diff --git a/policy-20071130.patch b/policy-20071130.patch index 66030ba..82d3eb7 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -8,106 +8,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.3.1/ - Label /proc/kallsyms with system_map_t. - 64-bit capabilities from Stephen Smalley. - Labeled networking peer object class updates. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile ---- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/Makefile 2008-04-21 11:02:47.842805000 -0400 -@@ -235,7 +235,7 @@ - appdir := $(contextpath) - user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) - user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) --appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) -+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) - net_contexts := $(builddir)net_contexts - - all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -@@ -309,20 +309,22 @@ - - # parse-rolemap modulename,outputfile - define parse-rolemap -- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 -+ echo "" >> $2 -+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 - endef - - # perrole-expansion modulename,outputfile - define perrole-expansion -- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -- $(call parse-rolemap,$1,$2) -- $(verbose) echo "')" >> $2 -- -- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -- $(call parse-rolemap-compat,$1,$2) -- $(verbose) echo "')" >> $2 -+ echo "No longer doing perrole-expansion" -+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -+# $(call parse-rolemap,$1,$2) -+# $(verbose) echo "')" >> $2 -+ -+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -+# $(call parse-rolemap-compat,$1,$2) -+# $(verbose) echo "')" >> $2 - endef - - # create-base-per-role-tmpl modulenames,outputfile -@@ -521,6 +523,10 @@ - @mkdir -p $(appdir)/users - $(verbose) $(INSTALL) -m 644 $^ $@ - -+$(appdir)/initrc_context: $(tmpdir)/initrc_context -+ @mkdir -p $(appdir) -+ $(verbose) $(INSTALL) -m 644 $< $@ -+ - $(appdir)/%: $(appconf)/% - @mkdir -p $(appdir) - $(verbose) $(INSTALL) -m 644 $< $@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular ---- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500 -+++ serefpolicy-3.3.1/Rules.modular 2008-04-21 11:02:47.848797000 -0400 -@@ -73,8 +73,8 @@ - $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te - @echo "Compliling $(NAME) $(@F) module" - @test -d $(tmpdir) || mkdir -p $(tmpdir) -- $(call perrole-expansion,$(basename $(@F)),$@.role) -- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) -+# $(call perrole-expansion,$(basename $(@F)),$@.role) -+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) - $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ - - $(tmpdir)/%.mod.fc: $(m4support) %.fc -@@ -129,7 +129,7 @@ - @test -d $(tmpdir) || mkdir -p $(tmpdir) - # define all available object classes - $(verbose) $(genperm) $(avs) $(secclass) > $@ -- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) -+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) - $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true - - $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy -@@ -147,7 +147,7 @@ - $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy - $(tmpdir)/rolemap.conf: $(rolemap) - $(verbose) echo "" > $@ -- $(call parse-rolemap,base,$@) -+# $(call parse-rolemap,base,$@) - - $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy - $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic ---- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500 -+++ serefpolicy-3.3.1/Rules.monolithic 2008-04-21 11:02:47.854791000 -0400 -@@ -96,7 +96,7 @@ - # - # Load the binary policy - # --reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) -+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles) - @echo "Loading $(NAME) $(loadpath)" - $(verbose) $(LOADPOLICY) -q $(loadpath) - @touch $(tmpdir)/load diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context 2008-04-21 11:02:47.859787000 -0400 @@ -791,6 +691,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile +--- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500 ++++ serefpolicy-3.3.1/Makefile 2008-04-21 11:02:47.842805000 -0400 +@@ -235,7 +235,7 @@ + appdir := $(contextpath) + user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) + user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) +-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) ++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) + net_contexts := $(builddir)net_contexts + + all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) +@@ -309,20 +309,22 @@ + + # parse-rolemap modulename,outputfile + define parse-rolemap +- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ +- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 ++ echo "" >> $2 ++# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ ++# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 + endef + + # perrole-expansion modulename,outputfile + define perrole-expansion +- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 +- $(call parse-rolemap,$1,$2) +- $(verbose) echo "')" >> $2 +- +- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 +- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 +- $(call parse-rolemap-compat,$1,$2) +- $(verbose) echo "')" >> $2 ++ echo "No longer doing perrole-expansion" ++# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 ++# $(call parse-rolemap,$1,$2) ++# $(verbose) echo "')" >> $2 ++ ++# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 ++# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 ++# $(call parse-rolemap-compat,$1,$2) ++# $(verbose) echo "')" >> $2 + endef + + # create-base-per-role-tmpl modulenames,outputfile +@@ -521,6 +523,10 @@ + @mkdir -p $(appdir)/users + $(verbose) $(INSTALL) -m 644 $^ $@ + ++$(appdir)/initrc_context: $(tmpdir)/initrc_context ++ @mkdir -p $(appdir) ++ $(verbose) $(INSTALL) -m 644 $< $@ ++ + $(appdir)/%: $(appconf)/% + @mkdir -p $(appdir) + $(verbose) $(INSTALL) -m 644 $< $@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8 --- nsaserefpolicy/man/man8/httpd_selinux.8 2008-02-18 14:30:19.000000000 -0500 +++ serefpolicy-3.3.1/man/man8/httpd_selinux.8 2008-04-21 11:02:47.931714000 -0400 @@ -2577,6 +2533,109 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te usermanage_domtrans_groupadd(rpm_script_t) usermanage_domtrans_useradd(rpm_script_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if +--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-04-21 11:02:48.070575000 -0400 +@@ -55,7 +55,7 @@ + # + + # Use capabilities. +- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; ++ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; + allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_sudo_t self:process { setexec setrlimit }; + allow $1_sudo_t self:fd use; +@@ -68,33 +68,35 @@ + allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; + allow $1_sudo_t self:unix_dgram_socket sendto; + allow $1_sudo_t self:unix_stream_socket connectto; +- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; ++ allow $1_sudo_t self:key manage_key_perms; ++ allow $1_sudo_t $1_t:key search; + + # Enter this derived domain from the user domain + domtrans_pattern($2, sudo_exec_t, $1_sudo_t) + + # By default, revert