- Allow NetworkManager to read inotifyfs

This commit is contained in:
Daniel J Walsh 2009-06-11 21:26:42 +00:00
parent aa7b9cbc5e
commit 6b838056a8
2 changed files with 161 additions and 103 deletions

View File

@ -5325,7 +5325,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.14/policy/modules/kernel/devices.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.14/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-06-08 15:22:17.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-06-08 15:22:17.000000000 -0400
+++ serefpolicy-3.6.14/policy/modules/kernel/devices.if 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/kernel/devices.if 2009-06-11 08:31:29.000000000 -0400
@@ -1655,6 +1655,78 @@ @@ -1655,6 +1655,78 @@
######################################## ########################################
@ -5780,7 +5780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <<none>> /var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.14/policy/modules/kernel/files.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.14/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.14/policy/modules/kernel/files.if 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/kernel/files.if 2009-06-11 11:53:08.000000000 -0400
@@ -110,6 +110,11 @@ @@ -110,6 +110,11 @@
## </param> ## </param>
# #
@ -5855,10 +5855,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Mount a filesystem on a directory with the default file type. ## Mount a filesystem on a directory with the default file type.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1915,6 +1957,26 @@ @@ -1911,6 +1953,27 @@
allow $1 etc_t:dir list_dir_perms;
######################################## read_files_pattern($1, etc_t, etc_t)
## <summary> read_lnk_files_pattern($1, etc_t, etc_t)
+ files_read_etc_runtime_files($1)
+')
+
+########################################
+## <summary>
+## Read config files in /etc. +## Read config files in /etc.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
@ -5875,14 +5880,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 etcfile:dir list_dir_perms; + allow $1 etcfile:dir list_dir_perms;
+ read_files_pattern($1, etcfile, etcfile) + read_files_pattern($1, etcfile, etcfile)
+ read_lnk_files_pattern($1, etcfile, etcfile) + read_lnk_files_pattern($1, etcfile, etcfile)
+') ')
+
+######################################## ########################################
+## <summary> @@ -2250,6 +2313,49 @@
## Do not audit attempts to write generic files in /etc.
## </summary>
## <param name="domain">
@@ -2250,6 +2312,49 @@
######################################## ########################################
## <summary> ## <summary>
@ -5932,7 +5933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to search directories on new filesystems ## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled. ## that have not yet been labeled.
## </summary> ## </summary>
@@ -2820,6 +2925,7 @@ @@ -2820,6 +2926,7 @@
') ')
allow $1 modules_object_t:dir search_dir_perms; allow $1 modules_object_t:dir search_dir_perms;
@ -5940,7 +5941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -3390,6 +3496,24 @@ @@ -3390,6 +3497,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -5965,7 +5966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read all tmp files. ## Read all tmp files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3456,6 +3580,8 @@ @@ -3456,6 +3581,8 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile)
@ -5974,7 +5975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -3546,7 +3672,7 @@ @@ -3546,7 +3673,7 @@
type usr_t; type usr_t;
') ')
@ -5983,7 +5984,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -3564,7 +3690,12 @@ @@ -3564,7 +3691,12 @@
type usr_t; type usr_t;
') ')
@ -5997,7 +5998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -4413,6 +4544,28 @@ @@ -4413,6 +4545,28 @@
######################################## ########################################
## <summary> ## <summary>
@ -6026,7 +6027,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create an object in the locks directory, with a private ## Create an object in the locks directory, with a private
