From e8b5993e52acd465bd0209b12119dc8f1d419df6 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 27 Aug 2007 21:43:05 +0000
Subject: [PATCH] - Update an readd modules

---
 .cvsignore | 1 +
 modules-targeted.conf | 9 +-
 policy-20070703.patch | 386 ++++++++++++++++++++++++++++++------------
 selinux-policy.spec | 12 +-
 sources | 2 +-
 5 files changed, 296 insertions(+), 114 deletions(-)

diff --git a/.cvsignore b/.cvsignore
index ccd76b53..9683a79e 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -124,3 +124,4 @@ serefpolicy-3.0.3.tgz
 serefpolicy-3.0.4.tgz
 serefpolicy-3.0.5.tgz
 serefpolicy-3.0.6.tgz
+serefpolicy-3.0.7.tgz
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 3b6bacaa..e6884da9 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1298,10 +1298,17 @@ usernetctl = module
 # Layer: system
 # Module: xen
 #
-# TCP/IP encryption
+# virtualization software
 #
 xen = base
 
+# Layer: system
+# Module: virt
+#
+# Virtualization libraries
+#
+virt = base
+
 # Layer: system
 # Module: brctl
 #
diff --git a/policy-20070703.patch b/policy-20070703.patch
index fac8a980..1444c4be 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -313,7 +313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc +/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.6/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/admin/alsa.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/admin/alsa.te 2007-08-24 16:06:03.000000000 -0400 @@ -19,20 +19,24 @@ # Local policy # 
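Review bot: `virt = base` registers a new module in modules-targeted.conf, but none of the policy-20070703.patch hunks visible in this commit add a virt.te/virt.if, so the build now depends on the virt module shipping inside the serefpolicy-3.0.7 tarball that .cvsignore starts listing; worth confirming before the spec bump is pushed. The dnsmasq hunk later in the patch calls `virt_read_lib_files`/`virt_append_lib_files` only inside `optional_policy`, which is consistent with virt being a separate module rather than a hard dependency. Marking it `base` compiles it into the base policy like xen instead of leaving it a removable loadable module like `usernetctl = module`; if nothing requires it in base, `virt = module` keeps it unloadable with the usual tooling.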
@@ -342,7 +342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te libs_use_ld_so(alsa_t) libs_use_shared_libs(alsa_t) -@@ -43,7 +47,14 @@ +@@ -43,7 +47,13 @@ userdom_manage_unpriv_user_semaphores(alsa_t) userdom_manage_unpriv_user_shared_mem(alsa_t) @@ -356,7 +356,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te + hal_use_fds(alsa_t) + hal_write_log(alsa_t) +') -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.6/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-05-29 14:10:59.000000000 -0400 +++ serefpolicy-3.0.6/policy/modules/admin/anaconda.te 2007-08-22 08:03:53.000000000 -0400 @@ -389,6 +388,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.if serefpolicy-3.0.6/policy/modules/admin/certwatch.if +--- nsaserefpolicy/policy/modules/admin/certwatch.if 2007-05-29 14:10:59.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/admin/certwatch.if 2007-08-25 06:42:08.000000000 -0400 +@@ -44,7 +44,7 @@ + ## + ## + # +-interface(`certwatach_run',` ++interface(`certwatch_run',` + gen_require(` + type certwatch_t; + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.6/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-08-22 07:14:14.000000000 -0400 +++ serefpolicy-3.0.6/policy/modules/admin/consoletype.te 2007-08-22 08:03:53.000000000 -0400 
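Review bot: Renaming the interface from `certwatach_run` to `certwatch_run` in certwatch.if fixes the typo but silently breaks any out-of-tree module that still calls the old name; the only caller updated in this commit is the userdomain.te hunk at the end of the patch. If third-party callers matter, keep `interface(`certwatach_run',`` as a thin wrapper that calls `certwatch_run($1,$2,$3)` and emits `refpolicywarn(`$0() has been renamed to certwatch_run()')`, which is the convention refpolicy uses for deprecated interfaces. The interface body continues outside the hunk.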
@@ -1213,7 +1224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.6/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/admin/vbetool.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/admin/vbetool.te 2007-08-24 16:33:17.000000000 -0400 @@ -32,4 +32,5 @@ optional_policy(` @@ -1500,6 +1511,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te - type gconfd_exec_t; application_executable_file(gconfd_exec_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.6/policy/modules/apps/java.fc +--- nsaserefpolicy/policy/modules/apps/java.fc 2007-05-29 14:10:48.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/apps/java.fc 2007-08-27 09:51:03.000000000 -0400 +@@ -11,6 +11,7 @@ + # + /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) ++/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.6/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-08-02 08:17:26.000000000 -0400 +++ serefpolicy-3.0.6/policy/modules/apps/java.if 2007-08-22 08:03:53.000000000 -0400 
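Review bot: `/usr/lib/eclipse/eclipse` matches only the 32-bit library directory, unlike the neighbouring `/usr/lib(.*/)?bin/java[^/]*` entry, so on x86_64 an eclipse installed under /usr/lib64/eclipse would presumably keep the default label and never be treated as java_exec_t. `/usr/lib(64)?/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)` follows the `lib(64)?` idiom libraries.fc uses elsewhere in this patch. A mislabelled binary is not a hard failure, but it means whatever confinement java_exec_t provides silently does not apply on that architecture.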
@@ -2567,7 +2589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.6/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/kernel/files.if 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/kernel/files.if 2007-08-27 09:57:19.000000000 -0400 @@ -343,8 +343,7 @@ ######################################## @@ -2652,10 +2674,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## List the contents of the root directory. ## ## -@@ -3323,6 +3359,24 @@ +@@ -3323,6 +3359,42 @@ ######################################## ## ++## dontaudit Add and remove entries from /usr directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_rw_usr_dirs',` ++ gen_require(` ++ type usr_t; ++ ') ++ ++ dontaudit $1 usr_t:dir rw_dir_perms; ++') ++ ++######################################## ++## +## Create, read, write, and delete files in the /usr directory. +## +## @@ -2677,7 +2717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Get the attributes of files in /usr. ## ## -@@ -3381,7 +3435,7 @@ +@@ -3381,7 +3453,7 @@ ######################################## ## @@ -2686,7 +2726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## ## ## -@@ -3389,17 +3443,17 @@ +@@ -3389,17 +3461,17 @@ ## ## # @@ -2707,7 +2747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## ## ## -@@ -3407,12 +3461,12 @@ +@@ -3407,12 +3479,12 @@ ## ## # @@ -2722,7 +2762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4043,7 +4097,7 @@ +@@ -4043,7 +4115,7 @@ type var_t, var_lock_t; ') 
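Review bot: The new `files_dontaudit_rw_usr_dirs` interface summarises itself as "dontaudit Add and remove entries from /usr directories", but `rw_dir_perms` (as it expands elsewhere in refpolicy, if I recall it correctly) also covers read/search/open, so the summary understates what gets hidden; suggest `## Do not audit attempts to read, write, add or remove entries in /usr directories.`. A dontaudit on write attempts to `usr_t` directories also removes a signal an auditor normally wants, since a daemon trying to modify /usr is a notable event, so callers should apply it in the narrowest scope they can. The interface is complete within the hunk.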
@@ -2731,7 +2771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4560,6 +4614,8 @@ +@@ -4560,6 +4632,8 @@ # Need to give access to /selinux/member selinux_compute_member($1) @@ -2740,7 +2780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # Need sys_admin capability for mounting allow $1 self:capability { chown fsetid sys_admin }; -@@ -4582,6 +4638,11 @@ +@@ -4582,6 +4656,11 @@ # Default type for mountpoints allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -2752,7 +2792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4619,3 +4680,28 @@ +@@ -4619,3 +4698,28 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') @@ -2903,6 +2943,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.6/policy/modules/kernel/filesystem.te +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-08-22 07:14:06.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/kernel/filesystem.te 2007-08-27 09:16:03.000000000 -0400 +@@ -80,6 +80,7 @@ + type fusefs_t; + fs_noxattr_type(fusefs_t) + allow fusefs_t self:filesystem associate; ++allow fusefs_t fs_t:filesystem associate; + genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) + genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.6/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400 +++ serefpolicy-3.0.6/policy/modules/kernel/kernel.if 2007-08-22 08:03:53.000000000 -0400 
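Review bot: `allow fusefs_t fs_t:filesystem associate;` lets fusefs_t-labelled files exist on ordinary fs_t filesystems, and the hunk gives no hint which mount scenario produced the denial that needed it, so a later reader cannot tell when the rule can be dropped. A why-comment on the new line, along the lines of `# fuse-labelled files must associate with the underlying fs_t filesystem (denial seen on <scenario>)`, with the real scenario filled in, would record that; I would not guess at the cause since the triggering AVC is not in the diff.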
@@ -3385,7 +3436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.6/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/services/apache.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/services/apache.te 2007-08-27 17:32:31.000000000 -0400 @@ -30,6 +30,13 @@ ## @@ -3466,7 +3517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # for apache2 memory mapped files type httpd_var_lib_t; files_type(httpd_var_lib_t) -@@ -202,7 +245,7 @@ +@@ -202,9 +245,11 @@ # Apache server local policy # @@ -3474,8 +3525,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++dontaudit httpd_t self:process setfscreate; ++ allow httpd_t self:fd use; -@@ -244,6 +287,7 @@ + allow httpd_t self:sock_file read_sock_file_perms; + allow httpd_t self:fifo_file rw_fifo_file_perms; +@@ -244,6 +289,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) @@ -3483,7 +3538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -284,6 +328,7 @@ +@@ -284,6 +330,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
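Review bot: `dontaudit httpd_t self:process setfscreate;` silences the denial that the `~{ ... setfscreate ... }` allow two lines above deliberately produces, so the access stays denied but the audit record disappears; that is fine for a known benign probe, but the hunk does not say which module or code path triggers it, so nobody can later tell when the dontaudit can go. A one-line comment above it, e.g. `# httpd probes setfscreate and is denied by the ~{} rule above; silence the noise`, records that. Separately, on this hunk's context lines `sys_tty_config` now appears in both the allow and the dontaudit capability rules, so the dontaudit entry is dead and could be removed in a follow-up.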
@@ -3491,7 +3546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -330,6 +375,9 @@ +@@ -330,6 +377,9 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -3501,7 +3556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -348,7 +396,9 @@ +@@ -348,7 +398,9 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -3512,7 +3567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) -@@ -360,6 +410,7 @@ +@@ -360,6 +412,7 @@ # tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) @@ -3520,7 +3575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -367,6 +418,16 @@ +@@ -367,6 +420,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -3537,7 +3592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -387,6 +448,17 @@ +@@ -387,6 +450,17 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -3555,7 +3610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -404,11 +476,21 @@ +@@ -404,11 +478,21 @@ fs_read_nfs_symlinks(httpd_t) ') 
@@ -3577,7 +3632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -430,6 +512,12 @@ +@@ -430,6 +514,12 @@ ') optional_policy(` @@ -3590,7 +3645,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac calamaris_read_www_files(httpd_t) ') -@@ -461,7 +549,6 @@ +@@ -442,6 +532,13 @@ + ') + + optional_policy(` ++ dbus_system_bus_client_template(httpd,httpd_t) ++ dbus_send_system_bus(httpd_t) ++ tunable_policy(`allow_httpd_dbus_avahi',` ++ avahi_dbus_chat(httpd_t) ++ ') ++') ++optional_policy(` + kerberos_use(httpd_t) + kerberos_read_kdc_config(httpd_t) + ') +@@ -461,7 +558,6 @@ optional_policy(` nagios_read_config(httpd_t) @@ -3598,7 +3667,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -512,10 +599,16 @@ +@@ -481,6 +577,7 @@ + ') + + optional_policy(` ++ files_dontaudit_rw_usr_dirs(httpd_t) + snmp_dontaudit_read_snmp_var_lib_files(httpd_t) + snmp_dontaudit_write_snmp_var_lib_files(httpd_t) + ') +@@ -512,10 +609,16 @@ tunable_policy(`httpd_tty_comm',` # cjp: this is redundant: term_use_controlling_term(httpd_helper_t) @@ -3616,7 +3693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -567,7 +660,6 @@ +@@ -567,7 +670,6 @@ allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; 
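Review bot: `dbus_send_system_bus(httpd_t)` is granted unconditionally inside the new optional_policy block while only the avahi chat is gated by `allow_httpd_dbus_avahi`, so a default install already lets httpd send on the system bus with the boolean off; if the bus access exists only for the avahi case, move it inside the tunable_policy, otherwise a comment saying why it must be unconditional would help. The closing `')` and the following `optional_policy(`` for kerberos are also joined with no blank line, unlike every other block in this file; insert a blank line between them. The earlier version of the patch had this block appended at the end of the file, so moving it into the httpd section is the right direction.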
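Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is placed inside the snmp `optional_policy` block, so it is only compiled when the snmp module is present even though nothing in it references snmp types; if the denial it hides comes from httpd itself it belongs with the other unconditional files_ rules for httpd_t, and if it really comes from the snmp path a comment such as `# snmp helpers try to write under /usr; silence, do not allow` would justify the placement. Either way a dontaudit on write attempts to /usr directories removes an audit signal worth keeping, so the narrowest scope is preferable.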
@@ -3624,7 +3701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -581,6 +673,10 @@ +@@ -581,6 +683,10 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -3635,7 +3712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -606,6 +702,10 @@ +@@ -606,6 +712,10 @@ miscfiles_read_localization(httpd_suexec_t) @@ -3646,7 +3723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; allow httpd_suexec_t self:udp_socket create_socket_perms; -@@ -620,10 +720,13 @@ +@@ -620,10 +730,13 @@ corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) @@ -3661,7 +3738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -634,6 +737,12 @@ +@@ -634,6 +747,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -3674,7 +3751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -651,18 +760,6 @@ +@@ -651,18 +770,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -3693,7 +3770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -672,7 +769,8 @@ +@@ -672,7 +779,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -3703,7 +3780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -686,15 +784,66 @@ +@@ -686,15 +794,66 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -3719,15 +3796,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') + +tunable_policy(`httpd_use_nfs', ` - fs_read_nfs_files(httpd_sys_script_t) - fs_read_nfs_symlinks(httpd_sys_script_t) - ') - -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) +') + ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) + ') + +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; @@ -3771,7 +3848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -711,6 +860,19 @@ +@@ -711,6 +870,19 @@ ######################################## # 
@@ -3791,7 +3868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_rotatelogs local policy # -@@ -728,3 +890,27 @@ +@@ -728,3 +900,20 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -3802,6 +3879,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + +files_search_var_lib(httpd_bugzilla_script_t) + ++mta_send_mail(httpd_bugzilla_script_t) ++ +optional_policy(` + mysql_search_db(httpd_bugzilla_script_t) + mysql_stream_connect(httpd_bugzilla_script_t) @@ -3810,15 +3889,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) +') -+ -+ -+optional_policy(` -+ dbus_system_bus_client_template(httpd,httpd_t) -+ dbus_send_system_bus(httpd_t) -+ tunable_policy(`allow_httpd_dbus_avahi',` -+ avahi_dbus_chat(httpd_t) -+ ') -+') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.6/policy/modules/services/apcupsd.fc --- nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-07-25 10:37:42.000000000 -0400 +++ serefpolicy-3.0.6/policy/modules/services/apcupsd.fc 2007-08-22 08:03:53.000000000 -0400 
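Review bot: `mta_send_mail(httpd_bugzilla_script_t)` is added unconditionally, while the same domain's database access just below is wrapped in `optional_policy` and comparable network access for httpd_sys_script_t earlier in this file is gated by tunables such as `httpd_enable_cgi && httpd_can_network_connect_db`; always letting the Bugzilla script domain invoke the mailer may well be the intended default, but the hunk does not say so. A short comment, e.g. `# bugzilla delivers notification mail through the local MTA`, or a tunable consistent with the rest of the file, would make the intent explicit. The httpd_bugzilla_script_t section continues before and after the hunk.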
@@ -5028,6 +5098,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.6/policy/modules/services/dnsmasq.te +--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-07-25 10:37:42.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/services/dnsmasq.te 2007-08-27 10:56:52.000000000 -0400 +@@ -94,3 +94,8 @@ + optional_policy(` + udev_read_db(dnsmasq_t) + ') ++ ++optional_policy(` ++ virt_read_lib_files(dnsmasq_t) ++ virt_append_lib_files(dnsmasq_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.6/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-29 14:10:57.000000000 -0400 +++ serefpolicy-3.0.6/policy/modules/services/dovecot.fc 2007-08-22 08:03:53.000000000 -0400 @@ -6255,7 +6337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.6/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/services/ntp.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/services/ntp.te 2007-08-24 16:30:03.000000000 -0400 @@ -25,6 +25,12 @@ type ntpdate_exec_t; init_system_domain(ntpd_t,ntpdate_exec_t) @@ -6304,7 +6386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_sysadm_home_dirs(ntpd_t) userdom_dontaudit_list_sysadm_home_dirs(ntpd_t) -@@ -126,9 +139,14 @@ +@@ -122,6 +135,10 @@ ') optional_policy(` 
@@ -6312,9 +6394,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. +') + +optional_policy(` - seutil_sigchld_newrole(ntpd_t) + logrotate_exec(ntpd_t) ') +@@ -132,3 +149,4 @@ optional_policy(` udev_read_db(ntpd_t) ') @@ -7822,7 +7905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.6/policy/modules/services/soundserver.te --- nsaserefpolicy/policy/modules/services/soundserver.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/services/soundserver.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/services/soundserver.te 2007-08-24 16:10:39.000000000 -0400 @@ -10,9 +10,6 @@ type soundd_exec_t; init_daemon_domain(soundd_t,soundd_exec_t) @@ -7833,7 +7916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun type soundd_state_t; files_type(soundd_state_t) -@@ -28,20 +25,28 @@ +@@ -28,20 +25,24 @@ ######################################## # @@ -7852,10 +7935,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun +allow soundd_t self:capability { dac_override }; + +fs_getattr_all_fs(soundd_t) -+ -+optional_policy(` -+ alsa_domtrans(soundd_t) -+') + # for yiff allow soundd_t self:shm create_shm_perms; @@ -7867,7 +7946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t) manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t) -@@ -55,8 +60,10 @@ +@@ -55,8 +56,10 @@ manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t) fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) 
@@ -7879,6 +7958,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun kernel_read_kernel_sysctls(soundd_t) kernel_list_proc(soundd_t) +@@ -99,6 +102,10 @@ + userdom_dontaudit_search_sysadm_home_dirs(soundd_t) + + optional_policy(` ++ alsa_domtrans(soundd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(soundd_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.6/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-06-11 16:05:30.000000000 -0400 +++ serefpolicy-3.0.6/policy/modules/services/spamassassin.fc 2007-08-22 08:03:53.000000000 -0400 @@ -9189,8 +9279,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.6/policy/modules/system/brctl.te --- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.6/policy/modules/system/brctl.te 2007-08-22 08:03:53.000000000 -0400 -@@ -0,0 +1,50 @@ ++++ serefpolicy-3.0.6/policy/modules/system/brctl.te 2007-08-27 10:44:36.000000000 -0400 +@@ -0,0 +1,51 @@ +policy_module(brctl,1.0.0) + +######################################## @@ -9213,6 +9303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. +allow brctl_t self:tcp_socket create_socket_perms; +allow brctl_t self:unix_dgram_socket create_socket_perms; + ++dev_write_sysfs_dirs(brctl_t) +dev_rw_sysfs(brctl_t) + +# Init script handling 
@@ -9409,7 +9500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fuserm + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.0.6/policy/modules/system/getty.te --- nsaserefpolicy/policy/modules/system/getty.te 2007-08-22 07:14:13.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/system/getty.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/system/getty.te 2007-08-27 10:45:03.000000000 -0400 @@ -33,7 +33,8 @@ # @@ -9803,7 +9894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.0.6/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2007-08-22 07:14:11.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/system/iptables.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/system/iptables.te 2007-08-27 10:45:25.000000000 -0400 @@ -44,6 +44,8 @@ corenet_relabelto_all_packets(iptables_t) 
@@ -9821,20 +9912,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl libs_use_ld_so(iptables_t) libs_use_shared_libs(iptables_t) -@@ -96,10 +99,6 @@ +@@ -96,11 +99,11 @@ ') optional_policy(` - nscd_socket_use(iptables_t) --') -- --optional_policy(` - ppp_dontaudit_use_fds(iptables_t) ++ ppp_dontaudit_use_fds(iptables_t) ') + optional_policy(` +- ppp_dontaudit_use_fds(iptables_t) ++ rhgb_dontaudit_use_ptys(iptables_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.6/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-08-02 08:17:28.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/system/libraries.fc 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/system/libraries.fc 2007-08-27 10:58:43.000000000 -0400 @@ -65,11 +65,12 @@ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -9867,7 +9961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # vmware -@@ -284,3 +289,7 @@ +@@ -284,3 +289,8 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) 
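Review bot: The net effect of the rewritten iptables.te hunk is that iptables_t loses `nscd_socket_use(iptables_t)` and gains `rhgb_dontaudit_use_ptys(iptables_t)`, but it is expressed as two in-place substitutions (nscd→ppp, ppp→rhgb) inside existing blocks, which is hard to read and easy to get wrong on the next rebase; deleting the nscd block and appending a new rhgb block would say the same thing plainly. If iptables rules reference hostnames that are resolved through nscd, dropping the nscd call will presumably surface new denials, so if the removal is intentional a comment saying why would stop it being re-added later.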
@@ -9875,6 +9969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib64/mozilla/plugins/libvlcplugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) ++/usr/lib/libtheora\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.6/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-08-02 08:17:28.000000000 -0400 +++ serefpolicy-3.0.6/policy/modules/system/libraries.te 2007-08-22 08:03:53.000000000 -0400 @@ -10437,7 +10532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.6/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2007-08-22 07:14:12.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/system/modutils.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/system/modutils.te 2007-08-24 16:32:27.000000000 -0400 @@ -42,7 +42,7 @@ # insmod local policy # @@ -10544,7 +10639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.6/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-08-22 07:14:13.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/system/mount.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/system/mount.te 2007-08-24 16:33:07.000000000 -0400 @@ -8,6 +8,13 @@ ## 
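Review bot: `/usr/lib/libtheora\.so.*` is appended after the `/var/cache/ldconfig` entry, out of the path-sorted order the rest of libraries.fc keeps, and it matches only /usr/lib even though the file's other textrel entries use `/usr/lib(64)?/...` (for example the M2Crypto line in the previous hunk); on x86_64 the copy under /usr/lib64 would keep lib_t and its text relocation would presumably still be denied. The file's idiom for versioned shared objects is `\.so(\.[^/]*)*` rather than `\.so.*`. Suggest `/usr/lib(64)?/libtheora\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` placed alongside the other /usr/lib entries.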
@@ -11695,7 +11790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +corecmd_exec_all_executables(unconfined_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.6/policy/modules/system/userdomain.if ---- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-22 07:14:12.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 +++ serefpolicy-3.0.6/policy/modules/system/userdomain.if 2007-08-22 08:03:53.000000000 -0400 @@ -62,6 +62,10 @@ @@ -11719,22 +11814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -183,14 +191,6 @@ - read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t) - files_list_home($1_t) - -- # privileged home directory writers -- manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) -- manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) -- filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) -- - tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs_dirs($1_t) - fs_read_nfs_files($1_t) -@@ -323,13 +323,19 @@ +@@ -315,13 +323,19 @@ ## # template(`userdom_exec_home_template',` @@ -11757,7 +11837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_exec_cifs_files($1_t) ') ') -@@ -403,7 +409,9 @@ +@@ -395,7 +409,9 @@ ## # template(`userdom_exec_tmp_template',` 
@@ -11768,7 +11848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -517,10 +525,6 @@ +@@ -509,10 +525,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -11779,7 +11859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -538,9 +542,6 @@ +@@ -530,9 +542,6 @@ ## # template(`userdom_basic_networking_template',` @@ -11789,7 +11869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; -@@ -571,32 +572,29 @@ +@@ -563,32 +572,29 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -11843,7 +11923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -672,67 +670,39 @@ +@@ -664,67 +670,39 @@ attribute unpriv_userdomain; ') @@ -11914,7 +11994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_exec_etc_files($1_t) files_search_locks($1_t) # Check to see if cdrom is mounted -@@ -745,12 +715,6 @@ +@@ -737,12 +715,6 @@ # Stat lost+found. files_getattr_lost_found_dirs($1_t) @@ -11927,7 +12007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) selinux_validate_context($1_t) -@@ -763,31 +727,16 @@ +@@ -755,31 +727,16 @@ storage_getattr_fixed_disk_dev($1_t) auth_read_login_records($1_t) @@ -11961,7 +12041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) seutil_exec_checkpolicy($1_t) seutil_exec_setfiles($1_t) -@@ -802,19 +751,12 @@ +@@ -794,19 +751,12 @@ files_read_default_symlinks($1_t) files_read_default_sockets($1_t) files_read_default_pipes($1_t) 
@@ -11981,7 +12061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` alsa_read_rw_config($1_t) ') -@@ -829,11 +771,6 @@ +@@ -821,11 +771,6 @@ ') optional_policy(` @@ -11993,7 +12073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:dbus send_msg; dbus_system_bus_client_template($1,$1_t) -@@ -842,21 +779,18 @@ +@@ -834,21 +779,18 @@ ') optional_policy(` @@ -12019,7 +12099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -884,17 +818,17 @@ +@@ -876,17 +818,17 @@ ') optional_policy(` @@ -12045,7 +12125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -908,16 +842,6 @@ +@@ -900,16 +842,6 @@ ') optional_policy(` @@ -12062,7 +12142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo resmgr_stream_connect($1_t) ') -@@ -927,11 +851,6 @@ +@@ -919,11 +851,6 @@ ') optional_policy(` @@ -12074,7 +12154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo samba_stream_connect_winbind($1_t) ') -@@ -962,21 +881,162 @@ +@@ -954,21 +881,162 @@ ## ## # @@ -12243,7 +12323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -985,15 +1045,51 @@ +@@ -977,23 +1045,51 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; 
@@ -12288,10 +12368,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + # Declarations # -- corecmd_exec_all_executables($1_t) +- # privileged home directory writers +- manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) +- manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) +- manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) +- manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) +- manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t) +- filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) + # Inherit rules for ordinary users. + userdom_common_user_template($1) -+ + +- corecmd_exec_all_executables($1_t) + ############################## + # + # Local policy @@ -12718,7 +12805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.6/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-08-22 07:14:11.000000000 -0400 -+++ serefpolicy-3.0.6/policy/modules/system/userdomain.te 2007-08-22 08:03:53.000000000 -0400 ++++ serefpolicy-3.0.6/policy/modules/system/userdomain.te 2007-08-27 17:33:50.000000000 -0400 @@ -74,6 +74,9 @@ # users home directory contents attribute home_type; @@ -12766,6 +12853,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo apache_run_helper(sysadm_t,sysadm_r,admin_terminal) #apache_run_all_scripts(sysadm_t,sysadm_r) #apache_domtrans_sys_script(sysadm_t) +@@ -278,7 +283,7 @@ + ') + + optional_policy(` +- certwatach_run(sysadm_t,sysadm_r,admin_terminal) ++ certwatch_run(sysadm_t,sysadm_r,admin_terminal) + ') + + optional_policy(` @@ -286,14 +291,6 @@ ') 
@@ -12816,6 +12912,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +tunable_policy(`allow_console_login', ` + term_use_console(userdomain) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.0.6/policy/modules/system/virt.fc +--- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.6/policy/modules/system/virt.fc 2007-08-27 10:52:37.000000000 -0400 +@@ -0,0 +1 @@ ++/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.6/policy/modules/system/virt.if +--- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.6/policy/modules/system/virt.if 2007-08-27 10:53:48.000000000 -0400 +@@ -0,0 +1,58 @@ ++## Virtualization ++ ++######################################## ++## ++## Read virt library files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_read_lib_files',` ++ gen_require(` ++ type virt_var_lib_t; ++ ') ++ ++ files_list_var_lib($1) ++ read_files_pattern($1, virt_var_lib_t,virt_var_lib_t) ++') ++ ++######################################## ++## ++## append virt library files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_append_lib_files',` ++ gen_require(` ++ type virt_var_lib_t; ++ ') ++ ++ allow $1 virt_var_lib_t:file append; ++') ++ ++######################################## ++## ++## Allow the specified domain to read/write ++## virt library files. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`virt_rw_lib_files',` ++ gen_require(` ++ type virt_var_lib_t; ++ ') ++ ++ files_list_var_lib($1) ++ rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.6/policy/modules/system/virt.te +--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.6/policy/modules/system/virt.te 2007-08-27 10:52:32.000000000 -0400 +@@ -0,0 +1,3 @@ ++# var/lib files ++type virt_var_lib_t; ++files_type(virt_var_lib_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.0.6/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2007-07-03 07:06:32.000000000 -0400 +++ serefpolicy-3.0.6/policy/modules/system/xen.if 2007-08-22 08:03:53.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index a64a27cf..e80025e3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,8 +16,8 @@ %define CHECKPOLICYVER 2.0.3-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.0.6 -Release: 3%{?dist} +Version: 3.0.7 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
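Review bot: `virt_append_lib_files` grants only `allow $1 virt_var_lib_t:file append;` with no search permission on `/var/lib` or on `virt_var_lib_t` directories, unlike `virt_read_lib_files` and `virt_rw_lib_files`, which call `files_list_var_lib($1)` and a `*_files_pattern` macro that also grants directory search, so a caller with no other access to `/var/lib/libvirt` is denied at path lookup before it can append. I would write it in the same shape as its siblings, `files_search_var_lib($1)` followed by `append_files_pattern($1, virt_var_lib_t, virt_var_lib_t)`, assuming that pattern macro exists in this refpolicy version, otherwise an explicit `search_dirs_pattern` plus the `append` rule. Separately, the parameter description of `virt_rw_lib_files` says `Domain allowed to transition.` although the interface performs no domain transition; it should read `Domain allowed access.` as the other two do. Finally, the single `/var/lib/libvirt(/.*)?` entry in `virt.fc` labels everything under that tree, including any guest disk images kept there, as `virt_var_lib_t`, so `virt_rw_lib_files` would hand out read/write on image contents along with libvirt's own state; if images live under this path they deserve their own type.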
@@ -82,8 +82,8 @@ make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \ cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \ -%define moduleList() %([ -f $RPM_SOURCE_DIR/modules-%{1}.conf ] && \ -awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' $RPM_SOURCE_DIR/modules-%{1}.conf ) +%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf ) %define installCmds() \ make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \ @@ -289,6 +289,7 @@ semodule -s targeted -r moilscanner 2>/dev/null %loadpolicy targeted %relabel targeted if [ $1 = 0 ]; then +semanage login -m -s "system_u" __default__ 2> /dev/null semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u semanage user -a -P guest -R guest_r guest_u semanage user -a -P xguest -R xguest_r xguest_u @@ -361,6 +362,9 @@ exit 0 %endif %changelog +* Mon Aug 27 2007 Dan Walsh 3.0.7-1 +- Update an readd modules + * Fri Aug 24 2007 Dan Walsh 3.0.6-3 - Cleanup spec file diff --git a/sources b/sources index 80d4eca7..8ecb5276 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -a5d797f1b43fd89f8f815f5cd2664999 serefpolicy-3.0.6.tgz +cf3ad58b7f285398e7b19a9f2d097f8e serefpolicy-3.0.7.tgz
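Review bot: The awk filter in `moduleList` carries a pre-existing quoting slip on the new side: `$1 !~ "/^#/"` matches against the string `/^#/`, i.e. the literal characters slash, caret, hash, slash, not the regex `^#`, so the comment test never rejects anything. It is masked because the `# Layer:`/`# Module:` comment lines have `Layer:` or `Module:` in `$2` and are dropped by `$2 == "="`, but a commented-out entry written as `#foo = module` still satisfies `$2 == "=" && $3 == "module"` and would be emitted as `-i #foo.pp`. The fix is a regex literal: `$1 !~ /^#/ && $2 == "=" && $3 == "module"`.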
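Review bot: The added `semanage login -m -s "system_u" __default__ 2> /dev/null` has no comment, and it sits directly above the lines that create `unconfined_u`, `guest_u` and `xguest_u`, so a reader cannot tell why the catch-all login mapping is pointed at `system_u` instead of the newly created `unconfined_u`; it needs a one-line comment giving the reason, e.g. `# __default__: logins with no explicit mapping get system_u (deliberately not unconfined_u; <reason>)`, or the user name corrected if `unconfined_u` was intended. `-m` only modifies an existing record and fails when `__default__` is not yet defined, and `2> /dev/null` discards that failure together with any other semanage error, so the mapping can silently remain whatever it was before; `semanage login -m -s system_u __default__ 2>/dev/null || semanage login -a -s system_u __default__` would at least make the intent robust, or the error should be logged rather than dropped. The enclosing `if [ $1 = 0 ]` block begins outside the hunk, so which scriptlet this runs in is not visible here.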