- Add fail2ban_var_lib_t

- Fixes for devicekit_power_t
Daniel J Walsh 2009-04-14 11:02:35 +00:00
parent d4af172a64
commit 685032cae2
2 changed files with 237 additions and 59 deletions


@ -242,7 +242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
$(verbose) $(INSTALL) -m 644 $< $@ $(verbose) $(INSTALL) -m 644 $< $@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.12/man/man8/httpd_selinux.8 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.12/man/man8/httpd_selinux.8
--- nsaserefpolicy/man/man8/httpd_selinux.8 2009-03-05 09:22:34.000000000 -0500 --- nsaserefpolicy/man/man8/httpd_selinux.8 2009-03-05 09:22:34.000000000 -0500
+++ serefpolicy-3.6.12/man/man8/httpd_selinux.8 2009-04-07 16:01:44.000000000 -0400 +++ serefpolicy-3.6.12/man/man8/httpd_selinux.8 2009-04-13 10:52:18.000000000 -0400
@@ -22,7 +22,7 @@ @@ -22,7 +22,7 @@
.EX .EX
httpd_sys_content_t httpd_sys_content_t
@ -266,6 +266,88 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man
.EX .EX
httpd_unconfined_script_exec_t httpd_unconfined_script_exec_t
.EE .EE
@@ -57,8 +57,7 @@
.EE
.SH BOOLEANS
-SELinux policy is customizable based on least access required. So by
-default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
+SELinux policy is customizable based on least access required. SElinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
.PP
httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
@@ -67,7 +66,7 @@
.EE
.PP
-httpd by default is not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
+SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
.EX
setsebool -P httpd_enable_homedirs 1
@@ -75,7 +74,7 @@
.EE
.PP
-httpd by default is not allowed access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
+SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
.EX
setsebool -P httpd_tty_comm 1
@@ -89,7 +88,7 @@
.EE
.PP
-httpd can be configured to turn on sending email. By default http is not allowed to send mail. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
+SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
.EX
setsebool -P httpd_can_sendmail 1
@@ -102,7 +101,7 @@
.EE
.PP
-httpd scripts by default are not allowed to connect out to the network.
+SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network.
This would prevent a hacker from breaking into you httpd server and attacking
other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/kerberos_selinux.8 serefpolicy-3.6.12/man/man8/kerberos_selinux.8
--- nsaserefpolicy/man/man8/kerberos_selinux.8 2009-03-05 09:22:34.000000000 -0500
+++ serefpolicy-3.6.12/man/man8/kerberos_selinux.8 2009-04-13 10:53:14.000000000 -0400
@@ -12,7 +12,7 @@
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access
-control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
+control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
.SH BOOLEANS
.PP
You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.12/man/man8/nfs_selinux.8
--- nsaserefpolicy/man/man8/nfs_selinux.8 2009-03-05 09:22:34.000000000 -0500
+++ serefpolicy-3.6.12/man/man8/nfs_selinux.8 2009-04-13 10:49:43.000000000 -0400
@@ -6,7 +6,7 @@
Security Enhanced Linux secures the NFS server via flexible mandatory access
control.
.SH BOOLEANS
-SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
+SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
.TP
setsebool -P nfs_export_all_ro 1
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ypbind_selinux.8 serefpolicy-3.6.12/man/man8/ypbind_selinux.8
--- nsaserefpolicy/man/man8/ypbind_selinux.8 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.6.12/man/man8/ypbind_selinux.8 2009-04-13 10:54:03.000000000 -0400
@@ -4,7 +4,7 @@
.SH "DESCRIPTION"
Security-Enhanced Linux secures the system via flexible mandatory access
-control. By default NIS is not allowed, since it requires daemons to be allowed greater access to the network.
+control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network.
.SH BOOLEANS
.TP
You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.12/policy/global_tunables diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.12/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500 --- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500
+++ serefpolicy-3.6.12/policy/global_tunables 2009-04-07 16:01:44.000000000 -0400 +++ serefpolicy-3.6.12/policy/global_tunables 2009-04-07 16:01:44.000000000 -0400
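Review bot: the reworded boolean descriptions in this hunk introduce grammar errors and one dangling reference, and none of the man page edits are covered by the commit message ("Add fail2ban_var_lib_t", "Fixes for devicekit_power_t"). In httpd_selinux.8, "SELinux policy for httpd can be setup to not allowed to access users home directories" should read "SELinux policy can be configured to deny httpd access to users' home directories"; "SELinu policy" is missing its x; and deleting "By default http is not allowed to send mail." leaves "This is a security feature, since it would prevent..." with nothing for "This" to refer to. In ypbind_selinux.8, "SELinux can be setup deny NIS from working" is missing "to" ("can be set up to deny NIS"). While this text is being touched, the sendmail paragraph names the boolean httpd_send_mail while the example under it runs `setsebool -P httpd_can_sendmail 1`; the prose should use the same boolean name as the command.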
@ -5413,7 +5495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-04-07 16:01:44.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-04-13 08:28:24.000000000 -0400
@@ -1197,6 +1197,26 @@ @@ -1197,6 +1197,26 @@
') ')
@ -9163,7 +9245,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.12/policy/modules/services/bind.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.12/policy/modules/services/bind.fc
--- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500 --- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/bind.fc 2009-04-07 16:01:44.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/bind.fc 2009-04-13 10:45:45.000000000 -0400
@@ -1,17 +1,22 @@ @@ -1,17 +1,22 @@
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@ -9187,12 +9269,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_debian',` ifdef(`distro_debian',`
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
@@ -40,8 +45,8 @@ @@ -40,8 +45,12 @@
/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) /var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) /var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) /var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/var/named/chroot/proc(/.*)? <<none>> +/var/named/chroot/proc(/.*)? <<none>>
/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) /var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
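Review bot: `/var/named/chroot/etc/named\.rfc1912.zones` leaves the dot before `zones` unescaped while the other three new entries escape theirs; file_contexts entries are regular expressions, so write `named\.rfc1912\.zones`. Also check what the four new entries buy: with `/var/named/chroot/etc(/.*)?` already removed, these files fall through to the `/var/named/chroot(/.*)?` entry two lines above, which also yields named_conf_t, so the additions look redundant unless a different type was intended for them.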
@ -11327,7 +11413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-04-07 16:01:44.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-04-13 10:31:12.000000000 -0400
@@ -44,6 +44,7 @@ @@ -44,6 +44,7 @@
attribute session_bus_type; attribute session_bus_type;
@ -11362,16 +11448,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files($1_dbusd_t) files_read_etc_files($1_dbusd_t)
files_list_home($1_dbusd_t) files_list_home($1_dbusd_t)
@@ -145,6 +147,8 @@ @@ -145,7 +147,10 @@
seutil_read_config($1_dbusd_t) seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t)
+ term_use_all_terms($1_dbusd_t) + term_use_all_terms($1_dbusd_t)
+ +
userdom_read_user_home_content_files($1_dbusd_t) userdom_read_user_home_content_files($1_dbusd_t)
+ userdom_dontaudit_search_admin_dir($1_dbusd_t)
ifdef(`hide_broken_symptoms', ` ifdef(`hide_broken_symptoms', `
@@ -160,6 +164,10 @@ dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
@@ -160,6 +165,10 @@
') ')
optional_policy(` optional_policy(`
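Review bot: `userdom_dontaudit_search_admin_dir($1_dbusd_t)` calls an interface that the userdomain.if changes visible in this commit do not define; if it is not already present in the base patch, every module that instantiates this template fails to build on an undefined macro. A dontaudit also hides the denial rather than explaining it, so a one-line comment on why a user's session bus searches the admin home directory would help the next reader decide whether the rule is still needed.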
@ -11382,7 +11470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hal_dbus_chat($1_dbusd_t) hal_dbus_chat($1_dbusd_t)
') ')
@@ -185,10 +193,12 @@ @@ -185,10 +194,12 @@
type system_dbusd_t, system_dbusd_t; type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg; class dbus send_msg;
@ -11396,7 +11484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1) files_search_var_lib($1)
@@ -197,6 +207,10 @@ @@ -197,6 +208,10 @@
files_search_pids($1) files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($1) dbus_read_config($1)
@ -11407,7 +11495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
####################################### #######################################
@@ -244,6 +258,35 @@ @@ -244,6 +259,35 @@
######################################## ########################################
## <summary> ## <summary>
@ -11443,7 +11531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read dbus configuration. ## Read dbus configuration.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -318,3 +361,77 @@ @@ -318,3 +362,79 @@
allow $1 system_dbusd_t:dbus *; allow $1 system_dbusd_t:dbus *;
') ')
@ -11501,6 +11589,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ifdef(`hide_broken_symptoms', ` + ifdef(`hide_broken_symptoms', `
+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; + dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+ '); + ');
+
+ userdom_dontaudit_search_admin_dir($1)
+') +')
+ +
+######################################## +########################################
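Review bot: `userdom_dontaudit_search_admin_dir($1)` here is applied to `$1`, that is to every caller of this system-bus client interface, which is much wider than the per-session `$1_dbusd_t` rule added earlier in the patch. If only one or two client domains actually hit the denial, the dontaudit belongs in their own .te files; a blanket dontaudit across all bus clients will also mask future misconfigurations in those domains.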
@ -11894,8 +11984,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-04-11 08:02:27.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-04-13 08:28:53.000000000 -0400
@@ -0,0 +1,235 @@ @@ -0,0 +1,237 @@
+policy_module(devicekit,1.0.0) +policy_module(devicekit,1.0.0)
+ +
+######################################## +########################################
@ -11960,6 +12050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) +files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
+files_read_kernel_img(devicekit_power_t)
+ +
+corecmd_exec_bin(devicekit_power_t) +corecmd_exec_bin(devicekit_power_t)
+corecmd_exec_shell(devicekit_power_t) +corecmd_exec_shell(devicekit_power_t)
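Review bot: `files_read_kernel_img(devicekit_power_t)` lets the power daemon read kernel images under /boot, which is not something a device-power daemon obviously needs, and the commit message ("Fixes for devicekit_power_t") does not say which denial prompted it. Add a comment next to the rule naming the operation that requires it, so the grant can be re-examined later instead of being carried forward as an unexplained permission.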
@ -11968,9 +12059,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+domain_read_all_domains_state(devicekit_power_t) +domain_read_all_domains_state(devicekit_power_t)
+ +
+kernel_read_network_state(devicekit_power_t)
+kernel_read_system_state(devicekit_power_t) +kernel_read_system_state(devicekit_power_t)
+kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_rw_hotplug_sysctls(devicekit_power_t) +kernel_rw_hotplug_sysctls(devicekit_power_t)
+kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_write_proc_files(devicekit_power_t) +kernel_write_proc_files(devicekit_power_t)
+ +
+dev_rw_generic_usb_dev(devicekit_power_t) +dev_rw_generic_usb_dev(devicekit_power_t)
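Review bot: the only functional change in this hunk is the new `kernel_read_network_state(devicekit_power_t)`; `kernel_rw_kernel_sysctl` is deleted and re-added two lines lower purely to restore alphabetical order, which makes the diff read as two changes. Keep the reorder out of a functional commit, or say so, and add a comment explaining why a power daemon needs to read kernel network state, as with the kernel image access above.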
@ -12761,10 +12853,62 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ spamassassin_exec(exim_t) + spamassassin_exec(exim_t)
+ spamassassin_exec_client(exim_t) + spamassassin_exec_client(exim_t)
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.6.12/policy/modules/services/fail2ban.fc
--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2008-10-08 19:00:27.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/fail2ban.fc 2009-04-13 08:03:31.000000000 -0400
@@ -2,5 +2,9 @@
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
+
/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+
+
/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.12/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/fail2ban.if 2009-04-13 08:04:42.000000000 -0400
@@ -20,6 +20,25 @@
########################################
## <summary>
+## Read fail2ban lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_read_lib_files',`
+ gen_require(`
+ type fail2ban_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 fail2ban_var_lib_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Allow the specified domain to read fail2ban's log files.
## </summary>
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.12/policy/modules/services/fail2ban.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.12/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/fail2ban.te 2009-04-07 16:01:44.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/fail2ban.te 2009-04-13 08:09:29.000000000 -0400
@@ -26,6 +26,7 @@ @@ -17,6 +17,9 @@
type fail2ban_log_t;
logging_log_file(fail2ban_log_t)
+type fail2ban_var_lib_t;
+files_type(fail2ban_var_lib_t)
+
# pid files
type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t)
@@ -26,6 +29,7 @@
# fail2ban local policy # fail2ban local policy
# #
@ -12772,6 +12916,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow fail2ban_t self:process signal; allow fail2ban_t self:process signal;
allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -36,6 +40,10 @@
manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })
+
# pid file
manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/ftp.te 2009-04-07 16:01:44.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/ftp.te 2009-04-07 16:01:44.000000000 -0400
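Review bot: `fail2ban_read_lib_files` in fail2ban.if grants too little to work. It calls `files_search_pids($1)`, but the new type is labelled on `/var/lib/fail2ban(/.*)?` per fail2ban.fc, so the caller needs `files_search_var_lib($1)` to reach it; and `allow $1 fail2ban_var_lib_t:file read_file_perms;` gives no `dir` search on fail2ban_var_lib_t itself, so the caller still cannot traverse /var/lib/fail2ban to open the files. Replace the two lines with

    files_search_var_lib($1)
    read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)

which covers both the directory search and the file read. The two empty lines added to fail2ban.fc after the log entry are stray whitespace.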
@ -17475,7 +17630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500 --- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-07 16:01:44.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-13 11:44:30.000000000 -0400
@@ -6,6 +6,15 @@ @@ -6,6 +6,15 @@
# Declarations # Declarations
# #
@ -19215,6 +19370,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_search_user_home_dirs(pyzor_t) userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(` optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.12/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2008-11-11 16:13:45.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/razor.fc 2009-04-13 10:23:30.000000000 -0400
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.12/policy/modules/services/razor.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.12/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/razor.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/razor.if 2009-04-07 16:01:44.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/razor.if 2009-04-07 16:01:44.000000000 -0400
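Review bot: `/root/\.razor(/.*)?` puts the per-user razor_home_t type on content in the administrator's home, so every domain allowed to manage razor_home_t can now create and write files under /root. Explicit /root entries are the usual refpolicy pattern for root dotfiles, but confirm that the razor domains' write access is acceptable there, and mention the razor change in the commit message.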
@ -20495,7 +20658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.te 2009-04-07 16:01:44.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/sendmail.te 2009-04-13 11:43:41.000000000 -0400
@@ -20,13 +20,17 @@ @@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t) mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t) mta_mailserver_sender(sendmail_t)
@ -20555,7 +20718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(sendmail_t) auth_use_nsswitch(sendmail_t)
@@ -89,23 +100,38 @@ @@ -89,23 +100,42 @@
libs_read_lib_files(sendmail_t) libs_read_lib_files(sendmail_t)
logging_send_syslog_msg(sendmail_t) logging_send_syslog_msg(sendmail_t)
@ -20592,11 +20755,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
+ +
+optional_policy(` +optional_policy(`
+ fail2ban_read_lib_files(sendmail_t)
+')
+
+optional_policy(`
+ kerberos_keytab_template(sendmail, sendmail_t) + kerberos_keytab_template(sendmail, sendmail_t)
') ')
optional_policy(` optional_policy(`
@@ -113,13 +139,19 @@ @@ -113,13 +143,19 @@
') ')
optional_policy(` optional_policy(`
@ -20617,7 +20784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -127,24 +159,29 @@ @@ -127,24 +163,29 @@
') ')
optional_policy(` optional_policy(`
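Review bot: `fail2ban_read_lib_files(sendmail_t)` is added without any hint of which sendmail operation needs fail2ban's /var/lib state; a comment would help. It is also redundant with the later init.te hunk in this same patch, which calls `fail2ban_read_lib_files(daemon)` for every daemon domain, sendmail_t included if it is registered through init_daemon_domain; keep one of the two, preferably this narrow one.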
@ -22083,8 +22250,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-07 16:01:44.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/sssd.te 2009-04-14 06:59:02.000000000 -0400
@@ -0,0 +1,68 @@ @@ -0,0 +1,70 @@
+policy_module(sssd,1.0.0) +policy_module(sssd,1.0.0)
+ +
+######################################## +########################################
@ -22143,6 +22310,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_read_usr_files(sssd_t) +files_read_usr_files(sssd_t)
+ +
+auth_use_nsswitch(sssd_t) +auth_use_nsswitch(sssd_t)
+auth_domtrans_chk_passwd(sssd_t)
+auth_domtrans_upd_passwd(sssd_t)
+ +
+logging_send_syslog_msg(sssd_t) +logging_send_syslog_msg(sssd_t)
+logging_send_audit_msgs(sssd_t) +logging_send_audit_msgs(sssd_t)
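Review bot: `auth_domtrans_chk_passwd(sssd_t)` and `auth_domtrans_upd_passwd(sssd_t)` let sssd run the password-check and password-update helpers, which read and modify the shadow database in their own domains. For a freshly added module that is a significant grant and it is not mentioned in the commit message; a short comment stating the use case that needs it would make the intent reviewable.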
@ -24897,7 +25066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# #
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-09 10:06:45.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-13 10:35:22.000000000 -0400
@@ -280,6 +280,29 @@ @@ -280,6 +280,29 @@
kernel_dontaudit_use_fds($1) kernel_dontaudit_use_fds($1)
') ')
@ -25089,7 +25258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-09 10:19:55.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-13 08:06:15.000000000 -0400
@@ -17,6 +17,20 @@ @@ -17,6 +17,20 @@
## </desc> ## </desc>
gen_tunable(init_upstart,false) gen_tunable(init_upstart,false)
@ -25426,7 +25595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
vmware_read_system_config(initrc_t) vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t) vmware_append_system_config(initrc_t)
') ')
@@ -790,3 +877,21 @@ @@ -790,3 +877,25 @@
optional_policy(` optional_policy(`
zebra_read_config(initrc_t) zebra_read_config(initrc_t)
') ')
@ -25448,6 +25617,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
+ +
+init_rw_script_stream_sockets(daemon) +init_rw_script_stream_sockets(daemon)
+
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-04-06 12:42:08.000000000 -0400 --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-04-06 12:42:08.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-04-07 16:01:44.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-04-07 16:01:44.000000000 -0400
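Review bot: `fail2ban_read_lib_files(daemon)` hands read access to fail2ban's state directory to every domain carrying the `daemon` attribute, the opposite of the least-access approach the man pages in this same patch describe. Only the domains that actually raise the denial should receive the interface; the sendmail_t grant earlier in the patch already covers the one visible case, so this line should be dropped or narrowed.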
@ -28678,7 +28851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-11 07:13:54.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-13 10:33:55.000000000 -0400
@@ -30,8 +30,9 @@ @@ -30,8 +30,9 @@
') ')
@ -29115,7 +29288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
############################## ##############################
# #
@@ -512,189 +518,199 @@ @@ -512,189 +518,200 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@ -29284,6 +29457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
- hal_dbus_chat($1_t) - hal_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_power_dbus_chat($1_usertype) + devicekit_power_dbus_chat($1_usertype)
+ devicekit_disk_dbus_chat($1_usertype) + devicekit_disk_dbus_chat($1_usertype)
') ')
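Review bot: replacing `hal_dbus_chat($1_t)` with the three devicekit `*_dbus_chat($1_usertype)` calls also widens the subject from the single `$1_t` type to the `$1_usertype` attribute, so every type carrying that attribute, not just the base user domain, may now exchange D-Bus messages with the devicekit daemons; if that widening is intentional it deserves a one-line comment, and if not, keep `$1_t` for the new calls. The enclosing optional_policy block is the only guard visible here, so confirm it is conditioned on the devicekit module rather than on hal, otherwise builds without devicekit will fail to link these interfaces.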
@ -29396,7 +29570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
####################################### #######################################
@@ -722,13 +738,26 @@ @@ -722,13 +739,26 @@
userdom_base_user_template($1) userdom_base_user_template($1)
@ -29428,7 +29602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_change_password_template($1) userdom_change_password_template($1)
@@ -746,70 +775,71 @@ @@ -746,70 +776,71 @@
allow $1_t self:context contains; allow $1_t self:context contains;
@ -29533,7 +29707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -846,6 +876,28 @@ @@ -846,6 +877,28 @@
# Local policy # Local policy
# #
@ -29562,7 +29736,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
loadkeys_run($1_t,$1_r) loadkeys_run($1_t,$1_r)
') ')
@@ -876,7 +928,7 @@ @@ -876,7 +929,7 @@
userdom_restricted_user_template($1) userdom_restricted_user_template($1)
@ -29571,7 +29745,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
############################## ##############################
# #
@@ -884,14 +936,19 @@ @@ -884,14 +937,19 @@
# #
auth_role($1_r, $1_t) auth_role($1_r, $1_t)
@ -29596,7 +29770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_dontaudit_send_audit_msgs($1_t) logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain # Need to to this just so screensaver will work. Should be moved to screensaver domain
@@ -899,28 +956,33 @@ @@ -899,28 +957,33 @@
selinux_get_enforce_mode($1_t) selinux_get_enforce_mode($1_t)
optional_policy(` optional_policy(`
@ -29637,7 +29811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -954,8 +1016,8 @@ @@ -954,8 +1017,8 @@
# Declarations # Declarations
# #
@ -29647,7 +29821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1) userdom_common_user_template($1)
############################## ##############################
@@ -964,11 +1026,12 @@ @@ -964,11 +1027,12 @@
# #
# port access is audited even if dac would not have allowed it, so dontaudit it here # port access is audited even if dac would not have allowed it, so dontaudit it here
@ -29662,7 +29836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why? # cjp: why?
files_read_kernel_symbol_table($1_t) files_read_kernel_symbol_table($1_t)
@@ -986,37 +1049,47 @@ @@ -986,37 +1050,47 @@
') ')
') ')
@ -29724,7 +29898,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
####################################### #######################################
@@ -1050,7 +1123,7 @@ @@ -1050,7 +1124,7 @@
# #
template(`userdom_admin_user_template',` template(`userdom_admin_user_template',`
gen_require(` gen_require(`
@ -29733,7 +29907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
############################## ##############################
@@ -1059,8 +1132,7 @@ @@ -1059,8 +1133,7 @@
# #
# Inherit rules for ordinary users. # Inherit rules for ordinary users.
@ -29743,7 +29917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t) domain_obj_id_change_exemption($1_t)
role system_r types $1_t; role system_r types $1_t;
@@ -1083,7 +1155,8 @@ @@ -1083,7 +1156,8 @@
# Skip authentication when pam_rootok is specified. # Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok; allow $1_t self:passwd rootok;
@ -29753,7 +29927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t) kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t) kernel_getattr_core_if($1_t)
@@ -1099,6 +1172,7 @@ @@ -1099,6 +1173,7 @@
kernel_sigstop_unlabeled($1_t) kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t) kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t) kernel_sigchld_unlabeled($1_t)
@ -29761,7 +29935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t) corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels # allow setting up tunnels
@@ -1106,8 +1180,6 @@ @@ -1106,8 +1181,6 @@
dev_getattr_generic_blk_files($1_t) dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t) dev_getattr_generic_chr_files($1_t)
@ -29770,7 +29944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work # Allow MAKEDEV to work
dev_create_all_blk_files($1_t) dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t) dev_create_all_chr_files($1_t)
@@ -1162,20 +1234,6 @@ @@ -1162,20 +1235,6 @@
# But presently necessary for installing the file_contexts file. # But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t) seutil_manage_bin_policy($1_t)
@ -29791,7 +29965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
postgresql_unconfined($1_t) postgresql_unconfined($1_t)
') ')
@@ -1221,6 +1279,7 @@ @@ -1221,6 +1280,7 @@
dev_relabel_all_dev_nodes($1) dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1) files_create_boot_flag($1)
@ -29799,7 +29973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi # Necessary for managing /boot/efi
fs_manage_dos_files($1) fs_manage_dos_files($1)
@@ -1286,11 +1345,15 @@ @@ -1286,11 +1346,15 @@
interface(`userdom_user_home_content',` interface(`userdom_user_home_content',`
gen_require(` gen_require(`
type user_home_t; type user_home_t;
@ -29815,7 +29989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1387,7 +1450,7 @@ @@ -1387,7 +1451,7 @@
######################################## ########################################
## <summary> ## <summary>
@ -29824,7 +29998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1420,6 +1483,14 @@ @@ -1420,6 +1484,14 @@
allow $1 user_home_dir_t:dir list_dir_perms; allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1) files_search_home($1)
@ -29839,7 +30013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1435,9 +1506,11 @@ @@ -1435,9 +1507,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(` gen_require(`
type user_home_dir_t; type user_home_dir_t;
@ -29851,7 +30025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1494,6 +1567,25 @@ @@ -1494,6 +1568,25 @@
allow $1 user_home_dir_t:dir relabelto; allow $1 user_home_dir_t:dir relabelto;
') ')
@ -29877,7 +30051,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################## ########################################
## <summary> ## <summary>
## Create directories in the home dir root with ## Create directories in the home dir root with
@@ -1568,6 +1660,8 @@ @@ -1568,6 +1661,8 @@
') ')
dontaudit $1 user_home_t:dir search_dir_perms; dontaudit $1 user_home_t:dir search_dir_perms;
@ -29886,7 +30060,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1643,6 +1737,7 @@ @@ -1643,6 +1738,7 @@
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
') ')
@ -29894,7 +30068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1) files_search_home($1)
') ')
@@ -1741,30 +1836,80 @@ @@ -1741,30 +1837,80 @@
######################################## ########################################
## <summary> ## <summary>
@ -29985,7 +30159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1787,6 +1932,46 @@ @@ -1787,6 +1933,46 @@
######################################## ########################################
## <summary> ## <summary>
@ -30032,7 +30206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete files ## Create, read, write, and delete files
## in a user home subdirectory. ## in a user home subdirectory.
## </summary> ## </summary>
@@ -1799,6 +1984,7 @@ @@ -1799,6 +1985,7 @@
interface(`userdom_manage_user_home_content_files',` interface(`userdom_manage_user_home_content_files',`
gen_require(` gen_require(`
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
@ -30040,7 +30214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
manage_files_pattern($1, user_home_t, user_home_t) manage_files_pattern($1, user_home_t, user_home_t)
@@ -2328,7 +2514,7 @@ @@ -2328,7 +2515,7 @@
######################################## ########################################
## <summary> ## <summary>
@ -30049,7 +30223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2814,7 +3000,25 @@ @@ -2814,7 +3001,25 @@
type user_tmp_t; type user_tmp_t;
') ')
@ -30076,7 +30250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -2851,6 +3055,7 @@ @@ -2851,6 +3056,7 @@
') ')
read_files_pattern($1,userdomain,userdomain) read_files_pattern($1,userdomain,userdomain)
@ -30084,7 +30258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1) kernel_search_proc($1)
') ')
@@ -2981,3 +3186,482 @@ @@ -2981,3 +3187,482 @@
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
') ')

View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.6.12 Version: 3.6.12
Release: 3%{?dist} Release: 4%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -440,6 +440,10 @@ exit 0
%endif %endif
%changelog %changelog
* Mon Apr 13 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-4
- Add fail2ban_var_lib_t
- Fixes for devicekit_power_t
* Thu Apr 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-3 * Thu Apr 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-3
- Separate out the ucnonfined user from the unconfined.pp package - Separate out the ucnonfined user from the unconfined.pp package
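Review bot: the 3.6.12-4 changelog entry understates the policy change: besides the devicekit_power_t fixes it names, the visible userdomain.if hunk adds `devicekit_dbus_chat` for the generic devicekit daemon and the init.te hunk grants `fail2ban_read_lib_files` to all daemons, both of which widen access and should be findable from the changelog by reviewers and downstream packagers; list them explicitly. The Release bump to 4%{?dist} does match the entry version.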