## type using a type transition. ## type using a type transition.
## </summary> ## </summary>
@@ -4532,7 +4685,8 @@ @@ -4532,7 +4686,8 @@
type var_t, var_run_t; type var_t, var_run_t;
') ')
@ -6036,7 +6037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -4873,7 +5027,7 @@ @@ -4873,7 +5028,7 @@
selinux_compute_member($1) selinux_compute_member($1)
# Need sys_admin capability for mounting # Need sys_admin capability for mounting
@ -6045,7 +6046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Need to give access to the directories to be polyinstantiated # Need to give access to the directories to be polyinstantiated
allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
@@ -4895,12 +5049,15 @@ @@ -4895,12 +5050,15 @@
allow $1 poly_t:dir { create mounton }; allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1) fs_unmount_xattr_fs($1)
@ -6062,7 +6063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -4921,3 +5078,173 @@ @@ -4921,3 +5079,173 @@
typeattribute $1 files_unconfined_type; typeattribute $1 files_unconfined_type;
') ')
@ -6611,7 +6612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.14/policy/modules/kernel/terminal.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.14/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500 --- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500
+++ serefpolicy-3.6.14/policy/modules/kernel/terminal.if 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/kernel/terminal.if 2009-06-11 10:02:52.000000000 -0400
@@ -173,7 +173,7 @@ @@ -173,7 +173,7 @@
dev_list_all_dev_nodes($1) dev_list_all_dev_nodes($1)
@ -6657,6 +6658,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## ioctl of generic pty devices. ## ioctl of generic pty devices.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -552,6 +571,25 @@
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
')
+#######################################
+## <summary>
+## Set the attributes of the tty device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_setattr_controlling_term',`
+ gen_require(`
+ type devtty_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devtty_t:chr_file setattr;
+')
+
########################################
## <summary>
## Read and write the controlling
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.14/policy/modules/roles/guest.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.14/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te 2009-04-06 12:42:08.000000000 -0400 --- nsaserefpolicy/policy/modules/roles/guest.te 2009-04-06 12:42:08.000000000 -0400
+++ serefpolicy-3.6.14/policy/modules/roles/guest.te 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/roles/guest.te 2009-06-08 21:43:15.000000000 -0400
@ -10170,7 +10197,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.14/policy/modules/services/avahi.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.14/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2009-03-23 13:47:11.000000000 -0400 --- nsaserefpolicy/policy/modules/services/avahi.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.14/policy/modules/services/avahi.te 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/services/avahi.te 2009-06-11 08:36:56.000000000 -0400
@@ -33,6 +33,7 @@ @@ -33,6 +33,7 @@
allow avahi_t self:tcp_socket create_stream_socket_perms; allow avahi_t self:tcp_socket create_stream_socket_perms;
allow avahi_t self:udp_socket create_socket_perms; allow avahi_t self:udp_socket create_socket_perms;
@ -12318,7 +12345,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.14/policy/modules/services/dbus.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.14/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.14/policy/modules/services/dbus.te 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/services/dbus.te 2009-06-11 11:10:09.000000000 -0400
@@ -9,14 +9,15 @@ @@ -9,14 +9,15 @@
# #
# Delcarations # Delcarations
@ -12382,15 +12409,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
@@ -75,6 +92,7 @@ @@ -73,8 +90,10 @@
dev_read_urand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
+fs_list_inotifyfs(system_dbusd_t)
fs_getattr_all_fs(system_dbusd_t) fs_getattr_all_fs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t)
+fs_dontaudit_list_nfs(system_dbusd_t) +fs_dontaudit_list_nfs(system_dbusd_t)
selinux_get_fs_mount(system_dbusd_t) selinux_get_fs_mount(system_dbusd_t)
selinux_validate_context(system_dbusd_t) selinux_validate_context(system_dbusd_t)
