- Fix role transition from unconfined_r to system_r when running rpm

- Allow unconfined_domains to communicate with user dbus instances
This commit is contained in:
Daniel J Walsh 2007-12-30 14:55:38 +00:00
parent 5d13344539
commit ed3c8b6ddb

View File

@ -2437,7 +2437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
# /bin # /bin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2007-12-24 06:47:25.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2007-12-26 18:15:18.000000000 -0500
@@ -35,7 +35,10 @@ @@ -35,7 +35,10 @@
template(`mozilla_per_role_template',` template(`mozilla_per_role_template',`
gen_require(` gen_require(`
@ -4446,7 +4446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/apache.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/apache.te 2007-12-26 19:16:19.000000000 -0500
@@ -20,6 +20,8 @@ @@ -20,6 +20,8 @@
# Declarations # Declarations
# #
@ -4643,7 +4643,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',` tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use; allow httpd_sys_script_t httpd_t:fd use;
@@ -437,8 +505,14 @@ @@ -425,6 +493,10 @@
')
optional_policy(`
+ application_exec(httpd_t)
+')
+
+optional_policy(`
calamaris_read_www_files(httpd_t)
')
@@ -437,8 +509,14 @@
') ')
optional_policy(` optional_policy(`
@ -4659,7 +4670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
') ')
optional_policy(` optional_policy(`
@@ -450,19 +524,13 @@ @@ -450,19 +528,13 @@
') ')
optional_policy(` optional_policy(`
@ -4680,7 +4691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
') ')
optional_policy(` optional_policy(`
@@ -472,13 +540,14 @@ @@ -472,13 +544,14 @@
openca_kill(httpd_t) openca_kill(httpd_t)
') ')
@ -4699,7 +4710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
') ')
optional_policy(` optional_policy(`
@@ -486,6 +555,7 @@ @@ -486,6 +559,7 @@
') ')
optional_policy(` optional_policy(`
@ -4707,7 +4718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
') ')
@@ -521,6 +591,13 @@ @@ -521,6 +595,13 @@
userdom_use_sysadm_terms(httpd_helper_t) userdom_use_sysadm_terms(httpd_helper_t)
') ')
@ -4721,7 +4732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
######################################## ########################################
# #
# Apache PHP script local policy # Apache PHP script local policy
@@ -550,18 +627,24 @@ @@ -550,18 +631,24 @@
fs_search_auto_mountpoints(httpd_php_t) fs_search_auto_mountpoints(httpd_php_t)
@ -4749,7 +4760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
') ')
######################################## ########################################
@@ -585,6 +668,8 @@ @@ -585,6 +672,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -4758,7 +4769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
kernel_read_kernel_sysctls(httpd_suexec_t) kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t) kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t)
@@ -638,6 +723,12 @@ @@ -638,6 +727,12 @@
fs_exec_nfs_files(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t)
') ')
@ -4771,7 +4782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t)
@@ -655,10 +746,6 @@ @@ -655,10 +750,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
') ')
@ -4782,7 +4793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
######################################## ########################################
# #
# Apache system script local policy # Apache system script local policy
@@ -668,7 +755,8 @@ @@ -668,7 +759,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search; dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -4792,7 +4803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
@@ -682,15 +770,44 @@ @@ -682,15 +774,44 @@
# Should we add a boolean? # Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t) apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -4804,15 +4815,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', ` +tunable_policy(`httpd_use_nfs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t)
') ')
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms;
@ -4838,7 +4849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -700,9 +817,15 @@ @@ -700,9 +821,15 @@
clamav_domtrans_clamscan(httpd_sys_script_t) clamav_domtrans_clamscan(httpd_sys_script_t)
') ')
@ -4854,7 +4865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
') ')
######################################## ########################################
@@ -724,3 +847,46 @@ @@ -724,3 +851,46 @@
logging_search_logs(httpd_rotatelogs_t) logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t)
@ -5473,7 +5484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.5/policy/modules/services/cron.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.5/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/services/cron.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cron.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/cron.te 2007-12-27 07:19:39.000000000 -0500
@@ -50,6 +50,7 @@ @@ -50,6 +50,7 @@
type crond_tmp_t; type crond_tmp_t;
@ -5532,7 +5543,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
files_read_etc_files(crond_t) files_read_etc_files(crond_t)
files_read_generic_spool(crond_t) files_read_generic_spool(crond_t)
@@ -148,7 +156,9 @@ @@ -142,13 +150,16 @@
files_search_default(crond_t)
init_rw_utmp(crond_t)
