+## Allow all daemons the ability to use unallocated ttys +##
+##
## Allow mount to mount any file
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index bcedf95e..31f64c26 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -6,7 +6,9 @@
/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+#/sbin/grub-.* -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
+#/sbin/grubby -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index a01e35d9..fe747510 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,5 +1,5 @@
-policy_module(bootloader,1.2.6)
+policy_module(bootloader,1.2.7)
########################################
#
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index 7f91460c..d635ec29 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -1,5 +1,5 @@
-policy_module(readahead,1.2.1)
+policy_module(readahead,1.2.2)
########################################
#
@@ -52,6 +52,8 @@ fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
+mls_file_read_up(readahead_t)
+
term_dontaudit_use_console(readahead_t)
auth_dontaudit_read_shadow(readahead_t)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 65dfdd01..5bdfa083 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.1.16)
+policy_module(corenetwork,1.1.17)
########################################
#
@@ -82,7 +82,7 @@ network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
network_port(giftd, tcp,1213,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 61d1524b..14336445 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -20,7 +20,7 @@ ifdef(`distro_redhat',`
')
ifdef(`distro_suse',`
-/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
#
@@ -49,7 +49,7 @@ ifdef(`distro_suse',`
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
@@ -58,7 +58,7 @@ ifdef(`distro_suse',`
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/reader.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/smartd\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index e35bab1d..a1f2e79a 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.18)
+policy_module(files,1.2.19)
########################################
#
@@ -58,6 +58,8 @@ files_type(etc_t)
#
type etc_runtime_t;
files_type(etc_runtime_t)
+#Temporarily in policy until FC5 dissappears
+typealias etc_runtime_t alias firstboot_rw_t;
#
# file_t is the default type of a file that has not yet been
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index c704c3f4..ae9c9f6d 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -455,7 +455,7 @@ interface(`fs_register_binary_executable_type',`
')
allow $1 binfmt_misc_fs_t:dir { getattr search };
- allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
+ allow $1 binfmt_misc_fs_t:file { getattr ioctl write read };
')
########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index dab24512..402fbb11 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.15)
+policy_module(filesystem,1.3.16)
########################################
#
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 02fdd40e..47131190 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind,1.1.9)
+policy_module(bind,1.1.10)
########################################
#
@@ -223,6 +223,7 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
allow ndc_t named_t:unix_stream_socket connectto;
allow ndc_t named_conf_t:file { getattr read };
+allow ndc_t named_conf_t:lnk_file { getattr read };
allow ndc_t named_var_run_t:sock_file rw_file_perms;
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
index 00f919a5..a950c32a 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -10,6 +10,7 @@
/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 71c5ea73..fe25a509 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.3.13)
+policy_module(cron,1.3.14)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index bc7634ea..6c9faa13 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.3.13)
+policy_module(hal,1.3.14)
########################################
#
@@ -111,6 +111,10 @@ storage_raw_write_removable_device(hald_t)
storage_raw_read_fixed_disk(hald_t)
storage_raw_write_fixed_disk(hald_t)
+# hal_probe_serial causes these
+term_setattr_unallocated_ttys(hald_t)
+term_dontaudit_use_unallocated_ttys(hald_t)
+
auth_use_nsswitch(hald_t)
init_use_fds(hald_t)
@@ -144,8 +148,6 @@ userdom_dontaudit_search_sysadm_home_dirs(hald_t)
ifdef(`targeted_policy',`
term_dontaudit_use_console(hald_t)
- term_setattr_unallocated_ttys(hald_t)
- term_dontaudit_use_unallocated_ttys(hald_t)
term_dontaudit_use_generic_ptys(hald_t)
files_dontaudit_read_root_files(hald_t)
')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 6b157e7d..3b179f51 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.3.8)