@@ -91,9 +109,9 @@ @@ -91,9 +110,9 @@
corecmd_list_bin(system_dbusd_t) corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t) corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t) corecmd_read_bin_sockets(system_dbusd_t)
@ -12401,7 +12431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(system_dbusd_t) files_read_etc_files(system_dbusd_t)
files_list_home(system_dbusd_t) files_list_home(system_dbusd_t)
@@ -101,6 +119,8 @@ @@ -101,6 +120,8 @@
init_use_fds(system_dbusd_t) init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t) init_use_script_ptys(system_dbusd_t)
@ -12410,7 +12440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_audit_msgs(system_dbusd_t) logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t)
@@ -128,9 +148,38 @@ @@ -128,9 +149,38 @@
') ')
optional_policy(` optional_policy(`
@ -12706,8 +12736,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.14/policy/modules/services/devicekit.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.14/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.14/policy/modules/services/devicekit.te 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/services/devicekit.te 2009-06-11 08:32:14.000000000 -0400
@@ -0,0 +1,233 @@ @@ -0,0 +1,234 @@
+policy_module(devicekit,1.0.0) +policy_module(devicekit,1.0.0)
+ +
+######################################## +########################################
@ -12785,6 +12815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+kernel_rw_kernel_sysctl(devicekit_power_t) +kernel_rw_kernel_sysctl(devicekit_power_t)
+kernel_write_proc_files(devicekit_power_t) +kernel_write_proc_files(devicekit_power_t)
+ +
+dev_read_input(devicekit_power_t)
+dev_rw_generic_usb_dev(devicekit_power_t) +dev_rw_generic_usb_dev(devicekit_power_t)
+dev_rw_netcontrol(devicekit_power_t) +dev_rw_netcontrol(devicekit_power_t)
+dev_rw_sysfs(devicekit_power_t) +dev_rw_sysfs(devicekit_power_t)
@ -13511,8 +13542,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.14/policy/modules/services/fprintd.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.14/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.14/policy/modules/services/fprintd.te 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/services/fprintd.te 2009-06-11 09:53:33.000000000 -0400
@@ -0,0 +1,52 @@ @@ -0,0 +1,54 @@
+policy_module(fprintd,1.0.0) +policy_module(fprintd,1.0.0)
+ +
+######################################## +########################################
@ -13544,6 +13575,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_read_etc_files(fprintd_t) +files_read_etc_files(fprintd_t)
+files_read_usr_files(fprintd_t) +files_read_usr_files(fprintd_t)
+ +
+fs_list_inotifyfs(fprintd_t)
+
+kernel_read_system_state(fprintd_t) +kernel_read_system_state(fprintd_t)
+ +
+auth_use_nsswitch(fprintd_t) +auth_use_nsswitch(fprintd_t)
@ -14373,7 +14406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.14/policy/modules/services/kerneloops.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.14/policy/modules/services/kerneloops.te
--- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.14/policy/modules/services/kerneloops.te 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/services/kerneloops.te 2009-06-11 09:54:27.000000000 -0400
@@ -13,6 +13,9 @@ @@ -13,6 +13,9 @@
type kerneloops_initrc_exec_t; type kerneloops_initrc_exec_t;
init_script_file(kerneloops_initrc_exec_t) init_script_file(kerneloops_initrc_exec_t)
@ -14395,10 +14428,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_ring_buffer(kerneloops_t) kernel_read_ring_buffer(kerneloops_t)
@@ -38,14 +43,13 @@ @@ -38,14 +43,15 @@
files_read_etc_files(kerneloops_t) files_read_etc_files(kerneloops_t)
+fs_list_inotifyfs(kerneloops_t)
+
+auth_use_nsswitch(kerneloops_t) +auth_use_nsswitch(kerneloops_t)
+ +
logging_send_syslog_msg(kerneloops_t) logging_send_syslog_msg(kerneloops_t)
@ -15516,7 +15551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.14/policy/modules/services/networkmanager.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.14/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500 --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.14/policy/modules/services/networkmanager.te 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/services/networkmanager.te 2009-06-11 08:40:45.000000000 -0400
@@ -19,6 +19,9 @@ @@ -19,6 +19,9 @@