+init_spec_domtrans_script(crond_t)
auth_use_nsswitch(crond_t)
libs_use_ld_so(crond_t) libs_use_ld_so(crond_t)
libs_use_shared_libs(crond_t) libs_use_shared_libs(crond_t)
@ -5542,7 +5560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
seutil_read_config(crond_t) seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t) seutil_read_default_contexts(crond_t)
@@ -163,9 +173,6 @@ @@ -163,9 +174,6 @@
mta_send_mail(crond_t) mta_send_mail(crond_t)
ifdef(`distro_debian',` ifdef(`distro_debian',`
@ -5552,7 +5570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
optional_policy(` optional_policy(`
# Debian logcheck has the home dir set to its cache # Debian logcheck has the home dir set to its cache
logwatch_search_cache_dir(crond_t) logwatch_search_cache_dir(crond_t)
@@ -180,21 +187,45 @@ @@ -180,21 +188,45 @@
') ')
') ')
@ -5599,7 +5617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
') ')
optional_policy(` optional_policy(`
@@ -267,9 +298,16 @@ @@ -267,9 +299,16 @@
filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file }) filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
@ -5617,7 +5635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
kernel_read_kernel_sysctls(system_crond_t) kernel_read_kernel_sysctls(system_crond_t)
kernel_read_system_state(system_crond_t) kernel_read_system_state(system_crond_t)
@@ -323,7 +361,7 @@ @@ -323,7 +362,7 @@
init_read_utmp(system_crond_t) init_read_utmp(system_crond_t)
init_dontaudit_rw_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit # prelink tells init to restart it self, we either need to allow or dontaudit
@ -5626,7 +5644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
auth_use_nsswitch(system_crond_t) auth_use_nsswitch(system_crond_t)
@@ -333,6 +371,7 @@ @@ -333,6 +372,7 @@
libs_exec_ld_so(system_crond_t) libs_exec_ld_so(system_crond_t)
logging_read_generic_logs(system_crond_t) logging_read_generic_logs(system_crond_t)
@ -5634,7 +5652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
logging_send_syslog_msg(system_crond_t) logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t) miscfiles_read_localization(system_crond_t)
@@ -383,6 +422,14 @@ @@ -383,6 +423,14 @@
') ')
optional_policy(` optional_policy(`
@ -5649,7 +5667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
mrtg_append_create_logs(system_crond_t) mrtg_append_create_logs(system_crond_t)
') ')
@@ -415,8 +462,7 @@ @@ -415,8 +463,7 @@
') ')
optional_policy(` optional_policy(`
@ -5659,7 +5677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
') ')
optional_policy(` optional_policy(`
@@ -424,8 +470,13 @@ @@ -424,8 +471,13 @@
') ')
optional_policy(` optional_policy(`
@ -6031,8 +6049,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
-') -')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2007-12-24 06:16:06.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2007-12-30 09:53:47.000000000 -0500
@@ -91,7 +91,9 @@ @@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
class dbus { send_msg acquire_svc };
+ attribute dbusd_unconfined;
')
##############################
@@ -84,6 +85,9 @@
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+ allow dbusd_unconfined $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $1_dbusd_t dbusd_unconfined:dbus send_msg;
+
# For connecting to the bus
allow $2 $1_dbusd_t:unix_stream_socket connectto;
type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
@@ -91,7 +95,9 @@
# SE-DBus specific permissions # SE-DBus specific permissions
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
allow $2 $1_dbusd_t:dbus { send_msg acquire_svc }; allow $2 $1_dbusd_t:dbus { send_msg acquire_svc };
@ -6043,7 +6079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t) read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t)
@@ -104,8 +106,7 @@ @@ -104,8 +110,7 @@
domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t) domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
allow $2 $1_dbusd_t:process { sigkill signal }; allow $2 $1_dbusd_t:process { sigkill signal };
@ -6053,7 +6089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
allow $1_dbusd_t $2:process sigkill; allow $1_dbusd_t $2:process sigkill;
allow $2 $1_dbusd_t:fd use; allow $2 $1_dbusd_t:fd use;
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms; allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
@@ -161,7 +162,9 @@ @@ -161,7 +166,9 @@
seutil_read_config($1_dbusd_t) seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t)
@ -6064,7 +6100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
ifdef(`hide_broken_symptoms', ` ifdef(`hide_broken_symptoms', `
dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write }; dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
@@ -214,7 +217,7 @@ @@ -214,7 +221,7 @@
# SE-DBus specific permissions # SE-DBus specific permissions
# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; # allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
@ -6073,7 +6109,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($2) files_search_var_lib($2)
@@ -263,6 +266,7 @@ @@ -251,6 +258,7 @@
template(`dbus_user_bus_client_template',`
gen_require(`
type $1_dbusd_t;
+ attribute dbusd_unconfined;
class dbus send_msg;
')
@@ -263,6 +271,7 @@
