From 3b47cb03b75594e22e924ec11f443fea43c7020f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 3 Dec 2007 00:15:23 +0000 Subject: [PATCH] Fri Nov 30 2007 Dan Walsh 3.2.1-1 - Remove user based home directory separation --- policy-20071130.patch | 527 +++++++++++++++++++++++++++++------------- selinux-policy.spec | 3 +- 2 files changed, 365 insertions(+), 165 deletions(-) diff --git a/policy-20071130.patch b/policy-20071130.patch index f1341a8d..e9e5e8ac 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2404,6 +2404,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te +optional_policy(` + xserver_xdm_rw_shm(java_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.2.1/policy/modules/apps/loadkeys.te +--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-10-12 08:56:02.000000000 -0400 ++++ serefpolicy-3.2.1/policy/modules/apps/loadkeys.te 2007-12-01 08:16:19.000000000 -0500 +@@ -44,3 +44,5 @@ + optional_policy(` + nscd_dontaudit_search_pid(loadkeys_t) + ') ++ ++userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.2.1/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500 +++ serefpolicy-3.2.1/policy/modules/apps/mono.if 2007-11-30 11:23:56.000000000 -0500 @@ -3840,7 +3849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.1/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/kernel/files.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/kernel/files.if 2007-12-01 06:48:16.000000000 -0500 
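Review bot: The new `userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t)` appended to loadkeys.te carries no comment saying which write loadkeys attempts or why hiding it is safe; a dontaudit permanently suppresses that denial, so the reason belongs next to the rule. Suggest a one-line comment above it naming the observed denial, e.g. `# loadkeys tries to write <observed target> under user home dirs; not needed, silence it`, with the target taken from the AVC that motivated the change. The rule is placed outside any optional_policy block, which is only right because userdom is a base module.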
@@ -1266,6 +1266,24 @@ ######################################## @@ -3944,7 +3953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # etc_runtime_t is the type of various diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.2.1/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/kernel/filesystem.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/kernel/filesystem.te 2007-12-01 08:42:02.000000000 -0500 @@ -25,6 +25,8 @@ fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -3954,6 +3963,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); +@@ -135,6 +137,11 @@ + genfscon squash / gen_context(system_u:object_r:squash_t,s0) + files_mountpoint(squash_t) + ++type vmblock_t; ++fs_noxattr_type(vmblock_t) ++files_mountpoint(vmblock_t) ++genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) ++ + type vxfs_t; + fs_noxattr_type(vxfs_t) + files_mountpoint(vxfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.1/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.2.1/policy/modules/kernel/kernel.if 2007-11-30 11:30:39.000000000 -0500 
@@ -5131,8 +5152,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.1/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2007-09-05 15:24:44.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/clamav.fc 2007-11-30 11:23:56.000000000 -0500 -@@ -13,8 +13,7 @@ ++++ serefpolicy-3.2.1/policy/modules/services/clamav.fc 2007-12-01 07:49:02.000000000 -0500 +@@ -5,16 +5,18 @@ + /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) + + /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) ++/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) + + /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) + /var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) + /var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) + /var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) ++/var/run/clamav-milter(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) 
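Review bot: Labeling `/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)` runs the milter in the full `clamd_t` domain, so a process driven directly by the MTA inherits every permission clamd has, including anything added to `clamd_t` later (such as the `mta_read_config(clamd_t)` this same patch adds to clamav.te). If sharing the domain is the intended design, a short comment recording that next to the line would help future readers, e.g. `# clamav-milter shares the clamd domain (needs the clamd socket and config)`. A dedicated milter domain with only socket access to clamd would be the tighter layout, but that is a larger change than this hunk.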
@@ -5140,11 +5171,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam -/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) +/var/log/clamav(/.*)? gen_context(system_u:object_r:clamd_var_log_t,s0) /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) ++/var/log/clamav.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0) /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.1/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/clamav.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/services/clamav.te 2007-12-01 08:04:25.000000000 -0500 @@ -87,6 +87,7 @@ kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) @@ -5153,7 +5185,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam corenet_all_recvfrom_unlabeled(clamd_t) corenet_all_recvfrom_netlabel(clamd_t) -@@ -127,6 +128,10 @@ +@@ -120,6 +121,8 @@ + cron_use_system_job_fds(clamd_t) + cron_rw_pipes(clamd_t) + ++mta_read_config(clamd_t) ++ + optional_policy(` + amavis_read_lib_files(clamd_t) + amavis_read_spool_files(clamd_t) +@@ -127,6 +130,10 @@ amavis_create_pid_files(clamd_t) ') @@ -5164,7 +5205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## # # Freshclam local policy -@@ -233,3 +238,7 @@ +@@ -233,3 +240,7 @@ optional_policy(` apache_read_sys_content(clamscan_t) ') 
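Review bot: The new context `/var/log/clamav.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0)` leaves the `.` unescaped, while the neighbouring entries in this file escape it (`clamd\.pid`, `clamd\..*`); in file_contexts the dot is a regex metacharacter, so the line should read `/var/log/clamav\.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0)`. The same applies to `/var/log/rsync.log` added to rsync.fc in the hunk at @@ -9268, which should be `/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)`. The practical effect is small, but it keeps the labels from matching unrelated names and matches the file's convention.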
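Review bot: `mta_read_config(clamd_t)` is added unconditionally between two optional_policy blocks in clamav.te; unless the mta module is guaranteed to be in base for this build, it should be wrapped in its own optional_policy block like the amavis calls around it. A comment naming the consumer would also help, since plain clamd has no reason to read MTA configuration, e.g. `# clamav-milter (runs as clamd_t) reads the MTA configuration` — that motivation is inferred from the new clamav-milter labeling in clamav.fc and should be confirmed.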
@@ -5803,8 +5844,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.1/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/cups.te 2007-11-30 11:25:57.000000000 -0500 -@@ -48,9 +48,7 @@ ++++ serefpolicy-3.2.1/policy/modules/services/cups.te 2007-12-02 18:58:51.000000000 -0500 +@@ -1,5 +1,5 @@ + +-policy_module(cups,1.8.2) ++policy_module(cups,1.4.1) + + ######################################## + # +@@ -43,14 +43,12 @@ + + type cupsd_var_run_t; + files_pid_file(cupsd_var_run_t) +-mls_trusted_object(cupsd_var_run_t) + type hplip_t; type hplip_exec_t; init_daemon_domain(hplip_t,hplip_exec_t) 
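Review bot: The inner hunk `+@@ -1,5 +1,5 @@` now rewrites `policy_module(cups,1.8.2)` to `policy_module(cups,1.4.1)`, so the module version goes backwards in the patched tree. A lower version on an otherwise newer module misleads anyone comparing installed modules and, depending on the semodule in use, may be refused as a downgrade; this looks like a line carried over from an older patch rather than an intended change. Unless the downgrade is deliberate, drop the two version lines from the inner hunk so upstream's `1.8.2` is kept, or set a value higher than 1.8.2 if a local marker is wanted.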
@@ -5812,27 +5865,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups -type hplip_etc_t; -files_config_file(hplip_etc_t) +domtrans_pattern(cupsd_t,hplip_exec_t, hplip_t) ++domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t) type hplip_var_run_t; files_pid_file(hplip_var_run_t) -@@ -81,14 +79,14 @@ +@@ -71,6 +69,8 @@ + + ifdef(`enable_mls',` + init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh) ++ ++ mls_trusted_object(cupsd_var_run_t) + ') + + ######################################## +@@ -81,12 +81,12 @@ # /usr/lib/cups/backend/serial needs sys_admin(?!) allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:process { setsched signal_perms }; +-allow cupsd_t self:fifo_file rw_file_perms; +allow cupsd_t self:process { setpgid setsched signal_perms }; - allow cupsd_t self:fifo_file rw_file_perms; ++allow cupsd_t self:fifo_file rw_fifo_file_perms; allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow cupsd_t self:unix_dgram_socket create_socket_perms; allow cupsd_t self:netlink_selinux_socket create_socket_perms; -allow cupsd_t self:netlink_route_socket r_netlink_socket_perms; ++allow cupsd_t self:shm create_shm_perms; allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; -+allow cupsd_t self:shm create_shm_perms; allow cupsd_t self:appletalk_socket create_socket_perms; - # generic socket here until appletalk socket is available in kernels - allow cupsd_t self:socket create_socket_perms; -@@ -105,7 +103,7 @@ +@@ -105,7 +105,7 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) 
@@ -5841,7 +5903,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t cupsd_exec_t:lnk_file read; manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t) -@@ -122,13 +120,14 @@ +@@ -117,13 +117,19 @@ + manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t) + files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) + ++# This whole section needs to be moved to a smbspool policy ++# smbspool seems to be iterating through all existing tmp files. ++# Looking for kerberos files ++files_getattr_all_tmp_files(cupsd_t) ++userdom_read_unpriv_users_tmp_files(cupsd_t) ++files_dontaudit_getattr_all_tmp_sockets(cupsd_t) ++ + allow cupsd_t cupsd_var_run_t:dir setattr; + manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) files_pid_filetrans(cupsd_t,cupsd_var_run_t,file) @@ -5851,14 +5925,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t) - allow cupsd_t ptal_var_run_t : sock_file setattr; - -+auth_use_nsswitch(cupsd_t) -+ - kernel_read_system_state(cupsd_t) +@@ -133,8 +139,7 @@ kernel_read_network_state(cupsd_t) kernel_read_all_sysctls(cupsd_t) -@@ -150,21 +149,26 @@ + +-corenet_all_recvfrom_unlabeled(cupsd_t) +-corenet_all_recvfrom_netlabel(cupsd_t) ++corenet_non_ipsec_sendrecv(cupsd_t) + corenet_tcp_sendrecv_all_if(cupsd_t) + corenet_udp_sendrecv_all_if(cupsd_t) + corenet_raw_sendrecv_all_if(cupsd_t) +@@ -150,31 +155,39 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) 
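Review bot: The block inserted after `files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })` grants `cupsd_t` `userdom_read_unpriv_users_tmp_files` plus getattr on all tmp files, far more than the stated need (smbspool locating Kerberos credential caches), so the print daemon can read any unprivileged user's temporary files. The comment already marks it as a TODO for a separate smbspool policy, and a dedicated backend domain is indeed the right fix since it confines the access to the process that needs it; until then the comment should point at a tracked item rather than just "needs to be moved", e.g. `# TODO(<tracker ref>): move to a smbspool domain; until then cupsd_t can read all unpriv user tmp files`. The same three lines are removed from the end of the file in the hunk at @@ -6091, so this is a move, not a new grant.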
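Review bot: Replacing `corenet_all_recvfrom_unlabeled(cupsd_t)` and `corenet_all_recvfrom_netlabel(cupsd_t)` with the single `corenet_non_ipsec_sendrecv(cupsd_t)` narrows what cupsd may receive: as far as I recall the refpolicy interfaces, the new call covers only the unlabeled association, while the removed pair also covered unlabeled peers/packets and NetLabel-labelled peers. On a host using labeled networking cupsd could then start seeing peer denials; if the narrowing is intended, a one-line comment saying so would help, otherwise keep the two original calls. The same substitution is made for `cupsd_config_t` (hunk at @@ -5951), `cupsd_lpd_t` (@@ -6061), and `hplip_t` and `ptal_t` (@@ -6091).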
@@ -5884,18 +5961,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) - mls_file_write_all_levels(cupsd_t) - mls_file_read_all_levels(cupsd_t) -@@ -173,6 +177,8 @@ +-mls_file_write_all_levels(cupsd_t) +-mls_file_read_all_levels(cupsd_t) ++mls_file_write_down(cupsd_t) ++mls_file_read_up(cupsd_t) ++mls_rangetrans_target(cupsd_t) + mls_socket_write_all_levels(cupsd_t) + term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) -+auth_use_nsswitch(cupsd_t) -+ auth_domtrans_chk_passwd(cupsd_t) ++auth_domtrans_upd_passwd_chk(cupsd_t) auth_dontaudit_read_pam_pid(cupsd_t) ++auth_rw_faillog(cupsd_t) -@@ -187,7 +193,7 @@ + # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp + corecmd_exec_shell(cupsd_t) +@@ -187,7 +200,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma @@ -5904,7 +5987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -196,12 +202,9 @@ +@@ -196,15 +209,14 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -5918,7 +6001,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups init_exec_script_files(cupsd_t) -@@ -221,17 +224,38 @@ ++auth_use_nsswitch(cupsd_t) ++ + libs_use_ld_so(cupsd_t) + libs_use_shared_libs(cupsd_t) + # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* +@@ -221,14 +233,37 @@ sysnet_read_config(cupsd_t) @@ -5932,9 +6020,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ifdef(`enable_mls',` lpd_relabel_spool(cupsd_t) - ') - - optional_policy(` ++ ++ mls_trusted_object(cupsd_var_run_t) ++ init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh) ++') ++ ++optional_policy(` + avahi_dbus_chat(cupsd_t) +') + 
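Review bot: In the hunk at `@@ -221,14 +233,37 @@` the second `enable_mls` ifdef block gains `mls_trusted_object(cupsd_var_run_t)` and `init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh)`, but the same two calls are already made in the first `enable_mls` block at `@@ -71,6 +69,8 @@` in the previous hunk of this file. Under MLS that yields a duplicated range_transition and domain setup for cupsd_t; duplicate rules are at best redundant and, for range_transition, may be reported as conflicting by the policy compiler. Keep them in the first block next to the type declarations and leave only `lpd_relabel_spool(cupsd_t)` in the second.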
@@ -5942,7 +6033,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + init_stream_connect_script(cupsd_t) + + unconfined_rw_pipes(cupsd_t) -+ unconfined_rw_stream_sockets(cupsd_t) + + optional_policy(` + init_dbus_chat_script(cupsd_t) 
@@ -5951,45 +6041,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + + dbus_stub(cupsd_t) + ') -+') -+ -+optional_policy(` - apm_domtrans_client(cupsd_t) ') -@@ -262,16 +286,16 @@ + optional_policy(` +@@ -241,6 +276,7 @@ + + optional_policy(` + dbus_system_bus_client_template(cupsd,cupsd_t) ++ dbus_send_system_bus(cupsd_t) + + userdom_dbus_send_all_users(cupsd_t) + +@@ -262,7 +298,7 @@ ') optional_policy(` - nscd_socket_use(cupsd_t) --') -- --optional_policy(` - # cups execs smbtool which reads samba_etc_t files - samba_read_config(cupsd_t) - samba_rw_var_files(cupsd_t) ++ mta_send_mail(cupsd_t) ') optional_policy(` -+ mta_send_mail(cupsd_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(cupsd_t) - ') +@@ -319,8 +355,7 @@ + kernel_read_system_state(cupsd_config_t) + kernel_read_kernel_sysctls(cupsd_config_t) -@@ -291,7 +315,9 @@ - allow cupsd_config_t self:unix_stream_socket create_socket_perms; - allow cupsd_config_t self:unix_dgram_socket create_socket_perms; - allow cupsd_config_t self:tcp_socket create_stream_socket_perms; --allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms; -+ -+allow cupsd_config_t hplip_exec_t:file read_file_perms; -+domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t) - - allow cupsd_config_t cupsd_t:process signal; - ps_process_pattern(cupsd_config_t,cupsd_t) -@@ -330,6 +356,7 @@ +-corenet_all_recvfrom_unlabeled(cupsd_config_t) +-corenet_all_recvfrom_netlabel(cupsd_config_t) ++corenet_non_ipsec_sendrecv(cupsd_config_t) + corenet_tcp_sendrecv_all_if(cupsd_config_t) + corenet_tcp_sendrecv_all_nodes(cupsd_config_t) + corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -330,11 +365,13 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) 
@@ -5997,31 +6079,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -354,6 +381,8 @@ - logging_send_syslog_msg(cupsd_config_t) + corecmd_exec_bin(cupsd_config_t) ++corecmd_exec_sbin(cupsd_config_t) + corecmd_exec_shell(cupsd_config_t) -+auth_use_nsswitch(cupsd_config_t) -+ - miscfiles_read_localization(cupsd_config_t) - - seutil_dontaudit_search_config(cupsd_config_t) -@@ -376,6 +405,14 @@ + domain_use_interactive_fds(cupsd_config_t) +@@ -376,12 +413,17 @@ ') optional_policy(` + term_use_generic_ptys(cupsd_config_t) +') + -+optional_policy(` -+ unconfined_rw_pipes(cupsd_config_t) -+') -+ +optional_policy(` cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -391,6 +428,7 @@ + optional_policy(` + dbus_system_bus_client_template(cupsd_config,cupsd_config_t) + dbus_connect_system_bus(cupsd_config_t) ++ dbus_send_system_bus(cupsd_config_t) + + optional_policy(` + hal_dbus_chat(cupsd_config_t) +@@ -391,6 +433,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) 
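Review bot: `term_use_generic_ptys(cupsd_config_t)` is wrapped in its own optional_policy block, but the terminal module belongs to the kernel layer and is always present, so the wrapper implies an optional dependency that does not exist; call it directly among the unconditional rules, the way `corecmd_exec_sbin(cupsd_config_t)` is added above it. Separately, `dbus_send_system_bus(cupsd_config_t)` is placed right after `dbus_system_bus_client_template(cupsd_config,cupsd_config_t)` in the same hunk; if the template already grants sending on the system bus the extra call is redundant, which is worth confirming against dbus.if.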
@@ -6029,30 +6111,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -402,14 +440,6 @@ - ') +@@ -461,8 +504,7 @@ + kernel_read_system_state(cupsd_lpd_t) + kernel_read_network_state(cupsd_lpd_t) - optional_policy(` -- nis_use_ypbind(cupsd_config_t) --') -- --optional_policy(` -- nscd_socket_use(cupsd_config_t) --') -- --optional_policy(` - rpm_read_db(cupsd_config_t) - ') - -@@ -430,7 +460,6 @@ - allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; - allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms; - allow cupsd_lpd_t self:udp_socket create_socket_perms; --allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms; - - # for identd - # cjp: this should probably only be inetd_child rules? -@@ -480,6 +509,8 @@ +-corenet_all_recvfrom_unlabeled(cupsd_lpd_t) +-corenet_all_recvfrom_netlabel(cupsd_lpd_t) ++corenet_non_ipsec_sendrecv(cupsd_lpd_t) + corenet_tcp_sendrecv_all_if(cupsd_lpd_t) + corenet_udp_sendrecv_all_if(cupsd_lpd_t) + corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t) +@@ -480,6 +522,8 @@ files_read_etc_files(cupsd_lpd_t) @@ -6061,7 +6130,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups libs_use_ld_so(cupsd_lpd_t) libs_use_shared_libs(cupsd_lpd_t) -@@ -495,14 +526,6 @@ +@@ -487,22 +531,12 @@ + + miscfiles_read_localization(cupsd_lpd_t) + +-sysnet_read_config(cupsd_lpd_t) +- + cups_stream_connect(cupsd_lpd_t) + + optional_policy(` inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t) ') 
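Review bot: The hunk at `@@ -487,22 +531,12 @@` drops `sysnet_read_config(cupsd_lpd_t)`, which is what lets the lpd domain read the resolver configuration for host lookups. Whether that is safe depends on the two lines added at `@@ -480,6 +522,8 @@`, which fall outside the outer hunk: if they are `auth_use_nsswitch(cupsd_lpd_t)` the read is still granted through it (as far as I recall, auth_use_nsswitch pulls in sysnet_dns_name_resolve), otherwise the inetd-spawned lpd service loses its resolver access. A short comment next to the removal, e.g. `# covered by auth_use_nsswitch`, would make the intent checkable.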
@@ -6076,8 +6153,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ######################################## # # HPLIP local policy -@@ -523,11 +546,9 @@ - allow hplip_t cupsd_etc_t:dir search; +@@ -520,14 +554,12 @@ + allow hplip_t self:udp_socket create_socket_perms; + allow hplip_t self:rawip_socket create_socket_perms; + +-allow hplip_t cupsd_etc_t:dir search; ++allow hplip_t cupsd_etc_t:dir search_dir_perms; cups_stream_connect(hplip_t) - 
@@ -6091,38 +6172,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -558,7 +579,9 @@ +@@ -535,8 +567,7 @@ + kernel_read_system_state(hplip_t) + kernel_read_kernel_sysctls(hplip_t) + +-corenet_all_recvfrom_unlabeled(hplip_t) +-corenet_all_recvfrom_netlabel(hplip_t) ++corenet_non_ipsec_sendrecv(hplip_t) + corenet_tcp_sendrecv_all_if(hplip_t) + corenet_udp_sendrecv_all_if(hplip_t) + corenet_raw_sendrecv_all_if(hplip_t) +@@ -558,13 +589,15 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) -dev_read_usbfs(hplip_t) +dev_rw_usbfs(hplip_t) + -+lpd_read_spool(hplip_t) fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -585,8 +608,6 @@ - userdom_dontaudit_search_sysadm_home_dirs(hplip_t) + + # for python + corecmd_exec_bin(hplip_t) ++corecmd_search_sbin(hplip_t) + + domain_use_interactive_fds(hplip_t) + +@@ -586,6 +619,7 @@ userdom_dontaudit_search_all_users_home_content(hplip_t) --lpd_read_config(cupsd_t) -- + lpd_read_config(cupsd_t) ++lpd_manage_spool(hplip_t) + optional_policy(` seutil_sigchld_newrole(hplip_t) - ') -@@ -666,3 +687,11 @@ - optional_policy(` - udev_read_db(ptal_t) - ') -+ -+ -+# This whole section needs to be moved to a smbspool policy -+# smbspool seems to be iterating through all existing tmp files. 
-+# Looking for kerberos files -+files_getattr_all_tmp_files(cupsd_t) -+userdom_read_unpriv_users_tmp_files(cupsd_t) -+files_dontaudit_getattr_all_tmp_sockets(cupsd_t) +@@ -627,8 +661,7 @@ + kernel_list_proc(ptal_t) + kernel_read_proc_symlinks(ptal_t) + +-corenet_all_recvfrom_unlabeled(ptal_t) +-corenet_all_recvfrom_netlabel(ptal_t) ++corenet_non_ipsec_sendrecv(ptal_t) + corenet_tcp_sendrecv_all_if(ptal_t) + corenet_tcp_sendrecv_all_nodes(ptal_t) + corenet_tcp_sendrecv_all_ports(ptal_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.1/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2007-11-15 13:40:14.000000000 -0500 +++ serefpolicy-3.2.1/policy/modules/services/cvs.te 2007-11-30 11:23:56.000000000 -0500 @@ -7527,7 +7621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.1/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/mta.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/services/mta.te 2007-12-01 07:56:06.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -7545,7 +7639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. mta_base_mail_template(system) role system_r types system_mail_t; -@@ -40,27 +43,38 @@ +@@ -40,27 +43,40 @@ allow system_mail_t self:capability { dac_override }; read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) @@ -7559,6 +7653,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. dev_read_urand(system_mail_t) +fs_rw_anon_inodefs_files(system_mail_t) ++ ++selinux_getattr_fs(system_mail_t) + init_use_script_ptys(system_mail_t) 
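Review bot: `lpd_manage_spool(hplip_t)` replaces the earlier `lpd_read_spool(hplip_t)`, widening hplip from reading the print spool to creating, modifying and deleting it; for a printer helper the reason it must write another domain's spool is not obvious from the hunk. Record the observed denial in a comment above the line, e.g. `# hplip writes <observed file> in the print spool`, with the target taken from the AVC. If only writing existing spool files is needed, a narrower lpd spool interface, if one exists, would be preferable to full manage. This hunk starts on the previous line.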
@@ -7584,7 +7680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -73,6 +87,7 @@ +@@ -73,6 +89,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) @@ -7592,7 +7688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. cron_dontaudit_write_pipes(system_mail_t) ') -@@ -81,6 +96,11 @@ +@@ -81,6 +98,11 @@ ') optional_policy(` @@ -7604,6 +7700,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') +@@ -136,6 +158,14 @@ + ') + + optional_policy(` ++ clamav_stream_connect(sendmail_t) ++') ++ ++optional_policy(` ++ spamd_stream_connect(system_mail_t) ++') ++ ++optional_policy(` + smartmon_read_tmp_files(system_mail_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.1/policy/modules/services/mysql.fc --- nsaserefpolicy/policy/modules/services/mysql.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.1/policy/modules/services/mysql.fc 2007-11-30 11:23:56.000000000 -0500 
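Review bot: In the mta.te hunk at `@@ -136,6 +158,14 @@` the new block calls `clamav_stream_connect(sendmail_t)`, but every other rule in this file targets `system_mail_t`, and `sendmail_t` is declared by the sendmail module rather than mta.te, so the line either fails to build where that type is not required or grants the access to the wrong domain. The sendmail module already receives `clamav_stream_connect(sendmail_t)` in its own .te in the hunk at @@ -10101, which suggests this one was meant to be `clamav_stream_connect(system_mail_t)`, matching the `spamd_stream_connect(system_mail_t)` added directly below it.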
@@ -9268,9 +9379,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd unconfined_shell_domtrans(rshd_t) + unconfined_signal(rshd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.1/policy/modules/services/rsync.fc +--- nsaserefpolicy/policy/modules/services/rsync.fc 2006-11-16 17:15:21.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/services/rsync.fc 2007-12-01 08:07:48.000000000 -0500 +@@ -1,2 +1,4 @@ + + /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) ++ ++/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.1/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/rsync.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/services/rsync.te 2007-12-01 08:08:40.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -9289,7 +9408,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn ##

##
gen_tunable(allow_rsync_anon_write,false) -@@ -41,7 +41,7 @@ +@@ -30,6 +30,9 @@ + type rsync_data_t; + files_type(rsync_data_t) + ++type rsync_log_t; ++logging_log_file(rsync_log_t) ++ + type rsync_tmp_t; + files_tmp_file(rsync_tmp_t) + +@@ -41,7 +44,7 @@ # Local policy # @@ -9298,7 +9427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; allow rsync_t self:tcp_socket create_stream_socket_perms; -@@ -51,7 +51,6 @@ +@@ -51,7 +54,6 @@ # cjp: this should probably only be inetd_child_t rules? # search home and kerberos also. allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; @@ -9306,7 +9435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn #end for identd allow rsync_t rsync_data_t:dir list_dir_perms; -@@ -65,8 +64,6 @@ +@@ -65,8 +67,6 @@ manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t) files_pid_filetrans(rsync_t,rsync_var_run_t,file) @@ -9315,7 +9444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) -@@ -90,6 +87,8 @@ +@@ -90,11 +90,14 @@ files_read_etc_files(rsync_t) files_search_home(rsync_t) @@ -9324,7 +9453,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn libs_use_ld_so(rsync_t) libs_use_shared_libs(rsync_t) -@@ -116,7 +115,6 @@ + logging_send_syslog_msg(rsync_t) +-logging_dontaudit_search_logs(rsync_t) ++manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t) ++logging_log_filetrans(rsync_t,rsync_log_t,file) + + miscfiles_read_localization(rsync_t) + miscfiles_read_public_files(rsync_t) +@@ -116,7 +119,6 @@ ') tunable_policy(`rsync_export_all_ro',` 
@@ -10066,7 +10202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.1/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/sendmail.te 2007-11-30 11:38:03.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/services/sendmail.te 2007-12-01 07:43:47.000000000 -0500 @@ -20,19 +20,22 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -10101,7 +10237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) corenet_tcp_sendrecv_all_if(sendmail_t) -@@ -94,30 +99,33 @@ +@@ -94,30 +99,34 @@ miscfiles_read_certs(sendmail_t) miscfiles_read_localization(sendmail_t) @@ -10133,6 +10269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send optional_policy(` - nis_use_ypbind(sendmail_t) + cyrus_stream_connect(sendmail_t) ++ clamav_stream_connect(sendmail_t) ') optional_policy(` 
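Review bot: `clamav_stream_connect(sendmail_t)` is added inside the optional_policy block that already holds `cyrus_stream_connect(sendmail_t)`; an optional block is dropped as a whole when any type it requires is missing, so on a system without the cyrus module sendmail would silently lose its clamav socket access too. Put it in its own optional_policy block, as the other single-interface blocks in this file do.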
@@ -10141,36 +10278,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -135,6 +143,10 @@ +@@ -135,24 +144,25 @@ ') optional_policy(` + sasl_connect(sendmail_t) +') + ++optional_policy(` ++ spamd_stream_connect(sendmail_t) ++') ++ +optional_policy(` udev_read_db(sendmail_t) ') -@@ -156,3 +168,15 @@ - - dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; - ') dnl end TODO -+ +-ifdef(`TODO',` +-allow sendmail_t etc_mail_t:dir rw_dir_perms; +-allow sendmail_t etc_mail_t:file manage_file_perms; +-# for the start script to run make -C /etc/mail +-allow initrc_t etc_mail_t:dir rw_dir_perms; +-allow initrc_t etc_mail_t:file manage_file_perms; +-allow system_mail_t initrc_t:fd use; +-allow system_mail_t initrc_t:fifo_file write; +- +-# When sendmail runs as user_mail_domain, it needs some extra permissions +-# to update /etc/mail/statistics. +-allow user_mail_domain etc_mail_t:file rw_file_perms; +######################################## +# +# Unconfined sendmail local policy +# Allow unconfined domain to run newalias and have transitions work +# -+ + +-# Silently deny attempts to access /root. 
+-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search }; +optional_policy(` + mta_etc_filetrans_aliases(unconfined_sendmail_t) + unconfined_domain(unconfined_sendmail_t) +') -+ + +-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; +-') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.1/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/setroubleshoot.te 2007-11-30 11:30:59.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/services/setroubleshoot.te 2007-12-02 19:04:59.000000000 -0500 +@@ -27,8 +27,8 @@ + # setroubleshootd local policy + # + +-allow setroubleshootd_t self:capability { dac_override sys_tty_config }; +-allow setroubleshootd_t self:process { signull signal getattr getsched }; ++allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; ++allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; + allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; + allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; + allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -52,7 +52,9 @@ kernel_read_kernel_sysctls(setroubleshootd_t) @@ -10181,6 +10344,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) +@@ -73,7 +75,7 @@ + + files_read_usr_files(setroubleshootd_t) + files_read_etc_files(setroubleshootd_t) +-files_getattr_all_dirs(setroubleshootd_t) ++files_list_all(setroubleshootd_t) + files_getattr_all_files(setroubleshootd_t) + + fs_getattr_all_dirs(setroubleshootd_t) @@ -110,6 +112,7 @@ optional_policy(` dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t) 
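Review bot: The new unconfined sendmail block adds `unconfined_domain(unconfined_sendmail_t)` with the comment "have transitions work", yet neither the declaration of `unconfined_sendmail_t` nor the transition from the unconfined domain on the sendmail executable is visible in this hunk, so the comment points at code a reader cannot find here; if both live in sendmail.if, say so in the comment. In the setroubleshoot part of the same hunk, the new `sys_nice` capability in `allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };` deserves the usual one-line why-comment, while the added `setsched` and `sigkill` are on self only and look harmless. This hunk starts on the previous line.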
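Review bot: `files_list_all(setroubleshootd_t)` replaces `files_getattr_all_dirs(setroubleshootd_t)`, moving the daemon from stat'ing every directory to reading the contents of every directory on the system, including private ones — a notable widening for a service that parses audit messages. If the listing is needed to turn denials into paths, state that on the line, e.g. `# resolves paths for reported denials; needs to list arbitrary dirs`; otherwise keep the getattr interface and add the narrowest files_* listing interface that covers the observed case.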
@@ -10292,7 +10464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.1/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/spamassassin.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/services/spamassassin.if 2007-12-01 07:44:50.000000000 -0500 @@ -38,6 +38,8 @@ gen_require(` type spamc_exec_t, spamassassin_exec_t; @@ -10396,9 +10568,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam kernel_read_kernel_sysctls($1_spamassassin_t) +@@ -528,3 +526,21 @@ + + dontaudit $1 spamd_tmp_t:sock_file getattr; + ') ++ ++######################################## ++## ++## Connect to run spamd. ++## ++## ++## ++## Domain allowed to connect. ++## ++## ++# ++interface(`spamd_stream_connect',` ++ gen_require(` ++ type spamd_t, spamd_var_run_t; ++ ') ++ ++ stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.1/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/spamassassin.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/services/spamassassin.te 2007-12-01 07:44:33.000000000 -0500 @@ -44,6 +44,15 @@ type spamassassin_exec_t; application_executable_file(spamassassin_exec_t) 
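Review bot: The new `spamd_stream_connect` interface's summary reads "Connect to run spamd.", which does not describe what it grants; the body is a `stream_connect_pattern` to `spamd_var_run_t` socket files, so `## Connect to spamd over its unix stream socket.` would be accurate. The pattern relies on the socket being created as `spamd_var_run_t`, which is consistent with the `manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)` added to spamassassin.te in the hunk at @@ -10415; a comment on that line noting it backs the new interface would tie the two together.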
@@ -10415,7 +10609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ######################################## # # Spamassassin daemon local policy -@@ -81,7 +90,7 @@ +@@ -81,10 +90,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -10424,7 +10618,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -@@ -150,10 +159,12 @@ ++manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) + files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) + + kernel_read_all_sysctls(spamd_t) +@@ -150,10 +160,12 @@ userdom_dontaudit_search_sysadm_home_dirs(spamd_t) tunable_policy(`use_nfs_home_dirs',` @@ -11548,7 +11746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-15 16:11:05.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/xserver.te 2007-11-30 13:33:41.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/services/xserver.te 2007-12-01 06:51:49.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -11626,12 +11824,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -132,15 +166,20 @@ +@@ -132,15 +166,21 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_rw_tmpfs_files(xdm_xserver_t) +fs_getattr_all_fs(xdm_t) ++fs_search_inotifyfs(xdm_t) manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) 
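Review bot: `++manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)` lets spamd create its socket, but the `files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })` context line directly below is unchanged, so a socket created straight under `/var/run` rather than inside a `spamd_var_run_t` directory would be labelled `var_run_t`, and the new `spamd_stream_connect` interface, which targets `spamd_var_run_t`, would not match it. If spamd's socket lives directly in `/var/run`, extend the transition to `files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file sock_file })`. Where the socket is created is not visible in this hunk, so confirm against spamd's configured socket path; if it sits under a `spamd_var_run_t` subdirectory, inheritance already covers it and a short comment saying so is enough.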
@@ -11648,7 +11847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -185,6 +224,7 @@ +@@ -185,6 +225,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -11656,7 +11855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -197,6 +237,7 @@ +@@ -197,6 +238,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -11664,7 +11863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -209,8 +250,8 @@ +@@ -209,8 +251,8 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -11675,7 +11874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) -@@ -246,6 +287,7 @@ +@@ -246,6 +288,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -11683,7 +11882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -257,12 +299,11 @@ +@@ -257,12 +300,11 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -11697,7 +11896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -271,6 +312,10 @@ +@@ -271,6 +313,10 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -11708,7 +11907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -306,6 +351,11 @@ +@@ -306,6 +352,11 @@ optional_policy(` consolekit_dbus_chat(xdm_t) @@ -11720,7 +11919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -323,6 +373,10 @@ +@@ -323,6 +374,10 @@ ') optional_policy(` @@ -11731,7 +11930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -336,10 +390,6 @@ +@@ -336,10 +391,6 @@ ') optional_policy(` @@ -11742,7 +11941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -348,8 +398,8 @@ +@@ -348,8 +399,8 @@ ') optional_policy(` @@ -11752,7 +11951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -385,7 +435,7 @@ +@@ -385,7 +436,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -11761,7 +11960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -397,6 +447,15 @@ +@@ -397,6 +448,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -11777,7 +11976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -409,6 +468,7 @@ +@@ -409,6 +469,7 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) 
@@ -11785,7 +11984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_all_users_fonts(xdm_xserver_t) -@@ -425,6 +485,14 @@ +@@ -425,6 +486,14 @@ ') optional_policy(` @@ -11800,7 +11999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -434,47 +502,30 @@ +@@ -434,47 +503,30 @@ ') optional_policy(` @@ -14758,7 +14957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*) gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/userdomain.if 2007-11-30 15:06:10.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/system/userdomain.if 2007-12-01 08:14:44.000000000 -0500 @@ -29,8 +29,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 3a858631..3256b69a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -379,6 +379,7 @@ exit 0 %endif %changelog +* Sun Dec 2 2007 Dan Walsh 3.2.1-2 * Fri Nov 30 2007 Dan Walsh 3.2.1-1 - Remove user based home directory separation