type NetworkManager_tmp_t; type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t) files_tmp_file(NetworkManager_tmp_t)
@ -15561,7 +15596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t)
@@ -81,10 +88,14 @@ @@ -81,13 +88,18 @@
corenet_sendrecv_isakmp_server_packets(NetworkManager_t) corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_sendrecv_all_client_packets(NetworkManager_t) corenet_sendrecv_all_client_packets(NetworkManager_t)
@ -15576,7 +15611,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(NetworkManager_t) fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t)
@@ -98,15 +109,19 @@ +fs_list_inotifyfs(NetworkManager_t)
mls_file_read_all_levels(NetworkManager_t)
@@ -98,15 +110,19 @@
domain_use_interactive_fds(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t)
domain_read_confined_domains_state(NetworkManager_t) domain_read_confined_domains_state(NetworkManager_t)
@ -15597,7 +15636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(NetworkManager_t) logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t) miscfiles_read_localization(NetworkManager_t)
@@ -116,25 +131,40 @@ @@ -116,25 +132,40 @@
seutil_read_config(NetworkManager_t) seutil_read_config(NetworkManager_t)
@ -15645,7 +15684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -146,8 +176,25 @@ @@ -146,8 +177,25 @@
') ')
optional_policy(` optional_policy(`
@ -15673,7 +15712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -155,23 +202,50 @@ @@ -155,23 +203,50 @@
') ')
optional_policy(` optional_policy(`
@ -15726,7 +15765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -179,12 +253,15 @@ @@ -179,12 +254,15 @@
') ')
optional_policy(` optional_policy(`
@ -20645,7 +20684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te 2009-06-10 11:22:43.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te 2009-06-11 08:41:02.000000000 -0400
@@ -11,6 +11,9 @@ @@ -11,6 +11,9 @@
domain_type(setroubleshootd_t) domain_type(setroubleshootd_t)
init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@ -20680,7 +20719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(setroubleshootd_t) corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t)
@@ -68,16 +76,23 @@ @@ -68,16 +76,24 @@
dev_read_urand(setroubleshootd_t) dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t)
@ -20702,10 +20741,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+fs_read_fusefs_symlinks(setroubleshootd_t) +fs_read_fusefs_symlinks(setroubleshootd_t)
+fs_dontaudit_read_nfs_files(setroubleshootd_t) +fs_dontaudit_read_nfs_files(setroubleshootd_t)
+fs_dontaudit_read_cifs_files(setroubleshootd_t) +fs_dontaudit_read_cifs_files(setroubleshootd_t)
+fs_list_inotifyfs(setroubleshootd_t)
selinux_get_enforce_mode(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t) selinux_validate_context(setroubleshootd_t)
@@ -94,22 +109,28 @@ @@ -94,22 +110,28 @@
locallogin_dontaudit_use_fds(setroubleshootd_t) locallogin_dontaudit_use_fds(setroubleshootd_t)
@ -22436,8 +22476,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow the specified domain to append to ulogd's log files. ## Allow the specified domain to append to ulogd's log files.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.14/policy/modules/services/uucp.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.14/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-03-23 13:47:11.000000000 -0400 --- nsaserefpolicy/policy/modules/services/uucp.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.14/policy/modules/services/uucp.te 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/services/uucp.te 2009-06-11 09:57:39.000000000 -0400
@@ -129,6 +129,7 @@ @@ -95,6 +95,8 @@
files_search_home(uucpd_t)
files_search_spool(uucpd_t)
+term_setattr_controlling_term(uucpd_t)
+
auth_use_nsswitch(uucpd_t)
logging_send_syslog_msg(uucpd_t)
@@ -129,6 +131,7 @@
optional_policy(` optional_policy(`
mta_send_mail(uux_t) mta_send_mail(uux_t)
mta_read_queue(uux_t) mta_read_queue(uux_t)
@ -24065,7 +24114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.14/policy/modules/services/xserver.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.14/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.14/policy/modules/services/xserver.te 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/services/xserver.te 2009-06-11 09:54:56.000000000 -0400
@@ -34,6 +34,13 @@ @@ -34,6 +34,13 @@
## <desc> ## <desc>
@ -24268,7 +24317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow gdm to run gdm-binary # Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t) can_exec(xdm_t, xdm_exec_t)
