- Allow certmaster to override dac permissions

2009-07-27 22:09:57 +00:00 · 2009-07-27 22:09:57 +00:00 · 9160520a0e
parent ca183583d7
commit 9160520a0e
4 changed files with 127 additions and 89 deletions
--- a/booleans-minimum.conf
+++ b/booleans-minimum.conf
@ -243,10 +243,6 @@ allow_nsplugin_execmem=true
 # 
 allow_unconfined_nsplugin_transition=true

-# Allow unconfined domains mmap low kernel memory
-# 
-allow_unconfined_mmap_low = false
-
 # System uses init upstart program
 # 
 init_upstart = true
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -243,10 +243,6 @@ allow_nsplugin_execmem=true
 # 
 allow_unconfined_nsplugin_transition=true

-# Allow unconfined domains mmap low kernel memory
-# 
-allow_unconfined_mmap_low = false
-
 # System uses init upstart program
 # 
 init_upstart = true
--- a/policy-F12.patch
+++ b/policy-F12.patch
@ -262,7 +262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
 	$(verbose) $(INSTALL) -m 644 $< $@
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.23/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/global_tunables	2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/global_tunables	2009-07-27 13:55:41.000000000 -0400
@@ -61,15 +61,6 @@
 
 ## <desc>
@ -293,10 +293,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +## <desc>
 +## <p>
-+## Allow unconfined domain to map low memory in the kernel
+## Allow certain domains to map low memory in the kernel
 +## </p>
 +## </desc>
-+gen_tunable(allow_unconfined_mmap_low, false)
+gen_tunable(mmap_low_allowed, false)
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.23/policy/mcs
 --- nsaserefpolicy/policy/mcs	2009-07-14 14:19:57.000000000 -0400
@ -1488,16 +1488,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.23/policy/modules/admin/vbetool.te
 --- nsaserefpolicy/policy/modules/admin/vbetool.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/admin/vbetool.te	2009-07-23 16:39:09.000000000 -0400
-@@ -23,6 +23,7 @@
+++ serefpolicy-3.6.23/policy/modules/admin/vbetool.te	2009-07-27 13:54:52.000000000 -0400
+@@ -23,7 +23,11 @@
 dev_rwx_zero(vbetool_t)
 dev_read_sysfs(vbetool_t)
 
 +domain_mmap_low_type(vbetool_t)
+tunable_policy(`mmap_low_allowed',`
 domain_mmap_low(vbetool_t)
+')
+
 
 term_use_unallocated_ttys(vbetool_t)
-@@ -34,3 +35,9 @@
+ 
+@@ -34,3 +38,9 @@
 	hal_write_log(vbetool_t)
 	hal_dontaudit_append_lib_files(vbetool_t)
 ')
@ -4650,8 +4654,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.23/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/apps/wine.te	2009-07-23 16:39:09.000000000 -0400
-@@ -9,20 +9,33 @@
+++ serefpolicy-3.6.23/policy/modules/apps/wine.te	2009-07-27 13:54:28.000000000 -0400
+@@ -9,20 +9,35 @@
 type wine_t;
 type wine_exec_t;
 application_domain(wine_t, wine_exec_t)
@ -4669,7 +4673,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	unconfined_domain_noaudit(wine_t)
 +
 +domain_mmap_low_type(wine_t)
-+domain_mmap_low(wine_t)
+tunable_policy(`mmap_low_allowed',`
+	domain_mmap_low(wine_t)
+')
 +
 	files_execmod_all_files(wine_t)
 
@ -8754,7 +8760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.23/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/apache.te	2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/apache.te	2009-07-27 14:13:27.000000000 -0400
@@ -19,6 +19,8 @@
 # Declarations
 #
@ -8798,7 +8804,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## Allow HTTPD scripts and modules to connect to the network using TCP.
 ## </p>
 ## </desc>
-@@ -108,6 +124,29 @@
+@@ -87,6 +103,13 @@
+ 
+ ## <desc>
+ ## <p>
+## Allow httpd to read user content 
+## </p>
+## </desc>
+gen_tunable(httpd_read_user_content, false)
+
+## <desc>
+## <p>
+ ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+ ## </p>
+ ## </desc>
+@@ -108,6 +131,29 @@
 ## </desc>
 gen_tunable(httpd_unified, false)
 
