patch from dan Fri, 27 Jan 2006 01:37:19 -0500

refpolicy/policy/modules/admin/rpm.fc

@@ -14,8 +14,10 @@
 
 ifdef(`distro_redhat', `
 /usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pirut			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)

refpolicy/policy/modules/admin/rpm.if

@@ -71,6 +71,7 @@ interface(`rpm_run',`
 	rpm_domtrans($1)
 	role $2 types rpm_t;
 	role $2 types rpm_script_t;
+	seutil_run_loadpol(rpm_script_t,$2,$3)
 	allow rpm_t $3:chr_file rw_term_perms;
 ')
 

refpolicy/policy/modules/admin/rpm.te

@@ -1,5 +1,5 @@
 
-policy_module(rpm,1.2.0)
+policy_module(rpm,1.2.1)
 
 ########################################
 #
@@ -288,6 +288,7 @@ storage_raw_write_fixed_disk(rpm_script_t)
 
 term_getattr_unallocated_ttys(rpm_script_t)
 term_list_ptys(rpm_script_t)
+term_use_all_terms(rpm_script_t)
 
 auth_dontaudit_getattr_shadow(rpm_script_t)
 # ideally we would not need this

refpolicy/policy/modules/apps/mono.te

@@ -1,5 +1,5 @@
 
-policy_module(mono,1.0.0)
+policy_module(mono,1.0.1)
 
 ########################################
 #
@@ -18,7 +18,7 @@ domain_entry_file(mono_t,mono_exec_t)
 #
 
 ifdef(`targeted_policy',`
-	allow mono_t self:process execheap;
+	allow mono_t self:process { execheap execmem };
 	unconfined_domain_template(mono_t)
 	role system_r types mono_t;
 ')

refpolicy/policy/modules/kernel/files.fc

@@ -125,6 +125,11 @@ HOME_ROOT/lost\+found/.*		<<none>>
 /mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
 /mnt/[^/]*/.*			<<none>>
 
+#
+# /net
+#
+/net			-d	gen_context(system_u:object_r:mnt_t,s0)
+
 #
 # /opt
 #

refpolicy/policy/modules/kernel/files.if

@@ -321,7 +321,7 @@ interface(`files_list_non_security',`
 		attribute file_type, security_file_type;
 	')
 
-	dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
+	allow $1 { file_type -security_file_type }:dir r_dir_perms;
 ')
 
 ########################################

refpolicy/policy/modules/kernel/filesystem.if

@@ -969,6 +969,22 @@ interface(`fs_read_eventpollfs',`
 	allow $1 eventpollfs_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Search inotifyfs filesystem. 
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_search_inotifyfs',`
+	gen_require(`
+		type inotifyfs_t;
+	')
+
+	allow $1 inotifyfs_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Mount an iso9660 filesystem, which

refpolicy/policy/modules/kernel/storage.fc

@@ -42,8 +42,8 @@ ifdef(`distro_redhat', `
 /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
 /dev/ub[a-z]		-b	gen_context(system_u:object_r:removable_device_t,s15:c0.c255)
-
 /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+/dev/xvd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 
 /dev/ataraid/.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
 

refpolicy/policy/modules/services/cups.te

@@ -1,5 +1,5 @@
 
-policy_module(cups,1.2.0)
+policy_module(cups,1.2.1)
 
 ########################################
 #
@@ -148,6 +148,7 @@ fs_getattr_all_fs(cupsd_t)
 fs_search_auto_mountpoints(cupsd_t)
 
 term_dontaudit_use_console(cupsd_t)
+term_write_unallocated_ttys(cupsd_t)
 
 auth_domtrans_chk_passwd(cupsd_t)
 auth_dontaudit_read_pam_pid(cupsd_t)

refpolicy/policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.2.1)
+policy_module(hal,1.2.2)
 
 ########################################
 #
@@ -116,6 +116,8 @@ term_dontaudit_use_unallocated_tty(hald_t)
 init_use_fd(hald_t)
 init_use_script_pty(hald_t)
 init_domtrans_script(hald_t)
+init_write_initctl(hald_t)
+init_read_utmp(hald_t)
 
 libs_use_ld_so(hald_t)
 libs_use_shared_libs(hald_t)

refpolicy/policy/modules/system/locallogin.te

@@ -1,5 +1,5 @@
 
-policy_module(locallogin,1.1.1)
+policy_module(locallogin,1.1.2)
 
 ########################################
 #
@@ -239,6 +239,7 @@ allow sulogin_t self:msg { send receive };
 kernel_read_system_state(sulogin_t)
 
 fs_search_auto_mountpoints(sulogin_t)
+fs_use_tmpfs_chr_dev(sulogin_t)
 
 files_read_etc_files(sulogin_t)
 # because file systems are not mounted:

refpolicy/policy/modules/system/modutils.te

@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.0.0)
+policy_module(modutils,1.0.1)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -113,6 +113,8 @@ logging_search_logs(insmod_t)
 
 miscfiles_read_localization(insmod_t)
 