@@ -329,22 +362,37 @@ @@ -329,22 +362,39 @@
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@ -24281,7 +24330,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) -fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+fs_getattr_all_fs(xdm_t) +fs_getattr_all_fs(xdm_t)
+fs_list_inotifyfs(xdm_t)
+fs_read_noxattr_fs_files(xdm_t) +fs_read_noxattr_fs_files(xdm_t)
+ +
+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) +manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
@ -24309,7 +24360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:process signal;
allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_t:unix_stream_socket connectto;
@@ -358,6 +406,7 @@ @@ -358,6 +408,7 @@
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xserver_t:shm rw_shm_perms; allow xdm_t xserver_t:shm rw_shm_perms;
@ -24317,7 +24368,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# connect to xdm xserver over stream socket # connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t) stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t)
@@ -366,10 +415,14 @@ @@ -366,10 +417,14 @@
delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) delete_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t) delete_sock_files_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t)
@ -24333,7 +24384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xdm_t) kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t) kernel_read_kernel_sysctls(xdm_t)
@@ -389,11 +442,13 @@ @@ -389,11 +444,13 @@
corenet_udp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t) corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t)
@ -24347,7 +24398,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_rand(xdm_t) dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t) dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t) dev_getattr_framebuffer_dev(xdm_t)
@@ -401,6 +456,7 @@ @@ -401,6 +458,7 @@
dev_getattr_mouse_dev(xdm_t) dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t) dev_rw_apm_bios(xdm_t)
@ -24355,7 +24406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_setattr_apm_bios_dev(xdm_t) dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t) dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t) dev_rw_agp(xdm_t)
@@ -413,14 +469,17 @@ @@ -413,14 +471,17 @@
dev_setattr_video_dev(xdm_t) dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t) dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t)
@ -24375,7 +24426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xdm_t) files_read_etc_files(xdm_t)
files_read_var_files(xdm_t) files_read_var_files(xdm_t)
@@ -431,9 +490,13 @@ @@ -431,9 +492,13 @@
files_read_usr_files(xdm_t) files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm # Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t) files_create_boot_flag(xdm_t)
@ -24389,7 +24440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t)
@@ -442,6 +505,7 @@ @@ -442,6 +507,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t)
@ -24397,7 +24448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_setattr_console(xdm_t) term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t) term_use_unallocated_ttys(xdm_t)
@@ -450,6 +514,7 @@ @@ -450,6 +516,7 @@
auth_domtrans_pam_console(xdm_t) auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t) auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t) auth_manage_pam_console_data(xdm_t)
@ -24405,7 +24456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_rw_faillog(xdm_t) auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t) auth_write_login_records(xdm_t)
@@ -460,10 +525,10 @@ @@ -460,10 +527,10 @@
logging_read_generic_logs(xdm_t) logging_read_generic_logs(xdm_t)
@ -24418,7 +24469,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t) userdom_create_all_users_keys(xdm_t)
@@ -472,6 +537,9 @@ @@ -472,6 +539,9 @@
# Search /proc for any user domain processes. # Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t) userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t) userdom_signal_all_users(xdm_t)
@ -24428,7 +24479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_rw_session(xdm_t,xdm_tmpfs_t) xserver_rw_session(xdm_t,xdm_tmpfs_t)
xserver_unconfined(xdm_t) xserver_unconfined(xdm_t)
@@ -504,10 +572,12 @@ @@ -504,10 +574,12 @@
optional_policy(` optional_policy(`
alsa_domtrans(xdm_t) alsa_domtrans(xdm_t)
