From 20272c2b2724f43287aa00d2e618d0d9412c7874 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 26 Jun 2009 13:22:39 +0000
Subject: [PATCH] trunk: 7 patches from dan.
---
 policy/modules/services/apm.te | 3 ++-
 policy/modules/services/audioentropy.te | 10 +++++++++-
 policy/modules/services/bitlbee.te | 4 +++-
 policy/modules/services/lpd.if | 1 +
 policy/modules/services/lpd.te | 2 +-
 policy/modules/services/portreserve.te | 8 +++++---
 policy/modules/services/privoxy.te | 23 ++++++++++++++---------
 policy/modules/services/sasl.te | 7 ++++++-
 8 files changed, 41 insertions(+), 17 deletions(-)
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 3bd8c13c..5dd72f71 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -1,5 +1,5 @@
-policy_module(apm, 1.9.1)
+policy_module(apm, 1.9.2)
 ########################################
 #
@@ -123,6 +123,7 @@ libs_exec_ld_so(apmd_t)
 libs_exec_lib_files(apmd_t)
 logging_send_syslog_msg(apmd_t)
+logging_send_audit_msgs(apmd_t)
 miscfiles_read_localization(apmd_t)
 miscfiles_read_hwdata(apmd_t)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index e8a50c0e..46e4cd80 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -1,5 +1,5 @@
-policy_module(audioentropy, 1.5.0)
+policy_module(audioentropy, 1.5.1)
 ########################################
 #
@@ -40,6 +40,9 @@ dev_read_sound(entropyd_t)
 # and sample rate.
 dev_write_sound(entropyd_t)
+files_read_etc_files(entropyd_t)
+files_read_usr_files(entropyd_t)
+
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
@@ -52,6 +55,11 @@ miscfiles_read_localization(entropyd_t)
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
 userdom_dontaudit_search_user_home_dirs(entropyd_t)
+optional_policy(`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+')
+
 optional_policy(`
 seutil_sigchld_newrole(entropyd_t)
 ')
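Review bot: `files_read_usr_files(entropyd_t)` in the audioentropy.te @@ -40,6 hunk grants read access to everything under /usr, and nothing in the hunk records what audio-entropyd actually needs there. The @@ -52,6 hunk of the same file adds `alsa_read_lib` and `alsa_read_rw_config`, which suggests the real need is ALSA configuration and library data; if those two interfaces already cover the paths that were denied, the usr-wide rule is broader than necessary and should be dropped, or else justified inline with something like `# ALSA plugin data under /usr — TODO: confirm exact paths from the denials`. The same question applies, less urgently, to `files_read_etc_files` beside it. The preceding comment block ("# and sample rate.") begins before the hunk, so the context for the sound rules is not fully visible here.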
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
index 95e1cd48..10611a05 100644
--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
@@ -1,5 +1,5 @@
-policy_module(bitlbee, 1.1.1)
+policy_module(bitlbee, 1.1.2)
 ########################################
 #
@@ -46,6 +46,8 @@ files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
 manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
 files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+kernel_read_system_state(bitlbee_t)
+
 corenet_all_recvfrom_unlabeled(bitlbee_t)
 corenet_udp_sendrecv_generic_if(bitlbee_t)
 corenet_udp_sendrecv_generic_node(bitlbee_t)
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index 9c1c7cf3..c358cd79 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -134,6 +134,7 @@ interface(`lpd_manage_spool',`
 files_search_spool($1)
 manage_dirs_pattern($1, print_spool_t, print_spool_t)
 manage_files_pattern($1, print_spool_t, print_spool_t)
+ manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
 ')
 ########################################
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 86042393..9c6b9ce9 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
-policy_module(lpd, 1.11.2)
+policy_module(lpd, 1.11.3)
 ########################################
 #
diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te
index 347387b5..7e1cf86a 100644
--- a/policy/modules/services/portreserve.te
+++ b/policy/modules/services/portreserve.te
@@ -1,5 +1,5 @@
-policy_module(portreserve, 1.0.0)
+policy_module(portreserve, 1.0.1)
 ########################################
 #
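Review bot: The added `manage_lnk_files_pattern($1, print_spool_t, print_spool_t)` in the lpd.if hunk widens `lpd_manage_spool` for every domain that calls the interface, not only the one whose denial motivated the change, and the hunk does not say which caller needs symlink management in the print spool. A domain that can create symlinks in a spool directory can influence any spool consumer that follows links, so the new permission deserves a one-line justification, e.g. `# symlinks in the spool dir are needed by <caller> — TODO: confirm`. If the interface's doc header (which precedes the hunk) lists the file classes the interface manages, it should now mention symlinks too. The `bitlbee.te` hunk's `kernel_read_system_state(bitlbee_t)` likewise lacks a why-comment; a short note on what /proc data bitlbee reads would help a later audit.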
@@ -37,9 +37,11 @@ manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t
 manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
 files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file })
+corenet_all_recvfrom_unlabeled(portreserve_t)
+corenet_all_recvfrom_netlabel(portreserve_t)
 corenet_tcp_bind_generic_node(portreserve_t)
 corenet_udp_bind_generic_node(portreserve_t)
-corenet_tcp_bind_all_reserved_ports(portreserve_t)
-corenet_udp_bind_all_reserved_ports(portreserve_t)
+corenet_tcp_bind_all_ports(portreserve_t)
+corenet_udp_bind_all_ports(portreserve_t)
 files_read_etc_files(portreserve_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 9660faac..d95879aa 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -1,11 +1,19 @@
-policy_module(privoxy, 1.8.2)
+policy_module(privoxy, 1.8.3)
 ########################################
 #
 # Declarations
 #
+##
+##
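Review bot: Replacing `corenet_tcp_bind_all_reserved_ports`/`corenet_udp_bind_all_reserved_ports` with the `*_bind_all_ports` variants lets portreserve_t bind any port rather than only the reserved range, and the hunk gives no reason for the widening; a comment such as `# /etc/portreserve/* may reserve unprivileged ports as well as reserved ones — confirm` would keep a later cleanup from narrowing it back and breaking the daemon. The added `corenet_all_recvfrom_unlabeled`/`corenet_all_recvfrom_netlabel` lines permit receiving on those sockets; if portreserve only holds the sockets and hands them to the real service, receive permission is broader than its job requires, so it is worth checking against the denials that prompted the patch. No `corenet_sendrecv_*` rules appear in the hunk, so that side of the network controls is untouched here.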

+## Allow privoxy to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+##

+##
+##
+gen_tunable(privoxy_connect_any, false)
+
 type privoxy_t; # web_client_domain
 type privoxy_exec_t;
 init_daemon_domain(privoxy_t, privoxy_exec_t)
@@ -70,23 +78,20 @@ domain_use_interactive_fds(privoxy_t)
 files_read_etc_files(privoxy_t)
+auth_use_nsswitch(privoxy_t)
+
 logging_send_syslog_msg(privoxy_t)
 miscfiles_read_localization(privoxy_t)
-sysnet_dns_name_resolve(privoxy_t)
-
 userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
 userdom_dontaudit_search_user_home_dirs(privoxy_t)
 # cjp: this should really not be needed
 userdom_use_user_terminals(privoxy_t)
-optional_policy(`
- nis_use_ypbind(privoxy_t)
-')
-
-optional_policy(`
- nscd_socket_use(privoxy_t)
+tunable_policy(`privoxy_connect_any',`
+ corenet_tcp_connect_all_ports(privoxy_t)
+ corenet_sendrecv_all_client_packets(privoxy_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 4d47b0a3..703c8d93 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
-policy_module(sasl, 1.11.2)
+policy_module(sasl, 1.11.3)
 ########################################
 #
@@ -99,6 +99,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
 optional_policy(`
 kerberos_keytab_template(saslauthd, saslauthd_t)
+ kerberos_manage_host_rcache(saslauthd_t)
 ')
 optional_policy(`
@@ -106,6 +107,10 @@ optional_policy(`
 mysql_stream_connect(saslauthd_t)
 ')
+optional_policy(`
+ nis_authenticate(saslauthd_t)
+')
+
 optional_policy(`
 seutil_sigchld_newrole(saslauthd_t)
 ')
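Review bot: `auth_use_nsswitch(privoxy_t)` in the privoxy.te @@ -70,23 hunk grants more than the three lines it replaces (`sysnet_dns_name_resolve`, `nis_use_ypbind`, `nscd_socket_use`); if I recall the refpolicy interface correctly it also pulls in the other nsswitch back ends (ldap and winbind among them), so privoxy_t gains connections it did not previously have — confirm that widening is intended and say so in a comment on the new line. The new `tunable_policy(`privoxy_connect_any',...)` block is correctly gated and the declarations hunk defaults it to false, which is the right posture for a proxy. Since enabling it lets the proxy reach any TCP port, including services on the local host, the tunable's `<desc>` would be more useful to administrators if it stated that consequence instead of only naming the three default protocols. The trailing `optional_policy(`` opens a block that continues past the end of the hunk.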
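Review bot: `kerberos_manage_host_rcache(saslauthd_t)` in the sasl.te @@ -99,6 hunk gives saslauthd create, write and delete access over the host replay cache, which is presumably shared with every other domain that validates service tickets on the machine; a write or deletion there affects replay protection for all of them, so the line should explain why manage rather than read is needed, e.g. `# saslauthd verifies service tickets and records them in the shared host rcache — confirm`. The `nis_authenticate(saslauthd_t)` block in the following @@ -106,6 hunk is similarly undocumented; a one-line comment naming the saslauthd mechanism that requires it would help a later audit decide whether the block is still needed. Both optional_policy blocks are complete within their hunks.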