# For connecting to the bus # For connecting to the bus
allow $3 $1_dbusd_t:unix_stream_socket connectto; allow $3 $1_dbusd_t:unix_stream_socket connectto;
@ -6081,7 +6125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
') ')
######################################## ########################################
@@ -292,6 +296,59 @@ @@ -292,6 +301,59 @@
######################################## ########################################
## <summary> ## <summary>
@ -6141,7 +6185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
## Read dbus configuration. ## Read dbus configuration.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -366,3 +423,53 @@ @@ -366,3 +428,53 @@
allow $1 system_dbusd_t:dbus *; allow $1 system_dbusd_t:dbus *;
') ')
@ -7328,7 +7372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
+files_type(mailscanner_spool_t) +files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500 --- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mta.if 2007-12-27 11:44:00.000000000 -0500
@@ -133,6 +133,12 @@ @@ -133,6 +133,12 @@
sendmail_create_log($1_mail_t) sendmail_create_log($1_mail_t)
') ')
@ -7415,7 +7459,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
') ')
optional_policy(` optional_policy(`
@@ -438,20 +491,18 @@ @@ -422,6 +475,7 @@
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
+ apache_append_log($1)
')
')
@@ -438,20 +492,18 @@
interface(`mta_send_mail',` interface(`mta_send_mail',`
gen_require(` gen_require(`
attribute mta_user_agent; attribute mta_user_agent;
@ -7442,7 +7494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
') ')
######################################## ########################################
@@ -586,6 +637,25 @@ @@ -586,6 +638,25 @@
files_search_etc($1) files_search_etc($1)
allow $1 etc_aliases_t:file { rw_file_perms setattr }; allow $1 etc_aliases_t:file { rw_file_perms setattr };
') ')
@ -7468,6 +7520,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
####################################### #######################################
## <summary> ## <summary>
@@ -837,6 +908,25 @@
########################################
## <summary>
+## read mail queue files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_read_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## mail queue files.
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mta.te 2007-12-19 05:38:09.000000000 -0500
@ -7878,13 +7956,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+/var/log/wpa_supplicant\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0) +/var/log/wpa_supplicant\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-26 20:31:36.000000000 -0500
@@ -13,6 +13,9 @@ @@ -13,6 +13,9 @@
type NetworkManager_var_run_t; type NetworkManager_var_run_t;
files_pid_file(NetworkManager_var_run_t) files_pid_file(NetworkManager_var_run_t)
+type NetworkManager_log_t; +type NetworkManager_log_t;
+files_pid_file(NetworkManager_log_t) +logging_log_file(NetworkManager_log_t)
+ +
######################################## ########################################
# #
@ -8891,8 +8969,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
optional_policy(` optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2007-12-26 18:16:54.000000000 -0500
@@ -133,3 +133,7 @@ @@ -129,7 +129,12 @@
corenet_udp_bind_generic_port(procmail_t)
corenet_dontaudit_udp_bind_all_ports(procmail_t)
+ spamassassin_read_user_home_files(procmail_t)
spamassassin_exec(procmail_t)
spamassassin_exec_client(procmail_t) spamassassin_exec_client(procmail_t)
spamassassin_read_lib_files(procmail_t) spamassassin_read_lib_files(procmail_t)
') ')
@ -8942,7 +9025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
######################################## ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-27 11:44:33.000000000 -0500
@@ -28,6 +28,9 @@ @@ -28,6 +28,9 @@
type pyzor_var_lib_t; type pyzor_var_lib_t;
files_type(pyzor_var_lib_t) files_type(pyzor_var_lib_t)
@ -8953,6 +9036,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
######################################## ########################################
# #
# Pyzor local policy # Pyzor local policy
@@ -68,6 +71,8 @@
miscfiles_read_localization(pyzor_t)
+mta_read_queue(pyzor_t)
+
userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400 --- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500
@ -10149,7 +10241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400 --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2007-12-26 18:16:14.000000000 -0500
@@ -38,6 +38,8 @@ @@ -38,6 +38,8 @@
gen_require(` gen_require(`
type spamc_exec_t, spamassassin_exec_t; type spamc_exec_t, spamassassin_exec_t;
@ -10253,7 +10345,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
kernel_read_kernel_sysctls($1_spamassassin_t) kernel_read_kernel_sysctls($1_spamassassin_t)
@@ -528,3 +526,21 @@ @@ -407,6 +405,40 @@
########################################
## <summary>
+## Read spamassassin per user homedir
+## </summary>
+## <desc>
+## <p>
+## Read spamassassin per user homedir
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+template(`spamassassin_read_user_home_files',`
+ gen_require(`
+ type user_spamassassin_home_t;
+ ')
+
+ allow $1 user_spamassassin_home_t:dir list_dir_perms;
+ allow $1 user_spamassassin_home_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Execute the spamassassin client