@ -24441,7 +24492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -515,12 +585,45 @@ @@ -515,12 +587,45 @@
') ')
optional_policy(` optional_policy(`
@ -24487,7 +24538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
hostname_exec(xdm_t) hostname_exec(xdm_t)
') ')
@@ -542,6 +645,23 @@ @@ -542,6 +647,23 @@
') ')
optional_policy(` optional_policy(`
@ -24511,7 +24562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t) seutil_sigchld_newrole(xdm_t)
') ')
@@ -550,8 +670,9 @@ @@ -550,8 +672,9 @@
') ')
optional_policy(` optional_policy(`
@ -24523,7 +24574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',` ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem }; allow xdm_t self:process { execheap execmem };
@@ -560,7 +681,6 @@ @@ -560,7 +683,6 @@
ifdef(`distro_rhel4',` ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem }; allow xdm_t self:process { execheap execmem };
') ')
@ -24531,7 +24582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
userhelper_dontaudit_search_config(xdm_t) userhelper_dontaudit_search_config(xdm_t)
@@ -571,6 +691,10 @@ @@ -571,6 +693,10 @@
') ')
optional_policy(` optional_policy(`
@ -24542,7 +24593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t) xfs_stream_connect(xdm_t)
') ')
@@ -587,7 +711,7 @@ @@ -587,7 +713,7 @@
# execheap needed until the X module loader is fixed. # execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack # NVIDIA Needs execstack
@ -24551,7 +24602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit xserver_t self:capability chown; dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:memprotect mmap_zero; allow xserver_t self:memprotect mmap_zero;
@@ -602,9 +726,11 @@ @@ -602,9 +728,11 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms; allow xserver_t self:udp_socket create_socket_perms;
@ -24563,7 +24614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t { input_xevent_t input_xevent_type }:x_event send; allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
@@ -616,13 +742,14 @@ @@ -616,13 +744,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send; allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@ -24579,7 +24630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -635,9 +762,19 @@ @@ -635,9 +764,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t) files_search_var_lib(xserver_t)
@ -24599,7 +24650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(xserver_t) kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t) kernel_read_device_sysctls(xserver_t)
@@ -680,9 +817,14 @@ @@ -680,9 +819,14 @@
dev_rw_xserver_misc(xserver_t) dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events # read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t) dev_rw_input_dev(xserver_t)
@ -24614,7 +24665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xserver_t) files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t) files_read_etc_runtime_files(xserver_t)
@@ -697,8 +839,12 @@ @@ -697,8 +841,12 @@
fs_search_nfs(xserver_t) fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t) fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t) fs_search_ramfs(xserver_t)
@ -24627,7 +24678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t) selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t) selinux_compute_access_vector(xserver_t)
@@ -720,6 +866,7 @@ @@ -720,6 +868,7 @@
miscfiles_read_localization(xserver_t) miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t) miscfiles_read_fonts(xserver_t)
@ -24635,7 +24686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
modutils_domtrans_insmod(xserver_t) modutils_domtrans_insmod(xserver_t)
@@ -742,7 +889,7 @@ @@ -742,7 +891,7 @@
') ')
ifdef(`enable_mls',` ifdef(`enable_mls',`
@ -24644,7 +24695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
') ')
@@ -774,12 +921,16 @@ @@ -774,12 +923,16 @@
') ')
optional_policy(` optional_policy(`
@ -24662,7 +24713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domtrans(xserver_t) unconfined_domtrans(xserver_t)
') ')
@@ -806,7 +957,7 @@ @@ -806,7 +959,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read }; allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search; dontaudit xserver_t xdm_var_lib_t:dir search;
@ -24671,7 +24722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Label pid and temporary files with derived types. # Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -827,9 +978,14 @@ @@ -827,9 +980,14 @@