@ -8828,7 +8848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 attribute httpdcontent;
 attribute httpd_user_content_type;
 
-@@ -140,6 +179,9 @@
+@@ -140,6 +186,9 @@
 domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
 role system_r types httpd_helper_t;
 
@ -8838,7 +8858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
 
-@@ -180,6 +222,10 @@
+@@ -180,6 +229,10 @@
 # setup the system domain for system CGI scripts
 apache_content_template(sys)
 
@ -8849,7 +8869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
 
-@@ -187,15 +233,20 @@
+@@ -187,15 +240,20 @@
 files_tmpfs_file(httpd_tmpfs_t)
 
 apache_content_template(user)
@ -8873,7 +8893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
 typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
 typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
-@@ -230,7 +281,7 @@
+@@ -230,7 +288,7 @@
 # Apache server local policy
 #
 
@ -8882,7 +8902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
-@@ -272,6 +323,7 @@
+@@ -272,6 +330,7 @@
 allow httpd_t httpd_modules_t:dir list_dir_perms;
 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@ -8890,7 +8910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 apache_domtrans_rotatelogs(httpd_t)
 # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -283,9 +335,9 @@
+@@ -283,9 +342,9 @@
 
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
@ -8903,7 +8923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -301,6 +353,7 @@
+@@ -301,6 +360,7 @@
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
 
@ -8911,7 +8931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
-@@ -312,6 +365,7 @@
+@@ -312,6 +372,7 @@
 kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
@ -8919,7 +8939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 corenet_all_recvfrom_unlabeled(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
-@@ -322,6 +376,7 @@
+@@ -322,6 +383,7 @@
 corenet_tcp_sendrecv_all_ports(httpd_t)
 corenet_udp_sendrecv_all_ports(httpd_t)
 corenet_tcp_bind_generic_node(httpd_t)
@ -8927,7 +8947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
 corenet_sendrecv_http_server_packets(httpd_t)
-@@ -335,12 +390,11 @@
+@@ -335,12 +397,11 @@
 
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
@ -8942,7 +8962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 domain_use_interactive_fds(httpd_t)
 
-@@ -358,6 +412,10 @@
+@@ -358,6 +419,10 @@
 files_read_var_lib_symlinks(httpd_t)
 
 fs_search_auto_mountpoints(httpd_sys_script_t)
@ -8953,7 +8973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 libs_read_lib_files(httpd_t)
 
-@@ -372,18 +430,33 @@
+@@ -372,18 +437,33 @@
 
 userdom_use_unpriv_users_fds(httpd_t)
 
@ -8991,7 +9011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ')
 
-@@ -391,20 +464,54 @@
+@@ -391,20 +471,54 @@
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
 
@ -9047,7 +9067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -415,20 +522,28 @@
+@@ -415,20 +529,28 @@
 	corenet_tcp_bind_ftp_port(httpd_t)
 ')
 
@ -9080,7 +9100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
-@@ -451,6 +566,10 @@
+@@ -451,6 +573,10 @@
 ')
 
 optional_policy(`
@ -9091,7 +9111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	cron_system_entry(httpd_t, httpd_exec_t)
 ')
 
-@@ -459,8 +578,13 @@
+@@ -459,8 +585,13 @@
 ')
 
 optional_policy(`
@ -9107,7 +9127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -468,22 +592,18 @@
+@@ -468,22 +599,18 @@
 	mailman_domtrans_cgi(httpd_t)
 	# should have separate types for public and private archives
 	mailman_search_data(httpd_t)
@ -9132,7 +9152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -494,12 +614,23 @@
+@@ -494,12 +621,23 @@
 ')
 
 optional_policy(`
@ -9156,7 +9176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -508,6 +639,7 @@
+@@ -508,6 +646,7 @@
 ')
 
 optional_policy(`
@ -9164,7 +9184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -535,6 +667,22 @@
+@@ -535,6 +674,22 @@
 
 userdom_use_user_terminals(httpd_helper_t)
 