## program in the caller directory.
## </summary>
@@ -469,6 +501,7 @@
')
files_search_var_lib($1)
+ read_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
')
@@ -528,3 +561,22 @@
dontaudit $1 spamd_tmp_t:sock_file getattr; dontaudit $1 spamd_tmp_t:sock_file getattr;
') ')
@ -10275,6 +10416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+ +
+ stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t) + stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t)
+') +')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2007-12-19 05:38:09.000000000 -0500
@ -10812,7 +10954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2007-12-27 11:37:04.000000000 -0500
@@ -45,7 +45,7 @@ @@ -45,7 +45,7 @@
# execheap needed until the X module loader is fixed. # execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack # NVIDIA Needs execstack
@ -10822,7 +10964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dontaudit $1_xserver_t self:capability chown; dontaudit $1_xserver_t self:capability chown;
allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_xserver_t self:memprotect mmap_zero; allow $1_xserver_t self:memprotect mmap_zero;
@@ -115,8 +115,7 @@ @@ -115,18 +115,23 @@
dev_rw_agp($1_xserver_t) dev_rw_agp($1_xserver_t)
dev_rw_framebuffer($1_xserver_t) dev_rw_framebuffer($1_xserver_t)
dev_manage_dri_dev($1_xserver_t) dev_manage_dri_dev($1_xserver_t)
@ -10832,7 +10974,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# raw memory access is needed if not using the frame buffer # raw memory access is needed if not using the frame buffer
dev_read_raw_memory($1_xserver_t) dev_read_raw_memory($1_xserver_t)
dev_wx_raw_memory($1_xserver_t) dev_wx_raw_memory($1_xserver_t)
@@ -125,8 +124,13 @@ # for other device nodes such as the NVidia binary-only driver
dev_rw_xserver_misc($1_xserver_t)
+ dev_setattr_xserver_misc_dev($1_xserver_t)
# read events - the synaptics touchpad driver reads raw events # read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t) dev_rw_input_dev($1_xserver_t)
dev_rwx_zero($1_xserver_t) dev_rwx_zero($1_xserver_t)
@ -10846,7 +10990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files($1_xserver_t) files_read_etc_files($1_xserver_t)
files_read_etc_runtime_files($1_xserver_t) files_read_etc_runtime_files($1_xserver_t)
@@ -140,12 +144,16 @@ @@ -140,12 +145,16 @@
fs_getattr_xattr_fs($1_xserver_t) fs_getattr_xattr_fs($1_xserver_t)
fs_search_nfs($1_xserver_t) fs_search_nfs($1_xserver_t)
fs_search_auto_mountpoints($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t)
@ -10864,7 +11008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_unallocated_ttys($1_xserver_t) term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t)
@@ -232,39 +240,26 @@ @@ -232,39 +241,26 @@
# Declarations # Declarations
# #
@ -10911,7 +11055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
############################## ##############################
# #
# $1_xserver_t Local policy # $1_xserver_t Local policy
@@ -272,12 +267,15 @@ @@ -272,12 +268,15 @@
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
@ -10928,7 +11072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t) manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
manage_files_pattern($2,$1_fonts_t,$1_fonts_t) manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
@@ -307,6 +305,7 @@ @@ -307,6 +306,7 @@
userdom_use_user_ttys($1,$1_xserver_t) userdom_use_user_ttys($1,$1_xserver_t)
userdom_setattr_user_ttys($1,$1_xserver_t) userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t) userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@ -10936,7 +11080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_use_user_fonts($1,$1_xserver_t) xserver_use_user_fonts($1,$1_xserver_t)
xserver_rw_xdm_tmp_files($1_xauth_t) xserver_rw_xdm_tmp_files($1_xauth_t)
@@ -330,12 +329,12 @@ @@ -330,12 +330,12 @@
allow $1_xauth_t self:process signal; allow $1_xauth_t self:process signal;
allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
@ -10954,7 +11098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domtrans_pattern($2, xauth_exec_t, $1_xauth_t) domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
@@ -344,12 +343,6 @@ @@ -344,12 +344,6 @@
# allow ps to show xauth # allow ps to show xauth
ps_process_pattern($2,$1_xauth_t) ps_process_pattern($2,$1_xauth_t)
@ -10967,7 +11111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domain_use_interactive_fds($1_xauth_t) domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t) files_read_etc_files($1_xauth_t)
@@ -378,6 +371,14 @@ @@ -378,6 +372,14 @@
') ')
optional_policy(` optional_policy(`
@ -10982,7 +11126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ssh_sigchld($1_xauth_t) ssh_sigchld($1_xauth_t)
ssh_read_pipes($1_xauth_t) ssh_read_pipes($1_xauth_t)
ssh_dontaudit_rw_tcp_sockets($1_xauth_t) ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
@@ -390,16 +391,16 @@ @@ -390,16 +392,16 @@
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