# to read ROLE_home_t - examine this in more detail # to read ROLE_home_t - examine this in more detail
# (xauth?) # (xauth?)
userdom_read_user_home_content_files(xserver_t) userdom_read_user_home_content_files(xserver_t)
@ -24686,7 +24737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t) fs_manage_nfs_files(xserver_t)
@@ -844,11 +1000,14 @@ @@ -844,11 +1002,14 @@
optional_policy(` optional_policy(`
dbus_system_bus_client(xserver_t) dbus_system_bus_client(xserver_t)
@ -24702,7 +24753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -856,6 +1015,11 @@ @@ -856,6 +1017,11 @@
rhgb_rw_tmpfs_files(xserver_t) rhgb_rw_tmpfs_files(xserver_t)
') ')
@ -24714,7 +24765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################## ########################################
# #
# Rules common to all X window domains # Rules common to all X window domains
@@ -881,6 +1045,8 @@ @@ -881,6 +1047,8 @@
# X Server # X Server
# can read server-owned resources # can read server-owned resources
allow x_domain xserver_t:x_resource read; allow x_domain xserver_t:x_resource read;
@ -24723,7 +24774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients # can mess with own clients
allow x_domain self:x_client { manage destroy }; allow x_domain self:x_client { manage destroy };
@@ -905,6 +1071,8 @@ @@ -905,6 +1073,8 @@
# operations allowed on my windows # operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -24732,7 +24783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps # X Colormaps
# can use the default colormap # can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color }; allow x_domain rootwindow_t:x_colormap { read use add_color };
@@ -972,17 +1140,49 @@ @@ -972,17 +1142,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -25621,7 +25672,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.14/policy/modules/system/init.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.14/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.14/policy/modules/system/init.te 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/system/init.te 2009-06-11 09:54:00.000000000 -0400
@@ -17,6 +17,20 @@ @@ -17,6 +17,20 @@
## </desc> ## </desc>
gen_tunable(init_upstart,false) gen_tunable(init_upstart,false)
@ -25749,7 +25800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_sendrecv_all_ports(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t)
@@ -270,16 +305,20 @@ @@ -270,17 +305,22 @@
dev_rw_sysfs(initrc_t) dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t) dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t) dev_read_framebuffer(initrc_t)
@ -25769,9 +25820,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+dev_getattr_all_blk_files(initrc_t) +dev_getattr_all_blk_files(initrc_t)
+dev_getattr_all_chr_files(initrc_t) +dev_getattr_all_chr_files(initrc_t)
+fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t) fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs # rhgb-console writes to ramfs
@@ -328,7 +367,7 @@ fs_write_ramfs_pipes(initrc_t)
@@ -328,7 +368,7 @@
domain_sigchld_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t) domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t) domain_getattr_all_domains(initrc_t)
@ -25780,7 +25833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_getsession_all_domains(initrc_t) domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t) domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown: # for lsof which is used by alsa shutdown:
@@ -343,14 +382,14 @@ @@ -343,14 +383,14 @@
files_getattr_all_pipes(initrc_t) files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t) files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t) files_purge_tmp(initrc_t)
@ -25797,7 +25850,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_exec_etc_files(initrc_t) files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t) files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t) files_manage_urandom_seed(initrc_t)
@@ -366,7 +405,9 @@ @@ -366,7 +406,9 @@
libs_rw_ld_so_cache(initrc_t) libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t) libs_exec_lib_files(initrc_t)
@ -25807,7 +25860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(initrc_t) logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t) logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t) logging_read_all_logs(initrc_t)
@@ -451,7 +492,7 @@ @@ -451,7 +493,7 @@
# Red Hat systems seem to have a stray # Red Hat systems seem to have a stray
# fd open from the initrd # fd open from the initrd
@ -25816,7 +25869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_dontaudit_read_root_files(initrc_t) files_dontaudit_read_root_files(initrc_t)
selinux_set_enforce_mode(initrc_t) selinux_set_enforce_mode(initrc_t)