to the calling domain when a shell is executed. + corecmd_shell_domtrans($1_sudo_t,$2) ++ corecmd_bin_domtrans($1_sudo_t,$2) + allow $2 $1_sudo_t:fd use; + allow $2 $1_sudo_t:fifo_file rw_file_perms; + allow $2 $1_sudo_t:process sigchld; + + kernel_read_kernel_sysctls($1_sudo_t) + kernel_read_system_state($1_sudo_t) +- kernel_search_key($1_sudo_t) ++ kernel_link_key($1_sudo_t) + + dev_read_urand($1_sudo_t) + + fs_search_auto_mountpoints($1_sudo_t) + fs_getattr_xattr_fs($1_sudo_t) + +- auth_domtrans_chk_passwd($1_sudo_t) ++ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) + # sudo stores a token in the pam_pid directory + auth_manage_pam_pid($1_sudo_t) + auth_use_nsswitch($1_sudo_t) + + corecmd_read_bin_symlinks($1_sudo_t) +- corecmd_getattr_all_executables($1_sudo_t) ++ corecmd_exec_all_executables($1_sudo_t) + + domain_use_interactive_fds($1_sudo_t) + domain_sigchld_interactive_fds($1_sudo_t) +@@ -106,32 +108,42 @@ + files_getattr_usr_files($1_sudo_t) + # for some PAM modules and for cwd + files_dontaudit_search_home($1_sudo_t) ++ files_list_tmp($1_sudo_t) + + init_rw_utmp($1_sudo_t) + + libs_use_ld_so($1_sudo_t) + libs_use_shared_libs($1_sudo_t) + ++ logging_send_audit_msgs($1_sudo_t) + logging_send_syslog_msg($1_sudo_t) + + miscfiles_read_localization($1_sudo_t) + ++ mta_per_role_template($1, $1_sudo_t, $3) ++ + userdom_manage_user_home_content_files($1,$1_sudo_t) + userdom_manage_user_home_content_symlinks($1,$1_sudo_t) + userdom_manage_user_tmp_files($1,$1_sudo_t) + userdom_manage_user_tmp_symlinks($1,$1_sudo_t) ++ userdom_exec_user_home_content_files($1,$1_sudo_t) + userdom_use_user_terminals($1,$1_sudo_t) + userdom_use_unpriv_users_fds($1_sudo_t) + # for some PAM modules and for cwd ++ userdom_search_sysadm_home_content_dirs($1_sudo_t) + userdom_dontaudit_search_all_users_home_content($1_sudo_t) + +- ifdef(`TODO',` +- # for when the network connection is killed +- dontaudit unpriv_userdomain $1_sudo_t:process signal; +- +- ifdef(`mta.te', ` +- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) +- ') ++ domain_role_change_exemption($1_sudo_t) ++ userdom_spec_domtrans_all_users($1_sudo_t) + +- ') dnl end TODO ++ selinux_validate_context($1_sudo_t) ++ selinux_compute_relabel_context($1_sudo_t) ++ selinux_getattr_fs($1_sudo_t) ++ seutil_read_config($1_sudo_t) ++ seutil_search_default_contexts($1_sudo_t) ++ ++ term_use_all_user_ttys($1_sudo_t) ++ term_use_all_user_ptys($1_sudo_t) ++ term_relabel_all_user_ttys($1_sudo_t) ++ term_relabel_all_user_ptys($1_sudo_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.3.1/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/su.if 2008-04-21 11:02:48.064582000 -0400 @@ -2707,109 +2766,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ') ####################################### -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if ---- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-04-21 11:02:48.070575000 -0400 -@@ -55,7 +55,7 @@ - # - - # Use capabilities. -- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; -+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; - allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_sudo_t self:process { setexec setrlimit }; - allow $1_sudo_t self:fd use; -@@ -68,33 +68,35 @@ - allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; - allow $1_sudo_t self:unix_dgram_socket sendto; - allow $1_sudo_t self:unix_stream_socket connectto; -- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; -+ allow $1_sudo_t self:key manage_key_perms; -+ allow $1_sudo_t $1_t:key search; - - # Enter this derived domain from the user domain - domtrans_pattern($2, sudo_exec_t, $1_sudo_t) - - # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_sudo_t,$2) -+ corecmd_bin_domtrans($1_sudo_t,$2) - allow $2 $1_sudo_t:fd use; - allow $2 $1_sudo_t:fifo_file rw_file_perms; - allow $2 $1_sudo_t:process sigchld; - - kernel_read_kernel_sysctls($1_sudo_t) - kernel_read_system_state($1_sudo_t) -- kernel_search_key($1_sudo_t) -+ kernel_link_key($1_sudo_t) - - dev_read_urand($1_sudo_t) - - fs_search_auto_mountpoints($1_sudo_t) - fs_getattr_xattr_fs($1_sudo_t) - -- auth_domtrans_chk_passwd($1_sudo_t) -+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) - # sudo stores a token in the pam_pid directory - auth_manage_pam_pid($1_sudo_t) - auth_use_nsswitch($1_sudo_t) - - corecmd_read_bin_symlinks($1_sudo_t) -- corecmd_getattr_all_executables($1_sudo_t) -+ corecmd_exec_all_executables($1_sudo_t) - - domain_use_interactive_fds($1_sudo_t) - domain_sigchld_interactive_fds($1_sudo_t) -@@ -106,32 +108,42 @@ - files_getattr_usr_files($1_sudo_t) - # for some PAM modules and for cwd - files_dontaudit_search_home($1_sudo_t) -+ files_list_tmp($1_sudo_t) - - init_rw_utmp($1_sudo_t) - - libs_use_ld_so($1_sudo_t) - libs_use_shared_libs($1_sudo_t) - -+ logging_send_audit_msgs($1_sudo_t) - logging_send_syslog_msg($1_sudo_t) - - miscfiles_read_localization($1_sudo_t) - -+ mta_per_role_template($1, $1_sudo_t, $3) -+ - userdom_manage_user_home_content_files($1,$1_sudo_t) - userdom_manage_user_home_content_symlinks($1,$1_sudo_t) - userdom_manage_user_tmp_files($1,$1_sudo_t) - userdom_manage_user_tmp_symlinks($1,$1_sudo_t) -+ userdom_exec_user_home_content_files($1,$1_sudo_t) - userdom_use_user_terminals($1,$1_sudo_t) - userdom_use_unpriv_users_fds($1_sudo_t) - # for some PAM modules and for cwd -+ userdom_search_sysadm_home_content_dirs($1_sudo_t) - userdom_dontaudit_search_all_users_home_content($1_sudo_t) - -- ifdef(`TODO',` -- # for when the network connection is killed -- dontaudit unpriv_userdomain $1_sudo_t:process signal; -- -- ifdef(`mta.te', ` -- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) -- ') -+ domain_role_change_exemption($1_sudo_t) -+ userdom_spec_domtrans_all_users($1_sudo_t) - -- ') dnl end TODO -+ selinux_validate_context($1_sudo_t) -+ selinux_compute_relabel_context($1_sudo_t) -+ selinux_getattr_fs($1_sudo_t) -+ seutil_read_config($1_sudo_t) -+ seutil_search_default_contexts($1_sudo_t) -+ -+ term_use_all_user_ttys($1_sudo_t) -+ term_use_all_user_ptys($1_sudo_t) -+ term_relabel_all_user_ttys($1_sudo_t) -+ term_relabel_all_user_ptys($1_sudo_t) - ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-04-21 11:02:48.075572000 -0400 @@ -6849,7 +6805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-04-21 11:02:48.458345000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-04-22 15:54:10.151463000 -0400 @@ -75,6 +75,7 @@ network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) @@ -7520,8 +7476,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # /emul diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-04-21 16:42:25.522539000 -0400 -@@ -1266,6 +1266,24 @@ ++++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-04-23 10:14:31.898476000 -0400 +@@ -110,6 +110,11 @@ + ## + # + interface(`files_config_file',` ++ gen_require(` ++ attribute etcfile; ++ ') ++ ++ typeattribute $1 etcfile; + files_type($1) + ') + +@@ -1266,6 +1271,24 @@ ######################################## ## @@ -7546,7 +7514,74 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Unmount a rootfs filesystem. ## ## -@@ -2187,6 +2205,49 @@ +@@ -1852,6 +1875,26 @@ + + ######################################## + ## ++## Read config files in /etc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_config_files',` ++ gen_require(` ++ attribute etcfile; ++ ') ++ ++ allow $1 etcfile:dir list_dir_perms; ++ read_files_pattern($1,etcfile,etcfile) ++ read_lnk_files_pattern($1,etcfile,etcfile) ++') ++ ++######################################## ++## + ## Do not audit attempts to write generic files in /etc. + ## + ## +@@ -2072,7 +2115,8 @@ + # + interface(`files_read_etc_runtime_files',` + gen_require(` +- type etc_t, etc_runtime_t; ++ type etc_t; ++ type etc_runtime_t; + ') + + allow $1 etc_t:dir list_dir_perms; +@@ -2114,7 +2158,8 @@ + # + interface(`files_rw_etc_runtime_files',` + gen_require(` +- type etc_t, etc_runtime_t; ++ type etc_t; ++ type etc_runtime_t; + ') + + allow $1 etc_t:dir list_dir_perms; +@@ -2136,7 +2181,8 @@ + # + interface(`files_manage_etc_runtime_files',` + gen_require(` +- type etc_t, etc_runtime_t; ++ type etc_t; ++ type etc_runtime_t; + ') + + manage_files_pattern($1,{ etc_t etc_runtime_t },etc_runtime_t) +@@ -2160,7 +2206,8 @@ + # + interface(`files_etc_filetrans_etc_runtime',` + gen_require(` +- type etc_t, etc_runtime_t; ++ type etc_t; ++ type etc_runtime_t; + ') + + filetrans_pattern($1,etc_t,etc_runtime_t,$2) +@@ -2187,6 +2234,49 @@ ######################################## ## @@ -7596,7 +7631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -2707,6 +2768,24 @@ +@@ -2707,6 +2797,24 @@ ######################################## ## @@ -7621,7 +7656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create, read, write, and delete symbolic links in /mnt. ## ## -@@ -3357,6 +3436,8 @@ +@@ -3357,6 +3465,8 @@ delete_lnk_files_pattern($1,tmpfile,tmpfile) delete_fifo_files_pattern($1,tmpfile,tmpfile) delete_sock_files_pattern($1,tmpfile,tmpfile) @@ -7630,7 +7665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3510,6 +3591,24 @@ +@@ -3510,6 +3620,24 @@ ######################################## ## @@ -7655,7 +7690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Relabel a file to the type used in /usr. ## ## -@@ -4712,12 +4811,14 @@ +@@ -4712,12 +4840,14 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -7671,7 +7706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -4756,3 +4857,54 @@ +@@ -4756,3 +4886,54 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') @@ -7728,8 +7763,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.3.1/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2008-02-18 14:30:18.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/files.te 2008-04-21 11:02:48.521282000 -0400 -@@ -55,6 +55,8 @@ ++++ serefpolicy-3.3.1/policy/modules/kernel/files.te 2008-04-23 15:35:25.733975000 -0400 +@@ -50,11 +50,15 @@ + # + # etc_t is the type of the system etc directories. + # +-type etc_t; ++attribute etcfile; ++ ++type etc_t, etcfile; + files_type(etc_t) # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; @@ -7738,7 +7781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # # etc_runtime_t is the type of various -@@ -195,10 +197,7 @@ +@@ -195,10 +199,7 @@ # # Rules for all tmp file types # @@ -8622,7 +8665,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.3.1/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2008-02-18 14:30:18.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/amavis.te 2008-04-21 11:02:48.620183000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/amavis.te 2008-04-23 15:44:23.414526000 -0400 +@@ -13,7 +13,7 @@ + + # configuration files + type amavis_etc_t; +-files_type(amavis_etc_t) ++files_config_file(amavis_etc_t) + + # pid files + type amavis_var_run_t; @@ -38,6 +38,9 @@ type amavis_spool_t; files_type(amavis_spool_t) @@ -11264,7 +11316,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.3.1/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/clamav.te 2008-04-21 11:02:48.824978000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/clamav.te 2008-04-23 15:44:28.165531000 -0400 +@@ -13,7 +13,7 @@ + + # configuration files + type clamd_etc_t; +-files_type(clamd_etc_t) ++files_config_file(clamd_etc_t) + + # tmp files + type clamd_tmp_t; @@ -48,6 +48,9 @@ type freshclam_var_log_t; logging_log_file(freshclam_var_log_t) @@ -11470,6 +11531,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + fs_dontaudit_rw_cifs_files(consolekit_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.3.1/policy/modules/services/courier.te +--- nsaserefpolicy/policy/modules/services/courier.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/courier.te 2008-04-23 15:44:33.699904000 -0400 +@@ -9,7 +9,7 @@ + courier_domain_template(authdaemon) + + type courier_etc_t; +-files_type(courier_etc_t) ++files_config_file(courier_etc_t) + + courier_domain_template(pcp) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.3.1/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/cron.fc 2008-04-21 11:02:48.885917000 -0400 @@ -13258,15 +13331,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-04-21 11:02:48.979823000 -0400 -@@ -9,6 +9,7 @@ ++++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-04-23 15:44:38.592767000 -0400 +@@ -9,9 +9,10 @@ # # Delcarations # +attribute dbusd_unconfined; type dbusd_etc_t alias etc_dbusd_t; - files_type(dbusd_etc_t) +-files_type(dbusd_etc_t) ++files_config_file(dbusd_etc_t) + + type system_dbusd_t alias dbusd_t; + type system_dbusd_exec_t; @@ -21,11 +22,23 @@ files_tmp_file(system_dbusd_tmp_t) @@ -13655,7 +13732,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddcl +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.te serefpolicy-3.3.1/policy/modules/services/ddclient.te --- nsaserefpolicy/policy/modules/services/ddclient.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/ddclient.te 2008-04-21 11:02:49.006797000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/ddclient.te 2008-04-23 15:44:44.645621000 -0400 +@@ -11,7 +11,7 @@ + init_daemon_domain(ddclient_t,ddclient_exec_t) + + type ddclient_etc_t; +-files_type(ddclient_etc_t) ++files_config_file(ddclient_etc_t) + + type ddclient_log_t; + logging_log_file(ddclient_log_t) @@ -25,6 +25,9 @@ type ddclient_var_run_t; files_pid_file(ddclient_var_run_t) @@ -14855,7 +14941,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.3.1/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/fetchmail.te 2008-04-21 11:02:49.112690000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/fetchmail.te 2008-04-23 10:05:38.630717000 -0400 +@@ -14,7 +14,7 @@ + files_pid_file(fetchmail_var_run_t) + + type fetchmail_etc_t; +-files_type(fetchmail_etc_t) ++files_config_file(fetchmail_etc_t) + + type fetchmail_uidl_cache_t; + files_type(fetchmail_uidl_cache_t) @@ -90,6 +90,10 @@ ') @@ -18242,6 +18337,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) /opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oav.te serefpolicy-3.3.1/policy/modules/services/oav.te +--- nsaserefpolicy/policy/modules/services/oav.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/oav.te 2008-04-23 10:05:51.242047000 -0400 +@@ -12,7 +12,7 @@ + + # cjp: may be collapsable to etc_t + type oav_update_etc_t; +-files_type(oav_update_etc_t) ++files_config_file(oav_update_etc_t) + + type oav_update_var_lib_t; + files_type(oav_update_var_lib_t) +@@ -22,7 +22,7 @@ + init_daemon_domain(scannerdaemon_t,scannerdaemon_exec_t) + + type scannerdaemon_etc_t; +-files_type(scannerdaemon_etc_t) ++files_config_file(scannerdaemon_etc_t) + + type scannerdaemon_log_t; + logging_log_file(scannerdaemon_log_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.3.1/policy/modules/services/oddjob.fc --- nsaserefpolicy/policy/modules/services/oddjob.