- Update an readd modules

Daniel J Walsh 2007-08-27 21:43:05 +00:00
parent 7f9951d4d3
commit e8b5993e52
5 changed files with 296 additions and 114 deletions


@ -124,3 +124,4 @@ serefpolicy-3.0.3.tgz
serefpolicy-3.0.4.tgz
serefpolicy-3.0.5.tgz
serefpolicy-3.0.6.tgz
serefpolicy-3.0.7.tgz


@ -1298,10 +1298,17 @@ usernetctl = module
# Layer: system
# Module: xen
#
# TCP/IP encryption
# virtualization software
#
xen = base
# Layer: system
# Module: virt
#
# Virtualization libraries
#
virt = base
# Layer: system
# Module: brctl
#
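Review bot: The xen entry at the top of this hunk still describes the module as `# TCP/IP encryption` on the line above `# virtualization software`, which reads like a leftover from the ipsec entry rather than a description of xen; since this commit is re-adding and describing modules in this list (virt, and brctl at the hunk's end), that line should be dropped so the entry reads `# Xen virtualization software`. The xen lines appear to be unchanged context rather than added here, so this is a pre-existing documentation defect that the commit leaves in place. The brctl entry begins on the last lines of the hunk and its description and `brctl = ...` assignment lie outside it.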


@ -313,7 +313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
+/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.6/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/alsa.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/alsa.te 2007-08-24 16:06:03.000000000 -0400
@@ -19,20 +19,24 @@
# Local policy
#
@ -342,7 +342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
libs_use_ld_so(alsa_t)
libs_use_shared_libs(alsa_t)
@@ -43,7 +47,14 @@
@@ -43,7 +47,13 @@
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
@ -356,7 +356,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
+ hal_use_fds(alsa_t)
+ hal_write_log(alsa_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.6/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/anaconda.te 2007-08-22 08:03:53.000000000 -0400
@ -389,6 +388,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.if serefpolicy-3.0.6/policy/modules/admin/certwatch.if
--- nsaserefpolicy/policy/modules/admin/certwatch.if 2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/certwatch.if 2007-08-25 06:42:08.000000000 -0400
@@ -44,7 +44,7 @@
## </param>
## <rolecap/>
#
-interface(`certwatach_run',`
+interface(`certwatch_run',`
gen_require(`
type certwatch_t;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.6/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-08-22 07:14:14.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/consoletype.te 2007-08-22 08:03:53.000000000 -0400
@ -1213,7 +1224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.6/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/vbetool.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/admin/vbetool.te 2007-08-24 16:33:17.000000000 -0400
@@ -32,4 +32,5 @@
optional_policy(`
@ -1500,6 +1511,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
-
type gconfd_exec_t;
application_executable_file(gconfd_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.6/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/apps/java.fc 2007-08-27 09:51:03.000000000 -0400
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.6/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-08-02 08:17:26.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/apps/java.if 2007-08-22 08:03:53.000000000 -0400
@ -2567,7 +2589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.6/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/kernel/files.if 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/kernel/files.if 2007-08-27 09:57:19.000000000 -0400
@@ -343,8 +343,7 @@
########################################
@ -2652,10 +2674,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## List the contents of the root directory.
## </summary>
## <param name="domain">
@@ -3323,6 +3359,24 @@
@@ -3323,6 +3359,42 @@
########################################
## <summary>
+## dontaudit Add and remove entries from /usr directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_rw_usr_dirs',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ dontaudit $1 usr_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files in the /usr directory.
+## </summary>
+## <param name="domain">
@ -2677,7 +2717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Get the attributes of files in /usr.
## </summary>
## <param name="domain">
@@ -3381,7 +3435,7 @@
@@ -3381,7 +3453,7 @@
########################################
## <summary>
@ -2686,7 +2726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## </summary>
## <param name="domain">
## <summary>
@@ -3389,17 +3443,17 @@
@@ -3389,17 +3461,17 @@
## </summary>
## </param>
#
@ -2707,7 +2747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## </summary>
## <param name="domain">
## <summary>
@@ -3407,12 +3461,12 @@
@@ -3407,12 +3479,12 @@
## </summary>
## </param>
#
@ -2722,7 +2762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
@@ -4043,7 +4097,7 @@
@@ -4043,7 +4115,7 @@
type var_t, var_lock_t;
')
@ -2731,7 +2771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
@@ -4560,6 +4614,8 @@
@@ -4560,6 +4632,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
@ -2740,7 +2780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
@@ -4582,6 +4638,11 @@
@@ -4582,6 +4656,11 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@ -2752,7 +2792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
@@ -4619,3 +4680,28 @@
@@ -4619,3 +4698,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@ -2903,6 +2943,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+ rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.6/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/kernel/filesystem.te 2007-08-27 09:16:03.000000000 -0400
@@ -80,6 +80,7 @@
type fusefs_t;
fs_noxattr_type(fusefs_t)
allow fusefs_t self:filesystem associate;
+allow fusefs_t fs_t:filesystem associate;
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.6/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/kernel/kernel.if 2007-08-22 08:03:53.000000000 -0400
@ -3385,7 +3436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.6/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-08-22 07:14:07.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/apache.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/apache.te 2007-08-27 17:32:31.000000000 -0400
@@ -30,6 +30,13 @@
## <desc>
@ -3466,7 +3517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)
@@ -202,7 +245,7 @@
@@ -202,9 +245,11 @@
# Apache server local policy
#
@ -3474,8 +3525,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+dontaudit httpd_t self:process setfscreate;
+
allow httpd_t self:fd use;
@@ -244,6 +287,7 @@
allow httpd_t self:sock_file read_sock_file_perms;
allow httpd_t self:fifo_file rw_fifo_file_perms;
@@ -244,6 +289,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@ -3483,7 +3538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -284,6 +328,7 @@
@@ -284,6 +330,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@ -3491,7 +3546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
@@ -330,6 +375,9 @@
@@ -330,6 +377,9 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@ -3501,7 +3556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
@@ -348,7 +396,9 @@
@@ -348,7 +398,9 @@
userdom_use_unpriv_users_fds(httpd_t)
@ -3512,7 +3567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
@@ -360,6 +410,7 @@
@@ -360,6 +412,7 @@
#
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
@ -3520,7 +3575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
@@ -367,6 +418,16 @@
@@ -367,6 +420,16 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@ -3537,7 +3592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_connect_db',`
# allow httpd to connect to mysql/posgresql
corenet_tcp_connect_postgresql_port(httpd_t)
@@ -387,6 +448,17 @@
@@ -387,6 +450,17 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@ -3555,7 +3610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -404,11 +476,21 @@
@@ -404,11 +478,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@ -3577,7 +3632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
@@ -430,6 +512,12 @@
@@ -430,6 +514,12 @@
')
optional_policy(`
@ -3590,7 +3645,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
calamaris_read_www_files(httpd_t)
')
@@ -461,7 +549,6 @@
@@ -442,6 +532,13 @@
')
optional_policy(`
+ dbus_system_bus_client_template(httpd,httpd_t)
+ dbus_send_system_bus(httpd_t)
+ tunable_policy(`allow_httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
+')
+optional_policy(`
kerberos_use(httpd_t)
kerberos_read_kdc_config(httpd_t)
')
@@ -461,7 +558,6 @@
optional_policy(`
nagios_read_config(httpd_t)
@ -3598,7 +3667,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
@@ -512,10 +599,16 @@
@@ -481,6 +577,7 @@
')
optional_policy(`
+ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -512,10 +609,16 @@
tunable_policy(`httpd_tty_comm',`
# cjp: this is redundant:
term_use_controlling_term(httpd_helper_t)
@ -3616,7 +3693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
@@ -567,7 +660,6 @@
@@ -567,7 +670,6 @@
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
@ -3624,7 +3701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
@@ -581,6 +673,10 @@
@@ -581,6 +683,10 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -3635,7 +3712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
@@ -606,6 +702,10 @@
@@ -606,6 +712,10 @@
miscfiles_read_localization(httpd_suexec_t)
@ -3646,7 +3723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
@@ -620,10 +720,13 @@
@@ -620,10 +730,13 @@
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
@ -3661,7 +3738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
@@ -634,6 +737,12 @@
@@ -634,6 +747,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@ -3674,7 +3751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
@@ -651,18 +760,6 @@
@@ -651,18 +770,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@ -3693,7 +3770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
@@ -672,7 +769,8 @@
@@ -672,7 +779,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -3703,7 +3780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
@@ -686,15 +784,66 @@
@@ -686,15 +794,66 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -3719,15 +3796,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
+
+tunable_policy(`httpd_use_nfs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@ -3771,7 +3848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -711,6 +860,19 @@
@@ -711,6 +870,19 @@
########################################
#
@ -3791,7 +3868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# httpd_rotatelogs local policy
#
@@ -728,3 +890,27 @@
@@ -728,3 +900,20 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@ -3802,6 +3879,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
+files_search_var_lib(httpd_bugzilla_script_t)
+
+mta_send_mail(httpd_bugzilla_script_t)
+
+optional_policy(`
+ mysql_search_db(httpd_bugzilla_script_t)
+ mysql_stream_connect(httpd_bugzilla_script_t)
@ -3810,15 +3889,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
+
+
+optional_policy(`
+ dbus_system_bus_client_template(httpd,httpd_t)
+ dbus_send_system_bus(httpd_t)
+ tunable_policy(`allow_httpd_dbus_avahi',`
+ avahi_dbus_chat(httpd_t)
+ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.6/policy/modules/services/apcupsd.fc
--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/apcupsd.fc 2007-08-22 08:03:53.000000000 -0400
@ -5028,6 +5098,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.6/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/dnsmasq.te 2007-08-27 10:56:52.000000000 -0400
@@ -94,3 +94,8 @@
optional_policy(`
udev_read_db(dnsmasq_t)
')
+
+optional_policy(`
+ virt_read_lib_files(dnsmasq_t)
+ virt_append_lib_files(dnsmasq_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.6/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/dovecot.fc 2007-08-22 08:03:53.000000000 -0400
@ -6255,7 +6337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.6/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/ntp.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/ntp.te 2007-08-24 16:30:03.000000000 -0400
@@ -25,6 +25,12 @@
type ntpdate_exec_t;
init_system_domain(ntpd_t,ntpdate_exec_t)
@ -6304,7 +6386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_sysadm_home_dirs(ntpd_t)
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
@@ -126,9 +139,14 @@
@@ -122,6 +135,10 @@
')
optional_policy(`
@ -6312,9 +6394,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
+')
+
+optional_policy(`
seutil_sigchld_newrole(ntpd_t)
logrotate_exec(ntpd_t)
')
@@ -132,3 +149,4 @@
optional_policy(`
udev_read_db(ntpd_t)
')
@ -7822,7 +7905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.6/policy/modules/services/soundserver.te
--- nsaserefpolicy/policy/modules/services/soundserver.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/soundserver.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/soundserver.te 2007-08-24 16:10:39.000000000 -0400
@@ -10,9 +10,6 @@
type soundd_exec_t;
init_daemon_domain(soundd_t,soundd_exec_t)
@ -7833,7 +7916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
type soundd_state_t;
files_type(soundd_state_t)
@@ -28,20 +25,28 @@
@@ -28,20 +25,24 @@
########################################
#
@ -7852,10 +7935,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
+allow soundd_t self:capability { dac_override };
+
+fs_getattr_all_fs(soundd_t)
+
+optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
# for yiff
allow soundd_t self:shm create_shm_perms;
@ -7867,7 +7946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
@@ -55,8 +60,10 @@
@@ -55,8 +56,10 @@
manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -7879,6 +7958,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t)
@@ -99,6 +102,10 @@
userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(soundd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.6/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-06-11 16:05:30.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/spamassassin.fc 2007-08-22 08:03:53.000000000 -0400
@ -9189,8 +9279,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.6/policy/modules/system/brctl.te
--- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.6/policy/modules/system/brctl.te 2007-08-22 08:03:53.000000000 -0400
@@ -0,0 +1,50 @@
+++ serefpolicy-3.0.6/policy/modules/system/brctl.te 2007-08-27 10:44:36.000000000 -0400
@@ -0,0 +1,51 @@
+policy_module(brctl,1.0.0)
+
+########################################
@ -9213,6 +9303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
+allow brctl_t self:tcp_socket create_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+
+dev_write_sysfs_dirs(brctl_t)
+dev_rw_sysfs(brctl_t)
+
+# Init script handling
@ -9409,7 +9500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.0.6/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2007-08-22 07:14:13.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/getty.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/getty.te 2007-08-27 10:45:03.000000000 -0400
@@ -33,7 +33,8 @@
#
@ -9803,7 +9894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.0.6/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2007-08-22 07:14:11.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/iptables.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/iptables.te 2007-08-27 10:45:25.000000000 -0400
@@ -44,6 +44,8 @@
corenet_relabelto_all_packets(iptables_t)
@ -9821,20 +9912,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
libs_use_ld_so(iptables_t)
libs_use_shared_libs(iptables_t)
@@ -96,10 +99,6 @@
@@ -96,11 +99,11 @@
')
optional_policy(`
- nscd_socket_use(iptables_t)
-')
-
-optional_policy(`
ppp_dontaudit_use_fds(iptables_t)
+ ppp_dontaudit_use_fds(iptables_t)
')
optional_policy(`
- ppp_dontaudit_use_fds(iptables_t)
+ rhgb_dontaudit_use_ptys(iptables_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.6/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-08-02 08:17:28.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/libraries.fc 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/libraries.fc 2007-08-27 10:58:43.000000000 -0400
@@ -65,11 +65,12 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -9867,7 +9961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
@@ -284,3 +289,7 @@
@@ -284,3 +289,8 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@ -9875,6 +9969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/lib64/mozilla/plugins/libvlcplugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
+/usr/lib/libtheora\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.6/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-08-02 08:17:28.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/libraries.te 2007-08-22 08:03:53.000000000 -0400
@ -10437,7 +10532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.6/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-08-22 07:14:12.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/modutils.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/modutils.te 2007-08-24 16:32:27.000000000 -0400
@@ -42,7 +42,7 @@
# insmod local policy
#
@ -10544,7 +10639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.6/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-08-22 07:14:13.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/mount.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/mount.te 2007-08-24 16:33:07.000000000 -0400
@@ -8,6 +8,13 @@
## <desc>
@ -11695,7 +11790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+
+corecmd_exec_all_executables(unconfined_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-22 07:14:12.000000000 -0400
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/userdomain.if 2007-08-22 08:03:53.000000000 -0400
@@ -62,6 +62,10 @@
@ -11719,22 +11814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
@@ -183,14 +191,6 @@
read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
files_list_home($1_t)
- # privileged home directory writers
- manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
-
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs_dirs($1_t)
fs_read_nfs_files($1_t)
@@ -323,13 +323,19 @@
@@ -315,13 +323,19 @@
## <rolebase/>
#
template(`userdom_exec_home_template',`
@ -11757,7 +11837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
fs_exec_cifs_files($1_t)
')
')
@@ -403,7 +409,9 @@
@@ -395,7 +409,9 @@
## <rolebase/>
#
template(`userdom_exec_tmp_template',`
@ -11768,7 +11848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
@@ -517,10 +525,6 @@
@@ -509,10 +525,6 @@
## <rolebase/>
#
template(`userdom_exec_generic_pgms_template',`
@ -11779,7 +11859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corecmd_exec_bin($1_t)
')
@@ -538,9 +542,6 @@
@@ -530,9 +542,6 @@
## <rolebase/>
#
template(`userdom_basic_networking_template',`
@ -11789,7 +11869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
@@ -571,32 +572,29 @@
@@ -563,32 +572,29 @@
#
template(`userdom_xwindows_client_template',`
gen_require(`
@ -11843,7 +11923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
@@ -672,67 +670,39 @@
@@ -664,67 +670,39 @@
attribute unpriv_userdomain;
')
@ -11914,7 +11994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_exec_etc_files($1_t)
files_search_locks($1_t)
# Check to see if cdrom is mounted
@@ -745,12 +715,6 @@
@@ -737,12 +715,6 @@
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)
@ -11927,7 +12007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
@@ -763,31 +727,16 @@
@@ -755,31 +727,16 @@
storage_getattr_fixed_disk_dev($1_t)
auth_read_login_records($1_t)
@ -11961,7 +12041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
seutil_exec_checkpolicy($1_t)
seutil_exec_setfiles($1_t)
@@ -802,19 +751,12 @@
@@ -794,19 +751,12 @@
files_read_default_symlinks($1_t)
files_read_default_sockets($1_t)
files_read_default_pipes($1_t)
@ -11981,7 +12061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
alsa_read_rw_config($1_t)
')
@@ -829,11 +771,6 @@
@@ -821,11 +771,6 @@
')
optional_policy(`
@ -11993,7 +12073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow $1_t self:dbus send_msg;
dbus_system_bus_client_template($1,$1_t)
@@ -842,21 +779,18 @@
@@ -834,21 +779,18 @@
')
optional_policy(`
@ -12019,7 +12099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
optional_policy(`
@@ -884,17 +818,17 @@
@@ -876,17 +818,17 @@
')
optional_policy(`
@ -12045,7 +12125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
optional_policy(`
@@ -908,16 +842,6 @@
@@ -900,16 +842,6 @@
')
optional_policy(`
@ -12062,7 +12142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
resmgr_stream_connect($1_t)
')
@@ -927,11 +851,6 @@
@@ -919,11 +851,6 @@
')
optional_policy(`
@ -12074,7 +12154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
samba_stream_connect_winbind($1_t)
')
@@ -962,21 +881,162 @@
@@ -954,21 +881,162 @@
## </summary>
## </param>
#
@ -12243,7 +12323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@@ -985,15 +1045,51 @@
@@ -977,23 +1045,51 @@
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
@ -12288,10 +12368,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ # Declarations
#
- corecmd_exec_all_executables($1_t)
- # privileged home directory writers
- manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
- filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
+ # Inherit rules for ordinary users.
+ userdom_common_user_template($1)
+
- corecmd_exec_all_executables($1_t)
+ ##############################
+ #
+ # Local policy
@ -12718,7 +12805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.6/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-08-22 07:14:11.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/userdomain.te 2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/userdomain.te 2007-08-27 17:33:50.000000000 -0400
@@ -74,6 +74,9 @@
# users home directory contents
attribute home_type;
@ -12766,6 +12853,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
#apache_run_all_scripts(sysadm_t,sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -278,7 +283,7 @@
')
optional_policy(`
- certwatach_run(sysadm_t,sysadm_r,admin_terminal)
+ certwatch_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`
@@ -286,14 +291,6 @@
')
@ -12816,6 +12912,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+tunable_policy(`allow_console_login', `
+ term_use_console(userdomain)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.0.6/policy/modules/system/virt.fc
--- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.6/policy/modules/system/virt.fc 2007-08-27 10:52:37.000000000 -0400
@@ -0,0 +1 @@
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.6/policy/modules/system/virt.if
--- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.6/policy/modules/system/virt.if 2007-08-27 10:53:48.000000000 -0400
@@ -0,0 +1,58 @@
+## <summary>Virtualization </summary>
+
+########################################
+## <summary>
+## Read virt library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ read_files_pattern($1, virt_var_lib_t,virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## append virt library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_append_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ allow $1 virt_var_lib_t:file append;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write
+## virt library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_rw_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.6/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.6/policy/modules/system/virt.te 2007-08-27 10:52:32.000000000 -0400
@@ -0,0 +1,3 @@
+# var/lib files
+type virt_var_lib_t;
+files_type(virt_var_lib_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.0.6/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2007-07-03 07:06:32.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/xen.if 2007-08-22 08:03:53.000000000 -0400


@ -16,8 +16,8 @@
%define CHECKPOLICYVER 2.0.3-1
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.6
Release: 3%{?dist}
Version: 3.0.7
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -82,8 +82,8 @@ make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic}
cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \
cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
%define moduleList() %([ -f $RPM_SOURCE_DIR/modules-%{1}.conf ] && \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' $RPM_SOURCE_DIR/modules-%{1}.conf )
%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )
%define installCmds() \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
@ -289,6 +289,7 @@ semodule -s targeted -r moilscanner 2>/dev/null
%loadpolicy targeted
%relabel targeted
if [ $1 = 0 ]; then
semanage login -m -s "system_u" __default__ 2> /dev/null
semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u
semanage user -a -P guest -R guest_r guest_u
semanage user -a -P xguest -R xguest_r xguest_u
@ -361,6 +362,9 @@ exit 0
%endif
%changelog
* Mon Aug 27 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-1
- Update an readd modules
* Fri Aug 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.6-3
- Cleanup spec file
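Review bot: The `semanage login -m -s "system_u" __default__ 2> /dev/null` line in the `@ -289,6 +289,7 @@` hunk (which I read as that hunk's single addition, since this rendering drops the +/- markers) throws away stderr and ignores the exit status, so a failed remap of `__default__` leaves logins on whatever SELinux user mapping was there before with nothing in the install log to show it. Since this mapping decides the confinement every new login session gets, a silent failure here is worth surfacing even if the scriptlet should not abort; a minimal change is `semanage login -m -s "system_u" __default__ 2> /dev/null || echo "warning: could not set default SELinux login mapping" >&2`. On the `@ -82,8 +82,8 @@` hunk, the retained `awk '$1 !~ "/^#/" ...'` uses a quoted string as the regex, so the pattern is the literal `/^#/` (slashes included) rather than "starts with #"; a commented-out `#name = module` line would therefore still produce `-i name.pp`, and the unquoted form `$1 !~ /^#/` is what appears to be intended — this predates the commit, which only swaps `$RPM_SOURCE_DIR` for `%{_sourcedir}`. The scriptlet that contains the `if [ $1 = 0 ]` block starts outside the hunk, so which package section and `$1` value it runs under is not visible here.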


@ -1 +1 @@
a5d797f1b43fd89f8f815f5cd2664999 serefpolicy-3.0.6.tgz
cf3ad58b7f285398e7b19a9f2d097f8e serefpolicy-3.0.7.tgz