@ -9187,7 +9207,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Apache PHP script local policy
-@@ -564,20 +712,25 @@
+@@ -564,20 +719,25 @@
 
 fs_search_auto_mountpoints(httpd_php_t)
 
@ -9219,7 +9239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -595,23 +748,24 @@
+@@ -595,23 +755,24 @@
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 
@ -9248,7 +9268,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +778,7 @@
+@@ -624,6 +785,7 @@
 logging_send_syslog_msg(httpd_suexec_t)
 
 miscfiles_read_localization(httpd_suexec_t)
@ -9256,7 +9276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -641,12 +796,20 @@
+@@ -641,12 +803,20 @@
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
 
@ -9280,7 +9300,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -672,15 +835,14 @@
+@@ -672,15 +842,14 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
 
@ -9299,7 +9319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +861,24 @@
+@@ -699,12 +868,24 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
 
@ -9326,7 +9346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +886,35 @@
+@@ -712,6 +893,35 @@
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
@ -9362,7 +9382,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +927,10 @@
+@@ -724,6 +934,10 @@
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -9373,7 +9393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -735,6 +942,8 @@
+@@ -735,6 +949,8 @@
 # httpd_rotatelogs local policy
 #
 
@ -9382,7 +9402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +963,12 @@
+@@ -754,6 +970,12 @@
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_user_script_t httpdcontent:file entrypoint;
@ -9395,11 +9415,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 # allow accessing files/dirs below the users home dir
-@@ -762,3 +977,67 @@
+@@ -762,3 +984,76 @@
 	userdom_search_user_home_dirs(httpd_suexec_t)
 	userdom_search_user_home_dirs(httpd_user_script_t)
 ')
 +
+tunable_policy(`httpd_read_user_content',`
+	userdom_read_user_home_content_files(httpd_user_script_t)
+	userdom_read_user_home_content_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
+	userdom_read_user_home_content_files(httpd_t)
+')
+
 +#============= bugzilla policy ==============
 +apache_content_template(bugzilla)
 +
@ -9607,6 +9636,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.23/policy/modules/services/certmaster.te
+--- nsaserefpolicy/policy/modules/services/certmaster.te	2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/certmaster.te	2009-07-27 14:06:05.000000000 -0400
+@@ -30,7 +30,7 @@
+ # certmaster local policy 
+ #
+ 
+-allow certmaster_t self:capability sys_tty_config;
+allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };
+ allow certmaster_t self:tcp_socket create_stream_socket_perms;
+ 
+ # config files
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.23/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2009-07-23 14:11:04.000000000 -0400
 +++ serefpolicy-3.6.23/policy/modules/services/clamav.te	2009-07-23 16:39:09.000000000 -0400
@ -10486,8 +10527,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.23/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/cups.fc	2009-07-23 16:39:09.000000000 -0400
-@@ -5,27 +5,40 @@
+++ serefpolicy-3.6.23/policy/modules/services/cups.fc	2009-07-27 13:42:47.000000000 -0400
+@@ -5,27 +5,38 @@
 /etc/cups/classes\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/cupsd\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/lpoptions.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@ -10526,13 +10567,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# keep as separate lines to ensure proper sorting
 +/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
 +/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/lib/cups/filter/hp.* --	gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/lib64/cups/filter/hp.* --	gen_context(system_u:object_r:hplip_exec_t,s0)
 +
 /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-@@ -33,7 +46,7 @@
+@@ -33,7 +44,7 @@
 
 /usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
 /usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@ -10541,7 +10580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -43,10 +56,19 @@
+@@ -43,10 +54,19 @@
 /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
 /var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
@ -14810,13 +14849,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.23/policy/modules/services/policykit.fc
 --- nsaserefpolicy/policy/modules/services/policykit.fc	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/policykit.fc	2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/policykit.fc	2009-07-27 09:04:55.000000000 -0400
@@ -1,7 +1,7 @@
 /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
 /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
 /usr/libexec/polkit-resolve-exe-helper.* --	gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
 -/usr/libexec/polkitd			--	gen_context(system_u:object_r:policykit_exec_t,s0)
-+/usr/libexec/polkitd.*			--	gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkitd.*				gen_context(system_u:object_r:policykit_exec_t,s0)
 
