From 5e44eb86576de4c96b4d484a9827b6ad5dcc5596 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sat, 14 Nov 2009 05:18:01 +0000 Subject: [PATCH] - Update to upstream --- .cvsignore | 1 + nsadiff | 2 +- policy-F12.patch => policy-F13.patch | 8272 ++++++++++++++++++++------ selinux-policy.spec | 9 +- sources | 2 +- 5 files changed, 6477 insertions(+), 1809 deletions(-) rename policy-F12.patch => policy-F13.patch (79%) diff --git a/.cvsignore b/.cvsignore index ec10d57c..88b45151 100644 --- a/.cvsignore +++ b/.cvsignore @@ -190,3 +190,4 @@ serefpolicy-3.6.29.tgz serefpolicy-3.6.30.tgz serefpolicy-3.6.31.tgz serefpolicy-3.6.32.tgz +serefpolicy-3.6.33.tgz diff --git a/nsadiff b/nsadiff index 294aa387..3fe694eb 100755 --- a/nsadiff +++ b/nsadiff @@ -1 +1 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.6.32 > /tmp/diff +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.6.33 > /tmp/diff diff --git a/policy-F12.patch b/policy-F13.patch similarity index 79% rename from policy-F12.patch rename to policy-F13.patch index 257543d1..8a5d85b6 100644 --- a/policy-F12.patch +++ b/policy-F13.patch @@ -1,6 +1,6 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.32/Makefile +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.33/Makefile --- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.6.32/Makefile 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/Makefile 2009-11-12 14:26:53.000000000 -0500 @@ -244,7 +244,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) 
@@ -10,10 +10,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.32/policy/flask/access_vectors ---- nsaserefpolicy/policy/flask/access_vectors 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/flask/access_vectors 2009-09-18 16:41:29.000000000 -0400 -@@ -349,6 +349,7 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.33/policy/flask/access_vectors +--- nsaserefpolicy/policy/flask/access_vectors 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.6.33/policy/flask/access_vectors 2009-11-12 14:26:53.000000000 -0500 +@@ -376,6 +376,7 @@ syslog_read syslog_mod syslog_console @@ -21,9 +21,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol } # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.32/policy/global_tunables +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.33/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/global_tunables 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/global_tunables 2009-11-12 14:26:53.000000000 -0500 @@ -61,15 +61,6 @@ ## 
@@ -59,45 +59,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(mmap_low_allowed, false) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.32/policy/mcs ---- nsaserefpolicy/policy/mcs 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/mcs 2009-09-16 10:03:08.000000000 -0400 -@@ -66,8 +66,8 @@ - # - # Note that getattr on files is always permitted. - # --mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } -- ( h1 dom h2 ); -+mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom } -+ (( h1 dom h2 ) or ( t1 == mlsfilewrite )); +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.6.33/policy/modules/admin/alsa.te +--- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/alsa.te 2009-11-12 15:17:26.000000000 -0500 +@@ -51,6 +51,8 @@ + files_read_etc_files(alsa_t) + files_read_usr_files(alsa_t) - mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl } - (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread )); -@@ -75,7 +75,7 @@ - # New filesystem object labels must be dominated by the relabeling subject - # clearance, also the objects are single-level. - mlsconstrain file { create relabelto } -- (( h1 dom h2 ) and ( l2 eq h2 )); -+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite )); ++term_dontaudit_use_console(alsa_t) ++ + auth_use_nsswitch(alsa_t) - # At this time we do not restrict "ps" type operations via MCS. This - # will probably change in future. 
-@@ -84,10 +84,10 @@ - - # new file labels must be dominated by the relabeling subject clearance - mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } -- ( h1 dom h2 ); -+ (( h1 dom h2 ) or ( t1 == mlsfilewrite )); - - mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } -- (( h1 dom h2 ) and ( l2 eq h2 )); -+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 == mlsfilewrite )); - - mlsconstrain process { transition dyntransition } - (( h1 dom h2 ) or ( t1 == mcssetcats )); -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.32/policy/modules/admin/anaconda.te + init_use_fds(alsa_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.33/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/anaconda.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/anaconda.te 2009-11-12 14:26:53.000000000 -0500 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) @@ -115,9 +91,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.6.32/policy/modules/admin/brctl.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.6.33/policy/modules/admin/brctl.te --- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/brctl.te 2009-09-21 08:25:17.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/brctl.te 2009-11-12 14:26:53.000000000 -0500 
@@ -21,7 +21,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms; allow brctl_t self:tcp_socket create_socket_perms; @@ -127,9 +103,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_network_state(brctl_t) kernel_read_sysctl(brctl_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.32/policy/modules/admin/certwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.33/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/certwatch.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/certwatch.te 2009-11-12 14:26:53.000000000 -0500 @@ -36,7 +36,7 @@ miscfiles_read_localization(certwatch_t) 
@@ -139,17 +115,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` apache_exec_modules(certwatch_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.32/policy/modules/admin/dmesg.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.6.33/policy/modules/admin/consoletype.te +--- nsaserefpolicy/policy/modules/admin/consoletype.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/consoletype.te 2009-11-12 14:26:53.000000000 -0500 +@@ -84,6 +84,7 @@ + optional_policy(` + hal_dontaudit_use_fds(consoletype_t) + hal_dontaudit_rw_pipes(consoletype_t) ++ hal_dontaudit_rw_dgram_sockets(consoletype_t) + ') + + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.33/policy/modules/admin/dmesg.fc --- nsaserefpolicy/policy/modules/admin/dmesg.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/dmesg.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/dmesg.fc 2009-11-12 14:26:53.000000000 -0500 
@@ -1,2 +1,4 @@ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) + +/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.32/policy/modules/admin/dmesg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.33/policy/modules/admin/dmesg.te --- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/dmesg.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/dmesg.te 2009-11-12 14:26:53.000000000 -0500 @@ -9,6 +9,7 @@ type dmesg_t; type dmesg_exec_t; @@ -184,9 +171,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(dmesg_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.6.32/policy/modules/admin/firstboot.te +@@ -57,3 +62,6 @@ + optional_policy(` + udev_read_db(dmesg_t) + ') ++ ++#mcelog needs ++dev_read_raw_memory(dmesg_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.6.33/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/firstboot.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/firstboot.te 2009-11-12 14:26:53.000000000 -0500 @@ -91,8 +91,12 @@ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) 
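Review bot: `dev_read_raw_memory(dmesg_t)` at the end of the dmesg.te hunk (`@@ -57,3 +62,6 @@`) grants read on the raw memory device type to the whole dmesg_t domain, and after the dmesg.fc hunk earlier in this file that domain is entered by both `/bin/dmesg` and `/usr/sbin/mcelog`, so plain `dmesg` now carries an access it has no visible use for. Giving mcelog its own exec type and domain would keep the raw-memory read scoped to the one tool that needs it; if the shared domain is kept deliberately, say so next to the rule. The comment `#mcelog needs` should state what is needed and why, e.g. `# mcelog (labeled dmesg_exec_t, see dmesg.fc) reads the raw memory device nodes; presumably /dev/mcelog shares that label -- confirm`, since the hunk itself does not show which device node is involved.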
@@ -209,9 +203,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.6.33/policy/modules/admin/kismet.fc +--- nsaserefpolicy/policy/modules/admin/kismet.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/kismet.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -1,3 +1,5 @@ ++HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0) ++ + /usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) + /var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) + /var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.33/policy/modules/admin/kismet.te +--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-08-31 13:30:04.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/kismet.te 2009-11-12 14:26:53.000000000 -0500 +@@ -26,6 +26,9 @@ + type kismet_var_run_t; + files_pid_file(kismet_var_run_t) + ++type kismet_home_t; ++userdom_user_home_content(kismet_home_t) ++ + ######################################## + # + # kismet local policy +@@ -59,6 +62,12 @@ + allow kismet_t kismet_var_run_t:dir manage_dir_perms; + files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) + ++manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) ++manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) ++manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t) ++userdom_search_user_home_dirs(kismet_t) ++userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir }) ++ + kernel_search_debugfs(kismet_t) + 
kernel_read_system_state(kismet_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.33/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/logrotate.te 2009-11-12 14:26:53.000000000 -0500 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -232,10 +261,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) -@@ -149,6 +150,10 @@ +@@ -149,6 +150,14 @@ ') optional_policy(` ++ asterisk_stream_connect(logrotate_t) ++') ++ ++optional_policy(` + bind_manage_cache(logrotate_t) +') + @@ -243,7 +276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(logrotate_t) ') -@@ -183,6 +188,10 @@ +@@ -183,6 +192,10 @@ ') optional_policy(` @@ -254,18 +287,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol slrnpull_manage_spool(logrotate_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.32/policy/modules/admin/logwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.33/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/logwatch.te 2009-11-12 14:26:53.000000000 -0500 
@@ -136,4 +136,5 @@ optional_policy(` samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.32/policy/modules/admin/mrtg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.33/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/mrtg.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/mrtg.te 2009-11-12 14:26:53.000000000 -0500 @@ -116,6 +116,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) @@ -274,10 +307,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol netutils_domtrans_ping(mrtg_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.32/policy/modules/admin/netutils.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.33/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2009-09-16 10:03:08.000000000 -0400 -@@ -85,6 +85,7 @@ ++++ serefpolicy-3.6.33/policy/modules/admin/netutils.te 2009-11-12 14:26:53.000000000 -0500 +@@ -44,6 +44,7 @@ + allow netutils_t self:packet_socket create_socket_perms; + allow netutils_t self:udp_socket create_socket_perms; + allow netutils_t self:tcp_socket create_stream_socket_perms; ++allow netutils_t self:socket create_socket_perms; + + manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) + manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) +@@ -85,6 +86,7 @@ miscfiles_read_localization(netutils_t) 
@@ -285,9 +326,224 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(netutils_t) userdom_use_all_users_fds(netutils_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.6.32/policy/modules/admin/portage.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.fc serefpolicy-3.6.33/policy/modules/admin/ntop.fc +--- nsaserefpolicy/policy/modules/admin/ntop.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/admin/ntop.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,5 @@ ++/etc/rc\.d/init\.d/ntop -- gen_context(system_u:object_r:ntop_initrc_exec_t,s0) ++ ++/usr/sbin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0) ++ ++/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.if serefpolicy-3.6.33/policy/modules/admin/ntop.if +--- nsaserefpolicy/policy/modules/admin/ntop.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/admin/ntop.if 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,158 @@ ++ ++## policy for ntop ++ ++######################################## ++## ++## Execute a domain transition to run ntop. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ntop_domtrans',` ++ gen_require(` ++ type ntop_t, ntop_exec_t; ++ ') ++ ++ domtrans_pattern($1,ntop_exec_t,ntop_t) ++') ++ ++ ++######################################## ++## ++## Execute ntop server in the ntop domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`ntop_initrc_domtrans',` ++ gen_require(` ++ type ntop_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1,ntop_initrc_exec_t) ++') ++ ++######################################## ++## ++## Search ntop lib directories. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntop_search_lib',` ++ gen_require(` ++ type ntop_var_lib_t; ++ ') ++ ++ allow $1 ntop_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read ntop lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntop_read_lib_files',` ++ gen_require(` ++ type ntop_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, ntop_var_lib_t, ntop_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## ntop lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntop_manage_lib_files',` ++ gen_require(` ++ type ntop_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, ntop_var_lib_t, ntop_var_lib_t) ++') ++ ++######################################## ++## ++## Manage ntop var_lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntop_manage_var_lib',` ++ gen_require(` ++ type ntop_var_lib_t; ++ ') ++ ++ manage_dirs_pattern($1,ntop_var_lib_t,ntop_var_lib_t) ++ manage_files_pattern($1,ntop_var_lib_t,ntop_var_lib_t) ++ manage_lnk_files_pattern($1,ntop_var_lib_t,ntop_var_lib_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ntop environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`ntop_admin',` ++ gen_require(` ++ type ntop_t; ++ ') ++ ++ allow $1 ntop_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, ntop_t, ntop_t) ++ ++ ++ gen_require(` ++ type ntop_initrc_exec_t; ++ ') ++ ++ # Allow ntop_t to restart the apache service ++ ntop_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 ntop_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ ntop_manage_var_lib($1) ++ ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ntop.te serefpolicy-3.6.33/policy/modules/admin/ntop.te +--- nsaserefpolicy/policy/modules/admin/ntop.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/admin/ntop.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,40 @@ ++policy_module(ntop,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ntop_t; ++type ntop_exec_t; ++init_daemon_domain(ntop_t, ntop_exec_t) ++ ++permissive ntop_t; ++ ++type ntop_initrc_exec_t; ++init_script_file(ntop_initrc_exec_t) ++ ++type ntop_var_lib_t; ++files_type(ntop_var_lib_t) ++ ++######################################## ++# ++# ntop local policy ++# ++allow ntop_t self:capability { setgid setuid }; ++allow ntop_t self:fifo_file manage_file_perms; ++allow ntop_t self:unix_stream_socket create_stream_socket_perms; ++ ++# Init script handling ++domain_use_interactive_fds(ntop_t) ++ ++files_read_etc_files(ntop_t) ++ ++manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) ++manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) ++files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } ) ++ ++auth_use_nsswitch(ntop_t) ++ ++miscfiles_read_localization(ntop_t) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.6.33/policy/modules/admin/portage.te --- nsaserefpolicy/policy/modules/admin/portage.te 2009-08-18 18:39:50.000000000 
-0400 -+++ serefpolicy-3.6.32/policy/modules/admin/portage.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/portage.te 2009-11-12 14:26:53.000000000 -0500 @@ -196,7 +196,7 @@ # - for rsync and distfile fetching # @@ -297,9 +553,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow portage_fetch_t self:process signal; allow portage_fetch_t self:unix_stream_socket create_socket_perms; allow portage_fetch_t self:tcp_socket create_stream_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.32/policy/modules/admin/prelink.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.33/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/prelink.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/prelink.if 2009-11-12 14:26:53.000000000 -0500 @@ -151,11 +151,11 @@ ## ## 
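Review bot: `permissive ntop_t;` in the new ntop.te means every rule in that file is logged but never enforced, so the local policy below it (only `setgid setuid` capabilities, no corenet_* or packet_socket rules anywhere in the hunk) is not actually exercised by anything yet; if this is the usual staging step for a new domain, a comment such as `# permissive while the ntop policy is developed; remove before the domain is enforced` beside it would keep it from shipping that way indefinitely. In ntop.if, the comment inside `ntop_admin` reads `# Allow ntop_t to restart the apache service`, a copy-paste leftover; it should read `# Allow $1 to run the ntop init script`, and the second `gen_require` for `ntop_initrc_exec_t` can be merged into the first one at the top of the interface. The `allow $1 ntop_t:process { ptrace signal_perms getattr }` line follows the admin-interface convention, but ptrace on the daemon is a stronger grant than restart and deserves a one-line comment of its own.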
@@ -314,10 +570,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) + relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.33/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2009-09-16 10:03:08.000000000 -0400 -@@ -89,6 +89,7 @@ ++++ serefpolicy-3.6.33/policy/modules/admin/prelink.te 2009-11-12 14:26:53.000000000 -0500 +@@ -80,6 +80,7 @@ + selinux_get_enforce_mode(prelink_t) + + libs_exec_ld_so(prelink_t) ++libs_legacy_use_shared_libs(prelink_t) + libs_manage_ld_so(prelink_t) + libs_relabel_ld_so(prelink_t) + libs_manage_shared_libs(prelink_t) +@@ -89,6 +90,7 @@ miscfiles_read_localization(prelink_t) userdom_use_user_terminals(prelink_t) 
@@ -325,9 +589,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amanda_manage_lib(prelink_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.32/policy/modules/admin/readahead.te +@@ -99,5 +101,9 @@ + ') + + optional_policy(` ++ rpm_manage_tmp_files(prelink_t) ++') ++ ++optional_policy(` + unconfined_domain(prelink_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.33/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/readahead.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/readahead.te 2009-11-12 14:26:53.000000000 -0500 @@ -52,6 +52,7 @@ files_list_non_security(readahead_t) @@ -336,10 +610,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_create_boot_flag(readahead_t) files_getattr_all_pipes(readahead_t) files_dontaudit_getattr_all_sockets(readahead_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.32/policy/modules/admin/rpm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.33/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.fc 2009-09-24 11:56:43.000000000 -0400 -@@ -1,17 +1,17 @@ ++++ serefpolicy-3.6.33/policy/modules/admin/rpm.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -1,18 +1,18 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -357,11 +631,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) - +-/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` + /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -21,15 +21,23 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -386,9 +662,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # SuSE ifdef(`distro_suse', ` /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.33/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-09-29 16:46:01.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/rpm.if 2009-11-12 14:26:53.000000000 -0500 @@ -13,11 +13,34 @@ interface(`rpm_domtrans',` gen_require(` 
@@ -436,7 +712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_run_loadpolicy(rpm_script_t, $2) seutil_run_semanage(rpm_script_t, $2) seutil_run_setfiles(rpm_script_t, $2) -@@ -146,6 +174,35 @@ +@@ -146,6 +174,40 @@ ######################################## ## @@ -458,11 +734,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms; ++ dontaudit $1 rpm_t:tcp_socket rw_socket_perms; ++ dontaudit $1 rpm_t:unix_dgram_socket rw_socket_perms; ++ dontaudit $1 rpm_t:shm rw_shm_perms; ++ + dontaudit $1 rpm_script_t:fd use; + dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms; ++ + dontaudit $1 rpm_var_run_t:file write_file_perms; ++ + dontaudit $1 rpm_tmp_t:file rw_file_perms; -+ dontaudit $1 rpm_t:shm rw_shm_perms; + dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; + dontaudit $1 rpm_tmpfs_t:file write_file_perms; +') @@ -472,7 +753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## rpm over dbus. ## -@@ -167,6 +224,48 @@ +@@ -167,6 +229,68 @@ ######################################## ## @@ -516,12 +797,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow rpm_script_t $1:dbus send_msg; +') + ++##################################### ++## ++## Allow the specified domain to append ++## to rpm log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_append_log',` ++ gen_require(` ++ type rpm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, rpm_log_t, rpm_log_t) ++') ++ +######################################## +## ## Create, read, write, and delete the RPM log. ## ## -@@ -186,6 +285,24 @@ +@@ -186,6 +310,24 @@ ######################################## ## 
@@ -546,7 +847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Inherit and use file descriptors from RPM scripts. ## ## -@@ -219,7 +336,51 @@ +@@ -219,7 +361,51 @@ ') files_search_tmp($1) @@ -598,7 +899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -241,6 +402,25 @@ +@@ -241,6 +427,25 @@ allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -624,7 +925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -265,6 +445,47 @@ +@@ -265,6 +470,48 @@ ######################################## ## @@ -663,6 +964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + files_search_var_lib($1) ++ manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t) + manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) + manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) +') 
@@ -672,11 +974,64 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to create, read, ## write, and delete the RPM package database. ## -@@ -283,3 +504,46 @@ +@@ -283,3 +530,99 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') + ++##################################### ++## ++## Read rpm pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_read_pid_files',` ++ gen_require(` ++ type rpm_var_run_t; ++ ') ++ ++ read_files_pattern($1,rpm_var_run_t,rpm_var_run_t) ++') ++ ++##################################### ++## ++## Create, read, write, and delete rpm pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_manage_pid_files',` ++ gen_require(` ++ type rpm_var_run_t; ++ ') ++ ++ manage_files_pattern($1,rpm_var_run_t,rpm_var_run_t) ++') ++ ++###################################### ++## ++## Create files in /var/run with the rpm pid file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_pid_filetrans',` ++ gen_require(` ++ type rpm_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, rpm_var_run_t, file) ++') + +######################################## +## @@ -719,9 +1074,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 rpm_t:process signull; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.32/policy/modules/admin/rpm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.33/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-09-24 11:56:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/rpm.te 2009-11-12 14:26:53.000000000 -0500 
@@ -15,6 +15,9 @@ domain_interactive_fd(rpm_t) role system_r types rpm_t; @@ -794,22 +1149,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_all_executables(rpm_t) -@@ -108,12 +130,14 @@ +@@ -108,12 +130,15 @@ dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) +dev_read_raw_memory(rpm_t) #devices_manage_all_device_types(rpm_t) ++fs_getattr_all_fs(rpm_t) ++fs_getattr_all_dirs(rpm_t) ++fs_list_inotifyfs(rpm_t) fs_manage_nfs_dirs(rpm_t) fs_manage_nfs_files(rpm_t) fs_manage_nfs_symlinks(rpm_t) - fs_getattr_all_fs(rpm_t) -+fs_getattr_all_dirs(rpm_t) +-fs_getattr_all_fs(rpm_t) fs_search_auto_mountpoints(rpm_t) mls_file_read_all_levels(rpm_t) -@@ -132,6 +156,8 @@ +@@ -132,6 +157,8 @@ # for installing kernel packages storage_raw_read_fixed_disk(rpm_t) @@ -818,7 +1175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) auth_dontaudit_read_shadow(rpm_t) -@@ -155,6 +181,7 @@ +@@ -155,6 +182,7 @@ files_exec_etc_files(rpm_t) init_domtrans_script(rpm_t) @@ -826,7 +1183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -174,17 +201,28 @@ +@@ -174,44 +202,41 @@ ') optional_policy(` 
@@ -835,28 +1192,48 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +- prelink_domtrans(rpm_t) + networkmanager_dbus_chat(rpm_t) -+ ') -+ -+ optional_policy(` -+ dbus_system_domain(rpm_t, rpm_exec_t) -+ ') -+') -+ -+optional_policy(` - prelink_domtrans(rpm_t) ') optional_policy(` - unconfined_domain(rpm_t) -+ unconfined_domain_noaudit(rpm_t) - # yum-updatesd requires this - unconfined_dbus_chat(rpm_t) -+ unconfined_dbus_chat(rpm_script_t) +- # yum-updatesd requires this +- unconfined_dbus_chat(rpm_t) ++ dbus_system_domain(rpm_t, rpm_exec_t) ') - ifdef(`TODO',` -@@ -210,8 +248,8 @@ +-ifdef(`TODO',` +-# read/write/create any files in the system +-dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr; +-allow rpm_t ttyfile:chr_file unlink; +- +-# needs rw permission to the directory for an rpm package that includes a mount +-# point +-allow rpm_t fs_type:dir { setattr rw_dir_perms }; +- +-allow rpm_t mount_t:tcp_socket write; ++ optional_policy(` ++ dbus_system_domain(rpm_t, debuginfo_exec_t) ++ ') ++') + +-allow rpm_t rpc_pipefs_t:dir search; ++optional_policy(` ++ prelink_domtrans(rpm_t) ++') + + optional_policy(` +-allow rpm_t sysadm_gph_t:fd use; ++ unconfined_domain_noaudit(rpm_t) ++ # yum-updatesd requires this ++ unconfined_dbus_chat(rpm_t) ++ unconfined_dbus_chat(rpm_script_t) + ') +-') dnl endif TODO + + ######################################## + # # rpm-script Local policy # @@ -867,7 +1244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -222,12 +260,15 @@ +@@ -222,12 +247,15 @@ allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; 
@@ -883,7 +1260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -239,6 +280,9 @@ +@@ -239,6 +267,9 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) @@ -893,15 +1270,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(rpm_script_t) -@@ -255,6 +299,7 @@ +@@ -254,7 +285,9 @@ + fs_getattr_xattr_fs(rpm_script_t) fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) ++fs_search_all(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) +fs_getattr_all_fs(rpm_script_t) mcs_killall(rpm_script_t) mcs_ptrace_all(rpm_script_t) -@@ -272,14 +317,19 @@ +@@ -272,14 +305,19 @@ storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) @@ -921,15 +1300,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -291,6 +341,7 @@ +@@ -291,8 +329,10 @@ files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) files_exec_usr_files(rpm_script_t) +files_relabel_all_files(rpm_script_t) init_domtrans_script(rpm_script_t) ++init_chat(rpm_script_t) -@@ -308,12 +359,15 @@ + libs_exec_ld_so(rpm_script_t) + libs_exec_lib_files(rpm_script_t) +@@ -308,12 +348,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -945,7 +1327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -326,13 +380,22 @@ +@@ -326,13 +369,22 @@ ') optional_policy(` 
@@ -969,9 +1351,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` java_domtrans_unconfined(rpm_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.6.32/policy/modules/admin/shorewall.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.6.33/policy/modules/admin/shorewall.fc +--- nsaserefpolicy/policy/modules/admin/shorewall.fc 2009-09-09 09:23:16.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/shorewall.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -4,8 +4,9 @@ + /etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) + /etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) + +-/sbin/shorewall -- gen_context(system_u:object_r:shorewall_exec_t,s0) ++/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) + /sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) + + /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) ++/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) + /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.6.33/policy/modules/admin/shorewall.if --- nsaserefpolicy/policy/modules/admin/shorewall.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/shorewall.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/shorewall.if 2009-11-12 14:26:53.000000000 -0500 @@ -75,6 +75,46 @@ rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) ') 
@@ -1019,9 +1415,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### ## ## All of the rules required to administrate -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.32/policy/modules/admin/shorewall.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.33/policy/modules/admin/shorewall.te --- nsaserefpolicy/policy/modules/admin/shorewall.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/shorewall.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/shorewall.te 2009-11-12 14:26:53.000000000 -0500 @@ -80,6 +80,8 @@ sysnet_domtrans_ifconfig(shorewall_t) @@ -1031,23 +1427,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` iptables_domtrans(shorewall_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.6.32/policy/modules/admin/smoltclient.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.6.33/policy/modules/admin/smoltclient.fc --- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/smoltclient.fc 2009-11-12 14:26:53.000000000 -0500 
@@ -0,0 +1,4 @@ + +/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.6.32/policy/modules/admin/smoltclient.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.6.33/policy/modules/admin/smoltclient.if --- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/smoltclient.if 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1 @@ +## The Fedora hardware profiler client -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.33/policy/modules/admin/smoltclient.te --- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2009-09-16 10:03:08.000000000 -0400 -@@ -0,0 +1,67 @@ ++++ serefpolicy-3.6.33/policy/modules/admin/smoltclient.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,66 @@ +policy_module(smoltclient,1.0.0) + +######################################## @@ -1072,7 +1468,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow smoltclient_t self:fifo_file rw_fifo_file_perms; +allow smoltclient_t self:tcp_socket create_socket_perms; +allow smoltclient_t self:udp_socket create_socket_perms; -+allow smoltclient_t self:netlink_route_socket r_netlink_socket_perms; + +can_exec(smoltclient_t, smoltclient_tmp_t) +manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t) 
@@ -1088,10 +1483,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +corenet_tcp_connect_http_port(smoltclient_t) + -+dev_read_urand(smoltclient_t) ++auth_use_nsswitch(smoltclient_t) ++ +dev_read_sysfs(smoltclient_t) + +fs_getattr_all_fs(smoltclient_t) ++fs_getattr_all_dirs(smoltclient_t) + +files_getattr_generic_locks(smoltclient_t) +files_read_etc_files(smoltclient_t) @@ -1099,8 +1496,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(smoltclient_t) + -+sysnet_read_config(smoltclient_t) -+ +optional_policy(` + dbus_system_bus_client(smoltclient_t) +') @@ -1115,9 +1510,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +permissive smoltclient_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.32/policy/modules/admin/sudo.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.33/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/sudo.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/sudo.if 2009-11-12 14:26:53.000000000 -0500 @@ -66,8 +66,8 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; 
@@ -1162,10 +1557,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.33/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te 2009-09-16 10:03:08.000000000 -0400 -@@ -52,6 +52,10 @@ ++++ serefpolicy-3.6.33/policy/modules/admin/tmpreaper.te 2009-11-12 14:26:53.000000000 -0500 +@@ -42,6 +42,7 @@ + cron_system_entry(tmpreaper_t, tmpreaper_exec_t) + + ifdef(`distro_redhat',` ++ userdom_list_user_home_content(tmpreaper_t) + userdom_delete_user_home_content_dirs(tmpreaper_t) + userdom_delete_user_home_content_files(tmpreaper_t) + userdom_delete_user_home_content_symlinks(tmpreaper_t) +@@ -52,6 +53,10 @@ ') optional_policy(` @@ -1176,9 +1579,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kismet_manage_log(tmpreaper_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.32/policy/modules/admin/tzdata.te +@@ -60,5 +65,9 @@ + ') + + optional_policy(` ++ rpm_read_cache(tmpreaper_t) ++') ++ ++optional_policy(` + unconfined_domain(tmpreaper_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.33/policy/modules/admin/tzdata.te --- nsaserefpolicy/policy/modules/admin/tzdata.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/tzdata.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/tzdata.te 2009-11-12 14:26:53.000000000 -0500 
@@ -19,6 +19,8 @@ files_read_etc_files(tzdata_t) files_search_spool(tzdata_t) @@ -1188,10 +1601,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_dontaudit_list_ptys(tzdata_t) locallogin_dontaudit_use_fds(tzdata_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.32/policy/modules/admin/usermanage.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.33/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/usermanage.if 2009-09-16 10:03:08.000000000 -0400 -@@ -274,6 +274,11 @@ ++++ serefpolicy-3.6.33/policy/modules/admin/usermanage.if 2009-11-12 14:26:53.000000000 -0500 +@@ -113,6 +113,12 @@ + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, passwd_exec_t, passwd_t) ++ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit passwd_t $1:unix_stream_socket rw_socket_perms; ++ dontaudit passwd_t $1:unix_dgram_socket rw_socket_perms; ++ dontaudit passwd_t $1:tcp_socket rw_socket_perms; ++') + ') + + ######################################## +@@ -274,6 +280,11 @@ usermanage_domtrans_useradd($1) role $2 types useradd_t; 
@@ -1203,10 +1629,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` nscd_run(useradd_t, $2) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te ---- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2009-09-16 10:03:08.000000000 -0400 -@@ -197,6 +197,7 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.33/policy/modules/admin/usermanage.te +--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/admin/usermanage.te 2009-11-12 14:26:53.000000000 -0500 +@@ -82,6 +82,7 @@ + selinux_compute_relabel_context(chfn_t) + selinux_compute_user_contexts(chfn_t) + ++term_use_console(chfn_t) + term_use_all_user_ttys(chfn_t) + term_use_all_user_ptys(chfn_t) + +@@ -197,6 +198,7 @@ selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) @@ -1214,7 +1648,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_user_ttys(groupadd_t) term_use_all_user_ptys(groupadd_t) -@@ -209,6 +210,7 @@ +@@ -209,6 +211,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) files_read_etc_runtime_files(groupadd_t) @@ -1222,7 +1656,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}. corecmd_exec_bin(groupadd_t) -@@ -218,14 +220,11 @@ +@@ -218,14 +221,11 @@ miscfiles_read_localization(groupadd_t) 
@@ -1239,7 +1673,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_config(groupadd_t) -@@ -329,6 +328,7 @@ +@@ -292,6 +292,7 @@ + selinux_compute_relabel_context(passwd_t) + selinux_compute_user_contexts(passwd_t) + ++term_use_console(passwd_t) + term_use_all_user_ttys(passwd_t) + term_use_all_user_ptys(passwd_t) + +@@ -333,6 +334,7 @@ # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -1247,7 +1689,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` nscd_domtrans(passwd_t) -@@ -446,6 +446,7 @@ +@@ -382,6 +384,7 @@ + fs_getattr_xattr_fs(sysadm_passwd_t) + fs_search_auto_mountpoints(sysadm_passwd_t) + ++term_use_console(sysadm_passwd_t) + term_use_all_user_ttys(sysadm_passwd_t) + term_use_all_user_ptys(sysadm_passwd_t) + +@@ -450,6 +453,7 @@ corecmd_exec_bin(useradd_t) domain_use_interactive_fds(useradd_t) @@ -1255,7 +1705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -465,18 +466,16 @@ +@@ -469,18 +473,16 @@ selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) @@ -1278,7 +1728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(useradd_t) init_rw_utmp(useradd_t) -@@ -494,10 +493,8 @@ +@@ -498,10 +500,8 @@ userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -1290,7 +1740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mta_manage_spool(useradd_t) -@@ -521,6 +518,12 @@ +@@ -525,6 +525,12 @@ ') optional_policy(` 
@@ -1300,13 +1750,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` - rpm_use_fds(useradd_t) - rpm_rw_pipes(useradd_t) + puppet_rw_tmp(useradd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.32/policy/modules/admin/vbetool.te + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.33/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/vbetool.te 2009-09-16 10:03:08.000000000 -0400 -@@ -15,15 +15,22 @@ ++++ serefpolicy-3.6.33/policy/modules/admin/vbetool.te 2009-11-12 14:26:53.000000000 -0500 +@@ -15,15 +15,20 @@ # Local policy # @@ -1325,13 +1775,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +domain_mmap_low_type(vbetool_t) +tunable_policy(`mmap_low_allowed',` domain_mmap_low(vbetool_t) -+', ` -+dontaudit vbetool_t self:memprotect mmap_zero; +') term_use_unallocated_ttys(vbetool_t) -@@ -34,3 +41,8 @@ +@@ -34,3 +39,8 @@ hal_write_log(vbetool_t) hal_dontaudit_append_lib_files(vbetool_t) ') 
@@ -1340,9 +1788,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_exec_pid(vbetool_t) + xserver_write_pid(vbetool_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.32/policy/modules/apps/calamaris.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.6.33/policy/modules/admin/vpn.te +--- nsaserefpolicy/policy/modules/admin/vpn.te 2009-08-31 13:30:04.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/admin/vpn.te 2009-11-12 14:26:53.000000000 -0500 +@@ -46,6 +46,7 @@ + kernel_read_system_state(vpnc_t) + kernel_read_network_state(vpnc_t) + kernel_read_all_sysctls(vpnc_t) ++kernel_request_load_module(vpnc_t) + kernel_rw_net_sysctls(vpnc_t) + + corenet_all_recvfrom_unlabeled(vpnc_t) +@@ -98,6 +99,7 @@ + logging_dontaudit_search_logs(vpnc_t) + + miscfiles_read_localization(vpnc_t) ++miscfiles_read_home_certs(vpnc_t) + + seutil_dontaudit_search_config(vpnc_t) + seutil_use_newrole_fds(vpnc_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.33/policy/modules/apps/calamaris.te --- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/calamaris.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/calamaris.te 2009-11-12 14:26:53.000000000 -0500 @@ -59,12 +59,12 @@ libs_read_lib_files(calamaris_t) 
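Review bot: `kernel_request_load_module(vpnc_t)` carries no comment naming the module autoload it is meant to cover, and the hunk does not show the triggering operation; presumably a tunnel or crypto device open, but that should be confirmed and recorded, e.g. `# module autoload on device open (tun?) -- confirm`, so the grant is not widened later without a reason. `miscfiles_read_home_certs(vpnc_t)` similarly deserves a one-line note that it lets the VPN client read user-owned certificate files under home directories.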
@@ -1365,9 +1832,180 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - nis_use_ypbind(calamaris_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.32/policy/modules/apps/cpufreqselector.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.6.33/policy/modules/apps/chrome.fc +--- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/apps/chrome.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,2 @@ ++ ++/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.6.33/policy/modules/apps/chrome.if +--- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/apps/chrome.if 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,85 @@ ++ ++## policy for chrome ++ ++######################################## ++## ++## Execute a domain transition to run chrome_sandbox. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`chrome_domtrans_sandbox',` ++ gen_require(` ++ type chrome_sandbox_t, chrome_sandbox_exec_t; ++ ') ++ ++ domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t) ++') ++ ++ ++######################################## ++## ++## Execute chrome_sandbox in the chrome_sandbox domain, and ++## allow the specified role the chrome_sandbox domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the chrome_sandbox domain. 
++## ++## ++# ++interface(`chrome_run_sandbox',` ++ gen_require(` ++ type chrome_sandbox_t; ++ ') ++ ++ chrome_domtrans_sandbox($1) ++ role $2 types chrome_sandbox_t; ++') ++ ++######################################## ++## ++## Role access for chrome sandbox ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`chrome_role',` ++ gen_require(` ++ type chrome_sandbox_t; ++ type chrome_sandbox_tmpfs_t; ++ ') ++ ++ role $1 types chrome_sandbox_t; ++ ++ chrome_domtrans_sandbox($2) ++ ++ ps_process_pattern($2, chrome_sandbox_t) ++ allow $2 chrome_sandbox_t:process signal_perms; ++ ++ allow chrome_sandbox_t $2:unix_dgram_socket { read write }; ++ allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; ++ allow chrome_sandbox_t $2:unix_stream_socket { read write }; ++ allow $2 chrome_sandbox_t:unix_stream_socket { read write }; ++ ++ allow $2 chrome_sandbox_t:shm rw_shm_perms; ++ ++ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.33/policy/modules/apps/chrome.te +--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/apps/chrome.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,72 @@ ++policy_module(chrome,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type chrome_sandbox_t; ++type chrome_sandbox_exec_t; ++application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) ++role system_r types chrome_sandbox_t; ++ ++type chrome_sandbox_tmp_t; ++files_tmp_file(chrome_sandbox_tmp_t) ++ ++type chrome_sandbox_tmpfs_t; ++files_tmpfs_file(chrome_sandbox_tmpfs_t) ++ubac_constrained(chrome_sandbox_tmpfs_t) ++ ++permissive chrome_sandbox_t; ++ ++######################################## ++# ++# chrome_sandbox local policy ++# ++allow chrome_sandbox_t self:capability { setuid sys_admin 
dac_override sys_chroot chown fsetid setgid }; ++allow chrome_sandbox_t self:process { signal_perms setrlimit execmem }; ++allow chrome_sandbox_t self:fifo_file manage_file_perms; ++allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; ++allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow chrome_sandbox_t self:shm create_shm_perms; ++ ++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) ++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) ++files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) ++ ++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) ++fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file) ++ ++kernel_read_kernel_sysctls(chrome_sandbox_t) ++ ++corecmd_exec_bin(chrome_sandbox_t) ++ ++dev_read_urand(chrome_sandbox_t) ++ ++files_read_etc_files(chrome_sandbox_t) ++ ++userdom_rw_user_tmpfs_files(chrome_sandbox_t) ++userdom_use_user_ptys(chrome_sandbox_t) ++userdom_write_inherited_user_tmp_files(chrome_sandbox_t) ++ ++miscfiles_read_localization(chrome_sandbox_t) ++miscfiles_read_fonts(chrome_sandbox_t) ++ ++optional_policy(` ++ xserver_read_home_fonts(chrome_sandbox_t) ++') ++ ++optional_policy(` ++ execmem_exec(chrome_sandbox_t) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_append_nfs_files(chrome_sandbox_t) ++ fs_dontaudit_read_nfs_files(chrome_sandbox_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_append_cifs_files(chrome_sandbox_t) ++ fs_dontaudit_read_cifs_files(chrome_sandbox_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.33/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/cpufreqselector.te 2009-09-16 
10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/cpufreqselector.te 2009-11-12 14:26:53.000000000 -0500 @@ -26,7 +26,7 @@ dev_rw_sysfs(cpufreqselector_t) 
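Review bot: `permissive chrome_sandbox_t;` makes every rule in the new chrome module audit-only, so `allow chrome_sandbox_t self:capability { setuid sys_admin dac_override sys_chroot chown fsetid setgid };` currently records rather than bounds what the helper may do, and none of those capabilities, in particular `sys_admin` and `dac_override`, carry a why-comment. Add a marker above the permissive line, `# TODO: permissive while denials are collected; remove before this domain is relied on as a boundary`, and a comment per capability naming the operation that needs it, matching the style used elsewhere in the policy. `chrome_domtrans_sandbox` also writes `domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)` without the spaces the other interfaces in this patch use.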
@@ -1377,24 +2015,189 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.6.32/policy/modules/apps/firewallgui.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.6.33/policy/modules/apps/execmem.fc +--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/apps/execmem.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,40 @@ ++/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++ifdef(`distro_gentoo',` ++/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++') ++/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) 
++/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib(64)?/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.33/policy/modules/apps/execmem.if +--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/apps/execmem.if 2009-11-12 14:41:22.000000000 -0500 +@@ -0,0 +1,102 @@ ++## execmem domain ++ ++######################################## ++## ++## Execute the execmem program in the execmem domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`execmem_exec',` ++ gen_require(` ++ type execmem_exec_t; ++ ') ++ ++ can_exec($1, execmem_exec_t) ++') ++ ++####################################### ++## ++## The role template for the execmem module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for execmem applications. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++template(`execmem_role_template',` ++ gen_require(` ++ type execmem_exec_t; ++ ') ++ ++ type $1_execmem_t; ++ domain_type($1_execmem_t) ++ domain_entry_file($1_execmem_t, execmem_exec_t) ++ role $2 types $1_execmem_t; ++ ++ userdom_unpriv_usertype($1, $1_execmem_t) ++ userdom_manage_tmp_role($2, $1_execmem_t) ++ userdom_manage_tmpfs_role($2, $1_execmem_t) ++ ++ allow $1_execmem_t self:process { execmem execstack }; ++ allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; ++ mozilla_execmod_user_home_files($1_execmem_t) ++ ++ domtrans_pattern($3, execmem_exec_t, $1_execmem_t) ++ ++ files_execmod_tmp($1_execmem_t) ++ ++ optional_policy(` ++ chrome_role($2, $1_execmem_t) ++ ') ++ ++ optional_policy(` ++ xserver_common_app($1_execmem_t) ++ xserver_role($2, $1_execmem_t) ++ ') ++') ++ ++######################################## ++## ++## Execute a execmem_exec file ++## in the specified domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. 
++## ++## ++# ++interface(`execmem_domtrans',` ++ gen_require(` ++ type execmem_exec_t; ++ ') ++ ++ domtrans_pattern($1, execmem_exec_t, $2) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.6.33/policy/modules/apps/execmem.te +--- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/apps/execmem.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,11 @@ ++ ++policy_module(execmem, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type execmem_exec_t alias unconfined_execmem_exec_t; ++application_executable_file(execmem_exec_t) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.6.33/policy/modules/apps/firewallgui.fc --- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/firewallgui.fc 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,3 @@ + +/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.6.32/policy/modules/apps/firewallgui.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.6.33/policy/modules/apps/firewallgui.if --- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/firewallgui.if 2009-11-12 14:26:53.000000000 -0500 
@@ -0,0 +1,3 @@ + +## policy for firewallgui + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.32/policy/modules/apps/firewallgui.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.6.33/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/firewallgui.te 2009-09-16 10:03:08.000000000 -0400 -@@ -0,0 +1,63 @@ ++++ serefpolicy-3.6.33/policy/modules/apps/firewallgui.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,64 @@ + +policy_module(firewallgui,1.0.0) + @@ -1448,6 +2251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dev_read_sysfs(firewallgui_t) + +nscd_dontaudit_search_pid(firewallgui_t) ++nscd_socket_use(firewallgui_t) + +miscfiles_read_localization(firewallgui_t) + @@ -1458,9 +2262,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_dbus_chat(firewallgui_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.32/policy/modules/apps/gitosis.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.33/policy/modules/apps/gitosis.if --- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/gitosis.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/gitosis.if 2009-11-12 14:26:53.000000000 -0500 @@ -43,3 +43,48 @@ role $2 types gitosis_t; ') 
@@ -1510,15 +2314,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.33/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2009-09-16 10:03:08.000000000 -0400 -@@ -1,8 +1,16 @@ ++++ serefpolicy-3.6.33/policy/modules/apps/gnome.fc 2009-11-12 14:29:53.000000000 -0500 +@@ -1,8 +1,18 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) -+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) ++HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) ++HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) ++HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) +HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) 
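Review bot: `HOME_DIR/\.local.*` is a regular expression, not a glob, so besides `~/.local` it also labels siblings such as `~/.localized`, and `HOME_DIR/\.local/share(.*)?` likewise catches `~/.local/shared-anything`; the other entries in this file anchor with a slash, e.g. `HOME_DIR/\.config(/.*)?`. Suggest `HOME_DIR/\.local(/.*)?` and `HOME_DIR/\.local/share(/.*)?` so only the intended trees get gconf_home_t and data_home_t. The same anchoring question applies to `/usr/bin/mono.*` in the mono.fc hunk further down.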
@@ -1532,14 +2338,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) + +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.33/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2009-09-16 10:03:08.000000000 -0400 -@@ -89,5 +89,175 @@ ++++ serefpolicy-3.6.33/policy/modules/apps/gnome.if 2009-11-12 14:33:12.000000000 -0500 +@@ -84,10 +84,180 @@ + # + interface(`gnome_manage_config',` + gen_require(` +- type gnome_home_t; ++ attribute gnome_home_type; + ') - allow $1 gnome_home_t:dir manage_dir_perms; - allow $1 gnome_home_t:file manage_file_perms; -+ allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; +- allow $1 gnome_home_t:dir manage_dir_perms; +- allow $1 gnome_home_t:file manage_file_perms; ++ allow $1 gnome_home_type:dir manage_dir_perms; ++ allow $1 gnome_home_type:file manage_file_perms; ++ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; userdom_search_user_home_dirs($1) ') + 
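Review bot: gnome_manage_config now grants on the attribute gnome_home_type, but in the gnome.te hunk below only data_home_t, config_home_t, cache_home_t and gconf_home_t are declared with that attribute while `type gnome_home_t;` stays a plain type, so unless the part of that hunk outside this view adds the attribute, this interface (and gnome_read_config and gnome_stream_connect, which make the same switch) no longer covers ~/.gnome2 and ~/.pulse, which gnome.fc still labels gnome_home_t. The one-line fix is in the declarations: `type gnome_home_t, gnome_home_type;`. Separately, every caller of gnome_manage_config now gets manage rights over ~/.config, ~/.cache and ~/.local/share as a bundle, which is a wider grant than the old single type; a sentence in the interface header saying the attribute spans all of these would help callers judge it.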
@@ -1579,12 +2393,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +template(`gnome_read_config',` + gen_require(` -+ type gnome_home_t; ++ attribute gnome_home_type; + ') + -+ list_dirs_pattern($1, gnome_home_t, gnome_home_t) -+ read_files_pattern($1, gnome_home_t, gnome_home_t) -+ read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) ++ list_dirs_pattern($1, gnome_home_type, gnome_home_type) ++ read_files_pattern($1, gnome_home_type, gnome_home_type) ++ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) +') + +######################################## 
@@ -1705,23 +2519,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`gnome_stream_connect',` + gen_require(` -+ type gnome_home_t; ++ attribute gnome_home_type; + ') + + # Connect to pulseaudit server -+ stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2) ++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.32/policy/modules/apps/gnome.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.33/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/gnome.te 2009-09-18 08:09:19.000000000 -0400 -@@ -9,16 +9,18 @@ ++++ serefpolicy-3.6.33/policy/modules/apps/gnome.te 2009-11-12 14:32:22.000000000 -0500 +@@ -7,18 +7,30 @@ + # + attribute gnomedomain; ++attribute gnome_home_type; type gconf_etc_t; -files_type(gconf_etc_t) +files_config_file(gconf_etc_t) - type gconf_home_t; +-type gconf_home_t; ++type data_home_t, gnome_home_type; ++userdom_user_home_content(data_home_t) ++ ++type config_home_t, gnome_home_type; ++userdom_user_home_content(config_home_t) ++ ++type cache_home_t, gnome_home_type; ++userdom_user_home_content(cache_home_t) ++ ++type gconf_home_t, gnome_home_type; typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; +typealias gconf_home_t alias unconfined_gconf_home_t; 
@@ -1734,7 +2561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_file(gconf_tmp_t) ubac_constrained(gconf_tmp_t) -@@ -32,8 +34,17 @@ +@@ -32,8 +44,17 @@ type gnome_home_t; typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; @@ -1752,7 +2579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # Local Policy -@@ -73,3 +84,89 @@ +@@ -73,3 +94,89 @@ xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -1842,9 +2669,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_read_lib(gnomesystemmm_t) + policykit_read_reload(gnomesystemmm_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.32/policy/modules/apps/gpg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.33/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/gpg.te 2009-09-21 09:16:56.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/gpg.te 2009-11-12 14:26:53.000000000 -0500 @@ -104,12 +104,19 @@ auth_use_nsswitch(gpg_t) 
@@ -1889,9 +2716,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_app(gpg_pinentry_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.32/policy/modules/apps/java.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.33/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/java.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/java.fc 2009-11-12 14:26:53.000000000 -0500 @@ -2,15 +2,16 @@ # /opt # @@ -1912,7 +2739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -20,5 +21,11 @@ +@@ -20,5 +21,12 @@ /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) 
@@ -1926,9 +2753,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if ++/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.33/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/java.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/java.if 2009-11-12 14:26:53.000000000 -0500 @@ -30,6 +30,7 @@ allow java_t $2:unix_stream_socket connectto; @@ -1937,7 +2765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -71,24 +72,128 @@ +@@ -71,24 +72,131 @@ ######################################## ## @@ -2057,6 +2885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1_java_t self:process { ptrace signal getsched execmem execstack }; + allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms }; ++ dontaudit $1_java_t $3:tcp_socket { read write }; + + domtrans_pattern($3, java_exec_t, $1_java_t) + dev_dontaudit_append_rand($1_java_t) 
@@ -2064,14 +2893,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_dontaudit_rw_tmpfs_files($1_java_t) + corecmd_bin_domtrans($1_java_t, $1_t) + ++ files_execmod_all_files($1_java_t) ++ + optional_policy(` + xserver_common_app($1_java_t) + xserver_role($1_r, $1_java_t) + ') ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.32/policy/modules/apps/java.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.33/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/java.te 2009-09-18 17:16:51.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/java.te 2009-11-12 14:26:53.000000000 -0500 @@ -20,6 +20,8 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; @@ -2081,7 +2912,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type java_tmp_t; files_tmp_file(java_tmp_t) ubac_constrained(java_tmp_t) -@@ -80,6 +82,7 @@ +@@ -32,9 +34,6 @@ + typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t }; + typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t }; + +-type unconfined_java_t; +-init_system_domain(unconfined_java_t, java_exec_t) +- + ######################################## + # + # Local policy +@@ -80,6 +79,7 @@ dev_write_sound(java_t) dev_read_urand(java_t) dev_read_rand(java_t) @@ -2089,7 +2930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(java_t) files_read_usr_files(java_t) -@@ -131,6 +134,7 @@ +@@ -131,20 +131,9 @@ ') optional_policy(` 
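Review bot: `files_execmod_all_files($1_java_t)` removes the text-relocation check for every file type the per-user java domain can map, including user-writable content, which is a much broader grant than the execmem/execstack already on the domain; if only specific libraries need it, the execmod interface of that type keeps the protection elsewhere. At minimum the line needs a why-comment, e.g. `# TODO(review): which libraries need text relocations? scope this down if possible`. The template this sits in starts outside the hunk.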
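Review bot: Removing `type unconfined_java_t;` and its `init_system_domain` declaration here, together with the whole "Unconfined java local policy" block in the next hunk, will break the module build if anything else still names unconfined_java_t — a java.fc entry, or an interface such as upstream's `java_domtrans_unconfined` in java.if. None of those is visible in this chunk, so please confirm the rest of the patch drops or rewrites them in the same update.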
@@ -2097,40 +2938,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_user_x_domain_template(java, java_t, java_tmpfs_t) ') -@@ -143,8 +147,18 @@ - # execheap is needed for itanium/BEA jrocket - allow unconfined_java_t self:process { execstack execmem execheap }; +-######################################## +-# +-# Unconfined java local policy +-# +- +-optional_policy(` +- # execheap is needed for itanium/BEA jrocket +- allow unconfined_java_t self:process { execstack execmem execheap }; -+ files_execmod_all_files(unconfined_java_t) -+ - init_dbus_chat_script(unconfined_java_t) +- init_dbus_chat_script(unconfined_java_t) - unconfined_domain_noaudit(unconfined_java_t) - unconfined_dbus_chat(unconfined_java_t) -+ optional_policy(` -+ hal_dbus_chat(unconfined_java_t) -+') -+ -+ optional_policy(` -+ rpm_domtrans(unconfined_java_t) - ') -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.32/policy/modules/apps/kdumpgui.fc +- unconfined_domain_noaudit(unconfined_java_t) +- unconfined_dbus_chat(unconfined_java_t) +-') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.33/policy/modules/apps/kdumpgui.fc --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/kdumpgui.fc 2009-11-12 14:26:53.000000000 -0500 
@@ -0,0 +1,2 @@ + +/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.6.32/policy/modules/apps/kdumpgui.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.6.33/policy/modules/apps/kdumpgui.if --- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/kdumpgui.if 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,2 @@ +## system-config-kdump policy + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.33/policy/modules/apps/kdumpgui.te --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/kdumpgui.te 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,65 @@ +policy_module(kdumpgui,1.0.0) + 
@@ -2197,16 +3033,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +permissive kdumpgui_t; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.32/policy/modules/apps/livecd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.33/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/livecd.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/livecd.fc 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.32/policy/modules/apps/livecd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.33/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/livecd.if 2009-09-16 10:03:08.000000000 -0400 -@@ -0,0 +1,50 @@ ++++ serefpolicy-3.6.33/policy/modules/apps/livecd.if 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,52 @@ + +## policy for livecd + 
@@ -2255,12 +3091,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types livecd_t; + + seutil_run_setfiles_mac(livecd_t, $2) ++ usermanage_run_passwd(livecd_t, $2) ++ usermanage_run_chfn(livecd_t, $2) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.32/policy/modules/apps/livecd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.33/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/livecd.te 2009-09-16 10:03:08.000000000 -0400 -@@ -0,0 +1,26 @@ ++++ serefpolicy-3.6.33/policy/modules/apps/livecd.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,27 @@ +policy_module(livecd, 1.0.0) + +######################################## 
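Review bot: `usermanage_run_passwd(livecd_t, $2)` and `usermanage_run_chfn(livecd_t, $2)` give the livecd role two more setuid-style transitions with no comment explaining the need; add one, e.g. `# livecd-creator runs passwd/chfn while populating the image - TODO confirm`. If the usermanage module is not guaranteed present in every build that includes livecd, these two calls should sit inside `optional_policy(`...')` like the other cross-module calls in this patch. The enclosing interface starts outside the hunk.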
@@ -2287,9 +3125,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +seutil_domtrans_setfiles_mac(livecd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.32/policy/modules/apps/mono.if ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.6.33/policy/modules/apps/loadkeys.te +--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/loadkeys.te 2009-11-12 14:26:53.000000000 -0500 +@@ -40,8 +40,12 @@ + miscfiles_read_localization(loadkeys_t) + + userdom_use_user_ttys(loadkeys_t) +-userdom_list_user_home_dirs(loadkeys_t) ++userdom_list_user_home_content(loadkeys_t) + + optional_policy(` + nscd_dontaudit_search_pid(loadkeys_t) + ') ++ ++ifdef(`hide_broken_symptoms',` ++ dev_dontaudit_rw_lvm_control_dev(loadkeys_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.6.33/policy/modules/apps/mono.fc +--- nsaserefpolicy/policy/modules/apps/mono.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/mono.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -1 +1 @@ +-/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0) ++/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.33/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/mono.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/mono.if 2009-11-12 14:26:53.000000000 -0500 @@ -21,6 +21,105 @@ ######################################## 
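Review bot: `/usr/bin/mono.*` is a regex, so every program whose name starts with "mono" (monodoc, monodevelop, mono-service and so on) now gets mono_exec_t and transitions into mono_t on execution, which widens whatever mono_t is allowed to a whole family of binaries. If the intent is the versioned interpreter names, anchor the pattern, e.g. (constructed) `/usr/bin/mono(-[^/]*)? -- gen_context(system_u:object_r:mono_exec_t,s0)`, or list the binaries explicitly. The loadkeys change in the same hunk is fine, but `userdom_list_user_home_content` is broader than the list-home-dirs call it replaces and deserves a short why-comment.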
@@ -2405,9 +3267,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') corecmd_search_bin($1) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.32/policy/modules/apps/mono.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.33/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/mono.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/mono.te 2009-11-12 14:26:53.000000000 -0500 @@ -15,7 +15,7 @@ # Local policy # @@ -2431,9 +3293,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_rw_shm(mono_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.33/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/mozilla.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,6 +1,7 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) 
@@ -2442,9 +3304,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.32/policy/modules/apps/mozilla.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.33/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if 2009-09-23 19:27:38.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/mozilla.if 2009-11-12 14:26:53.000000000 -0500 @@ -45,6 +45,18 @@ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) @@ -2472,10 +3334,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs($1) ') -@@ -88,6 +101,25 @@ +@@ -88,6 +101,61 @@ ######################################## ## ++## Write mozilla home directory content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mozilla_execmod_user_home_files',` ++ gen_require(` ++ type mozilla_home_t; ++ ') ++ ++ allow $1 mozilla_home_t:file execmod; ++') ++ ++######################################## ++## +## Dontaudit attempts to write mozilla home directory content +## +## 
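Review bot: The summary on the new `mozilla_execmod_user_home_files` interface says "Write mozilla home directory content", but the body is `allow $1 mozilla_home_t:file execmod;`, which grants no write at all; suggest `## Allow text relocation (execmod) on mozilla home directory content`. Since mozilla_home_t is user-writable, a caller can map user-controlled files with executable relocations, so the description should state that plainly for anyone auditing callers such as execmem_role_template earlier in this patch.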
@@ -2494,13 +3374,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +######################################## ++## ++## Dontaudit attempts to read/write mozilla home directory content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mozilla_dontaudit_rw_user_home_files',` ++ gen_require(` ++ type mozilla_home_t; ++ ') ++ ++ dontaudit $1 mozilla_home_t:file { read write }; ++') ++ ++######################################## +## ## Run mozilla in the mozilla domain. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.33/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/mozilla.te 2009-11-12 14:26:53.000000000 -0500 @@ -59,6 +59,7 @@ manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) @@ -2526,7 +3424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_runtime_files(mozilla_t) files_read_usr_files(mozilla_t) files_read_etc_files(mozilla_t) -@@ -129,6 +133,7 @@ +@@ -129,21 +133,18 @@ fs_rw_tmpfs_files(mozilla_t) term_dontaudit_getattr_pty_dirs(mozilla_t) @@ -2534,7 +3432,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(mozilla_t) -@@ -138,12 +143,7 @@ ++miscfiles_dontaudit_setattr_fonts(mozilla_t) + miscfiles_read_fonts(mozilla_t) + miscfiles_read_localization(mozilla_t) + # Browse the web, connect to printer sysnet_dns_name_resolve(mozilla_t) 
@@ -2548,7 +3449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -@@ -231,11 +231,15 @@ +@@ -231,11 +232,15 @@ optional_policy(` dbus_system_bus_client(mozilla_t) dbus_session_bus_client(mozilla_t) @@ -2564,7 +3465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -256,5 +260,10 @@ +@@ -256,5 +261,10 @@ ') optional_policy(` 
@@ -2575,25 +3476,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` thunderbird_domtrans(mozilla_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.33/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.fc 2009-09-16 10:03:08.000000000 -0400 -@@ -0,0 +1,12 @@ ++++ serefpolicy-3.6.33/policy/modules/apps/nsplugin.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,11 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) -+HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -+HOME_DIR/\.config/gxine(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) + +/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) ++/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? 
gen_context(system_u:object_r:nsplugin_rw_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.33/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-29 16:37:24.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/nsplugin.if 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,323 @@ + +## policy for nsplugin @@ -2918,10 +3818,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.33/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-09-24 11:43:03.000000000 -0400 -@@ -0,0 +1,294 @@ ++++ serefpolicy-3.6.33/policy/modules/apps/nsplugin.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,295 @@ + +policy_module(nsplugin, 1.0.0) + @@ -3166,6 +4066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_fonts(nsplugin_config_t) + +userdom_search_user_home_content(nsplugin_config_t) ++userdom_read_user_home_content_symlinks(nsplugin_config_t) +userdom_read_user_home_content_files(nsplugin_config_t) +userdom_dontaudit_search_admin_dir(nsplugin_config_t) + 
@@ -3216,16 +4117,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.32/policy/modules/apps/openoffice.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.33/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/openoffice.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/openoffice.fc 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.32/policy/modules/apps/openoffice.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.33/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/openoffice.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/openoffice.if 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,93 @@ +## Openoffice + 
@@ -3320,9 +4221,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_x_domain_template($1, $1_openoffice_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.32/policy/modules/apps/openoffice.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.33/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/openoffice.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/openoffice.te 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,11 @@ + +policy_module(openoffice, 1.0.0) 
@@ -3335,9 +4236,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type openoffice_t; +type openoffice_exec_t; +application_domain(openoffice_t, openoffice_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.33/policy/modules/apps/podsleuth.te +--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/podsleuth.te 2009-11-12 14:26:53.000000000 -0500 +@@ -71,6 +71,8 @@ + + sysnet_dns_name_resolve(podsleuth_t) + ++userdom_signal_unpriv_users(podsleuth_t) ++ + optional_policy(` + dbus_system_bus_client(podsleuth_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.33/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2009-09-29 15:46:25.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/pulseaudio.if 2009-11-12 14:26:53.000000000 -0500 @@ -40,7 +40,7 @@ userdom_manage_tmpfs_role($1, pulseaudio_t) 
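Review bot: `userdom_signal_unpriv_users(podsleuth_t)` lets the podsleuth helper deliver signals to every unprivileged user domain on the system, not only to the session that asked for it, and the hunk carries no comment saying which signal is needed or why the target is "all unprivileged users". If the intent is just to notify or poke the requesting client (podsleuth is presumably started over the system bus, so the client is not its parent and `sigchld` would not cover it), a narrower grant such as `signull`, or a comment recording the actual requirement, would keep the rule reviewable: `# podsleuth signals the requesting user session (which signal? why every unpriv user domain?)`. The podsleuth_t rule block starts and ends outside this hunk.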
@@ -3347,9 +4260,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.33/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/pulseaudio.te 2009-11-12 14:26:53.000000000 -0500 @@ -26,6 +26,7 @@ can_exec(pulseaudio_t, pulseaudio_exec_t) @@ -3358,7 +4271,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(pulseaudio_t) kernel_read_kernel_sysctls(pulseaudio_t) -@@ -88,6 +89,10 @@ +@@ -63,12 +64,17 @@ + miscfiles_read_localization(pulseaudio_t) + + optional_policy(` ++ bluetooth_stream_connect(pulseaudio_t) ++') ++ ++optional_policy(` + gnome_manage_config(pulseaudio_t) + ') + + optional_policy(` + dbus_system_bus_client(pulseaudio_t) + dbus_session_bus_client(pulseaudio_t) ++ dbus_connect_session_bus(pulseaudio_t) + + optional_policy(` + consolekit_dbus_chat(pulseaudio_t) +@@ -88,6 +94,10 @@ ') optional_policy(` 
@@ -3369,23 +4300,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -100,4 +105,5 @@ +@@ -100,4 +110,5 @@ optional_policy(` xserver_manage_xdm_tmp_files(pulseaudio_t) xserver_read_xdm_lib_files(pulseaudio_t) + xserver_common_app(pulseaudio_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.32/policy/modules/apps/qemu.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.33/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/qemu.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/qemu.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,2 +1,2 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.32/policy/modules/apps/qemu.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.33/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-08-31 13:44:40.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/qemu.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/qemu.if 2009-11-12 14:26:53.000000000 -0500 @@ -40,6 +40,10 @@ qemu_domtrans($1) 
@@ -3397,7 +4328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -211,3 +215,189 @@ +@@ -211,3 +215,188 @@ # xserver_xdm_rw_shm($1_t) ') ') @@ -3586,10 +4517,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) +') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.32/policy/modules/apps/qemu.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.33/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/qemu.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/qemu.te 2009-11-12 14:26:53.000000000 -0500 @@ -13,15 +13,46 @@ ## gen_tunable(qemu_full_network, false) @@ -3697,21 +4627,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role unconfined_r types qemu_unconfined_t; allow qemu_unconfined_t self:process { execstack execmem }; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.32/policy/modules/apps/sambagui.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.33/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/sambagui.fc 2009-11-12 14:26:53.000000000 -0500 
@@ -0,0 +1 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.32/policy/modules/apps/sambagui.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.33/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/sambagui.if 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,2 @@ +## system-config-samba policy + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.33/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2009-09-16 10:03:08.000000000 -0400 -@@ -0,0 +1,56 @@ ++++ serefpolicy-3.6.33/policy/modules/apps/sambagui.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,59 @@ +policy_module(sambagui,1.0.0) + +######################################## @@ -3729,6 +4659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +allow sambagui_t self:fifo_file rw_fifo_file_perms; ++allow sambagui_t self:unix_dgram_socket create_socket_perms; + +# handling with samba conf files +samba_append_log(sambagui_t) 
@@ -3751,6 +4682,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +auth_use_nsswitch(sambagui_t) + ++logging_send_syslog_msg(sambagui_t) ++ +miscfiles_read_localization(sambagui_t) + +# read meminfo @@ -3768,15 +4701,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + policykit_dbus_chat(sambagui_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.32/policy/modules/apps/sandbox.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.33/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/sandbox.fc 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1 @@ +# No types are sandbox_exec_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.33/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-09-23 19:34:36.000000000 -0400 -@@ -0,0 +1,182 @@ ++++ serefpolicy-3.6.33/policy/modules/apps/sandbox.if 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,184 @@ + +## policy for sandbox + 
@@ -3808,6 +4741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; + role $2 types sandbox_domain; + allow sandbox_domain $1:process sigchld; ++ allow sandbox_domain $1:fifo_file rw_fifo_file_perms; + + allow $1 sandbox_x_domain:process { signal_perms transition }; + dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; @@ -3816,7 +4750,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types sandbox_xserver_t; + allow $1 sandbox_xserver_t:process signal_perms; + -+ allow sandbox_x_domain $1:process sigchld; ++ allow sandbox_x_domain $1:process { sigchld signal }; + allow sandbox_x_domain sandbox_x_domain:process signal; + # Dontaudit leaked file descriptors + dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms; @@ -3828,7 +4762,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type); + manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type); + manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type); -+ allow $1 sandbox_file_type:dir relabelto; ++ relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type) ++ relabel_files_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## 
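Review bot: Widening `allow sandbox_x_domain $1:process sigchld;` to `{ sigchld signal }` lets code running inside an X sandbox send SIGTERM, SIGHUP, SIGINT and every other signal covered by `signal` to the unsandboxed user domain `$1`, so a compromised sandboxed application can terminate the user's shell or session processes. Because the sandbox exists to contain untrusted content, the grant should be limited to what the launcher actually needs — `{ sigchld signull }` if it is only liveness checking — and, if a real signal is required, the reason should sit next to the rule, e.g. `# sandboxed X app must signal its launcher because ... (which signal?)`. Note the asymmetry with the parallel line `dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms;` just below: leaked descriptors are silenced, yet signalling is now allowed. The enclosing interface starts and ends outside this hunk.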
@@ -3959,10 +4894,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.33/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-09-27 09:28:35.000000000 -0400 -@@ -0,0 +1,329 @@ ++++ serefpolicy-3.6.33/policy/modules/apps/sandbox.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,331 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -4102,6 +5037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_search_home(sandbox_x_domain) +files_dontaudit_list_tmp(sandbox_x_domain) + ++kernel_read_network_state(sandbox_x_domain) +kernel_read_system_state(sandbox_x_domain) + +corecmd_exec_all_executables(sandbox_x_domain) @@ -4153,11 +5089,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_search_home(sandbox_x_t) +userdom_use_user_ptys(sandbox_x_t) + -+optional_policy(` -+ mozilla_dontaudit_manage_user_home_files(sandbox_x_t) -+') -+ -+ +######################################## +# +# sandbox_x_client_t local policy @@ -4285,6 +5216,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +seutil_read_default_contexts(sandbox_net_client_t) + +optional_policy(` ++ mozilla_dontaudit_rw_user_home_files(sandbox_x_t) ++ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) ++ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) ++') ++ ++optional_policy(` + nsplugin_read_rw_files(sandbox_web_client_t) + nsplugin_rw_exec(sandbox_web_client_t) +') 
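Review bot: `kernel_read_network_state(sandbox_x_domain)` gives every X-sandbox type read access to the kernel's network state (the /proc/net tables: the host's socket list, peers, routing), including sandbox variants that presumably have no network access of their own, and the hunk records no reason for it. Exposing the host's connection table to untrusted sandboxed code is an information leak across the sandbox boundary; if only the networked variants need it (sandbox_net_client_t / sandbox_web_client_t appear later in the file), scope the call to those types, otherwise keep the trade-off visible with a comment such as `# exposes the host's /proc/net socket and routing tables to sandboxed apps; needed by ...`. The later `mozilla_dontaudit_rw_user_home_files` calls in the same file section likewise hide, rather than decide, home-directory access from the sandbox — worth a one-line justification. The sandbox_x_domain rule block continues outside this hunk.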
@@ -4292,10 +5229,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + hal_dbus_chat(sandbox_net_client_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.32/policy/modules/apps/screen.if ---- nsaserefpolicy/policy/modules/apps/screen.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/screen.if 2009-09-16 10:03:08.000000000 -0400 -@@ -79,6 +79,11 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.33/policy/modules/apps/screen.if +--- nsaserefpolicy/policy/modules/apps/screen.if 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/apps/screen.if 2009-11-12 14:26:53.000000000 -0500 +@@ -80,6 +80,11 @@ relabel_files_pattern($3, screen_home_t, screen_home_t) relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) 
@@ -4307,149 +5244,201 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state($1_screen_t) kernel_read_kernel_sysctls($1_screen_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.fc serefpolicy-3.6.32/policy/modules/apps/seunshare.fc ---- nsaserefpolicy/policy/modules/apps/seunshare.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/seunshare.fc 2009-09-16 10:03:08.000000000 -0400 -@@ -0,0 +1,2 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.6.33/policy/modules/apps/sectoolm.fc +--- nsaserefpolicy/policy/modules/apps/sectoolm.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/apps/sectoolm.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,6 @@ + -+/usr/sbin/seunshare -- gen_context(system_u:object_r:seunshare_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.6.32/policy/modules/apps/seunshare.if ---- nsaserefpolicy/policy/modules/apps/seunshare.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/seunshare.if 2009-09-23 19:34:12.000000000 -0400 -@@ -0,0 +1,81 @@ ++/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) + -+## policy for seunshare ++/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) + -+######################################## -+## -+## Execute a domain transition to run seunshare. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`seunshare_domtrans',` -+ gen_require(` -+ type seunshare_t; -+ type seunshare_exec_t; -+ ') ++/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.6.33/policy/modules/apps/sectoolm.if +--- nsaserefpolicy/policy/modules/apps/sectoolm.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/apps/sectoolm.if 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,3 @@ + -+ domtrans_pattern($1,seunshare_exec_t,seunshare_t) -+ allow $1 seunshare_t:process signal_perms; -+') ++## policy for sectool-mechanism + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.6.33/policy/modules/apps/sectoolm.te +--- nsaserefpolicy/policy/modules/apps/sectoolm.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/apps/sectoolm.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,120 @@ + -+######################################## -+## -+## Execute seunshare in the seunshare domain, and -+## allow the specified role the seunshare domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the seunshare domain. 
-+## -+## -+# -+interface(`seunshare_run',` -+ gen_require(` -+ type seunshare_t; -+ ') -+ -+ seunshare_domtrans($1) -+ sandbox_transition(seunshare_t, $2) -+ role $2 types seunshare_t; -+ -+ # leaks from firefox -+ dontaudit seunshare_t $1:tcp_socket rw_socket_perms; -+ dontaudit seunshare_t $1:udp_socket rw_socket_perms; -+') -+ -+######################################## -+## -+## Role access for seunshare -+## -+## -+## -+## Role allowed access -+## -+## -+## -+## -+## User domain for the role -+## -+## -+# -+interface(`seunshare_role',` -+ gen_require(` -+ type seunshare_t; -+ ') -+ -+ role $2 types seunshare_t; -+ -+ seunshare_domtrans($1) -+ -+ ps_process_pattern($2, seunshare_t) -+ allow $2 seunshare_t:process signal; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.6.32/policy/modules/apps/seunshare.te ---- nsaserefpolicy/policy/modules/apps/seunshare.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/seunshare.te 2009-09-23 19:28:08.000000000 -0400 -@@ -0,0 +1,45 @@ -+policy_module(seunshare,1.0.0) ++policy_module(sectoolm,1.0.0) + +######################################## +# +# Declarations +# + -+type seunshare_t; -+type seunshare_exec_t; -+application_domain(seunshare_t, seunshare_exec_t) -+role system_r types seunshare_t; ++type sectoolm_t; ++type sectoolm_exec_t; ++dbus_system_domain(sectoolm_t, sectoolm_exec_t) + -+permissive seunshare_t; ++# /var/lib files ++type sectool_var_lib_t; ++files_type(sectool_var_lib_t) ++ ++# log files ++type sectool_var_log_t; ++logging_log_file(sectool_var_log_t) ++ ++# tmp files ++type sectool_tmp_t; ++files_tmp_file(sectool_tmp_t) ++ ++permissive sectoolm_t; + +######################################## +# -+# seunshare local policy ++# sectool local policy +# + -+allow seunshare_t self:process { fork setexec signal }; -+allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; -+allow 
seunshare_t self:process { getcap setcap }; ++allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; ++allow sectoolm_t self:process { getcap getsched signull setsched }; ++dontaudit sectoolm_t self:process { execstack execmem }; + -+allow seunshare_t self:fifo_file rw_file_perms; -+allow seunshare_t self:unix_stream_socket create_stream_socket_perms; ++allow sectoolm_t self:fifo_file rw_fifo_file_perms; ++allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto }; + -+corecmd_exec_shell(seunshare_t) -+corecmd_exec_bin(seunshare_t) ++# tmp files ++manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) ++manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) ++files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir }) + -+files_read_etc_files(seunshare_t) -+files_mounton_all_poly_members(seunshare_t) ++# var/lib files ++manage_files_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t) ++manage_dirs_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t) ++files_var_lib_filetrans(sectoolm_t,sectool_var_lib_t, { file dir }) + -+fs_list_inotifyfs(seunshare_t) ++# log files ++manage_files_pattern(sectoolm_t, sectool_var_log_t,sectool_var_log_t) ++logging_log_filetrans(sectoolm_t,sectool_var_log_t,{ file }) + -+auth_use_nsswitch(seunshare_t) ++corecmd_exec_bin(sectoolm_t) ++corecmd_exec_shell(sectoolm_t) + -+logging_send_syslog_msg(seunshare_t) ++kernel_read_net_sysctls(sectoolm_t) ++kernel_read_network_state(sectoolm_t) ++kernel_read_kernel_sysctls(sectoolm_t) + -+miscfiles_read_localization(seunshare_t) ++dev_read_sysfs(sectoolm_t) ++dev_read_urand(sectoolm_t) + -+userdom_use_user_terminals(seunshare_t) ++dev_getattr_all_blk_files(sectoolm_t) ++dev_getattr_all_chr_files(sectoolm_t) ++ ++# selinux test ++selinux_validate_context(sectoolm_t) ++ ++fs_getattr_all_fs(sectoolm_t) ++fs_list_noxattr_fs(sectoolm_t) ++ ++files_getattr_all_pipes(sectoolm_t) ++files_getattr_all_sockets(sectoolm_t) 
++files_read_all_files(sectoolm_t) ++files_read_all_symlinks(sectoolm_t) ++ ++auth_use_nsswitch(sectoolm_t) ++ ++libs_exec_ld_so(sectoolm_t) ++ ++logging_send_syslog_msg(sectoolm_t) ++ ++# tcp_wrappers test ++application_exec_all(sectoolm_t) ++ ++domain_getattr_all_domains(sectoolm_t) ++domain_read_all_domains_state(sectoolm_t) ++ ++userdom_users_dgram_send(sectoolm_t) ++userdom_dgram_send(sectoolm_t) ++userdom_manage_user_tmp_sockets(sectoolm_t) ++ ++# tests related to network ++hostname_exec(sectoolm_t) ++iptables_domtrans(sectoolm_t) ++sysnet_domtrans_ifconfig(sectoolm_t) + +optional_policy(` -+ mozilla_dontaudit_manage_user_home_files(seunshare_t) ++ mount_exec(sectoolm_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.32/policy/modules/apps/vmware.te ++ ++optional_policy(` ++ policykit_dbus_chat(sectoolm_t) ++') ++ ++# suid test using ++# rpm -Vf option ++optional_policy(` ++ prelink_domtrans(sectoolm_t) ++') ++ ++optional_policy(` ++ rpm_exec(sectoolm_t) ++ rpm_append_log(sectoolm_t) ++ rpm_manage_pid_files(sectoolm_t) ++ rpm_pid_filetrans(sectoolm_t) ++ rpm_dontaudit_manage_db(sectoolm_t) ++') ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.6.33/policy/modules/apps/seunshare.if +--- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/apps/seunshare.if 2009-11-12 14:26:53.000000000 -0500 +@@ -41,6 +41,16 @@ + + seunshare_domtrans($1) + role $2 types seunshare_t; ++ ++ allow $1 seunshare_t:process signal_perms; ++ ++ sandbox_transition(seunshare_t, $2) ++ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit seunshare_t $1:tcp_socket rw_socket_perms; ++ dontaudit seunshare_t $1:udp_socket rw_socket_perms; ++ dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; ++') + ') + + ######################################## +diff -b -B 
--ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.6.33/policy/modules/apps/seunshare.te +--- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/apps/seunshare.te 2009-11-12 14:26:53.000000000 -0500 +@@ -15,9 +15,8 @@ + # + # seunshare local policy + # +- +-allow seunshare_t self:capability setpcap; +-allow seunshare_t self:process { setexec signal getcap setcap }; ++allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; ++allow seunshare_t self:process { fork setexec signal getcap setcap }; + + allow seunshare_t self:fifo_file rw_file_perms; + allow seunshare_t self:unix_stream_socket create_stream_socket_perms; +@@ -30,6 +29,15 @@ + + auth_use_nsswitch(seunshare_t) + ++logging_send_syslog_msg(seunshare_t) ++ + miscfiles_read_localization(seunshare_t) + + userdom_use_user_terminals(seunshare_t) ++ ++ifdef(`hide_broken_symptoms', ` ++ fs_dontaudit_rw_anon_inodefs_files(seunshare_t) ++ optional_policy(` ++ mozilla_dontaudit_manage_user_home_files(seunshare_t) ++ ') ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.33/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/vmware.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/vmware.te 2009-11-12 14:26:53.000000000 -0500 @@ -157,6 +157,7 @@ optional_policy(` xserver_read_tmp_files(vmware_host_t) 
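Review bot: `permissive sectoolm_t;` ships the new sectool-mechanism domain effectively unconfined: while that line is present every allow rule in sectoolm.te is advisory only, yet the domain is given `dac_override net_admin sys_nice sys_ptrace`, `files_read_all_files`, `domain_read_all_domains_state`, `application_exec_all` and transitions into iptables and ifconfig, so any client that passes the PolicyKit check reaches a privileged D-Bus helper that SELinux does not contain at all. A permissive marker is reasonable while denials are being collected, but it should carry an expiry comment such as `# TODO(sectool): drop permissive once the domain has been exercised in enforcing mode` and the capability set should be revisited — `sys_ptrace` plus `domain_read_all_domains_state` is more than a file-and-config scanner should need unless one of the tests genuinely inspects other processes. In the same hunk seunshare_t gains `sys_admin` and `dac_override` with no comment; presumably for the namespace/mount step, so say so: `# sys_admin: unshare(2)/mount; dac_override: mounton user-owned dirs`.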
@@ -4458,9 +5447,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ifdef(`TODO',` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.32/policy/modules/apps/wine.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.33/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/wine.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/wine.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,4 +1,22 @@ -/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) @@ -4487,10 +5476,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.33/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2009-09-16 10:03:08.000000000 -0400 -@@ -43,3 +43,62 @@ ++++ serefpolicy-3.6.33/policy/modules/apps/wine.if 2009-11-12 14:26:53.000000000 -0500 +@@ -43,3 +43,118 @@ wine_domtrans($1) role $2 types wine_t; ') 
@@ -4553,9 +5542,65 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + relabel_files_pattern($2, wine_home_t, wine_home_t) + relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te ++ ++####################################### ++## ++## The role template for the wine module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for wine applications. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++template(`wine_role_template',` ++ gen_require(` ++ type wine_exec_t; ++ ') ++ ++ type $1_wine_t; ++ domain_type($1_wine_t) ++ domain_entry_file($1_wine_t, wine_exec_t) ++ role $2 types $1_wine_t; ++ ++ userdom_unpriv_usertype($1, $1_wine_t) ++ userdom_manage_tmpfs_role($2, $1_wine_t) ++ ++ domain_mmap_low_type($1_wine_t) ++ tunable_policy(`mmap_low_allowed',` ++ domain_mmap_low($1_wine_t) ++ ') ++ ++ allow $1_wine_t self:process { execmem execstack }; ++ allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; ++ domtrans_pattern($3, wine_exec_t, $1_wine_t) ++ corecmd_bin_domtrans($1_wine_t, $1_t) ++ ++ optional_policy(` ++ xserver_common_app($1_wine_t) ++ xserver_role($1_r, $1_wine_t) ++ ') ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.33/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/apps/wine.te 2009-11-12 14:26:53.000000000 -0500 @@ -9,20 +9,46 @@ type wine_t; type wine_exec_t; 
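Review bot: `wine_role_template` documents `$2` as the role and `$3` as the user domain type, but the body hard-codes `corecmd_bin_domtrans($1_wine_t, $1_t)` and `xserver_role($1_r, $1_wine_t)`, so the transition back to the user domain and the X role access only line up when the caller's role and type happen to be named `$1_r`/`$1_t`; for any other combination the rules silently apply to a different (or nonexistent) type, and neither `$1_r` nor `$1_t` is pulled in via `gen_require`. Use the parameters the template already takes: `corecmd_bin_domtrans($1_wine_t, $3)` and `xserver_role($2, $1_wine_t)`. Separately, `allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }` and the unconditional `execmem execstack` grant deserve a why-comment (wine needs executable stacks/heaps for Win32 code; ptrace is presumably for debugging) so later readers do not strip them. The template is complete within this hunk.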
@@ -4607,16 +5652,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_app(wine_t) + xserver_rw_shm(wine_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.33/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-09-16 10:03:08.000000000 -0400 -@@ -1,4 +1,4 @@ -- -+c - # - # /bin - # -@@ -54,6 +54,7 @@ ++++ serefpolicy-3.6.33/policy/modules/kernel/corecommands.fc 2009-11-12 15:56:19.000000000 -0500 +@@ -54,6 +53,7 @@ /etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -4624,7 +5663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) -@@ -125,6 +126,7 @@ +@@ -125,6 +125,7 @@ /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) 
@@ -4632,7 +5671,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /opt -@@ -142,6 +144,9 @@ +@@ -135,13 +136,15 @@ + + /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +-/opt/real/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) + ifdef(`distro_gentoo',` + /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) + /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -4642,16 +5688,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -221,6 +226,8 @@ +@@ -211,6 +214,8 @@ + /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) ++/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) +@@ -221,6 +226,9 @@ /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -263,6 +270,7 @@ +@@ -263,6 +271,7 @@ /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) 
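Review bot: `/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)` has no `--` object-class qualifier, unlike the adjacent `svclib_nfslock` and `/usr/share/sectool/.*\.py` entries, so a directory or symlink under /usr/share/cluster whose name ends in `.sh` would also be labelled bin_t. Add the qualifier for consistency: `/usr/share/cluster/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)`. Labelling the sectool scripts bin_t makes them executable by every domain with corecmd_exec_bin, which is presumably intended for the sectool mechanism; a short comment like `# sectool test scripts, executed by the sectool-mechanism helper` would make that explicit.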
@@ -4659,7 +5715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) -@@ -315,3 +323,21 @@ +@@ -315,3 +324,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -4681,9 +5737,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.32/policy/modules/kernel/corecommands.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.33/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/corecommands.if 2009-11-12 14:36:41.000000000 -0500 @@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) 
@@ -4726,9 +5782,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-09-17 15:45:09.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.33/policy/modules/kernel/corenetwork.te.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/kernel/corenetwork.te.in 2009-11-12 14:26:53.000000000 -0500 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -4737,7 +5793,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) -@@ -87,17 +88,21 @@ +@@ -75,7 +76,7 @@ + network_port(amavisd_send, tcp,10025,s0) + network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) + network_port(apcupsd, tcp,3551,s0, udp,3551,s0) +-network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0) ++network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) + network_port(audit, tcp,60,s0) + network_port(auth, tcp,113,s0) + network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) +@@ -87,26 +88,33 @@ network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) 
@@ -4746,8 +5811,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dccm, tcp,5679,s0, udp,5679,s0) -network_port(dhcpc, udp,68,s0) -+network_port(dhcpc, udp,68,s0, tcp,68,s0) - network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) +-network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) ++network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,547,s0, tcp, 547,s0) ++network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) @@ -4759,8 +5825,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +network_port(ftps, tcp,990,s0, udp,990,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(giftd, tcp,1213,s0) ++network_port(git, tcp,9418,s0, udp,9418,s0) network_port(gopher, tcp,70,s0, udp,70,s0) -@@ -107,6 +112,8 @@ + network_port(gpsd, tcp,2947,s0) + network_port(hddtemp, tcp,7634,s0) +-network_port(howl, tcp,5335,s0, udp,5353,s0) ++network_port(howl, tcp,5353,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy 
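Review bot: The DHCPv6 ports on the two rewritten `network_port` lines look swapped: per RFC 3315 a DHCPv6 client listens on UDP 546 and a server/relay agent on UDP 547, yet this hunk labels 547 as dhcpc_port_t and gives dhcpd_port_t 548, which IANA assigns to AFP (afpovertcp), not DHCP. As written a confined DHCPv6 server would presumably be denied binding 547 while any dhcpc domain could take it, and an unrelated AFP listener would end up on a dhcpd-labeled port. I would change them to `network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp,546,s0)` and `network_port(dhcpd, udp,67,s0, udp,547,s0, tcp,547,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)`, and only keep 548 with a comment saying which dhcpd feature needs it.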
@@ -4769,7 +5839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -129,7 +136,7 @@ +@@ -129,7 +137,7 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon @@ -4778,7 +5848,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -@@ -147,6 +154,12 @@ +@@ -138,7 +146,7 @@ + network_port(mysqld, tcp,1186,s0, tcp,3306,s0) + portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) + network_port(nessus, tcp,1241,s0) +-network_port(netsupport, tcp,5405,s0, udp,5405,s0) ++network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) + network_port(nmbd, udp,137,s0, udp,138,s0) + network_port(ntp, udp,123,s0) + network_port(ocsp, tcp,9080,s0) +@@ -147,12 +155,19 @@ network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) 
@@ -4791,8 +5870,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) -@@ -173,27 +186,33 @@ + network_port(postgresql, tcp,5432,s0) + network_port(postgrey, tcp,60000,s0) + network_port(prelude, tcp,4690,s0, udp,4690,s0) ++network_port(presence, tcp,5298,s0, udp,5298,s0) + network_port(printer, tcp,515,s0) + network_port(ptal, tcp,5703,s0) + network_port(pulseaudio, tcp,4713,s0) +@@ -172,29 +187,37 @@ + network_port(rsync, tcp,873,s0, udp,873,s0) + network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) ++network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) -network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) @@ -4801,7 +5890,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) network_port(spamd, tcp,783,s0) network_port(speech, tcp,8036,s0) - network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp +-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp ++network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0, tcp,9000,s0) # snmp and htcp network_port(ssh, tcp,22,s0) +network_port(streaming, tcp, 1755, s0, udp, 1755, s0) type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict 
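Review bot: The trailing comment `# snmp and htcp` on the rewritten squid line no longer describes the port list once `tcp,9000,s0` is appended; it covered 3401 and 4827 only. A reader cannot tell a deliberate addition from a typo without knowing what listens on 9000, so extend the comment to say which ports map to which service, e.g. `# 3401 snmp, 4827 htcp, 9000 <name the service>`.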
@@ -4815,10 +5905,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) ++network_port(ups, tcp,3493,s0) network_port(varnishd, tcp,6081,s0, tcp,6082,s0) ++network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) +network_port(virt_migration, tcp,49152,s0) +portcon tcp 49153-49216 gen_context(system_u:object_r:virt_migration_port_t,s0) -+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(vnc, tcp,5900,s0) +# Reserve 100 ports for vnc/virt machines +portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0) @@ -4828,7 +5919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -222,6 +241,8 @@ +@@ -223,6 +246,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) @@ -4837,9 +5928,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # network_node examples: #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255) #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.33/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-09-29 07:50:28.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/devices.fc 2009-11-12 14:26:53.000000000 -0500 
@@ -47,8 +47,10 @@ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) @@ -4868,7 +5959,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -148,6 +151,8 @@ +@@ -139,8 +142,11 @@ + + /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) + ++/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) + /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + ++/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) ++ + /dev/pts(/.*)? <> + + /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -148,6 +154,8 @@ /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -4877,7 +5980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -168,6 +173,7 @@ +@@ -168,6 +176,7 @@ ifdef(`distro_redhat',` # originally from named.fc 
@@ -4885,9 +5988,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.33/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-09-30 13:17:45.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/devices.if 2009-11-12 14:26:53.000000000 -0500 @@ -1692,6 +1692,78 @@ ######################################## 
@@ -5029,7 +6132,112 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Read the lvm comtrol device. -@@ -2305,6 +2432,25 @@ +@@ -1818,6 +1945,25 @@ + + ######################################## + ## ++## Do not audit attempts to read and write lvm control device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_dontaudit_rw_lvm_control_dev',` ++ gen_require(` ++ type lvm_control_t; ++ ') ++ ++ dontaudit $1 lvm_control_t:chr_file rw_file_perms; ++') ++ ++ ++######################################## ++## + ## dontaudit getattr raw memory devices (e.g. /dev/mem). + ## + ## +@@ -2046,6 +2192,78 @@ + + ######################################## + ## ++## Get the attributes of the modem devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_modem_dev',` ++ gen_require(` ++ type device_t, modem_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, modem_device_t) ++') ++ ++######################################## ++## ++## Set the attributes of the modem devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_modem_dev',` ++ gen_require(` ++ type device_t, modem_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, modem_device_t) ++') ++ ++######################################## ++## ++## Read the modem devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_modem',` ++ gen_require(` ++ type device_t, modem_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, modem_device_t) ++') ++ ++######################################## ++## ++## Read and write to modem devices. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_rw_modem',` ++ gen_require(` ++ type device_t, modem_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, modem_device_t) ++') ++ ++######################################## ++## + ## Get the attributes of the mouse devices. + ## + ## +@@ -2305,6 +2523,25 @@ ######################################## ## @@ -5055,7 +6263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to the null device (/dev/null). ## ## -@@ -3599,6 +3745,24 @@ +@@ -3599,6 +3836,24 @@ ######################################## ## @@ -5080,9 +6288,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write Xen devices. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.33/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/devices.te 2009-11-12 14:26:53.000000000 -0500 @@ -84,6 +84,13 @@ dev_node(kmsg_device_t) @@ -5110,7 +6318,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Type for /dev/mapper/control # type lvm_control_t; -@@ -224,6 +237,12 @@ +@@ -110,6 +123,12 @@ + dev_node(misc_device_t) + + # ++# A general type for modem devices. ++# ++type modem_device_t; ++dev_node(modem_device_t) ++ ++# + # A more general type for mouse devices. + # + type mouse_device_t; +@@ -224,6 +243,12 @@ type watchdog_device_t; dev_node(watchdog_device_t) 
@@ -5123,9 +6344,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xen_device_t; dev_node(xen_device_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.33/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/domain.if 2009-11-12 14:26:53.000000000 -0500 @@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain @@ -5325,9 +6546,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 unconfined_domain_type:process signal; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.33/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/domain.te 2009-11-13 11:32:05.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations @@ -5398,7 +6619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -153,3 +174,66 @@ +@@ -153,3 +174,71 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) 
@@ -5423,6 +6644,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# these seem questionable: + +optional_policy(` ++ abrt_signull(domain) ++ abrt_domtrans_helper(domain) ++') ++ ++optional_policy(` + rpm_use_fds(domain) + rpm_read_pipes(domain) + rpm_dontaudit_leaks(domain) @@ -5465,9 +6691,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.32/policy/modules/kernel/files.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.33/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/files.fc 2009-11-12 14:26:53.000000000 -0500 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) 
@@ -5485,22 +6711,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-09-18 21:30:50.000000000 -0400 -@@ -110,6 +110,11 @@ - ## - # - interface(`files_config_file',` -+ gen_require(` -+ attribute etcfile; -+ ') -+ -+ typeattribute $1 etcfile; - files_type($1) - ') - -@@ -928,10 +933,8 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.33/policy/modules/kernel/files.if +--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-12 13:24:12.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/kernel/files.if 2009-11-12 14:26:53.000000000 -0500 +@@ -932,10 +932,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) 
@@ -5513,7 +6727,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1331,6 +1334,24 @@ +@@ -1154,6 +1152,26 @@ + allow $1 file_type:filesystem unmount; + ') + ++######################################## ++## ++## Read config files in /etc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_config_files',` ++ gen_require(` ++ attribute configfile; ++ ') ++ ++ allow $1 configfile:dir list_dir_perms; ++ read_files_pattern($1, configfile, configfile) ++ read_lnk_files_pattern($1, configfile, configfile) ++') ++ + ############################################# + ## + ## Manage all configuration directories on filesystem +@@ -1411,6 +1429,24 @@ ######################################## ## @@ -5538,7 +6779,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Remove entries from the root directory. ## ## -@@ -1715,6 +1736,25 @@ +@@ -1567,6 +1603,25 @@ + + ######################################## + ## ++## read files in the /boot directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_read_boot_files',` ++ gen_require(` ++ type boot_t; ++ ') ++ ++ manage_files_pattern($1, boot_t, boot_t) ++') ++ ++######################################## ++## + ## Create, read, write, and delete files + ## in the /boot directory. + ## +@@ -1795,6 +1850,25 @@ ######################################## ## 
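Review bot: The new `files_read_boot_files` interface grants far more than its name and summary promise: its body is `manage_files_pattern($1, boot_t, boot_t)`, which hands create, write, unlink and rename on /boot files (kernels, initrds, bootloader config) to every caller that only asked to read them. A domain taking this interface can then tamper with the boot chain, which is exactly what the separate "Create, read, write, and delete files in the /boot directory" interface following it in this hunk is meant to gate. The body should be `read_files_pattern($1, boot_t, boot_t)`, and the summary should be capitalised like its neighbours: `## Read files in the /boot directory.`.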
@@ -5564,36 +6831,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount a filesystem on a directory with the default file type. ## ## -@@ -1931,6 +1971,28 @@ +@@ -2030,6 +2104,8 @@ allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) + files_read_etc_runtime_files($1) + files_read_config_files($1) -+') -+ -+######################################## -+## -+## Read config files in /etc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_config_files',` -+ gen_require(` -+ attribute etcfile; -+ ') -+ -+ allow $1 etcfile:dir list_dir_perms; -+ read_files_pattern($1, etcfile, etcfile) -+ read_lnk_files_pattern($1, etcfile, etcfile) ') ######################################## -@@ -2418,6 +2480,11 @@ +@@ -2517,6 +2593,11 @@ ') delete_files_pattern($1, file_t, file_t) @@ -5605,7 +6852,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3449,6 +3516,24 @@ +@@ -3419,6 +3500,32 @@ + + ######################################## + ## ++## Allow shared library text relocations in tmp files. ++## ++## ++##

++## Allow shared library text relocations in tmp files. ++##

++##

++## This is added to support java policy. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_execmod_tmp',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file execmod; ++') ++ ++######################################## ++## + ## Manage temporary files and directories in /tmp. + ## + ## +@@ -3548,6 +3655,24 @@ ######################################## ## @@ -5630,7 +6910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read all tmp files. ## ## -@@ -3515,6 +3600,8 @@ +@@ -3614,6 +3739,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -5639,7 +6919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3623,7 +3710,12 @@ +@@ -3722,7 +3849,12 @@ type usr_t; ') @@ -5653,7 +6933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3662,6 +3754,7 @@ +@@ -3761,6 +3893,7 @@ allow $1 usr_t:dir list_dir_perms; read_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t) @@ -5661,7 +6941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4188,6 +4281,24 @@ +@@ -4906,6 +5039,24 @@ ######################################## ## @@ -5683,10 +6963,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## - ## Search the /var/lib directory. + ## Search the contents of generic spool + ## directories (/var/spool). ## - ## -@@ -4955,7 +5066,7 @@ +@@ -5072,7 +5223,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting 
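Review bot: The new `files_execmod_tmp` interface allows `execmod` on the whole `tmpfile` attribute, i.e. text relocations in writable files of every tmp type, not just the caller's own; since execmod on a writable mapping is the W^X exception policy normally keeps behind a boolean, the description should say so rather than only noting it exists for java. I would extend the `<desc>` with a sentence that this covers all tmp file types and is expected to be wrapped in a tunable by callers, or, if a narrower grant is acceptable, take the caller's tmp type as a second argument and write `allow $1 $2:file execmod;` instead. The `<summary>`/`<desc>` markup in this hunk also appears garbled in the rendered patch, so worth checking the raw file compiles its XML doc comments cleanly.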
@@ -5695,7 +6975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4977,12 +5088,15 @@ +@@ -5094,12 +5245,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -5712,7 +6992,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -5003,3 +5117,173 @@ +@@ -5120,3 +5274,173 @@ typeattribute $1 files_unconfined_type; ') @@ -5886,10 +7166,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + allow $1 file_type:file entrypoint; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.32/policy/modules/kernel/files.te ---- nsaserefpolicy/policy/modules/kernel/files.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.te 2009-09-16 10:03:08.000000000 -0400 -@@ -42,6 +42,7 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.33/policy/modules/kernel/files.te +--- nsaserefpolicy/policy/modules/kernel/files.te 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/kernel/files.te 2009-11-12 14:26:53.000000000 -0500 +@@ -43,6 +43,7 @@ # type boot_t; files_mountpoint(boot_t) 
@@ -5897,18 +7177,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # default_t is the default type for files that do not # match any specification in the file_contexts configuration -@@ -52,7 +53,9 @@ +@@ -53,7 +54,7 @@ # # etc_t is the type of the system etc directories. # -type etc_t; -+attribute etcfile; -+ -+type etc_t, etcfile; ++type etc_t, configfile; files_type(etc_t) # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; -@@ -193,6 +196,7 @@ +@@ -194,6 +195,7 @@ fs_associate_noxattr(file_type) fs_associate_tmpfs(file_type) fs_associate_ramfs(file_type) @@ -5916,16 +7194,52 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.32/policy/modules/kernel/filesystem.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.33/policy/modules/kernel/filesystem.fc --- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.fc 2009-09-16 10:03:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/filesystem.fc 2009-11-12 14:26:53.000000000 -0500 
@@ -1 +1 @@ -# This module currently does not have any file contexts. +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.33/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-09-16 15:58:43.000000000 -0400 -@@ -1149,6 +1149,44 @@ ++++ serefpolicy-3.6.33/policy/modules/kernel/filesystem.if 2009-11-12 14:26:53.000000000 -0500 +@@ -290,7 +290,7 @@ + + ######################################## + ## +-## Read and write files on anon_inodefs ++## Dontaudit Read and write files on anon_inodefs + ## file systems. + ## + ## +@@ -310,6 +310,26 @@ + + ######################################## + ## ++## Dontaudit Read and write files on anon_inodefs ++## file systems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_rw_anon_inodefs_files',` ++ gen_require(` ++ type anon_inodefs_t; ++ ++ ') ++ ++ dontaudit $1 anon_inodefs_t:file { read write }; ++') ++ ++######################################## ++## + ## Mount an automount pseudo filesystem. + ## + ## +@@ -1149,6 +1169,44 @@ domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -5970,7 +7284,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Mount a DOS filesystem, such as -@@ -1537,6 +1575,24 @@ +@@ -1537,6 +1595,24 @@ ######################################## ## 
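Review bot: The first filesystem.if hunk (`@@ -290,7 +290,7 @@`) rewrites the summary of the existing read/write anon_inodefs interface to `## Dontaudit Read and write files on anon_inodefs`, while its body is untouched and presumably still allows the access; only the new `fs_dontaudit_rw_anon_inodefs_files` added at line 310 dontaudits. That leaves two interfaces with the same "Dontaudit" summary, one of which is a real allow, so the interface documentation now misstates what the first one grants. Drop the change at 290 so it keeps `## Read and write files on anon_inodefs`, and keep the "Dontaudit" wording only on the new interface; the stray blank line inside the new interface's `gen_require` block can go too.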
@@ -5995,7 +7309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search inotifyfs filesystem. ## ## -@@ -2542,6 +2598,42 @@ +@@ -2542,6 +2618,42 @@ ######################################## ## @@ -6038,7 +7352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write NFS server files. ## ## -@@ -3971,3 +4063,122 @@ +@@ -3971,3 +4083,122 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') 
@@ -6161,19 +7475,53 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 xenfs_t:file manage_file_perms; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.32/policy/modules/kernel/filesystem.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.33/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.te 2009-09-16 10:03:09.000000000 -0400 -@@ -93,7 +93,7 @@ ++++ serefpolicy-3.6.33/policy/modules/kernel/filesystem.te 2009-11-13 15:47:18.000000000 -0500 +@@ -29,6 +29,7 @@ + fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); +@@ -93,7 +94,9 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) -genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0) ++files_type(hugetlbfs_t) ++files_poly_parent(hugetlbfs_t) +fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -250,9 +250,13 @@ +@@ -171,6 +174,7 @@ + fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0); + fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0); + fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); ++fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0); + + allow tmpfs_t noxattrfs:filesystem associate; + +@@ -200,6 +204,7 @@ + # + type dosfs_t; + fs_noxattr_type(dosfs_t) 
++files_mountpoint(dosfs_t) + allow dosfs_t fs_t:filesystem associate; + genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) + genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) +@@ -223,6 +228,7 @@ + # + type iso9660_t; + fs_noxattr_type(iso9660_t) ++files_mountpoint(iso9660_t) + genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0) + genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) + +@@ -250,9 +256,13 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) @@ -6188,9 +7536,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules for all filesystem types -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.32/policy/modules/kernel/kernel.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.33/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2009-09-21 08:19:13.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/kernel.if 2009-11-12 14:26:53.000000000 -0500 @@ -485,6 +485,25 @@ ######################################## 
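Review bot: The new `fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);` in the filesystem.te inner hunk at `@@ -171` gives the kernel-populated /dev the same default label as shm and tmpfs, so every domain that is granted tmpfs_t access also reaches any device node that has not yet been relabeled on that mount. The devices module's device_t is the usual default for nodes the kernel creates under /dev; if tmpfs_t is intentional here (for example because the relabel by udev is relied upon before anything else runs), a comment on that line saying so would stop the next reader from treating it as a mislabel. The same hunk also adds `files_poly_parent(hugetlbfs_t)` with no explanation of what is expected to be polyinstantiated under a hugetlbfs mount; a one-line comment would help.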
@@ -6217,7 +7565,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Get information on all System V IPC objects. ## ## -@@ -1807,7 +1826,7 @@ +@@ -922,6 +941,28 @@ + + ######################################## + ## ++## Allows caller to read th core kernel interface. ++## ++## ++## ++## The process type getting the attibutes. ++## ++## ++# ++interface(`kernel_read_core_if',` ++ gen_require(` ++ type proc_t, proc_kcore_t; ++ attribute can_dump_kernel; ++ ') ++ ++ read_files_pattern($1, proc_t, proc_kcore_t) ++ list_dirs_pattern($1, proc_t, proc_t) ++ ++ typeattribute $1 can_dump_kernel; ++') ++ ++######################################## ++## + ## Do not audit attempts to get the attributes of + ## core kernel interfaces. + ## +@@ -1807,7 +1848,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -6226,7 +7603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2621,6 +2640,24 @@ +@@ -2621,6 +2662,24 @@ ######################################## ## @@ -6251,7 +7628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Unconfined access to kernel module resources. ## ## -@@ -2636,3 +2673,22 @@ +@@ -2636,3 +2695,22 @@ typeattribute $1 kern_unconfined; ') 
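Review bot: The doc block of the new `kernel_read_core_if` interface (kernel.if inner hunk at `@@ -922`) has typos ("th core", "attibutes") and does not say that the interface also attaches the caller to can_dump_kernel, which is what exempts it from the kcore assertion in kernel.te. Suggested summary: `## Allow the caller to read the kernel core interface (/proc/kcore); the caller is added to can_dump_kernel, which exempts it from the kcore neverallow.` and parameter text `## The process type reading the kernel core interface.`. Since /proc/kcore exposes kernel memory and is labeled mls_systemhigh, stating in the description that this is meant only for domains that genuinely dump the kernel would guide future callers.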
@@ -6274,10 +7651,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 kernel_t:unix_stream_socket connectto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.32/policy/modules/kernel/kernel.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.33/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/kernel.te 2009-09-16 10:03:09.000000000 -0400 -@@ -63,6 +63,15 @@ ++++ serefpolicy-3.6.33/policy/modules/kernel/kernel.te 2009-11-12 14:26:53.000000000 -0500 +@@ -9,6 +9,7 @@ + # assertion related attributes + attribute can_load_kernmodule; + attribute can_receive_kernel_messages; ++attribute can_dump_kernel; + + neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module; + +@@ -63,6 +64,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) # @@ -6293,7 +7678,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # kvmFS # -@@ -165,6 +174,7 @@ +@@ -90,7 +100,7 @@ + + # /proc kcore: inaccessible + type proc_kcore_t, proc_type; +-neverallow ~kern_unconfined proc_kcore_t:file ~getattr; ++neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr; + genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) + + type proc_mdstat_t, proc_type; +@@ -165,6 +175,7 @@ # type unlabeled_t; sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -6301,7 +7695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -255,7 +265,8 @@ +@@ -255,7 +266,8 @@ selinux_load_policy(kernel_t) 
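Review bot: Relaxing the assertion to `neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;` (kernel.te inner hunk at `@@ -90`) lifts every file permission except getattr for any type carrying can_dump_kernel, although `kernel_read_core_if` in the kernel.if hunk only hands out read_files_pattern; nothing now asserts that a can_dump_kernel domain cannot be granted write or append on kcore by some other module. A second assertion keeps the exemption as narrow as the interface, for example `neverallow ~kern_unconfined proc_kcore_t:file ~read_file_perms;`. The comment two lines above, `# /proc kcore: inaccessible`, is also stale; `# /proc kcore: inaccessible except to can_dump_kernel domains (see kernel_read_core_if)` would match the new rule.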
@@ -6311,7 +7705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -269,6 +280,8 @@ +@@ -269,6 +281,8 @@ files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -6320,7 +7714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mcs_process_set_categories(kernel_t) -@@ -276,12 +289,18 @@ +@@ -276,12 +290,18 @@ mls_process_write_down(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) @@ -6339,7 +7733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` hotplug_search_config(kernel_t) ') -@@ -355,7 +374,11 @@ +@@ -355,7 +375,11 @@ ') optional_policy(` @@ -6352,15 +7746,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -387,3 +410,5 @@ +@@ -387,3 +411,5 @@ allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; + +files_boot(kernel_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.32/policy/modules/kernel/selinux.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.33/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/selinux.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/selinux.if 2009-11-12 14:26:53.000000000 -0500 @@ -40,7 +40,7 @@ # because of this statement, any module which 
@@ -6418,9 +7812,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_type($1) + mls_trusted_object($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.32/policy/modules/kernel/storage.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.33/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/storage.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/storage.fc 2009-11-12 14:26:53.000000000 -0500 @@ -28,6 +28,7 @@ /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) @@ -6429,9 +7823,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.32/policy/modules/kernel/storage.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.33/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/storage.if 2009-09-23 10:29:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/storage.if 2009-11-12 14:26:53.000000000 -0500 @@ -266,6 +266,7 @@ dev_list_all_dev_nodes($1) 
@@ -6449,9 +7843,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.32/policy/modules/kernel/terminal.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.33/policy/modules/kernel/terminal.fc --- nsaserefpolicy/policy/modules/kernel/terminal.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/terminal.fc 2009-11-12 14:26:53.000000000 -0500 @@ -13,6 +13,7 @@ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) @@ -6460,9 +7854,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.33/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/terminal.if 2009-11-12 14:26:53.000000000 -0500 @@ -196,7 +196,7 @@ dev_list_all_dev_nodes($1) 
@@ -6534,9 +7928,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Read and write the controlling -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.6.32/policy/modules/kernel/terminal.te +@@ -991,10 +1029,12 @@ + interface(`term_use_unallocated_ttys',` + gen_require(` + type tty_device_t; ++ type console_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tty_device_t:chr_file rw_chr_file_perms; ++ allow $1 console_device_t:chr_file rw_chr_file_perms; + ') + + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.6.33/policy/modules/kernel/terminal.te --- nsaserefpolicy/policy/modules/kernel/terminal.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/kernel/terminal.te 2009-11-12 14:26:53.000000000 -0500 @@ -44,6 +44,7 @@ type ptmx_t; dev_node(ptmx_t) @@ -6545,9 +7952,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # tty_device_t is the type of /dev/*tty* -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.32/policy/modules/roles/guest.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.33/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/guest.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/roles/guest.te 2009-11-12 14:26:53.000000000 -0500 @@ -16,7 +16,11 @@ # 
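Review bot: `term_use_unallocated_ttys` (terminal.if inner hunk at `@@ -991`) now also grants `allow $1 console_device_t:chr_file rw_chr_file_perms;`, so every existing caller of the interface silently gains read/write on /dev/console, and the interface's name and doc block (outside the hunk) still describe only unallocated ttys. If the console is genuinely needed by all callers, the interface description should say so; otherwise a separate interface for the console, or a comment on the added line naming the caller that needs it, keeps the widening visible.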
@@ -6562,33 +7969,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +gen_user(guest_u, user, guest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.32/policy/modules/roles/staff.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.33/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/staff.te 2009-09-16 10:03:09.000000000 -0400 -@@ -15,156 +15,109 @@ ++++ serefpolicy-3.6.33/policy/modules/roles/staff.te 2009-11-12 14:26:53.000000000 -0500 +@@ -10,161 +10,117 @@ + + userdom_unpriv_user_template(staff) + ++# needed for sandbox ++allow staff_t self:process setexec; ++ + ######################################## + # # Local policy # -optional_policy(` - apache_role(staff_r, staff_t) -') -+kernel_read_ring_buffer(staff_t) -+kernel_getattr_core_if(staff_t) -+kernel_getattr_message_if(staff_t) -+kernel_read_software_raid_state(staff_t) - +- -optional_policy(` - auth_role(staff_r, staff_t) -') -+auth_domtrans_pam_console(staff_t) - +- -optional_policy(` - auditadm_role_change(staff_r) -') -+seutil_run_newrole(staff_t, staff_r) -+netutils_run_ping(staff_t, staff_r) - - optional_policy(` +- +-optional_policy(` - bluetooth_role(staff_r, staff_t) -') - 
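Review bot: `allow staff_t self:process setexec;` (staff.te inner hunk at `@@ -10`) is granted unconditionally, while its only stated reason is the sandbox support, which in the unprivuser.te hunk of this same patch is provided through an optional_policy block. Putting the rule inside the optional_policy that provides the sandbox transition for staff_t would make it disappear when that module is absent. The comment could also say what setexec is for here, e.g. `# sandbox: setexec lets staff_t set the context of its next exec, which the sandbox wrapper presumably relies on`.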
@@ -6615,16 +8023,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - games_role(staff_r, staff_t) -') -- ++kernel_read_ring_buffer(staff_t) ++kernel_getattr_core_if(staff_t) ++kernel_getattr_message_if(staff_t) ++kernel_read_software_raid_state(staff_t) + -optional_policy(` - gift_role(staff_r, staff_t) -') -- ++auth_domtrans_pam_console(staff_t) + -optional_policy(` - gnome_role(staff_r, staff_t) -') -- --optional_policy(` ++seutil_run_newrole(staff_t, staff_r) ++netutils_run_ping(staff_t, staff_r) + + optional_policy(` - gpg_role(staff_r, staff_t) + sudo_role_template(staff, staff_r, staff_t) ') @@ -6760,9 +8175,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_role(staff_r, staff_t) + virt_stream_connect(staff_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.32/policy/modules/roles/sysadm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.33/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/roles/sysadm.te 2009-11-12 14:26:53.000000000 -0500 @@ -15,7 +15,7 @@ role sysadm_r; @@ -6772,7 +8187,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`enable_mls',` userdom_security_admin_template(sysadm_t, sysadm_r) -@@ -35,6 +35,7 @@ +@@ -35,10 +35,13 @@ ubac_fd_exempt(sysadm_t) init_exec(sysadm_t) 
@@ -6780,7 +8195,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) -@@ -70,7 +71,6 @@ + userdom_home_filetrans_user_home_dir(sysadm_t) ++userdom_manage_user_tmp_chr_files(sysadm_t) ++userdom_manage_user_tmp_blk_files(sysadm_t) + + ifdef(`direct_sysadm_daemon',` + optional_policy(` +@@ -70,7 +73,6 @@ apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) @@ -6788,7 +8209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -87,10 +87,6 @@ +@@ -87,10 +89,6 @@ ') optional_policy(` @@ -6799,7 +8220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol backup_run(sysadm_t, sysadm_r) ') -@@ -99,18 +95,10 @@ +@@ -99,18 +97,10 @@ ') optional_policy(` @@ -6818,7 +8239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol certwatch_run(sysadm_t, sysadm_r) ') -@@ -127,7 +115,7 @@ +@@ -127,7 +117,7 @@ ') optional_policy(` @@ -6827,7 +8248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -135,10 +123,6 @@ +@@ -135,10 +125,6 @@ ') optional_policy(` @@ -6838,7 +8259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_run_cdcc(sysadm_t, sysadm_r) dcc_run_client(sysadm_t, sysadm_r) dcc_run_dbclean(sysadm_t, sysadm_r) -@@ -166,10 +150,6 @@ +@@ -166,10 +152,6 @@ ') optional_policy(` @@ -6849,7 +8270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol firstboot_run(sysadm_t, sysadm_r) ') -@@ -178,22 +158,6 @@ +@@ -178,22 +160,6 @@ ') optional_policy(` 
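Review bot: The two added lines `userdom_manage_user_tmp_chr_files(sysadm_t)` and `userdom_manage_user_tmp_blk_files(sysadm_t)` (sysadm.te inner hunk at `@@ -35`) let sysadm_t create character and block device nodes under user tmp directories without any comment naming the tool that needs this. A one-line comment above them, such as `# <tool name> creates device nodes in user tmp dirs`, would let a later reviewer judge whether the rule is still required.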
@@ -6872,7 +8293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_run(sysadm_t, sysadm_r) ') -@@ -205,6 +169,8 @@ +@@ -205,6 +171,8 @@ ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -6881,7 +8302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -212,11 +178,7 @@ +@@ -212,11 +180,7 @@ ') optional_policy(` @@ -6894,7 +8315,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -228,10 +190,6 @@ +@@ -228,10 +192,6 @@ ') optional_policy(` @@ -6905,7 +8326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logrotate_run(sysadm_t, sysadm_r) ') -@@ -255,14 +213,6 @@ +@@ -255,14 +215,6 @@ ') optional_policy(` @@ -6920,7 +8341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mta_role(sysadm_r, sysadm_t) ') -@@ -290,11 +240,6 @@ +@@ -290,11 +242,6 @@ ') optional_policy(` @@ -6932,7 +8353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pcmcia_run_cardctl(sysadm_t, sysadm_r) ') -@@ -308,7 +253,7 @@ +@@ -308,7 +255,7 @@ ') optional_policy(` @@ -6941,7 +8362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -320,10 +265,6 @@ +@@ -320,10 +267,6 @@ ') optional_policy(` @@ -6952,7 +8373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_domtrans_nfsd(sysadm_t) ') -@@ -332,10 +273,6 @@ +@@ -332,10 +275,6 @@ ') optional_policy(` @@ -6963,7 +8384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rsync_exec(sysadm_t) ') -@@ -345,10 +282,6 @@ +@@ -345,10 +284,6 @@ ') optional_policy(` 
@@ -6974,7 +8395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol secadm_role_change(sysadm_r) ') -@@ -358,35 +291,15 @@ +@@ -358,35 +293,15 @@ ') optional_policy(` @@ -7010,7 +8431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -394,18 +307,10 @@ +@@ -394,18 +309,10 @@ ') optional_policy(` @@ -7029,7 +8450,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(sysadm_t) ') -@@ -418,17 +323,13 @@ +@@ -418,17 +325,13 @@ ') optional_policy(` @@ -7048,7 +8469,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -440,13 +341,12 @@ +@@ -440,13 +343,12 @@ ') optional_policy(` 
@@ -7066,49 +8487,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +init_script_role_transition(sysadm_r) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.33/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2009-09-16 10:03:09.000000000 -0400 -@@ -0,0 +1,36 @@ ++++ serefpolicy-3.6.33/policy/modules/roles/unconfineduser.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,8 @@ +# Add programs here which should not be confined by SELinux +# e.g.: +# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) +# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) -+/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+ifdef(`distro_gentoo',` -+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+') -+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ +/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) + -+/usr/lib64/R/bin/exec/R -- 
gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/opera/[^/]*/works -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/opera/[^/]*/opera -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.33/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/roles/unconfineduser.if 2009-11-12 14:41:36.000000000 -0500 @@ -0,0 +1,638 @@ +## Unconfiend user role + 
@@ -7669,10 +9062,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`unconfined_execmem_domtrans',` + + gen_require(` -+ type unconfined_execmem_t, execmem_exec_t; ++ type unconfined_execmem_t; + ') + -+ domtrans_pattern($1, execmem_exec_t, unconfined_execmem_t) ++ execmem_domtrans($1, unconfined_execmem_t) +') + +######################################## @@ -7748,10 +9141,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 unconfined_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.33/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-09-20 08:49:01.000000000 -0400 -@@ -0,0 +1,402 @@ ++++ serefpolicy-3.6.33/policy/modules/roles/unconfineduser.te 2009-11-12 15:05:29.000000000 -0500 +@@ -0,0 +1,430 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -7789,6 +9182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_manage_tmp_role(unconfined_r, unconfined_t) +userdom_manage_tmpfs_role(unconfined_r, unconfined_t) +userdom_execmod_user_home_files(unconfined_t) ++userdom_unpriv_usertype(unconfined, unconfined_t) + +type unconfined_exec_t; +init_system_domain(unconfined_t, unconfined_exec_t) 
@@ -7801,14 +9195,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +role system_r types unconfined_t; +typealias unconfined_t alias { unconfined_dbusd_t unconfined_crontab_t }; + -+type unconfined_execmem_t; -+type execmem_exec_t; -+init_system_domain(unconfined_execmem_t, execmem_exec_t) -+role unconfined_r types unconfined_execmem_t; -+typealias execmem_exec_t alias unconfined_execmem_exec_t; -+userdom_unpriv_usertype(unconfined, unconfined_execmem_t) -+userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t) -+ +type unconfined_notrans_t; +type unconfined_notrans_exec_t; +init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) @@ -7824,8 +9210,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow unconfined_t self:system syslog_read; +dontaudit unconfined_t self:capability sys_module; + -+domtrans_pattern(unconfined_t, execmem_exec_t, unconfined_execmem_t) -+ +files_create_boot_flag(unconfined_t) +files_create_default_dir(unconfined_t) + @@ -7873,18 +9257,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ loadkeys_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + gen_require(` + attribute unconfined_usertype; + ') + + nsplugin_role_notrans(unconfined_r, unconfined_usertype) + tunable_policy(`allow_unconfined_nsplugin_transition',` -+ nsplugin_domtrans(unconfined_execmem_t) -+ nsplugin_domtrans_config(unconfined_execmem_t) + nsplugin_domtrans(unconfined_t) + nsplugin_domtrans_config(unconfined_t) + ') @@ -7916,6 +9294,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ chrome_role(unconfined_r, unconfined_t) ++') ++ ++optional_policy(` + init_dbus_chat_script(unconfined_t) + + dbus_stub(unconfined_t) 
@@ -7978,7 +9360,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ java_run_unconfined(unconfined_t, unconfined_r) ++ java_role_template(unconfined, unconfined_r, unconfined_t) ++ role system_r types unconfined_java_t; ++ ++ files_execmod_all_files(unconfined_java_t) ++ ++ init_dbus_chat_script(unconfined_java_t) ++ ++ unconfined_domain_noaudit(unconfined_java_t) ++ unconfined_dbus_chat(unconfined_java_t) ++ optional_policy(` ++ hal_dbus_chat(unconfined_java_t) ++ ') ++ ++ optional_policy(` ++ rpm_domtrans(unconfined_java_t) ++ ') +') + +optional_policy(` @@ -8038,7 +9435,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + rtkit_daemon_system_domain(unconfined_t) -+ rtkit_daemon_system_domain(unconfined_execmem_t) +') + +optional_policy(` @@ -8067,6 +9463,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ vbetool_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` + vpn_run(unconfined_t, unconfined_r) +') + @@ -8079,7 +9479,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ xserver_run(unconfined_t, unconfined_r) + xserver_rw_shm(unconfined_t) ++ xserver_run_xauth(unconfined_t, unconfined_r) +') + +######################################## 
@@ -8087,12 +9489,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Unconfined Execmem Local policy +# + -+allow unconfined_execmem_t self:process { execstack execmem }; ++optional_policy(` ++execmem_role_template(unconfined, unconfined_r, unconfined_t) ++typealias unconfined_execmem_t alias execmem_t; +unconfined_domain_noaudit(unconfined_execmem_t) +allow unconfined_execmem_t unconfined_t:process transition; +rpm_transition_script(unconfined_execmem_t) + +optional_policy(` ++ sandbox_transition(unconfined_execmem_t, unconfined_r) ++') ++optional_policy(` ++ tunable_policy(`allow_unconfined_nsplugin_transition',` ++ nsplugin_domtrans(unconfined_execmem_t) ++ nsplugin_domtrans_config(unconfined_execmem_t) ++ ') ++') ++ ++optional_policy(` + init_dbus_chat_script(unconfined_execmem_t) + dbus_system_bus_client(unconfined_execmem_t) + unconfined_dbus_chat(unconfined_execmem_t) @@ -8103,12 +9517,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + avahi_dbus_chat(unconfined_execmem_t) +') + -+ optional_policy(` -+ hal_dbus_chat(unconfined_execmem_t) ++optional_policy(` ++ hal_dbus_chat(unconfined_execmem_t) ++') ++optional_policy(` ++ gen_require(` ++ type mplayer_exec_t; ++ type unconfined_execmem_t; + ') ++ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) ++') + +optional_policy(` -+ xserver_rw_shm(unconfined_execmem_t) ++tunable_policy(`allow_unconfined_nsplugin_transition',`', ` ++ gen_require(` ++ type mozilla_exec_t; ++ type unconfined_execmem_t; ++ type nsplugin_exec_t; ++ ') ++ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) ++ domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t) ++') ++') ++ ++optional_policy(` ++ gen_require(` ++ type openoffice_exec_t; ++ type unconfined_execmem_t; ++ ') ++ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) ++') ++ ++ +') + +######################################## 
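Review bot: In the unconfineduser.te hunk at `@@ -8087`, the statements inside the new `optional_policy(` block (`execmem_role_template(...)`, `typealias ...`, `unconfined_domain_noaudit(...)`, `allow ...`, `rpm_transition_script(...)`) sit at column 0 while every other optional_policy body in this file is indented one tab, and the nested `tunable_policy(` in the second hunk at `@@ -8103` is likewise unindented; indenting them one level and dropping the two blank lines before the closing `')` would match the file's layout. The `typealias unconfined_execmem_t alias execmem_t;` line would also benefit from a comment saying why the alias is kept (presumably for callers still referring to execmem_t).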
@@ -8124,26 +9564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +domain_ptrace_all_domains(unconfined_notrans_t) + +optional_policy(` -+ gen_require(` -+ type mplayer_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) -+') -+ -+optional_policy(` -+tunable_policy(`allow_unconfined_nsplugin_transition',`', ` -+ gen_require(` -+ type mozilla_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) -+') -+') -+ -+optional_policy(` -+ gen_require(` -+ type openoffice_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) ++ policykit_role(unconfined_r, unconfined_notrans_t) +') + +######################################## @@ -8154,10 +9575,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.32/policy/modules/roles/unprivuser.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.33/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/unprivuser.te 2009-09-16 10:03:09.000000000 -0400 -@@ -14,142 +14,21 @@ ++++ serefpolicy-3.6.33/policy/modules/roles/unprivuser.te 2009-11-12 14:26:53.000000000 -0500 +@@ -14,96 +14,19 @@ userdom_unpriv_user_template(user) optional_policy(` @@ -8177,10 +9598,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - cdrecord_role(user_r, user_t) -+ sandbox_transition(user_t, user_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - cron_role(user_r, user_t) -') - 
@@ -8255,13 +9675,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - -optional_policy(` - rssh_role(user_r, user_t) --') -- --optional_policy(` -- screen_role_template(user, user_r, user_t) --') -- --optional_policy(` ++ sandbox_transition(user_t, user_r) + ') + + optional_policy(` +@@ -111,45 +34,5 @@ + ') + + optional_policy(` - spamassassin_role(user_r, user_t) -') - @@ -8305,10 +9726,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_role(user_r, user_t) + setroubleshoot_dontaudit_stream_connect(user_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.33/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-09-16 10:03:09.000000000 -0400 -@@ -36,11 +36,17 @@ ++++ serefpolicy-3.6.33/policy/modules/roles/xguest.te 2009-11-12 14:26:53.000000000 -0500 +@@ -31,16 +31,37 @@ + + userdom_restricted_xwindows_user_template(xguest) + ++ifndef(`enable_mls',` ++ fs_exec_noxattr(xguest_t) ++ ++ tunable_policy(`user_rw_noexattrfile',` ++ fs_manage_noxattr_fs_files(xguest_t) ++ fs_manage_noxattr_fs_dirs(xguest_t) ++ # Write floppies ++ storage_raw_read_removable_device(xguest_t) ++ storage_raw_write_removable_device(xguest_t) ++ ',` ++ storage_raw_read_removable_device(xguest_t) ++ ') ++') ++storage_rw_fuse(xguest_t) ++ + ######################################## + # # Local policy # 
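Review bot: `fs_exec_noxattr(xguest_t)` in the second hunk is unconditional (guarded only by `ifndef(`enable_mls',...)`), so the guest role can execute binaries from any filesystem that carries no SELinux labels — typically removable vfat/NTFS media — while read/write access to the same filesystems right below it is kept behind `user_rw_noexattrfile`. For the role meant to be the most restricted one, running code off a USB stick is exactly the capability a deployer most wants to switch off, so either move the line into the `user_rw_noexattrfile` branch or gate it on its own tunable, and in any case add `# xguest may run binaries from unlabeled (noxattr) filesystems, e.g. removable media` above it. `storage_raw_write_removable_device(xguest_t)` under the same boolean grants raw block-device writes; a note next to `# Write floppies` that this lets the guest overwrite a whole removable device, not just files on it, is worth having.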
@@ -8326,7 +9767,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) -@@ -67,7 +73,11 @@ +@@ -49,6 +70,7 @@ + fs_manage_noxattr_fs_dirs(xguest_t) + fs_getattr_noxattr_fs(xguest_t) + fs_read_noxattr_fs_symlinks(xguest_t) ++ fs_mount_fusefs(xguest_t) + + auth_list_pam_console_data(xguest_t) + +@@ -67,7 +89,11 @@ ') optional_policy(` @@ -8339,7 +9788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -75,9 +85,13 @@ +@@ -75,9 +101,16 @@ ') optional_policy(` 
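Review bot: `fs_mount_fusefs(xguest_t)` lets the guest role mount FUSE filesystems, and from the collapsed hunk it is not clear whether the line sits inside the tunable block whose `fs_manage_noxattr_fs_*` lines precede it or is unconditional; the enclosing block starts before the hunk. The xguest.te hunk just above this one already grants `storage_rw_fuse(xguest_t)` and noxattr execution, so a guest-mounted FUSE filesystem is presumably one more place guest-supplied content can be executed from. Please state the intent with a comment on the line, e.g. `# user-space (FUSE) mounts for the guest session — confirm this stays inside the tunable`.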
@@ -8349,27 +9798,96 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` tunable_policy(`xguest_connect_network',` networkmanager_dbus_chat(xguest_t) ++ networkmanager_read_var_lib_files(xguest_t) ++ corenet_tcp_connect_pulseaudio_port(xguest_t) ++ corenet_tcp_connect_ipp_port(xguest_t) ') ') -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.32/policy/modules/services/abrt.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.33/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.fc 2009-09-16 10:03:09.000000000 -0400 -@@ -1,7 +1,7 @@ ++++ serefpolicy-3.6.33/policy/modules/services/abrt.fc 2009-11-13 11:25:52.000000000 -0500 +@@ -1,11 +1,15 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) -/usr/sbin/abrt -- gen_context(system_u:object_r:abrt_exec_t,s0) -+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) ++/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) ++ ++/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) /var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) ++/var/cache/abrt-di(/.*)? 
gen_context(system_u:object_r:abrt_var_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if + /var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0) + + /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) + /var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) ++/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.33/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2009-09-17 15:49:39.000000000 -0400 -@@ -75,6 +75,27 @@ ++++ serefpolicy-3.6.33/policy/modules/services/abrt.if 2009-11-13 11:25:29.000000000 -0500 +@@ -19,6 +19,24 @@ + domtrans_pattern($1, abrt_exec_t, abrt_t) + ') + ++##################################### ++## ++## Execute abrt-helper in the abrt-helper domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`abrt_domtrans_helper',` ++ gen_require(` ++ type abrt_helper_t, abrt_helper_exec_t; ++ ') ++ ++ domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) ++') ++ + ###################################### + ## + ## Execute abrt +@@ -56,6 +74,32 @@ + read_files_pattern($1, abrt_etc_t, abrt_etc_t) + ') + ++######################################## ++## ++## Execute abrt helper in the abrt_helper domain, and ++## allow the specified role the abrt_helper domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to be allowed the abrt_helper domain. 
++## ++## ++## ++# ++interface(`abrt_run_helper',` ++ gen_require(` ++ type abrt_helper_t; ++ ') ++ ++ abrt_domtrans_helper($1) ++ role $2 types abrt_helper_t; ++') ++ + ###################################### + ## + ## Read abrt logs. +@@ -75,6 +119,64 @@ read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) ') 
@@ -8393,37 +9911,147 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 abrt_t:dbus send_msg; + allow abrt_t $1:dbus send_msg; +') ++ ++######################################## ++## ++## Send and receive messages from ++## abrt over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_cache_manage',` ++ gen_require(` ++ type abrt_var_cache_t; ++ ') ++ ++ manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) ++') ++ ++######################################## ++## ++## Send a null signal to abrt. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_signull',` ++ gen_require(` ++ type abrt_t; ++ ') ++ ++ allow $1 abrt_t:process signull; ++') + ##################################### ## ## All of the rules required to administrate -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.33/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-09-29 16:46:09.000000000 -0400 -@@ -75,6 +75,7 @@ ++++ serefpolicy-3.6.33/policy/modules/services/abrt.te 2009-11-13 11:25:18.000000000 -0500 +@@ -33,12 +33,23 @@ + type abrt_var_run_t; + files_pid_file(abrt_var_run_t) + ++# type needed to allow all domains ++# to handle /var/cache/abrt ++type abrt_helper_t; ++type abrt_helper_exec_t; ++application_domain(abrt_helper_t, abrt_helper_exec_t) ++role system_r types abrt_helper_t; ++ ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ++') ++ + ######################################## + # + # abrt local policy + # + +-allow abrt_t self:capability { setuid setgid sys_nice dac_override }; ++allow 
abrt_t self:capability { chown setuid setgid sys_nice dac_override }; + allow abrt_t self:process { signal signull setsched getsched }; + + allow abrt_t self:fifo_file rw_fifo_file_perms; +@@ -60,13 +71,15 @@ + files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) + + # abrt var/cache files +-manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) + manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) + files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) + + # abrt pid files +-manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) + manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) ++manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) ++manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) + files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) + + kernel_read_ring_buffer(abrt_t) +@@ -75,11 +88,17 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) +corecmd_read_all_executables(abrt_t) corenet_tcp_connect_http_port(abrt_t) ++corenet_tcp_connect_ftp_port(abrt_t) ++corenet_tcp_connect_all_ports(abrt_t) -@@ -105,13 +106,22 @@ - dbus_system_bus_client(abrt_t) - ') + dev_read_urand(abrt_t) ++domain_read_all_domains_state(abrt_t) ++domain_signull_all_domains(abrt_t) ++ + files_getattr_all_files(abrt_t) + files_read_etc_files(abrt_t) + files_read_usr_files(abrt_t) +@@ -96,22 +115,59 @@ + miscfiles_read_certs(abrt_t) + miscfiles_read_localization(abrt_t) + +-# to run bugzilla plugin +-# read ~/.abrt/Bugzilla.conf +-userdom_read_user_home_content_files(abrt_t) ++userdom_dontaudit_read_user_home_content_files(abrt_t) ++ +optional_policy(` -+ nsplugin_read_rw_files(abrt_t) ++ dbus_system_domain(abrt_t, abrt_exec_t) +') + ++optional_policy(` ++ nsplugin_read_rw_files(abrt_t) ++ nsplugin_read_home(abrt_t) ++') + + optional_policy(` +- dbus_connect_system_bus(abrt_t) +- 
dbus_system_bus_client(abrt_t) ++ policykit_dbus_chat(abrt_t) ++ policykit_domtrans_auth(abrt_t) ++ policykit_read_lib(abrt_t) ++ policykit_read_reload(abrt_t) + ') + # to install debuginfo packages optional_policy(` - rpm_manage_db(abrt_t) - rpm_domtrans(abrt_t) + rpm_manage_cache(abrt_t) + rpm_read_db(abrt_t) ++ rpm_read_pid_files(abrt_t) ++ rpm_exec(abrt_t) + rpm_dontaudit_manage_db(abrt_t) -+ rpm_domtrans_debuginfo(abrt_t) + rpm_signull(abrt_t) ') @@ -8432,10 +10060,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sendmail_domtrans(abrt_t) ') + ++optional_policy(` ++ sssd_stream_connect(abrt_t) ++') ++ +permissive abrt_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.32/policy/modules/services/afs.fc ++ ++######################################## ++# ++# abrt--helper local policy ++# ++ ++allow abrt_helper_t self:capability { setgid }; ++read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t) ++ ++manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) ++files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) ++ ++files_read_etc_files(abrt_helper_t) ++ ++permissive abrt_helper_t; ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.33/policy/modules/services/afs.fc --- nsaserefpolicy/policy/modules/services/afs.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/afs.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/afs.fc 2009-11-12 14:26:53.000000000 -0500 @@ -25,6 +25,7 @@ /usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) 
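Review bot: `corenet_tcp_connect_all_ports(abrt_t)` in the abrt.te part of this hunk makes the `corenet_tcp_connect_http_port`/`corenet_tcp_connect_ftp_port` lines beside it redundant and lets the crash-reporting daemon open TCP connections to any labeled port; a reporter that uploads to a bug tracker and fetches debuginfo would normally be held to the named ports, or the wide grant put behind a tunable an administrator can turn off. The same hunk adds `domain_read_all_domains_state(abrt_t)` and a `chown` capability without a comment naming the plugin that needs them. In abrt.if the summary of `abrt_cache_manage` reads "Send and receive messages from abrt over dbus" while the body is `manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)` — a copy-paste of the `abrt_dbus_chat` header; it should say `Create, read, write, and delete abrt cache files`, and since the cache is a directory tree (abrt_t gets `manage_dirs_pattern` on it in this hunk) callers will likely need dirs as well.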
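Review bot: `permissive abrt_helper_t;` at the end of the new abrt-helper block means the narrow rule set above it — `setgid`, read of abrt_etc_t, manage of abrt_var_cache_t — is only logged, never enforced, for a domain the `abrt_domtrans_helper` interface exposes to arbitrary callers and that the declarations hunk describes as the type "to allow all domains to handle /var/cache/abrt". If this is a bring-up measure, mark it as such, e.g. `# TODO: drop permissive once the helper's AVCs have been collected`, so it does not ship enforcing nothing; the `permissive abrt_t;` kept in this hunk deserves the same marker. `files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })` additionally lets the helper create abrt_var_cache_t objects directly in var_t directories rather than only below /var/cache/abrt; if the helper never creates the top-level cache directory, `files_search_var` plus the manage patterns would be enough.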
@@ -8444,9 +10094,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /vicepa gen_context(system_u:object_r:afs_files_t,s0) /vicepb gen_context(system_u:object_r:afs_files_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.32/policy/modules/services/afs.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.33/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/afs.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/afs.te 2009-11-13 08:49:52.000000000 -0500 +@@ -71,7 +71,7 @@ + # afs client local policy + # + +-allow afs_t self:capability { sys_nice sys_tty_config }; ++allow afs_t self:capability { sys_admin sys_nice sys_tty_config }; + allow afs_t self:process setsched; + allow afs_t self:udp_socket create_socket_perms; + allow afs_t self:fifo_file rw_file_perms; @@ -83,6 +83,7 @@ files_mounton_mnt(afs_t) @@ -8455,9 +10114,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_rw_etc_runtime_files(afs_t) fs_getattr_xattr_fs(afs_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.6.32/policy/modules/services/aisexec.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.6.33/policy/modules/services/aisexec.fc --- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/aisexec.fc 2009-09-29 09:58:56.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/aisexec.fc 2009-11-12 14:26:53.000000000 -0500 
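Review bot: Adding `sys_admin` to `allow afs_t self:capability { ... }` grants the broadest capability in the set with no comment on which operation needs it; the only candidate visible in this hunk's context is the mount handling (`files_mounton_mnt(afs_t)`), but that is an inference. Please record the reason on the line, e.g. `# sys_admin: mounting the AFS namespace — verify nothing narrower suffices`, since a capability grant in a daemon domain is the first thing a later audit questions and `sys_admin` is often requested by code that actually needs a different, narrower capability.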
@@ -0,0 +1,12 @@ + +/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) @@ -8471,9 +10130,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) + +/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.6.32/policy/modules/services/aisexec.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.6.33/policy/modules/services/aisexec.if --- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/aisexec.if 2009-09-29 09:58:56.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/aisexec.if 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,106 @@ +## SELinux policy for Aisexec Cluster Engine + @@ -8581,9 +10240,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, aisexec_tmpfs_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.6.32/policy/modules/services/aisexec.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.6.33/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/aisexec.te 2009-09-29 09:58:56.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/aisexec.te 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,112 @@ + +policy_module(aisexec,1.0.0) 
@@ -8697,9 +10356,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +groupd_rw_semaphores(aisexec_t) +groupd_rw_shm(aisexec_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.32/policy/modules/services/amavis.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.33/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/amavis.te 2009-09-28 09:36:06.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/amavis.te 2009-11-12 14:26:53.000000000 -0500 @@ -103,6 +103,8 @@ kernel_dontaudit_read_proc_symlinks(amavis_t) kernel_dontaudit_read_system_state(amavis_t) @@ -8709,10 +10368,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # find perl corecmd_exec_bin(amavis_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.33/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-09-28 16:53:33.000000000 -0400 -@@ -1,12 +1,13 @@ ++++ serefpolicy-3.6.33/policy/modules/services/apache.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -1,12 +1,15 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -8725,24 +10384,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) ++/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -22,6 +23,7 @@ +@@ -21,10 +24,13 @@ + /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) ++/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -@@ -32,12 +34,17 @@ ++/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) + /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) + +@@ -32,12 +38,19 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') +/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/ntop/html(/.*)? 
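Review bot: Labeling `/usr/sbin/lighttpd` as `httpd_exec_t` (with `/etc/lighttpd`, its init script and its modules folded into the apache types in the same hunk) runs lighttpd in the shared `httpd_t` domain, so every httpd_* boolean and every rule written for Apache — including the suexec and mod_auth paths in apache.te — now applies to lighttpd too, and nothing in the .fc records that decision. A comment above the block, `# lighttpd is run in the shared httpd_t domain; all httpd_* booleans apply to it`, would keep administrators from assuming lighttpd has a policy of its own.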
gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -8750,20 +10418,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -47,6 +54,7 @@ +@@ -46,7 +59,9 @@ + /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -50,8 +58,10 @@ +@@ -50,13 +65,17 @@ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) 
@@ -8774,7 +10445,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -64,11 +74,34 @@ + /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++ + ifdef(`distro_debian', ` + /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + ') +@@ -64,11 +83,33 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -8799,6 +10477,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0) +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + ++/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) ++ +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) 
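Review bot: The new entry `/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)` in the second hunk omits the `--` file-type field that the neighbouring file entries carry, so the pattern will also match a directory of that name, and it labels what appears to be a web application's main configuration file (presumably Joomla's — confirm) writable by the web server and its scripts. That write access is normally needed only by the installer; adding the `--` spec and a comment such as `# writable during installation; relabel to httpd_sys_content_t after install` next to the line would keep the exposure documented and bounded.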
@@ -8807,12 +10487,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + -+ -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.33/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2009-09-29 07:46:30.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/apache.if 2009-11-12 14:26:53.000000000 -0500 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -9416,9 +11093,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + typeattribute $1 httpd_rw_content; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.33/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/apache.te 2009-11-12 14:26:53.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # 
@@ -9692,7 +11369,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_pam, false) + -+tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_chkpwd(httpd_t) +') + @@ -9703,8 +11381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + samba_domtrans_winbind_helper(httpd_t) ') ') @@ -9809,10 +11486,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -451,6 +583,10 @@ +@@ -451,6 +583,14 @@ ') optional_policy(` ++ cobbler_search_lib(httpd_t) ++') ++ ++optional_policy(` + cvs_read_data(httpd_t) +') + @@ -9820,7 +11501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(httpd_t, httpd_exec_t) ') -@@ -459,8 +595,13 @@ +@@ -459,8 +599,13 @@ ') optional_policy(` @@ -9836,7 +11517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -468,22 +609,18 @@ +@@ -468,22 +613,19 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) @@ -9858,10 +11539,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` nagios_read_config(httpd_t) - nagios_domtrans_cgi(httpd_t) ++ nagios_read_log(httpd_t) ') optional_policy(` -@@ -494,12 +631,23 @@ +@@ -494,12 +636,23 @@ ') optional_policy(` 
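Review bot: In the second hunk the tunable_policy placed directly after `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` tests `allow_httpd_mod_auth_pam`, so `samba_domtrans_winbind_helper(httpd_t)` is switched on by the PAM boolean and the newly declared winbind boolean controls nothing; enabling mod_auth_pam would silently also let httpd_t run the winbind helper. The line should read `tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`` so each boolean gates only its own access, matching the `## ` description block above it. A quick `seinfo -b`/`getsebool` check after the build would confirm the new boolean actually has rules attached.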
@@ -9885,7 +11567,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -508,6 +656,7 @@ +@@ -508,6 +661,7 @@ ') optional_policy(` @@ -9893,7 +11575,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +684,23 @@ +@@ -535,6 +689,23 @@ userdom_use_user_terminals(httpd_helper_t) @@ -9917,7 +11599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -564,20 +730,25 @@ +@@ -564,20 +735,25 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -9949,7 +11631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -595,23 +766,24 @@ +@@ -595,23 +771,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -9978,7 +11660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -624,6 +796,7 @@ +@@ -624,6 +801,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -9986,7 +11668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -631,22 +804,30 @@ +@@ -631,22 +809,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) 
@@ -10014,6 +11696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) + manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ++ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ') - @@ -10024,7 +11707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,15 +853,14 @@ +@@ -672,15 +859,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -10043,7 +11726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +879,24 @@ +@@ -699,12 +885,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -10070,7 +11753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +904,35 @@ +@@ -712,6 +910,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -10106,7 +11789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +945,10 @@ +@@ -724,6 +951,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -10117,7 +11800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +960,8 @@ +@@ -735,6 +966,8 @@ # httpd_rotatelogs local policy # 
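Review bot: `manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)` in the first hunk extends the unified-content grant so CGI scripts can create and remove unix sockets anywhere under any httpdcontent type, not only files, directories and symlinks; the tunable block it sits in begins before the hunk, so that this is still the `httpd_unified` block is inferred from the surrounding `manage_*_pattern` lines. A comment naming the application that needs sockets under the document root, e.g. `# scripts that place FastCGI/IPC sockets under DocumentRoot — confirm which`, would justify the addition and let it be narrowed later.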
@@ -10126,7 +11809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,6 +981,12 @@ +@@ -754,11 +987,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -10139,10 +11822,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') # allow accessing files/dirs below the users home dir -@@ -762,3 +995,74 @@ - userdom_search_user_home_dirs(httpd_suexec_t) - userdom_search_user_home_dirs(httpd_user_script_t) - ') + tunable_policy(`httpd_enable_homedirs',` +- userdom_search_user_home_dirs(httpd_t) +- userdom_search_user_home_dirs(httpd_suexec_t) +- userdom_search_user_home_dirs(httpd_user_script_t) ++ userdom_search_user_home_content(httpd_t) ++ userdom_search_user_home_content(httpd_suexec_t) ++ userdom_search_user_home_content(httpd_user_script_t) ++') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_user_script_t) @@ -10196,7 +11883,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) -+') + ') + +manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) +manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) 
@@ -10214,9 +11901,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.32/policy/modules/services/apm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.33/policy/modules/services/apm.te --- nsaserefpolicy/policy/modules/services/apm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apm.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/apm.te 2009-11-12 14:26:53.000000000 -0500 @@ -60,7 +60,7 @@ # mknod: controlling an orderly resume of PCMCIA requires creating device # nodes 254,{0,1,2} for some reason. 
@@ -10226,10 +11913,68 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:unix_dgram_socket create_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.32/policy/modules/services/automount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.6.33/policy/modules/services/asterisk.if +--- nsaserefpolicy/policy/modules/services/asterisk.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/asterisk.if 2009-11-12 14:26:53.000000000 -0500 +@@ -1,5 +1,26 @@ + ## Asterisk IP telephony server + ++##################################### ++## ++## Connect to asterisk over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`asterisk_stream_connect',` ++ gen_require(` ++ type asterisk_t, asterisk_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) ++') ++ ++ + ######################################## + ## + ## All of the rules required to administrate +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.33/policy/modules/services/asterisk.te +--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/asterisk.te 2009-11-12 14:26:53.000000000 -0500 +@@ -34,6 +34,8 @@ + type asterisk_var_run_t; + files_pid_file(asterisk_var_run_t) + ++permissive asterisk_t; ++ + ######################################## + # + # Local policy +@@ -97,6 +99,7 @@ + corenet_udp_bind_generic_node(asterisk_t) + corenet_tcp_bind_asterisk_port(asterisk_t) + 
corenet_udp_bind_asterisk_port(asterisk_t) ++corenet_udp_bind_sip_port(asterisk_t) + corenet_sendrecv_asterisk_server_packets(asterisk_t) + # for VOIP voice channels. + corenet_tcp_bind_generic_port(asterisk_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.33/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/automount.te 2009-09-16 10:03:09.000000000 -0400 -@@ -129,6 +129,7 @@ ++++ serefpolicy-3.6.33/policy/modules/services/automount.te 2009-11-12 14:26:53.000000000 -0500 +@@ -75,6 +75,7 @@ + + fs_mount_all_fs(automount_t) + fs_unmount_all_fs(automount_t) ++fs_search_all(automount_t) + + corecmd_exec_bin(automount_t) + corecmd_exec_shell(automount_t) +@@ -129,6 +130,7 @@ fs_unmount_autofs(automount_t) fs_mount_autofs(automount_t) fs_manage_autofs_symlinks(automount_t) 
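Review bot: `permissive asterisk_t;` in the asterisk.te hunk places the whole domain in permissive mode, so every rule added for asterisk_t here (including the new `corenet_udp_bind_sip_port(asterisk_t)`) is advisory only until that line is removed: denials are logged but not enforced. The same line appears as `permissive clogd_t;` in the new clogd.te later in this patch. A comment next to each, e.g. `# TODO: bring-up aid, remove once the domain's policy is complete; permissive domains are not enforced`, would record that it is temporary and keep it from shipping indefinitely. The `fs_search_all(automount_t)` line in the same hunk is a broad grant unrelated to asterisk and would benefit from a one-line comment naming the filesystem that needed it.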
@@ -10237,9 +11982,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_rw_fuse(automount_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.33/policy/modules/services/avahi.te +--- nsaserefpolicy/policy/modules/services/avahi.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/avahi.te 2009-11-12 14:26:53.000000000 -0500 +@@ -24,7 +24,7 @@ + # Local policy + # + +-allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot }; ++allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin setuid sys_chroot }; + dontaudit avahi_t self:capability sys_tty_config; + allow avahi_t self:process { setrlimit signal_perms getcap setcap }; + allow avahi_t self:fifo_file rw_fifo_file_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.33/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/bind.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/bind.if 2009-11-12 14:26:53.000000000 -0500 @@ -235,7 +235,7 @@ ######################################## 
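Review bot: The avahi.te change adds `net_admin` to avahi_t's self:capability set without a comment, and net_admin is one of the broadest capabilities (interface, routing and privileged socket-option control) rather than a narrow mDNS need. A one-line comment naming the operation that produced the denial, e.g. `# net_admin: <operation from the AVC denial, to be filled in>`, would let a later reviewer judge whether a narrower permission would do. I cannot tell from the hunk which avahi code path requires it.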
@@ -10301,12 +12058,58 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an bind environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.32/policy/modules/services/bluetooth.te ---- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te 2009-09-22 20:55:58.000000000 -0400 -@@ -56,7 +56,7 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.33/policy/modules/services/bitlbee.te +--- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/bitlbee.te 2009-11-12 14:26:53.000000000 -0500 +@@ -68,6 +68,8 @@ + # MSN can use passport auth, which is over http: + corenet_tcp_connect_http_port(bitlbee_t) + corenet_tcp_sendrecv_http_port(bitlbee_t) ++corenet_tcp_connect_http_cache_port(bitlbee_t) ++corenet_tcp_sendrecv_http_cache_port(bitlbee_t) - allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock }; + dev_read_rand(bitlbee_t) + dev_read_urand(bitlbee_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.6.33/policy/modules/services/bluetooth.if +--- nsaserefpolicy/policy/modules/services/bluetooth.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/bluetooth.if 2009-11-12 14:26:53.000000000 -0500 +@@ -153,6 +153,27 @@ + dontaudit $1 bluetooth_helper_t:file { read getattr }; + ') + ++##################################### ++## ++## Connect to bluetooth over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`bluetooth_stream_connect',` ++ gen_require(` ++ type bluetooth_t, bluetooth_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 bluetooth_t:socket rw_socket_perms; ++ stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) ++') ++ + ######################################## + ## + ## All of the rules required to administrate +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.33/policy/modules/services/bluetooth.te +--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/bluetooth.te 2009-11-12 14:26:53.000000000 -0500 +@@ -54,9 +54,9 @@ + # Bluetooth services local policy + # + +-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock }; ++allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_tty_config ipc_lock }; dontaudit bluetooth_t self:capability sys_tty_config; -allow bluetooth_t self:process { getsched signal_perms }; +allow bluetooth_t self:process { getcap setcap getsched signal_perms }; 
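Review bot: The new `bluetooth_stream_connect` interface in bluetooth.if grants `allow $1 bluetooth_t:socket rw_socket_perms;` in addition to the `stream_connect_pattern`, but its description only mentions connecting over a unix domain stream socket. The generic `socket` class is not the unix_stream_socket the pattern covers, so callers also get read/write on bluetooth_t's other socket objects; either the description should state that, or that line belongs in a separately named interface. In the bluetooth.te hunk, `setpcap` together with `{ getcap setcap }` lets the daemon rewrite its own capability set, presumably to drop privileges after startup — a short comment confirming that would help.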
@@ -10348,10 +12151,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pulseaudio_dbus_chat(bluetooth_t) ') ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-3.6.32/policy/modules/services/ccs.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-3.6.33/policy/modules/services/ccs.fc --- nsaserefpolicy/policy/modules/services/ccs.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ccs.fc 2009-09-29 15:31:19.000000000 -0400 -@@ -2,9 +2,4 @@ ++++ serefpolicy-3.6.33/policy/modules/services/ccs.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -2,9 +2,5 @@ /sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) 
@@ -10359,11 +12162,99 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - -/var/lib/openais(/.*)? gen_context(system_u:object_r:ccs_var_lib_t,s0) - - /var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0) +-/var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0) -/var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.32/policy/modules/services/certmaster.te ++/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) ++/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.6.33/policy/modules/services/ccs.te +--- nsaserefpolicy/policy/modules/services/ccs.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/ccs.te 2009-11-12 14:26:53.000000000 -0500 +@@ -10,23 +10,21 @@ + type ccs_exec_t; + init_daemon_domain(ccs_t, ccs_exec_t) + +-# conf files + type cluster_conf_t; + files_type(cluster_conf_t) + +-# tmp files + type ccs_tmp_t; + files_tmp_file(ccs_tmp_t) + +-# log files +-type ccs_var_log_t; +-logging_log_file(ccs_var_log_t) ++type ccs_tmpfs_t; ++files_tmpfs_file(ccs_tmpfs_t) + +-# var lib files + type ccs_var_lib_t; + logging_log_file(ccs_var_lib_t) + +-# pid files ++type ccs_var_log_t; ++logging_log_file(ccs_var_log_t) ++ + type ccs_var_run_t; + files_pid_file(ccs_var_run_t) + +@@ -35,7 +33,7 @@ + # ccs local policy + # + +-allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin }; ++allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; + allow ccs_t self:process { signal setrlimit setsched }; + dontaudit ccs_t self:process ptrace; + allow ccs_t self:fifo_file rw_fifo_file_perms; +@@ -55,23 +53,29 @@ + 
manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t) + files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir }) + +-# log files +-manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) +-manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) +-allow ccs_t ccs_var_log_t:dir setattr; +-logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) ++manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) ++manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) ++fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t,{ dir file }) + + # var lib files + manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) + manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) + files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir }) + ++# log files ++manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) ++manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) ++allow ccs_t ccs_var_log_t:dir setattr; ++logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) ++ + # pid file + manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) + manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) + manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) + files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file }) + ++aisexec_stream_connect(ccs_t) ++ + kernel_read_kernel_sysctls(ccs_t) + + corecmd_list_bin(ccs_t) +@@ -104,6 +108,9 @@ + + sysnet_dns_name_resolve(ccs_t) + ++userdom_manage_unpriv_user_shared_mem(ccs_t) ++userdom_manage_unpriv_user_semaphores(ccs_t) ++ + ifdef(`hide_broken_symptoms', ` + corecmd_dontaudit_write_bin_dirs(ccs_t) + files_manage_isid_type_files(ccs_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.33/policy/modules/services/certmaster.te --- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/certmaster.te 2009-09-16 10:03:09.000000000 -0400 ++++ 
serefpolicy-3.6.33/policy/modules/services/certmaster.te 2009-11-12 14:26:53.000000000 -0500 @@ -30,7 +30,7 @@ # certmaster local policy # @@ -10373,9 +12264,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow certmaster_t self:tcp_socket create_stream_socket_perms; # config files -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.6.32/policy/modules/services/chronyd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.6.33/policy/modules/services/chronyd.fc --- nsaserefpolicy/policy/modules/services/chronyd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/chronyd.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/chronyd.fc 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,11 @@ + +/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) @@ -10388,9 +12279,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.6.32/policy/modules/services/chronyd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.6.33/policy/modules/services/chronyd.if --- nsaserefpolicy/policy/modules/services/chronyd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/chronyd.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/chronyd.if 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,105 @@ +## chrony background daemon + 
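Review bot: In the ccs.te hunk, `userdom_manage_unpriv_user_shared_mem(ccs_t)` and `userdom_manage_unpriv_user_semaphores(ccs_t)` together with the newly added `ipc_owner` capability let the cluster config daemon manage SysV IPC objects owned by unprivileged user domains, and none of the three lines say which client needs it. A comment such as `# ccsd exchanges SysV shm/sem with cluster clients in user domains; ipc_owner bypasses the IPC permission checks` (wording to be confirmed against the actual denial) would document that trust relationship. Also visible as unchanged context, `ccs_var_lib_t` is still declared with `logging_log_file(ccs_var_lib_t)` although it labels /var/lib content; `files_type` looks like the intended call, but that predates this change.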
@@ -10497,9 +12388,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.6.32/policy/modules/services/chronyd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.6.33/policy/modules/services/chronyd.te --- nsaserefpolicy/policy/modules/services/chronyd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/chronyd.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/chronyd.te 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,67 @@ +policy_module(chronyd,1.0.0) + @@ -10568,9 +12459,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(chronyd_t) + +permissive chronyd_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.32/policy/modules/services/clamav.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.33/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/clamav.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/clamav.te 2009-11-12 14:26:53.000000000 -0500 @@ -117,9 +117,9 @@ logging_send_syslog_msg(clamd_t) 
@@ -10612,16 +12503,192 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` apache_read_sys_content(clamscan_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.6.32/policy/modules/services/cobbler.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.6.33/policy/modules/services/clogd.fc +--- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/services/clogd.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,4 @@ ++ ++/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) ++ ++/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.6.33/policy/modules/services/clogd.if +--- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/services/clogd.if 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,98 @@ ++## clogd - clustered mirror log server ++ ++###################################### ++## ++## Execute a domain transition to run clogd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`clogd_domtrans',` ++ gen_require(` ++ type clogd_t, clogd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1,clogd_exec_t,clogd_t) ++ ++') ++ ++##################################### ++## ++## Connect to clogd over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`clogd_stream_connect',` ++ gen_require(` ++ type clogd_t, clogd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, clogd_var_run_t, clogd_var_run_t, clogd_t) ++') ++ ++##################################### ++## ++## Manage clogd tmpfs files. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`clogd_manage_tmpfs_files',` ++ gen_require(` ++ type clogd_tmpfs_t; ++ ') ++ ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) ++ manage_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) ++') ++ ++##################################### ++## ++## Allow read and write access to clogd semaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clogd_rw_semaphores',` ++ gen_require(` ++ type clogd_t; ++ ') ++ ++ allow $1 clogd_t:sem { rw_sem_perms destroy }; ++') ++ ++######################################## ++## ++## Read and write to group shared memory. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`clogd_rw_shm',` ++ gen_require(` ++ type clogd_t; ++ ') ++ ++ allow $1 clogd_t:shm { rw_shm_perms destroy }; ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.6.33/policy/modules/services/clogd.te +--- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/services/clogd.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,62 @@ ++ ++policy_module(clogd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type clogd_t; ++type clogd_exec_t; ++init_daemon_domain(clogd_t, clogd_exec_t) ++ ++type clogd_tmpfs_t; ++files_tmpfs_file(clogd_tmpfs_t) ++ ++# pid files ++type clogd_var_run_t; ++files_pid_file(clogd_var_run_t) ++ ++permissive clogd_t; ++ ++######################################## ++# ++# clogd local policy ++# ++ ++allow clogd_t self:capability { net_admin mknod }; ++allow clogd_t self:process { signal }; ++ ++allow clogd_t self:sem create_sem_perms; ++allow clogd_t self:shm create_shm_perms; ++allow clogd_t self:netlink_socket create_socket_perms; ++allow clogd_t self:unix_dgram_socket create_socket_perms; ++ ++manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) ++manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) ++fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t,{ dir file }) ++ ++# pid files ++manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) ++manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) ++files_pid_filetrans(clogd_t,clogd_var_run_t, { file }) ++ ++aisexec_stream_connect(clogd_t) ++ ++dev_manage_generic_blk_files(clogd_t) ++ ++storage_raw_read_fixed_disk(clogd_t) ++storage_raw_write_fixed_disk(clogd_t) ++ ++libs_use_ld_so(clogd_t) ++libs_use_shared_libs(clogd_t) ++ ++logging_send_syslog_msg(clogd_t) ++ ++miscfiles_read_localization(clogd_t) ++ ++optional_policy(` ++ dev_read_lvm_control(clogd_t) ++') ++ ++ 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.6.33/policy/modules/services/cobbler.fc --- nsaserefpolicy/policy/modules/services/cobbler.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/cobbler.fc 2009-09-28 09:37:48.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/cobbler.fc 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,2 @@ + +/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.6.32/policy/modules/services/cobbler.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.6.33/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/cobbler.if 2009-09-28 09:39:30.000000000 -0400 -@@ -0,0 +1,24 @@ ++++ serefpolicy-3.6.33/policy/modules/services/cobbler.if 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,44 @@ +## +## Cobbler var_lib_t +## 
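Review bot: In the new clogd.te, `files_pid_filetrans(clogd_t,clogd_var_run_t, { file })` covers only plain files, yet the same block grants `manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)` and clogd.if's `clogd_stream_connect` expects a socket of type clogd_var_run_t; without a transition a socket clogd creates under /var/run inherits the directory's type, so the connect interface would not match it. Changing it to `files_pid_filetrans(clogd_t, clogd_var_run_t, { file sock_file })`, as corosync.te in this same patch does, fixes that. Separately, `clogd_rw_semaphores` and `clogd_rw_shm` both grant `destroy` although their names and summaries say read/write, and `clogd_rw_shm`'s summary reads "group shared memory", which looks copied from elsewhere; both summaries should state that callers may also destroy the objects.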
@@ -10646,18 +12713,48 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_var_lib($1) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.32/policy/modules/services/cobbler.te ++ ++######################################## ++## ++## Read cobbler lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cobbler_search_lib',` ++ gen_require(` ++ type cobbler_var_lib_t; ++ ') ++ ++ allow $1 cobbler_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.33/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/cobbler.te 2009-09-28 09:36:27.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/cobbler.te 2009-11-12 14:26:53.000000000 -0500 
@@ -0,0 +1,5 @@ + +policy_module(cobbler, 1.10.0) + +type cobbler_var_lib_t; +files_type(cobbler_var_lib_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.32/policy/modules/services/consolekit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.33/policy/modules/services/consolekit.fc +--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/consolekit.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -2,4 +2,5 @@ + + /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) + /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +-/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) ++ ++/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.33/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/consolekit.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/consolekit.if 2009-11-12 14:26:53.000000000 -0500 @@ -57,3 +57,42 @@ read_files_pattern($1, consolekit_log_t, consolekit_log_t) files_search_pids($1) 
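Review bot: The new `cobbler_search_lib` interface in cobbler.if is summarised as "Read cobbler lib files." but it only grants `search_dir_perms` on cobbler_var_lib_t plus `files_search_var_lib($1)`, so a caller cannot read anything with it. The summary should match the rules, e.g. `## Search cobbler lib directories.`, or the interface should add `read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)` if reading is the intent.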
@@ -10701,10 +12798,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.33/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-09-16 10:03:09.000000000 -0400 -@@ -62,12 +62,15 @@ ++++ serefpolicy-3.6.33/policy/modules/services/consolekit.te 2009-11-12 14:26:53.000000000 -0500 +@@ -21,7 +21,7 @@ + # consolekit local policy + # + +-allow consolekit_t self:capability { setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; ++allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; + allow consolekit_t self:process { getsched signal }; + allow consolekit_t self:fifo_file rw_fifo_file_perms; + allow consolekit_t self:unix_stream_socket create_stream_socket_perms; +@@ -59,15 +59,19 @@ + term_use_all_terms(consolekit_t) + + auth_use_nsswitch(consolekit_t) ++auth_manage_pam_console_data(consolekit_t) init_telinit(consolekit_t) init_rw_utmp(consolekit_t) @@ -10720,7 +12830,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_read_user_home_content_files(consolekit_t) userdom_read_user_tmp_files(consolekit_t) -@@ -84,9 +87,12 @@ +@@ -84,9 +88,12 @@ ') optional_policy(` @@ -10734,7 +12844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hal_dbus_chat(consolekit_t) ') -@@ -100,6 +106,7 @@ +@@ -100,6 +107,7 @@ ') optional_policy(` 
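Review bot: The consolekit.te hunk adds the `chown` capability and `auth_manage_pam_console_data(consolekit_t)` on adjacent lines with no comment, presumably because ConsoleKit now changes ownership of console device nodes the way pam_console did — that should be confirmed rather than inferred. A comment such as `# chown + pam_console data: ConsoleKit reassigns console device ownership on session change (TODO confirm)` would tie the two grants together for the next reader.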
@@ -10742,7 +12852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) policykit_read_reload(consolekit_t) -@@ -108,10 +115,19 @@ +@@ -108,10 +116,21 @@ optional_policy(` xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) @@ -10754,6 +12864,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` + udev_domtrans(consolekit_t) ++ udev_read_db(consolekit_t) ++ udev_signal(consolekit_t) +') + +optional_policy(` @@ -10762,9 +12874,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_stream_connect(consolekit_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.6.32/policy/modules/services/corosync.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.6.33/policy/modules/services/corosync.fc --- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/corosync.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/corosync.fc 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,13 @@ + +/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) 
@@ -10779,9 +12891,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.6.32/policy/modules/services/corosync.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.6.33/policy/modules/services/corosync.if --- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/corosync.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/corosync.if 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,108 @@ +## SELinux policy for Corosync Cluster Engine + @@ -10891,10 +13003,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.32/policy/modules/services/corosync.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.33/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2009-09-16 10:03:09.000000000 -0400 -@@ -0,0 +1,109 @@ ++++ serefpolicy-3.6.33/policy/modules/services/corosync.te 2009-11-12 15:10:07.000000000 -0500 +@@ -0,0 +1,107 @@ + +policy_module(corosync,1.0.0) + 
@@ -10935,7 +13047,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +allow corosync_t self:capability { sys_nice sys_resource ipc_lock }; -+allow corosync_t self:process { setsched signal }; ++allow corosync_t self:process { setrlimit setsched signal }; + +allow corosync_t self:fifo_file rw_fifo_file_perms; +allow corosync_t self:sem create_sem_perms; @@ -10968,20 +13080,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_sock_files_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t) +files_pid_filetrans(corosync_t,corosync_var_run_t, { file sock_file }) + ++kernel_read_system_state(corosync_t) ++ +corenet_udp_bind_netsupport_port(corosync_t) + +corecmd_exec_bin(corosync_t) + -+kernel_read_system_state(corosync_t) ++dev_read_urand(corosync_t) + +files_manage_mounttab(corosync_t) + +auth_use_nsswitch(corosync_t) + -+dev_read_urand(corosync_t) -+ -+libs_use_ld_so(corosync_t) -+libs_use_shared_libs(corosync_t) +miscfiles_read_localization(corosync_t) + +init_rw_script_tmp_files(corosync_t) @@ -11004,9 +13114,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +permissive corosync_t; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.32/policy/modules/services/courier.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.33/policy/modules/services/courier.if --- nsaserefpolicy/policy/modules/services/courier.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/courier.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/courier.if 2009-11-12 14:26:53.000000000 -0500 @@ -179,6 +179,24 @@ ######################################## 
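Review bot: The corosync_t rules this hunk reorders and the `libs_use_ld_so`/`libs_use_shared_libs` lines it drops are not enforced at all while `permissive corosync_t;` remains at the end of the file, so any denial the removal causes will only surface in the audit log. That is reasonable for a module new in this release, but the permissive declaration carries no note about when it is meant to go, which is how such lines get forgotten; I would annotate it with `# TODO: drop once the corosync rule set has been validated in enforcing mode` (or the tracking bug). Presumably the two libs interfaces were removed because the base domain type now supplies that access, but nothing in the hunk confirms it. The `files_manage_mounttab(corosync_t)` kept as context would also benefit from a why-comment, since a cluster engine editing /etc/mtab is not obvious.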
@@ -11032,9 +13142,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to courier spool pipes. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.32/policy/modules/services/courier.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.33/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/courier.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/courier.te 2009-11-12 14:26:53.000000000 -0500 @@ -10,6 +10,7 @@ type courier_etc_t; 
@@ -11043,9 +13153,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol courier_domain_template(pcp) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.32/policy/modules/services/cron.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.33/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cron.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/cron.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -14,7 +14,7 @@ + /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) + /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) + /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +-/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) ++/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) + /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) + /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) + @@ -45,3 +45,7 @@ /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) 
@@ -11054,9 +13173,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.32/policy/modules/services/cron.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.33/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cron.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/cron.if 2009-11-12 14:26:53.000000000 -0500 @@ -12,6 +12,10 @@ ## # @@ -11124,6 +13243,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol role system_r types $1; ') +@@ -408,7 +404,7 @@ + type crond_t; + ') + +- allow $1 crond_t:fifo_file { getattr read write }; ++ allow $1 crond_t:fifo_file rw_fifo_file_perms; + ') + + ######################################## @@ -587,11 +583,14 @@ # interface(`cron_read_system_job_tmp_files',` 
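Review bot: The replacement `allow $1 crond_t:fifo_file rw_fifo_file_perms;` is wider than the `{ getattr read write }` it replaces — the permission set also carries `open`, `append`, `ioctl` and `lock` — so this is a small privilege widening for every caller of the interface, not just an idiom cleanup. The `open` permission is the one that actually matters for a pipe inherited from crond on current kernels, and the widening matches how the rest of the file uses the `*_perms` sets, so I would only add a sentence to the interface description (which starts before this hunk) stating that callers now get full read/write access to crond's pipes.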
@@ -11189,9 +13317,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.33/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cron.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/cron.te 2009-11-12 14:26:53.000000000 -0500 @@ -38,6 +38,7 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -11448,9 +13576,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.32/policy/modules/services/cups.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.33/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cups.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/cups.fc 2009-11-12 14:26:53.000000000 -0500 @@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) 
@@ -11494,9 +13622,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.33/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-09-30 10:20:40.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/cups.te 2009-11-12 14:26:53.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -11542,7 +13670,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(cupsd_t) corenet_all_recvfrom_netlabel(cupsd_t) -@@ -250,6 +260,7 @@ +@@ -171,6 +181,7 @@ + corenet_udp_bind_generic_node(cupsd_t) + corenet_tcp_bind_ipp_port(cupsd_t) + corenet_udp_bind_ipp_port(cupsd_t) ++corenet_udp_bind_howl_port(cupsd_t) + corenet_tcp_bind_reserved_port(cupsd_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) + corenet_tcp_bind_all_rpc_ports(cupsd_t) +@@ -250,6 +261,7 @@ miscfiles_read_localization(cupsd_t) # invoking ghostscript needs to read fonts miscfiles_read_fonts(cupsd_t) 
@@ -11550,7 +13686,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) -@@ -327,7 +338,7 @@ +@@ -317,6 +329,10 @@ + ') + + optional_policy(` ++ snmp_read_snmp_var_lib_files(cupsd_t) ++') ++ ++optional_policy(` + udev_read_db(cupsd_t) + ') + +@@ -327,7 +343,7 @@ allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; @@ -11559,15 +13706,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_config_t self:fifo_file rw_fifo_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms; -@@ -407,6 +418,7 @@ +@@ -407,6 +423,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) -+userdom_read_user_tmp_files(cupsd_config_t) ++userdom_rw_user_tmp_files(cupsd_config_t) cups_stream_connect(cupsd_config_t) -@@ -419,12 +431,15 @@ +@@ -419,12 +436,15 @@ ') optional_policy(` @@ -11585,7 +13732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -446,6 +461,10 @@ +@@ -446,6 +466,10 @@ ') optional_policy(` @@ -11596,7 +13743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_read_db(cupsd_config_t) ') -@@ -542,6 +561,8 @@ +@@ -542,6 +566,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) 
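Review bot: Switching `userdom_read_user_tmp_files(cupsd_config_t)` to `userdom_rw_user_tmp_files(cupsd_config_t)` lets the printer configuration helper, which holds `dac_override` and `chown` per the capability line shown as context just before this hunk, write to files labeled as any user's temporary files rather than only read them, so a local user could potentially stage a file under /tmp and have it written with root-level authority. If the real requirement is writing to a file descriptor the caller passes in (the usual reason a privileged helper touches user tmp files), an inherited-fd interface such as `userdom_rw_inherited_user_tmp_files` would be tighter, if this policy version provides one. Otherwise a comment naming the operation that needs the write belongs above the call so the grant stays auditable.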
@@ -11605,7 +13752,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -601,6 +622,9 @@ +@@ -556,11 +582,15 @@ + miscfiles_read_fonts(cups_pdf_t) + + userdom_home_filetrans_user_home_dir(cups_pdf_t) ++userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir }) + userdom_manage_user_home_content_dirs(cups_pdf_t) + userdom_manage_user_home_content_files(cups_pdf_t) + + lpd_manage_spool(cups_pdf_t) + ++optional_policy(` ++ gnome_read_config(cups_pdf_t) ++') + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(cups_pdf_t) +@@ -601,6 +631,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -11615,18 +13778,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.32/policy/modules/services/cvs.te +@@ -627,6 +660,7 @@ + corenet_tcp_connect_ipp_port(hplip_t) + corenet_sendrecv_hplip_client_packets(hplip_t) + corenet_receive_hplip_server_packets(hplip_t) ++corenet_udp_bind_howl_port(hplip_t) + + dev_read_sysfs(hplip_t) + dev_rw_printer(hplip_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.33/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cvs.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/cvs.te 2009-11-12 14:26:53.000000000 -0500 
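Review bot: `gnome_read_config(cups_pdf_t)` is added in an `optional_policy` block with no explanation, and since GNOME config files share one label regardless of owner it gives the cups-pdf backend read access to every user's GNOME configuration, not just the job owner's, as far as I can tell. If the backend only needs a single setting (the output directory is my guess), say so above the call — `# cups-pdf reads the job owner's GNOME config to locate the output directory`, or whatever the actual reason is — and check whether a narrower interface exists. The same hunk adds `userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })`, whose name does not follow the `userdom_user_home_dir_filetrans_user_home_content` form cron.te uses elsewhere in this patch, so confirm it resolves in this policy version.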
@@ -112,4 +112,5 @@ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.6.32/policy/modules/services/cyrus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.6.33/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cyrus.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/cyrus.te 2009-11-12 14:26:53.000000000 -0500 @@ -137,6 +137,7 @@ optional_policy(` snmp_read_snmp_var_lib_files(cyrus_t) @@ -11635,9 +13806,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.32/policy/modules/services/dbus.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.33/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/dbus.if 2009-11-12 14:26:53.000000000 -0500 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; 
@@ -11763,9 +13934,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.32/policy/modules/services/dbus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.33/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-08-18 18:39:50.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/dbus.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/dbus.te 2009-11-12 14:26:53.000000000 -0500 @@ -86,6 +86,7 @@ dev_read_sysfs(system_dbusd_t) @@ -11818,9 +13989,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; +allow session_bus_type dbusd_unconfined:dbus send_msg; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.32/policy/modules/services/dcc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.33/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/dcc.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/dcc.te 2009-11-12 14:26:53.000000000 -0500 @@ -130,11 +130,13 @@ # Access files in /var/dcc. The map file can be updated 
@@ -11847,9 +14018,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol spamassassin_read_spamd_tmp_files(dcc_client_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.32/policy/modules/services/ddclient.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.33/policy/modules/services/ddclient.if --- nsaserefpolicy/policy/modules/services/ddclient.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ddclient.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/ddclient.if 2009-11-12 14:26:53.000000000 -0500 @@ -21,6 +21,31 @@ ######################################## @@ -11882,18 +14053,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an ddclient environment ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.32/policy/modules/services/devicekit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.33/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/devicekit.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/devicekit.fc 2009-11-12 14:26:53.000000000 -0500 
@@ -5,4 +5,4 @@ /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.32/policy/modules/services/devicekit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.33/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/devicekit.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/devicekit.if 2009-11-12 14:26:53.000000000 -0500 @@ -139,6 +139,26 @@ ######################################## @@ -11930,9 +14101,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $1 devicekit_t:process { ptrace signal_perms getattr }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.32/policy/modules/services/devicekit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.33/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/devicekit.te 2009-11-14 00:17:30.000000000 -0500 @@ -36,12 +36,15 @@ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) 
@@ -11962,17 +14133,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -@@ -71,7 +77,9 @@ +@@ -71,7 +77,10 @@ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) +kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) +kernel_read_system_state(devicekit_disk_t) ++kernel_request_load_module(devicekit_disk_t) kernel_setsched(devicekit_disk_t) corecmd_exec_bin(devicekit_disk_t) -@@ -79,21 +87,34 @@ +@@ -79,21 +88,35 @@ dev_rw_sysfs(devicekit_disk_t) dev_read_urand(devicekit_disk_t) dev_getattr_usbfs_dirs(devicekit_disk_t) @@ -11997,6 +14169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_mount_all_fs(devicekit_disk_t) fs_unmount_all_fs(devicekit_disk_t) -fs_manage_fusefs_dirs(devicekit_disk_t) ++fs_search_all(devicekit_disk_t) storage_raw_read_fixed_disk(devicekit_disk_t) storage_raw_write_fixed_disk(devicekit_disk_t) @@ -12008,7 +14181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(devicekit_disk_t) miscfiles_read_localization(devicekit_disk_t) -@@ -110,6 +131,7 @@ +@@ -110,6 +133,7 @@ ') optional_policy(` @@ -12016,10 +14189,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) -@@ -134,14 +156,22 @@ +@@ -134,14 +158,26 @@ udev_read_db(devicekit_disk_t) ') ++ ++optional_policy(` ++ virt_read_images(devicekit_disk_t) ++') + +optional_policy(` + unconfined_domain(devicekit_t) 
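Review bot: `kernel_request_load_module(devicekit_disk_t)` lets the daemon trigger kernel module autoloading, and combined with the `fs_mount_all_fs(devicekit_disk_t)` shown as context, a plugged-in device with an unusual filesystem type will now pull the matching (and possibly rarely audited) filesystem driver into the kernel without operator action. That is probably unavoidable for automatic mounting, but it deserves a why-comment above the line, e.g. `# mounting a removable device can autoload its filesystem module`, so the next reviewer does not mistake it for a leftover. The devicekit_disk_t rule block begins before this hunk.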
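Review bot: `virt_read_images(devicekit_disk_t)` gives the disk daemon read access to virtual-machine disk images, and the hunk does not say which DeviceKit-disks operation touches them (attaching an image as a loop device is my guess, but nothing visible confirms it). Please add a comment naming the use case above the `optional_policy` block, e.g. `# probing VM disk images attached as loop devices`, since read access to every guest's disk is a meaningful grant for a daemon that also holds raw fixed-disk read/write per the context lines. The surrounding `optional_policy` blocks continue past this hunk.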
@@ -12040,7 +14217,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +181,7 @@ +@@ -151,6 +187,7 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) @@ -12048,7 +14225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,6 +190,7 @@ +@@ -159,6 +196,7 @@ domain_read_all_domains_state(devicekit_power_t) @@ -12056,7 +14233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +199,17 @@ +@@ -167,12 +205,17 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) @@ -12074,7 +14251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,8 +217,11 @@ +@@ -180,8 +223,11 @@ ') optional_policy(` @@ -12087,7 +14264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow devicekit_power_t devicekit_t:dbus send_msg; optional_policy(` -@@ -203,17 +243,23 @@ +@@ -203,17 +249,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) 
@@ -12111,9 +14288,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` vbetool_domtrans(devicekit_power_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.32/policy/modules/services/dnsmasq.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.33/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/dnsmasq.te 2009-09-28 09:39:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/dnsmasq.te 2009-11-12 14:26:53.000000000 -0500 @@ -83,6 +83,18 @@ userdom_dontaudit_search_user_home_dirs(dnsmasq_t) 
@@ -12133,9 +14310,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(dnsmasq_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.33/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-09-29 16:39:40.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/dovecot.te 2009-11-13 11:27:22.000000000 -0500 +@@ -56,7 +56,7 @@ + + allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; + dontaudit dovecot_t self:capability sys_tty_config; +-allow dovecot_t self:process { setrlimit signal_perms }; ++allow dovecot_t self:process { setrlimit signal_perms getcap setcap }; + allow dovecot_t self:fifo_file rw_fifo_file_perms; + allow dovecot_t self:tcp_socket create_stream_socket_perms; + allow dovecot_t self:unix_dgram_socket create_socket_perms; @@ -103,6 +103,7 @@ dev_read_urand(dovecot_t) @@ -12153,7 +14339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -220,9 +221,15 @@ +@@ -220,15 +221,23 @@ ') optional_policy(` 
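Review bot: `getcap setcap` are added to `dovecot_t self:process` without a comment; `setcap` only lets the process reshape its own capability sets via capset(2) and cannot add anything beyond what the capability rule two lines above already permits, so it is not an escalation, but the usual reason a daemon needs it is to drop capabilities after startup and that should be stated. I would put `# dovecot drops unneeded capabilities after binding its ports` (or the real reason, if the denial came from something else) above the rule. The dovecot_t rule block begins before this hunk.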
@@ -12169,9 +14355,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # dovecot deliver local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.32/policy/modules/services/exim.te + # + allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; + ++allow dovecot_deliver_t dovecot_t:process signull; ++ + allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; + allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; + +@@ -260,3 +269,14 @@ + optional_policy(` + mta_manage_spool(dovecot_deliver_t) + ') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_files(dovecot_deliver_t) ++ fs_manage_nfs_symlinks(dovecot_deliver_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_files(dovecot_deliver_t) ++ fs_manage_cifs_symlinks(dovecot_deliver_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.33/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/exim.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/exim.te 2009-11-12 14:26:53.000000000 -0500 @@ -111,6 +111,7 @@ files_search_var(exim_t) files_read_etc_files(exim_t) 
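Review bot: The new `use_nfs_home_dirs`/`use_samba_home_dirs` blocks give `dovecot_deliver_t` full manage rights on symlinks in NFS and CIFS home directories (`fs_manage_nfs_symlinks`, `fs_manage_cifs_symlinks`), which is more than delivering into a Maildir or mbox needs as far as I can see — following a symlink only requires read on it. Unless dovecot-lda is known to create or rename symlinks, `fs_read_nfs_symlinks(dovecot_deliver_t)` and `fs_read_cifs_symlinks(dovecot_deliver_t)` would be the tighter choice, and either way the blocks should carry a comment saying what is delivered where. The `signull` on `dovecot_t` added near the top of the hunk is harmless (an existence check only).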
@@ -12191,9 +14400,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol spamassassin_exec(exim_t) spamassassin_exec_client(exim_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.32/policy/modules/services/fail2ban.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.33/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/fail2ban.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/fail2ban.te 2009-11-12 14:26:53.000000000 -0500 @@ -33,6 +33,7 @@ allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; @@ -12202,9 +14411,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow fail2ban_t self:tcp_socket create_stream_socket_perms; # log files -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.32/policy/modules/services/fetchmail.te +@@ -79,6 +80,7 @@ + auth_use_nsswitch(fail2ban_t) + + logging_read_all_logs(fail2ban_t) ++logging_send_syslog_msg(fail2ban_t) + + miscfiles_read_localization(fail2ban_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.33/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/fetchmail.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/fetchmail.te 2009-11-12 14:26:53.000000000 -0500 @@ -47,6 +47,8 @@ kernel_read_proc_symlinks(fetchmail_t) kernel_dontaudit_read_system_state(fetchmail_t) 
@@ -12214,9 +14431,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(fetchmail_t) corenet_all_recvfrom_netlabel(fetchmail_t) corenet_tcp_sendrecv_generic_if(fetchmail_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.32/policy/modules/services/fprintd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.33/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/fprintd.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/fprintd.te 2009-11-12 14:26:53.000000000 -0500 @@ -37,6 +37,8 @@ files_read_etc_files(fprintd_t) files_read_usr_files(fprintd_t) @@ -12234,9 +14451,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(fprintd_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.33/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/ftp.te 2009-11-12 14:26:53.000000000 -0500 @@ -41,6 +41,13 @@ ## @@ -12251,7 +14468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow ftp to read and write files in the user home directories ##

##
-@@ -78,6 +85,14 @@ +@@ -78,12 +85,20 @@ type xferlog_t; logging_log_file(xferlog_t) @@ -12266,6 +14483,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # ftpd local policy + # + +-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource }; ++allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_admin sys_nice sys_resource }; + dontaudit ftpd_t self:capability sys_tty_config; + allow ftpd_t self:process signal_perms; + allow ftpd_t self:process { getcap setcap setsched setrlimit }; @@ -92,6 +107,8 @@ allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms; 
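Review bot: `sys_admin` is added to the ftpd_t capability set with no comment, and it is the catch-all capability — mount(2), pivot_root(2), quotactl(2) and many other privileged operations — so on a network-facing daemon that already holds `setuid`, `setgid` and `sys_chroot` it turns a code-execution bug into something close to full root, and the chroot the FTP server relies on stops being a meaningful boundary. Please record which syscall produced the denial (user quota support via quotactl is a plausible candidate, but nothing here confirms it) in a comment above the rule, and if the operation is a probe the daemon tolerates failing, use `dontaudit ftpd_t self:capability sys_admin;` instead of allowing it. The capability line appears in the new inner hunk `@@ -78,12 +85,20 @@`, whose surrounding rule block begins before this outer hunk.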
@@ -12353,9 +14577,491 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(ftpd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.32/policy/modules/services/gpm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.6.33/policy/modules/services/git.fc +--- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/git.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -1,3 +1,9 @@ + /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) +-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) + /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++ ++/srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) ++ ++/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0) ++ ++# Conflict with Fedora cgit fc spec. ++/var/lib/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.6.33/policy/modules/services/git.if +--- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/git.if 2009-11-12 14:26:53.000000000 -0500 +@@ -1 +1,285 @@ +-## GIT revision control system ++## Git daemon is a really simple server for Git repositories. ++## ++##

++## A really simple TCP git daemon that normally listens on ++## port DEFAULT_GIT_PORT aka 9418. It waits for a ++## connection asking for a service, and will serve that ++## service if it is enabled. ++##

++##

++## It verifies that the directory has the magic file ++## git-daemon-export-ok, and it will refuse to export any ++## git directory that has not explicitly been marked for ++## export this way (unless the --export-all parameter is ++## specified). If you pass some directory paths as ++## git-daemon arguments, you can further restrict the ++## offers to a whitelist comprising of those. ++##

++##

++## By default, only upload-pack service is enabled, which ++## serves git-fetch-pack and git-ls-remote clients, which ++## are invoked from git-fetch, git-pull, and git-clone. ++##

++##

++## This is ideally suited for read-only updates, i.e., ++## pulling from git repositories. ++##

++##

++## An upload-archive also exists to serve git-archive. ++##

++##
++ ++####################################### ++## ++## Role access for Git daemon session. ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++## ++## User domain for the role. ++## ++## ++# ++interface(`git_session_role', ` ++ gen_require(` ++ type gitd_session_t, gitd_exec_t, git_home_t; ++ ') ++ ++ ######################################## ++ # ++ # Git daemon session data declarations. ++ # ++ ++ ## ++ ##

++ ## Allow transitions to the Git daemon ++ ## session domain. ++ ##

++ ##
++ gen_tunable(gitd_session_transition, false) ++ ++ role $1 types gitd_session_t; ++ ++ ######################################## ++ # ++ # Git daemon session data policy. ++ # ++ ++ tunable_policy(`gitd_session_transition', ` ++ domtrans_pattern($2, gitd_exec_t, gitd_session_t) ++ ', ` ++ can_exec($2, gitd_exec_t) ++ ') ++ ++ allow $2 gitd_session_t:process { ptrace signal_perms }; ++ ps_process_pattern($2, gitd_session_t) ++ ++ exec_files_pattern($2, git_home_t, git_home_t) ++ manage_dirs_pattern($2, git_home_t, git_home_t) ++ manage_files_pattern($2, git_home_t, git_home_t) ++ ++ relabel_dirs_pattern($2, git_home_t, git_home_t) ++ relabel_files_pattern($2, git_home_t, git_home_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to execute ++## Git daemon data files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_execute_data_files', ` ++ gen_require(` ++ type git_data_t; ++ ') ++ ++ exec_files_pattern($1, git_data_t, git_data_t) ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to manage ++## Git daemon data content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_manage_data_content', ` ++ gen_require(` ++ type git_data_t; ++ ') ++ ++ manage_dirs_pattern($1, git_data_t, git_data_t) ++ manage_files_pattern($1, git_data_t, git_data_t) ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to manage ++## Git daemon home content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_manage_home_content', ` ++ gen_require(` ++ type git_home_t; ++ ') ++ ++ manage_dirs_pattern($1, git_home_t, git_home_t) ++ manage_files_pattern($1, git_home_t, git_home_t) ++ files_search_home($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to read ++## Git daemon home content. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_read_home_content', ` ++ gen_require(` ++ type git_home_t; ++ ') ++ ++ list_dirs_pattern($1, git_home_t, git_home_t) ++ read_files_pattern($1, git_home_t, git_home_t) ++ files_search_home($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to read ++## Git daemon data content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_read_data_content', ` ++ gen_require(` ++ type git_data_t; ++ ') ++ ++ list_dirs_pattern($1, git_data_t, git_data_t) ++ read_files_pattern($1, git_data_t, git_data_t) ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to relabel ++## Git daemon data content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_relabel_data_content', ` ++ gen_require(` ++ type git_data_t; ++ ') ++ ++ relabel_dirs_pattern($1, git_data_t, git_data_t) ++ relabel_files_pattern($1, git_data_t, git_data_t) ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to relabel ++## Git daemon home content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_relabel_home_content', ` ++ gen_require(` ++ type git_home_t; ++ ') ++ ++ relabel_dirs_pattern($1, git_home_t, git_home_t) ++ relabel_files_pattern($1, git_home_t, git_home_t) ++ files_search_home($1) ++') ++ ++######################################## ++## ++## All of the rules required to administrate an ++## Git daemon system environment ++## ++## ++## ++## Prefix of the domain. Example, user would be ++## the prefix for the user_t domain. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the Git daemon domain. 
++## ++## ++## ++# ++interface(`git_system_admin', ` ++ gen_require(` ++ type gitd_t, gitd_exec_t; ++ ') ++ ++ allow $1 gitd_t:process { getattr ptrace signal_perms }; ++ ps_process_pattern($1, gitd_t) ++ ++ kernel_search_proc($1) ++ ++ manage_files_pattern($1, gitd_exec_t, gitd_exec_t) ++ ++ # This will not work since git-shell needs to execute gitd content thus public content files. ++ # There is currently no clean way to execute public content files. ++ # miscfiles_manage_public_files($1) ++ ++ git_manage_data_content($1) ++ git_relabel_data_content($1) ++ ++ seutil_domtrans_setfiles($1) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.33/policy/modules/services/git.te +--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/git.te 2009-11-12 14:26:53.000000000 -0500 +@@ -1,9 +1,173 @@ + + policy_module(git, 1.0) + ++attribute gitd_type; ++attribute git_content_type; ++ ++######################################## ++# ++# Git daemon system private declarations. ++# ++ ++## ++##

++## Allow Git daemon system to search home directories. ++##

++##
++gen_tunable(git_system_enable_homedirs, false) ++ ++## ++##

++## Allow Git daemon system to access cifs file systems. ++##

++##
++gen_tunable(git_system_use_cifs, false) ++ ++## ++##

++## Allow Git daemon system to access nfs file systems. ++##

++##
++gen_tunable(git_system_use_nfs, false) ++ ++######################################## ++# ++# Git daemon global private declarations. ++# ++type gitd_exec_t; ++ ++type gitd_t, gitd_type; ++inetd_service_domain(gitd_t, gitd_exec_t) ++role system_r types gitd_t; ++ ++type git_data_t, git_content_type; ++files_type(git_data_t) ++ ++permissive gitd_t; ++ ++######################################## ++# ++# Git daemon session session private declarations. ++# ++ ++## ++##

++## Allow Git daemon session to bind ++## tcp sockets to all unreserved ports. ++##

++##
++gen_tunable(git_session_bind_all_unreserved_ports, false) ++ ++type gitd_session_t, gitd_type; ++application_domain(gitd_session_t, gitd_exec_t) ++ubac_constrained(gitd_session_t) ++ ++type git_home_t, git_content_type; ++userdom_user_home_content(git_home_t) ++ ++permissive gitd_session_t; ++ ++######################################## ++# ++# Git daemon global private policy. ++# ++ ++allow gitd_type self:fifo_file rw_fifo_file_perms; ++allow gitd_type self:tcp_socket create_socket_perms; ++allow gitd_type self:udp_socket create_socket_perms; ++allow gitd_type self:unix_dgram_socket create_socket_perms; ++ ++corenet_all_recvfrom_netlabel(gitd_type) ++corenet_all_recvfrom_unlabeled(gitd_type) ++ ++corenet_tcp_sendrecv_all_if(gitd_type) ++corenet_tcp_sendrecv_all_nodes(gitd_type) ++corenet_tcp_sendrecv_all_ports(gitd_type) ++ ++corenet_tcp_bind_all_nodes(gitd_type) ++corenet_tcp_bind_git_port(gitd_type) ++ ++corecmd_exec_bin(gitd_type) ++ ++files_read_etc_files(gitd_type) ++files_read_usr_files(gitd_type) ++ ++fs_search_auto_mountpoints(gitd_type) ++ ++kernel_read_system_state(gitd_type) ++ ++logging_send_syslog_msg(gitd_type) ++ ++auth_use_nsswitch(gitd_type) ++ ++miscfiles_read_localization(gitd_type) ++ ++######################################## ++# ++# Git daemon system repository private policy. ++# ++ ++list_dirs_pattern(gitd_t, git_content_type, git_content_type) ++read_files_pattern(gitd_t, git_content_type, git_content_type) ++files_search_var(gitd_t) ++ ++# This will not work since git-shell needs to execute gitd content thus public content files. ++# There is currently no clean way to execute public content files. 
++# miscfiles_read_public_files(gitd_t) ++ ++tunable_policy(`git_system_enable_homedirs', ` ++ userdom_search_user_home_dirs(gitd_t) ++') ++ ++tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', ` ++ fs_list_nfs(gitd_t) ++ fs_read_nfs_files(gitd_t) ++') ++ ++tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', ` ++ fs_list_cifs(gitd_t) ++ fs_read_cifs_files(gitd_t) ++') ++ ++tunable_policy(`git_system_use_cifs', ` ++ fs_list_cifs(gitd_t) ++ fs_read_cifs_files(gitd_t) ++') ++ ++tunable_policy(`git_system_use_nfs', ` ++ fs_list_nfs(gitd_t) ++ fs_read_nfs_files(gitd_t) ++') ++ ++######################################## ++# ++# Git daemon session repository private policy. ++# ++ ++list_dirs_pattern(gitd_session_t, git_home_t, git_home_t) ++read_files_pattern(gitd_session_t, git_home_t, git_home_t) ++userdom_search_user_home_dirs(gitd_session_t) ++ ++userdom_use_user_terminals(gitd_session_t) ++ ++tunable_policy(`git_session_bind_all_unreserved_ports', ` ++ corenet_tcp_bind_all_unreserved_ports(gitd_session_t) ++') ++ ++tunable_policy(`use_nfs_home_dirs', ` ++ fs_list_nfs(gitd_session_t) ++ fs_read_nfs_files(gitd_session_t) ++') ++ ++tunable_policy(`use_samba_home_dirs', ` ++ fs_list_cifs(gitd_session_t) ++ fs_read_cifs_files(gitd_session_t) ++') ++ + ######################################## + # +-# Declarations ++# cgi git Declarations + # + + apache_content_template(git) ++git_read_data_content(httpd_git_script_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.33/policy/modules/services/gpm.te --- nsaserefpolicy/policy/modules/services/gpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/gpm.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/gpm.te 2009-11-12 14:26:53.000000000 -0500 @@ -27,7 +27,8 @@ # Local policy # 
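Review bot: Both new domains in git.te are declared `permissive gitd_t;` and `permissive gitd_session_t;`, so none of the rules or tunables this hunk adds for them is enforced — denials are only logged, and git-daemon runs effectively unconfined. If this is a bring-up phase, each permissive line should carry a comment saying so and what must happen before it is removed, e.g. `# TODO: permissive while the policy is stabilised; drop once testing shows no AVC denials`, otherwise the domains ship this way by omission. The same hunk also relabels `/var/lib/git(/.*)?` in git.fc from httpd_git_content_t to git_data_t with only `# Conflict with Fedora cgit fc spec.` as explanation; stating that cgit's access now goes through `git_read_data_content(httpd_git_script_t)` (added at the end of git.te) would make the consequence for existing cgit deployments clear. Existing /var/lib/git content will presumably need relabeling after the upgrade; a note in the fc file would help packagers.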
@@ -12366,9 +15072,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow gpm_t self:unix_stream_socket create_stream_socket_perms; allow gpm_t gpm_conf_t:dir list_dir_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.32/policy/modules/services/gpsd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.33/policy/modules/services/gpsd.fc --- nsaserefpolicy/policy/modules/services/gpsd.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/gpsd.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/gpsd.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1 +1,6 @@ +/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0) + @@ -12376,9 +15082,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) +/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.32/policy/modules/services/gpsd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.33/policy/modules/services/gpsd.if --- nsaserefpolicy/policy/modules/services/gpsd.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/gpsd.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/gpsd.if 2009-11-12 14:26:53.000000000 -0500 @@ -33,11 +33,6 @@ ## The role to be allowed the gpsd domain. ##
@@ -12424,9 +15130,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.32/policy/modules/services/gpsd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.33/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/gpsd.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/gpsd.te 2009-11-12 14:26:53.000000000 -0500 @@ -11,15 +11,21 @@ application_domain(gpsd_t, gpsd_exec_t) init_daemon_domain(gpsd_t, gpsd_exec_t) @@ -12468,9 +15174,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - ntpd_rw_shm(gpsd_t) + ntp_rw_shm(gpsd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.32/policy/modules/services/hal.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.33/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/hal.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/hal.fc 2009-11-12 14:26:53.000000000 -0500 @@ -26,6 +26,7 @@ /var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) 
@@ -12479,9 +15185,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_gentoo',` /var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.32/policy/modules/services/hal.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.33/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/hal.if 2009-09-24 14:39:22.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/hal.if 2009-11-12 14:26:53.000000000 -0500 @@ -413,3 +413,21 @@ files_search_pids($1) manage_files_pattern($1, hald_var_run_t, hald_var_run_t) @@ -12504,9 +15210,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + dontaudit $1 hald_t:unix_dgram_socket { read write }; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.33/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-09-23 10:21:23.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/hal.te 2009-11-12 14:26:53.000000000 -0500 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -12539,7 +15245,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_getattr_all_mountpoints(hald_t) mls_file_read_all_levels(hald_t) -@@ -202,8 +212,10 @@ +@@ -197,13 +207,16 @@ + miscfiles_read_hwdata(hald_t) + + modutils_domtrans_insmod(hald_t) ++modutils_read_module_deps(hald_t) + + seutil_read_config(hald_t) seutil_read_default_contexts(hald_t) seutil_read_file_contexts(hald_t) @@ -12551,7 +15263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -290,6 +302,7 @@ +@@ -290,6 +303,7 @@ ') optional_policy(` @@ -12559,7 +15271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(hald_t) policykit_domtrans_resolve(hald_t) policykit_read_lib(hald_t) -@@ -321,6 +334,10 @@ +@@ -321,6 +335,10 @@ virt_manage_images(hald_t) ') @@ -12570,7 +15282,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Hal acl local policy -@@ -341,6 +358,7 @@ +@@ -341,6 +359,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -12578,7 +15290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(hald_acl_t) -@@ -357,6 +375,8 @@ +@@ -357,6 +376,8 @@ files_read_usr_files(hald_acl_t) files_read_etc_files(hald_acl_t) @@ -12587,7 +15299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_getattr_removable_dev(hald_acl_t) storage_setattr_removable_dev(hald_acl_t) storage_getattr_fixed_disk_dev(hald_acl_t) -@@ -369,6 +389,7 @@ +@@ -369,6 +390,7 @@ miscfiles_read_localization(hald_acl_t) optional_policy(` 
@@ -12595,7 +15307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(hald_acl_t) policykit_read_lib(hald_acl_t) policykit_read_reload(hald_acl_t) -@@ -450,12 +471,16 @@ +@@ -450,12 +472,16 @@ miscfiles_read_localization(hald_keymap_t) @@ -12614,7 +15326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_dccm_t self:process getsched; allow hald_dccm_t self:tcp_socket create_stream_socket_perms; allow hald_dccm_t self:udp_socket create_socket_perms; -@@ -469,10 +494,22 @@ +@@ -469,10 +495,22 @@ manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_dccm_t) @@ -12637,7 +15349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(hald_dccm_t) corenet_all_recvfrom_netlabel(hald_dccm_t) corenet_tcp_sendrecv_generic_if(hald_dccm_t) -@@ -484,6 +521,7 @@ +@@ -484,6 +522,7 @@ corenet_tcp_bind_generic_node(hald_dccm_t) corenet_udp_bind_generic_node(hald_dccm_t) corenet_udp_bind_dhcpc_port(hald_dccm_t) @@ -12645,7 +15357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_dccm_port(hald_dccm_t) logging_send_syslog_msg(hald_dccm_t) -@@ -491,3 +529,7 @@ +@@ -491,3 +530,7 @@ files_read_usr_files(hald_dccm_t) miscfiles_read_localization(hald_dccm_t) 
@@ -12653,9 +15365,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + dbus_system_bus_client(hald_dccm_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.6.32/policy/modules/services/howl.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.6.33/policy/modules/services/howl.te --- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/howl.te 2009-09-21 08:23:32.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/howl.te 2009-11-12 14:26:53.000000000 -0500 @@ -30,7 +30,7 @@ kernel_read_network_state(howl_t) 
@@ -12665,10 +15377,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_list_proc(howl_t) kernel_read_proc_symlinks(howl_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.6.32/policy/modules/services/inetd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.6.33/policy/modules/services/inetd.fc +--- nsaserefpolicy/policy/modules/services/inetd.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/inetd.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -9,4 +9,4 @@ + + /var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0) + +-/var/run/inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) ++/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.6.33/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/inetd.te 2009-09-16 10:03:09.000000000 -0400 -@@ -138,6 +138,8 @@ ++++ serefpolicy-3.6.33/policy/modules/services/inetd.te 2009-11-12 14:26:53.000000000 -0500 +@@ -104,6 +104,8 @@ + corenet_tcp_bind_telnetd_port(inetd_t) + corenet_udp_bind_tftp_port(inetd_t) + corenet_tcp_bind_ssh_port(inetd_t) ++corenet_tcp_bind_git_port(inetd_t) ++corenet_udp_bind_git_port(inetd_t) + + # service port packets: + corenet_sendrecv_amanda_server_packets(inetd_t) +@@ -138,6 +140,8 @@ files_read_etc_files(inetd_t) files_read_etc_runtime_files(inetd_t) 
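Review bot: The inetd.te additions `corenet_tcp_bind_git_port(inetd_t)` and `corenet_udp_bind_git_port(inetd_t)` grant both protocols, but git-daemon as described in the new git.if ("A really simple TCP git daemon that normally listens on port DEFAULT_GIT_PORT aka 9418") is TCP only, and git.te itself calls only `corenet_tcp_bind_git_port(gitd_type)`. Unless inetd is known to bind the UDP side of that port as well, the udp line widens inetd's listening set with no consumer and should be dropped or justified with a comment such as `# udp git port: <reason> -- TODO confirm inetd needs it`. Whether corenetwork defines git_port for udp at all is not visible in this patch. The inetd_t port-binding block continues outside the hunk.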
@@ -12677,9 +15407,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(inetd_t) miscfiles_read_localization(inetd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-3.6.32/policy/modules/services/irqbalance.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-3.6.33/policy/modules/services/irqbalance.te --- nsaserefpolicy/policy/modules/services/irqbalance.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/irqbalance.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/irqbalance.te 2009-11-12 14:26:53.000000000 -0500 @@ -18,11 +18,11 @@ # Local policy # 
@@ -12694,10 +15424,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.32/policy/modules/services/kerberos.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.33/policy/modules/services/kerberos.if +--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/kerberos.if 2009-11-13 11:27:57.000000000 -0500 +@@ -74,7 +74,7 @@ + ') + + files_search_etc($1) +- allow $1 krb5_conf_t:file read_file_perms; ++ read_files_pattern($1, krb5_conf_t, krb5_conf_t) + dontaudit $1 krb5_conf_t:file write; + dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; + dontaudit $1 krb5kdc_conf_t:file rw_file_perms; +@@ -84,6 +84,10 @@ + selinux_dontaudit_validate_context($1) + seutil_dontaudit_read_file_contexts($1) + ++ optional_policy(` ++ sssd_read_config_files($1) ++ ') ++ + tunable_policy(`allow_kerberos',` + allow $1 self:tcp_socket create_socket_perms; + allow $1 self:udp_socket create_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.33/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/kerberos.te 2009-09-16 10:03:09.000000000 -0400 -@@ -277,6 +277,8 @@ ++++ serefpolicy-3.6.33/policy/modules/services/kerberos.te 2009-11-13 08:15:23.000000000 -0500 +@@ -110,8 +110,9 @@ + manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) + files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) + 
+-kernel_read_kernel_sysctls(kadmind_t) + kernel_list_proc(kadmind_t) ++kernel_read_kernel_sysctls(kadmind_t) ++kernel_read_network_state(kadmind_t) + kernel_read_proc_symlinks(kadmind_t) + kernel_read_system_state(kadmind_t) + +@@ -277,6 +278,8 @@ # allow kpropd_t self:capability net_bind_service; @@ -12706,7 +15470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow kpropd_t self:fifo_file rw_file_perms; allow kpropd_t self:unix_stream_socket create_stream_socket_perms; allow kpropd_t self:tcp_socket create_stream_socket_perms; -@@ -286,8 +288,13 @@ +@@ -286,8 +289,13 @@ allow kpropd_t krb5_keytab_t:file read_file_perms; manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) @@ -12721,7 +15485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(kpropd_t) -@@ -303,10 +310,14 @@ +@@ -303,10 +311,14 @@ files_read_etc_files(kpropd_t) files_search_tmp(kpropd_t) @@ -12736,9 +15500,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_dns_name_resolve(kpropd_t) kerberos_use(kpropd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.32/policy/modules/services/kerneloops.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.33/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/kerneloops.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/kerneloops.te 2009-11-12 14:26:53.000000000 -0500 @@ -22,7 +22,7 @@ # 
@@ -12748,9 +15512,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow kerneloops_t self:fifo_file rw_file_perms; manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.32/policy/modules/services/ktalk.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.33/policy/modules/services/ktalk.te --- nsaserefpolicy/policy/modules/services/ktalk.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ktalk.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/ktalk.te 2009-11-12 14:26:53.000000000 -0500 @@ -69,6 +69,7 @@ files_read_etc_files(ktalkd_t) 
@@ -12759,18 +15523,87 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(ktalkd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.fc serefpolicy-3.6.33/policy/modules/services/lircd.fc +--- nsaserefpolicy/policy/modules/services/lircd.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/lircd.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -6,3 +6,5 @@ + /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) + + /var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) ++/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) ++/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.6.33/policy/modules/services/lircd.if +--- nsaserefpolicy/policy/modules/services/lircd.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/lircd.if 2009-11-12 14:26:53.000000000 -0500 +@@ -32,12 +32,11 @@ + # + interface(`lircd_stream_connect',` + gen_require(` +- type lircd_sock_t, lircd_t; ++ type lircd_var_run_t, lircd_t; + ') + +- allow $1 lircd_t:unix_stream_socket connectto; +- allow $1 lircd_sock_t:sock_file write_sock_file_perms; + files_search_pids($1) ++ stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t) + ') + + ####################################### +@@ -77,7 +76,7 @@ + # + interface(`lircd_admin',` + gen_require(` +- type lircd_t, lircd_var_run_t, lircd_sock_t; ++ type lircd_t, lircd_var_run_t; + type lircd_initrc_exec_t, lircd_etc_t; + ') + +@@ -94,6 +93,4 @@ + + files_search_pids($1) + admin_pattern($1, lircd_var_run_t) +- +- admin_pattern($1, 
lircd_sock_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.33/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-09-16 10:03:09.000000000 -0400 -@@ -42,7 +42,18 @@ ++++ serefpolicy-3.6.33/policy/modules/services/lircd.te 2009-11-12 14:26:53.000000000 -0500 +@@ -16,13 +16,9 @@ + type lircd_etc_t; + files_type(lircd_etc_t) + +-type lircd_var_run_t; ++type lircd_var_run_t alias lircd_sock_t; + files_pid_file(lircd_var_run_t) + +-# type for lircd /dev/ sock file +-type lircd_sock_t; +-files_type(lircd_sock_t) +- + ######################################## + # + # lircd local policy +@@ -34,15 +30,26 @@ + # etc file + read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) + +-# pid file + manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) + manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) ++manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) + files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) + # /dev/lircd socket - manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) - dev_filetrans(lircd_t, lircd_sock_t, sock_file ) +-manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) +-dev_filetrans(lircd_t, lircd_sock_t, sock_file ) ++dev_filetrans(lircd_t, lircd_var_run_t, sock_file ) +dev_read_generic_usb_dev(lircd_t) -+ +dev_filetrans_lirc(lircd_t) +dev_rw_lirc(lircd_t) +dev_rw_input_dev(lircd_t) ++ ++term_use_ptmx(lircd_t) logging_send_syslog_msg(lircd_t) 
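Review bot: `type lircd_var_run_t alias lircd_sock_t;` in lircd.te folds the /dev/lircd control socket and the pid file under one label, so any domain granted lircd_var_run_t for pid-file purposes now also reaches the socket, and `admin_pattern($1, lircd_var_run_t)` in lircd_admin covers both (which is why the separate admin_pattern for lircd_sock_t was dropped). That is a defensible simplification, but it is a deliberate loss of separation and should be recorded at the alias, e.g. `# lircd_sock_t merged into lircd_var_run_t: the /dev/lircd socket, /var/run/lirc* and the pid file share one label`, so a later reader does not "fix" it back. `term_use_ptmx(lircd_t)` is also added with no comment on what needs it; a one-line reason would help. The lircd local-policy section continues outside the hunk.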
@@ -12781,9 +15614,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + miscfiles_read_localization(lircd_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.33/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/mailman.te 2009-11-12 14:26:53.000000000 -0500 @@ -78,6 +78,10 @@ mta_dontaudit_rw_queue(mailman_mail_t) @@ -12795,9 +15628,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_read_pipes(mailman_mail_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.33/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/memcached.te 2009-11-12 14:26:53.000000000 -0500 @@ -44,6 +44,8 @@ files_read_etc_files(memcached_t) 
@@ -12807,19 +15640,68 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(memcached_t) sysnet_dns_name_resolve(memcached_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.32/policy/modules/services/mta.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.33/policy/modules/services/milter.if +--- nsaserefpolicy/policy/modules/services/milter.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/milter.if 2009-11-12 14:26:53.000000000 -0500 +@@ -35,6 +35,8 @@ + # Create other data files and directories in the data directory + manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) + ++ files_read_etc_files($1_milter_t) ++ + miscfiles_read_localization($1_milter_t) + + logging_send_syslog_msg($1_milter_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.33/policy/modules/services/modemmanager.te +--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-09-16 09:09:20.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/modemmanager.te 2009-11-12 14:26:53.000000000 -0500 +@@ -16,7 +16,7 @@ + # + # ModemManager local policy + # +- ++allow modemmanager_t self:process signal; + allow modemmanager_t self:fifo_file rw_file_perms; + allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; + allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -24,6 +24,7 @@ + kernel_read_system_state(modemmanager_t) + + dev_read_sysfs(modemmanager_t) ++dev_rw_modem(modemmanager_t) + + files_read_etc_files(modemmanager_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.33/policy/modules/services/mta.fc --- 
nsaserefpolicy/policy/modules/services/mta.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mta.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/mta.fc 2009-11-12 14:26:53.000000000 -0500 @@ -26,3 +26,5 @@ /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.33/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mta.if 2009-09-21 09:15:52.000000000 -0400 -@@ -311,6 +311,7 @@ ++++ serefpolicy-3.6.33/policy/modules/services/mta.if 2009-11-12 14:26:53.000000000 -0500 +@@ -69,6 +69,7 @@ + can_exec($1_mail_t, sendmail_exec_t) + allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms; + ++ kernel_read_system_state($1_mail_t) + kernel_read_kernel_sysctls($1_mail_t) + + corenet_all_recvfrom_unlabeled($1_mail_t) +@@ -87,6 +88,8 @@ + # It wants to check for nscd + files_dontaudit_search_pids($1_mail_t) + ++ init_dontaudit_rw_utmp($1_mail_t) ++ + auth_use_nsswitch($1_mail_t) + + logging_send_syslog_msg($1_mail_t) +@@ -311,6 +314,7 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1, mail_spool_t, mail_spool_t) read_files_pattern($1, mail_spool_t, mail_spool_t) 
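Review bot: The new `allow modemmanager_t self:process signal;` in modemmanager.te replaces the blank line that separated the `# ModemManager local policy` banner from the rules, so the rule now hangs directly off the comment box. Keep the empty separator and add the rule below it, i.e. `#`, blank line, `allow modemmanager_t self:process signal;`, matching how the other local-policy sections in this patch are laid out. The remaining changes in the hunk (`files_read_etc_files` for milters, `dev_rw_modem`, the `.forward` contexts in mta.fc) read fine.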
@@ -12827,7 +15709,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol create_lnk_files_pattern($1, mail_spool_t, mail_spool_t) read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -@@ -351,6 +352,7 @@ +@@ -351,6 +355,7 @@ # apache should set close-on-exec apache_dontaudit_rw_stream_sockets($1) apache_dontaudit_rw_sys_script_stream_sockets($1) @@ -12835,15 +15717,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -471,6 +473,7 @@ +@@ -376,7 +381,7 @@ + + allow mta_user_agent $1:fd use; + allow mta_user_agent $1:process sigchld; +- allow mta_user_agent $1:fifo_file { read write }; ++ allow mta_user_agent $1:fifo_file rw_fifo_file_perms; + ') + + ######################################## +@@ -470,7 +475,8 @@ + type etc_mail_t; ') - write_files_pattern($1, etc_mail_t, etc_mail_t) +- write_files_pattern($1, etc_mail_t, etc_mail_t) ++ manage_files_pattern($1, etc_mail_t, etc_mail_t) + allow $1 etc_mail_t:file setattr; ') ######################################## -@@ -694,7 +697,7 @@ +@@ -694,7 +700,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -12852,9 +15745,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.33/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mta.te 2009-09-22 20:56:19.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/mta.te 2009-11-12 14:26:53.000000000 -0500 
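Review bot: Replacing `write_files_pattern($1, etc_mail_t, etc_mail_t)` with `manage_files_pattern($1, etc_mail_t, etc_mail_t)` plus `allow $1 etc_mail_t:file setattr;` turns an existing interface from write access into create/unlink/rename on everything labelled etc_mail_t, for every caller that already uses it. The interface's name and `<summary>` start outside this hunk, so they need checking: if they still describe writing, either keep `write_files_pattern` here and add a separate manage-style interface for the callers that actually need it, or rename the interface and update its description. Silently widening a shared interface is how unrelated domains end up able to replace the mail server's configuration files.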
@@ -27,6 +27,9 @@ type mail_spool_t; files_mountpoint(mail_spool_t) @@ -12865,19 +15758,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type sendmail_exec_t; mta_agent_executable(sendmail_exec_t) -@@ -57,8 +60,11 @@ +@@ -57,8 +60,10 @@ can_exec(system_mail_t, mta_exec_type) +-kernel_read_system_state(system_mail_t) +files_read_all_tmp_files(system_mail_t) + - kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) +kernel_request_load_module(system_mail_t) dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) -@@ -72,16 +78,21 @@ +@@ -72,16 +77,21 @@ userdom_use_user_terminals(system_mail_t) userdom_dontaudit_search_user_home_dirs(system_mail_t) @@ -12899,7 +15792,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -100,6 +111,7 @@ +@@ -100,6 +110,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) @@ -12907,7 +15800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -178,6 +190,10 @@ +@@ -178,6 +189,10 @@ ') optional_policy(` @@ -12918,7 +15811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol smartmon_read_tmp_files(system_mail_t) ') -@@ -197,6 +213,25 @@ +@@ -197,6 +212,25 @@ ') ') 
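Review bot: `files_read_all_tmp_files(system_mail_t)` lets the system mail agent read every domain's temporary files, including user-session scratch data, which is far broader than any single caller needs and turns a local sendmail invocation into a read path into other domains' tmp. The same hunk already shows the targeted form for one case, `cron_read_system_job_tmp_files(system_mail_t)`; the per-caller `<domain>_read_tmp_files(system_mail_t)` inside the relevant `optional_policy` keeps each grant tied to the domain that hands mail to sendmail. If the broad rule is kept deliberately, a comment naming the caller that requires it would at least record the reason. `kernel_request_load_module(system_mail_t)` is also new here and deserves a one-line justification.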
@@ -12944,9 +15837,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # User send mail local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.32/policy/modules/services/munin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.33/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/munin.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/munin.fc 2009-11-12 14:26:53.000000000 -0500 @@ -9,3 +9,6 @@ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) @@ -12954,9 +15847,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.33/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/munin.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/munin.te 2009-11-12 14:26:53.000000000 -0500 @@ -33,7 +33,7 @@ # Local policy # 
@@ -12974,9 +15867,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.33/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/mysql.te 2009-11-12 14:26:53.000000000 -0500 @@ -136,7 +136,12 @@ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) @@ -12985,7 +15878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow mysqld_safe_t mysqld_log_t:file manage_file_perms; + -+domain_getattr_all_domains(mysqld_safe_t) ++domain_read_all_domains_state(mysqld_safe_t) + logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) 
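Review bot: Replacing `domain_getattr_all_domains(mysqld_safe_t)` with `domain_read_all_domains_state(mysqld_safe_t)` moves the wrapper script from stat'ing processes to reading every domain's /proc/&lt;pid&gt; entries, a much wider grant for a shell script whose job is to supervise mysqld. If the underlying denial is mysqld_safe inspecting its own child, `ps_process_pattern(mysqld_safe_t, mysqld_t)` scopes it to the mysqld domain; if the reads are merely noisy rather than needed, `domain_dontaudit_read_all_domains_state(mysqld_safe_t)` is the safer choice. The `mysqld_log_t` management added in the same hunk looks fine.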
@@ -12999,22 +15892,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mysql_read_config(mysqld_safe_t) mysql_search_pid_files(mysqld_safe_t) mysql_write_log(mysqld_safe_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.33/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2009-09-16 10:03:09.000000000 -0400 -@@ -1,16 +1,21 @@ ++++ serefpolicy-3.6.33/policy/modules/services/nagios.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -1,16 +1,22 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) +/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) - /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) - /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) +-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) ++/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) ++/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) -/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) +/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++#/usr/lib(64)?/nagios/plugins(/.*)? 
gen_context(system_u:object_r:nagios_plugin_exec_t,s0) /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) @@ -13027,9 +15923,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.33/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/nagios.if 2009-11-12 14:26:53.000000000 -0500 @@ -64,7 +64,7 @@ ######################################## @@ -13062,7 +15958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##
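Review bot: The commented-out entry `#/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:nagios_plugin_exec_t,s0)` references a type that is not declared anywhere in this patch, so it is dead text that suggests a plugin domain exists when none does. Either drop the line or declare `nagios_plugin_exec_t` with a domain and transition in nagios.te before shipping the context. Relatedly, nagios.te now declares `nrpe_var_run_t` with a `files_pid_filetrans`, but no pid-file context is added here, so a relabel would leave an existing pid file as var_run_t; if nrpe writes /var/run/nrpe.pid, `/var/run/nrpe\.pid -- gen_context(system_u:object_r:nrpe_var_run_t,s0)` closes that gap.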
## ## -@@ -92,10 +91,63 @@ +@@ -92,10 +91,82 @@ ## ## # @@ -13078,6 +15974,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_spool($1) +') + ++###################################### ++## ++## Read nagios logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nagios_read_log',` ++ gen_require(` ++ type nagios_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, nagios_var_log_t, nagios_var_log_t) ++') ++ +######################################## +## +## All of the rules required to administrate @@ -13129,9 +16044,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, nrpe_etc_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.33/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/nagios.te 2009-11-12 14:26:53.000000000 -0500 @@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) @@ -13159,7 +16074,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -60,6 +62,8 @@ +@@ -33,6 +35,9 @@ + type nrpe_etc_t; + files_config_file(nrpe_etc_t) + ++type nrpe_var_run_t; ++files_pid_file(nrpe_var_run_t) ++ + ######################################## + # + # Nagios local policy +@@ -60,6 +65,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) 
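Review bot: The new `nagios_read_log` interface requires `type nagios_var_log_t;`, but the log type used everywhere else in this patch is `nagios_log_t` (nagios.fc labels `/var/log/nagios(/.*)?` with it and nagios.te grants `nagios_log_t:dir list_dir_perms`). Unless `nagios_var_log_t` is declared somewhere outside these hunks, any module that calls `nagios_read_log` will fail to link on the unknown type. Both lines should use the existing type: `type nagios_log_t;` and `read_files_pattern($1, nagios_log_t, nagios_log_t)`. The interface grants file reads only; if callers also need to list the log directory, add `list_dirs_pattern($1, nagios_log_t, nagios_log_t)`.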
@@ -13168,7 +16093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) -@@ -127,39 +131,34 @@ +@@ -127,52 +134,57 @@ # # Nagios CGI local policy # 
@@ -13178,46 +16103,46 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow nagios_cgi_t self:process signal_perms; -allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; -+allow httpd_nagios_script_t self:process signal_perms; - +- -read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++allow httpd_nagios_script_t self:process signal_perms; -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -+files_search_spool(httpd_nagios_script_t) -+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) ++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -allow nagios_cgi_t nagios_log_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) ++files_search_spool(httpd_nagios_script_t) ++rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) + +-kernel_read_system_state(nagios_cgi_t) +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) --kernel_read_system_state(nagios_cgi_t) +-corecmd_exec_bin(nagios_cgi_t) +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) --corecmd_exec_bin(nagios_cgi_t) -+kernel_read_system_state(httpd_nagios_script_t) - -domain_dontaudit_read_all_domains_state(nagios_cgi_t) 
-+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) ++kernel_read_system_state(httpd_nagios_script_t) -files_read_etc_files(nagios_cgi_t) -files_read_etc_runtime_files(nagios_cgi_t) -files_read_kernel_symbol_table(nagios_cgi_t) -+files_read_etc_runtime_files(httpd_nagios_script_t) -+files_read_kernel_symbol_table(httpd_nagios_script_t) ++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) -logging_send_syslog_msg(nagios_cgi_t) -logging_search_logs(nagios_cgi_t) -- ++files_read_etc_runtime_files(httpd_nagios_script_t) ++files_read_kernel_symbol_table(httpd_nagios_script_t) + -miscfiles_read_localization(nagios_cgi_t) - -optional_policy(` 
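Review bot: The log-read rules carried over to the renamed domain still pair the wrong directory type with the file type: `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and the matching `read_lnk_files_pattern` line grant search on `nagios_etc_t` directories but reads on `nagios_log_t` files, which only works because the preceding `allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;` happens to supply the search permission. Both should be `read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)`, as the etc lines just above already do for their own type. As far as the collapsed hunk can be read, `corecmd_exec_bin`, `files_read_etc_files`, `logging_send_syslog_msg` and `miscfiles_read_localization` are dropped for the CGI domain with no visible replacement; presumably the apache content template supplies them, but that is worth confirming before the rename lands.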
@@ -13227,9 +16152,42 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.32/policy/modules/services/networkmanager.fc + # Nagios remote plugin executor local policy + # + ++allow nrpe_t self:capability {setuid setgid}; + dontaudit nrpe_t self:capability sys_tty_config; + allow nrpe_t self:process { setpgid signal_perms }; + allow nrpe_t self:fifo_file rw_fifo_file_perms; ++allow nrpe_t self:tcp_socket create_stream_socket_perms; + +-allow nrpe_t nrpe_etc_t:file read_file_perms; ++read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) + files_search_etc(nrpe_t) + ++manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t) ++files_pid_filetrans(nrpe_t,nrpe_var_run_t,file) ++files_read_etc_files(nrpe_t) ++ ++corenet_tcp_bind_generic_node(nrpe_t) ++corenet_tcp_bind_inetd_child_port(nrpe_t) ++corenet_sendrecv_unlabeled_packets(nrpe_t) ++ + kernel_read_system_state(nrpe_t) + kernel_read_kernel_sysctls(nrpe_t) + +@@ -192,6 +204,8 @@ + + miscfiles_read_localization(nrpe_t) + ++sysnet_read_config(nrpe_t) ++ + userdom_dontaudit_use_unpriv_user_fds(nrpe_t) + + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.33/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc 2009-09-29 08:08:44.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/networkmanager.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,12 +1,26 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) 
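Review bot: The hunk removes `allow nrpe_t nrpe_etc_t:file read_file_perms;` in favour of `read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)`, but nagios.fc still labels `/etc/nagios/nrpe\.cfg` as `nrpe_etc_t`, so unless a rule outside this hunk grants it, nrpe can no longer read its own configuration. Keep both: `read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)` for the shared directory and `read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)` for the file. The new `allow nrpe_t self:capability {setuid setgid};` is plausible for dropping to the nagios user, but since nrpe now also binds a TCP socket and sends unlabeled packets, a comment stating that the capabilities are for the post-bind privilege drop would make the intent reviewable; `files_pid_filetrans(nrpe_t,nrpe_var_run_t,file)` should also get the spaces after commas the surrounding lines use.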
@@ -13257,9 +16215,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.32/policy/modules/services/networkmanager.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.33/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/networkmanager.if 2009-11-12 14:26:53.000000000 -0500 @@ -118,6 +118,24 @@ ######################################## @@ -13285,13 +16243,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read NetworkManager PID files. ## ## -@@ -134,3 +152,30 @@ +@@ -134,3 +152,50 @@ files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') + +######################################## +## ++## Read NetworkManager PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_read_var_lib_files',` ++ gen_require(` ++ type NetworkManager_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ++ read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ++') ++ ++######################################## ++## +## Execute NetworkManager in the NetworkManager domain, and +## allow the specified role the NetworkManager domain. +## 
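Review bot: The new `networkmanager_read_var_lib_files` interface carries a copy-pasted summary, `## Read NetworkManager PID files.`, taken from `networkmanager_read_pid_files` just above it, so the generated interface documentation will describe the wrong thing. Change it to `## Read NetworkManager /var/lib files.`, which is what the body (`list_dirs_pattern`/`read_files_pattern` on `NetworkManager_var_lib_t`) actually grants. The role interface whose description closes this hunk continues outside it.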
@@ -13316,9 +16294,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types NetworkManager_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.33/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-09-24 20:38:43.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/networkmanager.te 2009-11-12 14:26:53.000000000 -0500 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -13557,9 +16535,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.32/policy/modules/services/nis.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.33/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nis.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/nis.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,4 +1,7 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) 
@@ -13569,9 +16547,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.32/policy/modules/services/nis.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.33/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nis.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/nis.if 2009-11-12 14:26:53.000000000 -0500 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -13713,9 +16691,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types ypbind_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.32/policy/modules/services/nis.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.33/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nis.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/nis.te 2009-11-12 14:26:53.000000000 -0500 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) 
@@ -13765,10 +16743,52 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_all_rpc_ports(ypxfr_t) corenet_udp_bind_all_rpc_ports(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.32/policy/modules/services/nscd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.33/policy/modules/services/nscd.if +--- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/nscd.if 2009-11-12 14:26:53.000000000 -0500 +@@ -121,6 +121,24 @@ + + ######################################## + ## ++## Use nscd services ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nscd_use',` ++ tunable_policy(`nscd_use_shm',` ++ nscd_shm_use($1) ++ ',` ++ nscd_socket_use($1) ++ ') ++') ++ ++######################################## ++## + ## Use NSCD services by mapping the database from + ## an inherited NSCD file descriptor. + ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.33/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nscd.te 2009-09-16 10:03:09.000000000 -0400 -@@ -91,6 +91,7 @@ ++++ serefpolicy-3.6.33/policy/modules/services/nscd.te 2009-11-12 14:26:53.000000000 -0500 +@@ -5,6 +5,13 @@ + class nscd all_nscd_perms; + ') + ++## ++##

++## Allow confined applications to use nscd shared memory. ++##

++##
++gen_tunable(nscd_use_shm, false) ++ + ######################################## + # + # Declarations +@@ -91,6 +98,7 @@ selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) domain_use_interactive_fds(nscd_t) @@ -13776,7 +16796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(nscd_t) files_read_generic_tmp_symlinks(nscd_t) -@@ -128,3 +129,12 @@ +@@ -128,3 +136,12 @@ xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') @@ -13789,9 +16809,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.32/policy/modules/services/nslcd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.33/policy/modules/services/nslcd.if --- nsaserefpolicy/policy/modules/services/nslcd.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nslcd.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/nslcd.if 2009-11-12 14:26:53.000000000 -0500 @@ -94,6 +94,7 @@ interface(`nslcd_admin',` gen_require(` 
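Review bot: The `nscd_use_shm` tunable description, `Allow confined applications to use nscd shared memory.`, does not say what the switch changes: with it on, every caller of the new `nscd_use` interface receives `nscd_shm_use`, which per the description of the neighbouring interface maps nscd's database from an inherited file descriptor, so those domains read the cached passwd/group/hosts data directly instead of querying nscd over its socket. A description such as `Allow confined applications to map the nscd cache database via shared memory instead of querying nscd over its socket.` lets an administrator judge that trade-off. The `nscd_use` interface itself would also benefit from a sentence in its `<summary>` noting that the choice between `nscd_shm_use` and `nscd_socket_use` is governed by the `nscd_use_shm` tunable.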
@@ -13812,9 +16832,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.32/policy/modules/services/ntp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.33/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ntp.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/ntp.if 2009-11-12 14:26:53.000000000 -0500 @@ -37,6 +37,32 @@ ######################################## @@ -13882,9 +16902,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an ntp environment ##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.32/policy/modules/services/ntp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.33/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ntp.te 2009-09-21 08:21:35.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/ntp.te 2009-11-12 14:26:53.000000000 -0500 @@ -41,10 +41,11 @@ # sys_resource and setrlimit is for locking memory 
@@ -13931,9 +16951,258 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.32/policy/modules/services/nx.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.fc serefpolicy-3.6.33/policy/modules/services/nut.fc +--- nsaserefpolicy/policy/modules/services/nut.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/services/nut.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,15 @@ ++ ++/usr/sbin/upsd -- gen_context(system_u:object_r:upsd_exec_t,s0) ++ ++/usr/sbin/upsmon -- gen_context(system_u:object_r:upsmon_exec_t,s0) ++ ++/sbin/upsdrvctl -- gen_context(system_u:object_r:upsdrvctl_exec_t,s0) ++ ++/var/run/nut/upsdrvctl\.pid -- gen_context(system_u:object_r:upsdrvctl_var_run_t,s0) ++ ++/var/run/nut/upsd\.pid -- gen_context(system_u:object_r:upsd_var_run_t,s0) ++ ++/var/run/nut/upsmon\.pid -- gen_context(system_u:object_r:upsmon_var_run_t,s0) ++ ++/var/run/nut/usbhid-ups-myups\.pid -- gen_context(system_u:object_r:upsdrvctl_var_run_t,s0) ++/var/run/nut/usbhid-ups-myups -s gen_context(system_u:object_r:upsdrvctl_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.if serefpolicy-3.6.33/policy/modules/services/nut.if +--- nsaserefpolicy/policy/modules/services/nut.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/services/nut.if 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,82 @@ ++## SELinux policy for nut - Network UPS Tools ++ ++##################################### ++## ++## Execute a domain transition to run upsd. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`upsd_domtrans',` ++ gen_require(` ++ type upsd_t, upsd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1,upsd_exec_t,upsd_t) ++ ++') ++ ++#################################### ++## ++## Execute a domain transition to run upsmon. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`upsmon_domtrans',` ++ gen_require(` ++ type upsmon_t, upsmon_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1,upsmon_exec_t,upsmon_t) ++ ++') ++ ++#################################### ++## ++## Execute a domain transition to run upsdrvctl. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`upsdrvctl_domtrans',` ++ gen_require(` ++ type upsdrvctl_t, upsdrvctl_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1,upsdrvctl_exec_t,upsdrvctl_t) ++ ++') ++ ++#################################### ++## ++## Connect to upsdrvctl over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`upsdrvctl_stream_connect',` ++ gen_require(` ++ type upsdrvctl_t, upsdrvctl_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, upsdrvctl_var_run_t, upsdrvctl_var_run_t, upsdrvctl_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.33/policy/modules/services/nut.te +--- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/services/nut.te 2009-11-13 15:33:43.000000000 -0500 +@@ -0,0 +1,140 @@ ++ ++policy_module(nut,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type upsd_t; ++type upsd_exec_t; ++init_daemon_domain(upsd_t,upsd_exec_t) ++ ++type upsd_var_run_t; ++files_pid_file(upsd_var_run_t) ++ ++type upsmon_t; ++type upsmon_exec_t; ++init_daemon_domain(upsmon_t,upsmon_exec_t) ++ ++type upsmon_var_run_t; ++files_pid_file(upsmon_var_run_t) ++ ++type upsdrvctl_t; ++type upsdrvctl_exec_t; ++init_daemon_domain(upsdrvctl_t, upsdrvctl_exec_t) ++ ++type upsdrvctl_var_run_t; ++files_pid_file(upsdrvctl_var_run_t) ++ ++permissive upsd_t; ++permissive upsdrvctl_t; ++permissive upsmon_t; ++ ++####################################### ++# ++# upsd local policy ++# ++ ++allow upsd_t self:capability { setuid setgid }; ++ ++allow upsd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow upsd_t self:tcp_socket create_stream_socket_perms; ++ ++# pid file ++manage_files_pattern(upsd_t, upsd_var_run_t, upsd_var_run_t) ++manage_dirs_pattern(upsd_t, upsd_var_run_t, upsd_var_run_t) ++manage_sock_files_pattern(upsd_t, upsd_var_run_t, upsd_var_run_t) ++files_pid_filetrans(upsd_t, upsd_var_run_t, { file }) ++ ++rw_files_pattern(upsd_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t) ++ ++corenet_tcp_bind_ups_port(upsd_t) ++corenet_tcp_bind_generic_node(upsd_t) ++ ++kernel_read_kernel_sysctls(upsd_t) ++ ++files_read_etc_files(upsd_t) 
++files_read_usr_files(upsd_t) ++ ++auth_use_nsswitch(upsd_t) ++ ++sysnet_read_config(upsd_t) ++ ++logging_send_syslog_msg(upsd_t) ++ ++miscfiles_read_localization(upsd_t) ++ ++optional_policy(` ++ upsdrvctl_stream_connect(upsd_t) ++') ++ ++###################################### ++# ++# upsmon local policy ++# ++ ++allow upsmon_t self:capability { dac_override setuid setgid }; ++ ++allow upsmon_t self:fifo_file rw_fifo_file_perms; ++allow upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow upsmon_t self:tcp_socket create_stream_socket_perms; ++ ++# pid file ++manage_files_pattern(upsmon_t, upsmon_var_run_t, upsmon_var_run_t) ++manage_dirs_pattern(upsmon_t, upsmon_var_run_t, upsmon_var_run_t) ++files_pid_filetrans(upsmon_t, upsmon_var_run_t, { file }) ++ ++rw_sock_files_pattern(upsmon_t,upsd_var_run_t,upsd_var_run_t) ++ ++corenet_tcp_connect_ups_port(upsmon_t) ++ ++corecmd_exec_bin(upsmon_t) ++corecmd_exec_shell(upsmon_t) ++ ++kernel_read_kernel_sysctls(upsmon_t) ++kernel_read_system_state(upsmon_t) ++ ++files_read_etc_files(upsmon_t) ++ ++auth_use_nsswitch(upsmon_t) ++ ++init_read_utmp(upsmon_t) ++ ++logging_send_syslog_msg(upsmon_t) ++ ++miscfiles_read_localization(upsmon_t) ++ ++###################################### ++# ++# ups local policy ++# ++ ++allow upsdrvctl_t self:capability { dac_override kill setuid setgid }; ++allow upsdrvctl_t self:process { signal signull }; ++ ++allow upsdrvctl_t self:fifo_file rw_fifo_file_perms; ++allow upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; ++ ++# pid file ++manage_files_pattern(upsdrvctl_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t) ++manage_dirs_pattern(upsdrvctl_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t) ++manage_sock_files_pattern(upsdrvctl_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t) ++files_pid_filetrans(upsdrvctl_t, upsdrvctl_var_run_t, { file sock_file }) ++ ++corecmd_exec_bin(upsdrvctl_t) ++ ++kernel_read_kernel_sysctls(upsdrvctl_t) ++ 
++dev_rw_generic_usb_dev(upsdrvctl_t) ++ ++term_use_unallocated_ttys(upsdrvctl_t) ++ ++files_read_etc_files(upsdrvctl_t) ++ ++sysnet_read_config(upsdrvctl_t) ++ ++logging_send_syslog_msg(upsdrvctl_t) ++ ++miscfiles_read_localization(upsdrvctl_t) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.33/policy/modules/services/nx.fc --- nsaserefpolicy/policy/modules/services/nx.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/nx.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,6 +1,7 @@ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) @@ -13942,9 +17211,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.33/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nx.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/nx.if 2009-11-12 14:26:53.000000000 -0500 @@ -17,3 +17,22 @@ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) 
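Review bot: The last two entries of the new nut.fc bind the driver pid and socket labels to one configured UPS name, `usbhid-ups-myups`, so after a relabel a driver instance with any other name under /var/run/nut keeps the parent directory's label and the `upsdrvctl_stream_connect` rule that upsd_t relies on does not cover its socket; a directory-wide entry, `/var/run/nut(/.*)? gen_context(system_u:object_r:upsdrvctl_var_run_t,s0)`, would cover every instance while the existing per-daemon pid entries, being more specific, still win for their files. The three `permissive` lines in nut.te leave upsd_t, upsmon_t and upsdrvctl_t audit-only, so none of the allow rules that follow are actually enforced, and nothing in the hunk says this is temporary; a comment such as `# permissive while the nut domains are being exercised -- remove once no AVC denials remain` would record the intent and the exit condition. `corecmd_exec_bin(upsmon_t)` and `corecmd_exec_shell(upsmon_t)` also deserve a why-comment, presumably for the notify and shutdown commands upsmon runs, since they let the daemon execute any system binary in its own domain.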
@@ -13968,9 +17237,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) + read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.32/policy/modules/services/nx.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.33/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nx.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/nx.te 2009-11-12 14:26:53.000000000 -0500 @@ -25,6 +25,9 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -13991,9 +17260,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.32/policy/modules/services/oddjob.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.33/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/oddjob.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/oddjob.if 2009-11-12 14:26:53.000000000 -0500 @@ -44,6 +44,7 @@ ') 
@@ -14002,9 +17271,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.33/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/openvpn.te 2009-11-12 14:26:53.000000000 -0500 @@ -100,6 +100,8 @@ files_read_etc_files(openvpn_t) files_read_etc_runtime_files(openvpn_t) 
@@ -14014,9 +17283,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.32/policy/modules/services/pcscd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.6.33/policy/modules/services/pcscd.if +--- nsaserefpolicy/policy/modules/services/pcscd.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/pcscd.if 2009-11-12 14:26:53.000000000 -0500 +@@ -53,6 +53,5 @@ + ') + + files_search_pids($1) +- allow $1 pcscd_var_run_t:sock_file write; +- allow $1 pcscd_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.33/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/pcscd.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/pcscd.te 2009-11-12 14:26:53.000000000 -0500 @@ -29,6 +29,7 @@ manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) @@ -14025,7 +17305,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) -@@ -46,6 +47,8 @@ +@@ -40,12 +41,15 @@ + corenet_tcp_connect_http_port(pcscd_t) + + dev_rw_generic_usb_dev(pcscd_t) ++dev_rw_smartcard(pcscd_t) + dev_rw_usbfs(pcscd_t) + dev_search_sysfs(pcscd_t) + files_read_etc_files(pcscd_t) files_read_etc_runtime_files(pcscd_t) 
@@ -14034,9 +17321,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_unallocated_ttys(pcscd_t) term_dontaudit_getattr_pty_dirs(pcscd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.32/policy/modules/services/pegasus.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.33/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/pegasus.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/pegasus.te 2009-11-12 14:26:53.000000000 -0500 @@ -30,7 +30,7 @@ # Local policy # @@ -14108,18 +17395,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.6.32/policy/modules/services/plymouth.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.6.33/policy/modules/services/plymouth.fc --- nsaserefpolicy/policy/modules/services/plymouth.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/plymouth.fc 2009-09-30 13:21:52.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/plymouth.fc 2009-11-12 14:26:53.000000000 -0500 
@@ -0,0 +1,5 @@ +/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t, s0) +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0) +/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t, s0) +/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0) +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.6.32/policy/modules/services/plymouth.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.6.33/policy/modules/services/plymouth.if --- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/plymouth.if 2009-09-30 13:20:45.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/plymouth.if 2009-11-12 14:26:53.000000000 -0500 @@ -0,0 +1,286 @@ +## policy for plymouthd + @@ -14407,10 +17694,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 plymouthd_t:unix_stream_socket connectto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.33/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-09-30 13:18:14.000000000 -0400 -@@ -0,0 +1,86 @@ ++++ serefpolicy-3.6.33/policy/modules/services/plymouth.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,97 @@ +policy_module(plymouthd, 1.0.0) + +######################################## 
@@ -14455,9 +17742,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; + +kernel_read_system_state(plymouthd_t) ++kernel_request_load_module(plymouthd_t) ++kernel_change_ring_buffer_level(plymouthd_t) + +dev_rw_dri(plymouthd_t) +dev_read_sysfs(plymouthd_t) ++dev_read_framebuffer(plymouthd_t) ++dev_write_framebuffer(plymouthd_t) + +domain_use_interactive_fds(plymouthd_t) + @@ -14497,9 +17788,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(plymouth_t) + +plymouth_stream_connect(plymouth_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.32/policy/modules/services/policykit.fc ++ ++ifdef(`hide_broken_symptoms', ` ++optional_policy(` ++ hal_dontaudit_write_log(plymouth_t) ++ hal_dontaudit_rw_pipes(plymouth_t) ++') ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.33/policy/modules/services/policykit.fc --- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/policykit.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/policykit.fc 2009-11-12 14:26:53.000000000 -0500 @@ -6,10 +6,13 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) 
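Review bot: The four lines added to plymouthd_t in the `@@ -14455` hunk carry no comment explaining why a boot-splash daemon needs to trigger kernel module loading, change the kernel ring-buffer log level and write the framebuffer; the surrounding rules in this block are all read-only or device-scoped, so these are the ones a later reader will question. A why-comment above each pair, e.g. `# plymouthd probes for the drm/fb driver and quiets the console during boot -- verify against plymouthd` for the kernel_* pair, would make the grants reviewable; the opening of the plymouthd local policy block is outside this hunk. The `hide_broken_symptoms` dontaudit pair appended to plymouth_t in the `@@ -14497` hunk is consistent with how the file already uses that switch.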
@@ -14515,9 +17813,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.32/policy/modules/services/policykit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.33/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/policykit.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/policykit.if 2009-11-12 14:26:53.000000000 -0500 @@ -17,6 +17,8 @@ class dbus send_msg; ') @@ -14585,9 +17883,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 policykit_auth_t:process signal; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.33/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-09-18 17:05:02.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/policykit.te 2009-11-12 14:26:53.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # 
@@ -14605,7 +17903,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(policykit_t) -@@ -62,27 +63,46 @@ +@@ -57,32 +58,52 @@ + manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) + files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) + ++kernel_read_system_state(policykit_t) + kernel_read_kernel_sysctls(policykit_t) + files_read_etc_files(policykit_t) files_read_usr_files(policykit_t) @@ -14656,7 +17960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -92,12 +112,14 @@ +@@ -92,12 +113,14 @@ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -14673,7 +17977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(policykit_auth_t) -@@ -106,7 +128,7 @@ +@@ -106,7 +129,7 @@ userdom_dontaudit_read_user_home_content_files(policykit_auth_t) optional_policy(` @@ -14682,7 +17986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -119,6 +141,14 @@ +@@ -119,6 +142,14 @@ hal_read_state(policykit_auth_t) ') @@ -14697,7 +18001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # polkit_grant local policy -@@ -126,7 +156,8 @@ +@@ -126,7 +157,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; 
@@ -14707,7 +18011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -156,9 +187,12 @@ +@@ -156,9 +188,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -14721,7 +18025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -170,7 +204,8 @@ +@@ -170,7 +205,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -14731,9 +18035,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.32/policy/modules/services/postfix.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.33/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/postfix.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/postfix.fc 2009-11-12 14:26:53.000000000 -0500 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) 
@@ -14747,9 +18051,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.32/policy/modules/services/postfix.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.33/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/postfix.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/postfix.if 2009-11-12 14:26:53.000000000 -0500 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -14996,9 +18300,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types postfix_postdrop_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.33/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2009-09-29 17:17:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/postfix.te 2009-11-12 14:26:53.000000000 -0500 @@ -6,6 +6,15 @@ # Declarations # 
@@ -15159,7 +18463,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -240,11 +268,16 @@ +@@ -240,11 +268,18 @@ manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) @@ -15169,6 +18473,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(postfix_cleanup_t) ++mta_read_aliases(postfix_cleanup_t) ++ +optional_policy(` + mailman_read_data_files(postfix_cleanup_t) +') @@ -15176,7 +18482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix local local policy -@@ -253,10 +286,6 @@ +@@ -253,10 +288,6 @@ allow postfix_local_t self:fifo_file rw_fifo_file_perms; allow postfix_local_t self:process { setsched setrlimit }; @@ -15187,7 +18493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -270,18 +299,29 @@ +@@ -270,18 +301,29 @@ files_read_etc_files(postfix_local_t) @@ -15217,7 +18523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -292,8 +332,7 @@ +@@ -292,8 +334,7 @@ # # Postfix map local policy # 
@@ -15227,7 +18533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -340,14 +379,15 @@ +@@ -340,14 +381,15 @@ miscfiles_read_localization(postfix_map_t) @@ -15247,7 +18553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix pickup local policy -@@ -372,6 +412,7 @@ +@@ -372,6 +414,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -15255,7 +18561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -379,6 +420,12 @@ +@@ -379,6 +422,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -15268,7 +18574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -388,6 +435,15 @@ +@@ -388,6 +437,15 @@ ') optional_policy(` @@ -15284,7 +18590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol uucp_domtrans_uux(postfix_pipe_t) ') -@@ -415,6 +471,10 @@ +@@ -415,6 +473,10 @@ mta_rw_user_mail_stream_sockets(postfix_postdrop_t) optional_policy(` @@ -15295,7 +18601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') -@@ -424,8 +484,11 @@ +@@ -424,8 +486,11 @@ ') optional_policy(` @@ -15309,7 +18615,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -451,6 +514,15 @@ +@@ -451,6 +516,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) 
@@ -15325,7 +18631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -464,6 +536,7 @@ +@@ -464,6 +538,7 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) @@ -15333,7 +18639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -@@ -505,7 +578,7 @@ +@@ -505,7 +580,7 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -15342,7 +18648,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` cyrus_stream_connect(postfix_smtp_t) -@@ -535,9 +608,18 @@ +@@ -535,9 +610,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -15361,7 +18667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_read_data_files(postfix_smtpd_t) ') -@@ -559,20 +641,22 @@ +@@ -559,20 +643,22 @@ allow postfix_virtual_t postfix_spool_t:file rw_file_perms; 
@@ -15389,20 +18695,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.32/policy/modules/services/postgresql.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.33/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/postgresql.fc 2009-09-16 10:03:09.000000000 -0400 -@@ -2,6 +2,7 @@ ++++ serefpolicy-3.6.33/policy/modules/services/postgresql.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -2,6 +2,8 @@ # /etc # /etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) ++/etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) # # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.32/policy/modules/services/postgresql.if +@@ -9,13 +11,11 @@ + /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0) + /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) + +-/usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) +-/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) +- +-/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/lib(64)?/pgsql/test/regress(/.*)? 
gen_context(system_u:object_r:postgresql_db_t,s0) ++/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) + + ifdef(`distro_debian', ` +-/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/lib(64)?/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) + ') + + ifdef(`distro_redhat', ` +@@ -38,8 +38,6 @@ + /var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) + /var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0) + +-ifdef(`distro_redhat', ` +-/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) +-') +- + /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) ++ ++/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.33/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/postgresql.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/postgresql.if 2009-11-12 14:26:53.000000000 -0500 @@ -384,3 +384,46 @@ typeattribute $1 sepgsql_unconfined_type; 
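Review bot: The unconditional `/usr/lib(64)?/postgresql/bin/.*` exec entry is dropped in the first inner hunk of postgresql.fc and only the `distro_debian` variant with a version component survives, so unless the `distro_redhat` block that this hunk skips over covers it, binaries under /usr/lib/postgresql/bin on other layouts lose their postgresql_exec_t label after a relabel; if the removal is intentional it is worth a line in the patch description, otherwise the entry should stay. The new `/var/run/postmaster.*` entry has no object-class field, so it also labels directories and sockets under that prefix; if it is meant only for the pid files, narrowing it to `/var/run/postmaster.* -- gen_context(system_u:object_r:postgresql_var_run_t,s0)` keeps the label scoped to regular files.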
@@ -15450,9 +18785,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, postgresql_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.32/policy/modules/services/postgresql.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.33/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/postgresql.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/postgresql.te 2009-11-12 14:26:53.000000000 -0500 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) @@ -15497,9 +18832,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(postgresql_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.32/policy/modules/services/ppp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.33/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ppp.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/ppp.if 2009-11-12 14:26:53.000000000 -0500 @@ -177,10 +177,16 @@ interface(`ppp_run',` gen_require(` 
@@ -15517,9 +18852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.33/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2009-09-21 08:21:54.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/ppp.te 2009-11-12 14:26:53.000000000 -0500 @@ -38,7 +38,7 @@ files_type(pppd_etc_rw_t) 
@@ -15571,20 +18906,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(pptp_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.33/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2009-09-18 21:24:50.000000000 -0400 -@@ -123,6 +123,7 @@ ++++ serefpolicy-3.6.33/policy/modules/services/prelude.te 2009-11-12 14:26:53.000000000 -0500 +@@ -122,7 +122,8 @@ + # # prelude_audisp local policy # - allow prelude_audisp_t self:capability dac_override; +-allow prelude_audisp_t self:capability dac_override; ++allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap }; +allow prelude_audisp_t self:process { getcap setcap }; allow prelude_audisp_t self:fifo_file rw_file_perms; allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.32/policy/modules/services/privoxy.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.6.33/policy/modules/services/privoxy.fc +--- nsaserefpolicy/policy/modules/services/privoxy.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/privoxy.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -1,6 +1,5 @@ + +-/etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) +-/etc/privoxy/default\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) ++/etc/privoxy/[^/]*\.action -- 
gen_context(system_u:object_r:privoxy_etc_rw_t,s0) + /etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0) + + /usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.33/policy/modules/services/privoxy.te --- nsaserefpolicy/policy/modules/services/privoxy.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/privoxy.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/privoxy.te 2009-11-12 14:26:53.000000000 -0500 @@ -47,9 +47,8 @@ manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t) files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) @@ -15596,9 +18944,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(privoxy_t) corenet_all_recvfrom_netlabel(privoxy_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.32/policy/modules/services/procmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.33/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/procmail.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/procmail.te 2009-11-12 14:26:53.000000000 -0500 @@ -22,7 +22,7 @@ # Local policy # 
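Review bot: The privoxy.fc change in this hunk folds the two explicitly writable action files into `/etc/privoxy/[^/]*\.action`, so every `.action` file an administrator places in /etc/privoxy is now privoxy_etc_rw_t and therefore modifiable by privoxy_t instead of being read-only configuration. That is fine if privoxy itself is expected to rewrite any action file, but it also means a compromised proxy can alter admin-authored filtering rules; a comment on the entry stating which component writes these files and why all of them must be rw would record the decision. The prelude_audisp change earlier in the same hunk adds `setpcap` next to `self:process { getcap setcap }`; a similar one-line why-comment there (which capability the plugin drops or raises) would make that grant auditable.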
@@ -15646,9 +18994,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.32/policy/modules/services/pyzor.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.33/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/pyzor.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/pyzor.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,6 +1,10 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -15660,9 +19008,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.32/policy/modules/services/pyzor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.33/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/pyzor.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/pyzor.if 2009-11-12 14:26:53.000000000 -0500 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) 
@@ -15714,9 +19062,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.32/policy/modules/services/pyzor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.33/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/pyzor.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/pyzor.te 2009-11-12 14:26:53.000000000 -0500 @@ -6,6 +6,38 @@ # Declarations # @@ -15781,9 +19129,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.32/policy/modules/services/radvd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.33/policy/modules/services/radvd.te --- nsaserefpolicy/policy/modules/services/radvd.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/radvd.te 2009-09-21 22:37:52.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/radvd.te 2009-11-12 14:26:53.000000000 -0500 @@ -41,6 +41,7 @@ kernel_rw_net_sysctls(radvd_t) kernel_read_network_state(radvd_t) 
@@ -15792,17 +19140,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(radvd_t) corenet_all_recvfrom_netlabel(radvd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.32/policy/modules/services/razor.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.33/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/razor.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/razor.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,3 +1,4 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.32/policy/modules/services/razor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.33/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/razor.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/razor.if 2009-11-12 14:26:53.000000000 -0500 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) 
@@ -15849,9 +19197,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.32/policy/modules/services/razor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.33/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/razor.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/razor.te 2009-11-12 14:26:53.000000000 -0500 @@ -6,6 +6,32 @@ # Declarations # 
@@ -15903,20 +19251,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.6.32/policy/modules/services/rgmanager.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.6.33/policy/modules/services/rgmanager.fc --- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.fc 2009-09-16 10:03:09.000000000 -0400 -@@ -0,0 +1,6 @@ ++++ serefpolicy-3.6.33/policy/modules/services/rgmanager.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,8 @@ + +/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) + +/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) + +/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.32/policy/modules/services/rgmanager.if ++ ++/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.33/policy/modules/services/rgmanager.if --- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2009-09-16 10:03:09.000000000 -0400 -@@ -0,0 +1,40 @@ ++++ serefpolicy-3.6.33/policy/modules/services/rgmanager.if 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,59 @@ +## SELinux policy for rgmanager + +####################################### 
@@ -15957,10 +19307,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 rgmanager_t:sem { unix_read unix_write associate read write }; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te ++######################################## ++## ++## Connect to rgmanager over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rgmanager_stream_connect',` ++ gen_require(` ++ type rgmanager_t, rgmanager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.33/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2009-09-16 10:03:09.000000000 -0400 -@@ -0,0 +1,54 @@ ++++ serefpolicy-3.6.33/policy/modules/services/rgmanager.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,83 @@ + +policy_module(rgmanager,1.0.0) + @@ -15974,6 +19343,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +domain_type(rgmanager_t) +init_daemon_domain(rgmanager_t, rgmanager_exec_t) + ++# tmp files ++type rgmanager_tmp_t; ++files_tmp_file(rgmanager_tmp_t) ++ +# log files +type rgmanager_var_log_t; +logging_log_file(rgmanager_var_log_t) 
@@ -15988,13 +19361,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +allow rgmanager_t self:capability { sys_nice ipc_lock }; -+allow rgmanager_t self:process setsched; ++allow rgmanager_t self:process { setsched signal ptrace }; + +allow rgmanager_t self:fifo_file rw_fifo_file_perms; +allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms }; +allow rgmanager_t self:unix_dgram_socket create_socket_perms; +allow rgmanager_t self:tcp_socket create_stream_socket_perms; + ++# tmp files ++manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) ++manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) ++files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir }) ++ +# log files +manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t) +logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file }) @@ -16002,7 +19380,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# pid file +manage_files_pattern(rgmanager_t, rgmanager_var_run_t,rgmanager_var_run_t) +manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) -+files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file }) ++files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file }) ++ ++aisexec_stream_connect(rgmanager_t) ++groupd_stream_connect(rgmanager_t) ++ ++corecmd_exec_bin(rgmanager_t) ++corecmd_exec_sbin(rgmanager_t) ++corecmd_exec_shell(rgmanager_t) ++consoletype_exec(rgmanager_t) ++ ++kernel_search_debugfs(rgmanager_t) ++ ++fs_getattr_xattr_fs(rgmanager_t) ++ ++# need to write to /dev/misc/dlm-control ++dev_manage_generic_chr_files(rgmanager_t) ++dev_search_sysfs(rgmanager_t) + +auth_use_nsswitch(rgmanager_t) + 
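Review bot: `allow rgmanager_t self:process { setsched signal ptrace };` in the rgmanager self-permission hunk introduces self-ptrace with no explanation, and nothing else in the hunk shows what triggers it. ptrace on one's own domain is unusual for a daemon (it typically surfaces when a process reads its own /proc/<pid>/mem-style files), so if this was copied from an AVC denial a one-line comment naming the access that needed it would stop the next reviewer from treating it as a leftover. The remaining additions (tmp-file rules and the socket permissions) look consistent with the `rgmanager_tmp_t` declaration added earlier in the same file.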
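Review bot: `dev_manage_generic_chr_files(rgmanager_t)`, justified only by `# need to write to /dev/misc/dlm-control`, grants create/delete/rename/write on every character device that still carries the generic device type, which is far more than one control node and is the kind of rule that lets a compromised cluster manager reach unrelated hardware. If write access is all that is required, `dev_rw_generic_chr_files(rgmanager_t)` is the narrower interface; tighter still is giving the dlm control device its own type in devices.fc and allowing rw on that type only. The same broad manage rule is handed to gfs_controld_t later on this page, so a dedicated device type would pay off twice. Note that `permissive rgmanager_t;` is still present further down the file, so none of these rules are currently enforced and over-broad grants will not show up as denials.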
@@ -16015,10 +19409,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +permissive rgmanager_t; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.32/policy/modules/services/rhcs.fc ++optional_policy(` ++ ccs_stream_connect(rgmanager_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.33/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2009-09-25 16:23:28.000000000 -0400 -@@ -0,0 +1,21 @@ ++++ serefpolicy-3.6.33/policy/modules/services/rhcs.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,22 @@ + +/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) @@ -16028,6 +19426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) +/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) +/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) ++/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) + +/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) +/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) 
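Review bot: The new `/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)` entry uses `--`, which restricts the match to regular files, yet the rhcs.te hunk further down this page adds `manage_fifo_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t)` and `files_pid_filetrans(fenced_t, fenced_var_run_t, { file fifo_file })`, which suggests fenced_override is created as a FIFO. If so, restorecon/setfiles will never apply this entry and a relabel leaves the FIFO with the default pid-directory label; `-p` is the file-class qualifier for named pipes. If it really is a regular file then the fifo_file filetrans in the .te is the odd one out instead; either way one of the two should change.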
@@ -16040,12 +19439,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) +/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.6.32/policy/modules/services/rhcs.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.6.33/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/rhcs.if 2009-09-25 16:23:28.000000000 -0400 -@@ -0,0 +1,309 @@ ++++ serefpolicy-3.6.33/policy/modules/services/rhcs.if 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,348 @@ +## SELinux policy for RHCS - Red Hat Cluster Suite + ++###################################### ++## ++## Execute a domain transition to run groupd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`groupd_domtrans',` ++ gen_require(` ++ type groupd_t, groupd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1,groupd_exec_t,groupd_t) ++') ++ +##################################### +## +## Connect to groupd over a unix domain 
@@ -16353,10 +19771,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 gfs_controld_t:shm { rw_shm_perms destroy }; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te ++###################################### ++## ++## Execute a domain transition to run qdiskd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`qdiskd_domtrans',` ++ gen_require(` ++ type qdiskd_t, qdiskd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1,qdiskd_exec_t,qdiskd_t) ++') ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.33/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2009-09-25 16:23:28.000000000 -0400 -@@ -0,0 +1,340 @@ ++++ serefpolicy-3.6.33/policy/modules/services/rhcs.te 2009-11-12 14:26:53.000000000 -0500 +@@ -0,0 +1,394 @@ + +policy_module(rhcs,1.0.0) + @@ -16365,6 +19803,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Declarations +# + ++## ++##

++## Allow fenced domain to connect to the network using TCP. ++##

++##
++gen_tunable(fenced_can_network_connect, false) ++ +type dlm_controld_t; +type dlm_controld_exec_t; +init_daemon_domain(dlm_controld_t, dlm_controld_exec_t) @@ -16503,7 +19948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# fenced local policy +# + -+allow fenced_t self:capability { sys_nice sys_resource }; ++allow fenced_t self:capability { sys_nice sys_rawio sys_resource }; +allow fenced_t self:process { setsched getsched }; + +allow fenced_t self:fifo_file rw_fifo_file_perms; @@ -16532,7 +19977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(fenced_t, fenced_var_run_t,fenced_var_run_t) +manage_sock_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t) +manage_fifo_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t) -+files_pid_filetrans(fenced_t,fenced_var_run_t, { file }) ++files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file }) + +stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) +aisexec_stream_connect(fenced_t) @@ -16540,9 +19985,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +corecmd_exec_bin(fenced_t) + -+dev_list_sysfs(fenced_t) ++dev_read_sysfs(fenced_t) +dev_read_urand(fenced_t) + ++storage_raw_read_fixed_disk(fenced_t) ++storage_raw_write_fixed_disk(fenced_t) ++storage_raw_read_removable_device(fenced_t) ++ +auth_use_nsswitch(fenced_t) + +files_read_usr_symlinks(fenced_t) @@ -16554,6 +20003,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(fenced_t) + ++tunable_policy(`fenced_can_network_connect',` ++ corenet_tcp_connect_all_ports(fenced_t) ++') ++ ++optional_policy(` ++ ccs_read_config(fenced_t) ++') ++ ++optional_policy(` ++ lvm_domtrans(fenced_t) ++ lvm_read_config(fenced_t) ++') ++ +###################################### +# +# gfs_controld local policy 
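Review bot: The fenced hunk adds `storage_raw_read_fixed_disk`, `storage_raw_write_fixed_disk` and `storage_raw_read_removable_device` (with `sys_rawio` added to the capability line a few hunks earlier), giving the fence daemon direct write access to every fixed disk on the node, and nothing in the hunk says which fence agent needs it. Raw write to all fixed disks is effectively root-equivalent on that host, since any filesystem or boot block can be rewritten, so a comment naming the agent and the devices it actually touches would let a later reader judge whether a narrower rule is possible. This same file introduces the `fenced_can_network_connect` tunable for the TCP case; gating the raw-disk rules behind a similar default-off tunable would keep nodes that only use network or power fencing from carrying the access at all.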
@@ -16591,6 +20053,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +kernel_read_system_state(gfs_controld_t) + ++storage_getattr_removable_dev(gfs_controld_t) ++ +dev_manage_generic_chr_files(gfs_controld_t) +#dev_read_sysfs(gfs_controld_t) +dev_rw_sysfs(gfs_controld_t) @@ -16604,6 +20068,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(gfs_controld_t) + ++optional_policy(` ++ lvm_exec(gfs_controld_t) ++ dev_rw_lvm_control(gfs_controld_t) ++') ++ +####################################### +# +# groupd local policy @@ -16657,8 +20126,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow qdiskd_t self:process setsched; + +allow qdiskd_t self:sem create_sem_perms; ++allow qdiskd_t self:udp_socket create_socket_perms; ++allow qdiskd_t self:udp_socket create_socket_perms; +allow qdiskd_t self:unix_dgram_socket create_socket_perms; -+allow qdiskd_t self:fifo_file rw_fifo_file_perms; +allow qdiskd_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t) 
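Review bot: `allow qdiskd_t self:udp_socket create_socket_perms;` appears twice in a row in the qdiskd self-permission hunk; the second copy is redundant and should be dropped. The same hunk also removes `allow qdiskd_t self:fifo_file rw_fifo_file_perms;` from the patch — if that rule now lives in the upstream 3.6.33 base this is fine, but if it was simply lost, qdiskd will start hitting pipe denials once it runs enforcing. Worth confirming against the new base policy, since the removal is not explained anywhere visible.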
@@ -16683,11 +20153,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +aisexec_stream_connect(qdiskd_t) +ccs_stream_connect(qdiskd_t) + -+kernel_read_system_state(qdiskd_t) ++corecmd_exec_shell(qdiskd_t) + ++kernel_read_system_state(qdiskd_t) ++kernel_read_software_raid_state(qdiskd_t) ++ ++dev_read_sysfs(qdiskd_t) ++dev_list_all_dev_nodes(qdiskd_t) ++dev_getattr_all_blk_files(qdiskd_t) ++dev_getattr_all_chr_files(qdiskd_t) ++dev_manage_generic_blk_files(qdiskd_t) ++dev_manage_generic_chr_files(qdiskd_t) ++ ++storage_raw_read_removable_device(qdiskd_t) ++storage_raw_write_removable_device(qdiskd_t) +storage_raw_read_fixed_disk(qdiskd_t) +storage_raw_write_fixed_disk(qdiskd_t) + ++domain_dontaudit_getattr_all_pipes(qdiskd_t) ++domain_dontaudit_getattr_all_sockets(qdiskd_t) ++ ++auth_use_nsswitch(qdiskd_t) ++ +files_read_etc_files(qdiskd_t) + +libs_use_ld_so(qdiskd_t) 
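Review bot: The qdiskd hunk adds `dev_manage_generic_blk_files(qdiskd_t)` and `dev_manage_generic_chr_files(qdiskd_t)` on top of raw read/write to all fixed and removable disks, with no comment on why the quorum-disk daemon needs to create or remove arbitrary device nodes. Raw access to the quorum device is expected for qdiskd, but manage on every generic device node goes well beyond that; if the need is only locating the quorum partition, the `dev_list_all_dev_nodes`/`dev_getattr_all_*` rules already in the hunk plus the `storage_raw_*` calls should cover it and the two `dev_manage_generic_*` lines can go. If a concrete denial drove them, a one-line comment recording which node qdiskd creates would make the grant reviewable.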
@@ -16697,10 +20184,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(qdiskd_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.32/policy/modules/services/ricci.te ++optional_policy(` ++ netutils_domtrans_ping(qdiskd_t) ++') ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.33/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ricci.te 2009-09-29 09:58:56.000000000 -0400 -@@ -227,6 +227,10 @@ ++++ serefpolicy-3.6.33/policy/modules/services/ricci.te 2009-11-12 14:26:53.000000000 -0500 +@@ -194,10 +194,13 @@ + # ricci_modcluster local policy + # + +-allow ricci_modcluster_t self:capability sys_nice; ++allow ricci_modcluster_t self:capability { net_bind_service sys_nice }; + allow ricci_modcluster_t self:process setsched; + allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms; + ++corenet_tcp_bind_cluster_port(ricci_modclusterd_t) ++corenet_tcp_bind_reserved_port(ricci_modclusterd_t) ++ + kernel_read_kernel_sysctls(ricci_modcluster_t) + kernel_read_system_state(ricci_modcluster_t) + +@@ -227,6 +230,10 @@ ricci_stream_connect_modclusterd(ricci_modcluster_t) optional_policy(` 
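Review bot: In the ricci hunk `@@ -194,10 +194,13 @@` the new `net_bind_service` capability is added to `ricci_modcluster_t`, but the two bind rules inserted right below it, `corenet_tcp_bind_cluster_port(ricci_modclusterd_t)` and `corenet_tcp_bind_reserved_port(ricci_modclusterd_t)`, target `ricci_modclusterd_t` — a different domain — even though they sit under the `# ricci_modcluster local policy` header. Binding a reserved port needs the capability in the same domain that performs the bind, so as written the daemon still lacks `net_bind_service` while the helper holds a capability it has no port rule for. Presumably all three lines are meant for one domain; if it is the daemon, `net_bind_service` belongs in the ricci_modclusterd_t capability rule in the modclusterd section, otherwise the two bind calls should name `ricci_modcluster_t`.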
@@ -16711,7 +20218,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ccs_stream_connect(ricci_modcluster_t) ccs_domtrans(ricci_modcluster_t) ccs_manage_config(ricci_modcluster_t) -@@ -264,6 +268,7 @@ +@@ -245,6 +252,10 @@ + ') + + optional_policy(` ++ rgmanager_stream_connect(ricci_modclusterd_t) ++') ++ ++optional_policy(` + # XXX This has got to go. + unconfined_domain(ricci_modcluster_t) + ') +@@ -264,6 +275,7 @@ allow ricci_modclusterd_t self:socket create_socket_perms; allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; @@ -16719,7 +20237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # log files allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; -@@ -306,6 +311,10 @@ +@@ -306,12 +318,20 @@ sysnet_dns_name_resolve(ricci_modclusterd_t) optional_policy(` @@ -16730,7 +20248,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ccs_domtrans(ricci_modclusterd_t) ccs_stream_connect(ricci_modclusterd_t) ccs_read_config(ricci_modclusterd_t) -@@ -440,6 +449,10 @@ + ') + + optional_policy(` ++ rgmanager_stream_connect(ricci_modclusterd_t) ++') ++ ++optional_policy(` + unconfined_use_fds(ricci_modclusterd_t) + ') + +@@ -440,6 +460,10 @@ files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -16741,7 +20269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_raw_read_fixed_disk(ricci_modstorage_t) term_dontaudit_use_console(ricci_modstorage_t) -@@ -457,6 +470,10 @@ +@@ -457,6 +481,10 @@ mount_domtrans(ricci_modstorage_t) optional_policy(` 
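Review bot: The `optional_policy` block inserted at `@@ -245,6 +252,10 @@` grants `rgmanager_stream_connect(ricci_modclusterd_t)` inside the ricci_modcluster section (directly above the `unconfined_domain(ricci_modcluster_t)` block), while the `@@ -306,12 +318,20 @@` hunk on this same line adds the identical `rgmanager_stream_connect(ricci_modclusterd_t)` in the modclusterd section. The first copy is therefore either a duplicate or was meant to read `rgmanager_stream_connect(ricci_modcluster_t)`; given that the surrounding section only touches ricci_modcluster_t the latter looks likely, but the author should confirm which domain actually connects to the rgmanager socket. Either way one of the two identical calls should be removed or retargeted.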
@@ -16752,9 +20280,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ccs_stream_connect(ricci_modstorage_t) ccs_read_config(ricci_modstorage_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.32/policy/modules/services/rpcbind.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.33/policy/modules/services/rpcbind.if --- nsaserefpolicy/policy/modules/services/rpcbind.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/rpcbind.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/rpcbind.if 2009-11-12 14:26:53.000000000 -0500 @@ -97,6 +97,26 @@ ######################################## @@ -16782,9 +20310,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an rpcbind environment ##
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.6.33/policy/modules/services/rpcbind.te +--- nsaserefpolicy/policy/modules/services/rpcbind.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/rpcbind.te 2009-11-12 14:26:53.000000000 -0500 +@@ -42,6 +42,7 @@ + + kernel_read_system_state(rpcbind_t) + kernel_read_network_state(rpcbind_t) ++kernel_request_load_module(rpcbind_t) + + corenet_all_recvfrom_unlabeled(rpcbind_t) + corenet_all_recvfrom_netlabel(rpcbind_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.33/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2009-09-25 10:42:34.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/rpc.if 2009-11-12 14:26:53.000000000 -0500 @@ -54,7 +54,7 @@ allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; 
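Review bot: `kernel_request_load_module(rpcbind_t)` added in the rpcbind.te hunk lets a network-facing daemon trigger kernel module auto-loading, and the hunk gives no hint of which module it needs. Module autoload from an exposed service widens the kernel attack surface (any request_module alias the daemon can name becomes loadable), so a comment recording the trigger, e.g. `# rpcbind request_module()s <what> at startup — seen in audit`, is worth adding. If it is only a harmless probe that fails gracefully, `kernel_dontaudit_request_load_module(rpcbind_t)` would silence the denial without granting the access.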
@@ -16813,9 +20352,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole($1_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.33/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-09-25 10:42:43.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/rpc.te 2009-11-12 14:26:53.000000000 -0500 @@ -53,7 +53,7 @@ # RPC local policy # @@ -16888,7 +20427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(gssd_t) auth_manage_cache(gssd_t) -@@ -199,6 +211,8 @@ +@@ -199,10 +211,13 @@ mount_signal(gssd_t) @@ -16897,9 +20436,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_gssd_read_tmp',` userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.32/policy/modules/services/rsync.te + userdom_read_user_tmp_symlinks(gssd_t) ++ userdom_dontaudit_write_user_tmp_files(gssd_t) + ') + + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.33/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/rsync.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/rsync.te 2009-11-12 14:26:53.000000000 -0500 @@ -8,6 +8,13 @@ ## 
@@ -16942,9 +20486,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + auth_can_read_shadow_passwords(rsync_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.6.32/policy/modules/services/rtkit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.6.33/policy/modules/services/rtkit.if --- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/rtkit.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/rtkit.if 2009-11-12 14:26:53.000000000 -0500 @@ -38,3 +38,23 @@ allow $1 rtkit_daemon_t:dbus send_msg; allow rtkit_daemon_t $1:dbus send_msg; @@ -16969,9 +20513,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow rtkit_daemon_t $1:process { getsched setsched }; + rtkit_daemon_dbus_chat($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.6.32/policy/modules/services/rtkit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.6.33/policy/modules/services/rtkit.te --- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/rtkit.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/rtkit.te 2009-11-12 14:26:53.000000000 -0500 @@ -17,9 +17,11 @@ allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; 
@@ -16984,9 +20528,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_read_all_domains_state(rtkit_daemon_t) fs_rw_anon_inodefs_files(rtkit_daemon_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.32/policy/modules/services/samba.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.33/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/samba.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/samba.fc 2009-11-12 14:26:53.000000000 -0500 @@ -51,3 +51,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) @@ -16995,9 +20539,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.32/policy/modules/services/samba.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.33/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/samba.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/samba.if 2009-11-12 14:26:53.000000000 -0500 @@ -62,6 +62,25 @@ ######################################## 
@@ -17170,9 +20714,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol admin_pattern($1, winbind_var_run_t) + admin_pattern($1, samba_unconfined_script_exec_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.33/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-09-17 14:03:16.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/samba.te 2009-11-12 14:26:53.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -17404,9 +20948,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.32/policy/modules/services/sasl.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.33/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/sasl.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/sasl.te 2009-11-12 14:26:53.000000000 -0500 @@ -31,7 +31,7 @@ # Local policy # 
@@ -17469,9 +21013,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(saslauthd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.32/policy/modules/services/sendmail.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.33/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/sendmail.if 2009-09-29 17:16:32.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/sendmail.if 2009-11-12 14:26:53.000000000 -0500 @@ -59,20 +59,20 @@ ######################################## @@ -17644,9 +21188,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 sendmail_t:fifo_file rw_fifo_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.33/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2009-09-21 08:22:05.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/sendmail.te 2009-11-12 14:26:53.000000000 -0500 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) 
@@ -17822,18 +21366,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.32/policy/modules/services/setroubleshoot.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.33/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/setroubleshoot.fc 2009-11-12 14:26:53.000000000 -0500 @@ -5,3 +5,5 @@ /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) /var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) + +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.33/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if 2009-09-24 14:40:15.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/setroubleshoot.if 2009-11-12 14:26:53.000000000 -0500 @@ -16,8 +16,8 @@ ') 
@@ -17845,7 +21389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -36,6 +36,102 @@ +@@ -36,6 +36,123 @@ type setroubleshootd_t, setroubleshoot_var_run_t; ') @@ -17877,6 +21421,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## dontaudit send and receive messages from ++## setroubleshoot over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`setroubleshoot_dontaudit_dbus_chat',` ++ gen_require(` ++ type setroubleshootd_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 setroubleshootd_t:dbus send_msg; ++ dontaudit setroubleshootd_t $1:dbus send_msg; ++') ++ ++######################################## ++## +## Send and receive messages from +## setroubleshoot over dbus. +## @@ -17949,9 +21514,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.33/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2009-09-24 14:38:01.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/setroubleshoot.te 2009-11-12 14:26:53.000000000 -0500 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) 
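Review bot: The XML summary of the new `setroubleshoot_dontaudit_dbus_chat` interface reads `dontaudit send and receive messages from setroubleshoot over dbus.`, which does not follow the capitalised, descriptive form used by the sibling interface in the same file (`Send and receive messages from setroubleshoot over dbus.`). Suggest `## Do not audit attempts to send and receive messages from setroubleshoot over dbus.` so the generated interface documentation stays consistent. The body itself (dontaudit in both directions with `class dbus send_msg` in the gen_require) looks correct and the interface is complete within the hunk.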
@@ -17993,7 +21558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_getattr_all_chr_files(setroubleshootd_t) domain_dontaudit_search_all_domains_state(setroubleshootd_t) -+ domain_signull_all_domains(setroubleshootd_t) ++domain_signull_all_domains(setroubleshootd_t) files_read_usr_files(setroubleshootd_t) files_read_etc_files(setroubleshootd_t) @@ -18013,7 +21578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,23 +113,72 @@ +@@ -94,23 +113,76 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -18040,7 +21605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -+ rpm_signull(setroubleshootd_t) ++ rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) @@ -18055,13 +21620,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; +allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms; + ++allow setroubleshoot_fixit_t setroubleshootd_t:process signull; ++ +setroubleshoot_dbus_chat(setroubleshoot_fixit_t) +setroubleshoot_stream_connect(setroubleshoot_fixit_t) + +corecmd_exec_bin(setroubleshoot_fixit_t) +corecmd_exec_shell(setroubleshoot_fixit_t) + -+seutil_domtrans_restorecon(setroubleshoot_fixit_t) ++seutil_domtrans_setfiles(setroubleshoot_fixit_t) ++seutil_domtrans_setsebool(setroubleshoot_fixit_t) + +files_read_usr_files(setroubleshoot_fixit_t) +files_read_etc_files(setroubleshoot_fixit_t) 
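Review bot: `seutil_domtrans_setsebool(setroubleshoot_fixit_t)` lets the fixit helper flip any SELinux boolean, and together with `seutil_domtrans_setfiles` (relabelling) and the new dbus/stream access to setroubleshootd it turns setroubleshoot_fixit_t into a policy-modification path; nothing in this hunk shows what authorises a caller to reach that domain, so the `policykit_dbus_chat(setroubleshoot_fixit_t)` visible in the following hunk's context is presumably the gate, but that is an inference. A comment at the head of the fixit block stating the trust assumption, e.g. `# fixit applies fixes proposed by setroubleshootd (relabel via setfiles, toggle booleans via setsebool); callers are expected to be authorised through PolicyKit before the request reaches this domain`, would make the threat model explicit for the next reviewer. Whether a boolean should additionally guard the setsebool transition is a design question the commit does not address. The fixit local-policy block begins in this hunk and continues past its end.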
@@ -18077,6 +21645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(setroubleshoot_fixit_t) + +userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) ++userdom_signull_unpriv_users(setroubleshoot_fixit_t) + +optional_policy(` + rpm_signull(setroubleshoot_fixit_t) @@ -18088,9 +21657,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + policykit_dbus_chat(setroubleshoot_fixit_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.32/policy/modules/services/smartmon.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.33/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/smartmon.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/smartmon.te 2009-11-12 14:26:53.000000000 -0500 @@ -19,14 +19,18 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -18151,9 +21720,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.6.32/policy/modules/services/snmp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.6.33/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/snmp.if 2009-09-16 12:22:59.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/snmp.if 2009-11-12 14:26:53.000000000 -0500 @@ -50,6 +50,24 @@ ######################################## 
@@ -18206,9 +21775,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## All of the rules required to administrate -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.33/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2009-09-29 17:04:42.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/snmp.te 2009-11-12 14:26:53.000000000 -0500 @@ -27,7 +27,7 @@ # allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; @@ -18227,9 +21796,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(snmpd_t) dev_read_sysfs(snmpd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.32/policy/modules/services/spamassassin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.33/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.fc 2009-09-24 13:21:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/spamassassin.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,15 +1,26 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) 
@@ -18259,9 +21828,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.33/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/spamassassin.if 2009-11-12 14:26:53.000000000 -0500 @@ -111,6 +111,27 @@ ') @@ -18370,9 +21939,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.32/policy/modules/services/spamassassin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.33/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2009-09-24 13:20:36.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/spamassassin.te 2009-11-12 14:26:53.000000000 -0500 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) 
@@ -18490,11 +22059,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -246,9 +307,15 @@ +@@ -246,9 +307,16 @@ files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) +files_list_var_lib(spamc_t) ++list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) +read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + +fs_search_auto_mountpoints(spamc_t) @@ -18506,7 +22076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -256,27 +323,40 @@ +@@ -256,27 +324,40 @@ sysnet_read_config(spamc_t) @@ -18553,7 +22123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -288,7 +368,7 @@ +@@ -288,7 +369,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -18562,7 +22132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -304,10 +384,17 @@ +@@ -304,10 +385,17 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -18581,7 +22151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -316,10 +403,12 @@ +@@ -316,10 +404,12 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; 
@@ -18595,7 +22165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -369,22 +458,27 @@ +@@ -369,22 +459,27 @@ init_dontaudit_rw_utmp(spamd_t) @@ -18627,7 +22197,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_files(spamd_t) ') -@@ -402,23 +496,16 @@ +@@ -402,23 +497,16 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -18652,7 +22222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_read_config(spamd_t) ') -@@ -433,6 +520,10 @@ +@@ -433,6 +521,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -18663,7 +22233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -445,5 +536,9 @@ +@@ -445,5 +537,9 @@ ') optional_policy(` @@ -18673,9 +22243,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` udev_read_db(spamd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.32/policy/modules/services/squid.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.33/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/squid.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/squid.te 2009-11-12 14:26:53.000000000 -0500 @@ -67,7 +67,9 @@ can_exec(squid_t, squid_exec_t) 
@@ -18704,18 +22274,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.32/policy/modules/services/ssh.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.33/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ssh.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/ssh.fc 2009-11-12 14:26:53.000000000 -0500 @@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.32/policy/modules/services/ssh.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.33/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/ssh.if 2009-11-12 14:26:53.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; 
@@ -18830,15 +22400,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -206,6 +198,7 @@ +@@ -206,6 +198,8 @@ allow $1_t sshd_key_t:file read_file_perms; kernel_read_kernel_sysctls($1_t) + kernel_read_network_state($1_t) ++ kernel_request_load_module(ssh_t) corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -221,7 +214,12 @@ +@@ -221,7 +215,12 @@ corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) @@ -18851,7 +22422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_getattr_all_fs($1_t) -@@ -237,18 +235,23 @@ +@@ -237,18 +236,23 @@ files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) @@ -18877,7 +22448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -257,15 +260,11 @@ +@@ -257,15 +261,11 @@ optional_policy(` kerberos_use($1_t) @@ -18895,7 +22466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -337,6 +336,7 @@ +@@ -337,6 +337,7 @@ allow ssh_t $3:unix_stream_socket connectto; # user can manage the keys and config @@ -18903,7 +22474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($3, home_ssh_t, home_ssh_t) manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t) manage_sock_files_pattern($3, home_ssh_t, home_ssh_t) -@@ -446,6 +446,24 @@ +@@ -446,6 +447,24 @@ ######################################## ## @@ -18928,7 +22499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read a ssh server unnamed pipe. ## ## -@@ -461,6 +479,23 @@ +@@ -461,6 +480,23 @@ allow $1 sshd_t:fifo_file { getattr read }; ') 
@@ -18952,7 +22523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## -@@ -603,3 +638,83 @@ +@@ -603,3 +639,83 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -19036,9 +22607,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_pids($1) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.33/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-09-21 08:22:14.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/ssh.te 2009-11-12 14:26:53.000000000 -0500 @@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) 
@@ -19230,18 +22801,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(ssh_keygen_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.33/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2009-09-16 10:03:09.000000000 -0400 -@@ -1,4 +1,4 @@ ++++ serefpolicy-3.6.33/policy/modules/services/sssd.fc 2009-11-13 10:59:21.000000000 -0500 +@@ -1,6 +1,9 @@ -/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if + /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) ++ ++/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) ++ + /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.33/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/sssd.if 2009-11-13 11:16:42.000000000 -0500 @@ -12,12 +12,32 @@ # interface(`sssd_domtrans',` 
@@ -19276,7 +22852,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Read sssd PID files. -@@ -116,6 +136,27 @@ +@@ -96,6 +116,25 @@ + + ######################################## + ## ++## Read sssd config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_read_config_files',` ++ gen_require(` ++ type sssd_config_t; ++ ') ++ ++ sssd_search_lib($1) ++ read_files_pattern($1, sssd_config_t, sssd_config_t) ++') ++ ++######################################## ++## + ## Create, read, write, and delete + ## sssd lib files. + ## +@@ -116,6 +155,27 @@ ######################################## ## @@ -19304,10 +22906,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## sssd over dbus. ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.33/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2009-09-16 10:03:09.000000000 -0400 -@@ -23,7 +23,7 @@ ++++ serefpolicy-3.6.33/policy/modules/services/sssd.te 2009-11-13 10:59:01.000000000 -0500 +@@ -16,6 +16,9 @@ + type sssd_var_lib_t; + files_type(sssd_var_lib_t) + ++type sssd_var_log_t; ++logging_log_file(sssd_var_log_t) ++ + type sssd_var_run_t; + files_pid_file(sssd_var_run_t) + +@@ -23,7 +26,7 @@ # # sssd local policy # 
@@ -19316,7 +22928,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sssd_t self:process { setsched signal getsched }; allow sssd_t self:fifo_file rw_file_perms; allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -37,6 +37,8 @@ +@@ -33,10 +36,15 @@ + manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) + files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) + ++manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) ++logging_log_filetrans(sssd_t, sssd_var_log_t, file) ++ + manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -19325,7 +22944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(sssd_t) corecmd_exec_bin(sssd_t) -@@ -58,6 +60,8 @@ +@@ -58,6 +66,8 @@ miscfiles_read_localization(sssd_t) @@ -19334,9 +22953,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.32/policy/modules/services/sysstat.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.33/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/sysstat.te 2009-09-29 17:13:34.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/sysstat.te 2009-11-12 14:26:53.000000000 -0500 @@ -19,14 +19,15 @@ # Local policy # 
@@ -19355,9 +22974,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) # get info from /proc -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.32/policy/modules/services/uucp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.6.33/policy/modules/services/tftp.fc +--- nsaserefpolicy/policy/modules/services/tftp.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/tftp.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -5,4 +5,4 @@ + /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) + /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) + +-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) ++/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.33/policy/modules/services/tuned.te +--- nsaserefpolicy/policy/modules/services/tuned.te 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/services/tuned.te 2009-11-12 14:26:53.000000000 -0500 +@@ -16,12 +16,14 @@ + type tuned_var_run_t; + files_pid_file(tuned_var_run_t) + ++permissive tuned_t; ++ + ######################################## + # + # tuned local policy + # + +-dontaudit tuned_t self:capability dac_override; ++dontaudit tuned_t self:capability { dac_override sys_tty_config }; + + manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) + files_pid_filetrans(tuned_t, tuned_var_run_t, file) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.33/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-08-14 16:14:31.000000000 -0400 -+++ 
serefpolicy-3.6.32/policy/modules/services/uucp.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/uucp.te 2009-11-12 14:26:53.000000000 -0500 @@ -95,6 +95,8 @@ files_search_home(uucpd_t) files_search_spool(uucpd_t) @@ -19386,10 +23033,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.32/policy/modules/services/virt.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.33/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.fc 2009-09-16 10:03:09.000000000 -0400 -@@ -8,5 +8,17 @@ ++++ serefpolicy-3.6.33/policy/modules/services/virt.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -8,5 +8,18 @@ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) @@ -19399,6 +23046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) + +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) 
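Review bot: `permissive tuned_t;` in tuned.te disables enforcement for the whole tuned domain, so every denial against it is only logged, and nothing in the hunk says this is a bring-up measure or what condition removes it; add a marker such as `# TODO(policy): bring-up only, drop once tuned_t denials are resolved` so it is not shipped indefinitely. In the same hunk tftp.fc relabels `/var/lib/tftpboot(/.*)?` from `tftpdir_t` to `tftpdir_rw_t`, which presumably makes the default tftp root writable by the daemon; whether that write access is still gated by a boolean is not visible here and should be confirmed, and a one-line comment in tftp.fc stating the intent would help. The hunk runs from the sysstat.te tail across tftp.fc and tuned.te into the uucp.te header.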
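Review bot: The added `/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)` labels a non-/var/run tree with libvirt's pid-file type, so every domain granted `virt_var_run_t` access (virtd_t manages it in virt.te) also manages vdsm's state directory. If sharing the type is deliberate, a comment above the line saying so would stop a later reader from "fixing" it; otherwise a dedicated type for vdsm's directory keeps the two services' state separate. Which processes write /var/vdsm is not visible from this patch.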
@@ -19407,9 +23055,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) + +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.33/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/virt.if 2009-11-12 14:26:53.000000000 -0500 @@ -136,7 +136,7 @@ ') 
@@ -19450,10 +23098,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs($1) -@@ -312,6 +314,41 @@ +@@ -304,8 +306,79 @@ + ') - ######################################## - ## + tunable_policy(`virt_use_samba',` +- fs_manage_nfs_files($1) + fs_manage_cifs_files($1) ++ fs_manage_cifs_files($1) ++ fs_read_cifs_symlinks($1) ++ ') ++') ++ ++######################################## ++## ++## Allow domain to read virt image files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`virt_read_images',` ++ gen_require(` ++ type virt_var_lib_t; ++ attribute virt_image_type; ++ ') ++ ++ virt_search_lib($1) ++ allow $1 virt_image_type:dir list_dir_perms; ++ list_dirs_pattern($1, virt_image_type, virt_image_type) ++ read_files_pattern($1, virt_image_type, virt_image_type) ++ read_lnk_files_pattern($1, virt_image_type, virt_image_type) ++ read_blk_files_pattern($1, virt_image_type, virt_image_type) ++ ++ tunable_policy(`virt_use_nfs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ fs_read_nfs_symlinks($1) ++ ') ++ ++ tunable_policy(`virt_use_samba',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ fs_read_cifs_symlinks($1) ++ ') ++') ++ ++######################################## ++## +## Allow domain to manage virt image files +## +## @@ -19472,7 +23165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + list_dirs_pattern($1, virt_content_t, virt_content_t) + read_files_pattern($1, virt_content_t, virt_content_t) + read_lnk_files_pattern($1, virt_content_t, virt_content_t) -+ rw_blk_files_pattern($1, virt_content_t, virt_content_t) ++ read_blk_files_pattern($1, virt_content_t, virt_content_t) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) 
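Review bot: The new `virt_read_images` interface documents its parameter as `Domain to not audit.` although it is an allow interface; the parameter text should read `Domain allowed access.` as in the neighbouring interfaces. The summary could also state that the read covers block-device images (`read_blk_files_pattern`) and NFS/CIFS-backed images under the `virt_use_nfs`/`virt_use_samba` tunables, since that is the access a caller actually receives.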
@@ -19483,16 +23176,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) -+ fs_read_cifs_symlinks($1) -+ ') -+') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an virt environment - ## -@@ -346,3 +383,79 @@ + fs_read_cifs_symlinks($1) + ') + ') +@@ -346,3 +419,95 @@ virt_manage_log($1) ') @@ -19510,6 +23197,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +template(`virt_domain_template',` + gen_require(` ++ type virtd_t; + attribute virt_image_type; + attribute virt_domain; + ') @@ -19530,6 +23218,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_type($1_image_t) + dev_node($1_image_t) + ++ type $1_var_run_t; ++ files_pid_file($1_var_run_t) ++ + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) + manage_files_pattern($1_t, $1_image_t, $1_image_t) + read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) @@ -19545,6 +23236,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) + ++ stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain) ++ manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t) ++ manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) ++ manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) ++ ++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ files_pid_filetrans($1_t, $1_var_run_t, { dir file }) ++ stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t) ++ + optional_policy(` + xserver_rw_shm($1_t) + xserver_common_app($1_t) 
@@ -19572,9 +23275,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1, svirt_cache_t, svirt_cache_t) + manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.33/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-09-21 08:22:24.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/virt.te 2009-11-13 08:13:08.000000000 -0500 @@ -20,6 +20,28 @@ ## gen_tunable(virt_use_samba, false) @@ -19620,7 +23323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type virt_log_t; logging_log_file(virt_log_t) -@@ -48,27 +75,58 @@ +@@ -48,27 +75,55 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -19637,9 +23340,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +type svirt_cache_t; +files_type(svirt_cache_t) -+ -+type svirt_var_run_t; -+files_pid_file(svirt_var_run_t) + ######################################## # 
@@ -19648,16 +23348,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; -allow virtd_t self:process { getsched sigkill signal execmem }; +-allow virtd_t self:fifo_file rw_file_perms; +allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched }; + - allow virtd_t self:fifo_file rw_file_perms; ++allow virtd_t self:fifo_file rw_fifo_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms; - allow virtd_t self:tun_socket create; - -+allow virtd_t virt_domain:process { setsched transition signal signull sigkill }; +-allow virtd_t self:tun_socket create; ++allow virtd_t self:tun_socket create_socket_perms; + ++allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; + read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) @@ -19681,7 +23383,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -86,7 +144,8 @@ +@@ -76,6 +131,7 @@ + + manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) + manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) ++manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) + files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) + + manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -86,7 +142,8 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) 
@@ -19691,7 +23401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -97,30 +156,55 @@ +@@ -97,30 +154,50 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -19727,17 +23437,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Manages /etc/sysconfig/system-config-firewall +iptables_manage_config(virtd_t) +files_manage_etc_files(virtd_t) -+ -+modutils_read_module_deps(virtd_t) -+modutils_read_module_config(virtd_t) fs_list_auto_mountpoints(virtd_t) +fs_getattr_xattr_fs(virtd_t) +fs_rw_anon_inodefs_files(virtd_t) +fs_list_inotifyfs(virtd_t) -+modutils_manage_module_config(virtd_t) -+ +storage_manage_fixed_disk(virtd_t) +storage_relabel_fixed_disk(virtd_t) storage_raw_write_removable_device(virtd_t) @@ -19750,8 +23455,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) -@@ -130,7 +214,14 @@ +@@ -128,9 +205,22 @@ + miscfiles_read_localization(virtd_t) + miscfiles_read_certs(virtd_t) ++modutils_read_module_deps(virtd_t) ++modutils_read_module_config(virtd_t) ++modutils_manage_module_config(virtd_t) ++ logging_send_syslog_msg(virtd_t) +sysnet_domtrans_ifconfig(virtd_t) @@ -19762,10 +23473,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_list_user_home_content(virtd_t) userdom_read_all_users_state(virtd_t) +userdom_read_user_home_content_files(virtd_t) ++userdom_relabel_user_home_files(virtd_t) ++userdom_setattr_user_home_content_files(virtd_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -168,22 +259,36 @@ +@@ -168,22 +258,36 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) 
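Review bot: `userdom_relabel_user_home_files(virtd_t)` and `userdom_setattr_user_home_content_files(virtd_t)` in the `@@ -19762` hunk let virtd relabel and change attributes of any user home content file, not only the `HOME_DIR/VirtualMachines` tree that virt.fc labels `virt_image_t`; relabel rights over generic home files mean a bug in virtd can change the type of files well outside the images directory. If the need is to relabel freshly created images, a grant limited to the virt image types plus a comment naming the use case would keep the rest of home content out of virtd's reach. At minimum document the reason above the two lines, e.g. `# relabel/setattr user home files: <use case> - TODO confirm`.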
@@ -19776,10 +23489,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) -+') -+ -+optional_policy(` -+ kerberos_keytab_template(virtd, virtd_t) ') -#optional_policy(` @@ -19787,6 +23496,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# polkit_domtrans_resolve(virtd_t) -#') +optional_policy(` ++ kerberos_keytab_template(virtd, virtd_t) ++') + + optional_policy(` +- qemu_domtrans(virtd_t) + lvm_domtrans(virtd_t) +') + @@ -19796,9 +23510,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +') - - optional_policy(` -- qemu_domtrans(virtd_t) ++ ++optional_policy(` + qemu_spec_domtrans(virtd_t, svirt_t) qemu_read_state(virtd_t) qemu_signal(virtd_t) @@ -19807,7 +23520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -196,8 +301,160 @@ +@@ -196,8 +300,150 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -19822,9 +23535,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domain(virtd_t) ') + -+manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) -+manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) -+ +######################################## +# +# svirt local policy 
@@ -19833,13 +23543,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) + -+manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) -+manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) -+manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) -+manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) -+files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file }) -+stream_connect_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t, virtd_t) -+ +read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) + +allow svirt_t svirt_image_t:dir search_dir_perms; @@ -19854,14 +23557,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_search_user_home_content(svirt_t) +userdom_read_all_users_state(svirt_t) + -+append_files_pattern(svirt_t, virt_log_t, virt_log_t) -+append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t) -+ +allow svirt_t self:udp_socket create_socket_perms; + -+corecmd_exec_bin(svirt_t) -+corecmd_exec_shell(svirt_t) -+ +corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) @@ -19873,6 +23570,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_rw_printer(svirt_t) +') + ++dev_read_sysfs(svirt_t) ++ +tunable_policy(`virt_manage_sysfs',` + dev_rw_sysfs(svirt_t) +') 
@@ -19915,10 +23614,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; + -+stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) ++append_files_pattern(virt_domain, virt_log_t, virt_log_t) ++append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +kernel_read_system_state(virt_domain) + ++corecmd_exec_bin(virt_domain) ++corecmd_exec_shell(virt_domain) ++ +corenet_all_recvfrom_unlabeled(virt_domain) +corenet_all_recvfrom_netlabel(virt_domain) +corenet_tcp_sendrecv_generic_if(virt_domain) @@ -19968,9 +23671,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + virt_read_content(virt_domain) + virt_stream_connect(virt_domain) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.32/policy/modules/services/w3c.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.33/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/w3c.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/w3c.te 2009-11-12 14:26:53.000000000 -0500 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) 
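Review bot: `corecmd_exec_bin(virt_domain)` and `corecmd_exec_shell(virt_domain)` move binary and shell execution from `svirt_t` (dropped in the `@@ -19854` hunk on the previous line) to the whole `virt_domain` attribute, so every domain produced by `virt_domain_template` can now execute arbitrary `bin_t`/shell content, not just the sVirt qemu domain. For a process that handles guest-controlled input this widens what a compromised emulator may run, so if a specific helper is what needs executing, naming it in a comment or giving it its own transition would be tighter than blanket exec on the attribute. Suggest at least `# corecmd_exec_*: guest domains run <helper> - TODO confirm which binaries` above the two lines.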
@@ -19990,16 +23693,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.33/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-09-25 10:58:35.000000000 -0400 -@@ -3,12 +3,17 @@ ++++ serefpolicy-3.6.33/policy/modules/services/xserver.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -3,12 +3,19 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) ++HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0) ++HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) 
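Review bot: The added `HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)` duplicates the context line that already follows it unchanged in the hunk, so xserver.fc now carries the same entry twice; drop the added copy and keep only the new `HOME_DIR/\.DCOP.*` line. Duplicate file-context entries are at best noise in setfiles output and at worst mask a later intended change to one of them.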
@@ -20011,7 +23716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /dev # -@@ -32,11 +37,6 @@ +@@ -32,11 +39,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -20023,7 +23728,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /opt # -@@ -61,7 +61,9 @@ +@@ -47,10 +49,10 @@ + # /tmp + # + +-/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) ++/tmp/\.ICE-unix -d gen_context(system_u:object_r:xserver_tmp_t,s0) + /tmp/\.ICE-unix/.* -s <> + /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) +-/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) ++/tmp/\.X11-unix -d gen_context(system_u:object_r:xserver_tmp_t,s0) + /tmp/\.X11-unix/.* -s <> + + # +@@ -61,7 +63,9 @@ /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) @@ -20033,7 +23751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,16 +91,28 @@ +@@ -89,16 +93,31 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) 
@@ -20044,15 +23762,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ++/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++ +/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) - -+/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) + ++/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) + +/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) 
@@ -20065,10 +23786,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.33/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-09 15:37:17.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-09-16 10:03:09.000000000 -0400 -@@ -211,6 +211,7 @@ ++++ serefpolicy-3.6.33/policy/modules/services/xserver.if 2009-11-12 14:26:53.000000000 -0500 +@@ -74,6 +74,12 @@ + + domtrans_pattern($2, iceauth_exec_t, iceauth_t) + ++ifdef(`hide_broken_symptoms', ` ++ dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms; ++ dontaudit iceauth_t $2:tcp_socket rw_socket_perms; ++ fs_dontaudit_rw_anon_inodefs_files(iceauth_t) ++') ++ + allow $2 iceauth_home_t:file read_file_perms; + + domtrans_pattern($2, xauth_exec_t, xauth_t) +@@ -89,8 +95,8 @@ + # for when /tmp/.X11-unix is created by the system + allow $2 xdm_t:fd use; + allow $2 xdm_t:fifo_file { getattr read write ioctl }; +- allow $2 xdm_tmp_t:dir search; +- allow $2 xdm_tmp_t:sock_file { read write }; ++ allow $2 xserver_tmp_t:dir search; ++ allow $2 xserver_tmp_t:sock_file { read write }; + dontaudit $2 xdm_t:tcp_socket { read write }; + + # Client read xserver shm +@@ -211,6 +217,7 @@ relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) 
@@ -20076,7 +23821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -245,7 +246,7 @@ +@@ -245,7 +252,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -20085,7 +23830,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Client read xserver shm allow $1 xserver_t:fd use; -@@ -308,12 +309,12 @@ +@@ -299,7 +306,7 @@ + interface(`xserver_user_client',` + refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') + gen_require(` +- type xdm_t, xdm_tmp_t; ++ type xdm_t, xserver_tmp_t; + type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; + ') + +@@ -308,14 +315,14 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -20097,11 +23851,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for when /tmp/.X11-unix is created by the system allow $1 xdm_t:fd use; - allow $1 xdm_t:fifo_file { getattr read write ioctl }; +- allow $1 xdm_tmp_t:dir search; +- allow $1 xdm_tmp_t:sock_file { read write }; + allow $1 xdm_t:fifo_file rw_fifo_file_perms; - allow $1 xdm_tmp_t:dir search; - allow $1 xdm_tmp_t:sock_file { read write }; ++ allow $1 xserver_tmp_t:dir search; ++ allow $1 xserver_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -367,7 +368,6 @@ + + # Allow connections to X server. +@@ -367,7 +374,6 @@ type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; @@ -20109,7 +23867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol attribute xproperty_type; attribute xevent_type; attribute input_xevent_type; -@@ -376,6 +376,8 @@ +@@ -376,6 +382,8 @@ class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; 
@@ -20118,7 +23876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -383,20 +385,11 @@ +@@ -383,20 +391,11 @@ # Local Policy # @@ -20139,7 +23897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive; allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive; -@@ -409,8 +402,10 @@ +@@ -409,8 +408,10 @@ type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t; type_transition $2 client_xevent_t:x_event $1_client_xevent_t; type_transition $2 xevent_t:x_event $1_default_xevent_t; @@ -20151,9 +23909,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -486,11 +481,12 @@ +@@ -484,13 +485,14 @@ + # + template(`xserver_user_x_domain_template',` gen_require(` - type xdm_t, xdm_tmp_t; +- type xdm_t, xdm_tmp_t; ++ type xdm_t, xserver_tmp_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; + class x_screen all_x_screen_perms; ') 
@@ -20167,16 +23928,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Read .Xauthority file allow $2 xauth_home_t:file read_file_perms; -@@ -498,7 +494,7 @@ +@@ -498,9 +500,9 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; +- allow $2 xdm_tmp_t:dir search_dir_perms; +- allow $2 xdm_tmp_t:sock_file { read write }; + allow $2 xdm_t:fifo_file rw_fifo_file_perms; - allow $2 xdm_tmp_t:dir search_dir_perms; - allow $2 xdm_tmp_t:sock_file { read write }; ++ allow $2 xserver_tmp_t:dir search_dir_perms; ++ allow $2 xserver_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; -@@ -526,6 +522,10 @@ + + # Allow connections to X server. +@@ -526,6 +528,10 @@ allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') @@ -20187,7 +23952,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -728,7 +728,7 @@ +@@ -585,6 +591,12 @@ + ') + + domtrans_pattern($1, xauth_exec_t, xauth_t) ++ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit xauth_t $1:unix_stream_socket rw_socket_perms; ++ dontaudit xauth_t $1:tcp_socket rw_socket_perms; ++ fs_dontaudit_rw_anon_inodefs_files(xauth_t) ++') + ') + + ######################################## +@@ -728,7 +740,7 @@ type xdm_t; ') 
@@ -20196,15 +23974,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -827,6 +827,7 @@ +@@ -764,11 +776,11 @@ + # + interface(`xserver_stream_connect_xdm',` + gen_require(` +- type xdm_t, xdm_tmp_t; ++ type xdm_t, xserver_tmp_t; + ') + files_search_tmp($1) - allow $1 xdm_tmp_t:dir list_dir_perms; - create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) -+ allow $1 xdm_tmp_t:sock_file unlink; +- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) ++ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xdm_t) ') ######################################## -@@ -845,7 +846,44 @@ +@@ -802,10 +814,10 @@ + # + interface(`xserver_setattr_xdm_tmp_dirs',` + gen_require(` +- type xdm_tmp_t; ++ type xserver_tmp_t; + ') + +- allow $1 xdm_tmp_t:dir setattr; ++ allow $1 xserver_tmp_t:dir setattr; + ') + + ######################################## +@@ -821,12 +833,13 @@ + # + interface(`xserver_create_xdm_tmp_sockets',` + gen_require(` +- type xdm_tmp_t; ++ type xserver_tmp_t; + ') + + files_search_tmp($1) +- allow $1 xdm_tmp_t:dir list_dir_perms; +- create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ++ allow $1 xserver_tmp_t:dir list_dir_perms; ++ create_sock_files_pattern($1, xserver_tmp_t, xserver_tmp_t) ++ allow $1 xserver_tmp_t:sock_file unlink; + ') + + ######################################## +@@ -845,7 +858,44 @@ ') files_search_pids($1) @@ -20250,7 +24064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -868,6 +906,50 @@ +@@ -868,6 +918,75 @@ ######################################## ## 
@@ -20297,11 +24111,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +######################################## ++## ++## Execute xsever in the xserver domain, and ++## allow the specified role the xserver domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to be allowed the xserver domain. ++## ++## ++# ++interface(`xserver_run_xauth',` ++ gen_require(` ++ type xauth_t; ++ ') ++ ++ xserver_domtrans_xauth($1) ++ role $2 types xauth_t; ++') ++ ++######################################## +## ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -886,6 +968,24 @@ +@@ -886,6 +1005,24 @@ ######################################## ## @@ -20326,7 +24165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute an X session in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -961,6 +1061,27 @@ +@@ -961,6 +1098,27 @@ ######################################## ## 
@@ -20354,7 +24193,77 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write the X server ## log files. ## -@@ -1107,10 +1228,11 @@ +@@ -1014,11 +1172,11 @@ + # + interface(`xserver_read_xdm_tmp_files',` + gen_require(` +- type xdm_tmp_t; ++ type xserver_tmp_t; + ') + + files_search_tmp($1) +- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ++ read_files_pattern($1, xserver_tmp_t, xserver_tmp_t) + ') + + ######################################## +@@ -1033,11 +1191,11 @@ + # + interface(`xserver_dontaudit_read_xdm_tmp_files',` + gen_require(` +- type xdm_tmp_t; ++ type xserver_tmp_t; + ') + +- dontaudit $1 xdm_tmp_t:dir search_dir_perms; +- dontaudit $1 xdm_tmp_t:file read_file_perms; ++ dontaudit $1 xserver_tmp_t:dir search_dir_perms; ++ dontaudit $1 xserver_tmp_t:file read_file_perms; + ') + + ######################################## +@@ -1052,11 +1210,11 @@ + # + interface(`xserver_rw_xdm_tmp_files',` + gen_require(` +- type xdm_tmp_t; ++ type xserver_tmp_t; + ') + +- allow $1 xdm_tmp_t:dir search_dir_perms; +- allow $1 xdm_tmp_t:file rw_file_perms; ++ allow $1 xserver_tmp_t:dir search_dir_perms; ++ allow $1 xserver_tmp_t:file rw_file_perms; + ') + + ######################################## +@@ -1071,10 +1229,10 @@ + # + interface(`xserver_manage_xdm_tmp_files',` + gen_require(` +- type xdm_tmp_t; ++ type xserver_tmp_t; + ') + +- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ++ manage_files_pattern($1, xserver_tmp_t, xserver_tmp_t) + ') + + ######################################## +@@ -1089,10 +1247,10 @@ + # + interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` + gen_require(` +- type xdm_tmp_t; ++ type xserver_tmp_t; + ') + +- dontaudit $1 xdm_tmp_t:sock_file getattr; ++ dontaudit $1 xserver_tmp_t:sock_file getattr; + ') + + ######################################## +@@ -1107,10 +1265,11 @@ # interface(`xserver_domtrans',` gen_require(` 
@@ -20367,7 +24276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1248,6 +1370,278 @@ +@@ -1248,6 +1407,278 @@ ######################################## ## @@ -20521,7 +24430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`xserver_use_xdm',` + gen_require(` -+ type xdm_t, xdm_tmp_t; ++ type xdm_t, xserver_tmp_t; + type xdm_xproperty_t; + type xdm_home_t; + class x_client all_x_client_perms; @@ -20646,7 +24555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1261,7 +1655,103 @@ +@@ -1261,7 +1692,103 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; @@ -20655,7 +24564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1 xserver_unconfined_type; + typeattribute $1 x_domain; -+') + ') + +######################################## +## @@ -20683,7 +24592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $2 $1:x_drawable all_x_drawable_perms; + allow $1 $2:x_resource all_x_resource_perms; + allow $2 $1:x_resource all_x_resource_perms; - ') ++') + +####################################### +## 
@@ -20750,9 +24659,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow xdm_t $1:dbus send_msg; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.33/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-09-30 13:28:34.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/services/xserver.te 2009-11-12 14:26:53.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -20848,20 +24757,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xdm_var_lib_t; files_type(xdm_var_lib_t) -@@ -174,6 +185,12 @@ +@@ -174,13 +185,21 @@ type xdm_var_run_t; files_pid_file(xdm_var_run_t) +-type xdm_tmp_t; +-files_tmp_file(xdm_tmp_t) +-typealias xdm_tmp_t alias ice_tmp_t; +type xserver_var_lib_t; +files_type(xserver_var_lib_t) + +type xserver_var_run_t; +files_pid_file(xserver_var_run_t) -+ - type xdm_tmp_t; - files_tmp_file(xdm_tmp_t) - typealias xdm_tmp_t alias ice_tmp_t; -@@ -181,6 +198,12 @@ + type xdm_tmpfs_t; files_tmpfs_file(xdm_tmpfs_t) 
@@ -20874,7 +24782,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -202,8 +225,8 @@ +@@ -196,14 +215,14 @@ + ubac_constrained(xserver_t) + + type xserver_tmp_t; +-typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; ++typealias xserver_tmp_t alias { xdm_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; + typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; + files_tmp_file(xserver_tmp_t) ubac_constrained(xserver_tmp_t) type xserver_tmpfs_t; @@ -20885,7 +24800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -250,19 +273,21 @@ +@@ -250,23 +269,28 @@ # Xauth local policy # @@ -20893,6 +24808,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xauth_t self:process signal; allow xauth_t self:unix_stream_socket create_stream_socket_perms; ++allow xauth_t xdm_t:process sigchld; ++ allow xauth_t xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) +userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file) 
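Review bot: Folding xdm_tmp_t and ice_tmp_t into xserver_tmp_t as aliases, with no comment, erases the type boundary between the display manager's temporary files and the X server's: every rule on either type now applies to the union. It also changes the properties of the former xdm_tmp_t files, because xserver_tmp_t is ubac_constrained (context line here) while the xdm_tmp_t declaration removed earlier in this patch only had files_tmp_file; files xdm_t creates as system_u are presumably exempt from UBAC, but a user-domain writer of the old xdm_tmp_t content may now be constrained, which is worth confirming. Add a comment on the typealias line naming the reason for the merge, e.g. `# xdm_tmp_t/ice_tmp_t merged into xserver_tmp_t: xdm and the X server share the same /tmp socket dirs` (adjusted to the actual reason), so a later reviewer does not have to reconstruct it.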
@@ -20910,7 +24827,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(xauth_t) files_read_etc_files(xauth_t) -@@ -300,20 +325,31 @@ + files_search_pids(xauth_t) ++files_dontaudit_getattr_all_dirs(xauth_t) + + fs_getattr_xattr_fs(xauth_t) + fs_search_auto_mountpoints(xauth_t) +@@ -279,6 +303,11 @@ + userdom_use_user_terminals(xauth_t) + userdom_read_user_tmp_files(xauth_t) + ++ifdef(`hide_broken_symptoms', ` ++ userdom_manage_user_home_content_files(xauth_t) ++ userdom_manage_user_tmp_files(xauth_t) ++') ++ + xserver_rw_xdm_tmp_files(xauth_t) + + tunable_policy(`use_nfs_home_dirs',` +@@ -289,6 +318,11 @@ + fs_manage_cifs_files(xauth_t) + ') + ++ifdef(`hide_broken_symptoms', ` ++ term_dontaudit_use_unallocated_ttys(xauth_t) ++ dev_dontaudit_rw_dri(xauth_t) ++') ++ + optional_policy(` + ssh_sigchld(xauth_t) + ssh_read_pipes(xauth_t) +@@ -300,20 +334,31 @@ # XDM Local policy # @@ -20932,7 +24878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:key { search link write }; -+allow xdm_t xauth_home_t:file rw_file_perms; ++allow xdm_t xauth_home_t:file manage_file_perms; + allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) 
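Review bot: The first new `ifdef(`hide_broken_symptoms', ...)` block in this hunk grants xauth_t userdom_manage_user_home_content_files and userdom_manage_user_tmp_files — by their names, create/write/unlink over every user home content type and all user tmp files — which is an allow rule, not a dontaudit, so it does not hide a symptom; it removes the confinement of a helper whose legitimate home target is xauth_home_t (see the manage rule and filetrans for xauth_home_t earlier in this file). If the denials are only noise, use dontaudit interfaces inside that block, as the second hide_broken_symptoms block in this hunk does for ttys and dri; if xauth genuinely needs to write another home file type, grant that type explicitly. Either way the block needs a comment naming the application that triggers the denials, e.g. `# <display manager> runs xauth against files outside ~/.Xauthority — see bug <id>` with the real reference.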
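Review bot: Widening xdm_t on xauth_home_t from rw_file_perms to manage_file_perms adds create, unlink, rename and link on users' .Xauthority files, but nothing in this hunk sets the label on files xdm_t creates; the xauth_t policy earlier in this file pairs its manage rule with `userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)`. Unless xdm_t has an equivalent filetrans outside the hunk, a file it creates in a user's home will get the home directory's default type and the new create permission is only exercised on pre-existing files. If the display manager really writes the cookie file itself, add the matching `userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)` with a comment saying which display manager needs it, since xdm_t running as system_u managing files in every user's home is a notable grant.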
@@ -20945,12 +24891,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -329,22 +365,39 @@ - manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) - manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) - files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) -+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +@@ -325,26 +370,43 @@ + # this is ugly, daemons should not create files under /etc! + manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) + +-manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +-manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +-manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) ++manage_dirs_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) ++manage_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) ++manage_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) ++files_tmp_filetrans(xdm_t, xserver_tmp_t, { file dir sock_file }) ++relabelfrom_dirs_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) ++relabelfrom_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) @@ -20988,7 +24942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +411,7 @@ +@@ -358,6 +420,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; 
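Review bot: The new relabelfrom_dirs_pattern/relabelfrom_files_pattern on xserver_tmp_t give xdm_t only the 'from' half of a relabel, with no relabelto visible and no comment saying what it is for. Alone they do nothing, but together with any relabelto xdm_t holds elsewhere they let the display manager strip the xserver_tmp_t label off the X server's temporary files. Add a comment naming the operation, e.g. `# xdm relabels the /tmp X socket dir it creates before the X server starts`, if that is the case, and consider pairing it with an explicit relabelto of the intended target type so the grant documents itself. Any relabelto side is outside this hunk.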
@@ -20996,7 +24950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,10 +420,14 @@ +@@ -366,10 +429,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -21012,7 +24966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -389,11 +447,13 @@ +@@ -389,11 +456,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -21026,7 +24980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +461,7 @@ +@@ -401,6 +470,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -21034,7 +24988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +474,17 @@ +@@ -413,14 +483,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -21054,7 +25008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +495,13 @@ +@@ -431,9 +504,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -21068,7 +25022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +510,7 @@ +@@ -442,6 +519,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -21076,7 +25030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +519,7 @@ +@@ -450,6 +528,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -21084,11 +25038,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +530,11 @@ +@@ -460,10 +539,12 @@ logging_read_generic_logs(xdm_t) +miscfiles_dontaudit_write_fonts(xdm_t) ++miscfiles_search_man_pages(xdm_t) miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) - @@ -21098,17 +25053,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,6 +543,9 @@ +@@ -472,6 +553,10 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) ++userdom_stream_connect(xdm_t) +userdom_manage_user_tmp_dirs(xdm_t) +userdom_manage_user_tmp_sockets(xdm_t) +userdom_manage_tmpfs_role(system_r, xdm_t) xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,10 +578,12 @@ +@@ -504,10 +589,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -21121,7 +25077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +591,46 @@ +@@ -515,12 +602,47 @@ ') optional_policy(` 
@@ -21129,6 +25085,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dbus_role_template(xdm, system_r, xdm_t) + + dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; ++ xserver_xdm_append_log(xdm_dbusd_t) + + corecmd_bin_entry_type(xdm_t) + @@ -21168,7 +25125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +652,38 @@ +@@ -542,6 +664,38 @@ ') optional_policy(` @@ -21207,7 +25164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +692,9 @@ +@@ -550,8 +704,9 @@ ') optional_policy(` @@ -21219,7 +25176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +703,6 @@ +@@ -560,7 +715,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -21227,7 +25184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +713,10 @@ +@@ -571,6 +725,10 @@ ') optional_policy(` @@ -21238,7 +25195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,10 +733,9 @@ +@@ -587,10 +745,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -21250,7 +25207,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -602,9 +747,12 @@ +@@ -602,9 +759,12 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -21263,7 +25220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +764,14 @@ +@@ -616,13 +776,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -21279,7 +25236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +784,19 @@ +@@ -635,9 +796,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -21299,7 +25256,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -671,7 +830,6 @@ +@@ -671,7 +842,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -21307,7 +25264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -681,9 +839,12 @@ +@@ -681,9 +851,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -21321,7 +25278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -698,8 +859,12 @@ +@@ -698,8 +871,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -21334,7 +25291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -721,6 +886,7 @@ +@@ -721,6 +898,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -21342,7 +25299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -743,7 +909,7 @@ +@@ -743,7 +921,7 @@ ') ifdef(`enable_mls',` @@ -21351,7 +25308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -775,12 +941,20 @@ +@@ -775,12 +953,20 @@ ') optional_policy(` @@ -21373,7 +25330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -807,7 +981,7 @@ +@@ -807,12 +993,12 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -21381,8 +25338,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) # Label pid and temporary files with derived types. - manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -828,9 +1002,14 @@ +-manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +-manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +-manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) ++manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) ++manage_lnk_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) ++manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) + + # Run xkbcomp. + allow xserver_t xkb_var_lib_t:lnk_file read; +@@ -828,9 +1014,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
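Review bot: In the last hunk on this line the context comment `# Label pid and temporary files with derived types.` now introduces rules that let xserver_t manage file, lnk_file and sock_file objects of its own xserver_tmp_t, so it no longer describes what follows (the derived xdm_tmp_t type is gone, merged into xserver_tmp_t elsewhere in this patch). Replace it with `# xdm_tmp_t is an alias of xserver_tmp_t; manage the tmp files and sockets shared with xdm` so the next reader does not look for a type_transition that is not there. The comment is a context line, so the fix belongs in the F13 patch alongside the rewritten manage rules.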
@@ -21397,7 +25362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -845,11 +1024,14 @@ +@@ -845,11 +1036,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -21413,7 +25378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -882,6 +1064,8 @@ +@@ -882,6 +1076,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -21422,7 +25387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -906,6 +1090,8 @@ +@@ -906,6 +1102,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -21431,7 +25396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -973,17 +1159,49 @@ +@@ -973,17 +1171,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -21493,9 +25458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# -allow xdm_t user_home_type:file unlink; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.32/policy/modules/system/application.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.33/policy/modules/system/application.if --- nsaserefpolicy/policy/modules/system/application.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/application.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/application.if 2009-11-12 14:26:53.000000000 -0500 @@ -2,7 +2,7 @@ ######################################## @@ -21527,9 +25492,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 application_domain_type:process signull; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.32/policy/modules/system/application.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.33/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/application.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/application.te 2009-11-12 14:26:53.000000000 -0500 @@ -7,7 +7,18 @@ # Executables to be run by user attribute application_exec_type; 
@@ -21549,9 +25514,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + sudo_sigchld(application_domain_type) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.32/policy/modules/system/authlogin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.33/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/authlogin.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/authlogin.fc 2009-11-12 14:26:53.000000000 -0500 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -21577,9 +25542,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) +/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.33/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-09-21 08:40:36.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/authlogin.if 2009-11-13 11:28:07.000000000 -0500 @@ -40,17 +40,76 @@ ## ## 
@@ -21666,7 +25631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for fingerprint readers dev_rw_input_dev($1) dev_rw_generic_usb_dev($1) -@@ -86,27 +143,44 @@ +@@ -86,27 +143,45 @@ mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -21687,6 +25652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - logging_send_audit_msgs($1) - logging_send_syslog_msg($1) logging_set_loginuid($1) ++ logging_set_tty_audit($1) seutil_read_config($1) seutil_read_default_contexts($1) @@ -21724,7 +25690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -258,6 +332,7 @@ +@@ -258,6 +333,7 @@ type auth_cache_t; ') @@ -21732,7 +25698,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, auth_cache_t, auth_cache_t) ') -@@ -305,19 +380,16 @@ +@@ -305,19 +381,16 @@ dev_read_rand($1) dev_read_urand($1) @@ -21757,7 +25723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -328,6 +400,29 @@ +@@ -328,6 +401,29 @@ optional_policy(` samba_stream_connect_winbind($1) ') @@ -21787,7 +25753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -352,6 +447,7 @@ +@@ -352,6 +448,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -21795,7 +25761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1129,6 +1225,32 @@ +@@ -1129,6 +1226,32 @@ ######################################## ## @@ -21828,7 +25794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1254,6 +1376,25 @@ +@@ -1254,6 +1377,25 @@ ######################################## ## 
@@ -21854,7 +25820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write to ## login records files. ## -@@ -1395,6 +1536,14 @@ +@@ -1395,16 +1537,33 @@ ') optional_policy(` @@ -21869,28 +25835,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1403,8 +1552,17 @@ - ') - optional_policy(` +- nscd_socket_use($1) ++ nscd_use($1) ++ ') ++ ++ optional_policy(` + nslcd_stream_connect($1) + ') + + optional_policy(` + sssd_stream_connect($1) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) + samba_dontaudit_write_var_files($1) ') ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.32/policy/modules/system/authlogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.33/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/authlogin.te 2009-09-16 10:03:09.000000000 -0400 -@@ -125,9 +125,18 @@ ++++ serefpolicy-3.6.33/policy/modules/system/authlogin.te 2009-11-12 14:26:53.000000000 -0500 +@@ -103,6 +103,7 @@ + + fs_dontaudit_getattr_xattr_fs(chkpwd_t) + ++term_dontaudit_use_console(chkpwd_t) + term_dontaudit_use_unallocated_ttys(chkpwd_t) + term_dontaudit_use_generic_ptys(chkpwd_t) + +@@ -125,9 +126,18 @@ ') optional_policy(` 
@@ -21909,15 +25885,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # PAM local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.33/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/fstools.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -21,7 +20,6 @@ +@@ -6,6 +5,7 @@ + /sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -21,7 +21,6 @@ /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
@@ -21925,9 +25909,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.32/policy/modules/system/fstools.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.33/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/fstools.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/fstools.te 2009-11-13 07:59:52.000000000 -0500 @@ -118,6 +118,8 @@ fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) @@ -21957,9 +25941,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.32/policy/modules/system/init.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.33/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/init.fc 2009-09-18 09:48:19.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/init.fc 2009-11-12 14:26:53.000000000 -0500 @@ -4,10 +4,10 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) 
@@ -21983,18 +25967,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /var -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if ---- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-09-16 10:03:09.000000000 -0400 -@@ -174,6 +174,7 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.33/policy/modules/system/init.if +--- nsaserefpolicy/policy/modules/system/init.if 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/system/init.if 2009-11-12 14:26:53.000000000 -0500 +@@ -162,6 +162,7 @@ + gen_require(` + attribute direct_run_init, direct_init, direct_init_entry; + type initrc_t; ++ type init_t; + role system_r; + attribute daemon; + ') +@@ -174,6 +175,11 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; ++ ++ # Handle upstart direct transition to a executable ++ domtrans_pattern(init_t,$2,$1) ++ allow init_t $1:process siginh; # daemons started from init will # inherit fds from init for the console -@@ -272,6 +273,7 @@ +@@ -272,6 +278,7 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -22002,7 +25998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -280,6 +282,36 @@ +@@ -280,6 +287,36 @@ kernel_dontaudit_use_fds($1) ') ') @@ -22039,7 +26035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -546,7 +578,7 @@ +@@ -546,7 +583,7 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; 
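Review bot: The two added lines `domtrans_pattern(init_t,$2,$1)` and `allow init_t $1:process siginh;` let PID 1 exec every daemon entrypoint directly into its domain, and let the daemon inherit init's signal state, for every caller of this interface (its name is outside the hunk; the gen_require suggests init_daemon_domain), regardless of the init_upstart tunable declared in init.te later in this patch. On a SysV system the direct path is unused policy, but it is still a new edge from init_t, so it should be conditional — `tunable_policy(`init_upstart', ...)` if the target policy version accepts type_transition in conditional blocks, otherwise a build-time ifdef — and the siginh grant deserves its own justification, since clearing signal state across the transition is the safer default. Also fix the comment: `# Upstart (init_t) execs daemons itself: transition directly without an initrc_t script`.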
@@ -22048,7 +26044,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -619,18 +651,19 @@ +@@ -619,18 +656,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -22072,7 +26068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -646,23 +679,43 @@ +@@ -646,19 +684,39 @@ # interface(`init_domtrans_script',` gen_require(` @@ -22093,11 +26089,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -22110,17 +26106,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; -+ ') + ') + + corecmd_bin_domtrans($1, initrc_t) -+') -+ -+######################################## -+## - ## Execute a init script in a specified domain. - ## - ## -@@ -904,6 +957,24 @@ + ') + + ######################################## +@@ -923,6 +981,24 @@ allow $1 init_script_file_type:file read_file_perms; ') @@ -22145,7 +26137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Execute all init scripts in the caller domain. -@@ -1123,7 +1194,7 @@ +@@ -1142,7 +1218,7 @@ type initrc_t; ') @@ -22154,7 +26146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1291,6 +1362,25 @@ +@@ -1310,6 +1386,25 @@ ######################################## ## 
@@ -22180,7 +26172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create files in a init script ## temporary data directory. ## -@@ -1521,3 +1611,51 @@ +@@ -1540,3 +1635,51 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -22232,9 +26224,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 init_t:unix_dgram_socket sendto; + allow init_t $1:unix_dgram_socket sendto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te ---- nsaserefpolicy/policy/modules/system/init.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/init.te 2009-09-16 10:03:09.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.33/policy/modules/system/init.te +--- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/system/init.te 2009-11-12 14:26:53.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -22359,7 +26351,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) init_write_initctl(initrc_t) -@@ -249,10 +287,15 @@ +@@ -246,13 +284,19 @@ + kernel_clear_ring_buffer(initrc_t) + kernel_get_sysvipc_info(initrc_t) + kernel_read_all_sysctls(initrc_t) ++kernel_request_load_module(initrc_t) kernel_rw_all_sysctls(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) 
@@ -22377,7 +26373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -@@ -272,16 +315,63 @@ +@@ -272,16 +316,63 @@ dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) @@ -22442,7 +26438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -291,7 +381,7 @@ +@@ -291,7 +382,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -22451,7 +26447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -306,14 +396,15 @@ +@@ -306,14 +397,15 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -22469,7 +26465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -324,48 +415,16 @@ +@@ -324,48 +416,16 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -22522,7 +26518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -374,19 +433,22 @@ +@@ -374,19 +434,22 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -22546,7 +26542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -422,8 +484,6 @@ +@@ -422,16 +485,12 @@ # init scripts touch this clock_dontaudit_write_adjtime(initrc_t) 
@@ -22555,7 +26551,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for integrated run_init to read run_init_type. # happens during boot (/sbin/rc execs init scripts) seutil_read_default_contexts(initrc_t) -@@ -450,11 +510,9 @@ + + # /lib/rcscripts/net/system.sh rewrites resolv.conf :( +- sysnet_create_config(initrc_t) +- sysnet_write_config(initrc_t) +- sysnet_setattr_config(initrc_t) ++ sysnet_manage_config(initrc_t) + + optional_policy(` + arpwatch_manage_data_files(initrc_t) +@@ -450,11 +509,9 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -22568,7 +26573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # These seem to be from the initrd # during device initialization: dev_create_generic_dirs(initrc_t) -@@ -464,6 +522,7 @@ +@@ -464,6 +521,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) @@ -22576,7 +26581,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -492,11 +551,17 @@ +@@ -492,11 +550,17 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -22594,7 +26599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,6 +580,33 @@ +@@ -515,6 +579,33 @@ ') ') @@ -22628,7 +26633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -567,10 +659,19 @@ +@@ -567,10 +658,19 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -22648,7 +26653,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -590,6 +691,10 @@ +@@ -590,6 +690,10 @@ ') optional_policy(` 
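Review bot: `sysnet_manage_config(initrc_t)` replaces the three narrower calls (create, write, setattr) and therefore also grants unlink, rename and link on network config files, while the comment above it, `# /lib/rcscripts/net/system.sh rewrites resolv.conf :(`, justifies only rewriting. If the script really replaces the file (write to a temp file, then rename), say so in the comment, e.g. `# system.sh replaces resolv.conf via rename, so the full manage set is needed`; otherwise the previous granular calls were the tighter fit. The enclosing block starts outside the hunk.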
@@ -22659,7 +26664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -646,20 +751,20 @@ +@@ -646,20 +750,20 @@ ') optional_policy(` @@ -22686,7 +26691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -668,6 +773,7 @@ +@@ -668,6 +772,7 @@ mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) @@ -22694,7 +26699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -696,7 +802,6 @@ +@@ -700,7 +805,6 @@ ') optional_policy(` @@ -22702,7 +26707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -718,8 +823,6 @@ +@@ -722,8 +826,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -22711,7 +26716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -732,13 +835,16 @@ +@@ -736,13 +838,16 @@ squid_manage_logs(initrc_t) ') @@ -22728,7 +26733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -747,6 +853,7 @@ +@@ -751,6 +856,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -22736,7 +26741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -754,6 +861,15 @@ +@@ -758,6 +864,15 @@ ') optional_policy(` 
@@ -22752,13 +26757,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domain(initrc_t) ifdef(`distro_redhat',` -@@ -764,6 +880,13 @@ +@@ -768,6 +883,21 @@ optional_policy(` mono_domtrans(initrc_t) ') + + # Allow SELinux aware applications to request rpm_script_t execution + rpm_transition_script(initrc_t) ++ ++ ++ optional_policy(` ++ gen_require(` ++ type unconfined_execmem_t, execmem_exec_t; ++ ') ++ init_system_domain(unconfined_execmem_t, execmem_exec_t) ++ ') +') + +optional_policy(` @@ -22766,7 +26779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -789,3 +912,31 @@ +@@ -793,3 +923,31 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -22798,9 +26811,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + fail2ban_read_lib_files(daemon) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.32/policy/modules/system/ipsec.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.33/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/ipsec.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/ipsec.fc 2009-11-13 08:03:05.000000000 -0500 @@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) 
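Review bot: The new `init_system_domain(unconfined_execmem_t, execmem_exec_t)` lets init run execmem_exec_t binaries directly in an unconfined domain that also has execmem, and there is no comment saying which service needs it; it sits under the existing `# Allow SELinux aware applications to request rpm_script_t execution` comment, which does not cover it. A one-line why-comment naming the service that is started this way would keep the grant reviewable later. The two consecutive empty `++` lines before the `optional_policy` block are one more than the file uses elsewhere. The enclosing `ifdef(distro_redhat)`/`optional_policy` block begins outside the hunk.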
@@ -22808,9 +26821,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.32/policy/modules/system/ipsec.if +@@ -34,6 +37,8 @@ + + /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) + ++/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) ++ + /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) ++/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) + +-/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.33/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/ipsec.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/ipsec.if 2009-11-12 14:26:53.000000000 -0500 @@ -229,3 +229,28 @@ ipsec_domtrans_setkey($1) role $2 types setkey_t; 
@@ -22840,9 +26863,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ipsec_domtrans_racoon($1) + role $2 types racoon_t; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.33/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/ipsec.te 2009-11-13 08:03:41.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # @@ -22867,7 +26890,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # type for file(s) containing ipsec keys - RSA or preshared type ipsec_key_file_t; files_type(ipsec_key_file_t) -@@ -43,6 +53,9 @@ +@@ -22,6 +32,9 @@ + # Default type for IPSEC SPD entries + type ipsec_spd_t; + ++type ipsec_log_t; ++logging_log_file(ipsec_log_t) ++ + # type for runtime files, including pluto.ctl + type ipsec_var_run_t; + files_pid_file(ipsec_var_run_t) +@@ -43,6 +56,9 @@ init_daemon_domain(racoon_t, racoon_exec_t) role system_r types racoon_t; @@ -22877,7 +26910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type setkey_t; type setkey_exec_t; init_system_domain(setkey_t, setkey_exec_t) -@@ -53,21 +66,23 @@ +@@ -53,21 +69,23 @@ # ipsec Local policy # 
@@ -22885,7 +26918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice }; dontaudit ipsec_t self:capability sys_tty_config; -allow ipsec_t self:process { signal setsched }; -+allow ipsec_t self:process { getsched signal setsched }; ++allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms; @@ -22904,7 +26937,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -82,7 +97,7 @@ +@@ -82,16 +100,17 @@ # so try flipping back into the ipsec_mgmt_t domain corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; @@ -22912,8 +26945,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:process sigchld; - kernel_read_kernel_sysctls(ipsec_t) -@@ -120,7 +135,9 @@ +-kernel_read_kernel_sysctls(ipsec_t) + kernel_list_proc(ipsec_t) ++kernel_read_kernel_sysctls(ipsec_t) + kernel_read_proc_symlinks(ipsec_t) + # allow pluto to access /proc/net/ipsec_eroute; + kernel_read_system_state(ipsec_t) + kernel_read_network_state(ipsec_t) + kernel_read_software_raid_state(ipsec_t) ++kernel_request_load_module(ipsec_t) + kernel_getattr_core_if(ipsec_t) + kernel_getattr_message_if(ipsec_t) + +@@ -120,7 +139,9 @@ domain_use_interactive_fds(ipsec_t) 
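Review bot: `setcap` is added to `allow ipsec_t self:process { getcap setcap getsched signal setsched };` without a comment; self `setcap` lets pluto change its own capability sets, presumably to drop privileges after startup (confirm against the daemon's behaviour), and a comment such as `# pluto adjusts its own capability set after startup` would record that. The same applies to `kernel_request_load_module(ipsec_t)` in the next hunk on this line: it allows the daemon to trigger kernel module autoloading, which is plausible for the xfrm/esp stack, and a short why-comment helps the next audit. Moving `kernel_read_kernel_sysctls(ipsec_t)` below `kernel_list_proc(ipsec_t)` is a pure reorder and is fine.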
@@ -22923,7 +26967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) -@@ -154,12 +171,12 @@ +@@ -154,16 +175,19 @@ # allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; @@ -22938,7 +26982,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) -@@ -241,6 +258,7 @@ + ++manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) ++logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) ++ + allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; + files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) + +@@ -241,6 +265,7 @@ init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) @@ -22946,7 +26997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(ipsec_mgmt_t) -@@ -280,6 +298,13 @@ +@@ -280,6 +305,13 @@ allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; allow racoon_t self:key_socket create_socket_perms; @@ -22960,7 +27011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # manage pid file manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -297,6 +322,13 @@ +@@ -297,6 +329,13 @@ kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) @@ -22974,7 +27025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_sendrecv_all_if(racoon_t) corenet_udp_sendrecv_all_if(racoon_t) -@@ -314,6 +346,8 @@ +@@ -314,6 +353,8 @@ files_read_etc_files(racoon_t) 
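Review bot: ipsec_mgmt_t gets `manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)` and `logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)`, but nothing on the new side grants ipsec_t (the pluto daemon itself) any access to ipsec_log_t, which this commit also assigns to /var/log/pluto.log in ipsec.fc. If the daemon appends to that log directly rather than through the management scripts, it will be denied; either confirm the log is only written by ipsec_mgmt_t or add `append_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t)` next to the daemon's other file rules.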
@@ -22983,7 +27034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow racoon to use avc_has_perm to check context on proposed SA selinux_compute_access_vector(racoon_t) -@@ -328,6 +362,14 @@ +@@ -328,6 +369,14 @@ miscfiles_read_localization(racoon_t) @@ -22998,7 +27049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Setkey local policy -@@ -347,6 +389,7 @@ +@@ -347,6 +396,7 @@ files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) @@ -23006,9 +27057,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.32/policy/modules/system/iptables.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.33/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iptables.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/iptables.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,7 +1,16 @@ -/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) + 
@@ -23030,9 +27081,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.33/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2009-09-16 12:21:50.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/iptables.if 2009-11-12 14:26:53.000000000 -0500 @@ -19,6 +19,24 @@ domtrans_pattern($1, iptables_exec_t, iptables_t) ') @@ -23141,9 +27192,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1, iptables_conf_t, iptables_conf_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.33/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2009-09-21 08:19:48.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/iptables.te 2009-11-12 14:26:53.000000000 -0500 @@ -11,6 +11,12 @@ init_system_domain(iptables_t, iptables_exec_t) role system_r types iptables_t; 
@@ -23194,9 +27245,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rhgb_dontaudit_use_ptys(iptables_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.32/policy/modules/system/iscsi.if +@@ -108,5 +123,10 @@ + ') + + optional_policy(` ++ shorewall_rw_var_lib(iptables_t) ++') ++ ++optional_policy(` + udev_read_db(iptables_t) + ') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.33/policy/modules/system/iscsi.if --- nsaserefpolicy/policy/modules/system/iscsi.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iscsi.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/iscsi.if 2009-11-12 14:26:53.000000000 -0500 @@ -17,3 +17,43 @@ domtrans_pattern($1, iscsid_exec_t, iscsid_t) @@ -23241,9 +27303,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.33/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/iscsi.te 2009-11-12 14:26:53.000000000 -0500 @@ -55,6 +55,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) 
@@ -23267,9 +27329,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -sysnet_dns_name_resolve(iscsid_t) +miscfiles_read_localization(iscsid_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.6.33/policy/modules/system/kdump.te +--- nsaserefpolicy/policy/modules/system/kdump.te 2009-09-09 09:23:16.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/kdump.te 2009-11-12 14:26:53.000000000 -0500 +@@ -21,7 +21,7 @@ + # kdump local policy + # + +-allow kdump_t self:capability { sys_boot dac_override }; ++allow kdump_t self:capability { sys_boot sys_rawio dac_override }; + + read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) + +@@ -29,8 +29,11 @@ + files_read_kernel_img(kdump_t) + + kernel_read_system_state(kdump_t) ++kernel_read_core_if(kdump_t) + + dev_read_framebuffer(kdump_t) + dev_read_sysfs(kdump_t) + + term_use_console(kdump_t) ++ ++permissive kdump_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.33/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/libraries.fc 2009-11-12 14:26:53.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt 
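Review bot: `permissive kdump_t;` puts the whole kdump domain in permissive mode, so none of the rules above it are enforced and the `sys_rawio` capability added in the earlier hunk on this line cannot be validated from denials alone; if it is a temporary measure it should be marked as one, e.g. `# TODO: permissive until the kdump rule set is complete; remove before release`. `sys_rawio` grants raw block-device access, which is plausibly needed to write the crash dump to the target device (confirm), and deserves its own why-comment since it is a powerful capability. A permissive domain still emits AVC audit records, so the denials can be collected and the declaration dropped once the policy covers them.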
@@ -23319,7 +27405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -115,27 +120,30 @@ +@@ -115,27 +120,37 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -23330,8 +27416,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libADM5avcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -23347,6 +27438,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -23358,7 +27451,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) /usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -143,11 +151,8 @@ +@@ -143,11 +158,8 @@ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -23370,7 +27463,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,12 +173,12 @@ +@@ -168,12 +180,12 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php 
@@ -23385,7 +27478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -185,15 +190,10 @@ +@@ -185,15 +197,10 @@ /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -23402,7 +27495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -228,31 +228,17 @@ +@@ -228,31 +235,17 @@ /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -23438,7 +27531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -268,8 +254,8 @@ +@@ -268,8 +261,8 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -23449,7 +27542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -295,6 +281,8 @@ +@@ -295,6 +288,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -23458,7 +27551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +295,96 @@ +@@ -307,10 +302,102 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -23469,12 +27562,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') +/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) ++/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) + -+/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
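Review bot: `/usr/lib(64)?/libmyth[^/]+\.so.*` replaces the previous `libmythavcodec-[^/]+` pattern and now labels every libmyth* library textrel_shlib_t, which permits execmod (text relocations) for all of them rather than for the one codec library; if only a few MythTV libraries actually carry text relocations, listing those keeps the execmod surface smaller. The new `/usr/share/squeezeboxserver/CPAN/arch/.+\.so` entry has the same shape, covering every compiled Perl module under that tree. A comment naming the libraries that were observed to need execmod would let a later maintainer narrow the patterns.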
@@ -23487,6 +27581,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) + @@ -23517,6 +27612,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libADM_coreImage\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ +ifdef(`fixed',` +/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -23525,8 +27627,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -23534,9 +27634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -23555,10 +27653,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.33/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-09-16 10:03:09.000000000 -0400 -@@ -247,7 +247,7 @@ ++++ serefpolicy-3.6.33/policy/modules/system/libraries.if 2009-11-12 14:26:53.000000000 -0500 +@@ -17,6 +17,7 @@ + + corecmd_search_bin($1) + domtrans_pattern($1, ldconfig_exec_t, ldconfig_t) ++ allow $1 ldconfig_t:process noatsecure; + ') + + ######################################## +@@ -247,7 +248,7 @@ type lib_t; ') @@ -23567,7 +27674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol list_dirs_pattern($1, lib_t, lib_t) read_files_pattern($1, lib_t, lib_t) read_lnk_files_pattern($1, lib_t, lib_t) -@@ -401,7 +401,7 @@ +@@ -401,7 +402,7 @@ type lib_t, textrel_shlib_t; ') 
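Review bot: `allow $1 ldconfig_t:process noatsecure;` in the inner `@@ -17,6 +17,7 @@` hunk of libraries.if removes the AT_SECURE handling on the transition into ldconfig_t for every caller of this interface, so the dynamic loader in the ldconfig process will honour LD_* and similar environment variables inherited from the caller that a secure-exec transition would otherwise drop. Since ldconfig_t creates the system ld.so.cache (`files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)` in the libraries.te hunks that follow), this is a hardening regression that deserves a comment naming the caller that needs it; if only one caller does, granting it in that caller's policy instead of the generic domtrans interface keeps the default transition secure. The interface this line lands in starts outside the hunk, so its name is not visible here.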
@@ -23576,9 +27683,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 lib_t:dir list_dir_perms; read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.32/policy/modules/system/libraries.te ---- nsaserefpolicy/policy/modules/system/libraries.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.te 2009-09-16 11:55:28.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.33/policy/modules/system/libraries.te +--- nsaserefpolicy/policy/modules/system/libraries.te 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.6.33/policy/modules/system/libraries.te 2009-11-12 14:26:53.000000000 -0500 @@ -58,11 +58,11 @@ # ldconfig local policy # @@ -23593,7 +27700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -@@ -76,16 +76,21 @@ +@@ -76,21 +76,27 @@ fs_getattr_xattr_fs(ldconfig_t) @@ -23615,7 +27722,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(ldconfig_t) -@@ -100,6 +105,10 @@ + logging_send_syslog_msg(ldconfig_t) + ++term_use_console(ldconfig_t) + userdom_use_user_terminals(ldconfig_t) + userdom_use_all_users_fds(ldconfig_t) + +@@ -100,6 +106,10 @@ ') ') @@ -23626,7 +27739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) -@@ -123,3 +132,7 @@ +@@ -127,3 +137,7 @@ # blow up. rpm_manage_script_tmp_files(ldconfig_t) ') 
@@ -23634,9 +27747,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(ldconfig_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.32/policy/modules/system/locallogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.33/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/locallogin.te 2009-11-12 14:26:53.000000000 -0500 +@@ -33,7 +33,7 @@ + # Local login local policy + # + +-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; ++allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; + allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow local_login_t self:process { setrlimit setexec }; + allow local_login_t self:fd use; @@ -74,6 +74,7 @@ dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) 
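Review bot: The locallogin.te change `+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };` adds sys_admin, the broadest capability in the set, to the login domain without a comment saying which operation failed without it. Every other capability in that list is specific, so a line such as `# sys_admin: needed for <OPERATION-PLACEHOLDER>, see <DENIAL-PLACEHOLDER>` above the rule would let a later reviewer check whether a narrower capability or a dontaudit would do instead. The local_login_t block continues beyond the hunk.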
@@ -23716,9 +27838,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.32/policy/modules/system/logging.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.33/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2009-09-29 07:51:07.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/logging.fc 2009-11-12 14:26:53.000000000 -0500 @@ -51,17 +51,21 @@ ifdef(`distro_redhat',` 
@@ -23745,10 +27867,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.32/policy/modules/system/logging.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.33/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/logging.if 2009-09-21 08:38:49.000000000 -0400 -@@ -624,7 +624,7 @@ ++++ serefpolicy-3.6.33/policy/modules/system/logging.if 2009-11-12 14:26:53.000000000 -0500 +@@ -69,6 +69,20 @@ + + ######################################## + ## ++## Set tty auditing ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_set_tty_audit',` ++ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit }; ++') ++ ++######################################## ++## + ## Set up audit + ## + ## +@@ -624,7 +638,7 @@ ') files_search_var($1) @@ -23757,7 +27900,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -708,6 +708,8 @@ +@@ -708,6 +722,8 @@ files_search_var($1) manage_files_pattern($1, logfile, logfile) read_lnk_files_pattern($1, logfile, logfile) 
@@ -23766,9 +27909,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.33/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/logging.te 2009-09-29 07:52:08.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/logging.te 2009-11-12 14:26:53.000000000 -0500 @@ -123,10 +123,10 @@ allow auditd_t self:capability { chown fsetid sys_nice sys_resource }; 
@@ -23876,9 +28019,62 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol inn_manage_log(syslogd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.32/policy/modules/system/lvm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.6.33/policy/modules/system/lvm.if +--- nsaserefpolicy/policy/modules/system/lvm.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/lvm.if 2009-11-12 14:26:53.000000000 -0500 +@@ -21,6 +21,26 @@ + + ######################################## + ## ++## Execute lvm programs in the caller domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`lvm_exec',` ++ gen_require(` ++ type lvm_exec_t; ++ ') ++ ++ corecmd_search_sbin($1) ++ can_exec($1, lvm_exec_t) ++ ++') ++ ++######################################## ++## + ## Execute lvm programs in the lvm domain. + ## + ## +@@ -85,3 +105,22 @@ + manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t) + manage_files_pattern($1, lvm_etc_t, lvm_etc_t) + ') ++ ++###################################### ++## ++## Execute a domain transition to run clvmd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`lvm_clvmd_domtrans',` ++ gen_require(` ++ type clvmd_t, clvmd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1,clvmd_exec_t,clvmd_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.33/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2009-09-29 09:58:56.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/lvm.te 2009-11-12 14:26:53.000000000 -0500 
@@ -10,6 +10,9 @@ type clvmd_exec_t; init_daemon_domain(clvmd_t, clvmd_exec_t) 
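Review bot: In the new `lvm_clvmd_domtrans` interface of lvm.if, `domtrans_pattern($1,clvmd_exec_t,clvmd_t)` drops the spaces after commas that the other calls in this patch use (`domtrans_pattern($1, ldconfig_exec_t, ldconfig_t)` in libraries.if), and the new `lvm_exec` interface carries a stray blank line between `can_exec($1, lvm_exec_t)` and its closing `')`. Both are style only; `domtrans_pattern($1, clvmd_exec_t, clvmd_t)` and deleting the empty line would match the file. The `lvm_exec` summary "Execute lvm programs in the caller domain" is accurate for can_exec and worth keeping as-is, since it tells the reader that a domain granted it runs the LVM tools with its own privileges rather than transitioning to lvm_t.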
@@ -23987,10 +28183,59 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` modutils_domtrans_insmod(lvm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if +@@ -329,6 +352,10 @@ + ') + + optional_policy(` ++ virt_manage_images(lvm_t) ++') ++ ++optional_policy(` + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.33/policy/modules/system/miscfiles.fc +--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/miscfiles.fc 2009-11-12 14:26:53.000000000 -0500 +@@ -85,3 +85,5 @@ + /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + ') ++ ++HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.33/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2009-09-27 09:27:40.000000000 -0400 -@@ -87,6 +87,44 @@ ++++ serefpolicy-3.6.33/policy/modules/system/miscfiles.if 2009-11-12 14:26:53.000000000 -0500 +@@ -23,6 +23,28 @@ + + ######################################## + ## ++## Read system SSL certificates in the users homedir. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`miscfiles_read_home_certs',` ++ gen_require(` ++ type home_cert_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 home_cert_t:dir list_dir_perms; ++ read_files_pattern($1, home_cert_t, home_cert_t) ++ read_lnk_files_pattern($1, home_cert_t, home_cert_t) ++') ++ ++######################################## ++## + ## manange system SSL certificates. + ## + ## +@@ -87,6 +109,44 @@ ######################################## ## 
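Review bot: The summary of the new `miscfiles_read_home_certs` interface, `## Read system SSL certificates in the users homedir.`, contradicts itself: home_cert_t labels `HOME_DIR/\.cert(/.*)?` (miscfiles.fc in the same hunk), which is per-user content, not system certificates. Suggest `## Read SSL certificates in the user's home directory (~/.cert).`. Because the pattern covers everything under that directory, the interface hands the caller whatever a user keeps there, so the summary or a comment should make that scope explicit before it is granted to network-facing domains.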
@@ -24035,9 +28280,56 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write fonts. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.6.32/policy/modules/system/modutils.fc +@@ -255,6 +315,24 @@ + + ######################################## + ## ++## Allow process to search man pages. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`miscfiles_search_man_pages',` ++ gen_require(` ++ type man_t; ++ ') ++ ++ allow $1 man_t:dir search_dir_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to search man pages. + ## + ## +@@ -268,7 +346,7 @@ + type man_t; + ') + +- dontaudit $1 man_t:dir search; ++ dontaudit $1 man_t:dir search_dir_perms; + ') + + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.6.33/policy/modules/system/miscfiles.te +--- nsaserefpolicy/policy/modules/system/miscfiles.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/miscfiles.te 2009-11-12 14:26:53.000000000 -0500 +@@ -12,6 +12,9 @@ + type cert_t; + files_type(cert_t) + ++type home_cert_t; ++userdom_user_home_content(home_cert_t) ++ + # + # fonts_t is the type of various font + # files in /usr +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.6.33/policy/modules/system/modutils.fc --- nsaserefpolicy/policy/modules/system/modutils.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/modutils.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/modutils.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,6 +1,7 @@ /etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) 
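Review bot: The parameter description of the new `miscfiles_search_man_pages` interface reads `## Domain to not audit.`, copied from the dontaudit interface below it, but this one is an allow rule (`allow $1 man_t:dir search_dir_perms;`). Change it to `## Domain allowed access.` as the other allow interfaces in this patch do. In the same hunk, `dontaudit $1 man_t:dir search;` becoming `search_dir_perms` widens the silence from the single search permission to the whole search_dir_perms set, which is fine for a dontaudit but worth a reviewer's glance.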
@@ -24046,9 +28338,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_gentoo',` # gentoo init scripts still manage this file -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.6.32/policy/modules/system/modutils.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.6.33/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/modutils.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/modutils.if 2009-11-12 14:26:53.000000000 -0500 @@ -1,5 +1,24 @@ ## Policy for kernel module utilities @@ -24122,9 +28414,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.32/policy/modules/system/modutils.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.33/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/modutils.te 2009-09-18 09:27:21.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/modutils.te 2009-11-12 14:26:53.000000000 -0500 @@ -19,6 +19,7 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) @@ -24142,7 +28434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow depmod_t modules_dep_t:file manage_file_perms; files_kernel_modules_filetrans(depmod_t, modules_dep_t, file) -@@ -56,6 +57,7 @@ +@@ -56,12 +57,14 @@ domain_use_interactive_fds(depmod_t) 
@@ -24150,7 +28442,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_kernel_symbol_table(depmod_t) files_read_kernel_modules(depmod_t) files_read_etc_runtime_files(depmod_t) -@@ -83,7 +85,13 @@ + files_read_etc_files(depmod_t) + files_read_usr_src_files(depmod_t) + files_list_usr(depmod_t) ++files_read_boot_files(depmod_t) + + fs_getattr_xattr_fs(depmod_t) + +@@ -75,6 +78,14 @@ + # Read System.map from home directories. + files_list_home(depmod_t) + userdom_read_user_home_content_files(depmod_t) ++userdom_manage_user_tmp_files(depmod_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(depmod_t) ++') ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(depmod_t) ++') + + ifdef(`distro_ubuntu',` + optional_policy(` +@@ -83,7 +94,13 @@ ') optional_policy(` @@ -24164,7 +28478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -91,19 +99,23 @@ +@@ -91,19 +108,23 @@ # insmod local policy # @@ -24190,7 +28504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) -@@ -112,6 +124,7 @@ +@@ -112,6 +133,7 @@ kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) kernel_read_hotplug_sysctls(insmod_t) @@ -24198,7 +28512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(insmod_t) corecmd_exec_shell(insmod_t) -@@ -124,9 +137,7 @@ +@@ -124,9 +146,7 @@ dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) 
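Review bot: `userdom_manage_user_tmp_files(depmod_t)` sits under the comment `# Read System.map from home directories.` but grants create/write/delete on user tmp files, not just read, so a root-privileged depmod can now write into files owned by unprivileged users in tmp. If the need is read-only like the neighbouring `userdom_read_user_home_content_files(depmod_t)`, `userdom_read_user_tmp_files(depmod_t)` is the matching narrower interface; if write really is needed, a comment saying what depmod writes there would justify it. The nfs/cifs tunable blocks below it are read-only and are consistent with the comment.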
@@ -24209,11 +28523,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -144,11 +155,14 @@ +@@ -144,11 +164,15 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) +fs_dontaudit_use_tmpfs_chr_dev(insmod_t) ++fs_mount_rpc_pipefs(insmod_t) init_rw_initctl(insmod_t) init_use_fds(insmod_t) @@ -24224,7 +28539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -157,19 +171,31 @@ +@@ -157,19 +181,31 @@ seutil_read_file_contexts(insmod_t) @@ -24259,7 +28574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hotplug_search_config(insmod_t) ') -@@ -228,7 +254,7 @@ +@@ -228,7 +264,7 @@ can_exec(update_modules_t, update_modules_exec_t) # manage module loading configuration @@ -24268,9 +28583,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file) files_etc_filetrans(update_modules_t, modules_conf_t, file) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.32/policy/modules/system/mount.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.33/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/mount.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/mount.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,4 +1,9 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) 
@@ -24282,9 +28597,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.32/policy/modules/system/mount.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.33/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/mount.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/mount.if 2009-11-12 14:26:53.000000000 -0500 @@ -84,9 +84,11 @@ interface(`mount_signal',` gen_require(` @@ -24297,9 +28612,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.33/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2009-09-21 08:19:17.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/mount.te 2009-11-13 07:48:55.000000000 -0500 @@ -18,8 +18,12 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; 
@@ -24330,7 +28645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; +allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid }; -+allow mount_t self:process { ptrace signal }; ++allow mount_t self:process { getsched ptrace signal }; +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; +allow mount_t self:unix_dgram_socket create_socket_perms; @@ -24450,10 +28765,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -172,6 +212,21 @@ +@@ -172,6 +212,25 @@ ') optional_policy(` ++ cron_system_entry(mount_t, mount_exec_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(mount_t) + + optional_policy(` @@ -24472,7 +28791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +234,11 @@ +@@ -179,6 +238,11 @@ ') ') @@ -24484,7 +28803,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +246,7 @@ +@@ -186,6 +250,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -24492,7 +28811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -195,5 +256,8 @@ +@@ -195,5 +260,8 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) 
@@ -24502,18 +28821,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rpc_domtrans_rpcd(unconfined_mount_t) ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.fc serefpolicy-3.6.32/policy/modules/system/raid.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.fc serefpolicy-3.6.33/policy/modules/system/raid.fc --- nsaserefpolicy/policy/modules/system/raid.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/raid.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/raid.fc 2009-11-12 14:26:53.000000000 -0500 @@ -3,3 +3,5 @@ /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) + +/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.32/policy/modules/system/raid.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.33/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/raid.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/raid.te 2009-11-12 14:26:53.000000000 -0500 @@ -14,6 +14,9 @@ type mdadm_var_run_t; files_pid_file(mdadm_var_run_t) 
@@ -24541,9 +28860,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.32/policy/modules/system/selinuxutil.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.33/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/selinuxutil.fc 2009-11-12 14:26:53.000000000 -0500 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) @@ -24583,9 +28902,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.33/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-09-24 23:11:24.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/selinuxutil.if 2009-11-12 14:26:53.000000000 -0500 @@ -351,6 +351,27 @@ ######################################## 
@@ -24941,9 +29260,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hotplug_use_fds($1) +') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.33/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2009-09-24 14:41:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/selinuxutil.te 2009-11-12 14:26:53.000000000 -0500 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -25041,7 +29360,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content(newrole_t) userdom_search_user_home_dirs(newrole_t) -@@ -336,6 +342,8 @@ +@@ -313,6 +319,8 @@ + kernel_rw_pipes(restorecond_t) + kernel_read_system_state(restorecond_t) + ++files_dontaudit_read_all_symlinks(restorecond_t) ++ + fs_relabelfrom_noxattr_fs(restorecond_t) + fs_dontaudit_list_nfs(restorecond_t) + fs_getattr_xattr_fs(restorecond_t) +@@ -336,6 +344,8 @@ seutil_libselinux_linked(restorecond_t) @@ -25050,7 +29378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -354,7 +362,7 @@ +@@ -354,7 +364,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; 
@@ -25059,7 +29387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -383,7 +391,6 @@ +@@ -383,7 +393,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) @@ -25067,7 +29395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -406,6 +413,10 @@ +@@ -406,6 +415,10 @@ ') ') @@ -25078,7 +29406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -421,61 +432,22 @@ +@@ -421,61 +434,22 @@ # semodule local policy # @@ -25086,13 +29414,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow semanage_t self:unix_stream_socket create_stream_socket_perms; -allow semanage_t self:unix_dgram_socket create_socket_perms; -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+seutil_semanage_policy(semanage_t) -+allow semanage_t self:fifo_file rw_fifo_file_perms; - +- -allow semanage_t policy_config_t:file rw_file_perms; -+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) - +- -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) 
@@ -25103,9 +29427,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -corecmd_exec_bin(semanage_t) - -dev_read_urand(semanage_t) -- ++seutil_semanage_policy(semanage_t) ++allow semanage_t self:fifo_file rw_fifo_file_perms; + -domain_use_interactive_fds(semanage_t) -- ++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) @@ -25127,13 +29455,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) -+# Admins are creating pp files in random locations -+auth_read_all_files_except_shadow(semanage_t) - +- -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) -- ++# Admins are creating pp files in random locations ++auth_read_all_files_except_shadow(semanage_t) + -seutil_libselinux_linked(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) @@ -25148,7 +29476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -484,12 +456,23 @@ +@@ -484,12 +458,23 @@ files_read_var_lib_symlinks(semanage_t) ') @@ -25172,7 +29500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -499,111 +482,40 @@ +@@ -499,111 +484,41 @@ userdom_read_user_tmp_files(semanage_t) ') 
@@ -25302,15 +29630,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - unconfined_dontaudit_rw_tcp_sockets(setfiles_t) - ') + setroubleshoot_dontaudit_rw_dgram_sockets(setfiles_t) ++ setroubleshoot_dontaudit_rw_dgram_sockets(setsebool_t) ') optional_policy(` - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.32/policy/modules/system/setrans.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.33/policy/modules/system/setrans.if --- nsaserefpolicy/policy/modules/system/setrans.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/setrans.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/setrans.if 2009-11-12 14:26:53.000000000 -0500 @@ -21,3 +21,23 @@ stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t) files_list_pids($1) @@ -25335,9 +29664,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + init_labeled_script_domtrans($1, setrans_initrc_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.33/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/sysnetwork.fc 2009-11-12 14:26:53.000000000 -0500 
@@ -11,15 +11,20 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -25366,9 +29695,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.33/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/sysnetwork.if 2009-11-12 14:26:53.000000000 -0500 @@ -43,6 +43,39 @@ sysnet_domtrans_dhcpc($1) @@ -25546,9 +29875,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + role_transition $1 dhcpc_exec_t system_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.33/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2009-09-21 08:24:25.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/sysnetwork.te 2009-11-12 14:26:53.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; 
@@ -25597,7 +29926,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_etc_filetrans(dhcpc_t, net_conf_t, file) # create temp files -@@ -107,11 +114,13 @@ +@@ -81,6 +88,7 @@ + kernel_read_system_state(dhcpc_t) + kernel_read_network_state(dhcpc_t) + kernel_read_kernel_sysctls(dhcpc_t) ++kernel_request_load_module(dhcpc_t) + kernel_use_fds(dhcpc_t) + + corecmd_exec_bin(dhcpc_t) +@@ -107,14 +115,17 @@ # for SSP: dev_read_urand(dhcpc_t) @@ -25612,7 +29949,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_home(dhcpc_t) files_search_var_lib(dhcpc_t) files_dontaudit_search_locks(dhcpc_t) -@@ -183,25 +192,23 @@ ++files_getattr_generic_locks(dhcpc_t) + + fs_getattr_all_fs(dhcpc_t) + fs_search_auto_mountpoints(dhcpc_t) +@@ -183,25 +194,23 @@ ') optional_policy(` @@ -25646,7 +29987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -212,6 +219,7 @@ +@@ -212,6 +221,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -25654,7 +29995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -223,6 +231,10 @@ +@@ -223,6 +233,10 @@ ') optional_policy(` @@ -25665,7 +30006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_xen_state(dhcpc_t) kernel_write_xen_state(dhcpc_t) xen_append_log(dhcpc_t) -@@ -235,7 +247,6 @@ +@@ -235,7 +249,6 @@ # allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; 
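Review bot: `kernel_request_load_module(dhcpc_t)` is added without a comment recording which kernel module the DHCP client needs autoloaded; since dhcpc_t processes input from the network, a rule that lets it trigger module loading deserves that justification for the next audit, e.g. `# autoload <MODULE-PLACEHOLDER> when bringing up the interface`. The same applies to `kernel_request_load_module(udev_t)` in the udev.te hunk later in this patch. Both enclosing policy blocks start and end outside their hunks.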
@@ -25673,7 +30014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; -@@ -249,6 +260,8 @@ +@@ -249,6 +262,8 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; @@ -25682,7 +30023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; # for /sbin/ip -@@ -260,7 +273,9 @@ +@@ -260,7 +275,9 @@ kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) @@ -25692,7 +30033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) -@@ -269,15 +284,23 @@ +@@ -269,15 +286,23 @@ # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -25717,7 +30058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_read_root_files(ifconfig_t) -@@ -294,6 +317,8 @@ +@@ -294,6 +319,8 @@ seutil_use_runinit_fds(ifconfig_t) @@ -25726,7 +30067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -330,8 +355,21 @@ +@@ -330,8 +357,22 @@ ') optional_policy(` 
@@ -25747,10 +30088,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + hal_dontaudit_rw_dgram_sockets(dhcpc_t) + hal_dontaudit_rw_pipes(ifconfig_t) ++ hal_dontaudit_rw_dgram_sockets(ifconfig_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.32/policy/modules/system/udev.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.33/policy/modules/system/udev.fc --- nsaserefpolicy/policy/modules/system/udev.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/udev.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/udev.fc 2009-11-12 14:26:53.000000000 -0500 @@ -7,6 +7,9 @@ /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0) @@ -25761,10 +30103,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.32/policy/modules/system/udev.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.33/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/udev.if 2009-09-16 10:03:09.000000000 -0400 -@@ -168,4 +168,25 @@ ++++ serefpolicy-3.6.33/policy/modules/system/udev.if 2009-11-12 14:26:53.000000000 -0500 +@@ -168,4 +168,43 @@ dev_list_all_dev_nodes($1) allow $1 udev_tbl_t:file rw_file_perms; 
@@ -25789,10 +30131,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + files_search_var_lib($1) + manage_files_pattern($1, udev_var_run_t, udev_var_run_t) ++') ++ ++######################################## ++## ++## Send signal to udev process ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`udev_signal',` ++ gen_require(` ++ type udev_t; ++ ') ++ ++ allow $1 udev_t:process signal; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.33/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/udev.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/udev.te 2009-11-12 14:26:53.000000000 -0500 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -25801,7 +30161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -66,6 +67,7 @@ +@@ -66,9 +67,11 @@ manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) @@ -25809,7 +30169,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) kernel_read_system_state(udev_t) -@@ -111,6 +113,7 @@ ++kernel_request_load_module(udev_t) + kernel_getattr_core_if(udev_t) + kernel_use_fds(udev_t) + kernel_read_device_sysctls(udev_t) +@@ -111,6 +114,7 @@ fs_getattr_all_fs(udev_t) fs_list_inotifyfs(udev_t) 
@@ -25817,7 +30181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mcs_ptrace_all(udev_t) -@@ -140,6 +143,7 @@ +@@ -140,6 +144,7 @@ logging_send_audit_msgs(udev_t) miscfiles_read_localization(udev_t) @@ -25825,7 +30189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(udev_t) # read modules.inputmap: -@@ -194,6 +198,10 @@ +@@ -194,6 +199,10 @@ ') optional_policy(` @@ -25836,7 +30200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol brctl_domtrans(udev_t) ') -@@ -202,14 +210,27 @@ +@@ -202,14 +211,27 @@ ') optional_policy(` @@ -25864,7 +30228,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol lvm_domtrans(udev_t) ') -@@ -219,6 +240,7 @@ +@@ -219,6 +241,7 @@ optional_policy(` hal_dgram_send(udev_t) @@ -25872,7 +30236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -228,6 +250,10 @@ +@@ -228,6 +251,10 @@ ') optional_policy(` @@ -25883,7 +30247,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -242,6 +268,18 @@ +@@ -242,6 +269,18 @@ ') optional_policy(` 
@@ -25902,9 +30266,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_write_xen_state(udev_t) kernel_read_xen_state(udev_t) xen_manage_log(udev_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.32/policy/modules/system/unconfined.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.33/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/unconfined.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/unconfined.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,16 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: @@ -25922,9 +30286,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -ifdef(`distro_gentoo',` -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.33/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/unconfined.if 2009-11-12 14:26:53.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` 
@@ -26428,9 +30792,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - - allow $1 unconfined_t:dbus acquire_svc; -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.32/policy/modules/system/unconfined.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.33/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/unconfined.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/unconfined.te 2009-11-12 14:26:53.000000000 -0500 @@ -5,227 +5,5 @@ # # Declarations @@ -26660,9 +31024,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - hal_dbus_chat(unconfined_execmem_t) - ') -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.33/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/userdomain.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,4 +1,8 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) 
@@ -26673,9 +31037,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +HOME_DIR/\.gvfs(/.*)? <> -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.33/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-28 10:22:23.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/userdomain.if 2009-11-13 11:30:17.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -27045,7 +31409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -420,35 +414,48 @@ +@@ -420,35 +414,58 @@ ## is the prefix for user_t). ## ## @@ -27075,7 +31439,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - dev_getattr_agp_dev($1_t) - dev_dontaudit_rw_dri($1_t) + dev_getattr_agp_dev($1) -+ dev_dontaudit_rw_dri($1) ++ ++ tunable_policy(`user_direct_dri',` ++ dev_rw_dri($1) ++ ',` ++ dev_dontaudit_rw_dri($1) ++ ') ++ # GNOME checks for usb and other devices: - dev_rw_usbfs($1_t) + dev_rw_usbfs($1) 
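Review bot: The new `tunable_policy(`user_direct_dri',` block relies on a `user_direct_dri` boolean that is not declared anywhere in this patch; if it is not already declared with `gen_tunable` in a module always built alongside userdomain, the build fails on the undeclared tunable. Worth confirming where it is declared and, if it belongs here, adding `gen_tunable(user_direct_dri, false)` with its description next to the other `user_*` tunables. The else branch keeping `dev_dontaudit_rw_dri($1)` is the right default. The enclosing template starts and ends outside the hunk.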
@@ -27083,15 +31453,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_read_video_dev($1) + dev_write_video_dev($1) + dev_rw_wireless($1) ++ ++ miscfiles_dontaudit_write_fonts($1) ++ ++ optional_policy(` ++ udev_read_db($1) ++ ') - xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) - xserver_xsession_entry_type($1_t) - xserver_dontaudit_write_log($1_t) - xserver_stream_connect_xdm($1_t) -+ miscfiles_dontaudit_write_fonts($1) -+ + optional_policy(` -+ udev_read_db($1) ++ setroubleshoot_dontaudit_dbus_chat($1) + ') + + optional_policy(` @@ -27113,7 +31487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -498,7 +505,7 @@ +@@ -498,7 +515,7 @@ attribute unpriv_userdomain; ') @@ -27122,7 +31496,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -508,182 +515,209 @@ +@@ -508,182 +525,213 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
@@ -27143,27 +31517,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) +- +- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corecmd_exec_bin($1_t) -+ corenet_udp_bind_generic_node($1_usertype) -+ corenet_udp_bind_generic_port($1_usertype) - - corenet_udp_bind_generic_node($1_t) - corenet_udp_bind_generic_port($1_t) -+ dev_read_rand($1_usertype) -+ dev_write_sound($1_usertype) -+ dev_read_sound($1_usertype) -+ dev_read_sound_mixer($1_usertype) -+ dev_write_sound_mixer($1_usertype) ++ corenet_udp_bind_generic_node($1_usertype) ++ corenet_udp_bind_generic_port($1_usertype) - dev_read_rand($1_t) - dev_write_sound($1_t) - dev_read_sound($1_t) - dev_read_sound_mixer($1_t) - dev_write_sound_mixer($1_t) -- ++ dev_read_rand($1_usertype) ++ dev_write_sound($1_usertype) ++ dev_read_sound($1_usertype) ++ dev_read_sound_mixer($1_usertype) ++ dev_write_sound_mixer($1_usertype) + - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -27227,7 +31601,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_exec_checkpolicy($1_t) - seutil_exec_setfiles($1_t) + seutil_exec_setfiles($1_usertype) -+ seutil_exec_restorecond($1_usertype) # for when the network connection is killed # this is needed when a login role can change # to this one. 
@@ -27236,37 +31609,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`user_direct_mouse',` - dev_read_mouse($1_t) + dev_read_mouse($1_usertype) ++ ') ++ ++ optional_policy(` ++ alsa_read_rw_config($1_usertype) ') - tunable_policy(`user_ttyfile_stat',` - term_getattr_all_user_ttys($1_t) + optional_policy(` -+ alsa_read_rw_config($1_usertype) - ') - - optional_policy(` -- alsa_read_rw_config($1_t) + # Allow graphical boot to check battery lifespan + apm_stream_connect($1_usertype) ') + optional_policy(` +- alsa_read_rw_config($1_t) ++ canna_stream_connect($1_usertype) + ') + optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) -+ canna_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` ++ chrome_role($1_r, $1_usertype) + ') + + optional_policy(` +- canna_stream_connect($1_t) + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + avahi_dbus_chat($1_usertype) - ') - - optional_policy(` -- canna_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + bluetooth_dbus_chat($1_usertype) ') 
@@ -27274,35 +31651,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - dbus_system_bus_client($1_t) + consolekit_dbus_chat($1_usertype) + consolekit_read_log($1_usertype) -+ ') ++ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ hal_dbus_chat($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_var_lib_files($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ vpnc_dbus_chat($1_usertype) ++ vpnc_dbus_chat($1_usertype) ') ') @@ -27389,7 +31767,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_t, $1_r) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` @@ -27405,7 +31783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -711,13 +745,26 @@ +@@ -711,13 +759,26 @@ userdom_base_user_template($1) 
@@ -27416,7 +31794,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - userdom_manage_tmpfs_role($1_r, $1_t) + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + @@ -27427,9 +31807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -27437,7 +31815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -735,70 +782,72 @@ +@@ -735,70 +796,72 @@ allow $1_t self:context contains; @@ -27543,24 +31921,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -835,6 +884,32 @@ - # Local policy +@@ -826,6 +889,8 @@ + ') + + userdom_login_user_template($1) ++ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; ++ dontaudit $1_t self:netlink_audit_socket create_socket_perms; + + typeattribute $1_t unpriv_userdomain; + domain_interactive_fd($1_t) +@@ -836,6 +901,26 @@ # -+ tunable_policy(`user_rw_noexattrfile',` -+ fs_manage_noxattr_fs_files($1_usertype) -+ fs_manage_noxattr_fs_dirs($1_usertype) -+ fs_manage_dos_dirs($1_usertype) -+ fs_manage_dos_files($1_usertype) -+ ') -+ -+ optional_policy(` + optional_policy(` + dbus_role_template($1, $1_r, $1_usertype) + dbus_system_bus_client($1_usertype) + allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + abrt_dbus_chat($1_usertype) ++ abrt_run_helper($1_usertype, $1_r) + ') + + optional_policy(` 
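Review bot: `allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;` and the audit-socket dontaudit are inserted directly after `userdom_login_user_template($1)` and before `typeattribute $1_t unpriv_userdomain;`, i.e. in the declarations section rather than under the local-policy header where the template's other rules live. They also target `$1_t` while the surrounding rewrite moves rules onto `$1_usertype`, so either the narrower scope is intended and deserves a comment, or they should follow the attribute like their neighbours. A short comment naming the program that opens a uevent socket would also help, e.g. `# <PROGRAM-PLACEHOLDER> listens for device events`. The enclosing template starts and ends outside the hunk.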
@@ -27573,10 +31953,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + ') + - optional_policy(` ++ optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -865,51 +940,81 @@ + ') +@@ -865,51 +950,93 @@ userdom_restricted_user_template($1) @@ -27593,12 +31974,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) ++ ++ xserver_role($1_r, $1_t) ++ xserver_communicate($1_usertype, $1_usertype) - dev_read_sound($1_t) - dev_write_sound($1_t) -+ xserver_role($1_r, $1_t) -+ xserver_communicate($1_usertype, $1_usertype) -+ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -27611,18 +31992,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) + ++ tunable_policy(`user_rw_noexattrfile',` ++ fs_manage_noxattr_fs_files($1_usertype) ++ fs_manage_noxattr_fs_dirs($1_usertype) ++ fs_manage_dos_dirs($1_usertype) ++ fs_manage_dos_files($1_usertype) ++ storage_raw_read_removable_device($1_usertype) ++ storage_raw_write_removable_device($1_usertype) ++ ') ++ + logging_send_syslog_msg($1_usertype) logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain logging_send_audit_msgs($1_t) selinux_get_enforce_mode($1_t) - -- xserver_restricted_role($1_r, $1_t) ++ seutil_exec_restorecond($1_t) ++ seutil_read_file_contexts($1_t) ++ seutil_read_default_contexts($1_t) ++ + optional_policy(` + alsa_read_rw_config($1_usertype) + ') -+ + +- xserver_restricted_role($1_r, $1_t) + optional_policy(` + apache_role($1_r, $1_usertype) + ') @@ -27671,7 +32064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -943,8 +1048,8 @@ +@@ -943,8 +1070,8 @@ # Declarations # 
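Review bot: The relocated `tunable_policy(`user_rw_noexattrfile',` block now also grants `storage_raw_read_removable_device($1_usertype)` and `storage_raw_write_removable_device($1_usertype)`, but the `# Write floppies` comment that explained those raw-device rules at their old location was dropped, so the tunable's name no longer hints that it also enables raw block access to removable media. Suggest restoring it as `# also raw read/write of removable block devices (e.g. floppies) under the same tunable`. Note too that the old unpriv-template else branch granted `storage_raw_read_removable_device` unconditionally and this version grants nothing when the boolean is off; if that tightening is intended, say so in the comment. The enclosing template starts and ends outside the hunk.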
@@ -27681,7 +32074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -953,11 +1058,12 @@ +@@ -953,58 +1080,67 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here 
@@ -27689,72 +32082,87 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) ++ corenet_tcp_bind_all_nodes($1_usertype) - files_exec_usr_files($1_t) +- # cjp: why? +- files_read_kernel_symbol_table($1_t) + storage_rw_fuse($1_t) -+ - # cjp: why? - files_read_kernel_symbol_table($1_t) -@@ -975,36 +1081,53 @@ +- ifndef(`enable_mls',` +- fs_exec_noxattr($1_t) ++ # Allow users to run TCP servers (bind to ports and accept connection from ++ # the same domain and outside users) disabling this forces FTP passive mode ++ # and may change other protocols ++ tunable_policy(`user_tcp_server',` ++ corenet_tcp_bind_all_unreserved_ports($1_usertype) ++ ') + +- tunable_policy(`user_rw_noexattrfile',` +- fs_manage_noxattr_fs_files($1_t) +- fs_manage_noxattr_fs_dirs($1_t) +- # Write floppies +- storage_raw_read_removable_device($1_t) +- storage_raw_write_removable_device($1_t) +- ',` +- storage_raw_read_removable_device($1_t) ++ optional_policy(` ++ cdrecord_role($1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ cron_role($1_r, $1_t) ') ++ ++ optional_policy(` ++ games_rw_data($1_usertype) ') - tunable_policy(`user_dmesg',` - kernel_read_ring_buffer($1_t) - ',` - kernel_dontaudit_read_ring_buffer($1_t) -- ') -- - # Allow users to run TCP servers (bind to ports and accept connection from - # the same domain and outside users) disabling this forces FTP passive mode - # and may change other protocols - tunable_policy(`user_tcp_server',` ++ optional_policy(` ++ gpg_role($1_r, $1_usertype) + ') + +- # Allow users to run TCP servers (bind to ports and accept connection from +- # the same domain and outside users) disabling this forces FTP passive mode +- # and may change other protocols +- tunable_policy(`user_tcp_server',` - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) -+ 
corenet_tcp_bind_all_nodes($1_usertype) -+ corenet_tcp_bind_all_unreserved_ports($1_usertype) ++ optional_policy(` ++ gpm_stream_connect($1_usertype) ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r) - netutils_run_traceroute_cond($1_t,$1_r) -+ cdrecord_role($1_r, $1_t) ++ execmem_role_template($1, $1_r, $1_t) ') optional_policy(` - postgresql_role($1_r,$1_t) -+ cron_role($1_r, $1_t) ++ java_role_template($1, $1_r, $1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ games_rw_data($1_usertype) ++ mono_role_template($1, $1_r, $1_t) ') optional_policy(` - setroubleshoot_stream_connect($1_t) -+ gpg_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` -+ gpm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ java_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` -+ mono_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + mount_run($1_t, $1_r) + ') + + optional_policy(` ++ wine_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + ') + @@ -27764,7 +32172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1040,7 +1163,7 @@ +@@ -1040,7 +1176,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -27773,7 +32181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1049,8 +1172,7 @@ +@@ -1049,8 +1185,7 @@ # # Inherit rules for ordinary users. @@ -27783,7 +32191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,6 +1197,9 @@ +@@ -1075,6 +1210,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
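Review bot: `corenet_tcp_bind_all_nodes($1_usertype)` is now unconditional (placed after `corenet_tcp_bind_xserver_port($1_t)`), whereas the previous revision kept it together with the port rule under `user_tcp_server`. Because a bind is also checked against the port type, leaving `corenet_tcp_bind_all_unreserved_ports($1_usertype)` inside the tunable keeps user TCP servers gated, but the split reads like an accident; a comment such as `# node bind alone does not permit listening; ports stay gated by user_tcp_server` would make the intent explicit. The same hunk drops `ifndef(`enable_mls',` fs_exec_noxattr($1_t) ')` for unprivileged users with no note, and the commit message does not mention it, so confirm that is deliberate. The enclosing template starts and ends outside the hunk.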
@@ -27793,7 +32201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1214,7 @@ +@@ -1089,6 +1227,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -27801,7 +32209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1096,8 +1222,6 @@ +@@ -1096,8 +1235,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -27810,7 +32218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,6 +1248,8 @@ +@@ -1124,12 +1261,11 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -27819,7 +32227,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1152,20 +1278,6 @@ +- storage_raw_read_removable_device($1_t) +- storage_raw_write_removable_device($1_t) +- + term_use_all_terms($1_t) + + auth_getattr_shadow($1_t) +@@ -1152,20 +1288,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -27840,7 +32254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1323,7 @@ +@@ -1211,6 +1333,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -27848,7 +32262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1389,15 @@ +@@ -1276,11 +1399,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
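Review bot: In the admin-template hunk the unconditional `storage_raw_read_removable_device($1_t)` and `storage_raw_write_removable_device($1_t)` are removed, and the only remaining grant of these in this patch sits under the `user_rw_noexattrfile` tunable in the restricted-xwindows template. Unless the admin template inherits that block, administrative users lose raw removable-device access even with the boolean on; if that is intended, a comment at the removal site saying where the access now comes from would stop it reading as a regression. The enclosing template starts and ends outside the hunk.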
@@ -27864,7 +32278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1508,13 @@ +@@ -1391,12 +1518,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -27879,7 +32293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1547,14 @@ +@@ -1429,6 +1557,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -27894,7 +32308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1570,11 @@ +@@ -1444,9 +1580,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -27906,7 +32320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1631,25 @@ +@@ -1503,6 +1641,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -27928,11 +32342,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 user_home_t:file relabelto; +') ++######################################## ++## ++## Relabel user home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_relabel_user_home_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:file { relabelto relabelfrom }; ++') + ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1724,8 @@ +@@ -1577,6 +1751,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; 
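Review bot: The new `userdom_relabel_user_home_files` interface is appended with the previous interface's `')` immediately followed by its `########` banner, with no blank line between the two interfaces as the rest of the file uses. Its summary `Relabel user home files.` could also state both directions, since the rule grants `{ relabelto relabelfrom }` while the interface just above grants only `relabelto`, e.g. `## Relabel user home files to and from user_home_t.`.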
@@ -27941,7 +32372,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1670,6 +1819,7 @@ +@@ -1619,6 +1795,24 @@ + + ######################################## + ## ++## Set the attributes of user home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_setattr_user_home_content_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:file setattr; ++') ++ ++######################################## ++## + ## Do not audit attempts to set the + ## attributes of user home files. + ## +@@ -1670,6 +1864,7 @@ type user_home_dir_t, user_home_t; ') @@ -27949,7 +32405,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1797,19 +1947,32 @@ +@@ -1686,11 +1881,11 @@ + # + interface(`userdom_dontaudit_read_user_home_content_files',` + gen_require(` +- type user_home_t; ++ attribute user_home_type; + ') + +- dontaudit $1 user_home_t:dir list_dir_perms; +- dontaudit $1 user_home_t:file read_file_perms; ++ dontaudit $1 user_home_type:dir list_dir_perms; ++ dontaudit $1 user_home_type:file read_file_perms; + ') + + ######################################## +@@ -1797,19 +1992,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -27989,7 +32460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2007,7 @@ +@@ -1844,6 +2052,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
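Review bot: `userdom_dontaudit_read_user_home_content_files` now requires the `user_home_type` attribute instead of `type user_home_t`, so a caller's denied reads are silenced for every type carrying that attribute, while the neighbouring `userdom_read_user_home_content_files` still grants reads only on `user_home_dir_t`/`user_home_t`. Dontaudit rules grant nothing, but widening them hides denials on additional home-content types from the audit log and from audit2allow, which is how label mistakes in home directories usually get noticed. The interface name and its description (outside the hunk) still suggest plain user_home_t; either mention the wider scope there, e.g. `## Do not audit attempts to read files of any user_home_type, not only user_home_t.`, or keep the requirement on `user_home_t` to match the read interface. The `userdom_setattr_user_home_content_files` block added in the same hunk is complete and looks consistent with its dontaudit sibling.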
@@ -27997,36 +32468,193 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2391,27 +2555,7 @@ +@@ -2196,7 +2405,7 @@ ######################################## ## --## Read user tmpfs files. --## --## --## +-## Do not audit attempts to manage users ++## Do not audit attempts to write users + ## temporary files. + ## + ## +@@ -2205,37 +2414,56 @@ + ## + ## + # +-interface(`userdom_dontaudit_manage_user_tmp_files',` ++interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + +- dontaudit $1 user_tmp_t:file manage_file_perms; ++ dontaudit $1 user_tmp_t:file write; + ') + + ######################################## + ## +-## Read user temporary symbolic links. ++## Do not audit attempts to manage users ++## temporary files. + ## + ## + ## -## Domain allowed access. --## --## --# --interface(`userdom_read_user_tmpfs_files',` -- gen_require(` -- type user_tmpfs_t; -- ') -- -- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -- allow $1 user_tmpfs_t:dir list_dir_perms; -- fs_search_tmpfs($1) --') -- --######################################## --## ++## Domain to not audit. + ## + ## + # +-interface(`userdom_read_user_tmp_symlinks',` ++interface(`userdom_dontaudit_manage_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + +- read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) +- allow $1 user_tmp_t:dir list_dir_perms; +- files_search_tmp($1) ++ dontaudit $1 user_tmp_t:file manage_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete user ++## Read user temporary symbolic links. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_read_user_tmp_symlinks',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++ allow $1 user_tmp_t:dir list_dir_perms; ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user + ## temporary directories. + ## + ## +@@ -2276,6 +2504,46 @@ + ######################################## + ## + ## Create, read, write, and delete user ++## temporary chr files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_user_tmp_chr_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user ++## temporary blk files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_user_tmp_blk_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user + ## temporary symbolic links. + ## + ## +@@ -2391,7 +2659,7 @@ + + ######################################## + ## -## Read user tmpfs files. +## Read/Write user tmpfs files. ## ## ## -@@ -2765,11 +2909,32 @@ +@@ -2399,19 +2667,21 @@ + ## + ## + # +-interface(`userdom_read_user_tmpfs_files',` ++interface(`userdom_rw_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + +- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + allow $1 user_tmpfs_t:dir list_dir_perms; + fs_search_tmpfs($1) + ') + +-######################################## ++ ++###################################### + ## +-## Read user tmpfs files. ++## Manage user tmpfs files. 
+ ## + ## + ## +@@ -2419,15 +2689,14 @@ + ## + ## + # +-interface(`userdom_rw_user_tmpfs_files',` ++interface(`userdom_manage_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + +- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) +- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) +- allow $1 user_tmpfs_t:dir list_dir_perms; +- fs_search_tmpfs($1) ++ manage_dirs_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ manage_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + ') + + ######################################## +@@ -2749,7 +3018,7 @@ + + domain_entry_file_spec_domtrans($1, unpriv_userdomain) + allow unpriv_userdomain $1:fd use; +- allow unpriv_userdomain $1:fifo_file rw_file_perms; ++ allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms; + allow unpriv_userdomain $1:process sigchld; + ') + +@@ -2765,11 +3034,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -28061,7 +32689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3062,25 @@ +@@ -2897,7 +3187,43 @@ type user_tmp_t; ') @@ -28071,6 +32699,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Write all inherited users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_write_inherited_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file write; ++') ++ ++######################################## ++## +## Delete all users files in /tmp +## +## @@ -28088,7 +32734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3117,7 @@ +@@ -2934,6 +3260,7 @@ ') read_files_pattern($1, userdomain, userdomain) 
@@ -28096,7 +32742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3248,559 @@ +@@ -3064,3 +3391,578 @@ allow $1 userdomain:dbus send_msg; ') @@ -28362,6 +33008,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 unpriv_userdomain:unix_dgram_socket sendto; +') + ++###################################### ++## ++## Send a message to users over a unix domain ++## datagram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_users_dgram_send',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:unix_dgram_socket sendto; ++') ++ +####################################### +## +## Allow execmod on files in homedirectory @@ -28656,9 +33321,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 user_tmp_t:file { getattr append }; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.32/policy/modules/system/userdomain.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.33/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/userdomain.te 2009-11-12 14:26:53.000000000 -0500 @@ -8,13 +8,6 @@ ## @@ -28673,21 +33338,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow users to connect to PostgreSQL ##
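Review bot: `userdom_users_dgram_send` allows `sendto` on the unix_dgram_socket of every domain carrying the `userdomain` attribute, which the file's own comment calls "all user domains", so unlike the `unpriv_userdomain` interface directly above it this also reaches administrative user domains; the description "Send a message to users over a unix domain datagram socket" does not say so. State the scope so callers pick the narrower interface when it suffices, e.g. `## Send a message to all user domains, privileged ones included, over a unix domain datagram socket.` Its `####` banner is also shorter than the file's usual forty-column rule. The userdomain.te hunk that begins on this same line continues past the end of this page and is not reviewed here.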

##
-@@ -29,13 +22,6 @@ +@@ -29,10 +22,10 @@ ## ##

-## Allow users to read system messages. --##

--##
--gen_tunable(user_dmesg, false) -- --## --##

- ## Allow user to r/w files on filesystems - ## that do not have extended attributes (FAT, CDROM, FLOPPY) ++## Allow regular users direct dri device access ##

-@@ -54,11 +40,20 @@ + ##
+-gen_tunable(user_dmesg, false) ++gen_tunable(user_direct_dri, false) + + ## + ##

+@@ -54,11 +47,20 @@ # all user domains attribute userdomain; @@ -28710,7 +33374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) -@@ -72,6 +67,7 @@ +@@ -72,6 +74,7 @@ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -28718,7 +33382,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) -@@ -97,3 +93,25 @@ +@@ -97,3 +100,25 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) @@ -28744,9 +33408,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +allow userdomain userdomain:process signull; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.32/policy/modules/system/xen.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.33/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/xen.fc 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/xen.fc 2009-11-12 14:26:53.000000000 -0500 @@ -1,5 +1,7 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) 
@@ -28774,9 +33438,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.32/policy/modules/system/xen.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.33/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/xen.if 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/xen.if 2009-11-12 14:26:53.000000000 -0500 @@ -71,6 +71,8 @@ ') @@ -28827,9 +33491,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 xend_var_lib_t:dir search_dir_perms; + rw_files_pattern($1, xen_image_t, xen_image_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.33/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/modules/system/xen.te 2009-11-12 14:26:53.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # 
@@ -29021,7 +33685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; -+allow xm_t self:process signal; ++allow xm_t self:process { getsched signal }; # internal communication is often done using fifo and unix sockets. allow xm_t self:fifo_file rw_fifo_file_perms; @@ -29127,9 +33791,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_sock_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t) +files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt ---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2009-09-16 10:03:09.000000000 -0400 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.33/policy/support/obj_perm_sets.spt +--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.6.33/policy/support/obj_perm_sets.spt 2009-11-12 14:26:53.000000000 -0500 @@ -201,7 +201,7 @@ define(`setattr_file_perms',`{ setattr }') define(`read_file_perms',`{ getattr open read lock ioctl }') 
@@ -29162,9 +33826,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') + +define(`manage_key_perms', `{ create link read search setattr view write } ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.33/policy/users --- nsaserefpolicy/policy/users 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/users 2009-09-16 10:03:09.000000000 -0400 ++++ serefpolicy-3.6.33/policy/users 2009-11-12 14:26:53.000000000 -0500 @@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # diff --git a/selinux-policy.spec b/selinux-policy.spec index b8f6dd29..6a64b711 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,12 +19,12 @@ %define CHECKPOLICYVER 2.0.16-3 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.6.32 -Release: 16%{?dist} +Version: 3.6.33 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz -patch: policy-F12.patch +patch: policy-F13.patch Source1: modules-targeted.conf Source2: booleans-targeted.conf Source3: Makefile.devel @@ -449,6 +449,9 @@ exit 0 %endif %changelog +* Thu Nov 12 2009 Dan Walsh 3.6.33-1 +- Update to upstream + * Thu Oct 1 2009 Dan Walsh 3.6.32-17 - Allow vpnc request the kernel to load modules diff --git a/sources b/sources index 07d51654..3e8fe507 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 3651679c4b12a31d2ba5f4305bba5540 config.tgz -d3d5eaf6fd6ca9f09f8912d694810268 serefpolicy-3.6.32.tgz +e82cab8a9681ae7851aec03029f68285 serefpolicy-3.6.33.tgz