@@ -465,6 +506,7 @@ @@ -465,6 +507,7 @@
storage_raw_read_fixed_disk(initrc_t) storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t)
@ -25824,7 +25877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t) files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory # wants to read /.fonts directory
@@ -498,6 +540,7 @@ @@ -498,6 +541,7 @@
optional_policy(` optional_policy(`
#for /etc/rc.d/init.d/nfs to create /etc/exports #for /etc/rc.d/init.d/nfs to create /etc/exports
rpc_write_exports(initrc_t) rpc_write_exports(initrc_t)
@ -25832,7 +25885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -516,6 +559,33 @@ @@ -516,6 +560,33 @@
') ')
') ')
@ -25866,7 +25919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
amavis_search_lib(initrc_t) amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t) amavis_setattr_pid_files(initrc_t)
@@ -570,6 +640,10 @@ @@ -570,6 +641,10 @@
dbus_read_config(initrc_t) dbus_read_config(initrc_t)
optional_policy(` optional_policy(`
@ -25877,7 +25930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
networkmanager_dbus_chat(initrc_t) networkmanager_dbus_chat(initrc_t)
') ')
') ')
@@ -591,6 +665,10 @@ @@ -591,6 +666,10 @@
') ')
optional_policy(` optional_policy(`
@ -25888,7 +25941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_usbfs(initrc_t) dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc # init scripts run /etc/hotplug/usb.rc
@@ -647,20 +725,20 @@ @@ -647,20 +726,20 @@
') ')
optional_policy(` optional_policy(`
@ -25915,7 +25968,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
@@ -719,8 +797,6 @@ @@ -719,8 +798,6 @@
# bash tries ioctl for some reason # bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t) files_dontaudit_ioctl_all_pids(initrc_t)
@ -25924,7 +25977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -733,10 +809,12 @@ @@ -733,10 +810,12 @@
squid_manage_logs(initrc_t) squid_manage_logs(initrc_t)
') ')
@ -25937,7 +25990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t) ssh_dontaudit_read_server_keys(initrc_t)
@@ -754,6 +832,11 @@ @@ -754,6 +833,11 @@
uml_setattr_util_sockets(initrc_t) uml_setattr_util_sockets(initrc_t)
') ')
@ -25949,7 +26002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
unconfined_domain(initrc_t) unconfined_domain(initrc_t)
@@ -765,6 +848,13 @@ @@ -765,6 +849,13 @@
optional_policy(` optional_policy(`
mono_domtrans(initrc_t) mono_domtrans(initrc_t)
') ')
@ -25963,7 +26016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -790,3 +880,35 @@ @@ -790,3 +881,35 @@
optional_policy(` optional_policy(`
zebra_read_config(initrc_t) zebra_read_config(initrc_t)
') ')
@ -26167,7 +26220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+miscfiles_read_localization(iscsid_t) +miscfiles_read_localization(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.14/policy/modules/system/libraries.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.14/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-06-08 15:22:18.000000000 -0400 --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-06-08 15:22:18.000000000 -0400
+++ serefpolicy-3.6.14/policy/modules/system/libraries.fc 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/system/libraries.fc 2009-06-11 11:46:19.000000000 -0400
@@ -60,12 +60,15 @@ @@ -60,12 +60,15 @@
# #
# /opt # /opt
@ -26327,7 +26380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_suse',` ifdef(`distro_suse',`
/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
') ')
@@ -311,3 +339,37 @@ @@ -311,3 +339,39 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@ -26365,6 +26418,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+ +
+/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.14/policy/modules/system/libraries.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.14/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2008-11-11 16:13:48.000000000 -0500 --- nsaserefpolicy/policy/modules/system/libraries.if 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.14/policy/modules/system/libraries.if 2009-06-08 21:43:15.000000000 -0400 +++ serefpolicy-3.6.14/policy/modules/system/libraries.if 2009-06-08 21:43:15.000000000 -0400

View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.6.14 Version: 3.6.14
Release: 2%{?dist} Release: 3%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -473,6 +473,9 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Jun 11 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-3
- Allow NetworkManager to read inotifyfs
* Wed Jun 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-2 * Wed Jun 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.14-2
- Allow setroubleshoot to run mlocate - Allow setroubleshoot to run mlocate