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/oddjob.fc 2008-04-21 11:02:49.500460000 -0400 @@ -18330,6 +18446,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj +userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t) userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openca.te serefpolicy-3.3.1/policy/modules/services/openca.te +--- nsaserefpolicy/policy/modules/services/openca.te 2007-04-23 09:36:01.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/openca.te 2008-04-23 10:06:13.680203000 -0400 +@@ -18,7 +18,7 @@ + + # /etc/openca standard files + type openca_etc_t; +-files_type(openca_etc_t) ++files_config_file(openca_etc_t) + + # /etc/openca template files + type openca_etc_in_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.3.1/policy/modules/services/openct.te --- nsaserefpolicy/policy/modules/services/openct.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/openct.te 2008-04-21 11:02:49.515445000 -0400 @@ -18433,7 +18561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.3.1/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/openvpn.te 2008-04-21 11:02:49.538422000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/openvpn.te 2008-04-23 10:08:10.784604000 -0400 @@ -8,7 +8,7 @@ ## @@ -18443,6 +18571,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open ##

## gen_tunable(openvpn_enable_homedirs,false) +@@ -20,7 +20,7 @@ + + # configuration files + type openvpn_etc_t; +-files_type(openvpn_etc_t) ++files_config_file(openvpn_etc_t) + + # log files + type openvpn_var_log_t; @@ -30,12 +30,15 @@ type openvpn_var_run_t; files_pid_file(openvpn_var_run_t) @@ -18915,6 +19052,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + type system_crond_var_lib_t; +') +manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.3.1/policy/modules/services/portslave.te +--- nsaserefpolicy/policy/modules/services/portslave.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/portslave.te 2008-04-23 10:08:09.033037000 -0400 +@@ -12,7 +12,7 @@ + init_daemon_domain(portslave_t,portslave_exec_t) + + type portslave_etc_t; +-files_type(portslave_etc_t) ++files_config_file(portslave_etc_t) + + type portslave_lock_t; + files_lock_file(portslave_lock_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.3.1/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/postfix.fc 2008-04-21 11:02:49.570389000 -0400 @@ -19008,9 +19157,103 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute postfix user mail programs ## in their respective domains. ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc 2008-04-21 11:02:49.588372000 -0400 +@@ -3,3 +3,5 @@ + /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) + + /var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0) ++ ++/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if 2008-04-21 11:02:49.593367000 -0400 +@@ -1 +1,68 @@ + ## Postfix policy server ++ ++######################################## ++## ++## Execute postfixpolicyd server in the postfixpolicyd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`postfixpolicyd_script_domtrans',` ++ gen_require(` ++ type postfix_policyd_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,postfix_policyd_script_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an postfixpolicyd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the postfixpolicyd domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`postfixpolicyd_admin',` ++ gen_require(` ++ type postfix_policyd_t; ++ type postfix_policyd_script_exec_t; ++ type postfix_policyd_conf_t; ++ type postfix_policyd_var_run_t; ++ ') ++ ++ allow $1 postfix_policyd_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, postfix_policyd_t, postfix_policyd_t) ++ ++ # Allow postfix_policyd_t to restart the apache service ++ postfixpolicyd_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 postfix_policyd_script_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_etc($1) ++ manage_all_pattern($1,postfix_policyd_conf_t) ++ ++ files_list_pids($1) ++ manage_all_pattern($1,postfix_policyd_var_run_t) ++') ++ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te 2008-04-21 11:02:49.598362000 -0400 +@@ -16,6 +16,9 @@ + type postfix_policyd_var_run_t; + files_pid_file(postfix_policyd_var_run_t) + ++type postfix_policyd_script_exec_t; ++init_script_type(postfix_policyd_script_exec_t) ++ + ######################################## + # + # Local Policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-04-21 11:02:49.583377000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-04-23 15:05:37.257075000 -0400 @@ -6,6 +6,14 @@ # Declarations # @@ -19026,12 +19269,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post attribute postfix_user_domains; # domains that transition to the # postfix user domains +@@ -19,7 +27,7 @@ + postfix_server_domain_template(cleanup) + + type postfix_etc_t; +-files_type(postfix_etc_t) ++files_config_file(postfix_etc_t) + + type postfix_exec_t; + application_executable_file(postfix_exec_t) @@ -27,6 +35,10 @@ postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) +tunable_policy(`allow_postfix_local_write_mail_spool', ` -+ mta_rw_spool(postfix_local_t) ++ mta_manage_spool(postfix_local_t) +') + type postfix_local_tmp_t; @@ -19191,100 +19443,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc ---- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2007-11-08 09:29:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc 2008-04-21 11:02:49.588372000 -0400 -@@ -3,3 +3,5 @@ - /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) - - /var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0) -+ -+/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if ---- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2007-11-08 09:29:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if 2008-04-21 11:02:49.593367000 -0400 -@@ -1 +1,68 @@ - ## Postfix policy server -+ -+######################################## -+## -+## Execute postfixpolicyd server in the postfixpolicyd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`postfixpolicyd_script_domtrans',` -+ gen_require(` -+ type postfix_policyd_script_exec_t; -+ ') -+ -+ init_script_domtrans_spec($1,postfix_policyd_script_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an postfixpolicyd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the postfixpolicyd domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## -+## -+## -+# -+interface(`postfixpolicyd_admin',` -+ gen_require(` -+ type postfix_policyd_t; -+ type postfix_policyd_script_exec_t; -+ type postfix_policyd_conf_t; -+ type postfix_policyd_var_run_t; -+ ') -+ -+ allow $1 postfix_policyd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_policyd_t, postfix_policyd_t) -+ -+ # Allow postfix_policyd_t to restart the apache service -+ postfixpolicyd_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 postfix_policyd_script_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ manage_all_pattern($1,postfix_policyd_conf_t) -+ -+ files_list_pids($1) -+ manage_all_pattern($1,postfix_policyd_var_run_t) -+') -+ -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te ---- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2007-11-08 09:29:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te 2008-04-21 11:02:49.598362000 -0400 -@@ -16,6 +16,9 @@ - type postfix_policyd_var_run_t; - files_pid_file(postfix_policyd_var_run_t) - -+type postfix_policyd_script_exec_t; -+init_script_type(postfix_policyd_script_exec_t) -+ - ######################################## - # - # Local Policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-04-21 11:02:49.603357000 -0400 @@ -20332,7 +20490,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.3.1/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/pyzor.te 2008-04-21 11:02:49.725235000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/pyzor.te 2008-04-23 10:08:05.686909000 -0400 +@@ -17,7 +17,7 @@ + init_daemon_domain(pyzord_t,pyzord_exec_t) + + type pyzor_etc_t; +-files_type(pyzor_etc_t) ++files_config_file(pyzor_etc_t) + + type pyzord_log_t; + logging_log_file(pyzord_log_t) @@ -28,6 +28,12 @@ type pyzor_var_lib_t; files_type(pyzor_var_lib_t) @@ -20379,7 +20546,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmai + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.3.1/policy/modules/services/qmail.te --- nsaserefpolicy/policy/modules/services/qmail.te 2007-10-02 09:54:52.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/qmail.te 2008-04-21 11:02:49.738222000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/qmail.te 2008-04-23 10:08:04.028252000 -0400 +@@ -14,7 +14,7 @@ + qmail_child_domain_template(qmail_clean, qmail_start_t) + + type qmail_etc_t; +-files_type(qmail_etc_t) ++files_config_file(qmail_etc_t) + + type qmail_exec_t; + files_type(qmail_exec_t) @@ -85,6 +85,8 @@ libs_use_ld_so(qmail_inject_t) libs_use_shared_libs(qmail_inject_t) @@ -20954,6 +21130,123 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roun ######################################## # # Local policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc +--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc 2008-04-21 11:02:49.886076000 -0400 +@@ -5,3 +5,5 @@ + /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) + /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) + /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) ++ ++/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if +--- nsaserefpolicy/policy/modules/services/rpcbind.if 2007-07-16 14:09:46.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if 2008-04-21 11:02:49.891070000 -0400 +@@ -95,3 +95,70 @@ + manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t) + files_search_var_lib($1) + ') ++ ++######################################## ++## ++## Execute rpcbind server in the rpcbind domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`rpcbind_script_domtrans',` ++ gen_require(` ++ type rpcbind_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,rpcbind_script_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rpcbind environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the rpcbind domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`rpcbind_admin',` ++ gen_require(` ++ type rpcbind_t; ++ type rpcbind_script_exec_t; ++ type rpcbind_var_lib_t; ++ type rpcbind_var_run_t; ++ ') ++ ++ allow $1 rpcbind_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, rpcbind_t, rpcbind_t) ++ ++ # Allow rpcbind_t to restart the apache service ++ rpcbind_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 rpcbind_script_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_var_lib($1) ++ manage_all_pattern($1,rpcbind_var_lib_t) ++ ++ files_list_pids($1) ++ manage_all_pattern($1,rpcbind_var_run_t) ++') ++ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te +--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te 2008-04-21 11:02:49.897064000 -0400 +@@ -16,16 +16,21 @@ + type rpcbind_var_lib_t; + files_type(rpcbind_var_lib_t) + ++type rpcbind_script_exec_t; ++init_script_type(rpcbind_script_exec_t) ++ + ######################################## + # + # rpcbind local policy + # + +-allow rpcbind_t self:capability setuid; ++allow rpcbind_t self:capability { dac_override setuid sys_tty_config }; + allow rpcbind_t self:fifo_file rw_file_perms; + allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; + allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; + allow rpcbind_t self:udp_socket create_socket_perms; ++# BROKEN ... ++dontaudit rpcbind_t self:udp_socket listen; + allow rpcbind_t self:tcp_socket create_stream_socket_perms; + + manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) +@@ -37,6 +42,7 @@ + manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) + files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) + ++kernel_read_system_state(rpcbind_t) + kernel_read_network_state(rpcbind_t) + + corenet_all_recvfrom_unlabeled(rpcbind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.3.1/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/rpc.if 2008-04-21 11:02:49.875087000 -0400 @@ -20997,7 +21290,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-04-21 11:02:49.882078000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-04-23 10:03:48.199613000 -0400 +@@ -23,7 +23,7 @@ + gen_tunable(allow_nfsd_anon_write,false) + + type exports_t; +-files_type(exports_t) ++files_config_file(exports_t) + + rpc_domain_template(gssd) + @@ -60,10 +60,14 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) @@ -21081,123 +21383,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_users_tmp(gssd_t) userdom_read_unpriv_users_tmp_files(gssd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc ---- nsaserefpolicy/policy/modules/services/rpcbind.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc 2008-04-21 11:02:49.886076000 -0400 -@@ -5,3 +5,5 @@ - /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) - /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) - /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) -+ -+/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if ---- nsaserefpolicy/policy/modules/services/rpcbind.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if 2008-04-21 11:02:49.891070000 -0400 -@@ -95,3 +95,70 @@ - manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t) - files_search_var_lib($1) - ') -+ -+######################################## -+## -+## Execute rpcbind server in the rpcbind domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`rpcbind_script_domtrans',` -+ gen_require(` -+ type rpcbind_script_exec_t; -+ ') -+ -+ init_script_domtrans_spec($1,rpcbind_script_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an rpcbind environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the rpcbind domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## -+## -+## -+# -+interface(`rpcbind_admin',` -+ gen_require(` -+ type rpcbind_t; -+ type rpcbind_script_exec_t; -+ type rpcbind_var_lib_t; -+ type rpcbind_var_run_t; -+ ') -+ -+ allow $1 rpcbind_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, rpcbind_t, rpcbind_t) -+ -+ # Allow rpcbind_t to restart the apache service -+ rpcbind_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 