+policy_module(networkmanager,1.3.9)
########################################
#
@@ -163,6 +163,7 @@ optional_policy(`
optional_policy(`
ppp_domtrans(NetworkManager_t)
ppp_read_pid_files(NetworkManager_t)
+ ppp_signal(NetworkManager_t)
')
optional_policy(`
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index a073fdfc..8edef140 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd,1.2.8)
+policy_module(nscd,1.2.9)
gen_require(`
class nscd all_nscd_perms;
@@ -89,6 +89,8 @@ domain_use_interactive_fds(nscd_t)
files_read_etc_files(nscd_t)
files_read_generic_tmp_symlinks(nscd_t)
+# Needed to read files created by firstboot "/etc/hesiod.conf"
+files_read_etc_runtime_files(nscd_t)
init_use_fds(nscd_t)
init_use_script_ptys(nscd_t)
diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
index 696b5c5b..3ca65e40 100644
--- a/policy/modules/services/postfix.fc
+++ b/policy/modules/services/postfix.fc
@@ -22,6 +22,7 @@ ifdef(`distro_redhat', `
/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 60a5f71e..fb89cafd 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.2.13)
+policy_module(postfix,1.2.14)
########################################
#
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 038743aa..e24bb9dd 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh,1.3.12)
+policy_module(ssh,1.3.13)
########################################
#
@@ -71,12 +71,15 @@ ifdef(`targeted_policy',`
ifdef(`strict_policy',`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow sshd_t self:key { search link write };
allow sshd_t sshd_tmp_t:dir create_dir_perms;
allow sshd_t sshd_tmp_t:file create_file_perms;
allow sshd_t sshd_tmp_t:sock_file create_file_perms;
files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+ kernel_link_key(sshd_t)
+
# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 435b60cd..22554b4d 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -63,8 +63,11 @@ interface(`init_daemon_domain',`
attribute direct_run_init, direct_init, direct_init_entry;
type initrc_t;
role system_r;
+ attribute daemon;
')
+ typeattribute $1 daemon;
+
domain_type($1)
domain_entry_file($1,$2)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b95fa3d4..f6518ec2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.25)
+policy_module(init,1.3.26)
gen_require(`
class passwd rootok;
@@ -16,6 +16,9 @@ attribute direct_run_init;
attribute direct_init;
attribute direct_init_entry;
+# Mark process types as daemons
+attribute daemon;
+
#
# init_t is the domain of the init process.
#
@@ -206,6 +209,7 @@ optional_policy(`
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability ~{ sys_admin sys_module };
+dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
# Allow IPC with self
@@ -513,6 +517,11 @@ ifdef(`targeted_policy',`
optional_policy(`
mono_domtrans(initrc_t)
')
+
+ tunable_policy(`allow_daemons_use_tty',`
+ term_use_unallocated_ttys(daemon)
+ term_use_generic_ptys(daemon)
+ ')
',`
# cjp: require doesnt work in the else of optionals :\
# this also would result in a type transition
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index ee6a7d24..c172aec0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.11)
+policy_module(logging,1.3.12)
########################################
#
@@ -161,6 +161,7 @@ libs_use_shared_libs(auditd_t)
miscfiles_read_localization(auditd_t)
mls_file_read_up(auditd_t)
+mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
mls_rangetrans_target(auditd_t)
seutil_dontaudit_read_config(auditd_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 20b73568..591e191f 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev,1.3.5)
+policy_module(udev,1.3.6)
########################################
#
@@ -92,6 +92,7 @@ dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
domain_read_all_domains_state(udev_t)
+domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d0cd6e1b..e98a911d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4317,6 +4317,7 @@ interface(`userdom_dontaudit_read_sysadm_home_content_files',`
')
dontaudit $1 user_home_dir_t:dir search_dir_perms;
+ dontaudit $1 user_home_t:dir search_dir_perms;
dontaudit $1 user_home_t:file r_file_perms;
',`
gen_require(`
@@ -4324,7 +4325,8 @@ interface(`userdom_dontaudit_read_sysadm_home_content_files',`
')
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
- dontaudit $1 sysadm_home_t:dir r_file_perms;
+ dontaudit $1 sysadm_home_t:dir search_dir_perms;
+ dontaudit $1 sysadm_home_t:file r_file_perms;
')
')
@@ -5121,6 +5123,28 @@ interface(`userdom_write_unpriv_users_tmp_files',`
allow $1 user_tmpfile:file { getattr write append };
')
+########################################
+##