diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.32/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/apps/gpg.fc 2010-01-19 12:03:52.541857693 +0100
@@ -1,5 +1,7 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-01-18 18:24:22.616539953 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2010-01-18 18:27:02.741544960 +0100
@@ -11,6 +11,7 @@
/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-01-18 18:24:22.631540185 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2010-01-19 11:53:14.080857057 +0100
@@ -73,6 +73,7 @@
sysnet_dns_name_resolve(podsleuth_t)
+userdom_read_user_tmpfs_files(podsleuth_t)
userdom_signal_unpriv_users(podsleuth_t)
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-18 18:24:22.648539903 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-18 18:27:02.742545576 +0100
@@ -45,9 +45,10 @@
allow sandbox_x_domain $1:process { sigchld signal };
allow sandbox_x_domain sandbox_x_domain:process signal;
# Dontaudit leaked file descriptors
- dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms;
+ dontaudit sandbox_x_domain $1:fifo_file { read write };
dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
@@ -103,9 +104,10 @@
#
template(`sandbox_x_domain_template',`
gen_require(`
- type xserver_exec_t;
+ type xserver_exec_t, sandbox_devpts_t;
type sandbox_xserver_t;
attribute sandbox_domain, sandbox_x_domain;
+ attribute sandbox_file_type;
')
type $1_t, sandbox_x_domain;
@@ -163,10 +165,6 @@
manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
-
- optional_policy(`
- xserver_common_app($1_t)
- ')
')
########################################
@@ -187,3 +185,39 @@
allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## allow domain to delete sandbox files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_files',`
+ gen_require(`
+ attribute sandbox_file_type;
+ ')
+
+ delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
+')
+
+########################################
+## <summary>
+## allow domain to delete sandbox files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sandbox_delete_dirs',`
+ gen_require(`
+ attribute sandbox_file_type;
+ ')
+
+ delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-18 18:24:22.649539960 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-01-18 18:27:02.743530757 +0100
@@ -10,14 +10,15 @@
#
sandbox_domain_template(sandbox)
+sandbox_x_domain_template(sandbox_min)
sandbox_x_domain_template(sandbox_x)
sandbox_x_domain_template(sandbox_web)
sandbox_x_domain_template(sandbox_net)
type sandbox_xserver_t;
domain_type(sandbox_xserver_t)
-xserver_common_app(sandbox_xserver_t)
permissive sandbox_xserver_t;
+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
type sandbox_xserver_tmpfs_t;
files_tmpfs_file(sandbox_xserver_tmpfs_t)
@@ -92,10 +93,6 @@
')
')
-optional_policy(`
- xserver_common_app(sandbox_xserver_t)
-')
-
########################################
#
# sandbox local policy
@@ -104,7 +101,7 @@
## internal communication is often done using fifo and unix sockets.
allow sandbox_domain self:fifo_file manage_file_perms;
allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
-allow sandbox_domain self:unix_dgram_socket create_socket_perms;
+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
gen_require(`
type usr_t, lib_t, locale_t;
@@ -161,7 +158,7 @@
auth_dontaudit_read_login_records(sandbox_x_domain)
auth_dontaudit_write_login_records(sandbox_x_domain)
-#auth_use_nsswitch(sandbox_x_domain)
+auth_use_nsswitch(sandbox_x_domain)
auth_search_pam_console_data(sandbox_x_domain)
init_read_utmp(sandbox_x_domain)
@@ -179,12 +176,20 @@
miscfiles_read_fonts(sandbox_x_domain)
optional_policy(`
+ cups_stream_connect(sandbox_x_domain)
+ cups_read_rw_config(sandbox_x_domain)
+')
+
+optional_policy(`
gnome_read_gconf_config(sandbox_x_domain)
')
optional_policy(`
- cups_stream_connect(sandbox_x_domain)
- cups_read_rw_config(sandbox_x_domain)
+ nscd_dontaudit_search_pid(sandbox_x_domain)
+')
+
+optional_policy(`
+ sssd_dontaudit_search_lib(sandbox_x_domain)
')
userdom_dontaudit_use_user_terminals(sandbox_x_domain)
@@ -207,7 +212,7 @@
corenet_tcp_connect_ipp_port(sandbox_x_client_t)
-#auth_use_nsswitch(sandbox_x_client_t)
+auth_use_nsswitch(sandbox_x_client_t)
dbus_system_bus_client(sandbox_x_client_t)
dbus_read_config(sandbox_x_client_t)
@@ -267,7 +272,7 @@
corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
corenet_tcp_connect_speech_port(sandbox_web_client_t)
-#auth_use_nsswitch(sandbox_web_client_t)
+auth_use_nsswitch(sandbox_web_client_t)
dbus_system_bus_client(sandbox_web_client_t)
dbus_read_config(sandbox_web_client_t)
@@ -310,7 +315,7 @@
corenet_tcp_connect_all_ports(sandbox_net_client_t)
corenet_sendrecv_all_client_packets(sandbox_net_client_t)
-#auth_use_nsswitch(sandbox_net_client_t)
+auth_use_nsswitch(sandbox_net_client_t)
dbus_system_bus_client(sandbox_net_client_t)
dbus_read_config(sandbox_net_client_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2010-01-18 18:24:22.657540000 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2010-01-18 18:27:02.744541291 +0100
@@ -143,6 +143,10 @@
userdom_unpriv_usertype($1, $1_wine_t)
userdom_manage_tmpfs_role($2, $1_wine_t)
+ tunable_policy(`wine_mmap_zero_ignore',`
+ allow $1_wine_t self:memprotect mmap_zero;
+ ')
+
domain_mmap_low_type($1_wine_t)
tunable_policy(`mmap_low_allowed',`
domain_mmap_low($1_wine_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2010-01-18 18:24:22.664530344 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2010-01-18 18:27:02.745530942 +0100
@@ -6,6 +6,15 @@
# Declarations
#
+## <desc>
+## <p>
+## Ignore wine mmap_zero errors
+## </p>
+## </desc>
+#
+gen_tunable(wine_mmap_zero_ignore, false)
+
+
type wine_t;
type wine_exec_t;
application_domain(wine_t, wine_exec_t)
@@ -29,6 +38,11 @@
manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir })
+tunable_policy(`wine_mmap_zero_ignore',`
+ allow wine_t self:memprotect mmap_zero;
+')
+
+
domain_mmap_low_type(wine_t)
tunable_policy(`mmap_low_allowed',`
domain_mmap_low(wine_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:10:56.565608631 +0100
@@ -92,8 +92,8 @@
network_port(dbskkd, tcp,1178,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dccm, tcp,5679,s0, udp,5679,s0)
-network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,547,s0, tcp, 547,s0)
-network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+network_port(dhcpd, udp,67,s0, udp,547,s0, tcp,547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-18 18:27:02.746530790 +0100
@@ -162,6 +162,8 @@
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
+
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-01-18 18:27:02.749530752 +0100
@@ -3833,6 +3833,24 @@
write_chr_files_pattern($1, device_t, v4l_device_t)
')
+#####################################
+## <summary>
+## Read or write userio device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_userio_dev',`
+ gen_require(`
+ type device_t, userio_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
########################################
## <summary>
## Read and write VMWare devices.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-18 18:24:22.675530137 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-01-18 18:27:02.751530797 +0100
@@ -233,6 +233,12 @@
type usb_device_t;
dev_node(usb_device_t)
+#
+# userio_device_t is the type for /dev/uio[0-9]+
+#
+type userio_device_t;
+dev_node(userio_device_t)
+
type v4l_device_t;
dev_node(v4l_device_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-01-18 18:27:02.752530994 +0100
@@ -2,7 +2,7 @@
# e.g.:
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-01-18 18:27:02.753530981 +0100
@@ -39,6 +39,8 @@
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
role unconfined_r types unconfined_t;
+role_transition system_r unconfined_exec_t unconfined_r;
+allow system_r unconfined_r;
domain_user_exemption_target(unconfined_t)
allow system_r unconfined_r;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-01-18 18:24:22.724546986 +0100
+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-01-18 18:27:02.754531109 +0100
@@ -15,7 +15,7 @@
## <desc>
## <p>
-## Allow xguest to configure Network Manager
+## Allow xguest to configure Network Manager and connect to apache ports
## </p>
## </desc>
gen_tunable(xguest_connect_network, true)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-18 18:27:02.754531109 +0100
@@ -96,6 +96,7 @@
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
+dev_getattr_all_chr_files(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_memory_dev(abrt_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100