 /var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:policykit_reload_t,s0)
 /var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
@ -14874,7 +14913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.23/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/policykit.te	2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/policykit.te	2009-07-27 11:48:01.000000000 -0400
@@ -38,9 +38,10 @@
 
 allow policykit_t self:capability { setgid setuid };
@ -14888,8 +14927,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 policykit_domtrans_auth(policykit_t)
 
-@@ -70,6 +71,14 @@
+@@ -68,8 +69,17 @@
 
+ miscfiles_read_localization(policykit_t)
+ 
+userdom_getattr_all_users(policykit_t)
 userdom_read_all_users_state(policykit_t)
 
 +optional_policy(`
@ -14903,7 +14945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # polkit_auth local policy
-@@ -77,7 +86,8 @@
+@@ -77,7 +87,8 @@
 
 allow policykit_auth_t self:capability setgid;
 allow policykit_auth_t self:process getattr;
@ -14913,7 +14955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
 allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
 
-@@ -104,6 +114,8 @@
+@@ -104,6 +115,8 @@
 userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
 
 optional_policy(`
@ -14922,7 +14964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	dbus_session_bus_client(policykit_auth_t)
 
 	optional_policy(`
-@@ -116,6 +128,10 @@
+@@ -116,6 +129,10 @@
 	hal_read_state(policykit_auth_t)
 ')
 
@ -14933,7 +14975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # polkit_grant local policy
-@@ -123,7 +139,8 @@
+@@ -123,7 +140,8 @@
 
 allow policykit_grant_t self:capability setuid;
 allow policykit_grant_t self:process getattr;
@ -14943,7 +14985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
 allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
 
-@@ -153,9 +170,12 @@
+@@ -153,9 +171,12 @@
 userdom_read_all_users_state(policykit_grant_t)
 
 optional_policy(`
@ -14957,7 +14999,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		consolekit_dbus_chat(policykit_grant_t)
 	')
 ')
-@@ -167,7 +187,8 @@
+@@ -167,7 +188,8 @@
 
 allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
 allow policykit_resolve_t self:process getattr;
@ -15234,7 +15276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.23/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/postfix.te	2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/postfix.te	2009-07-27 09:06:16.000000000 -0400
@@ -6,6 +6,15 @@
 # Declarations
 #
@ -16840,7 +16882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.23/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/samba.te	2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/samba.te	2009-07-27 11:16:18.000000000 -0400
@@ -66,6 +66,13 @@
 ## </desc>
 gen_tunable(samba_share_nfs, false)
@ -17001,13 +17043,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`hide_broken_symptoms', `
 	files_dontaudit_getattr_default_dirs(smbd_t)
 	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -333,25 +361,33 @@
+@@ -333,25 +361,34 @@
 
 tunable_policy(`samba_domain_controller',`
 	usermanage_domtrans_passwd(smbd_t)
 +	usermanage_kill_passwd(smbd_t)
 	usermanage_domtrans_useradd(smbd_t)
 	usermanage_domtrans_groupadd(smbd_t)
+	allow smbd_t self:passwd passwd;
 ')
 
 tunable_policy(`samba_enable_home_dirs',`
@ -17041,7 +17084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	cups_read_rw_config(smbd_t)
 	cups_stream_connect(smbd_t)
-@@ -359,6 +395,16 @@
+@@ -359,6 +396,16 @@
 
 optional_policy(`
 	kerberos_use(smbd_t)
@ -17058,7 +17101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -376,13 +422,15 @@
+@@ -376,13 +423,15 @@
 tunable_policy(`samba_create_home_dirs',`
 	allow smbd_t self:capability chown;
 	userdom_create_user_home_dirs(smbd_t)
@ -17075,7 +17118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	auth_read_all_files_except_shadow(nmbd_t)
 ')
 
