@@ -1136,7 +1281,7 @@
@@ -1136,7 +1299,7 @@
type xdm_xserver_tmp_t;
')
@ -10390,7 +10517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -1325,3 +1470,45 @@
@@ -1325,3 +1488,45 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@ -10438,7 +10565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.1.0/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-15 16:11:05.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/xserver.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/xserver.te 2007-11-12 11:58:29.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
@ -10453,7 +10580,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Allow xdm logins as sysadm
## </p>
## </desc>
@@ -96,7 +103,7 @@
@@ -56,6 +63,12 @@
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
+type xserver_var_run_t;
+files_pid_file(xserver_var_run_t)
+
+type xdm_var_run_t;
+files_pid_file(xdm_var_run_t)
+
type xdm_tmp_t;
files_tmp_file(xdm_tmp_t)
typealias xdm_tmp_t alias ice_tmp_t;
@@ -96,7 +109,7 @@
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
@ -10462,7 +10602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
@@ -132,15 +139,20 @@
@@ -132,15 +145,20 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -10484,7 +10624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -185,6 +197,7 @@
@@ -185,6 +203,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@ -10492,7 +10632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
@@ -197,6 +210,7 @@
@@ -197,6 +216,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@ -10500,7 +10640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
@@ -246,6 +260,7 @@
@@ -246,6 +266,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@ -10508,7 +10648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -257,6 +272,7 @@
@@ -257,6 +278,7 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@ -10516,7 +10656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
@@ -271,6 +287,10 @@
@@ -271,6 +293,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -10527,7 +10667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
@@ -306,6 +326,10 @@
@@ -306,6 +332,10 @@
optional_policy(`
consolekit_dbus_chat(xdm_t)
@ -10538,7 +10678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
@@ -348,8 +372,8 @@
@@ -348,8 +378,8 @@
')
optional_policy(`
@ -10548,7 +10688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -385,7 +409,7 @@
@@ -385,7 +415,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -10557,7 +10697,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -425,6 +449,14 @@
@@ -397,6 +427,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
+manage_dirs_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)
+manage_files_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)
+files_var_lib_filetrans(xdm_xserver_t,xserver_var_lib_t,dir)
+
+manage_dirs_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)
+manage_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)
+manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)
+files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir)
+
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
@@ -425,6 +464,14 @@
')
optional_policy(`
@ -10572,7 +10728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
@@ -434,47 +466,31 @@
@@ -434,47 +481,31 @@
')
optional_policy(`
@ -10597,6 +10753,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ # xserver signals unconfined user on startx
+ unconfined_signal(xdm_xserver_t)
+ unconfined_getpgid(xdm_xserver_t)
+')
+
+
+tunable_policy(`allow_xserver_execmem', `
+ allow xdm_xserver_t self:process { execheap execmem execstack };
')
-ifdef(`TODO',`
@ -10620,11 +10781,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
+
+tunable_policy(`allow_xserver_execmem', `
+ allow xdm_xserver_t self:process { execheap execmem execstack };
+')
+
+ifndef(`distro_redhat',`
+ allow xdm_xserver_t self:process { execheap execmem };
+')
@ -10810,7 +10966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.1.0/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/authlogin.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/system/authlogin.te 2007-11-12 12:07:41.000000000 -0500
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@ -10831,6 +10987,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
########################################
#
# PAM local policy
@@ -287,8 +293,8 @@
files_manage_etc_files(updpwd_t)
term_dontaudit_use_console(updpwd_t)
-term_dontaudit_use_console(updpwd_t)
-term_dontaudit_use_unallocated_ttys(updpwd_t)
+term_dontaudit_use_all_user_ptys(updpwd_t)
+term_dontaudit_use_all_user_ttys(updpwd_t)
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.1.0/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2007-09-26 12:15:01.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/fstools.fc 2007-11-06 09:28:35.000000000 -0500
@ -11288,7 +11455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.1.0/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-10-29 07:52:50.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/init.te 2007-11-08 13:26:15.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/system/init.te 2007-11-12 11:17:51.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
@ -12377,7 +12544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.1.0/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2007-10-12 08:56:08.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/raid.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/system/raid.te 2007-11-12 10:43:40.000000000 -0500
@@ -19,7 +19,7 @@
# Local policy
#
@ -12395,6 +12562,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
@@ -85,3 +86,7 @@
optional_policy(`
udev_read_db(mdadm_t)
')
+
+optional_policy(`
+ unconfined_domain(mdadm_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.1.0/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-18 11:12:44.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.fc 2007-11-06 09:28:35.000000000 -0500
@ -12684,7 +12859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.1.0/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-12 08:56:08.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-11-09 14:28:06.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-11-12 11:41:33.000000000 -0500
@@ -76,7 +76,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@ -12704,7 +12879,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
type semanage_store_t;
files_type(semanage_store_t)
@@ -194,10 +197,19 @@
@@ -170,6 +173,7 @@
files_read_etc_runtime_files(load_policy_t)
fs_getattr_xattr_fs(load_policy_t)
+fs_list_inotifyfs(load_policy_t)
mls_file_read_all_levels(load_policy_t)
@@ -194,10 +198,19 @@
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
optional_policy(`
@ -12725,7 +12908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
########################################
#
# Newrole local policy
@@ -215,7 +227,7 @@
@@ -215,7 +228,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -12734,7 +12917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
@@ -252,7 +264,9 @@
@@ -252,7 +265,9 @@
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@ -12744,7 +12927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_rw_faillog(newrole_t)
corecmd_list_bin(newrole_t)
@@ -273,6 +287,7 @@
@@ -273,6 +288,7 @@
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
@ -12752,7 +12935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t)
@@ -294,14 +309,6 @@
@@ -294,14 +310,6 @@
files_polyinstantiate_all(newrole_t)
')
@ -12767,7 +12950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
########################################
#
# Restorecond local policy
@@ -309,11 +316,12 @@
@@ -309,11 +317,12 @@
allow restorecond_t self:capability { dac_override dac_read_search fowner };
allow restorecond_t self:fifo_file rw_fifo_file_perms;
@ -12781,7 +12964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -343,15 +351,12 @@
@@ -343,15 +352,12 @@
miscfiles_read_localization(restorecond_t)
@ -12799,7 +12982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
#################################
#
@@ -361,7 +366,7 @@
@@ -361,7 +367,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@ -12808,7 +12991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
@@ -375,6 +380,7 @@
@@ -375,6 +381,7 @@
term_dontaudit_list_ptys(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@ -12816,7 +12999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t)
@@ -425,75 +431,49 @@
@@ -425,75 +432,49 @@
########################################
#
@ -12917,7 +13100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
@@ -519,7 +499,12 @@
@@ -519,7 +500,12 @@
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir list_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file read_file_perms;
@ -12931,7 +13114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
@@ -537,6 +522,7 @@
@@ -537,6 +523,7 @@
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
@ -12939,7 +13122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
@@ -590,8 +576,16 @@
@@ -590,8 +577,16 @@
fs_relabel_tmpfs_chr_file(setfiles_t)
')
@ -13438,7 +13621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.1.0/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-12 08:56:08.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/unconfined.te 2007-11-06 09:28:35.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/system/unconfined.te 2007-11-12 10:02:01.000000000 -0500
@@ -5,17 +5,18 @@
#
# Declarations