+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-18 18:27:02.756530665 +0100
@@ -16,6 +16,7 @@
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
+ type httpd_sys_content_t;
')
#This type is for webpages
type httpd_$1_content_t;
@@ -123,6 +124,8 @@
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+
+ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
')
tunable_policy(`httpd_enable_cgi',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100
+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-01-18 18:30:54.720781297 +0100
@@ -309,7 +309,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-files_var_filetrans(httpd_t, httpd_cache_t, dir)
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-18 18:27:02.757542944 +0100
@@ -31,7 +31,7 @@
#
allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
-allow apcupsd_t self:process signal;
+allow apcupsd_t self:process { signal signull };
allow apcupsd_t self:fifo_file rw_file_perms;
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
allow apcupsd_t self:tcp_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.6.32/policy/modules/services/avahi.fc
--- nsaserefpolicy/policy/modules/services/avahi.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/avahi.fc 2010-01-19 11:57:43.789607625 +0100
@@ -6,4 +6,4 @@
/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
-/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
+/var/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-01-18 18:24:22.771540183 +0100
+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-18 18:27:02.758531199 +0100
@@ -555,6 +555,7 @@
logging_send_syslog_msg(cupsd_lpd_t)
miscfiles_read_localization(cupsd_lpd_t)
+miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
cups_stream_connect(cupsd_lpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100
+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-18 18:32:00.705531307 +0100
@@ -277,6 +277,8 @@
')
tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(dovecot_deliver_t)
+ fs_manage_nfs_dirs(dovecot_t)
fs_manage_nfs_files(dovecot_deliver_t)
fs_manage_nfs_symlinks(dovecot_deliver_t)
fs_manage_nfs_files(dovecot_t)
@@ -284,6 +286,8 @@
')
tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(dovecot_deliver_t)
+ fs_manage_cifs_dirs(dovecot_t)
fs_manage_cifs_files(dovecot_deliver_t)
fs_manage_cifs_symlinks(dovecot_deliver_t)
fs_manage_cifs_files(dovecot_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-01-18 18:24:22.784531151 +0100
+++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if 2010-01-18 18:27:02.761531161 +0100
@@ -138,6 +138,24 @@
dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')
+#######################################
+## <summary>
+## Read and write to an fail2ban unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
+')
+
########################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.6.32/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ftp.if 2010-01-18 18:27:02.762530869 +0100
@@ -115,6 +115,43 @@
role $2 types ftpdctl_t;
')
+######################################
+## <summary>
+## Allow domain dyntransition to sftpd-anon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_dyntransition_sftpd_anon',`
+ gen_require(`
+ type anon_sftpd_t;
+ ')
+
+ allow $1 anon_sftpd_t:process dyntransition;
+')
+
+######################################
+## <summary>
+## Allow domain dyntransition to sftpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_dyntransition_sftpd',`
+ gen_require(`
+ type sftpd_t;
+ ')
+
+ allow $1 sftpd_t:process dyntransition;
+ allow sftpd_t $1:process sigchld;
+')
+
########################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2010-01-18 18:24:22.787539983 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2010-01-18 18:27:02.763531066 +0100
@@ -53,6 +53,39 @@
## </desc>
gen_tunable(ftp_home_dir, false)
+## <desc>
+## <p>
+## Allow anon internal-sftp to upload files, used for
+## public file transfer services. Directories must be labeled
+## public_content_rw_t.
+## </p>
+## </desc>
+gen_tunable(sftpd_anon_write, false)
+
+## <desc>
+## <p>
+## Allow sftp-internal to login to local users and
+## read/write all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(sftpd_full_access, false)
+
+## <desc>
+## <p>
+## Allow interlnal-sftp to read and write files
+## in the user ssh home directories.