@ -11004,7 +11148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_search_auto_mountpoints($1_iceauth_t) fs_search_auto_mountpoints($1_iceauth_t)
@@ -523,17 +524,16 @@ @@ -523,17 +525,16 @@
template(`xserver_user_client_template',` template(`xserver_user_client_template',`
gen_require(` gen_require(`
@ -11029,7 +11173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system # for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use; allow $2 xdm_t:fd use;
@@ -542,25 +542,55 @@ @@ -542,25 +543,55 @@
allow $2 xdm_tmp_t:sock_file { read write }; allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write }; dontaudit $2 xdm_t:tcp_socket { read write };
@ -11093,7 +11237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
') ')
@@ -613,6 +643,24 @@ @@ -613,6 +644,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -11118,7 +11262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain. ## Transition to a user Xauthority domain.
## </summary> ## </summary>
## <desc> ## <desc>
@@ -646,6 +694,73 @@ @@ -646,6 +695,73 @@
######################################## ########################################
## <summary> ## <summary>
@ -11192,7 +11336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain. ## Transition to a user Xauthority domain.
## </summary> ## </summary>
## <desc> ## <desc>
@@ -671,10 +786,10 @@ @@ -671,10 +787,10 @@
# #
template(`xserver_user_home_dir_filetrans_user_xauth',` template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(` gen_require(`
@ -11205,7 +11349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -760,7 +875,7 @@ @@ -760,7 +876,7 @@
type xconsole_device_t; type xconsole_device_t;
') ')
@ -11214,7 +11358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -860,6 +975,25 @@ @@ -860,6 +976,25 @@
######################################## ########################################
## <summary> ## <summary>
@ -11240,7 +11384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm-writable configuration files. ## Read xdm-writable configuration files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -914,6 +1048,7 @@ @@ -914,6 +1049,7 @@
files_search_tmp($1) files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms; allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@ -11248,7 +11392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -974,6 +1109,37 @@ @@ -974,6 +1110,37 @@
######################################## ########################################
## <summary> ## <summary>
@ -11286,7 +11430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain. ## Make an X session script an entrypoint for the specified domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1123,7 +1289,7 @@ @@ -1123,7 +1290,7 @@
type xdm_xserver_tmp_t; type xdm_xserver_tmp_t;
') ')
@ -11295,7 +11439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -1312,3 +1478,45 @@ @@ -1312,3 +1479,45 @@
files_search_tmp($1) files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
') ')
@ -12467,8 +12611,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500 --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2007-12-27 11:40:35.000000000 -0500
@@ -292,6 +292,8 @@ @@ -183,6 +183,7 @@
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -242,7 +243,8 @@
# Flash plugin, Macromedia
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -292,6 +294,8 @@
# #
# /var # /var
# #
@ -12477,6 +12639,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -304,3 +308,4 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.5/policy/modules/system/libraries.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.5/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/system/libraries.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/libraries.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/libraries.te 2007-12-19 05:38:09.000000000 -0500
@ -12710,7 +12877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.5/policy/modules/system/logging.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.5/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/system/logging.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/logging.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/logging.te 2007-12-25 07:00:24.000000000 -0500
@@ -61,6 +61,12 @@ @@ -61,6 +61,12 @@
logging_log_file(var_log_t) logging_log_file(var_log_t)
files_mountpoint(var_log_t) files_mountpoint(var_log_t)
@ -12724,7 +12891,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
ifdef(`enable_mls',` ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh) init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
') ')
@@ -202,6 +208,7 @@ @@ -165,6 +171,10 @@
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
optional_policy(`
+ mta_send_mail(auditd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(auditd_t)
')
@@ -202,6 +212,7 @@
fs_getattr_all_fs(klogd_t) fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t) fs_search_auto_mountpoints(klogd_t)