rpcbind_script_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_var_lib($1) -+ manage_all_pattern($1,rpcbind_var_lib_t) -+ -+ files_list_pids($1) -+ manage_all_pattern($1,rpcbind_var_run_t) -+') -+ -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te ---- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te 2008-04-21 11:02:49.897064000 -0400 -@@ -16,16 +16,21 @@ - type rpcbind_var_lib_t; - files_type(rpcbind_var_lib_t) - -+type rpcbind_script_exec_t; -+init_script_type(rpcbind_script_exec_t) -+ - ######################################## - # - # rpcbind local policy - # - --allow rpcbind_t self:capability setuid; -+allow rpcbind_t self:capability { dac_override setuid sys_tty_config }; - allow rpcbind_t self:fifo_file rw_file_perms; - allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; - allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; - allow rpcbind_t self:udp_socket create_socket_perms; -+# BROKEN ... -+dontaudit rpcbind_t self:udp_socket listen; - allow rpcbind_t self:tcp_socket create_stream_socket_perms; - - manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) -@@ -37,6 +42,7 @@ - manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) - files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) - -+kernel_read_system_state(rpcbind_t) - kernel_read_network_state(rpcbind_t) - - corenet_all_recvfrom_unlabeled(rpcbind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.3.1/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/rshd.te 2008-04-21 11:02:49.902059000 -0400 @@ -21800,7 +21985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-02-19 17:24:26.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-04-21 11:02:49.953006000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-04-23 10:02:23.430077000 -0400 @@ -59,6 +59,13 @@ ## gen_tunable(samba_share_nfs,false) @@ -22835,6 +23020,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.3.1/policy/modules/services/snort.te +--- nsaserefpolicy/policy/modules/services/snort.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/snort.te 2008-04-23 10:08:01.979984000 -0400 +@@ -11,7 +11,7 @@ + init_daemon_domain(snort_t,snort_exec_t) + + type snort_etc_t; +-files_type(snort_etc_t) ++files_config_file(snort_etc_t) + + type snort_log_t; + logging_log_file(snort_log_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.3.1/policy/modules/services/soundserver.fc --- nsaserefpolicy/policy/modules/services/soundserver.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/soundserver.fc 2008-04-21 11:02:50.045914000 -0400 @@ -22934,7 +23131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.3.1/policy/modules/services/soundserver.te --- nsaserefpolicy/policy/modules/services/soundserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/soundserver.te 2008-04-21 11:02:50.055904000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/soundserver.te 2008-04-23 10:07:55.149707000 -0400 @@ -10,9 +10,6 @@ type soundd_exec_t; init_daemon_domain(soundd_t,soundd_exec_t) @@ -22950,7 +23147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun files_pid_file(soundd_var_run_t) +type soundd_etc_t; -+files_type(soundd_etc_t) ++files_config_file(soundd_etc_t) + +type soundd_script_exec_t; +init_script_type(soundd_script_exec_t) @@ -24400,6 +24597,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stun + domtrans_pattern(stunnel_t,$2,$1) + allow $1 stunnel_t:tcp_socket rw_socket_perms; +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.3.1/policy/modules/services/stunnel.te +--- nsaserefpolicy/policy/modules/services/stunnel.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/stunnel.te 2008-04-23 10:06:53.948261000 -0400 +@@ -20,7 +20,7 @@ + ') + + type stunnel_etc_t; +-files_type(stunnel_etc_t) ++files_config_file(stunnel_etc_t) + + type stunnel_tmp_t; + files_tmp_file(stunnel_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.3.1/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/telnet.te 2008-04-21 11:02:50.119840000 -0400 @@ -26153,7 +26362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-21 16:59:43.326893000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-23 10:06:49.639936000 -0400 @@ -8,6 +8,14 @@ ## @@ -26251,6 +26460,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # this is not actually a device, its a pipe type xconsole_device_t; +@@ -48,7 +114,7 @@ + files_lock_file(xdm_lock_t) + + type xdm_rw_etc_t; +-files_type(xdm_rw_etc_t) ++files_config_file(xdm_rw_etc_t) + + type xdm_var_lib_t; + files_type(xdm_var_lib_t) @@ -56,6 +122,12 @@ type xdm_var_run_t; files_pid_file(xdm_var_run_t) @@ -28795,7 +29013,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-21 11:02:50.432685000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-23 10:09:00.750545000 -0400 +@@ -22,7 +22,7 @@ + role system_r types lvm_t; + + type lvm_etc_t; +-files_type(lvm_etc_t) ++files_config_file(lvm_etc_t) + + type lvm_lock_t; + files_lock_file(lvm_lock_t) @@ -44,9 +44,9 @@ # Cluster LVM daemon local policy # @@ -31398,7 +31625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-22 15:47:48.878576000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-23 10:15:18.704057000 -0400 @@ -29,9 +29,14 @@ ') @@ -31904,7 +32131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -568,30 +551,32 @@ +@@ -568,30 +551,33 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -31917,6 +32144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - dev_read_input($1_t) - dev_read_misc($1_t) - dev_write_misc($1_t) ++ dev_rwx_zero($1_usertype) + dev_rw_xserver_misc($1_usertype) + dev_rw_power_management($1_usertype) + dev_read_input($1_usertype) @@ -31953,7 +32181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -622,13 +607,7 @@ +@@ -622,13 +608,7 @@ ## ## The template for allowing the user to change roles. ## @@ -31968,7 +32196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -692,183 +671,193 @@ +@@ -692,183 +672,198 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -32023,6 +32251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Stat lost+found. - files_getattr_lost_found_dirs($1_t) + files_getattr_lost_found_dirs($1_usertype) ++ files_read_config_files($1_usertype) + + tunable_policy(`user_rw_noexattrfile',` + fs_manage_noxattr_fs_files($1_usertype) @@ -32124,29 +32353,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - bluetooth_dbus_chat($1_t) -+ bluetooth_dbus_chat($1_usertype) ++ avahi_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1,$1_t) - evolution_alarm_dbus_chat($1,$1_t) -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) ++ bluetooth_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ evolution_dbus_chat($1,$1_usertype) -+ evolution_alarm_dbus_chat($1,$1_usertype) ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) ++ evolution_dbus_chat($1,$1_usertype) ++ evolution_alarm_dbus_chat($1,$1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) ++ networkmanager_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` + vpnc_dbus_chat($1_usertype) ') ') @@ -32243,7 +32476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -895,6 +884,8 @@ +@@ -895,6 +890,8 @@ ## # template(`userdom_login_user_template', ` @@ -32252,7 +32485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -923,70 +914,69 @@ +@@ -923,70 +920,69 @@ allow $1_t