+## </p>
+## </desc>
+gen_tunable(sftpd_write_ssh_home, false)
+
+## <desc>
+## <p>
+## Allow sftp-internal to read and write files
+## in the user home directories
+## </p>
+## </desc>
+gen_tunable(sftp_enable_homedirs, false)
+
type ftpd_t;
type ftpd_exec_t;
init_daemon_domain(ftpd_t, ftpd_exec_t)
@@ -93,6 +126,14 @@
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
')
+type sftpd_t;
+domain_type(sftpd_t)
+role system_r types sftpd_t;
+
+type sftpd_anon_t;
+domain_type(sftpd_anon_t)
+role system_r types sftpd_anon_t;
+
########################################
#
# ftpd local policy
@@ -342,3 +383,76 @@
files_read_etc_files(ftpdctl_t)
userdom_use_user_terminals(ftpdctl_t)
+
+#######################################
+#
+# sftpd-anon local policy
+#
+
+files_read_etc_files(sftpd_anon_t)
+
+miscfiles_read_public_files(sftpd_anon_t)
+
+tunable_policy(`sftpd_anon_write',`
+ miscfiles_manage_public_files(sftpd_anon_t)
+')
+
+#######################################
+#
+# sftpd local policy
+#
+
+files_read_etc_files(sftpd_t)
+
+# allow read access to /home by default
+userdom_read_user_home_content_files(sftpd_t)
+userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
+
+tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+ auth_manage_all_files_except_shadow(sftpd_t)
+')
+
+tunable_policy(`sftpd_write_ssh_home',`
+ ssh_manage_user_home_files(sftpd_t)
+')
+
+tunable_policy(`sftp_enable_homedirs',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+
+ # allow access to /home
+ files_list_home(sftpd_t)
+ userdom_read_user_home_content_files(sftpd_t)
+ userdom_manage_user_home_content(sftpd_t)
+
+ auth_read_all_dirs_except_shadow(sftpd_t)
+ auth_read_all_files_except_shadow(sftpd_t)
+ auth_read_all_symlinks_except_shadow(sftpd_t)
+', `
+ # Needed for permissive mode, to make sure everything gets labeled correctly
+ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
+')
+
+tunable_policy(`sftp_enable_homedirs && use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(sftpd_t)
+ fs_manage_nfs_files(sftpd_t)
+ fs_manage_nfs_symlinks(sftpd_t)
+')
+
+tunable_policy(`sftp_enable_homedirs && use_samba_home_dirs',`
+ fs_manage_cifs_dirs(sftpd_t)
+ fs_manage_cifs_files(sftpd_t)
+ fs_manage_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(sftpd_t)
+ fs_read_cifs_symlinks(sftpd_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(sftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2010-01-18 18:24:22.790540016 +0100
+++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-01-18 18:27:02.764531054 +0100
@@ -73,7 +73,7 @@
#
allow gitd_type self:fifo_file rw_fifo_file_perms;
-allow gitd_type self:tcp_socket create_socket_perms;
+allow gitd_type self:tcp_socket create_stream_socket_perms;
allow gitd_type self:udp_socket create_socket_perms;
allow gitd_type self:unix_dgram_socket create_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-01-18 18:24:22.799531033 +0100
+++ serefpolicy-3.6.32/policy/modules/services/kerberos.if 2010-01-19 17:08:35.663632666 +0100
@@ -86,6 +86,7 @@
optional_policy(`
sssd_read_config_files($1)
+ sssd_read_public_files($1)
')
tunable_policy(`allow_kerberos',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2010-01-18 18:24:22.809536705 +0100
+++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2010-01-19 11:45:44.999857263 +0100
@@ -1,5 +1,5 @@
-policy_module(memcached, 1.1.0)
+policy_module(memcached, 1.1.1)
########################################
#
@@ -22,9 +22,12 @@
#
allow memcached_t self:capability { setuid setgid };
+dontaudit memcached_t self:capability sys_tty_config;
+allow memcached_t self:process { fork setrlimit signal_perms };
allow memcached_t self:tcp_socket create_stream_socket_perms;
allow memcached_t self:udp_socket { create_socket_perms listen };
allow memcached_t self:fifo_file rw_fifo_file_perms;
+allow memcached_t self:unix_stream_socket create_stream_socket_perms;
corenet_all_recvfrom_unlabeled(memcached_t)
corenet_udp_sendrecv_generic_if(memcached_t)
@@ -42,12 +45,15 @@
manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
-files_read_etc_files(memcached_t)
-
+kernel_read_kernel_sysctls(memcached_t)
kernel_read_system_state(memcached_t)
+files_read_etc_files(memcached_t)
+