-@@ -391,8 +439,8 @@
+@@ -391,8 +440,8 @@
 	auth_manage_all_files_except_shadow(smbd_t)
 	fs_read_noxattr_fs_files(nmbd_t) 
 	auth_manage_all_files_except_shadow(nmbd_t)
@ -17085,7 +17128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 ########################################
 #
-@@ -417,14 +465,11 @@
+@@ -417,14 +466,11 @@
 files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
 
 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@ -17101,7 +17144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 
 allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
-@@ -553,21 +598,36 @@
+@@ -553,21 +599,36 @@
 userdom_use_user_terminals(smbmount_t)
 userdom_use_all_users_fds(smbmount_t)
 
@ -17141,7 +17184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 append_files_pattern(swat_t, samba_log_t, samba_log_t)
 
-@@ -585,6 +645,9 @@
+@@ -585,6 +646,9 @@
 files_pid_filetrans(swat_t, swat_var_run_t, file)
 
 allow swat_t winbind_exec_t:file mmap_file_perms;
@ -17151,7 +17194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -609,6 +672,7 @@
+@@ -609,6 +673,7 @@
 
 dev_read_urand(swat_t)
 
@ -17159,7 +17202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_files(swat_t)
 files_search_home(swat_t)
 files_read_usr_files(swat_t)
-@@ -618,6 +682,7 @@
+@@ -618,6 +683,7 @@
 auth_use_nsswitch(swat_t)
 
 logging_send_syslog_msg(swat_t)
@ -17167,7 +17210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 logging_search_logs(swat_t)
 
 miscfiles_read_localization(swat_t)
-@@ -635,14 +700,25 @@
+@@ -635,14 +701,25 @@
 	kerberos_use(swat_t)
 ')
 
@ -17195,7 +17238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow winbind_t self:fifo_file rw_fifo_file_perms;
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-@@ -683,9 +759,10 @@
+@@ -683,9 +760,10 @@
 manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 files_pid_filetrans(winbind_t, winbind_var_run_t, file)
 
@ -17208,7 +17251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 corenet_all_recvfrom_unlabeled(winbind_t)
 corenet_all_recvfrom_netlabel(winbind_t)
-@@ -709,10 +786,12 @@
+@@ -709,10 +787,12 @@
 
 auth_domtrans_chk_passwd(winbind_t)
 auth_use_nsswitch(winbind_t)
@ -17221,7 +17264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 logging_send_syslog_msg(winbind_t)
 
-@@ -768,8 +847,13 @@
+@@ -768,8 +848,13 @@
 userdom_use_user_terminals(winbind_helper_t)
 
 optional_policy(`
@ -17235,7 +17278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -778,6 +862,16 @@
+@@ -778,6 +863,16 @@
 #
 
 optional_policy(`
@ -17252,7 +17295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	type samba_unconfined_script_t;
 	type samba_unconfined_script_exec_t;
 	domain_type(samba_unconfined_script_t)
-@@ -788,9 +882,43 @@
+@@ -788,9 +883,43 @@
 	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
 	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
 
@ -19889,7 +19932,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.23/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/services/xserver.fc	2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/xserver.fc	2009-07-27 13:50:30.000000000 -0400
@@ -3,12 +3,16 @@
 #
 HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@ -19953,7 +19996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 +/var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/slim.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 +
 +/var/run/video.rom	--	gen_context(system_u:object_r:xserver_var_run_t,s0)
 +/var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
@ -25143,7 +25186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.23/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/unconfined.if	2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/system/unconfined.if	2009-07-27 13:54:34.000000000 -0400
@@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@ -25188,7 +25231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	ubac_process_exempt($1)
 +
-+	tunable_policy(`allow_unconfined_mmap_low',`
+	tunable_policy(`mmap_low_allowed',`
 +		domain_mmap_low($1)
 +	')
 +
@ -25888,7 +25931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.23/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.23/policy/modules/system/userdomain.if	2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/system/userdomain.if	2009-07-27 14:11:20.000000000 -0400
@@ -30,8 +30,9 @@
 	')
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.23
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -475,6 +475,9 @@ exit 0
 %endif

 %changelog
+* Mon Jul 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.23-2
+- Allow certmaster to override dac permissions
+
 * Thu Jul 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.23-1
 - Update to upstream