+seutil_read_file_contexts(insmod_t)
+
 if( ! secure_mode_insmod ) {
 	kernel_domtrans_to(insmod_t,insmod_exec_t)
 }

refpolicy/policy/modules/system/selinuxutil.te

@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.1.1)
+policy_module(selinuxutil,1.1.2)
 
 gen_require(`
 	bool secure_mode;
@@ -414,7 +414,7 @@ ifdef(`targeted_policy',`',`
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
 	allow run_init_t self:fifo_file rw_file_perms;
-	allow run_init_t self:netlink_audit_socket { create bind write nlmsg_read read };
+	allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 	# often the administrator runs such programs from a directory that is owned
 	# by a different user or has restrictive SE permissions, do not want to audit

refpolicy/policy/modules/system/udev.te

@@ -1,5 +1,5 @@
 
-policy_module(udev,1.2.0)
+policy_module(udev,1.2.1)
 
 ########################################
 #
@@ -90,6 +90,7 @@ dev_rw_generic_file(udev_t)
 dev_delete_generic_file(udev_t)
 
 fs_getattr_all_fs(udev_t)
+fs_search_inotifyfs(udev_t)
 
 selinux_get_fs_mount(udev_t)
 selinux_validate_context(udev_t)

refpolicy/policy/modules/system/unconfined.if

@@ -54,8 +54,13 @@ template(`unconfined_domain_template',`
 	tunable_policy(`allow_execmem && allow_execstack',`
 		# Allow making the stack executable via mprotect.
 		allow $1 self:process execstack;
+	', `
+		# These are fairly common but seem to be harmless
+		# caused by using shared libraries built with old tool chains
+		dontaudit $1 self:process execstack;
 	')
 
+
 	optional_policy(`authlogin',`
 		auth_unconfined($1)
 	')

refpolicy/policy/modules/system/unconfined.te

@@ -1,5 +1,5 @@
 
-policy_module(unconfined,1.2.1)
+policy_module(unconfined,1.2.2)
 
 ########################################
 #

refpolicy/policy/modules/system/userdomain.if

@@ -848,9 +848,6 @@ template(`admin_user_template',`
 	fs_set_all_quotas($1_t)
 	fs_exec_noxattr($1_t)
 
-	selinux_set_enforce_mode($1_t)
-	selinux_set_boolean($1_t)
-	selinux_set_parameters($1_t)
 	# Get security policy decisions:
 	selinux_get_fs_mount($1_t)
 	selinux_validate_context($1_t)

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.2.4)
+policy_module(userdomain,1.2.5)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -156,14 +156,21 @@ ifdef(`targeted_policy',`
 
 	mls_process_read_up(sysadm_t)
 
-	logging_read_audit_log(sysadm_t)
-
 	ifdef(`direct_sysadm_daemon',`
 		optional_policy(`init',`
 			init_run_daemon(sysadm_t,sysadm_r,admin_terminal)
 		')
 	')
 
+	ifdef(`enable_mls',`
+		logging_read_audit_log(secadm_t)
+		logging_domtrans_auditctl(secadm_t)
+		mls_process_read_up(secadm_t)
+	', `
+		logging_domtrans_auditctl(sysadm_t)
+		logging_read_audit_log(sysadm_t)
+	')
+
 	tunable_policy(`allow_ptrace',`
 		domain_ptrace_all_domains(sysadm_t)
 	')
@@ -205,12 +212,20 @@ ifdef(`targeted_policy',`
 
 	optional_policy(`consoletype',`
 		consoletype_exec(sysadm_t)
+
+		ifdef(`enable_mls',`
+			consoletype_exec(secadm_t)
+		')
 	')
 
 	optional_policy(`ddcprobe',`
 		ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`dmesg',`
+		dmesg_exec(sysadm_t)
+	')
+
 	optional_policy(`dmidecode',`
 		dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
 	')
@@ -320,13 +335,27 @@ ifdef(`targeted_policy',`
 	')
 
 	optional_policy(`selinuxutil',`
-		seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
-		seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
 		seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
-		seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
+		seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
 
-		ifdef(`targeted_policy',`',`
+		ifdef(`enable_mls',`
-			seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+			selinux_set_enforce_mode(secadm_t)
+			selinux_set_boolean(secadm_t)
+			selinux_set_parameters(secadm_t)
+
+			seutil_manage_binary_pol(secadm_t)
+			seutil_run_checkpol(secadm_t,secadm_r,admin_terminal)
+			seutil_run_loadpol(secadm_t,secadm_r,admin_terminal)
+			seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
+		', `
+			selinux_set_enforce_mode(sysadm_t)
+			selinux_set_boolean(sysadm_t)
+			selinux_set_parameters(sysadm_t)
+
+			seutil_manage_binary_pol(sysadm_t)
+			seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
+			seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
+			seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
 		')
 	')