auth_use_nsswitch(memcached_t)
miscfiles_read_localization(memcached_t)
-sysnet_dns_name_resolve(memcached_t)
+term_dontaudit_use_all_user_ptys(memcached_t)
+term_dontaudit_use_all_user_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-18 18:24:22.821530899 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-18 18:27:02.765531460 +0100
@@ -27,26 +27,62 @@
# check disk plugins
/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
# system plugins
-/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
# services plugins
/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
+# unconfined plugins
+/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-18 18:27:02.766531099 +0100
@@ -118,6 +118,9 @@
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)
+
dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100
+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-18 18:27:02.767531435 +0100
@@ -85,6 +85,7 @@
corenet_udp_bind_generic_node(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_tcp_bind_http_port(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_connect_http_cache_port(openvpn_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100
@@ -443,6 +443,7 @@
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
+ spamassassin_kill_client(postfix_pipe_t)
')
optional_policy(`
@@ -486,7 +487,7 @@
')
optional_policy(`
- sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)
+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
')
optional_policy(`
@@ -573,6 +574,8 @@
# Postfix smtp delivery local policy
#
+allow postfix_smtp_t self:capability { sys_chroot };
+
# connect to master process
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100
+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-18 18:27:02.770531119 +0100
@@ -286,6 +286,8 @@
allow smbd_t winbind_t:process { signal signull };
+allow smbd_t swat_t:process signal;
+
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
@@ -485,6 +487,8 @@
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+allow nmbd_t swat_t:process signal;
+
allow nmbd_t smbcontrol_t:process signal;
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -661,6 +665,7 @@
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:unix_stream_socket connectto;
+samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow swat_t nmbd_exec_t:file mmap_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-18 18:24:22.889530888 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-01-18 18:27:02.771531176 +0100
@@ -136,6 +136,8 @@
optional_policy(`
fail2ban_read_lib_files(sendmail_t)
+ fail2ban_rw_stream_sockets(sendmail_t)
+
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-18 18:24:22.892539860 +0100
+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-19 14:20:15.303858953 +0100
@@ -25,9 +25,9 @@
#
# Local policy
#
-allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
-allow snmpd_t self:process { signal_perms getsched setsched };
+allow snmpd_t self:process { signal signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-18 18:24:22.895529974 +0100
+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-18 18:27:02.773531151 +0100
@@ -267,6 +267,24 @@
stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
')
+######################################
+## <summary>
+## Send kill signal to spamassassin client
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`spamassassin_kill_client',`
+ gen_require(`
+ type spamc_t;
+ ')
+
+ allow $1 spamc_t:process sigkill;
+')
+
########################################
## <summary>
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 18:24:22.899530064 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-01-18 18:27:02.774530790 +0100
@@ -8,31 +8,6 @@
## <desc>
## <p>
-## Allow sftp to upload files, used for public file
-## transfer services. Directories must be labeled
-## public_content_rw_t.
-## </p>
-## </desc>
-gen_tunable(allow_sftpd_anon_write, false)
-
-## <desc>
-## <p>
-## Allow sftp to login to local users and
-## read/write all files on the system, governed by DAC.
-## </p>
-## </desc>
-gen_tunable(allow_sftpd_full_access, false)
-
-## <desc>
-## <p>
-## Allow interlnal-sftp to read and write files
-## in the user ssh home directories.
