From bd10e1010b4115ff3cab8888859ef4938160cb70 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 18 Oct 2007 21:09:26 +0000 Subject: [PATCH] - Fix vpn to bind to port 4500 - Allow ssh to create shm - Allow rshd to bind to ports > 1023 --- policy-20070703.patch | 778 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 676 insertions(+), 102 deletions(-) diff --git a/policy-20070703.patch b/policy-20070703.patch index 9ae5d70b..f094ffa7 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -809,7 +809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-10-16 23:47:06.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-10-18 15:52:30.000000000 -0400 @@ -8,31 +8,47 @@ type alsa_t; 
@@ -1117,6 +1117,409 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo - domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t) -') ') dnl end TODO +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.0.8/policy/modules/admin/kismet.fc +--- nsaserefpolicy/policy/modules/admin/kismet.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/admin/kismet.fc 2007-10-18 16:29:35.000000000 -0400 +@@ -0,0 +1,5 @@ ++ ++/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) ++/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0) ++/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) ++/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.0.8/policy/modules/admin/kismet.if +--- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/admin/kismet.if 2007-10-18 16:33:14.000000000 -0400 +@@ -0,0 +1,328 @@ ++ ++## policy for kismet ++ ++######################################## ++## ++## Execute a domain transition to run kismet. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`kismet_domtrans',` ++ gen_require(` ++ type kismet_t; ++ type kismet_exec_t; ++ ') ++ ++ domtrans_pattern($1,kismet_exec_t,kismet_t) ++') ++ ++ ++######################################## ++## ++## Read kismet PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kismet_read_pid_files',` ++ gen_require(` ++ type kismet_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 kismet_var_run_t:file r_file_perms; ++') ++ ++######################################## ++## ++## Manage kismet var_run files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`kismet_manage_var_run',` ++ gen_require(` ++ type kismet_var_run_t; ++ ') ++ ++ manage_dir_perms($1,kismet_var_run_t,kismet_var_run_t) ++ manage_file_perms($1,kismet_var_run_t,kismet_var_run_t) ++ manage_lnk_file_perms($1,kismet_var_run_t,kismet_var_run_t) ++') ++ ++ ++######################################## ++## ++## Search kismet lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kismet_search_lib',` ++ gen_require(` ++ type kismet_var_lib_t; ++ ') ++ ++ allow $1 kismet_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read kismet lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kismet_read_lib_files',` ++ gen_require(` ++ type kismet_var_lib_t; ++ ') ++ ++ allow $1 kismet_var_lib_t:file r_file_perms; ++ allow $1 kismet_var_lib_t:dir list_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## kismet lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kismet_manage_lib_files',` ++ gen_require(` ++ type kismet_var_lib_t; ++ ') ++ ++ allow $1 kismet_var_lib_t:file manage_file_perms; ++ allow $1 kismet_var_lib_t:dir rw_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Manage kismet var_lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kismet_manage_var_lib',` ++ gen_require(` ++ type kismet_var_lib_t; ++ ') ++ ++ manage_dir_perms($1,kismet_var_lib_t,kismet_var_lib_t) ++ manage_file_perms($1,kismet_var_lib_t,kismet_var_lib_t) ++ manage_lnk_file_perms($1,kismet_var_lib_t,kismet_var_lib_t) ++') ++ ++ ++######################################## ++## ++## Allow the specified domain to read kismet's log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`kismet_read_log',` ++ gen_require(` ++ type kismet_log_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 kismet_log_t:dir r_dir_perms; ++ allow $1 kismet_log_t:file { read getattr lock }; ++') ++ ++######################################## ++## ++## Allow the specified domain to manage ++## kismet log files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`kismet_manage_log',` ++ gen_require(` ++ type var_log_t, kismet_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_files_pattern($1, kismet_log_t, kismet_log_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to append ++## kismet log files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`kismet_append_log',` ++ gen_require(` ++ type var_log_t, kismet_log_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 kismet_log_t:dir r_dir_perms; ++ allow $1 kismet_log_t:file { getattr append }; ++') ++ ++######################################## ++## ++## Allow domain to manage kismet log files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kismet_manage_log',` ++ gen_require(` ++ type kismet_log_t; ++ ') ++ ++ manage_dir_perms($1,kismet_log_t,kismet_log_t) ++ manage_file_perms($1,kismet_log_t,kismet_log_t) ++ manage_lnk_file_perms($1,kismet_log_t,kismet_log_t) ++') ++ ++######################################## ++## ++## Execute kismet in the kismet domain, and ++## allow the specified role the kismet domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the kismet domain. ++## ++## ++## ++## ++## The type of the role's terminal. 
++## ++## ++# ++interface(`kismet_run',` ++ gen_require(` ++ type kismet_t; ++ ') ++ ++ kismet_domtrans($1) ++ role $2 types kismet_t; ++ dontaudit kismet_t $3:chr_file rw_term_perms; ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate an kismet environment ++## ++## ++## ++## Prefix of the domain. Example, user would be ++## the prefix for the uder_t domain. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the kismet domain. ++## ++## ++## ++# ++interface(`kismet_admin',` ++ gen_require(` ++ type kismet_t; ++ ') ++ ++ allow $2 kismet_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($2, kismet_t, kismet_t) ++ ++ ++ kismet_manage_var_run($2) ++ ++ kismet_manage_var_lib($2) ++ ++ kismet_manage_log($2) ++ ++') ++ ++######################################## ++## ++## Execute kismet programs in the kismet domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to allow the kismet domain. ++## ++## ++## ++## ++## The type of the terminal allow the kismet domain to use. 
++## ++## ++## ++# ++interface(`kismet_run',` ++ gen_require(` ++ type kismet_t; ++ ') ++ ++ kismet_domtrans($1) ++ role $2 types kismet_t; ++ allow kismet_t $3:chr_file rw_term_perms; ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.0.8/policy/modules/admin/kismet.te +--- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/admin/kismet.te 2007-10-18 16:30:41.000000000 -0400 +@@ -0,0 +1,58 @@ ++policy_module(kismet,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type kismet_t; ++type kismet_exec_t; ++application_domain(kismet_t, kismet_exec_t) ++role system_r types kismet_t; ++ ++ ++type kismet_var_run_t; ++files_pid_file(kismet_var_run_t) ++ ++type kismet_var_lib_t; ++files_type(kismet_var_lib_t) ++ ++type kismet_log_t; ++logging_log_file(kismet_log_t) ++ ++######################################## ++# ++# kismet local policy ++# ++ ++## internal communication is often done using fifo and unix sockets. 
++#============= kismet_t ============== ++allow kismet_t self:capability { setuid setgid }; ++ ++corecmd_exec_bin(kismet_t) ++ ++auth_use_nsswitch(kismet_t) ++ ++allow kismet_t self:fifo_file rw_file_perms; ++allow kismet_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_read_etc_files(kismet_t) ++ ++libs_use_ld_so(kismet_t) ++libs_use_shared_libs(kismet_t) ++ ++miscfiles_read_localization(kismet_t) ++ ++ ++allow kismet_t kismet_var_run_t:file manage_file_perms; ++allow kismet_t kismet_var_run_t:dir manage_dir_perms; ++files_pid_filetrans(kismet_t,kismet_var_run_t, { file dir }) ++ ++allow kismet_t kismet_var_lib_t:file manage_file_perms; ++allow kismet_t kismet_var_lib_t:dir manage_dir_perms; ++files_var_lib_filetrans(kismet_t,kismet_var_lib_t, { file dir }) ++ ++allow kismet_t kismet_log_t:file manage_file_perms; ++allow kismet_t kismet_log_t:dir { rw_dir_perms setattr }; ++logging_log_filetrans(kismet_t,kismet_log_t,{ file dir }) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.8/policy/modules/admin/kudzu.te --- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-08-22 07:14:14.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/admin/kudzu.te 2007-10-03 11:10:24.000000000 -0400 
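Review bot: In the kismet.if added by the -1117 hunk, `kismet_manage_var_run`, `kismet_manage_var_lib` and the second `kismet_manage_log` call `manage_dir_perms`, `manage_file_perms` and `manage_lnk_file_perms` with three arguments, but those names are permission-set macros in refpolicy's support files, not patterns, so m4 expands each line to a bare permission list with the arguments discarded and the module does not compile. Each should be the corresponding pattern, e.g. `manage_dirs_pattern($1, kismet_var_run_t, kismet_var_run_t)`, `manage_files_pattern($1, kismet_var_run_t, kismet_var_run_t)`, `manage_lnk_files_pattern($1, kismet_var_run_t, kismet_var_run_t)`, with the same substitution for the var_lib and log variants. `kismet_manage_log` and `kismet_run` are each defined twice with different bodies (the two `kismet_run` definitions disagree on `dontaudit` versus `allow` for the `$3:chr_file rw_term_perms` rule); keep one of each, since which definition wins depends on the build. The `kismet_manage_log(tmpreaper_t)` call in the tmpreaper hunk that follows and the `kismet_admin` interface both depend on the surviving definition. The parameter descriptions under `kismet_manage_log` ("Domain to not audit") and `kismet_append_log` ("Domain allowed to transition") do not describe what those interfaces grant.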
@@ -1709,6 +2112,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ifdef(`TODO',` allow $1_su_t $1_home_t:file manage_file_perms; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.0.8/policy/modules/admin/tmpreaper.te +--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-08-22 07:14:14.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/tmpreaper.te 2007-10-18 16:33:45.000000000 -0400 +@@ -43,5 +43,10 @@ + cron_system_entry(tmpreaper_t,tmpreaper_exec_t) + + optional_policy(` ++ kismet_manage_log(tmpreaper_t) ++') ++ ++optional_policy(` + lpd_manage_spool(tmpreaper_t) + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.0.8/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2007-09-12 10:34:51.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/admin/usermanage.if 2007-10-03 11:10:24.000000000 -0400 @@ -1833,7 +2250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.0.8/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2007-07-25 10:37:43.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/vpn.te 2007-10-17 10:38:01.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/vpn.te 2007-10-18 13:19:26.000000000 -0400 @@ -22,7 +22,7 @@ # Local policy # 
@@ -1854,7 +2271,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
-@@ -96,7 +97,7 @@
+@@ -59,6 +60,7 @@
+ corenet_udp_bind_all_nodes(vpnc_t)
+ corenet_udp_bind_generic_port(vpnc_t)
+ corenet_udp_bind_isakmp_port(vpnc_t)
++corenet_udp_bind_ipsecnat_port(vpnc_t)
+ corenet_tcp_connect_all_ports(vpnc_t)
+ corenet_sendrecv_all_client_packets(vpnc_t)
+ corenet_sendrecv_isakmp_server_packets(vpnc_t)
+@@ -96,7 +98,7 @@
seutil_dontaudit_search_config(vpnc_t)
seutil_use_newrole_fds(vpnc_t)
@@ -3224,7 +3649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-06-19 16:23:34.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.if 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.if 2007-10-17 16:56:01.000000000 -0400
@@ -45,6 +45,11 @@
# start with basic domain
domain_base_type($1)
@@ -3330,7 +3755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-10-11 14:49:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-10-18 16:47:15.000000000 -0400
@@ -343,8 +343,7 @@
########################################
@@ -3460,7 +3885,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## List the contents of the root directory. ## ## -@@ -3107,6 +3105,24 @@ +@@ -2023,6 +2021,31 @@ + + ######################################## + ## ++## Create a default directory in / ++## ++## ++##

++## Create a default_t direcrory in / ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_create_default_dir',` ++ gen_require(` ++ type root_t, default_t; ++ ') ++ ++ allow $1 default_t:dir create; ++ filetrans_pattern($1,root_t,default_t,dir) ++') ++ ++######################################## ++## + ## Read files in /etc that are dynamically + ## created on boot, such as mtab. + ## +@@ -3107,6 +3130,24 @@ ######################################## ## @@ -3485,7 +3942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3198,6 +3214,44 @@ +@@ -3198,6 +3239,44 @@ ######################################## ## @@ -3530,7 +3987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Read all tmp files. ## ## -@@ -3323,6 +3377,42 @@ +@@ -3323,6 +3402,42 @@ ######################################## ## @@ -3573,7 +4030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Get the attributes of files in /usr. ## ## -@@ -3381,7 +3471,7 @@ +@@ -3381,7 +3496,7 @@ ######################################## ## @@ -3582,7 +4039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## ## ## -@@ -3389,17 +3479,17 @@ +@@ -3389,17 +3504,17 @@ ## ## # @@ -3603,7 +4060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## ## ## -@@ -3407,12 +3497,12 @@ +@@ -3407,12 +3522,12 @@ ## ## # @@ -3618,7 +4075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4043,7 +4133,7 @@ +@@ -4043,7 +4158,7 @@ type var_t, var_lock_t; ') @@ -3627,7 +4084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4560,6 +4650,8 @@ +@@ -4560,6 +4675,8 @@ # Need to give access to /selinux/member selinux_compute_member($1) 
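Review bot: `files_create_default_dir` in the -3460 hunk grants more than its summary states: `filetrans_pattern($1,root_t,default_t,dir)` expands, as that pattern is defined in refpolicy, to `allow $1 root_t:dir rw_dir_perms` plus the type_transition, so every caller can also add and remove arbitrary entries directly under `/`, not merely create one default_t directory. If only creation is wanted, replace the pattern with `allow $1 root_t:dir { search write add_name };` and a plain `type_transition $1 root_t:dir default_t;`; if the wider access is intended, say so in the interface description. The description also repeats the summary and has a typo, `direcrory`. The remaining hunks on this line only renumber inner hunk headers.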
@@ -3636,7 +4093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # Need sys_admin capability for mounting allow $1 self:capability { chown fsetid sys_admin }; -@@ -4582,6 +4674,11 @@ +@@ -4582,6 +4699,11 @@ # Default type for mountpoints allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -3648,7 +4105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4619,3 +4716,28 @@ +@@ -4619,3 +4741,28 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') @@ -3707,7 +4164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-12 11:58:32.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-18 10:20:56.000000000 -0400 @@ -271,45 +271,6 @@ ######################################## 
@@ -5133,9 +5590,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.0.8/policy/modules/services/apcupsd.if +--- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-09-12 10:34:50.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/apcupsd.if 2007-10-18 09:23:16.000000000 -0400 +@@ -90,10 +90,29 @@ + ## + ## + # +-interface(`httpd_apcupsd_cgi_script_domtrans',` ++interface(`apcupsd_cgi_script_domtrans',` + gen_require(` + type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; + ') + + domtrans_pattern($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t) + ') ++ ++######################################## ++## ++## Read apcupsd tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apcupsd_read_tmp_files',` ++ gen_require(` ++ type apcupsd_tmp_t; ++ ') ++ ++ allow $1 apcupsd_tmp_t:file read_file_perms; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.8/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-09-12 10:34:50.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apcupsd.te 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/apcupsd.te 2007-10-18 09:22:01.000000000 -0400 @@ -86,6 +86,11 @@ miscfiles_read_localization(apcupsd_t) 
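Review bot: Renaming `httpd_apcupsd_cgi_script_domtrans` to `apcupsd_cgi_script_domtrans` in the apcupsd.if part of the -5133 hunk drops the old name without a deprecation shim, so any module still calling the old interface fails to build; keep a wrapper in the form the squid.if hunk already uses, `interface(`httpd_apcupsd_cgi_script_domtrans',` refpolicywarn(`$0($*) has been deprecated.') apcupsd_cgi_script_domtrans($1) ')`. The new `apcupsd_read_tmp_files` allows only `apcupsd_tmp_t:file read_file_perms`; if those files live in an apcupsd_tmp_t directory the caller also needs search on it and on /tmp, which `files_search_tmp($1)` and `read_files_pattern($1, apcupsd_tmp_t, apcupsd_tmp_t)` would provide. Its first caller is `apcupsd_read_tmp_files(system_mail_t)` in the mta.te hunk (-7774).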
@@ -5878,7 +6369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`TODO',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2007-10-03 11:10:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2007-10-18 15:33:17.000000000 -0400 @@ -8,17 +8,14 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -5919,10 +6410,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -52,3 +54,4 @@ +@@ -51,4 +53,4 @@ + /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) - /var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) +-/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) +/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.0.8/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2007-05-29 14:10:57.000000000 -0400 
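Review bot: Removing `/var/spool/cups(/.*)?` from cups.fc in the -5919 hunk makes that directory's `print_spool_t` label depend on the lpd module's file contexts, since the -7514 hunk re-adds the identical line to lpd.fc; on a system without the lpd module the directory would fall back to the parent /var/spool rule. If cups already requires lpd unconditionally this is harmless, but a one-line comment next to the new lpd.fc entry, such as `# cups relies on this entry; print_spool_t appears to be declared by lpd`, would keep the cross-module coupling visible.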
@@ -5934,7 +6426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-09-12 10:34:50.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-10-05 09:02:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-10-18 15:37:33.000000000 -0400 @@ -48,9 +48,8 @@ type hplip_t; type hplip_exec_t; @@ -6142,16 +6634,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -560,7 +588,7 @@ +@@ -560,7 +588,9 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) -dev_read_usbfs(hplip_t) +dev_rw_usbfs(hplip_t) ++ ++lpd_read_spool(hplip_t) fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -587,8 +615,6 @@ +@@ -587,8 +617,6 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -6160,7 +6654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` seutil_sigchld_newrole(hplip_t) ') -@@ -668,3 +694,15 @@ +@@ -668,3 +696,15 @@ optional_policy(` udev_read_db(ptal_t) ') 
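Review bot: `lpd_read_spool(hplip_t)` is added as an unconditional call in the -6142 hunk, whereas the other cross-module calls visible around it (`seutil_sigchld_newrole(hplip_t)`, `udev_read_db(ptal_t)`) sit inside `optional_policy(` blocks; unless cups.te already depends on lpd unconditionally, wrap it as `optional_policy(` lpd_read_spool(hplip_t) ')` so the module still builds when lpd is absent. The spool is labeled `mls_systemhigh` in the lpd.fc hunk, so on an MLS policy hplip_t would presumably need an MLS read override as well for this access to be usable; confirm which applies. The hplip_t block continues outside the hunk.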
@@ -7514,10 +8008,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktal - nscd_socket_use(ktalkd_t) -') +term_search_ptys(ktalkd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.0.8/policy/modules/services/lpd.fc +--- nsaserefpolicy/policy/modules/services/lpd.fc 2007-05-29 14:10:57.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/lpd.fc 2007-10-18 15:33:22.000000000 -0400 +@@ -29,3 +29,4 @@ + # + /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) + /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) ++/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.0.8/policy/modules/services/lpd.if --- nsaserefpolicy/policy/modules/services/lpd.if 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/lpd.if 2007-10-03 11:10:24.000000000 -0400 -@@ -394,3 +394,22 @@ ++++ serefpolicy-3.0.8/policy/modules/services/lpd.if 2007-10-18 15:36:48.000000000 -0400 +@@ -303,6 +303,25 @@ + + ######################################## + ## ++## Read the contents of the printer spool directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lpd_read_spool',` ++ gen_require(` ++ type print_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1,print_spool_t,print_spool_t) ++') ++ ++######################################## ++## + ## Create, read, write, and delete printer spool files. + ## + ## +@@ -394,3 +413,22 @@ domtrans_pattern($2, lpr_exec_t, $1_lpr_t) ') 
@@ -7757,7 +8285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-15 13:11:26.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-18 09:24:04.000000000 -0400 @@ -6,6 +6,7 @@ # Declarations # @@ -7774,7 +8302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. mta_base_mail_template(system) role system_r types system_mail_t; -@@ -44,23 +46,29 @@ +@@ -44,23 +46,33 @@ kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) @@ -7789,6 +8317,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. userdom_use_sysadm_terms(system_mail_t) userdom_dontaudit_search_sysadm_home_dirs(system_mail_t) +userdom_dontaudit_search_all_users_home_content(system_mail_t) ++ ++optional_policy(` ++ apcupsd_read_tmp_files(system_mail_t) ++') optional_policy(` apache_read_squirrelmail_data(system_mail_t) @@ -7804,7 +8336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -73,6 +81,7 @@ +@@ -73,6 +85,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) 
@@ -9510,7 +10042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
userdom_read_unpriv_users_tmp_files(gssd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.8/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rshd.te 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rshd.te 2007-10-18 14:07:32.000000000 -0400
@@ -16,10 +16,11 @@
#
# Local policy
@@ -9524,16 +10056,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
kernel_read_kernel_sysctls(rshd_t)
-@@ -33,6 +34,8 @@
+@@ -33,6 +34,9 @@
corenet_udp_sendrecv_all_ports(rshd_t)
corenet_tcp_bind_all_nodes(rshd_t)
corenet_tcp_bind_rsh_port(rshd_t)
+corenet_tcp_bind_all_rpc_ports(rshd_t)
++corenet_tcp_bind_all_unreserved_ports(rshd_t)
+corenet_tcp_connect_all_rpc_ports(rshd_t)
corenet_sendrecv_rsh_server_packets(rshd_t)
dev_read_urand(rshd_t)
-@@ -44,28 +47,44 @@
+@@ -44,28 +48,44 @@
selinux_compute_relabel_context(rshd_t)
selinux_compute_user_contexts(rshd_t)
@@ -9581,7 +10114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(rshd_t)
fs_read_nfs_symlinks(rshd_t)
-@@ -76,15 +95,3 @@
+@@ -76,15 +96,3 @@
fs_read_cifs_symlinks(rshd_t)
')
@@ -9817,7 +10350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-10-16 21:18:19.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-10-18 17:06:03.000000000 -0400
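Review bot: `corenet_tcp_bind_all_unreserved_ports(rshd_t)` in the -9524 hunk lets rshd bind every port type above 1023, which as I read the `unreserved_port_type` attribute includes the labeled service ports and not only `unreserved_port_t`; that is wider than the commit message's "ports > 1023" needs to say. If rshd only needs the generic unlabeled range, `corenet_tcp_bind_generic_port(rshd_t)` (the form vpn.te uses for UDP in the -1854 hunk) is the narrower grant, and in either case a comment such as `# binds a non-ephemeral port above 1023; narrow to a specific port type if one applies` would record the reason next to the rule. The rshd_t local policy block starts and ends outside the hunk.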
@@ -137,6 +137,11 @@ type winbind_var_run_t; files_pid_file(winbind_var_run_t) @@ -9917,22 +10450,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb userdom_dontaudit_search_sysadm_home_dirs(smbd_t) userdom_dontaudit_use_unpriv_user_fds(smbd_t) userdom_use_unpriv_users_fds(smbd_t) -@@ -350,6 +347,14 @@ - ') - - optional_policy(` +@@ -347,6 +344,17 @@ + tunable_policy(`samba_share_nfs',` + fs_manage_nfs_dirs(smbd_t) + fs_manage_nfs_files(smbd_t) ++ fs_manage_nfs_symlinks(smbd_t) ++ fs_manage_nfs_named_pipes(smbd_t) ++ fs_manage_nfs_named_sockets(smbd_t) ++') ++ ++optional_policy(` + kerberos_read_keytab(smbd_t) +') + +optional_policy(` + lpd_exec_lpr(smbd_t) -+') -+ -+optional_policy(` - cups_read_rw_config(smbd_t) - cups_stream_connect(smbd_t) ') -@@ -398,7 +403,7 @@ + + optional_policy(` +@@ -398,7 +406,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -9941,7 +10477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -410,8 +415,7 @@ +@@ -410,8 +418,7 @@ read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) @@ -9951,7 +10487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) -@@ -421,6 +425,8 @@ +@@ -421,6 +428,8 @@ allow nmbd_t smbd_var_run_t:dir rw_dir_perms; @@ -9960,7 +10496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) kernel_read_kernel_sysctls(nmbd_t) -@@ -462,17 +468,11 @@ +@@ -462,17 +471,11 @@ miscfiles_read_localization(nmbd_t) 
@@ -9978,7 +10514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(nmbd_t) ') -@@ -506,6 +506,8 @@ +@@ -506,6 +509,8 @@ manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t) files_list_var_lib(smbmount_t) @@ -9987,7 +10523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_system_state(smbmount_t) corenet_all_recvfrom_unlabeled(smbmount_t) -@@ -533,6 +535,7 @@ +@@ -533,6 +538,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) @@ -9995,7 +10531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_list_bin(smbmount_t) -@@ -553,16 +556,11 @@ +@@ -553,16 +559,11 @@ logging_search_logs(smbmount_t) @@ -10014,7 +10550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -570,24 +568,28 @@ +@@ -570,24 +571,28 @@ # SWAT Local policy # @@ -10051,7 +10587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_var_run_t:file read; manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) -@@ -597,7 +599,11 @@ +@@ -597,7 +602,11 @@ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) @@ -10064,7 +10600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -622,23 +628,24 @@ +@@ -622,23 +631,24 @@ dev_read_urand(swat_t) @@ -10091,7 +10627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -652,13 +659,16 @@ +@@ -652,13 +662,16 @@ kerberos_use(swat_t) ') 
@@ -10114,7 +10650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # -@@ -672,7 +682,6 @@ +@@ -672,7 +685,6 @@ allow winbind_t self:fifo_file { read write }; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; @@ -10122,7 +10658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow winbind_t self:tcp_socket create_stream_socket_perms; allow winbind_t self:udp_socket create_socket_perms; -@@ -709,6 +718,8 @@ +@@ -709,6 +721,8 @@ manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) files_pid_filetrans(winbind_t,winbind_var_run_t,file) @@ -10131,7 +10667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -733,7 +744,9 @@ +@@ -733,7 +747,9 @@ fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) @@ -10141,7 +10677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -746,9 +759,6 @@ +@@ -746,9 +762,6 @@ miscfiles_read_localization(winbind_t) @@ -10151,7 +10687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_dontaudit_search_sysadm_home_dirs(winbind_t) userdom_priveleged_home_dir_manager(winbind_t) -@@ -758,10 +768,6 @@ +@@ -758,10 +771,6 @@ ') optional_policy(` @@ -10162,7 +10698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(winbind_t) ') -@@ -784,6 +790,8 @@ +@@ -784,6 +793,8 @@ allow winbind_helper_t samba_var_t:dir search; files_list_var_lib(winbind_helper_t) 
@@ -10171,7 +10707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t) term_list_ptys(winbind_helper_t) -@@ -804,6 +812,7 @@ +@@ -804,6 +815,7 @@ optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) @@ -10179,7 +10715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -828,3 +837,37 @@ +@@ -828,3 +840,37 @@ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ') ') @@ -10623,7 +11159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.0.8/policy/modules/services/squid.if --- nsaserefpolicy/policy/modules/services/squid.if 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/squid.if 2007-10-03 11:10:25.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/squid.if 2007-10-18 17:05:00.000000000 -0400 @@ -131,3 +131,22 @@ interface(`squid_use',` refpolicywarn(`$0($*) has been deprecated.') @@ -10645,7 +11181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi + type squid_t; + ') + -+ allow $1 squid_t:unix_stream_socket { read write }; ++ allow $1 squid_t:unix_stream_socket { getattr read write }; +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.8/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2007-07-25 10:37:42.000000000 -0400 
@@ -10735,7 +11271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.8/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ssh.if 2007-10-09 15:53:25.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/ssh.if 2007-10-18 14:05:49.000000000 -0400 @@ -202,6 +202,7 @@ # template(`ssh_per_role_template',` @@ -10744,7 +11280,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. type ssh_agent_exec_t, ssh_keysign_exec_t; ') -@@ -512,6 +513,7 @@ +@@ -450,6 +451,7 @@ + allow $1_t self:udp_socket create_socket_perms; + # ssh agent connections: + allow $1_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_t self:shm create_shm_perms; + + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; + term_create_pty($1_t,$1_devpts_t) +@@ -512,6 +514,7 @@ tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_t) @@ -10752,7 +11296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') tunable_policy(`use_samba_home_dirs',` -@@ -520,6 +522,7 @@ +@@ -520,6 +523,7 @@ optional_policy(` kerberos_use($1_t) @@ -10760,7 +11304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -708,3 +711,42 @@ +@@ -708,3 +712,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') 
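Review bot: The new `allow $1_t self:shm create_shm_perms;` in the `+@@ -450,6 +451,7 @@` hunk of ssh_per_role_template has no comment, while the socket rule it is placed under is explained by `# ssh agent connections:`. Because the template is instantiated once per role, this grants SysV shared-memory creation to every role's ssh client domain, so the reason belongs next to the rule, e.g. `# ssh client creates SysV shared memory segments (record which feature triggers this)`. If the client only needs to attach to existing segments rather than create them, a narrower permission set than create_shm_perms would suffice, but that cannot be judged from the hunk. The template body continues outside the hunk.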
@@ -10805,7 +11349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.8/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2007-10-03 11:10:25.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2007-10-18 14:05:10.000000000 -0400 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -11689,7 +12233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-09 10:32:37.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-18 17:06:56.000000000 -0400 @@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) @@ -11878,7 +12422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Execute pam programs in the PAM domain. ## ## -@@ -1318,14 +1407,9 @@ +@@ -1318,16 +1407,14 @@ ## # interface(`auth_use_nsswitch',` @@ -11892,8 +12436,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo - allow $1 var_auth_t:file manage_file_perms; files_list_var_lib($1) ++ # read /etc/nsswitch.conf ++ files_read_etc_files($1) ++ miscfiles_read_certs($1) -@@ -1347,6 +1431,8 @@ + + sysnet_dns_name_resolve($1) +@@ -1347,6 +1434,8 @@ optional_policy(` samba_stream_connect_winbind($1) 
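Review bot: `files_read_etc_files($1)` in the `+@@ -1318,16 +1407,14 @@` hunk of auth_use_nsswitch grants read on every etc_t file, not only /etc/nsswitch.conf as the comment `# read /etc/nsswitch.conf` suggests, and since this interface is called from many domains each caller is widened by that much. Unless a dedicated type for nsswitch.conf exists in this policy, the broad grant may be unavoidable, but the comment should say so: `# read /etc/nsswitch.conf (it is etc_t, so this grants read on all of etc_t)`. `miscfiles_read_certs($1)` is added with no comment at all; it presumably serves TLS-capable NSS backends, and that should be stated beside it, e.g. `# CA certificates for TLS-capable nss modules (e.g. nss_ldap) -- confirm`. The interface body continues outside the hunk.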
@@ -11902,7 +12451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1381,3 +1467,163 @@ +@@ -1381,3 +1470,163 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -13128,7 +13677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-09-12 10:34:51.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-10-03 11:10:25.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-10-17 16:52:35.000000000 -0400 @@ -33,8 +33,27 @@ ## # @@ -15151,8 +15700,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-17 15:57:54.000000000 -0400 -@@ -5,28 +5,38 @@ ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-18 16:48:24.000000000 -0400 +@@ -5,36 +5,48 @@ # # Declarations # @@ -15198,7 +15747,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf domtrans_pattern(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t) files_create_boot_flag(unconfined_t) -@@ -35,6 +45,7 @@ ++files_create_default_dir(unconfined_t) + + mcs_killall(unconfined_t) mcs_ptrace_all(unconfined_t) init_run_daemon(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) 
@@ -15206,7 +15757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,37 +53,30 @@ +@@ -42,37 +54,30 @@ logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) @@ -15252,7 +15803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -107,6 +111,10 @@ +@@ -107,6 +112,10 @@ optional_policy(` oddjob_dbus_chat(unconfined_t) ') @@ -15263,7 +15814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +126,11 @@ +@@ -118,11 +127,11 @@ ') optional_policy(` @@ -15277,7 +15828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,11 +142,7 @@ +@@ -134,11 +143,7 @@ ') optional_policy(` @@ -15290,7 +15841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -155,32 +159,23 @@ +@@ -155,32 +160,23 @@ optional_policy(` postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) 
@@ -15327,28 +15878,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +200,18 @@ +@@ -205,11 +201,22 @@ ') optional_policy(` - wine_domtrans(unconfined_t) + wine_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) -+') -+ -+optional_policy(` -+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) -+ unconfined_domain(unconfined_mozilla_t) -+ allow unconfined_mozilla_t self:process { execstack execmem }; ') optional_policy(` - xserver_domtrans_xdm_xserver(unconfined_t) ++ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) ++ unconfined_domain(unconfined_mozilla_t) ++ allow unconfined_mozilla_t self:process { execstack execmem }; ++') ++ ++optional_policy(` ++ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) ++') ++ ++optional_policy(` + xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) + xserver_xdm_rw_shm(unconfined_t) ') ######################################## -@@ -225,8 +227,21 @@ +@@ -225,8 +232,21 @@ init_dbus_chat_script(unconfined_execmem_t) unconfined_dbus_chat(unconfined_execmem_t) @@ -15381,7 +15936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-17 15:10:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-18 16:49:15.000000000 -0400 @@ -29,8 +29,9 @@ ') 
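Review bot: The new `kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })` in the `+@@ -205,11 +201,22 @@` hunk is written differently from every other `*_run` call in this file, which use no space after the commas and list the terminal set as `{ unconfined_devpts_t unconfined_tty_device_t }` (compare the `wine_run` and `xserver_run_xdm_xserver` lines in the same hunk). The set order is semantically irrelevant, but matching the file's form keeps grep and future diffs clean: `kismet_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })`. The remainder of the hunk only moves the mozilla optional_policy block below the wine block.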
@@ -16281,7 +16836,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1642,9 +1740,13 @@ +@@ -1277,6 +1375,7 @@ + dev_relabel_all_dev_nodes($1) + + files_create_boot_flag($1) ++ files_create_default_dir($1) + + # Necessary for managing /boot/efi + fs_manage_dos_files($1) +@@ -1642,9 +1741,13 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -16295,7 +16858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_type($2) ') -@@ -1894,10 +1996,46 @@ +@@ -1894,10 +1997,46 @@ template(`userdom_manage_user_home_content_dirs',` gen_require(` type $1_home_dir_t, $1_home_t; @@ -16343,7 +16906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3078,7 +3216,7 @@ +@@ -3078,7 +3217,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -16352,7 +16915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -4609,11 +4747,29 @@ +@@ -4609,11 +4748,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -16383,7 +16946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4633,6 +4789,14 @@ +@@ -4633,6 +4790,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -16398,7 +16961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5323,7 +5487,7 @@ +@@ -5323,7 +5488,7 @@ attribute user_tmpfile; ') 
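Review bot: `files_create_default_dir($1)` in the `+@@ -1277,6 +1375,7 @@` hunk is added without a comment, although the neighbouring `fs_manage_dos_files($1)` records its reason (`# Necessary for managing /boot/efi`) and the interface name alone does not say which directory is created or why an admin-style domain needs it. The enclosing template starts and ends outside the hunk, so its name cannot be confirmed here; a note such as `# allow creating the default_t directory (document the path and use case)` would let the next reader judge whether it belongs in this template. The same call is granted to unconfined_t elsewhere in this patch, which suggests one motivating case that is worth writing down once.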
@@ -16407,7 +16970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5559,3 +5723,380 @@ +@@ -5559,3 +5724,380 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -16790,7 +17353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.8/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-09-12 10:34:51.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.te 2007-10-17 16:35:19.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.te 2007-10-18 16:49:05.000000000 -0400 @@ -24,13 +24,6 @@ ## @@ -16867,7 +17430,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo cron_admin_template(sysadm,sysadm_t,sysadm_r) ') -@@ -394,6 +384,10 @@ +@@ -359,6 +349,10 @@ + ') + + optional_policy(` ++ kismet_run(sysadm_t, sysadm_r, admin_terminal) ++') ++ ++optional_policy(` + lvm_run(sysadm_t,sysadm_r,admin_terminal) + ') + +@@ -394,6 +388,10 @@ ') optional_policy(` @@ -16878,7 +17452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo netutils_run(sysadm_t,sysadm_r,admin_terminal) netutils_run_ping(sysadm_t,sysadm_r,admin_terminal) netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) -@@ -443,15 +437,20 @@ +@@ -443,15 +441,20 @@ optional_policy(` samba_run_net(sysadm_t,sysadm_r,admin_terminal) @@ -16899,7 +17473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ', ` userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal) ') -@@ -494,3 +493,7 @@ +@@ -494,3 +497,7 @@ optional_policy(` yam_run(sysadm_t,sysadm_r,admin_terminal) ')
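Review bot: The `kismet_run(sysadm_t, sysadm_r, admin_terminal)` line added ahead of the lvm block in the userdomain.te hunk breaks the file's call style; the surrounding `lvm_run(sysadm_t,sysadm_r,admin_terminal)` and `netutils_run(sysadm_t,sysadm_r,admin_terminal)` lines in the same hunk use no space after the commas. Suggest `kismet_run(sysadm_t,sysadm_r,admin_terminal)`. As this is the only block here granting sysadm a transition into a domain introduced by the same patch, a one-line comment on why the transition is wanted (presumably to keep kismet's network privileges out of sysadm_t, if that is the intent) would help the next reviewer.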