patch from dan Thu, 18 May 2006 11:56:22 -0400

refpolicy/policy/global_tunables

@@ -85,6 +85,14 @@ gen_tunable(allow_java_execstack,false)
 ## </desc>
 gen_tunable(allow_kerberos,false)
 
+## <desc>
+## <p>
+## Allow nfs servers to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_nfsd_anon_write,false)
+
 ## <desc>
 ## <p>
 ## Allow rsync to modify public files

refpolicy/policy/modules/admin/consoletype.te

@@ -1,5 +1,5 @@
 
-policy_module(consoletype,1.0.0)
+policy_module(consoletype,1.0.1)
 
 ########################################
 #
@@ -107,3 +107,10 @@ optional_policy(`
 optional_policy(`
 	userdom_use_unpriv_users_fds(consoletype_t)
 ')
+
+optional_policy(`
+	kernel_read_xen_state(consoletype_t)
+	kernel_write_xen_state(consoletype_t)
+	xen_append_log(consoletype_t)
+	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
+')

refpolicy/policy/modules/admin/prelink.te

@@ -1,5 +1,5 @@
 
-policy_module(prelink,1.1.1)
+policy_module(prelink,1.1.2)
 
 ########################################
 #
@@ -10,6 +10,7 @@ attribute prelink_object;
 type prelink_t;
 type prelink_exec_t;
 init_system_domain(prelink_t,prelink_exec_t)
+domain_obj_id_change_exemption(prelink_t)
 
 type prelink_cache_t;
 files_type(prelink_cache_t)

refpolicy/policy/modules/kernel/mls.te

@@ -1,5 +1,5 @@
 
-policy_module(mls,1.3.0)
+policy_module(mls,1.3.1)
 
 ########################################
 #
@@ -57,6 +57,7 @@ attribute mlsrangetrans;
 #
 
 type lvm_exec_t;
+type run_init_t;
 type setrans_exec_t;
 
 ifdef(`enable_mls',`
@@ -64,4 +65,5 @@ range_transition initrc_t auditd_exec_t s15:c0.c255;
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
 range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
 range_transition initrc_t setrans_exec_t s15:c0.c255;
+range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
 ')

refpolicy/policy/modules/kernel/terminal.if

@@ -430,7 +430,7 @@ interface(`term_dontaudit_use_generic_ptys',`
 		type devpts_t;
 	')
 
-	dontaudit $1 devpts_t:chr_file { getattr read write };
+	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
 
 ########################################

refpolicy/policy/modules/kernel/terminal.te

@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.1.1)
+policy_module(terminal,1.1.2)
 
 ########################################
 #

refpolicy/policy/modules/services/amavis.fc

@@ -8,4 +8,5 @@
 /var/lib/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
 /var/log/amavisd\.log		--	gen_context(system_u:object_r:amavis_var_log_t,s0)
 /var/run/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_run_t,s0)
+/var/spool/amavisd(/.*)?		gen_context(system_u:object_r:amavis_spool_t,s0)
 /var/virusmails(/.*)?			gen_context(system_u:object_r:amavis_quarantine_t,s0)

refpolicy/policy/modules/services/amavis.te

@@ -1,5 +1,5 @@
 
-policy_module(amavis,1.0.3)
+policy_module(amavis,1.0.4)
 
 ########################################
 #
@@ -35,12 +35,15 @@ files_tmp_file(amavis_tmp_t)
 type amavis_quarantine_t;
 files_type(amavis_quarantine_t)
 
+type amavis_spool_t;
+files_type(amavis_spool_t)
+
 ########################################
 #
 # amavis local policy
 #
 
-allow amavis_t self:capability { chown dac_override setgid setuid };
+allow amavis_t self:capability { kill chown dac_override setgid setuid };
 dontaudit amavis_t self:capability sys_tty_config;
 allow amavis_t self:process { signal sigchld signull };
 allow amavis_t self:fifo_file rw_file_perms;
@@ -58,6 +61,11 @@ allow amavis_t amavis_quarantine_t:file create_file_perms;
 allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
 allow amavis_t amavis_quarantine_t:dir create_dir_perms;
 
+# Spool Files
+allow amavis_t amavis_spool_t:dir manage_dir_perms;
+allow amavis_t amavis_spool_t:file manage_file_perms;
+files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
+
 # tmp files
 allow amavis_t amavis_tmp_t:file create_file_perms;
 allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
@@ -82,8 +90,10 @@ allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
 allow amavis_t amavis_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })
 
+kernel_read_kernel_sysctls(amavis_t)
 # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
 kernel_dontaudit_list_proc(amavis_t)
+kernel_dontaudit_read_system_state(amavis_t)
 