-## </p>
-## </desc>
-gen_tunable(sftpd_ssh_home_dir, false)
-
-## <desc>
-## <p>
## allow host key based authentication
## </p>
## </desc>
@@ -69,10 +44,6 @@
type sshd_tmpfs_t;
files_tmpfs_file(sshd_tmpfs_t)
-type sftpd_t;
-domain_type(sftpd_t)
-role system_r types sftpd_t;
-
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
@@ -361,6 +332,11 @@
')
optional_policy(`
+ ftp_dyntransition_sftpd(sshd_t)
+ ftp_dyntransition_sftpd_anon(sshd_t)
+')
+
+optional_policy(`
gitosis_manage_var_lib(sshd_t)
')
@@ -468,49 +444,3 @@
udev_read_db(ssh_keygen_t)
')
-#######################################
-#
-# sftp Local policy
-#
-
-allow ssh_server sftpd_t:process dyntransition;
-
-ssh_sigchld(sftpd_t)
-
-files_read_all_files(sftpd_t)
-files_read_all_symlinks(sftpd_t)
-
-fs_read_noxattr_fs_files(sftpd_t)
-fs_read_nfs_files(sftpd_t)
-fs_read_cifs_files(sftpd_t)
-
-# allow access to /home by default
-userdom_manage_user_home_content_dirs(sftpd_t)
-userdom_manage_user_home_content_files(sftpd_t)
-userdom_manage_user_home_content_symlinks(sftpd_t)
-
-userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
-
-tunable_policy(`allow_sftpd_anon_write',`
- miscfiles_manage_public_files(sftpd_t)
-')
-
-tunable_policy(`allow_sftpd_full_access',`
- allow sftpd_t self:capability { dac_override dac_read_search };
- fs_read_noxattr_fs_files(sftpd_t)
- auth_manage_all_files_except_shadow(sftpd_t)
-')
-
-tunable_policy(`sftpd_ssh_home_dir',`
- ssh_manage_user_home_files(sftpd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(sftpd_t)
- fs_manage_nfs_files(sftpd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(sftpd_t)
- fs_manage_cifs_files(sftpd_t)
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-18 18:24:22.900529842 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2010-01-19 17:08:41.212631842 +0100
@@ -4,6 +4,8 @@
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-18 18:24:22.901529830 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-19 17:08:45.945631552 +0100
@@ -12,8 +12,7 @@
#
interface(`sssd_domtrans',`
gen_require(`
- type sssd_t;
- type sssd_exec_t;
+ type sssd_t, sssd_exec_t;
')
domtrans_pattern($1, sssd_exec_t, sssd_t)
@@ -26,7 +25,7 @@
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -40,6 +39,25 @@
########################################
## <summary>
+## Read sssd public files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
+########################################
+## <summary>
## Read sssd PID files.
## </summary>
## <param name="domain">
@@ -59,7 +77,7 @@
########################################
## <summary>
-## Manage sssd var_run files.
+## Read sssd config files.
## </summary>
## <param name="domain">
## <summary>
@@ -67,18 +85,18 @@
## </summary>
## </param>
#
-interface(`sssd_manage_pids',`
+interface(`sssd_read_config_files',`
gen_require(`
- type sssd_var_run_t;
+ type sssd_config_t;
')
- manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
- manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_config_t, sssd_config_t)
')
########################################
## <summary>
-## Search sssd lib directories.
+## Manage sssd var_run files.
## </summary>
## <param name="domain">
## <summary>
@@ -86,18 +104,18 @@
## </summary>
## </param>
#
-interface(`sssd_search_lib',`
+interface(`sssd_manage_pids',`
gen_require(`
- type sssd_var_lib_t;
+ type sssd_var_run_t;
')
- allow $1 sssd_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
+ manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
')
########################################
## <summary>
-## Read sssd lib files.
+## Search sssd lib directories.
## </summary>
## <param name="domain">
## <summary>
@@ -105,18 +123,18 @@
## </summary>
## </param>
#
-interface(`sssd_read_lib_files',`
+interface(`sssd_search_lib',`
gen_require(`
type sssd_var_lib_t;
')
+ allow $1 sssd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
- read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
')
########################################
## <summary>
-## Read sssd config files.
+## dontaudit search sssd lib directories.
