From 29e94cd4d00f002003a2fdf6f7f6ea72add8c88c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 3 Nov 2008 20:42:37 +0000 Subject: [PATCH] - Allow dhcpc to restart ypbind - Fixup labeling in /var/run --- policy-20080710.patch | 584 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 507 insertions(+), 77 deletions(-) diff --git a/policy-20080710.patch b/policy-20080710.patch index 684ed375..31c2d9a0 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -490,9 +490,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(consoletype_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.13/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2008-10-14 11:58:10.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2008-10-28 10:56:19.000000000 -0400 -@@ -28,8 +28,9 @@ ++++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2008-11-03 14:20:02.000000000 -0500 +@@ -26,10 +26,12 @@ + # + allow kismet_t self:capability { net_admin net_raw setuid setgid }; ++allow kismet_t self:process signal; allow kismet_t self:fifo_file rw_file_perms; allow kismet_t self:packet_socket create_socket_perms; -allow kismet_t self:unix_dgram_socket create_socket_perms; @@ -502,7 +505,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) allow kismet_t kismet_log_t:dir setattr; -@@ -43,10 +44,18 @@ +@@ -43,10 +45,18 @@ allow kismet_t kismet_var_run_t:dir manage_dir_perms; files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) 
@@ -640,7 +643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.5.13/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/rpm.fc 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/rpm.fc 2008-11-03 11:39:36.000000000 -0500 @@ -11,7 +11,8 @@ /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -651,7 +654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` -@@ -21,6 +22,9 @@ +@@ -21,14 +22,17 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -661,17 +664,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -@@ -29,6 +33,7 @@ - /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) + /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +- +-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) +/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) ++/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) # SuSE ifdef(`distro_suse', ` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.13/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/rpm.if 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/rpm.if 2008-11-03 11:41:00.000000000 -0500 @@ -152,6 +152,24 @@ ######################################## @@ -746,7 +751,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete the RPM log. ## ## -@@ -210,6 +270,24 @@ +@@ -192,6 +252,24 @@ + + ######################################## + ## ++## Create, read, write, and delete the RPM log. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`rpm_search_log',` ++ gen_require(` ++ type rpm_log_t; ++ ') ++ ++ allow $1 rpm_log_t:dir search_dir_perms; ++') ++ ++######################################## ++## + ## Inherit and use file descriptors from RPM scripts. + ## + ## +@@ -210,6 +288,24 @@ ######################################## ## 
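Review bot: The summary of the new rpm_search_log interface in the rpm.if hunk reads "Create, read, write, and delete the RPM log.", copied from the interface directly above it, while the body only grants `allow $1 rpm_log_t:dir search_dir_perms;`. The summary line should read `## Search the RPM log directory.` so the generated interface documentation does not promise callers write access they do not receive. The rest of the block (parameter description, gen_require) matches the neighbouring interfaces.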
@@ -771,7 +801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete RPM ## script temporary files. ## -@@ -225,7 +303,29 @@ +@@ -225,7 +321,29 @@ ') files_search_tmp($1) @@ -801,7 +831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -289,3 +389,175 @@ +@@ -289,3 +407,175 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1833,7 +1863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.13/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gnome.if 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/gnome.if 2008-10-30 16:10:55.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` type gconfd_exec_t, gconf_etc_t; @@ -4394,8 +4424,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-29 12:10:02.000000000 -0400 -@@ -0,0 +1,257 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-30 16:17:36.000000000 -0400 +@@ -0,0 +1,267 @@ + +policy_module(nsplugin, 1.0.0) + 
@@ -4546,6 +4576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + gnome_exec_gconf(nsplugin_t) + gnome_manage_user_gnome_config(user, nsplugin_t) ++ gnome_read_gconf_home_files(nsplugin_t) + allow nsplugin_t gnome_home_t:sock_file write; +') + @@ -4653,6 +4684,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + mozilla_read_user_home_files(user, nsplugin_config_t) +') ++ ++optional_policy(` ++ gen_require(` ++ type unconfined_mono_t; ++ ') ++ allow nsplugin_t unconfined_mono_t:process signull; ++') ++ ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.13/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.13/policy/modules/apps/openoffice.fc 2008-10-28 10:56:19.000000000 -0400 @@ -8913,7 +8953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.13/policy/modules/roles/unprivuser.if --- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.if 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.if 2008-10-30 13:58:02.000000000 -0400 @@ -62,6 +62,26 @@ files_home_filetrans($1, user_home_dir_t, dir) ') 
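Review bot: The optional_policy block appended at the end of nsplugin.te pulls `type unconfined_mono_t;` in through a gen_require written directly in the .te file rather than through an interface owned by the module that declares that type, so the dependency is invisible to the interface documentation and the block's optional resolution hinges on a bare type name instead of a module. The usual shape is an interface in the mono module that wraps `allow $1 unconfined_mono_t:process signull;` and is then called here as a one-liner. The two empty lines added after the block also leave the file ending in trailing blank lines.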
@@ -8974,10 +9014,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`unprivuser_dontaudit_list_home_dirs',` + gen_require(` -+ type user_home_t; ++ type user_home_t, user_home_dir_t; + ') + -+ dontaudit $1 user_home_t:dir list_dir_perms; ++ dontaudit $1 { user_home_dir_t user_home_t }:dir list_dir_perms; ') ######################################## 
@@ -12121,6 +12161,247 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.5.13/policy/modules/services/certmaster.fc +--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2008-10-30 14:43:22.000000000 -0400 +@@ -0,0 +1,11 @@ ++ ++/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) ++/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) ++ ++/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) ++ ++/etc/pki/certmaster(/.*)? gen_context(system_u:object_r:certmaster_cert_t,s0) ++ ++/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) ++ ++/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.5.13/policy/modules/services/certmaster.if +--- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/certmaster.if 2008-10-30 14:44:58.000000000 -0400 +@@ -0,0 +1,133 @@ ++## policy for certmaster ++ ++######################################## ++## ++## Execute a domain transition to run certmaster. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`certmaster_domtrans',` ++ gen_require(` ++ type certmaster_t, certmaster_exec_t; ++ ') ++ ++ domain_auto_trans($1,certmaster_exec_t,certmaster_t) ++ ++ allow certmaster_t $1:fd use; ++ allow certmaster_t $1:fifo_file rw_file_perms; ++ allow certmaster_t $1:process sigchld; ++') ++ ++####################################### ++### ++### read ++### certmaster logs. 
++### ++### ++### ++### Domain allowed access. ++### ++### ++## ++# ++interface(`certmaster_read_log',` ++ gen_require(` ++ type certmaster_var_log_t; ++ ') ++ ++ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++') ++ ++####################################### ++### ++### Append to certmaster logs. ++### ++### ++### ++### Domain allowed access. ++### ++### ++## ++# ++interface(`certmaster_append_log',` ++ gen_require(` ++ type certmaster_var_log_t; ++ ') ++ ++ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++') ++ ++####################################### ++### ++### Create, read, write, and delete ++### certmaster logs. ++### ++### ++### ++### Domain allowed access. ++### ++### ++## ++# ++interface(`certmaster_manage_log',` ++ gen_require(` ++ type certmaster_var_log_t; ++ ') ++ ++ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++') ++ ++######################################## ++### ++### All of the rules required to administrate ++### an snort environment ++### ++### ++### ++### Domain allowed access. ++### ++### ++### ++### ++### The role to be allowed to manage the syslog domain. 
++### ++### ++### ++## ++ ++interface(`certmaster_admin',` ++ gen_require(` ++ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; ++ type certmaster_etc_rw_t, certmaster_var_log_t; ++ certmaster_initrc_exec_t; ++ ') ++ ++ allow $1 certmaster_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, certmaster_t) ++ ++ init_labeled_script_domtrans($1, certmaster_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 certmaster_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_etc($1) ++ miscfiles_manage_cert_dirs($1) ++ miscfiles_manage_cert_files($1) ++ ++ admin_pattern($1, certmaster_etc_rw_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, certmaster_var_run_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, certmaster_var_log_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, certmaster_var_lib_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.5.13/policy/modules/services/certmaster.te +--- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/certmaster.te 2008-10-30 14:48:03.000000000 -0400 +@@ -0,0 +1,85 @@ ++policy_module(certmaster,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++# type and domain for certmaster ++type certmaster_t; ++type certmaster_exec_t; ++init_daemon_domain(certmaster_t, certmaster_exec_t) ++ ++type certmaster_initrc_exec_t; ++init_script_file(certmaster_initrc_exec_t) ++ ++# var/lib files ++type certmaster_var_lib_t; ++files_type(certmaster_var_lib_t) ++ ++# config files ++type certmaster_etc_rw_t; ++files_config_type(certmaster_etc_rw_t) ++ ++# log files ++type certmaster_var_log_t; ++logging_log_file(certmaster_var_log_t) ++ ++# pid files ++type certmaster_var_run_t; ++files_pid_file(certmaster_var_run_t) ++ ++########################################### ++# ++# certmaster local 
policy ++# ++ ++allow certmaster_t self:tcp_socket create_stream_socket_perms; ++ ++# certification files ++manage_dirs_pattern(certmaster_t,certmaster_cert_t,certmaster_cert_t) ++manage_files_pattern(certmaster_t, certmaster_cert_t, certmaster_cert_t) ++ ++# config files ++list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t) ++manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) ++ ++# var/lib files for certmaster ++manage_files_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) ++manage_dirs_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) ++files_var_lib_filetrans(certmaster_t,certmaster_var_lib_t, { file dir }) ++ ++# log files ++manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) ++logging_log_filetrans(certmaster_t,certmaster_var_log_t, file ) ++ ++# pid file ++manage_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) ++manage_sock_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) ++files_pid_filetrans(certmaster_t,certmaster_var_run_t, { file sock_file }) ++ ++corecmd_search_bin(certmaster_t) ++corecmd_getattr_bin_files(certmaster_t) ++ ++# network ++corenet_tcp_bind_inaddr_any_node(certmaster_t) ++corenet_tcp_bind_certmaster_port(certmaster_t) ++ ++files_search_etc(certmaster_t) ++files_list_var(certmaster_t) ++files_search_var_lib(certmaster_t) ++ ++# read meminfo ++kernel_read_system_state(certmaster_t) ++ ++auth_use_nsswitch(certmaster_t) ++ ++libs_use_ld_so(certmaster_t) ++libs_use_shared_libs(certmaster_t) ++ ++miscfiles_read_localization(certmaster_t) ++ ++miscfiles_manage_cert_dirs(certmaster_t) ++miscfiles_manage_cert_files(certmaster_t) ++ ++permissive certmaster_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.13/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 
-0400 +++ serefpolicy-3.5.13/policy/modules/services/clamav.fc 2008-10-28 10:56:19.000000000 -0400 @@ -12550,7 +12831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Calendar (PCP) local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.13/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cron.fc 2008-10-28 10:58:50.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cron.fc 2008-11-03 11:38:06.000000000 -0500 @@ -17,6 +17,8 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -12560,13 +12841,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/at/[^/]* -- <> -@@ -45,3 +47,6 @@ +@@ -45,3 +47,8 @@ /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) + +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) ++ ++/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-29 11:57:59.000000000 -0400 
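Review bot: certmaster_cert_t is referenced by certmaster.fc and by the two *_pattern calls under "certification files" in certmaster.te, but the Declarations section never declares it, and in certmaster_admin the gen_require line `certmaster_initrc_exec_t;` lacks the `type` keyword, so the module should fail to compile as written; add `type certmaster_cert_t; files_type(certmaster_cert_t)` under Declarations and change the require line to `type certmaster_initrc_exec_t;`. Separately, certmaster_t is granted miscfiles_manage_cert_dirs and miscfiles_manage_cert_files, which is write access to every cert_t object in the system trust store rather than only its own /etc/pki/certmaster tree; if the daemon only manages its own certificates, the certmaster_cert_t rules already cover that and the two miscfiles calls should go, since a compromised certmaster_t could otherwise replace system CA material. The certmaster_admin summary still says "administrate an snort environment" and its role parameter "manage the syslog domain", which are copy-paste leftovers. The trailing `permissive certmaster_t;` ships the domain unenforced, so the commit should say when it is expected to be removed.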
@@ -17139,7 +17422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-10-30 11:44:48.000000000 -0400 @@ -33,9 +33,9 @@ # networkmanager will ptrace itself if gdb is installed @@ -17172,7 +17455,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -85,9 +87,11 @@ +@@ -81,13 +83,16 @@ + corenet_sendrecv_isakmp_server_packets(NetworkManager_t) + corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) + corenet_sendrecv_all_client_packets(NetworkManager_t) ++corenet_rw_tun_tap_dev(NetworkManager_t) + dev_read_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) @@ -17184,7 +17472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_file_read_all_levels(NetworkManager_t) -@@ -104,9 +108,14 @@ +@@ -104,9 +109,14 @@ files_read_etc_runtime_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) @@ -17199,7 +17487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -119,27 +128,40 @@ +@@ -119,27 +129,40 @@ seutil_read_config(NetworkManager_t) @@ -17246,7 +17534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -151,8 +173,21 @@ +@@ -151,8 +174,21 @@ ') optional_policy(` 
@@ -17270,7 +17558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -160,23 +195,48 @@ +@@ -160,23 +196,48 @@ ') optional_policy(` @@ -17321,7 +17609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -194,7 +254,9 @@ +@@ -194,7 +255,9 @@ optional_policy(` vpn_domtrans(NetworkManager_t) @@ -17333,9 +17621,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.5.13/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nis.fc 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nis.fc 2008-11-03 13:40:14.000000000 -0500 @@ -1,9 +1,13 @@ - +- ++/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) +/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) @@ -17350,7 +17639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.5.13/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nis.if 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nis.if 2008-11-03 14:12:23.000000000 -0500 @@ -28,7 +28,7 @@ type var_yp_t; ') 
@@ -17397,7 +17686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute ypbind in the ypbind domain. ## ## -@@ -244,3 +263,83 @@ +@@ -244,3 +263,105 @@ corecmd_search_bin($1) domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) ') @@ -17423,6 +17712,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Execute nis server in the nis domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`nis_ypbind_initrc_domtrans',` ++ gen_require(` ++ type ypbind_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, ypbind_initrc_exec_t) ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an nis environment +## @@ -17444,6 +17752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type ypserv_t, ypxfr_t; + type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; + type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; ++ type ypbind_initrc_exec_t; + type nis_initrc_exec_t; + ') + @@ -17460,8 +17769,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ps_process_pattern($1, ypxfr_t) + + nis_initrc_domtrans($1) ++ nis_ypbind_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 nis_initrc_exec_t system_r; ++ role_transition $2 ypbind_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) 
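Review bot: The summary of the new nis_ypbind_initrc_domtrans interface reads "Execute nis server in the nis domain.", copied from the interface above it, while the body runs init_labeled_script_domtrans on ypbind_initrc_exec_t; it should read `## Execute the ypbind init script in the init script domain.` so callers such as the dhcpc_t rule later in this patch are documented correctly. There is also a doubled `#` line between the doc block and the interface line that the other interfaces in this file do not have.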
@@ -17483,8 +17794,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.5.13/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nis.te 2008-10-28 10:56:19.000000000 -0400 -@@ -44,6 +44,9 @@ ++++ serefpolicy-3.5.13/policy/modules/services/nis.te 2008-11-03 13:39:45.000000000 -0500 +@@ -13,6 +13,9 @@ + type ypbind_exec_t; + init_daemon_domain(ypbind_t, ypbind_exec_t) + ++type ypbind_initrc_exec_t; ++init_script_file(ypbind_initrc_exec_t) ++ + type ypbind_tmp_t; + files_tmp_file(ypbind_tmp_t) + +@@ -44,6 +47,9 @@ type ypxfr_exec_t; init_daemon_domain(ypxfr_t, ypxfr_exec_t) @@ -17494,7 +17815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # ypbind local policy -@@ -111,9 +114,19 @@ +@@ -111,9 +117,19 @@ sysnet_read_config(ypbind_t) userdom_dontaudit_use_unpriv_user_fds(ypbind_t) @@ -17515,7 +17836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` seutil_sigchld_newrole(ypbind_t) ') -@@ -127,6 +140,7 @@ +@@ -127,6 +143,7 @@ # yppasswdd local policy # @@ -17523,7 +17844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit yppasswdd_t self:capability sys_tty_config; allow yppasswdd_t self:fifo_file rw_fifo_file_perms; allow yppasswdd_t self:process { setfscreate signal_perms }; -@@ -157,8 +171,8 @@ +@@ -157,8 +174,8 @@ corenet_udp_sendrecv_all_ports(yppasswdd_t) corenet_tcp_bind_all_nodes(yppasswdd_t) corenet_udp_bind_all_nodes(yppasswdd_t) 
@@ -17534,7 +17855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) corenet_sendrecv_generic_server_packets(yppasswdd_t) -@@ -249,6 +263,8 @@ +@@ -249,6 +266,8 @@ corenet_udp_bind_all_nodes(ypserv_t) corenet_tcp_bind_reserved_port(ypserv_t) corenet_udp_bind_reserved_port(ypserv_t) @@ -17543,7 +17864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) corenet_sendrecv_generic_server_packets(ypserv_t) -@@ -318,6 +334,8 @@ +@@ -318,6 +337,8 @@ corenet_udp_bind_all_nodes(ypxfr_t) corenet_tcp_bind_reserved_port(ypxfr_t) corenet_udp_bind_reserved_port(ypxfr_t) @@ -17562,7 +17883,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.13/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-11-03 13:42:37.000000000 -0500 @@ -2,7 +2,27 @@ ######################################## @@ -17753,7 +18074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.5.13/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nscd.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nscd.te 2008-11-03 13:39:13.000000000 -0500 
@@ -20,6 +20,9 @@ type nscd_exec_t; init_daemon_domain(nscd_t, nscd_exec_t) @@ -19650,7 +19971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.13/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-10-29 10:47:55.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-10-30 15:01:10.000000000 -0400 @@ -37,8 +37,8 @@ type pppd_etc_rw_t; files_type(pppd_etc_rw_t) @@ -19722,7 +20043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(pptp_t) corenet_all_recvfrom_netlabel(pptp_t) corenet_tcp_sendrecv_all_if(pptp_t) -@@ -269,6 +279,8 @@ +@@ -269,12 +279,16 @@ fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) @@ -19731,30 +20052,42 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) -@@ -283,6 +295,7 @@ + + domain_use_interactive_fds(pptp_t) + ++auth_use_nsswitch(pptp_t) ++ + libs_use_ld_so(pptp_t) + libs_use_shared_libs(pptp_t) + +@@ -282,7 +296,7 @@ + miscfiles_read_localization(pptp_t) - sysnet_read_config(pptp_t) +-sysnet_read_config(pptp_t) +sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -293,6 +306,14 @@ +@@ -293,11 +307,15 @@ ') optional_policy(` +- hostname_exec(pptp_t) + dbus_system_domain(pppd_t, pppd_exec_t) + + optional_policy(` + networkmanager_dbus_chat(pppd_t) + ') -+') -+ -+optional_policy(` - hostname_exec(pptp_t) ') -@@ -311,6 +332,3 @@ + optional_policy(` +- nscd_socket_use(pptp_t) ++ hostname_exec(pptp_t) + ') + + optional_policy(` +@@ -311,6 +329,3 @@ optional_policy(` postfix_read_config(pppd_t) ') 
@@ -23179,7 +23512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2008-10-28 10:58:34.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2008-10-29 17:13:04.000000000 -0400 @@ -21,16 +21,24 @@ gen_tunable(spamd_enable_home_dirs, true) @@ -23321,7 +23654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_files(spamd_t) ') -@@ -172,16 +218,17 @@ +@@ -172,6 +218,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -23329,20 +23662,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_stream_connect_dccifd(spamd_t) ') - optional_policy(` -- mysql_search_db(spamd_t) -- mysql_stream_connect(spamd_t) -+ exim_manage_spool_files(spamd_t) +@@ -181,10 +228,6 @@ ') optional_policy(` - nis_use_ypbind(spamd_t) -+ mysql_search_db(spamd_t) -+ mysql_stream_connect(spamd_t) +-') +- +-optional_policy(` + postfix_read_config(spamd_t) ') - optional_policy(` -@@ -199,6 +246,10 @@ +@@ -199,6 +242,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -23353,7 +23684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -213,3 +264,121 @@ +@@ -213,3 +260,121 @@ optional_policy(` udev_read_db(spamd_t) ') 
@@ -24198,7 +24529,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.13/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.fc 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.fc 2008-11-03 11:42:39.000000000 -0500 @@ -1,13 +1,15 @@ # # HOME_DIR @@ -24233,6 +24564,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - # # /opt + # +@@ -50,7 +47,7 @@ + /tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) + /tmp/\.ICE-unix/.* -s <> + /tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0) +-/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) ++/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_xserver_tmp_t,s0) + /tmp/\.X11-unix/.* -s <> + # @@ -58,9 +55,11 @@ # 
@@ -27845,6 +28185,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.5.13/policy/modules/system/miscfiles.if +--- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/miscfiles.if 2008-10-31 11:01:20.000000000 -0400 +@@ -23,6 +23,45 @@ + + ######################################## + ## ++## manange system SSL certificates. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(` ++ gen_require(` ++ type cert_t; ++ ') ++ ++ manage_dirs_pattern($1,cert_t,cert_t) ++') ++ ++######################################## ++## ++## manange system SSL certificates. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`miscfiles_manage_cert_files',` ++ gen_require(` ++ type cert_t; ++ ') ++ ++ manage_files_pattern($1,cert_t,cert_t) ++ read_lnk_files_pattern($1,cert_t,cert_t) ++') ++ ++######################################## ++## + ## Read fonts. + ## + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.5.13/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2008-10-14 11:58:09.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/system/modutils.te 2008-10-28 10:56:19.000000000 -0400 
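Review bot: The first interface added to miscfiles.if is opened with an interface( call whose quoted name is empty, so the block granting manage_dirs_pattern on cert_t defines nothing, and the miscfiles_manage_cert_dirs(certmaster_t) calls made by certmaster.te and certmaster_admin elsewhere in this patch will not resolve; the opening line should carry the name miscfiles_manage_cert_dirs the same way the next block carries miscfiles_manage_cert_files. Both summaries also read "manange system SSL certificates"; the first should say `## Manage system SSL certificate directories.` and the second `## Manage system SSL certificate files and read their symlinks.` so the generated docs distinguish them and reflect the extra read_lnk_files_pattern in the second.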
@@ -29128,7 +29517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-10-29 09:04:33.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-11-03 13:42:28.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -29184,7 +29573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat', ` files_exec_etc_files(dhcpc_t) ') -@@ -185,14 +187,12 @@ +@@ -185,25 +187,22 @@ ') optional_policy(` @@ -29201,11 +29590,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ nis_initrc_domtrans(dhcpc_t) ++ nis_ypbind_initrc_domtrans(dhcpc_t) ') optional_policy(` -@@ -201,9 +201,7 @@ ++ nscd_initrc_domtrans(dhcpc_t) + nscd_domtrans(dhcpc_t) + nscd_read_pid(dhcpc_t) ') optional_policy(` @@ -29216,7 +29607,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -214,6 +212,11 @@ +@@ -214,6 +213,11 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -29228,7 +29619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -225,6 +228,10 @@ +@@ -225,6 +229,10 @@ ') optional_policy(` 
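Review bot: The new `optional_policy` blocks call `nis_ypbind_initrc_domtrans(dhcpc_t)` and `nscd_initrc_domtrans(dhcpc_t)`, and I cannot see from this hunk whether either interface already exists in nis.if/nscd.if; if they are introduced by this same patch series, those hunks must land together or the sysnetwork module fails to build. Both grant dhcpc_t — a domain that parses network-supplied DHCP responses — a transition into the ypbind and nscd init scripts, which is broader than the `nscd_domtrans` it already had, so a comment recording the need, `# dhcpc must be able to restart ypbind and nscd after a lease changes NIS/resolver settings`, would make the privilege auditable later. The enclosing dhcpc_t policy block starts and ends outside this hunk.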
@@ -29239,7 +29630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_xen_state(dhcpc_t) kernel_write_xen_state(dhcpc_t) xen_append_log(dhcpc_t) -@@ -238,7 +245,6 @@ +@@ -238,7 +246,6 @@ allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; @@ -29247,7 +29638,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; -@@ -252,6 +258,7 @@ +@@ -252,6 +259,7 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; @@ -29255,7 +29646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; -@@ -261,13 +268,20 @@ +@@ -261,13 +269,20 @@ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; allow ifconfig_t self:tcp_socket { create ioctl }; @@ -29276,7 +29667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_rw_tun_tap_dev(ifconfig_t) -@@ -278,8 +292,13 @@ +@@ -278,8 +293,13 @@ fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -29290,7 +29681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(ifconfig_t) -@@ -335,6 +354,14 @@ +@@ -335,6 +355,14 @@ ') optional_policy(` 
@@ -29307,8 +29698,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_append_log(ifconfig_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.5.13/policy/modules/system/udev.fc --- nsaserefpolicy/policy/modules/system/udev.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/udev.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -13,6 +13,7 @@ ++++ serefpolicy-3.5.13/policy/modules/system/udev.fc 2008-11-03 11:39:49.000000000 -0500 +@@ -13,8 +13,11 @@ /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) @@ -29316,6 +29707,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) + + /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) ++ ++/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.13/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/system/udev.if 2008-10-28 10:56:19.000000000 -0400 
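Review bot: The new file context `/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)` sits in udev.fc but uses `rpm_var_run_t`, a type owned by the rpm module; when the rpm module is not loaded, setfiles/restorecon reports that entry as an invalid context, and the refpolicy convention is to keep a path in the .fc of the module that owns its type. Moving the line to rpm.fc keeps the udev module self-contained and loadable on systems without rpm policy. If it must stay here, a comment such as `# PackageKit udev hook state under /var/run; type is defined by the rpm module` should at least document the cross-module dependency.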
@@ -29374,7 +29769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.5.13/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/udev.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/udev.te 2008-11-03 11:41:29.000000000 -0500 @@ -83,6 +83,7 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) @@ -29410,7 +29805,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(udev_t) ') -@@ -240,5 +247,9 @@ +@@ -233,6 +240,10 @@ + ') + + optional_policy(` ++ rpm_search_log(udev_t) ++') ++ ++optional_policy(` + kernel_write_xen_state(udev_t) + kernel_read_xen_state(udev_t) + xen_manage_log(udev_t) +@@ -240,5 +251,9 @@ ') optional_policy(` @@ -30167,7 +30573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-29 16:35:07.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-30 16:14:16.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') 
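Review bot: The new `optional_policy` block grants udev_t only `rpm_search_log`, which is directory search on the rpm log directory and does not cover the `/var/run/PackageKit/udev` path this commit relabels `rpm_var_run_t` in udev.fc; if udev or a helper it runs is meant to create or write files under that directory, it additionally needs write access to `rpm_var_run_t`, which no interface here provides, and AVC denials would follow. Either add the matching rpm interface to this block or record why search on the log dir is all that is needed, e.g. `# udev's PackageKit hook only looks up the rpm log dir; nothing is written under /var/run/PackageKit`. The other two hunks on this line only bump file timestamps.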
@@ -32280,6 +32686,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $1 userdomain:process getattr; +@@ -5429,7 +5528,7 @@ + + ######################################## + ## +-## Send general signals to all user domains. ++## Send signull to all user domains. + ## + ## + ## +@@ -5437,12 +5536,12 @@ + ## + ## + # +-interface(`userdom_signal_all_users',` ++interface(`userdom_signull_all_users',` + gen_require(` + attribute userdomain; + ') + +- allow $1 userdomain:process signal; ++ allow $1 userdomain:process signull; + ') + + ######################################## @@ -5483,6 +5582,42 @@ ########################################
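Review bot: Renaming `userdom_signal_all_users` to `userdom_signull_all_users` and narrowing the permission from `signal` to `signull` is a sound tightening (signull only probes whether a process exists and delivers no signal), but it removes the old interface name outright, so any module still calling `userdom_signal_all_users` will fail to build until it is updated; the callers should be switched in this same commit, or the old interface retained alongside the new one if some domain genuinely needs signal delivery. The summary should also tell callers what they get, e.g. `## Send signull (existence check only, no signal delivered) to all user domains.`.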