- Update to upstream

This commit is contained in:
Daniel J Walsh 2010-01-08 22:03:53 +00:00
parent 352dafd046
commit 468fe0b647
3 changed files with 174 additions and 37 deletions


@ -196,3 +196,4 @@ serefpolicy-3.7.2.tgz
serefpolicy-3.7.3.tgz serefpolicy-3.7.3.tgz
serefpolicy-3.7.4.tgz serefpolicy-3.7.4.tgz
serefpolicy-3.7.5.tgz serefpolicy-3.7.5.tgz
serefpolicy-3.7.6.tgz


@ -437,7 +437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
') ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.6/policy/modules/admin/prelink.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.6/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500 --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/admin/prelink.te 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/admin/prelink.te 2010-01-08 12:08:33.000000000 -0500
@@ -21,8 +21,21 @@ @@ -21,8 +21,21 @@
type prelink_tmp_t; type prelink_tmp_t;
files_tmp_file(prelink_tmp_t) files_tmp_file(prelink_tmp_t)
@ -501,7 +501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
optional_policy(` optional_policy(`
amanda_manage_lib(prelink_t) amanda_manage_lib(prelink_t)
@@ -99,5 +117,57 @@ @@ -99,5 +117,58 @@
') ')
optional_policy(` optional_policy(`
@ -524,6 +524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
+allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt }; +allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
+ +
+domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) +domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
+allow prelink_cron_system_t prelink_t:process noatsecure;
+ +
+read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) +read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
+allow prelink_cron_system_t prelink_cache_t:file unlink; +allow prelink_cron_system_t prelink_cache_t:file unlink;
@ -5985,7 +5986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.6/policy/modules/kernel/devices.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.6/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500 --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/kernel/devices.fc 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/kernel/devices.fc 2010-01-08 15:36:31.000000000 -0500
@@ -16,13 +16,16 @@ @@ -16,13 +16,16 @@
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
@ -6011,9 +6012,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', ` ifdef(`distro_suse', `
@@ -159,6 +163,8 @@
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
+
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.6/policy/modules/kernel/devices.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.6/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500 --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/kernel/devices.if 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/kernel/devices.if 2010-01-08 15:36:31.000000000 -0500
@@ -801,6 +801,24 @@ @@ -801,6 +801,24 @@
######################################## ########################################
@ -6114,10 +6124,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem. ## Mount a usbfs filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3703,6 +3775,24 @@
getattr_chr_files_pattern($1, device_t, v4l_device_t)
')
+######################################
+## <summary>
+## Read or write userio device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_userio_dev',`
+ gen_require(`
+ type device_t, userio_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
########################################
## <summary>
## Do not audit attempts to get the attributes
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.6/policy/modules/kernel/devices.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.6/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-12-18 11:38:25.000000000 -0500 --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-12-18 11:38:25.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/kernel/devices.te 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/kernel/devices.te 2010-01-08 15:36:31.000000000 -0500
@@ -227,6 +227,12 @@ @@ -227,11 +227,23 @@
genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0) genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
# #
@ -6130,6 +6165,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+ # usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
# #
type usb_device_t; type usb_device_t;
dev_node(usb_device_t)
+#
+# userio_device_t is the type for /dev/uio[0-9]+
+#
+type userio_device_t;
+dev_node(userio_device_t)
+
type v4l_device_t;
dev_node(v4l_device_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.6/policy/modules/kernel/domain.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.6/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.6/policy/modules/kernel/domain.if 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/kernel/domain.if 2010-01-07 15:28:30.000000000 -0500
@ -10009,7 +10055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## All of the rules required to administrate ## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.6/policy/modules/services/abrt.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.6/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
+++ serefpolicy-3.7.6/policy/modules/services/abrt.te 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/services/abrt.te 2010-01-08 08:37:25.000000000 -0500
@@ -33,12 +33,24 @@ @@ -33,12 +33,24 @@
type abrt_var_run_t; type abrt_var_run_t;
files_pid_file(abrt_var_run_t) files_pid_file(abrt_var_run_t)
@ -10057,7 +10103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
kernel_read_ring_buffer(abrt_t) kernel_read_ring_buffer(abrt_t)
@@ -75,18 +90,36 @@ @@ -75,18 +90,37 @@
corecmd_exec_bin(abrt_t) corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t) corecmd_exec_shell(abrt_t)
@ -10067,6 +10113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+corenet_tcp_connect_ftp_port(abrt_t) +corenet_tcp_connect_ftp_port(abrt_t)
+corenet_tcp_connect_all_ports(abrt_t) +corenet_tcp_connect_all_ports(abrt_t)
+dev_getattr_all_chr_files(abrt_t)
dev_read_urand(abrt_t) dev_read_urand(abrt_t)
+dev_rw_sysfs(abrt_t) +dev_rw_sysfs(abrt_t)
+dev_dontaudit_read_memory_dev(abrt_t) +dev_dontaudit_read_memory_dev(abrt_t)
@ -10094,7 +10141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
sysnet_read_config(abrt_t) sysnet_read_config(abrt_t)
@@ -96,22 +129,93 @@ @@ -96,22 +130,93 @@
miscfiles_read_certs(abrt_t) miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t) miscfiles_read_localization(abrt_t)
@ -14695,7 +14742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.6/policy/modules/services/cups.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.6/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.6/policy/modules/services/cups.te 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/services/cups.te 2010-01-08 11:58:33.000000000 -0500
@@ -23,6 +23,9 @@ @@ -23,6 +23,9 @@
type cupsd_initrc_exec_t; type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t) init_script_file(cupsd_initrc_exec_t)
@ -14870,7 +14917,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
######################################## ########################################
# #
# Cups lpd support # Cups lpd support
@@ -542,6 +576,8 @@ @@ -520,6 +554,7 @@
logging_send_syslog_msg(cupsd_lpd_t)
miscfiles_read_localization(cupsd_lpd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
cups_stream_connect(cupsd_lpd_t)
@@ -542,6 +577,8 @@
manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
@ -14879,7 +14934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
kernel_read_system_state(cups_pdf_t) kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t) files_read_etc_files(cups_pdf_t)
@@ -556,11 +592,15 @@ @@ -556,11 +593,15 @@
miscfiles_read_fonts(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t)
@ -14895,7 +14950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(cups_pdf_t) fs_manage_nfs_dirs(cups_pdf_t)
@@ -601,6 +641,9 @@ @@ -601,6 +642,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t) files_search_etc(hplip_t)
@ -14905,7 +14960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
@@ -627,6 +670,7 @@ @@ -627,6 +671,7 @@
corenet_tcp_connect_ipp_port(hplip_t) corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t)
@ -15365,7 +15420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
## </summary> ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.6/policy/modules/services/devicekit.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.6/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.6/policy/modules/services/devicekit.te 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/services/devicekit.te 2010-01-08 09:11:11.000000000 -0500
@@ -42,6 +42,8 @@ @@ -42,6 +42,8 @@
files_read_etc_files(devicekit_t) files_read_etc_files(devicekit_t)
@ -15380,7 +15435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
# #
-allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; -allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:process signal_perms; +allow devicekit_disk_t self:process signal_perms;
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; +allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
@ -15832,7 +15887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
') ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.6/policy/modules/services/fail2ban.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.6/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.6/policy/modules/services/fail2ban.if 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/services/fail2ban.if 2010-01-08 09:57:24.000000000 -0500
@@ -98,6 +98,46 @@ @@ -98,6 +98,46 @@
allow $1 fail2ban_var_run_t:file read_file_perms; allow $1 fail2ban_var_run_t:file read_file_perms;
') ')
@ -15880,6 +15935,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
######################################## ########################################
## <summary> ## <summary>
## All of the rules required to administrate ## All of the rules required to administrate
@@ -135,3 +175,21 @@
files_list_pids($1)
admin_pattern($1, fail2ban_var_run_t)
')
+
+########################################
+## <summary>
+## Read and write to an fail2ban unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.6/policy/modules/services/fetchmail.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.6/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-01-07 14:53:53.000000000 -0500 --- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-01-07 14:53:53.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/services/fetchmail.te 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/services/fetchmail.te 2010-01-07 15:28:30.000000000 -0500
@ -23415,7 +23492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.6/policy/modules/services/sendmail.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.6/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/services/sendmail.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.6/policy/modules/services/sendmail.if 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/services/sendmail.if 2010-01-08 09:57:13.000000000 -0500
@@ -59,20 +59,20 @@ @@ -59,20 +59,20 @@
######################################## ########################################
@ -23590,7 +23667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.6/policy/modules/services/sendmail.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.6/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-08-14 16:14:31.000000000 -0400 --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.6/policy/modules/services/sendmail.te 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/services/sendmail.te 2010-01-08 09:55:32.000000000 -0500
@@ -20,13 +20,17 @@ @@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t) mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t) mta_mailserver_sender(sendmail_t)
@ -23650,7 +23727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
auth_use_nsswitch(sendmail_t) auth_use_nsswitch(sendmail_t)
@@ -89,23 +100,46 @@ @@ -89,23 +100,47 @@
libs_read_lib_files(sendmail_t) libs_read_lib_files(sendmail_t)
logging_send_syslog_msg(sendmail_t) logging_send_syslog_msg(sendmail_t)
@ -23692,6 +23769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ +
+optional_policy(` +optional_policy(`
+ fail2ban_read_lib_files(sendmail_t) + fail2ban_read_lib_files(sendmail_t)
+ fail2ban_rw_stream_sockets(sendmail_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -23699,7 +23777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
') ')
optional_policy(` optional_policy(`
@@ -113,13 +147,20 @@ @@ -113,13 +148,20 @@
') ')
optional_policy(` optional_policy(`
@ -23721,7 +23799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
') ')
optional_policy(` optional_policy(`
@@ -127,24 +168,29 @@ @@ -127,24 +169,29 @@
') ')
optional_policy(` optional_policy(`
@ -29582,11 +29660,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
udev_read_db(iptables_t) udev_read_db(iptables_t)
') ')
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.6/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.6/policy/modules/system/iscsi.fc 2010-01-08 15:36:31.000000000 -0500
@@ -1,4 +1,6 @@
-/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+
+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.6/policy/modules/system/iscsi.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.6/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500 --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/system/iscsi.te 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/system/iscsi.te 2010-01-08 15:37:25.000000000 -0500
@@ -69,11 +69,18 @@ @@ -35,10 +35,13 @@
allow iscsid_t self:unix_dgram_socket create_socket_perms;
allow iscsid_t self:sem create_sem_perms;
allow iscsid_t self:shm create_shm_perms;
-allow iscsid_t self:netlink_socket create_socket_perms;
+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
+allow iscsid_t self:netlink_socket create_socket_perms;
allow iscsid_t self:tcp_socket create_stream_socket_perms;
+can_exec(iscsid_t, iscsid_exec_t)
+
manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
@@ -54,6 +57,7 @@
manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+kernel_read_network_state(iscsid_t)
kernel_read_system_state(iscsid_t)
kernel_search_debugfs(iscsid_t)
@@ -67,13 +71,21 @@
corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t) dev_rw_sysfs(iscsid_t)
+dev_rw_userio_dev(iscsid_t)
domain_use_interactive_fds(iscsid_t) domain_use_interactive_fds(iscsid_t)
+domain_dontaudit_read_all_domains_state(iscsid_t) +domain_dontaudit_read_all_domains_state(iscsid_t)
@ -29606,7 +29721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.6/policy/modules/system/libraries.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.6/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.6/policy/modules/system/libraries.fc 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/system/libraries.fc 2010-01-08 09:16:04.000000000 -0500
@@ -60,12 +60,15 @@ @@ -60,12 +60,15 @@
# #
# /opt # /opt
@ -29823,7 +29938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
') dnl end distro_redhat ') dnl end distro_redhat
# #
@@ -307,10 +317,131 @@ @@ -307,10 +317,132 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
@ -29936,6 +30051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+ +
+/usr/lib(64)?/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ +
+/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30385,7 +30501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.6/policy/modules/system/miscfiles.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.6/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500 --- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.6/policy/modules/system/miscfiles.if 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/system/miscfiles.if 2010-01-08 11:59:54.000000000 -0500
@@ -73,7 +73,8 @@ @@ -73,7 +73,8 @@
# #
interface(`miscfiles_read_fonts',` interface(`miscfiles_read_fonts',`
@ -30407,7 +30523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
') ')
######################################## ########################################
@@ -167,6 +172,32 @@ @@ -167,6 +172,51 @@
manage_dirs_pattern($1, fonts_t, fonts_t) manage_dirs_pattern($1, fonts_t, fonts_t)
manage_files_pattern($1, fonts_t, fonts_t) manage_files_pattern($1, fonts_t, fonts_t)
manage_lnk_files_pattern($1, fonts_t, fonts_t) manage_lnk_files_pattern($1, fonts_t, fonts_t)
@ -30416,6 +30532,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Set the attributes on a fonts cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_setattr_fonts_cache_dirs',`
+ gen_require(`
+ type fonts_cache_t;
+ ')
+
+ allow $1 fonts_cache_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete fonts cache. +## Create, read, write, and delete fonts cache.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
@ -30427,7 +30562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
+# +#
+interface(`miscfiles_manage_fonts_cache',` +interface(`miscfiles_manage_fonts_cache',`
+ gen_require(` + gen_require(`
+ type fonts_t; + type fonts_cache_t;
+ ') + ')
+ +
+ # cjp: fonts can be in either of these dirs + # cjp: fonts can be in either of these dirs
@ -32190,7 +32325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-') -')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.6/policy/modules/system/unconfined.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.6/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.6/policy/modules/system/unconfined.if 2010-01-07 15:28:30.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/system/unconfined.if 2010-01-08 10:06:25.000000000 -0500
@@ -12,14 +12,13 @@ @@ -12,14 +12,13 @@
# #
interface(`unconfined_domain_noaudit',` interface(`unconfined_domain_noaudit',`
@ -32207,7 +32342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
allow $1 self:fifo_file manage_fifo_file_perms; allow $1 self:fifo_file manage_fifo_file_perms;
# Transition to myself, to make get_ordered_context_list happy. # Transition to myself, to make get_ordered_context_list happy.
@@ -27,12 +26,13 @@ @@ -27,12 +26,14 @@
# Write access is for setting attributes under /proc/self/attr. # Write access is for setting attributes under /proc/self/attr.
allow $1 self:file rw_file_perms; allow $1 self:file rw_file_perms;
@ -32222,10 +32357,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+ allow $1 self:dbus all_dbus_perms; + allow $1 self:dbus all_dbus_perms;
+ allow $1 self:passwd all_passwd_perms; + allow $1 self:passwd all_passwd_perms;
+ allow $1 self:association all_association_perms; + allow $1 self:association all_association_perms;
+ allow $1 self:socket_class_set create_socket_perms;
kernel_unconfined($1) kernel_unconfined($1)
corenet_unconfined($1) corenet_unconfined($1)
@@ -44,6 +44,16 @@ @@ -44,6 +45,16 @@
fs_unconfined($1) fs_unconfined($1)
selinux_unconfined($1) selinux_unconfined($1)
@ -32242,7 +32378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
tunable_policy(`allow_execheap',` tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect. # Allow making the stack executable via mprotect.
allow $1 self:process execheap; allow $1 self:process execheap;
@@ -57,8 +67,8 @@ @@ -57,8 +68,8 @@
tunable_policy(`allow_execstack',` tunable_policy(`allow_execstack',`
# Allow making the stack executable via mprotect; # Allow making the stack executable via mprotect;
@ -32253,7 +32389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
# auditallow $1 self:process execstack; # auditallow $1 self:process execstack;
') ')
@@ -69,6 +79,7 @@ @@ -69,6 +80,7 @@
optional_policy(` optional_policy(`
# Communicate via dbusd. # Communicate via dbusd.
dbus_system_bus_unconfined($1) dbus_system_bus_unconfined($1)
@ -32261,7 +32397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
optional_policy(` optional_policy(`
@@ -111,16 +122,16 @@ @@ -111,16 +123,16 @@
## </param> ## </param>
# #
interface(`unconfined_domain',` interface(`unconfined_domain',`
@ -32282,7 +32418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
######################################## ########################################
@@ -173,411 +184,3 @@ @@ -173,411 +185,3 @@
refpolicywarn(`$0($1) has been deprecated.') refpolicywarn(`$0($1) has been deprecated.')
') ')
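Review bot: The new `allow prelink_cron_system_t prelink_t:process noatsecure;` in the prelink.te hunk, placed right after `domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)`, turns off AT_SECURE for that domain transition, so the dynamic loader will honour LD_PRELOAD, LD_LIBRARY_PATH and similar variables inherited from the cron job's environment instead of dropping them as it normally does on a transition. Nothing in the hunk records why the transition needs this; if it is only so the cron script's environment reaches prelink, that deserves a comment, and it is worth confirming the cron wrapper runs with a sanitized environment rather than relying on the loader to strip it. I would add above the rule: `# noatsecure: let the cron job's environment (including LD_*) survive the transition to prelink_t -- confirm this is actually required and not a leftover`. The devicekit.te hunk in the same patch also widens devicekit_disk_t to `sys_admin` without any justification, which merits a one-line comment as well. Both hunks cut through their enclosing policy blocks, whose remaining lines are outside what is shown here.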


@ -1,2 +1,2 @@
3651679c4b12a31d2ba5f4305bba5540 config.tgz 3651679c4b12a31d2ba5f4305bba5540 config.tgz
d3b12775aaeafb96c96a6a74e85e96ba serefpolicy-3.7.5.tgz 0e56f0205d64ac083d61ec1d15873df7 serefpolicy-3.7.6.tgz