## </summary>
## <param name="domain">
## <summary>
@@ -124,19 +142,18 @@
## </summary>
## </param>
#
-interface(`sssd_read_config_files',`
+interface(`sssd_dontaudit_search_lib',`
gen_require(`
- type sssd_config_t;
+ type sssd_var_lib_t;
')
- sssd_search_lib($1)
- read_files_pattern($1, sssd_config_t, sssd_config_t)
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
## <summary>
-## Create, read, write, and delete
-## sssd lib files.
+## Read sssd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -144,18 +161,19 @@
## </summary>
## </param>
#
-interface(`sssd_manage_lib_files',`
+interface(`sssd_read_lib_files',`
gen_require(`
type sssd_var_lib_t;
')
files_search_var_lib($1)
- manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
')
########################################
## <summary>
-## Manage sssd var_lib files.
+## Create, read, write, and delete
+## sssd lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -163,17 +181,15 @@
## </summary>
## </param>
#
-interface(`sssd_manage_var_lib',`
+interface(`sssd_manage_lib_files',`
gen_require(`
type sssd_var_lib_t;
')
- manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
+ files_search_var_lib($1)
manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
- manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
')
-
########################################
## <summary>
## Send and receive messages from
@@ -238,16 +254,13 @@
#
interface(`sssd_admin',`
gen_require(`
- type sssd_t;
+ type sssd_t, sssd_public_t;
+ type sssd_initrc_exec_t;
')
allow $1 sssd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, sssd_t, sssd_t)
- gen_require(`
- type sssd_initrc_exec_t;
- ')
-
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
domain_system_change_exemption($1)
@@ -257,4 +270,6 @@
sssd_manage_pids($1)
sssd_manage_lib_files($1)
+
+ admin_pattern($1, sssd_public_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-18 18:24:22.901529830 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2010-01-19 17:08:54.487643800 +0100
@@ -1,5 +1,5 @@
-policy_module(sssd, 1.0.0)
+policy_module(sssd, 1.0.1)
########################################
#
@@ -13,6 +13,9 @@
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
+type sssd_public_t;
+files_pid_file(sssd_public_t)
+
type sssd_var_lib_t;
files_type(sssd_var_lib_t)
@@ -31,6 +34,9 @@
allow sssd_t self:fifo_file rw_file_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
@@ -43,8 +49,6 @@
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
-fs_list_inotifyfs(sssd_t)
-
kernel_read_system_state(sssd_t)
corecmd_exec_bin(sssd_t)
@@ -58,6 +62,8 @@
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
+fs_list_inotifyfs(sssd_t)
+
auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
@@ -69,7 +75,7 @@
miscfiles_read_localization(sssd_t)
-userdom_manage_tmp_role(system_t, sssd_t)
+userdom_manage_tmp_role(system_r, sssd_t)
optional_policy(`
dbus_system_bus_client(sssd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.6.32/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/tftp.te 2010-01-19 12:02:02.773609654 +0100
@@ -50,6 +50,7 @@
manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+kernel_read_system_state(tftpd_t)
kernel_read_kernel_sysctls(tftpd_t)
kernel_list_proc(tftpd_t)
kernel_read_proc_symlinks(tftpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100
+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-18 18:27:02.776530834 +0100
@@ -226,7 +226,7 @@
sysnet_domtrans_ifconfig(virtd_t)
sysnet_read_config(virtd_t)
-userdom_dontaudit_list_admin_dir(virtd_t)
+userdom_list_admin_dir(virtd_t)
userdom_getattr_all_users(virtd_t)
userdom_list_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
@@ -430,6 +430,8 @@
corenet_tcp_connect_virt_migration_port(virt_domain)
dev_read_sound(virt_domain)
+dev_read_rand(virt_domain)
+dev_read_urand(virt_domain)
dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-01-18 18:27:02.777542764 +0100
@@ -65,6 +65,8 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -105,6 +107,7 @@
/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
@@ -116,6 +119,7 @@
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-18 18:27:02.779530727 +0100
@@ -301,6 +301,8 @@
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
+allow xauth_t xserver_t:unix_stream_socket connectto;
+
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-18 18:27:02.780542727 +0100
@@ -125,6 +125,10 @@
')
optional_policy(`
+ brctl_domtrans(hotplug_t)
+')
+
+optional_policy(`
consoletype_exec(hotplug_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100
+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-18 18:27:02.782531248 +0100
@@ -212,6 +212,10 @@
')
optional_policy(`
+ dbus_system_bus_client(init_t)
+')