 # find perl
 corecmd_exec_bin(amavis_t)
@@ -115,6 +125,7 @@ auth_dontaudit_read_shadow(amavis_t)
 
 init_use_fds(amavis_t)
 init_use_script_ptys(amavis_t)
+init_stream_connect_script(amavis_t)
 
 libs_use_ld_so(amavis_t)
 libs_use_shared_libs(amavis_t)
@@ -134,8 +145,13 @@ cron_rw_pipes(amavis_t)
 
 mta_read_config(amavis_t)
 
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(amavis_t)
+')
+
 optional_policy(`
 	clamav_stream_connect(amavis_t)
+	clamav_domtrans_clamscan(amavis_t)
 ')
 
 optional_policy(`

refpolicy/policy/modules/services/bind.te

@@ -1,5 +1,5 @@
 
-policy_module(bind,1.1.3)
+policy_module(bind,1.1.4)
 
 ########################################
 #
@@ -123,6 +123,8 @@ term_dontaudit_use_console(named_t)
 
 corecmd_search_sbin(named_t)
 
+dev_read_urand(named_t)
+
 domain_use_interactive_fds(named_t)
 
 files_read_etc_files(named_t)
@@ -137,6 +139,7 @@ libs_use_shared_libs(named_t)
 logging_send_syslog_msg(named_t)
 
 miscfiles_read_localization(named_t)
+miscfiles_read_certs(named_t)
 
 sysnet_read_config(named_t)
 

refpolicy/policy/modules/services/bluetooth.te

@@ -1,5 +1,5 @@
 
-policy_module(bluetooth,1.2.4)
+policy_module(bluetooth,1.2.5)
 
 ########################################
 #
@@ -211,6 +211,7 @@ sysnet_read_config(bluetooth_helper_t)
 
 ifdef(`targeted_policy',`
 	files_rw_generic_tmp_sockets(bluetooth_helper_t)
+	files_manage_generic_tmp_files(bluetooth_helper_t)
 
 	fs_rw_tmpfs_files(bluetooth_helper_t)
 
@@ -218,7 +219,7 @@ ifdef(`targeted_policy',`
 
 	unconfined_stream_connect(bluetooth_helper_t)
 
-	userdom_read_all_users_home_content_files(bluetooth_helper_t)
+	userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
 
 	optional_policy(`
 		xserver_stream_connect_xdm(bluetooth_helper_t)

refpolicy/policy/modules/services/cups.te

@@ -1,5 +1,5 @@
 
-policy_module(cups,1.3.3)
+policy_module(cups,1.3.4)
 
 ########################################
 #
@@ -672,6 +672,7 @@ allow cupsd_lpd_t self:process signal_perms;
 allow cupsd_lpd_t self:fifo_file rw_file_perms;
 allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
 allow cupsd_lpd_t self:udp_socket create_socket_perms;
+allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
 
 # for identd
 # cjp: this should probably only be inetd_child rules?
@@ -731,6 +732,8 @@ miscfiles_read_localization(cupsd_lpd_t)
 
 sysnet_read_config(cupsd_lpd_t)
 
+cups_stream_connect(cupsd_lpd_t)
+
 optional_policy(`
 	inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
 ')

refpolicy/policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.6)
+policy_module(hal,1.3.7)
 
 ########################################
 #
@@ -93,6 +93,7 @@ files_read_usr_files(hald_t)
 # hal is now execing pm-suspend
 files_create_boot_flag(hald_t)
 files_getattr_all_dirs(hald_t)
+files_read_kernel_img(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)

refpolicy/policy/modules/services/pyzor.fc

@@ -5,3 +5,7 @@
 
 /var/lib/pyzord(/.*)?		gen_context(system_u:object_r:pyzor_var_lib_t,s0)
 /var/log/pyzord.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)
+
+ifdef(`strict_policy',`
+HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+')

refpolicy/policy/modules/services/pyzor.te

@@ -1,5 +1,5 @@
 
-policy_module(pyzor,1.0.0)
+policy_module(pyzor,1.0.1)
 
 ########################################
 #

refpolicy/policy/modules/services/rpc.te

@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.2.3)
+policy_module(rpc,1.2.4)
 
 ########################################
 #
@@ -111,9 +111,17 @@ files_getattr_tmp_dirs(nfsd_t)
 # cjp: this should really have its own type
 files_manage_mounttab(rpcd_t)
 
+# Read access to public_content_t and public_content_rw_t
+miscfiles_read_public_files(nfsd_t)
+
 portmap_tcp_connect(nfsd_t) 
 portmap_udp_chat(nfsd_t)
 
