diff --git a/policy-20071130.patch b/policy-20071130.patch index 4ebe095a..8532bd88 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -4561,7 +4561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-29 13:29:34.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2008-01-14 13:32:12.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in 2008-01-16 16:09:12.000000000 -0500 @@ -82,6 +82,7 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) @@ -6549,7 +6549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.5/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/consolekit.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/consolekit.te 2008-01-16 16:21:23.000000000 -0500 @@ -36,6 +36,7 @@ domain_read_all_domains_state(consolekit_t) @@ -6575,7 +6575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons optional_policy(` dbus_system_bus_client_template(consolekit, consolekit_t) dbus_connect_system_bus(consolekit_t) -@@ -67,3 +76,8 @@ +@@ -67,3 +76,13 @@ xserver_read_all_users_xauth(consolekit_t) xserver_stream_connect_xdm_xserver(consolekit_t) ') @@ -6583,6 +6583,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +optional_policy(` + #reading .Xauthity + unconfined_ptrace(consolekit_t) ++ unconfined_stream_connect(consolekit_t) ++') ++ ++optional_policy(` ++ userdom_read_user_tmp_files(consolekit_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.5/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500 @@ -9158,7 +9163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-11 14:28:19.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-16 06:23:08.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -9237,7 +9242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') -@@ -136,11 +158,30 @@ +@@ -136,11 +158,33 @@ ') optional_policy(` @@ -9253,6 +9258,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') -# should break this up among sections: ++init_stream_connect_script(mailserver_delivery) ++init_rw_script_stream_sockets(mailserver_delivery) ++ +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mailserver_delivery) + fs_manage_cifs_files(mailserver_delivery) @@ -9269,7 +9277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -@@ -154,3 +195,4 @@ +@@ -154,3 +198,4 @@ cron_read_system_job_tmp_files(mta_user_agent) ') ') @@ -9289,8 +9297,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/munin.te 2007-12-31 06:15:20.000000000 -0500 -@@ -37,14 +37,18 @@ ++++ serefpolicy-3.2.5/policy/modules/services/munin.te 2008-01-16 16:05:13.000000000 -0500 +@@ -30,21 +30,25 @@ + # Local policy + # + +-allow munin_t self:capability { setgid setuid }; ++allow munin_t self:capability { dac_override setgid setuid }; + dontaudit munin_t self:capability sys_tty_config; + allow munin_t self:process { getsched setsched signal_perms }; + allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; allow munin_t self:tcp_socket create_stream_socket_perms; allow munin_t self:udp_socket create_socket_perms; @@ -10813,7 +10829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-08 11:05:41.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-16 15:49:34.000000000 -0500 @@ -102,6 +102,10 @@ ') @@ -10825,7 +10841,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc munin_dontaudit_search_lib(procmail_t) ') -@@ -129,7 +133,9 @@ +@@ -116,6 +120,7 @@ + + optional_policy(` + pyzor_domtrans(procmail_t) ++ pyzor_signal(procmail_t) + ') + + optional_policy(` +@@ -129,7 +134,9 @@ corenet_udp_bind_generic_port(procmail_t) corenet_dontaudit_udp_bind_all_ports(procmail_t) @@ -10851,7 +10875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.5/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/pyzor.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/pyzor.if 2008-01-16 15:43:01.000000000 -0500 @@ -25,16 +25,18 @@ # template(`pyzor_per_role_template',` @@ -14931,7 +14955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.5/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/system/init.if 2007-12-20 08:48:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/init.if 2008-01-16 06:20:54.000000000 -0500 @@ -211,6 +211,13 @@ kernel_dontaudit_use_fds($1) ') @@ -15408,7 +15432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2008-01-14 12:58:45.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2008-01-16 15:54:07.000000000 -0500 @@ -133,6 +133,7 @@ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -15417,7 +15441,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -183,6 +184,7 @@ +@@ -165,6 +166,7 @@ + # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php + /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -183,6 +185,7 @@ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -15425,7 +15457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -242,7 +244,7 @@ +@@ -242,7 +245,7 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -15434,7 +15466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -292,6 +294,8 @@ +@@ -292,6 +295,8 @@ # # /var # @@ -15443,11 +15475,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -304,3 +308,4 @@ +@@ -304,3 +309,5 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) + ++/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.5/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/libraries.te 2008-01-02 15:02:58.000000000 -0500 @@ -16013,7 +16046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/mount.te 2008-01-14 10:34:15.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/mount.te 2008-01-16 10:54:21.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -16092,7 +16125,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. auth_use_nsswitch(mount_t) -@@ -161,6 +168,8 @@ +@@ -119,6 +126,7 @@ + seutil_read_config(mount_t) + + userdom_use_all_users_fds(mount_t) ++userdom_read_sysadm_home_content_files(mount_t) + + ifdef(`distro_redhat',` + optional_policy(` +@@ -161,6 +169,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -16101,7 +16142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -175,6 +184,11 @@ +@@ -175,6 +185,11 @@ ') ') @@ -16113,7 +16154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -182,6 +196,7 @@ +@@ -182,6 +197,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -16121,7 +16162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -192,4 +207,26 @@ +@@ -192,4 +208,26 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -16992,7 +17033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.5/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/unconfined.fc 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/unconfined.fc 2008-01-17 08:46:28.000000000 -0500 @@ -10,7 +10,11 @@ /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) @@ -17274,7 +17315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-11 15:57:35.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/unconfined.te 2008-01-17 08:47:06.000000000 -0500 @@ -9,32 +9,48 @@ # usage in this module of types created by these # calls is not correct, however we dont currently @@ -17489,7 +17530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +238,32 @@ +@@ -219,14 +238,34 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -17527,6 +17568,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +allow unconfined_notrans_t self:process { execstack execmem }; +unconfined_domain_noaudit(unconfined_notrans_t) +domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) ++# Allow SELinux aware applications to request rpm_script execution ++rpm_transition_script(unconfined_notrans_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.5/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/userdomain.fc 2007-12-19 05:38:09.000000000 -0500 @@ -17542,7 +17585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-15 11:58:29.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-16 16:19:31.000000000 -0500 @@ -29,8 +29,9 @@ ')