diff --git a/Changelog b/Changelog index 2438d0b5..1d8999f3 100644 --- a/Changelog +++ b/Changelog @@ -63,6 +63,7 @@ Mon, 12 Jun 2006 Tue, 20 Jun 2006 Wed, 26 Jul 2006 + Wed, 23 Aug 2006 - Added modules: afs amavis (Erich Schubert) diff --git a/policy/mls b/policy/mls index 3a35bde5..f9cd6717 100644 --- a/policy/mls +++ b/policy/mls @@ -184,19 +184,12 @@ mlsconstrain dir search ( t2 == mlstrustedobject )); # the "single level" file "write" ops -mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton } +mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton } (( l1 eq l2 ) or (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ( t1 == mlsfilewrite ) or ( t2 == mlstrustedobject )); -# the "ranged" file "write" ops -mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton } - ((( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsfilewrite ) or - ( t2 == mlstrustedobject )); - mlsconstrain dir { add_name remove_name reparent rmdir } ((( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc index 2780ecbf..b2a3c360 100644 --- a/policy/modules/admin/amanda.fc +++ b/policy/modules/admin/amanda.fc 
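Review bot: The rewritten `mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr ... }` line moves directory, device-node and socket writes from the deleted ranged test `( l1 dom l2 ) and ( l1 domby h2 )` to the strict `l1 eq l2`, while the `mlsconstrain dir { add_name remove_name reparent rmdir }` rule that follows keeps the ranged form. The tightening is presumably intentional, but neither the hunk nor the Changelog entry states it, and a reader comparing the two directory constraints will wonder whether `dir` was swept into the single-level group by accident when the ranged block was removed. Suggest extending the header comment to `# the "single level" file "write" ops; directory writes other than name-entry changes must be exactly at the object's level, see the ranged dir rule below`. The ranged directory constraint begins inside the hunk but its body continues past it.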
@@ -9,6 +9,7 @@ /tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0) /usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0) +/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0) /usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) /usr/lib(64)?/amanda/amcat\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0) /usr/lib(64)?/amanda/amcleanupdisk -- gen_context(system_u:object_r:amanda_exec_t,s0) diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index cf3b5528..46321761 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te @@ -1,5 +1,5 @@ -policy_module(amanda,1.3.4) +policy_module(amanda,1.3.5) ####################################### # diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te index 9ec5e445..69a3c68d 100644 --- a/policy/modules/admin/anaconda.te +++ b/policy/modules/admin/anaconda.te @@ -1,5 +1,5 @@ -policy_module(anaconda,1.0.0) +policy_module(anaconda,1.0.1) ######################################## # @@ -7,6 +7,7 @@ policy_module(anaconda,1.0.0) # type anaconda_t; +type anaconda_exec_t; domain_type(anaconda_t) domain_obj_id_change_exemption(anaconda_t) role system_r types anaconda_t; @@ -16,6 +17,10 @@ role system_r types anaconda_t; # Local policy # +allow anaconda_t self:process execmem; + +kernel_domtrans_to(anaconda_t,anaconda_exec_t) + # Run other rc scripts in the anaconda_t domain. init_domtrans_script(anaconda_t) @@ -25,8 +30,12 @@ logging_send_syslog_msg(anaconda_t) modutils_domtrans_insmod(anaconda_t) +seutil_domtrans_semanage(anaconda_t) + unconfined_domain(anaconda_t) +userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file }) + ifdef(`distro_redhat',` bootloader_create_runtime_file(anaconda_t) ') 
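Review bot: The added catch-all `/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)` labels every regular file under the amanda library directory as an entrypoint type, not only programs, so any data or configuration file installed there becomes an `amanda_exec_t` file. The more specific entries that follow (amandad as `amanda_inetd_exec_t`, amcat.awk as `amanda_script_exec_t`) should still take precedence under file_contexts specificity ordering, so the behaviour looks sound, but the intent is not stated. Suggest a comment above the line: `# default: anything else installed into the amanda lib dir is an amanda_exec_t program; add a more specific entry for non-executables`.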
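Review bot: `type anaconda_exec_t;` is declared without any type attribute and is used only in `kernel_domtrans_to(anaconda_t,anaconda_exec_t)`; unlike `domain_entry_file()`, nothing visible marks it as an executable file type, and no anaconda.fc change appears in this diff, so as far as the visible hunks show no file ever receives the label and the transition from kernel_t cannot fire. If the labelling lives in a file outside this diff, a comment next to the declaration saying where would help; otherwise `domain_entry_file(anaconda_t,anaconda_exec_t)` plus a file-context entry is the usual pair. The added `allow anaconda_t self:process execmem;` also carries no reason; `# execmem: <reason> — TODO confirm` would record why it is needed in an installer domain.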
@@ -41,6 +50,7 @@ optional_policy(` optional_policy(` rpm_domtrans(anaconda_t) + rpm_domtrans_script(anaconda_t) ') optional_policy(` @@ -50,10 +60,3 @@ optional_policy(` optional_policy(` usermanage_domtrans_admin_passwd(anaconda_t) ') - -ifdef(`TODO',` -optional_policy(` - role system_r types sysadm_ssh_agent_t; - domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t) -') -') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 529bfe2e..a01e35d9 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -1,5 +1,5 @@ -policy_module(bootloader,1.2.5) +policy_module(bootloader,1.2.6) ######################################## # @@ -83,8 +83,8 @@ dev_dontaudit_rw_generic_dev_nodes(bootloader_t) dev_read_rand(bootloader_t) dev_read_urand(bootloader_t) dev_read_sysfs(bootloader_t) -# for reading BIOS data -dev_read_raw_memory(bootloader_t) +# needed on some hardware +dev_rw_nvram(bootloader_t) fs_getattr_xattr_fs(bootloader_t) fs_getattr_tmpfs(bootloader_t) diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index 84a53064..e7bd3fa8 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -1,5 +1,5 @@ -policy_module(consoletype,1.0.1) +policy_module(consoletype,1.0.2) ######################################## # @@ -113,4 +113,5 @@ optional_policy(` kernel_write_xen_state(consoletype_t) xen_append_log(consoletype_t) xen_dontaudit_rw_unix_stream_sockets(consoletype_t) + xen_dontaudit_use_fds(consoletype_t) ') diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te index b875c3f7..36f2154b 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te @@ -1,5 +1,5 @@ -policy_module(firstboot,1.1.3) +policy_module(firstboot,1.1.4) gen_require(` class passwd rootok; 
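Review bot: The replacement comment `# needed on some hardware` above `dev_rw_nvram(bootloader_t)` drops the information the removed comment carried (`# for reading BIOS data`) and names neither the device nor the reason. The `dev_rw_nvram` interface added in devices.if in this same change documents the type as BIOS non-volatile RAM, so `# read/write /dev/nvram (BIOS non-volatile RAM); replaces the broader raw-memory read` would keep the rationale with the rule. Note also that the new grant is read-write where the removed `dev_read_raw_memory` was read-only; if the bootloader only reads, adding a read-only interface alongside `dev_rw_nvram` would be the tighter choice.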
@@ -106,7 +106,7 @@ ifdef(`targeted_policy',` ') optional_policy(` - hal_dbus_send(firstboot_t) + hal_dbus_chat(firstboot_t) ') optional_policy(` diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index c53929bf..7b5c3f44 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -1,5 +1,5 @@ -policy_module(prelink,1.1.5) +policy_module(prelink,1.1.6) ######################################## # @@ -60,6 +60,8 @@ files_read_etc_runtime_files(prelink_t) fs_getattr_xattr_fs(prelink_t) +selinux_get_enforce_mode(prelink_t) + libs_use_ld_so(prelink_t) libs_exec_ld_so(prelink_t) libs_manage_ld_so(prelink_t) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index ee65a1e6..49ebcf15 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,5 +1,5 @@ -policy_module(usermanage,1.3.8) +policy_module(usermanage,1.3.9) ######################################## # @@ -256,7 +256,7 @@ optional_policy(` ') optional_policy(` - nscd_exec(groupadd_t) + nscd_domtrans(groupadd_t) ') optional_policy(` @@ -481,6 +481,7 @@ auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) auth_rw_lastlog(useradd_t) +auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) corecmd_exec_shell(useradd_t) @@ -526,7 +527,7 @@ optional_policy(` ') optional_policy(` - nscd_exec(useradd_t) + nscd_domtrans(useradd_t) ') optional_policy(` diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc index 918774ec..b1e6a5aa 100644 --- a/policy/modules/apps/java.fc +++ b/policy/modules/apps/java.fc 
@@ -8,5 +8,12 @@ # /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) /usr/lib(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te index 0c6045d0..4ba05b8d 100644 --- a/policy/modules/apps/java.te +++ b/policy/modules/apps/java.te @@ -1,5 +1,5 @@ -policy_module(java,1.1.2) +policy_module(java,1.1.3) ######################################## # diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index d4480b2a..4d1b3328 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -63,6 +63,7 @@ template(`mozilla_per_userdomain_template',` allow $1_mozilla_t self:unix_stream_socket { listen accept }; # Browse the web, connect to printer allow $1_mozilla_t self:tcp_socket create_socket_perms; + allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms; # for bash - old mozilla binary can_exec($1_mozilla_t, mozilla_exec_t) @@ -170,6 +171,7 @@ template(`mozilla_per_userdomain_template',` logging_send_syslog_msg($1_mozilla_t) miscfiles_read_fonts($1_mozilla_t) + miscfiles_read_localization($1_mozilla_t) # Browse the web, connect to printer sysnet_dns_name_resolve($1_mozilla_t) diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 5de7b51b..fd9428c5 100644 
--- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -1,5 +1,5 @@ -policy_module(mozilla,1.0.4) +policy_module(mozilla,1.0.5) ######################################## # diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te index 60aa4cf2..dca2001b 100644 --- a/policy/modules/apps/wine.te +++ b/policy/modules/apps/wine.te @@ -1,5 +1,5 @@ -policy_module(wine,1.1.2) +policy_module(wine,1.1.3) ######################################## # @@ -18,7 +18,7 @@ domain_entry_file(wine_t,wine_exec_t) # ifdef(`targeted_policy',` - allow wine_t self:process { execstack execmem }; + allow wine_t self:process { execstack execmem execheap }; unconfined_domain_noaudit(wine_t) files_execmod_all_files(wine_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index bcf84b38..e5101fd8 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -61,6 +61,7 @@ ifdef(`distro_redhat',` /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0) /etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_debian',` diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 5805cd07..3952087d 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.3.12) +policy_module(corecommands,1.3.13) ######################################## # diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index f27cc838..6d978b2a 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.1.13) +policy_module(corenetwork,1.1.14) ######################################## # 
@@ -84,7 +84,7 @@ network_port(gopher, tcp,70,s0, udp,70,s0) network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) -network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) +network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) @@ -100,6 +100,7 @@ network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon +network_port(lmtp, tcp,24,s0, udp,24,s0) network_port(mail, tcp,2000,s0) network_port(monopd, tcp,1234,s0) network_port(mysqld, tcp,3306,s0) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index f8735a47..c2737f8f 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc 
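Review bot: `network_port(lmtp, tcp,24,s0, udp,24,s0)` declares a UDP port for LMTP alongside TCP, but the only consumer in this change, cyrus.te, uses TCP interfaces only (`corenet_tcp_bind_lmtp_port`, `corenet_sendrecv_lmtp_server_packets`), and LMTP runs over a stream transport. Unless something relies on UDP 24, dropping the `udp,24,s0` pair keeps the definition to what is used, in line with `network_port(mail, tcp,2000,s0)` just below; if UDP is deliberate, a trailing comment saying why would settle it.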
@@ -36,7 +36,7 @@ /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -/dev/nvram -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255) +/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,s15:c0.c255) /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index a9b14599..e17a5d57 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -1819,6 +1819,25 @@ interface(`dev_create_null_dev',` allow $1 self:capability mknod; ') +######################################## +## +## Read and write BIOS non-volatile RAM. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_nvram',` + gen_require(` + type nvram_device_t; + ') + + allow $1 device_t:dir search_dir_perms; + allow $1 nvram_device_t:chr_file rw_file_perms; +') + ######################################## ## ## Get the attributes of the printer device nodes. diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 2f5ad4d7..c5575ad3 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices,1.1.18) +policy_module(devices,1.1.19) ######################################## # @@ -105,6 +105,12 @@ dev_node(null_device_t) mls_trusted_object(null_device_t) sid devnull gen_context(system_u:object_r:null_device_t,s0) +# +# Type for /dev/nvram +# +type nvram_device_t; +dev_node(nvram_device_t) + # # Type for /dev/pmu # @@ -166,7 +172,7 @@ type vmware_device_t; dev_node(vmware_device_t) type watchdog_device_t; -dev_node(vmware_device_t) +dev_node(watchdog_device_t) type xen_device_t; dev_node(xen_device_t) 
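Review bot: Relabelling `/dev/nvram` from `memory_device_t` to the new `nvram_device_t` silently revokes access for every domain that previously reached it through the raw-memory interfaces; within this diff only `bootloader_t` receives `dev_rw_nvram`, so any other user of /dev/nvram would now be denied unless it is covered outside the visible hunks. Worth checking callers of the raw-memory interfaces before merging and adding `dev_rw_nvram` where a domain genuinely needs the device. The existing `s15:c0.c255` range is carried over, so the MLS treatment of the node is unchanged by the split.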
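Review bot: The `dev_node(watchdog_device_t)` line in the last devices.te hunk is a genuine correction — the old line registered `vmware_device_t` a second time and left `watchdog_device_t` without whatever `dev_node()` provides — but it is not mentioned in the Changelog hunk of this commit. Since it changes how /dev watchdog nodes are treated by policy, a Changelog line such as `- Fixed dev_node() declaration for watchdog_device_t.` would make the behaviour change discoverable.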
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index a61282da..41236786 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2932,6 +2932,24 @@ interface(`files_search_tmp',` allow $1 tmp_t:dir search_dir_perms; ') +######################################## +## +## Do not audit attempts to search the tmp directory (/tmp). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_search_tmp',` + gen_require(` + type tmp_t; + ') + + dontaudit $1 tmp_t:dir search_dir_perms; +') + ######################################## ## ## Read the tmp directory (/tmp). diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index cf928945..99012618 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files,1.2.13) +policy_module(files,1.2.14) ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index fc3c3354..6f7d4427 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -279,6 +279,42 @@ interface(`kernel_load_module',` typeattribute $1 can_load_kernmodule; ') +######################################## +## +## Allow search the kernel key ring. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_search_key',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:key search; +') + +######################################## +## +## Allow link to the kernel key ring. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_link_key',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:key link; +') + ######################################## ## ## Allows caller to read the ring buffer. diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 84e208db..34b4d1bd 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te 
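Review bot: The summaries of the two new kernel.if interfaces read `Allow search the kernel key ring.` and `Allow link to the kernel key ring.`, which is ungrammatical and out of step with the imperative style of neighbouring summaries (`Allows caller to read the ring buffer.`, `Do not audit attempts to search the tmp directory`). Suggest `Search the kernel keyring.` and `Link keys into the kernel keyring.`. Because `kernel_link_key` grants `link` on `kernel_t` keys, a sentence naming the intended callers would help whoever reviews the first user of it.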
@@ -1,5 +1,5 @@ -policy_module(kernel,1.3.14) +policy_module(kernel,1.3.15) ######################################## # diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 774450ef..5e65156b 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -276,6 +276,24 @@ interface(`term_create_console_dev',` allow $1 self:capability mknod; ') +######################################## +## +## Get the attributes of a pty filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`term_getattr_pty_fs',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:filesystem getattr; +') + ######################################## ## ## Do not audit attempts to get the @@ -330,6 +348,7 @@ interface(`term_dontaudit_search_ptys',` type devpts_t; ') + dev_dontaudit_list_all_dev_nodes($1) dontaudit $1 devpts_t:dir search; ') @@ -1007,4 +1026,3 @@ interface(`term_dontaudit_use_all_user_ttys',` dontaudit $1 ttynode:chr_file { read write }; ') - diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index c2f36395..273d72ec 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -1,5 +1,5 @@ -policy_module(terminal,1.1.5) +policy_module(terminal,1.1.6) ######################################## # diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te index 3dbd868a..1908b925 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -1,5 +1,5 @@ -policy_module(amavis,1.0.6) +policy_module(amavis,1.0.7) ######################################## # 
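Review bot: Adding `dev_dontaudit_list_all_dev_nodes($1)` inside `term_dontaudit_search_ptys` silences directory-listing denials for every device node type, far wider than the pty search the interface name promises, and every existing caller inherits it. Dontaudit rules have a detection cost: a process probing /dev for reasons unrelated to ptys will now do so without leaving an AVC record. If the goal is only to quiet the walk from /dev down to /dev/pts, a search-only dontaudit on the /dev directory is the narrower fit; either way a comment such as `# callers walk /dev to reach /dev/pts; quiet the listing, not the access` should explain the broad rule.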
@@ -62,10 +62,12 @@ allow amavis_t amavis_quarantine_t:sock_file create_file_perms; allow amavis_t amavis_quarantine_t:dir create_dir_perms; # Spool Files +files_search_spool(amavis_t) allow amavis_t amavis_spool_t:dir manage_dir_perms; allow amavis_t amavis_spool_t:file manage_file_perms; allow amavis_t amavis_spool_t:sock_file manage_file_perms; files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file }) +type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t; # tmp files allow amavis_t amavis_tmp_t:file create_file_perms; @@ -116,6 +118,7 @@ corenet_tcp_connect_amavisd_send_port(amavis_t) # bind to incoming port corenet_tcp_bind_amavisd_recv_port(amavis_t) corenet_udp_bind_generic_port(amavis_t) +corenet_tcp_connect_razor_port(amavis_t) dev_read_rand(amavis_t) dev_read_urand(amavis_t) @@ -164,6 +167,10 @@ optional_policy(` dcc_stream_connect_dccifd(amavis_t) ') +optional_policy(` + postfix_read_config(amavis_t) +') + optional_policy(` pyzor_domtrans(amavis_t) ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 2b6db562..c9996e2c 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.3.16) +policy_module(apache,1.3.17) # # NOTES: @@ -271,7 +271,6 @@ seutil_dontaudit_search_config(httpd_t) sysnet_read_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) -userdom_dontaudit_search_sysadm_home_dirs(httpd_t) mta_send_mail(httpd_t) diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index d1d378f3..b40896ac 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -1,5 +1,5 @@ -policy_module(avahi,1.2.4) +policy_module(avahi,1.2.5) ######################################## # @@ -64,6 +64,7 @@ domain_use_interactive_fds(avahi_t) files_read_etc_files(avahi_t) files_read_etc_runtime_files(avahi_t) +files_read_usr_files(avahi_t) init_use_fds(avahi_t) init_use_script_ptys(avahi_t) 
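Review bot: The new `type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;` labels sockets created inside the spool directory as `amavis_var_run_t`, so the `allow amavis_t amavis_spool_t:sock_file manage_file_perms` rule two lines above now only matters for pre-existing spool sockets, and the transition itself needs create permission on `amavis_var_run_t:sock_file`, which is not in this hunk. If that rule lives elsewhere, a comment pointing at it would help: `# sockets created under the spool dir are runtime state: label them amavis_var_run_t (create perms granted with the var_run rules)`. Consider also whether the spool `sock_file` rule can be reduced to the permissions still needed for legacy sockets.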
@@ -76,6 +77,7 @@ libs_use_shared_libs(avahi_t) logging_send_syslog_msg(avahi_t) miscfiles_read_localization(avahi_t) +miscfiles_read_certs(avahi_t) sysnet_read_config(avahi_t) sysnet_use_ldap(avahi_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index 24727322..02fdd40e 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -1,5 +1,5 @@ -policy_module(bind,1.1.8) +policy_module(bind,1.1.9) ######################################## # @@ -218,6 +218,7 @@ allow ndc_t self:tcp_socket create_socket_perms; allow ndc_t self:netlink_route_socket r_netlink_socket_perms; allow ndc_t dnssec_t:file { getattr read }; +allow ndc_t dnssec_t:lnk_file { getattr read }; allow ndc_t named_t:unix_stream_socket connectto; diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te index 256df782..3027ed69 100644 --- a/policy/modules/services/cpucontrol.te +++ b/policy/modules/services/cpucontrol.te @@ -1,5 +1,5 @@ -policy_module(cpucontrol,1.0.1) +policy_module(cpucontrol,1.0.2) ######################################## # @@ -25,7 +25,7 @@ files_pid_file(cpuspeed_var_run_t) # CPU microcode loader local policy # -allow cpucontrol_t self:capability sys_rawio; +allow cpucontrol_t self:capability { ipc_lock sys_rawio }; dontaudit cpucontrol_t self:capability sys_tty_config; allow cpucontrol_t self:process signal_perms; diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index e3b1abcc..3032a639 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if 
@@ -194,13 +194,14 @@ template(`cron_per_userdomain_template',` allow crond_t $1_cron_spool_t:file create_file_perms; # dac_override is to create the file in the directory under /tmp - allow $1_crontab_t self:capability { setuid setgid chown dac_override }; + allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override }; allow $1_crontab_t self:process signal_perms; # create files in /var/spool/cron - allow $1_crontab_t $1_cron_spool_t:file create_file_perms; allow $1_crontab_t cron_spool_t:dir rw_dir_perms; - type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t; + allow $1_crontab_t $1_cron_spool_t:file manage_file_perms; + type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t; + files_search_spool($1_crontab_t) # crontab signals crond by updating the mtime on the spooldir allow $1_crontab_t cron_spool_t:dir setattr; @@ -238,12 +239,16 @@ template(`cron_per_userdomain_template',` # Read user crontabs userdom_read_user_home_content_files($1,$1_crontab_t) - tunable_policy(`fcron_crond', ` + tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator # also crontab does a security check for crontab -u dontaudit $1_crontab_t crond_t:process signal; ') + optional_policy(` + nscd_socket_use($1_crontab_t) + ') + ifdef(`TODO',` allow $1_crond_t tmp_t:dir rw_dir_perms; type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t; diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 3ee3cf3a..05c3ceaa 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.3.10) +policy_module(cron,1.3.11) gen_require(` class passwd rootok; 
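Review bot: `fowner` is added to `allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };` while the comment above still explains only `dac_override`, so the next reader has no reason for the new capability; `# fowner: <why crontab needs it> — TODO confirm` alongside the existing comment would fix that. The corrected `type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;` now keys on the parent directory type, which is what makes per-user spool labelling actually happen (the removed rule keyed on `$1_cron_spool_t` itself and transitioned to the same type, a no-op), so it changes the labels written under /var/spool/cron and deserves a Changelog line. The template continues past the hunk.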
@@ -138,6 +138,8 @@ userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_all_users_home_dirs(crond_t) +mta_send_mail(crond_t) + ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. @@ -173,8 +175,6 @@ ifdef(`targeted_policy',` allow crond_t crond_tmp_t:dir create_dir_perms; allow crond_t crond_tmp_t:file create_file_perms; files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) - - mta_send_mail(crond_t) ') tunable_policy(`fcron_crond', ` @@ -341,8 +341,6 @@ ifdef(`targeted_policy',` seutil_read_config(system_crond_t) - mta_send_mail(system_crond_t) - ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 15fe7acf..e879d56a 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.3.11) +policy_module(cups,1.3.12) ######################################## # 
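Review bot: Moving `mta_send_mail(crond_t)` out of the `targeted_policy` block makes the cron daemon itself able to execute the MTA in every policy variant, where before only the targeted build allowed it, and the new line has no comment explaining why the daemon rather than the job domains needs this. Suggest `# crond mails job output itself; needed in all policy variants — TODO confirm`. The third hunk (-341) also removes `mta_send_mail(system_crond_t)` from the targeted block; whether `system_crond_t` keeps that ability depends on rules outside the visible hunks, so it is worth confirming before merge.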
@@ -74,13 +74,14 @@ files_pid_file(ptal_var_run_t) # # /usr/lib/cups/backend/serial needs sys_admin(?!) -allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write }; +allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config audit_write }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; allow cupsd_t self:process { setsched signal_perms }; allow cupsd_t self:fifo_file rw_file_perms; allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow cupsd_t self:unix_dgram_socket create_socket_perms; allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow cupsd_t self:netlink_selinux_socket create_socket_perms; allow cupsd_t self:netlink_route_socket r_netlink_socket_perms; allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; @@ -152,6 +153,8 @@ dev_read_urand(cupsd_t) dev_read_sysfs(cupsd_t) dev_read_usbfs(cupsd_t) +domain_read_all_domains_state(cupsd_t) + fs_getattr_all_fs(cupsd_t) fs_search_auto_mountpoints(cupsd_t) # from old usercanread attrib: @@ -186,6 +189,8 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) +selinux_compute_access_vector(cupsd_t) + init_use_fds(cupsd_t) init_use_script_ptys(cupsd_t) init_exec_script_files(cupsd_t) @@ -201,7 +206,7 @@ miscfiles_read_localization(cupsd_t) # invoking ghostscript needs to read fonts miscfiles_read_fonts(cupsd_t) -seutil_dontaudit_read_config(cupsd_t) +seutil_read_config(cupsd_t) sysnet_read_config(cupsd_t) @@ -219,7 +224,7 @@ ifdef(`targeted_policy',` init_stream_connect_script(cupsd_t) - unconfined_read_pipes(cupsd_t) + unconfined_rw_pipes(cupsd_t) optional_policy(` init_dbus_chat_script(cupsd_t) 
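Review bot: The rewritten `allow cupsd_t self:capability { ... }` line adds `sys_resource` but still lists `dac_override` twice (after `sys_admin` and again after `chown`), a leftover worth cleaning while the line is being touched. Neither the added capability nor the new `allow cupsd_t self:netlink_selinux_socket create_socket_perms;` has a comment; the latter is presumably for policy-reload and enforcing-mode notifications as dbus.te documents for its own rule, and `# sys_resource: <reason>` plus `# netlink_selinux_socket: receive policy-change notifications — confirm` would record both.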
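Review bot: `domain_read_all_domains_state(cupsd_t)` grants a network-facing daemon read access to the /proc state of every domain on the system, a wide grant for a print spooler that appears without justification. Together with `selinux_compute_access_vector(cupsd_t)` a few hunks later it looks like client-context handling for labelled printing, but that is a guess from the rules alone. If the need is limited to the peer's context or one specific domain's state, the narrower interface is preferable; otherwise a comment such as `# labeled printing: cupsd inspects client process state — TODO confirm` should sit above the rule.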
@@ -230,6 +235,10 @@ ifdef(`targeted_policy',` ') ') +optional_policy(` + apm_domtrans_client(cupsd_t) +') + optional_policy(` cron_system_entry(cupsd_t, cupsd_exec_t) ') @@ -253,6 +262,10 @@ optional_policy(` inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t) ') +optional_policy(` + logrotate_domtrans(cupsd_t) +') + optional_policy(` nscd_socket_use(cupsd_t) ') @@ -397,7 +410,7 @@ ifdef(`distro_redhat',` ') ') -ifdef(`targeted_policy', ` +ifdef(`targeted_policy',` files_dontaudit_read_root_files(cupsd_config_t) term_dontaudit_use_unallocated_ttys(cupsd_config_t) @@ -588,6 +601,7 @@ dev_rw_printer(hplip_t) dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) +dev_read_usbfs(hplip_t) fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te index 6199142f..de78a50e 100644 --- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -1,5 +1,5 @@ -policy_module(cyrus,1.1.4) +policy_module(cyrus,1.1.5) ######################################## # @@ -69,10 +69,12 @@ corenet_tcp_sendrecv_all_ports(cyrus_t) corenet_udp_sendrecv_all_ports(cyrus_t) corenet_tcp_bind_all_nodes(cyrus_t) corenet_tcp_bind_mail_port(cyrus_t) +corenet_tcp_bind_lmtp_port(cyrus_t) corenet_tcp_bind_pop_port(cyrus_t) corenet_tcp_connect_all_ports(cyrus_t) corenet_sendrecv_mail_server_packets(cyrus_t) corenet_sendrecv_pop_server_packets(cyrus_t) +corenet_sendrecv_lmtp_server_packets(cyrus_t) corenet_sendrecv_all_client_packets(cyrus_t) dev_read_rand(cyrus_t) @@ -139,6 +141,10 @@ optional_policy(` seutil_sigchld_newrole(cyrus_t) ') +optional_policy(` + snmp_read_snmp_var_lib_files(cyrus_t) +') + optional_policy(` udev_read_db(cyrus_t) ') diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index f134efa7..605f2537 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if 
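Review bot: `logrotate_domtrans(cupsd_t)` lets the print spooler transition into `logrotate_t`, a domain that typically manages logs system-wide and runs post-rotate scripts, which is a large privilege step for a network-exposed daemon and is added without comment; `apm_domtrans_client(cupsd_t)` in the hunk above is similarly unexplained. If cupsd only needs to rotate its own logs, doing that in its own domain over its own log type would be tighter; if the transition is genuinely required, `# cupsd invokes logrotate for <reason> — TODO confirm` should record why.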
@@ -139,6 +139,8 @@ template(`dbus_per_userdomain_template',` files_read_usr_files($1_dbusd_t) files_dontaudit_search_var($1_dbusd_t) + auth_read_pam_console_data($1_dbusd_t) + libs_use_ld_so($1_dbusd_t) libs_use_shared_libs($1_dbusd_t) @@ -160,7 +162,7 @@ template(`dbus_per_userdomain_template',` ') optional_policy(` - auth_read_pam_console_data($1_dbusd_t) + hal_dbus_chat($1_dbusd_t) ') optional_policy(` diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index a20b9f20..5f47c5f7 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -1,5 +1,5 @@ -policy_module(dbus,1.2.7) +policy_module(dbus,1.2.8) gen_require(` class dbus { send_msg acquire_svc }; @@ -38,6 +38,7 @@ allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; allow system_dbusd_t self:unix_dgram_socket create_socket_perms; allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms; # Receive notifications of policy reloads and enforcing status changes. allow system_dbusd_t self:netlink_selinux_socket { create bind read }; @@ -102,6 +103,7 @@ libs_use_shared_libs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) miscfiles_read_localization(system_dbusd_t) +miscfiles_read_certs(system_dbusd_t) seutil_read_config(system_dbusd_t) seutil_read_default_contexts(system_dbusd_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index dca87b9b..6b914fb4 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -1,5 +1,5 @@ -policy_module(dovecot,1.2.5) +policy_module(dovecot,1.2.6) ######################################## # 
@@ -193,6 +193,8 @@ miscfiles_read_localization(dovecot_auth_t) seutil_dontaudit_search_config(dovecot_auth_t) +sysnet_dns_name_resolve(dovecot_auth_t) + optional_policy(` kerberos_use(dovecot_auth_t) ') diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te index d5312191..f27fb242 100644 --- a/policy/modules/services/inn.te +++ b/policy/modules/services/inn.te @@ -1,5 +1,5 @@ -policy_module(inn,1.1.3) +policy_module(inn,1.1.4) ######################################## # @@ -36,6 +36,7 @@ allow innd_t self:unix_dgram_socket { sendto create_socket_perms }; allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow innd_t self:tcp_socket create_stream_socket_perms; allow innd_t self:udp_socket create_socket_perms; +allow innd_t self:netlink_route_socket r_netlink_socket_perms; allow innd_t innd_etc_t:file r_file_perms; allow innd_t innd_etc_t:dir r_dir_perms; diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc index d19d68ba..3bd68bb5 100644 --- a/policy/modules/services/mta.fc +++ b/policy/modules/services/mta.fc @@ -2,6 +2,8 @@ /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) +/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) +/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) ifdef(`distro_redhat',` /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) ') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index d4da5cba..49660817 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -1,5 +1,5 @@ -policy_module(mta,1.3.8) +policy_module(mta,1.3.9) ######################################## # diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index 512ce2de..dcdafd6e 100644 
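Review bot: The new `/etc/mail/aliases` and `/etc/mail/aliases\.db` entries are meant to override the broader `/etc/mail(/.*)?` rule just above them (etc_mail_t → etc_aliases_t); this relies on file-context specificity ordering, and nothing on the page records that intent. A comment such as `# aliases under /etc/mail take the aliases type, not etc_mail_t` would protect the override from a later reorder or merge. The `netlink_route_socket` grant for innd_t in the preceding hunk likewise lacks a note on what needs it.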
--- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -1,5 +1,5 @@ -policy_module(openvpn,1.0.3) +policy_module(openvpn,1.0.4) ######################################## # @@ -33,7 +33,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow openvpn_t self:udp_socket create_socket_perms; allow openvpn_t self:tcp_socket create_socket_perms; -allow openvpn_t self:netlink_route_socket r_netlink_socket_perms; +allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; allow openvpn_t openvpn_etc_t:dir r_dir_perms; allow openvpn_t openvpn_etc_t:file r_file_perms; diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 1d7691e2..9f574d29 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -1,5 +1,5 @@ -policy_module(postfix,1.2.11) +policy_module(postfix,1.2.12) ######################################## # @@ -251,6 +251,8 @@ allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms; allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms; +corecmd_exec_bin(postfix_cleanup_t) + ######################################## # # Postfix local local policy @@ -284,6 +286,10 @@ mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) +optional_policy(` + clamav_search_lib(postfix_local_t) +') + optional_policy(` # for postalias mailman_manage_data_files(postfix_local_t) @@ -520,6 +526,8 @@ allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search }; allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr }; allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read }; +corecmd_exec_bin(postfix_qmgr_t) + ######################################## # # Postfix showq local policy 
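Review bot: The change from `r_netlink_socket_perms` to `rw_netlink_socket_perms` on openvpn_t's `netlink_route_socket` lets the daemon send route/address modification messages rather than only dump the table; that is expected for a VPN client installing pushed routes, but it is a widening worth recording next to the rule, e.g. `# openvpn adds tunnel routes/addresses (nlmsg_write)`. Whether the domain also holds the `net_admin` capability this requires is outside the hunk.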
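Review bot: `corecmd_exec_bin(postfix_cleanup_t)` and `corecmd_exec_bin(postfix_qmgr_t)` (and `corecmd_exec_bin(postfix_smtpd_t)` in the next hunk) grant execution of every bin_t binary inside the daemon's own domain, with no comment naming the helper that prompted them. For smtpd in particular, which handles unauthenticated network input, a dedicated domain transition for the specific helper would be the narrower fix; if the generic rule is intended, a comment such as `# runs <helper — TODO name it>` should say which program is executed so the grant can be revisited.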
@@ -578,6 +586,8 @@ allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_p allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms; +corecmd_exec_bin(postfix_smtpd_t) + # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) mta_read_aliases(postfix_smtpd_t) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index d37997f4..6e8c9bb6 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -1,5 +1,5 @@ -policy_module(postgresql,1.1.3) +policy_module(postgresql,1.1.4) ################################# # @@ -134,6 +134,7 @@ miscfiles_read_localization(postgresql_t) seutil_dontaudit_search_config(postgresql_t) sysnet_read_config(postgresql_t) +sysnet_use_ldap(postgresql_t) userdom_dontaudit_search_sysadm_home_dirs(postgresql_t) userdom_dontaudit_use_sysadm_ttys(postgresql_t) diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index 1def5654..43c39d3e 100644 --- a/policy/modules/services/radius.te +++ b/policy/modules/services/radius.te @@ -1,5 +1,5 @@ -policy_module(radius,1.1.3) +policy_module(radius,1.1.4) ######################################## # @@ -31,7 +31,7 @@ files_pid_file(radiusd_var_run_t) # gzip also needs chown access to preserve GID for radwtmp files allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process setsched; +allow radiusd_t self:process { setsched signal }; allow radiusd_t self:fifo_file rw_file_perms; allow radiusd_t self:unix_stream_socket create_stream_socket_perms; allow radiusd_t self:tcp_socket create_stream_socket_perms; diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index 510d5f58..9f76d615 100644 --- a/policy/modules/services/rpc.if 
+++ b/policy/modules/services/rpc.if @@ -51,6 +51,8 @@ template(`rpc_domain_template', ` kernel_rw_rpc_sysctls($1_t) dev_read_sysfs($1_t) + dev_read_urand($1_t) + dev_read_rand($1_t) corenet_non_ipsec_sendrecv($1_t) corenet_tcp_sendrecv_all_if($1_t) diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index 22cb0adf..b0525908 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -1,5 +1,5 @@ -policy_module(rpc,1.2.11) +policy_module(rpc,1.2.12) ######################################## # @@ -48,9 +48,6 @@ kernel_search_network_state(rpcd_t) # for rpc.rquotad kernel_read_sysctl(rpcd_t) -dev_read_urand(rpcd_t) -dev_read_rand(rpcd_t) - fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) fs_read_rpc_symlinks(rpcd_t) @@ -129,8 +126,6 @@ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) -dev_read_urand(gssd_t) - fs_list_rpc(gssd_t) fs_read_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 0a4cca7d..961a0002 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -1,5 +1,5 @@ -policy_module(samba,1.2.9) +policy_module(samba,1.2.10) ################################# # @@ -171,7 +171,7 @@ optional_policy(` # # smbd Local policy # -allow smbd_t self:capability { setgid setuid sys_resource lease dac_override dac_read_search }; +allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; 
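Review bot: The two rpc.te removal hunks drop `dev_read_urand`/`dev_read_rand` from rpcd_t and gssd_t in favour of the versions added to `rpc_domain_template` in rpc.if; that only preserves access if both domains are instantiated through that template, which is not visible in this chunk and is worth confirming before merge. Note the net effect also differs slightly: gssd_t previously had only `dev_read_urand(gssd_t)` and now gains `dev_read_rand` as well.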
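Review bot: `fowner` is added to smbd_t's capability set without a comment; it bypasses the file-owner check for mode/timestamp changes on any file the domain can already reach, so the trigger should be recorded, e.g. `# fowner: smbd changes modes/times on share files owned by other users — TODO confirm`. If the need is limited to a specific share type, that would be the place to say so.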
@@ -191,7 +191,7 @@ allow smbd_t self:netlink_route_socket r_netlink_socket_perms; allow smbd_t samba_etc_t:dir rw_dir_perms; allow smbd_t samba_etc_t:file { rw_file_perms setattr }; -allow smbd_t samba_log_t:dir { ra_dir_perms setattr }; +allow smbd_t samba_log_t:dir { create ra_dir_perms setattr }; dontaudit smbd_t samba_log_t:dir remove_name; allow smbd_t samba_log_t:file { create ra_file_perms }; @@ -359,7 +359,7 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file) allow nmbd_t samba_etc_t:dir { search getattr }; allow nmbd_t samba_etc_t:file { getattr read }; -allow nmbd_t samba_log_t:dir { ra_dir_perms setattr }; +allow nmbd_t samba_log_t:dir { create ra_dir_perms setattr }; allow nmbd_t samba_log_t:file { create ra_file_perms }; allow nmbd_t samba_var_t:dir rw_dir_perms; @@ -638,8 +638,8 @@ allow winbind_t samba_secrets_t:file create_file_perms; allow winbind_t samba_etc_t:dir rw_dir_perms; type_transition winbind_t samba_etc_t:file samba_secrets_t; -allow winbind_t samba_log_t:dir rw_dir_perms; -allow winbind_t samba_log_t:file create_file_perms; +allow winbind_t samba_log_t:dir manage_dir_perms; +allow winbind_t samba_log_t:file manage_file_perms; allow winbind_t samba_log_t:lnk_file create_lnk_perms; allow winbind_t samba_var_t:dir rw_dir_perms; diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 31f15ca6..5367cd32 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -1,5 +1,5 @@ -policy_module(spamassassin,1.3.10) +policy_module(spamassassin,1.3.11) ######################################## # @@ -169,6 +169,10 @@ optional_policy(` nis_use_ypbind(spamd_t) ') +optional_policy(` + postfix_read_config(spamd_t) +') + optional_policy(` postgresql_stream_connect(spamd_t) ') diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index eb8bd962..5d38434a 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te 
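Review bot: `manage_dir_perms`/`manage_file_perms` on `samba_log_t` for winbind_t include unlink and rename, so the daemon can now remove its own log files, whereas the smbd and nmbd lines in the same change stay at `{ create ra_dir_perms setattr }` / `{ create ra_file_perms }` (create plus append). If winbind only needs to create and append to its logs, `allow winbind_t samba_log_t:file { create ra_file_perms };` in the smbd/nmbd form keeps log integrity; if rotation or deletion by winbind is genuinely required, a comment should say so.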
@@ -1,5 +1,5 @@ -policy_module(squid,1.1.5) +policy_module(squid,1.1.6) ######################################## # @@ -28,9 +28,9 @@ files_pid_file(squid_var_run_t) # Local policy # -allow squid_t self:capability { setgid setuid dac_override }; +allow squid_t self:capability { setgid setuid dac_override sys_resource }; dontaudit squid_t self:capability sys_tty_config; -allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow squid_t self:fifo_file rw_file_perms; allow squid_t self:sock_file r_file_perms; allow squid_t self:fd use; diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te index 21ac35ae..ae5e8b08 100644 --- a/policy/modules/services/sysstat.te +++ b/policy/modules/services/sysstat.te @@ -1,5 +1,5 @@ -policy_module(sysstat,1.0.0) +policy_module(sysstat,1.0.1) ######################################## # @@ -50,6 +50,7 @@ files_read_etc_files(sysstat_t) fs_getattr_xattr_fs(sysstat_t) term_use_console(sysstat_t) +term_use_all_terms(sysstat_t) init_use_fds(sysstat_t) init_use_script_ptys(sysstat_t) @@ -57,6 +58,8 @@ init_use_script_ptys(sysstat_t) libs_use_ld_so(sysstat_t) libs_use_shared_libs(sysstat_t) +locallogin_use_fds(sysstat_t) + miscfiles_read_localization(sysstat_t) userdom_dontaudit_list_sysadm_home_dirs(sysstat_t) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 1f592c67..aefc9e21 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -109,7 +109,7 @@ template(`xserver_common_domain_template',` corenet_sendrecv_xserver_server_packets($1_xserver_t) corenet_sendrecv_all_client_packets($1_xserver_t) - dev_read_sysfs($1_xserver_t) + dev_rw_sysfs($1_xserver_t) dev_rw_mouse($1_xserver_t) dev_rw_mtrr($1_xserver_t) dev_rw_apm_bios($1_xserver_t) 
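Review bot: Adding `sys_resource` and removing `setrlimit` from the `~{ ... }` complement together let squid_t raise its own hard resource limits, and the hunk carries no comment on why; suggest `# squid raises its descriptor limit at startup — TODO confirm` above the capability line. Separately, `term_use_all_terms(sysstat_t)` in the sysstat hunk is a broad grant on top of the existing `term_use_console`; if one specific terminal type triggered the denial, a narrower term_ interface would be preferable.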
@@ -120,7 +120,7 @@ template(`xserver_common_domain_template',`
 dev_setattr_generic_dirs($1_xserver_t)
 # raw memory access is needed if not using the frame buffer
 dev_read_raw_memory($1_xserver_t)
- dev_write_raw_memory($1_xserver_t)
+ dev_wx_raw_memory($1_xserver_t)
 # for other device nodes such as the NVidia binary-only driver
 dev_rw_xserver_misc($1_xserver_t)
 # read events - the synaptics touchpad driver reads raw events
@@ -159,6 +159,10 @@ template(`xserver_common_domain_template',`
 
 sysnet_read_config($1_xserver_t)
 
+ optional_policy(`
+ apm_stream_connect($1_xserver_t)
+ ')
+
 optional_policy(`
 auth_search_pam_console_data($1_xserver_t)
 ')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index dacc624f..5121a2b8 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,1.1.13)
+policy_module(xserver,1.1.14)
 
 ########################################
 #
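Review bot: `dev_wx_raw_memory($1_xserver_t)` replaces write-only with write-plus-execute access to the raw memory device for every X server domain this template creates, which means a compromised X server could map physical memory executable; the existing comment only explains the read/write need. Extend it so the widening is traceable, e.g. `# raw memory access is needed if not using the frame buffer; execute mapping is for <reason — TODO confirm>`. The template body continues outside this hunk.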
@@ -81,15 +81,18 @@ optional_policy(`
 #
 
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
 allow xdm_t self:fifo_file rw_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow xdm_t self:netlink_route_socket r_netlink_socket_perms;
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 allow xdm_t self:tcp_socket create_stream_socket_perms;
 allow xdm_t self:udp_socket create_socket_perms;
-allow xdm_t self:key write;
+allow xdm_t self:socket create_socket_perms;
+allow xdm_t self:appletalk_socket create_socket_perms;
+allow xdm_t self:key { search link write };
 
 # Supress permission check on .ICE-unix
 dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
@@ -106,6 +109,8 @@ allow xdm_t xdm_rw_etc_t:file create_file_perms;
 
 kernel_read_system_state(xdm_t)
 kernel_read_kernel_sysctls(xdm_t)
+kernel_read_net_sysctls(xdm_t)
+kernel_read_network_state(xdm_t)
 
 corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
@@ -154,6 +159,7 @@ domain_use_interactive_fds(xdm_t)
 domain_dontaudit_read_all_domains_state(xdm_t)
 
 files_read_etc_files(xdm_t)
+files_read_var_files(xdm_t)
 files_read_etc_runtime_files(xdm_t)
 files_exec_etc_files(xdm_t)
 files_list_mnt(xdm_t)
@@ -180,6 +186,8 @@ term_setattr_unallocated_ttys(xdm_t)
 
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
+auth_rw_faillog(xdm_t)
+auth_write_login_records(xdm_t)
 
 init_use_script_ptys(xdm_t)
 # Run telinit->init to shutdown.
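Review bot: `allow xdm_t self:socket create_socket_perms;` and `allow xdm_t self:appletalk_socket create_socket_perms;` grant the display manager creation of generic-family and AppleTalk sockets with no comment; the generic `socket` class covers every address family that has no dedicated class, so this is wider than it reads. If the denials came from a library probing address families rather than from real use, a `dontaudit` on those two classes silences the noise without granting them; otherwise a comment should name the consumer. `auth_write_login_records(xdm_t)` and `auth_rw_faillog(xdm_t)` are consistent with a login manager and need only a short `# wtmp/faillog updates on login` note.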
@@ -257,7 +265,7 @@ ifdef(`strict_policy',` allow xdm_t xdm_xserver_tmp_t:sock_file unlink; allow xdm_t xdm_xserver_tmp_t:file unlink; - allow xdm_t xserver_log_t:dir { rw_dir_perms setattr }; + allow xdm_t xserver_log_t:dir manage_dir_perms; allow xdm_t xserver_log_t:file manage_file_perms; allow xdm_t xserver_log_t:fifo_file manage_file_perms; logging_log_filetrans(xdm_t,xserver_log_t,file) diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 1b0376da..769abdc4 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.3.12) +policy_module(authlogin,1.3.13) ######################################## # @@ -215,6 +215,7 @@ libs_use_shared_libs(pam_console_t) logging_send_syslog_msg(pam_console_t) miscfiles_read_localization(pam_console_t) +miscfiles_read_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te index dbe028b0..8c5271ed 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te @@ -1,5 +1,5 @@ -policy_module(hostname,1.2.0) +policy_module(hostname,1.2.1) ######################################## # @@ -56,6 +56,6 @@ miscfiles_read_localization(hostname_t) sysnet_read_config(hostname_t) sysnet_dns_name_resolve(hostname_t) - - - +optional_policy(` + xen_dontaudit_use_fds(hostname_t) +') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index 7c2b112d..76cf6f77 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc 
@@ -110,7 +110,6 @@ ifdef(`distro_gentoo',` /usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0) -/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -122,6 +121,8 @@ ifdef(`distro_gentoo',` /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0) /usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -182,6 +183,7 @@ ifdef(`distro_redhat',` /usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/seamonkey.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/thunderbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -213,8 +215,8 @@ ifdef(`distro_redhat',` /usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 01236031..1206d2cb 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -1,5 +1,5 @@ -policy_module(libraries,1.3.11) +policy_module(libraries,1.3.12) ######################################## # diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 0b999f47..7a747b4e 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -1,5 +1,5 @@ -policy_module(locallogin,1.2.5) +policy_module(locallogin,1.2.6) ######################################## # 
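Review bot: Broadening `libavcodec-.*\.so` to `libavcodec.*\.so` (and likewise libavutil) now also labels `libavcodec.so*` itself textrel_shlib_t, which is presumably the intent; since that type lifts the execmod restriction, entries should stay limited to libraries that actually ship text relocations, and a comment naming the package that needs it helps later pruning. The same consideration applies to the `libgtkembedmoz` and `seamonkey` additions in the preceding hunks.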
@@ -47,7 +47,7 @@ allow local_login_t self:shm create_shm_perms; allow local_login_t self:sem create_sem_perms; allow local_login_t self:msgq create_msgq_perms; allow local_login_t self:msg { send receive }; -allow local_login_t self:key write; +allow local_login_t self:key { search write }; allow local_login_t local_login_lock_t:file create_file_perms; files_lock_filetrans(local_login_t,local_login_lock_t,file) @@ -58,6 +58,8 @@ files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir }) kernel_read_system_state(local_login_t) kernel_read_kernel_sysctls(local_login_t) +kernel_search_key(local_login_t) +kernel_link_key(local_login_t) dev_setattr_mouse_dev(local_login_t) dev_getattr_mouse_dev(local_login_t) diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index 553f6ac3..b9d91bfe 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -30,6 +30,8 @@ ifdef(`distro_suse', ` /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s15:c0.c255) +/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) +/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 4efe47f2..62f61004 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if 
@@ -149,6 +149,27 @@ interface(`logging_run_auditd',`
 allow auditd_t $3:chr_file rw_term_perms;
 ')
 
+########################################
+##
+## Connect to auditdstored over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_stream_connect_auditd',`
+ gen_require(`
+ type auditd_t, auditd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 auditd_var_run_t:dir search_dir_perms;
+ allow $1 auditd_var_run_t:sock_file rw_file_perms;
+ allow $1 auditd_t:unix_stream_socket connectto;
+')
+
 ########################################
 ##
 ## Manage the auditd configuration files.
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 195a1a12..ee6a7d24 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.10)
+policy_module(logging,1.3.11)
 
 ########################################
 #
@@ -120,9 +120,10 @@ allow auditd_t auditd_log_t:file create_file_perms;
 allow auditd_t auditd_log_t:lnk_file create_lnk_perms;
 allow auditd_t var_log_t:dir search;
 
-allow auditd_t auditd_var_run_t:file create_file_perms;
+allow auditd_t auditd_var_run_t:sock_file manage_file_perms;
+allow auditd_t auditd_var_run_t:file manage_file_perms;
 allow auditd_t auditd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(auditd_t,auditd_var_run_t,file)
+files_pid_filetrans(auditd_t,auditd_var_run_t,{ file sock_file })
 
 kernel_read_kernel_sysctls(auditd_t)
 # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 0339693e..86feb567 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
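Review bot: The new interface's summary reads `Connect to auditdstored over an unix stream socket.` — `auditdstored` looks like a copy/paste slip and should be `Connect to auditd over a unix stream socket.`. Because the interface hands the caller a channel to the audit daemon's socket, the summary should also state which clients it is intended for, so it is not picked up as a convenience grant by unrelated domains. The XML summary/param tags appear stripped in this rendering; verify they are intact in the file, since the interface docs are generated from them.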
@@ -85,6 +85,6 @@ # # /var # -/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) - /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) +/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) +/var/run/multipathd.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index 5c4a37d8..114e1d8f 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -1,5 +1,5 @@ -policy_module(lvm,1.3.5) +policy_module(lvm,1.3.6) ######################################## # @@ -133,6 +133,7 @@ allow lvm_t self:process setsched; allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file rw_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; +allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; allow lvm_t lvm_tmp_t:dir create_dir_perms; allow lvm_t lvm_tmp_t:file create_file_perms; @@ -150,9 +151,10 @@ allow lvm_t lvm_lock_t:dir rw_dir_perms; allow lvm_t lvm_lock_t:file create_file_perms; files_lock_filetrans(lvm_t,lvm_lock_t,file) -allow lvm_t lvm_var_run_t:file create_file_perms; -allow lvm_t lvm_var_run_t:dir create_dir_perms; -files_pid_filetrans(lvm_t,lvm_var_run_t,file) +allow lvm_t lvm_var_run_t:file manage_file_perms; +allow lvm_t lvm_var_run_t:sock_file manage_file_perms; +allow lvm_t lvm_var_run_t:dir manage_dir_perms; +files_pid_filetrans(lvm_t,lvm_var_run_t,{ file sock_file }) allow lvm_t lvm_etc_t:file r_file_perms; allow lvm_t lvm_etc_t:lnk_file r_file_perms; diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc index 7f4bdcd2..fb19fce2 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -8,6 +8,7 @@ ifdef(`distro_gentoo',` # # /etc # +/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) 
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 7838a107..0c934e19 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -114,6 +114,26 @@ interface(`miscfiles_read_localization',`
 libs_read_lib_files($1)
 ')
 
+########################################
+##
+## Allow process to write localization info
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`miscfiles_rw_localization',`
+ gen_require(`
+ type locale_t;
+ ')
+
+ files_search_usr($1)
+ allow $1 locale_t:dir list_dir_perms;
+ allow $1 locale_t:file rw_file_perms;
+')
+
 ########################################
 ##
 ## Allow process to read legacy time localization info
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 7ccd2bc4..5ca7951f 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,5 +1,5 @@
-policy_module(miscfiles,1.0.2)
+policy_module(miscfiles,1.0.3)
 
 ########################################
 #
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 49662515..03a21565 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.3.9)
+policy_module(mount,1.3.10)
 
 ########################################
 #
@@ -80,6 +80,7 @@ files_unmount_all_file_type_fs(mount_t)
 files_read_isid_type_files(mount_t)
 # For reading cert files
 files_read_usr_files(mount_t)
+files_list_mnt(mount_t)
 
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
@@ -97,6 +98,8 @@ mls_file_write_down(mount_t)
 
 sysnet_use_portmap(mount_t)
 
+selinux_get_enforce_mode(mount_t)
+
 userdom_use_all_users_fds(mount_t)
 
 ifdef(`distro_redhat',`
@@ -166,6 +169,10 @@ optional_policy(`
 samba_domtrans_smbmount(mount_t)
 ')
 
+optional_policy(`
+ nscd_socket_use(mount_t)
+')
+
 ########################################
 #
 # Unconfined mount local policy
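Review bot: `miscfiles_rw_localization` gives its caller write access to locale_t files, which every domain using `miscfiles_read_localization` trusts as read-only data, so the summary should say why a domain needs to modify them and which caller this is for (no caller appears in this chunk). The name says `rw` while the summary says only "write"; align them, e.g. `Allow process to read and write localization info`.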
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 2e89f2b4..295ab39a 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.2.12) +policy_module(selinuxutil,1.2.13) ifdef(`strict_policy',` gen_require(` @@ -462,6 +462,10 @@ logging_send_syslog_msg(restorecond_t) miscfiles_read_localization(restorecond_t) +optional_policy(` + rpm_use_script_fds(restorecond_t) +') + optional_policy(` # restorecond watches for users logging in, # so it getspwnam when a user logs in to find his homedir diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 1a6c2885..b6523d73 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -1,5 +1,6 @@ # udev +/dev/\.udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0) /dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0) /dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 1006bf02..7fadd24d 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -1,5 +1,5 @@ -policy_module(udev,1.3.4) +policy_module(udev,1.3.5) ######################################## # diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index 36d1bf31..26df7d59 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -37,6 +37,7 @@ interface(`unconfined_domain_noaudit',` dev_unconfined($1) domain_unconfined($1) domain_dontaudit_read_all_domains_state($1) + domain_dontaudit_ptrace_all_domains($1) files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 790aa311..6920aad4 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te 
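Review bot: `domain_dontaudit_ptrace_all_domains($1)` in `unconfined_domain_noaudit` silences ptrace denials from every unconfined domain against every other domain; whether those attempts are currently denied at all is not visible here, since the neighbouring `domain_unconfined($1)` may already cover ptrace. If they are denied by design, the audit records are a useful signal of a process trying to attach to other domains, and suppressing them removes that detection point; a comment stating what noise this is meant to hide would justify the change. The interface body continues outside the hunk.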
@@ -1,5 +1,5 @@ -policy_module(unconfined,1.3.13) +policy_module(unconfined,1.3.14) ######################################## # @@ -195,4 +195,11 @@ ifdef(`targeted_policy',` ifdef(`targeted_policy',` allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) + + optional_policy(` + dbus_stub(unconfined_execmem_t) + + init_dbus_chat_script(unconfined_execmem_t) + unconfined_dbus_chat(unconfined_execmem_t) + ') ') diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if index bfdc355a..fbc62fa0 100644 --- a/policy/modules/system/xen.if +++ b/policy/modules/system/xen.if @@ -23,6 +23,42 @@ interface(`xen_domtrans',` allow xend_t $1:process sigchld; ') +######################################## +## +## Inherit and use xen file descriptors. +## +## +## +## Domain to not audit. +## +## +# +interface(`xen_use_fds',` + gen_require(` + type xend_t; + ') + + allow $1 xend_t:fd use; +') + +######################################## +## +## Do not audit attempts to inherit +## xen file descriptors. +## +## +## +## Domain to not audit. +## +## +# +interface(`xen_dontaudit_use_fds',` + gen_require(` + type xend_t; + ') + + dontaudit $1 xend_t:fd use; +') ######################################## ## diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 720cfa75..4382e106 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -1,5 +1,5 @@ -policy_module(xen,1.0.8) +policy_module(xen,1.0.9) ######################################## # 
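Review bot: In `xen_use_fds` the parameter description says `Domain to not audit.` although the interface issues an `allow`; it should read `Domain allowed access.` like the other allow-style interfaces on this page, leaving the "not audit" wording to `xen_dontaudit_use_fds`. The closing `')` of `xen_dontaudit_use_fds` is followed directly by the next `########` header with no separating blank line, unlike every other interface here.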
@@ -69,7 +69,9 @@ init_daemon_domain(xm_t, xm_exec_t)
 #
 
 allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
+dontaudit xend_t self:capability { sys_ptrace };
 allow xend_t self:process { signal sigkill };
+dontaudit xend_t self:process ptrace;
 # internal communication is often done using fifo and unix sockets.
 allow xend_t self:fifo_file rw_file_perms;
 allow xend_t self:unix_stream_socket create_stream_socket_perms;
@@ -79,7 +81,7 @@ allow xend_t self:tcp_socket create_stream_socket_perms;
 allow xend_t self:packet_socket create_socket_perms;
 
 allow xend_t xen_image_t:dir r_dir_perms;
-allow xend_t xen_image_t:file r_file_perms;
+allow xend_t xen_image_t:file rw_file_perms;
 
 # pid file
 allow xend_t xend_var_run_t:file manage_file_perms;
@@ -128,8 +130,10 @@ corenet_tcp_sendrecv_all_ports(xend_t)
 corenet_tcp_bind_all_nodes(xend_t)
 corenet_tcp_bind_xen_port(xend_t)
 corenet_tcp_bind_soundd_port(xend_t)
+corenet_tcp_bind_generic_port(xend_t)
 corenet_sendrecv_xen_server_packets(xend_t)
 corenet_sendrecv_soundd_server_packets(xend_t)
+corenet_rw_tun_tap_dev(xend_t)
 
 dev_read_urand(xend_t)
 dev_manage_xen(xend_t)
@@ -138,19 +142,24 @@ dev_rw_sysfs(xend_t)
 
 domain_read_all_domains_state(xend_t)
 domain_dontaudit_read_all_domains_state(xend_t)
+domain_dontaudit_ptrace_all_domains(xend_t)
 
 files_read_etc_files(xend_t)
 files_read_kernel_symbol_table(xend_t)
 files_read_kernel_img(xend_t)
 files_manage_etc_runtime_files(xend_t)
 files_etc_filetrans_etc_runtime(xend_t,file)
+files_read_usr_files(xend_t)
 
 storage_raw_read_fixed_disk(xend_t)
 
-term_dontaudit_getattr_all_user_ptys(xend_t)
-term_dontaudit_use_generic_ptys(xend_t)
+term_getattr_all_user_ptys(xend_t)
+term_use_generic_ptys(xend_t)
+term_use_ptmx(xend_t)
+term_getattr_pty_fs(xend_t)
 
 init_use_fds(xend_t)
+init_use_script_ptys(xend_t)
 
 libs_use_ld_so(xend_t)
 libs_use_shared_libs(xend_t)
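Review bot: `term_getattr_all_user_ptys(xend_t)` and `term_use_generic_ptys(xend_t)` replace the earlier `term_dontaudit_*` forms, so what was a silenced denial becomes real access to user ptys, and `corenet_tcp_bind_generic_port(xend_t)` lets xend listen on any unreserved port; none of these carries a comment. Recording which xend feature drives each (a `# <feature> — TODO confirm` line above the rule) keeps the widening reviewable, and if a single port is needed a dedicated port type is tighter than the generic one. `dontaudit xend_t self:capability { sys_ptrace };` can drop the braces around the single permission, matching `dontaudit xend_t self:process ptrace;` two lines below.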
@@ -195,11 +204,14 @@ kernel_read_kernel_sysctls(xenconsoled_t)
 kernel_write_xen_state(xenconsoled_t)
 kernel_read_xen_state(xenconsoled_t)
 
+domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+
 term_create_pty(xenconsoled_t,xen_devpts_t);
-term_dontaudit_use_generic_ptys(xenconsoled_t)
+term_use_generic_ptys(xenconsoled_t)
 term_use_console(xenconsoled_t)
 
 init_use_fds(xenconsoled_t)
+init_use_script_ptys(xenconsoled_t)
 
 libs_use_ld_so(xenconsoled_t)
 libs_use_shared_libs(xenconsoled_t)
@@ -238,10 +250,11 @@ dev_manage_xen(xenconsoled_t)
 dev_filetrans_xen(xenstored_t)
 dev_rw_xen(xenstored_t)
 
-term_dontaudit_use_generic_ptys(xenstored_t)
-term_dontaudit_use_console(xenconsoled_t)
+term_use_generic_ptys(xenstored_t)
+term_use_console(xenconsoled_t)
 
 init_use_fds(xenstored_t)
+init_use_script_ptys(xenstored_t)
 
 libs_use_ld_so(xenstored_t)
 libs_use_shared_libs(xenstored_t)
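Review bot: In the xenstored block, `term_use_console(xenconsoled_t)` keeps the domain that the removed `term_dontaudit_use_console(xenconsoled_t)` line already named, but every other line in that block targets xenstored_t, and the first hunk shows xenconsoled_t already has `term_use_console(xenconsoled_t)` in its own block — so this looks like a wrong-domain copy that is now a duplicate. If xenstored needs the console, the line should be `term_use_console(xenstored_t)`; if it does not, drop it rather than promote it from dontaudit to allow.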