+# Write access to public_content_t and public_content_rw_t
+tunable_policy(`allow_nfsd_anon_write',`
+	miscfiles_manage_public_files(nfsd_t)
+') 
+
 tunable_policy(`nfs_export_all_rw',`
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)

refpolicy/policy/modules/services/xfs.if

@@ -41,3 +41,23 @@ interface(`xfs_stream_connect',`
 	allow $1 xfs_tmp_t:sock_file write;
 	allow $1 xfs_t:unix_stream_socket connectto;
 ')
+
+
+########################################
+## <summary>
+##	Allow the specified domain to execute xfs
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xfs_exec',`
+	gen_require(`
+		type xfs_exec_t;
+	')
+
+	can_exec($1,xfs_exec_t)
+')

refpolicy/policy/modules/services/xfs.te

@@ -1,5 +1,5 @@
 
-policy_module(xfs,1.0.1)
+policy_module(xfs,1.0.2)
 
 ########################################
 #
@@ -42,19 +42,22 @@ allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
 kernel_read_kernel_sysctls(xfs_t)
 kernel_read_system_state(xfs_t)
 
+corecmd_list_bin(xfs_t)
+corecmd_list_sbin(xfs_t)
+
 dev_read_sysfs(xfs_t)
 
 fs_getattr_all_fs(xfs_t)
 fs_search_auto_mountpoints(xfs_t)
 
-term_dontaudit_use_console(xfs_t)
-
 domain_use_interactive_fds(xfs_t)
 
 files_read_etc_files(xfs_t)
 files_read_etc_runtime_files(xfs_t)
 files_read_usr_files(xfs_t)
 
+term_dontaudit_use_console(xfs_t)
+
 init_use_fds(xfs_t)
 init_use_script_ptys(xfs_t)
 
@@ -69,6 +72,8 @@ miscfiles_read_fonts(xfs_t)
 userdom_dontaudit_use_unpriv_user_fds(xfs_t)
 userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
 
+xfs_exec(xfs_t)
+
 ifdef(`distro_debian',`
 	# for /tmp/.font-unix/fs7100
 	init_script_tmp_filetrans(xfs_t,xfs_tmp_t,sock_file)

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.12)
+policy_module(init,1.3.13)
 
 gen_require(`
 	class passwd rootok;
@@ -374,6 +374,7 @@ mls_file_write_down(initrc_t)
 mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
+mls_rangetrans_target(initrc_t)
 
 modutils_read_module_config(initrc_t)
 modutils_domtrans_insmod(initrc_t)

refpolicy/policy/modules/system/selinuxutil.fc

@@ -36,6 +36,8 @@
 /usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)
 /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
 /usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 
 ifdef(`distro_debian', `

refpolicy/policy/modules/system/selinuxutil.te

@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.6)
+policy_module(selinuxutil,1.2.7)
 
 gen_require(`
 	bool secure_mode;
@@ -92,7 +92,11 @@ role system_r types restorecond_t;
 type restorecond_var_run_t;
 files_pid_file(restorecond_var_run_t)
 
+# real declaration moved to mls until
+# range transitions work in modules
+gen_require(`
 	type run_init_t;
+')
 type run_init_exec_t;
 domain_type(run_init_t)
 domain_entry_file(run_init_t,run_init_exec_t)
@@ -447,7 +451,7 @@ libs_use_shared_libs(restorecond_t)
 
 logging_send_syslog_msg(restorecond_t)
 
-miscfiles_read_localization(run_init_t)
+miscfiles_read_localization(restorecond_t)
 
 #################################
 #
@@ -461,6 +465,8 @@ selinux_compute_create_context(run_init_t)
 selinux_compute_relabel_context(run_init_t)
 selinux_compute_user_contexts(run_init_t)
 
+mls_rangetrans_source(run_init_t)
+
 ifdef(`direct_sysadm_daemon',`',`
 	ifdef(`distro_gentoo',`
 		# Gentoo integrated run_init:
@@ -526,6 +532,8 @@ ifdef(`targeted_policy',`',`
 #
 
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
+allow semanage_t self:unix_dgram_socket create_socket_perms;
+allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 allow semanage_t policy_config_t:file { read write };
 
@@ -535,6 +543,8 @@ kernel_read_kernel_sysctls(semanage_t)
 corecmd_exec_bin(semanage_t)
 corecmd_exec_sbin(semanage_t)
 
+dev_read_urand(semanage_t)
+
 files_read_etc_files(semanage_t)
 files_read_usr_files(semanage_t)
 files_list_pids(semanage_t)
@@ -544,6 +554,8 @@ mls_rangetrans_target(semanage_t)
 mls_file_read_up(semanage_t)
 
 selinux_get_enforce_mode(semanage_t)
+# for setsebool:
+selinux_set_boolean(semanage_t)
 
 term_use_all_terms(semanage_t)
 
@@ -551,6 +563,8 @@ libs_use_ld_so(semanage_t)
 libs_use_shared_libs(semanage_t)
 libs_use_lib_files(semanage_t)
 