+
+optional_policy(`
# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
# the directory. But we do not want to allow this.
@@ -872,6 +876,7 @@
optional_policy(`
unconfined_domain(initrc_t)
+ domain_role_change_exemption(initrc_t)
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-01-18 18:27:02.783531305 +0100
@@ -1,3 +1,5 @@
+
+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-01-18 18:24:22.943530492 +0100
+++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-01-18 18:27:02.783531305 +0100
@@ -35,10 +35,13 @@
allow iscsid_t self:unix_dgram_socket create_socket_perms;
allow iscsid_t self:sem create_sem_perms;
allow iscsid_t self:shm create_shm_perms;
+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
allow iscsid_t self:netlink_socket create_socket_perms;
allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
allow iscsid_t self:tcp_socket create_stream_socket_perms;
+can_exec(iscsid_t, iscsid_exec_t)
+
manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
@@ -67,6 +70,7 @@
corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t)
+dev_rw_userio_dev(iscsid_t)
domain_use_interactive_fds(iscsid_t)
domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-19 12:16:16.415620342 +0100
@@ -245,6 +245,7 @@
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -433,8 +434,14 @@
/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/local/MATHWORKS_R2009B/bin/glnxa64/libtbb.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-18 18:27:02.787531116 +0100
@@ -618,3 +618,22 @@
manage_lnk_files_pattern($1, locale_t, locale_t)
')
+#######################################
+## <summary>
+## Set the attributes on a fonts cache directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_setattr_fonts_cache_dirs',`
+ gen_require(`
+ type fonts_cache_t;
+ ')
+
+ allow $1 fonts_cache_t:dir setattr;
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100
+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-01-18 18:27:02.788530824 +0100
@@ -181,6 +181,7 @@
auth_read_all_dirs_except_shadow(mount_t)
auth_read_all_files_except_shadow(mount_t)
files_mounton_non_security(mount_t)
+ files_rw_all_inherited_files(mount_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-18 18:24:22.967540599 +0100
+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-01-18 18:27:02.789530951 +0100
@@ -190,6 +190,7 @@
init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t)
+init_write_script_pipes(load_policy_t)
miscfiles_read_localization(load_policy_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-18 18:24:22.975530582 +0100
+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-18 18:27:02.790542463 +0100
@@ -21,6 +21,8 @@
allow $1 self:capability all_capabilities;
allow $1 self:fifo_file manage_fifo_file_perms;
+ allow $1 self:socket_class_set create_socket_perms;
+
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-01-18 18:24:22.977540055 +0100
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-01-18 18:27:02.791532114 +0100
@@ -6,4 +6,5 @@
/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-01-18 18:27:02.794530889 +0100
@@ -3631,6 +3631,24 @@
########################################
## <summary>
+## Allow domain to list /root
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_list_admin_dir',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ allow $1 admin_home_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Allow Search /root
## </summary>
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-01-18 18:24:22.987540070 +0100
+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-18 18:27:02.796530655 +0100
@@ -248,6 +248,7 @@
#
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:process setrlimit;
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
@@ -268,6 +269,7 @@
domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+files_read_etc_files(xenconsoled_t)
files_read_usr_files(xenconsoled_t)
fs_list_tmpfs(xenconsoled_t)
@@ -286,6 +288,10 @@
xen_manage_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)
+optional_policy(`
+ ptchown_domtrans(xenconsoled_t)
+')
+
########################################
#
# Xen store local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-18 18:24:22.988541733 +0100
+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-01-18 18:27:02.798533004 +0100
@@ -28,7 +28,7 @@
#
# All socket classes.
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
--- nsaserefpolicy/policy/users 2010-01-18 18:24:22.989541023 +0100
+++ serefpolicy-3.6.32/policy/users 2010-01-18 18:27:02.799531176 +0100
@@ -15,7 +15,7 @@
# and a user process should never be assigned the system user
# identity.
#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no