+logging_send_syslog_msg(semanage_t)
+
 miscfiles_read_localization(semanage_t)
 
 seutil_search_default_contexts(semanage_t)
@@ -565,6 +579,8 @@ seutil_manage_module_store(semanage_t)
 seutil_get_semanage_trans_lock(semanage_t)
 seutil_get_semanage_read_lock(semanage_t)
 
+userdom_search_sysadm_home_dirs(semanage_t)
+
 ifdef(`targeted_policy',`
 # Handle pp files created in homedir and /tmp
 	files_read_generic_tmp_files(semanage_t)

refpolicy/policy/modules/system/setrans.te

@@ -1,5 +1,5 @@
 
-policy_module(setrans,1.0.0)
+policy_module(setrans,1.0.1)
 
 ########################################
 #
@@ -23,7 +23,8 @@ mls_trusted_object(setrans_var_run_t)
 # setrans local policy
 #
 
-allow setrans_t self:process { setcap signal_perms };
+allow setrans_t self:capability sys_resource;
+allow setrans_t self:process { setrlimit setcap signal_perms };
 allow setrans_t self:unix_stream_socket create_stream_socket_perms;
 allow setrans_t self:unix_dgram_socket create_socket_perms;
 allow setrans_t self:netlink_selinux_socket create_socket_perms;
@@ -57,6 +58,7 @@ selinux_compute_access_vector(setrans_t)
 term_dontaudit_use_generic_ptys(setrans_t)
 
 init_use_fds(setrans_t)
+init_dontaudit_use_script_ptys(setrans_t)
 
 libs_use_ld_so(setrans_t)
 libs_use_shared_libs(setrans_t)

refpolicy/policy/modules/system/sysnetwork.te

@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.1.4)
+policy_module(sysnetwork,1.1.5)
 
 ########################################
 #
@@ -247,6 +247,8 @@ optional_policy(`
 ')
 
 optional_policy(`
+	kernel_read_xen_state(dhcpc_t)
+	kernel_write_xen_state(dhcpc_t)
 	xen_append_log(dhcpc_t)
 	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
 ')
@@ -349,6 +351,8 @@ optional_policy(`
 ')
 
 optional_policy(`
+	kernel_read_xen_state(ifconfig_t)
+	kernel_write_xen_state(ifconfig_t)
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')

refpolicy/policy/modules/system/xen.fc

@@ -12,6 +12,7 @@
 /var/log/xend-debug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
 
 /var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+/var/run/xend(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)

refpolicy/policy/modules/system/xen.te

@@ -1,5 +1,5 @@
 
-policy_module(xen,1.0.3)
+policy_module(xen,1.0.4)
 
 ########################################
 #
@@ -77,7 +77,7 @@ allow xend_t self:packet_socket create_socket_perms;
 # pid file
 allow xend_t xend_var_run_t:file manage_file_perms;
 allow xend_t xend_var_run_t:sock_file manage_file_perms;
-allow xend_t xend_var_run_t:dir rw_dir_perms;
+allow xend_t xend_var_run_t:dir { setattr rw_dir_perms };
 files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
 
 # log files
@@ -153,10 +153,12 @@ sysnet_dns_name_resolve(xend_t)
 sysnet_delete_dhcpc_pid(xend_t)
 sysnet_read_dhcpc_pid(xend_t)
 
-consoletype_exec(xend_t)
-
 xen_stream_connect_xenstore(xend_t)
 
+optional_policy(`
+	consoletype_domtrans(xend_t)
+')
+
 ########################################
 #
 # Xen console local policy
@@ -180,6 +182,7 @@ kernel_read_xen_state(xenconsoled_t)
 
 term_create_pty(xenconsoled_t,xen_devpts_t);
 term_dontaudit_use_generic_ptys(xenconsoled_t)
+term_use_console(xenconsoled_t)
 
 init_use_fds(xenconsoled_t)
 
@@ -198,6 +201,7 @@ xen_stream_connect_xenstore(xenconsoled_t)
 
 allow xenstored_t self:capability { dac_override mknod ipc_lock };
 allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+allow xenstored_t self:unix_dgram_socket create_socket_perms;
 
 # pid file
 allow xenstored_t xenstored_var_run_t:file manage_file_perms;
@@ -220,12 +224,15 @@ dev_filetrans_xen(xenstored_t)
 dev_rw_xen(xenstored_t)
 
 term_dontaudit_use_generic_ptys(xenstored_t)
+term_dontaudit_use_console(xenconsoled_t)
 
 init_use_fds(xenstored_t)
 
 libs_use_ld_so(xenstored_t)
 libs_use_shared_libs(xenstored_t)
 
+logging_send_syslog_msg(xenstored_t)
+
 miscfiles_read_localization(xenstored_t)
 
 xen_append_log(xenstored_t)