self:context contains; @@ -32356,7 +32589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1020,9 +1010,6 @@ +@@ -1020,9 +1016,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -32366,7 +32599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1031,16 +1018,29 @@ +@@ -1031,16 +1024,29 @@ # # privileged home directory writers @@ -32403,7 +32636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1068,6 +1068,13 @@ +@@ -1068,6 +1074,13 @@ userdom_restricted_user_template($1) @@ -32417,7 +32650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1076,14 +1083,16 @@ +@@ -1076,14 +1089,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -32439,7 +32672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1091,32 +1100,29 @@ +@@ -1091,32 +1106,29 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -32483,7 +32716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1127,10 +1133,10 @@ +@@ -1127,10 +1139,10 @@ ## ## ##

@@ -32498,7 +32731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1164,7 +1170,6 @@ +@@ -1164,7 +1176,6 @@ # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) @@ -32506,26 +32739,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1193,12 +1198,15 @@ +@@ -1193,12 +1204,15 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_generic_port($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) ++ ') ++ ++ optional_policy(` ++ hal_dbus_chat($1_t) ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ hal_dbus_chat($1_t) -+ ') -+ -+ optional_policy(` + cron_per_role_template($1, $1_t, $1_r) ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1215,27 @@ +@@ -1207,7 +1221,27 @@ ') optional_policy(` @@ -32554,7 +32787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1312,6 @@ +@@ -1284,8 +1318,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -32563,7 +32796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1307,8 +1333,6 @@ +@@ -1307,8 +1339,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -32572,7 +32805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1363,13 +1387,6 @@ +@@ -1363,13 +1393,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -32586,7 +32819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1439,7 @@ +@@ -1422,6 +1445,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -32594,7 +32827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1805,14 @@ +@@ -1787,10 +1811,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -32610,7 +32843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1908,11 @@ +@@ -1886,11 +1914,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -32624,7 +32857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1942,11 @@ +@@ -1920,11 +1948,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -32638,7 +32871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1990,12 @@ +@@ -1968,12 +1996,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -32654,7 +32887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2025,11 @@ +@@ -2003,10 +2031,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -32668,7 +32901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2061,47 @@ +@@ -2038,11 +2067,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -32718,7 +32951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2133,10 @@ +@@ -2074,10 +2139,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -32731,7 +32964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2166,11 @@ +@@ -2107,11 +2172,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -32745,7 +32978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2200,11 @@ +@@ -2141,11 +2206,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -32760,7 +32993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2234,14 @@ +@@ -2175,10 +2240,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -32777,7 +33010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2271,11 @@ +@@ -2208,11 +2277,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -32791,7 +33024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2305,11 @@ +@@ -2242,11 +2311,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -32805,7 +33038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2339,10 @@ +@@ -2276,10 +2345,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -32818,7 +33051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2374,12 @@ +@@ -2311,12 +2380,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -32834,7 +33067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2411,10 @@ +@@ -2348,10 +2417,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -32847,7 +33080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2446,12 @@ +@@ -2383,12 +2452,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -32863,7 +33096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2483,12 @@ +@@ -2420,12 +2489,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -32879,7 +33112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2520,12 @@ +@@ -2457,12 +2526,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -32895,7 +33128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2570,11 @@ +@@ -2507,11 +2576,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -32909,7 +33142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2619,11 @@ +@@ -2556,11 +2625,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -32923,7 +33156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2663,11 @@ +@@ -2600,11 +2669,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -32937,7 +33170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2697,11 @@ +@@ -2634,11 +2703,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -32951,7 +33184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2731,11 @@ +@@ -2668,11 +2737,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -32965,7 +33198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2767,10 @@ +@@ -2704,10 +2773,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -32978,7 +33211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2802,10 @@ +@@ -2739,10 +2808,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -32991,7 +33224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2835,12 @@ +@@ -2772,12 +2841,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -33007,7 +33240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2872,10 @@ +@@ -2809,10 +2878,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -33020,7 +33253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2907,48 @@ +@@ -2844,10 +2913,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -33071,7 +33304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2978,12 @@ +@@ -2877,12 +2984,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -33087,7 +33320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3015,10 @@ +@@ -2914,10 +3021,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -33100,7 +33333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3050,12 @@ +@@ -2949,12 +3056,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -33116,7 +33349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3087,11 @@ +@@ -2986,11 +3093,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -33130,7 +33363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3123,11 @@ +@@ -3022,11 +3129,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -33144,7 +33377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3159,11 @@ +@@ -3058,11 +3165,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -33158,7 +33391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3195,11 @@ +@@ -3094,11 +3201,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -33172,7 +33405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3231,11 @@ +@@ -3130,11 +3237,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -33186,7 +33419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3280,10 @@ +@@ -3179,10 +3286,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -33199,7 +33432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3324,10 @@ +@@ -3223,10 +3330,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -33212,7 +33445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,24 +3355,24 @@ +@@ -3254,24 +3361,24 @@ ## ## # @@ -33241,7 +33474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3290,23 +3391,24 @@ +@@ -3290,23 +3397,24 @@ ## ## # @@ -33273,7 +33506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3321,18 +3423,89 @@ +@@ -3321,13 +3429,84 @@ ## ## ##

@@ -33287,11 +33520,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo gen_require(` - type $1_untrusted_content_t; + type $1_tmpfs_t; - ') - -- dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; --') -- ++ ') ++ + fs_search_tmpfs($2) + allow $2 $1_tmpfs_t:dir list_dir_perms; + delete_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) @@ -33361,15 +33591,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +template(`userdom_dontaudit_list_user_untrusted_content',` + gen_require(` + type $1_untrusted_content_t; -+ ') -+ -+ dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; -+') -+ - ######################################## - ## - ## Read user untrusted files. -@@ -4231,11 +4404,11 @@ + ') + + dontaudit $2 $1_untrusted_content_t:dir list_dir_perms; +@@ -4231,11 +4410,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -33383,7 +33608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4424,10 @@ +@@ -4251,10 +4430,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -33396,7 +33621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4443,11 @@ +@@ -4270,11 +4449,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -33410,7 +33635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4462,16 @@ +@@ -4289,16 +4468,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -33430,7 +33655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4480,35 @@ +@@ -4307,12 +4486,35 @@ ## ## # @@ -33439,8 +33664,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo gen_require(` - type staff_home_t; + type user_home_t; -+ ') -+ + ') + +- dontaudit $1 staff_home_t:file append; + dontaudit $1 user_home_t:file append_file_perms; + + tunable_policy(`use_nfs_home_dirs',` @@ -33449,10 +33675,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_append_cifs_files($1) - ') ++ ') +') - -- dontaudit $1 staff_home_t:file append; ++ +######################################## +## +## Do not audit attempts to append to the staff @@ -33469,7 +33694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4523,13 @@ +@@ -4327,13 +4529,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -33487,7 +33712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4727,10 @@ +@@ -4531,10 +4733,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -33500,7 +33725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4747,10 @@ +@@ -4551,10 +4753,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -33513,7 +33738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4765,10 @@ +@@ -4569,10 +4771,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -33526,7 +33751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4784,10 @@ +@@ -4588,10 +4790,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -33539,7 +33764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4802,10 @@ +@@ -4606,10 +4808,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -33552,7 +33777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4821,10 @@ +@@ -4625,10 +4827,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -33565,7 +33790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4840,11 @@ +@@ -4644,12 +4846,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -33581,7 +33806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4871,10 @@ +@@ -4676,10 +4877,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -33594,7 +33819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4889,10 @@ +@@ -4694,10 +4895,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -33607,7 +33832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4907,13 @@ +@@ -4712,13 +4913,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -33625,7 +33850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4949,49 @@ +@@ -4754,11 +4955,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -33676,7 +33901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +5011,14 @@ +@@ -4778,6 +5017,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -33691,7 +33916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5080,26 @@ +@@ -4839,6 +5086,26 @@ ######################################## ## @@ -33718,7 +33943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5120,25 @@ +@@ -4859,6 +5126,25 @@ ######################################## ## @@ -33744,7 +33969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5159,26 @@ +@@ -4879,6 +5165,26 @@ ######################################## ## @@ -33771,7 +33996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5415,7 @@ +@@ -5115,7 +5421,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -33780,7 +34005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5604,63 @@ +@@ -5304,6 +5610,63 @@ ######################################## ## @@ -33844,7 +34069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,7 +5866,7 @@ +@@ -5509,7 +5872,7 @@ ######################################## ## @@ -33853,7 +34078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5517,18 +5874,17 @@ +@@ -5517,18 +5880,17 @@ ## ## # @@ -33876,7 +34101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5536,17 +5892,17 @@ +@@ -5536,17 +5898,17 @@ ## ## # @@ -33898,7 +34123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5554,12 +5910,49 @@ +@@ -5554,18 +5916,55 @@ ## ## # @@ -33910,11 +34135,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') - read_files_pattern($1,userdomain,userdomain) +- kernel_search_proc($1) + allow $1 user_ttynode:chr_file rw_term_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of all user domains. +## Do not audit attempts to use unprivileged +## user ttys. +## @@ -33948,10 +34175,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + ps_process_pattern($1,userdomain) - kernel_search_proc($1) - ') - -@@ -5674,6 +6067,42 @@ ++ kernel_search_proc($1) ++') ++ ++######################################## ++## ++## Get the attributes of all user domains. + ## + ## + ## +@@ -5674,6 +6073,42 @@ ######################################## ## @@ -33994,7 +34227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6133,370 @@ +@@ -5704,3 +6139,370 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -35020,7 +35253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-21 11:02:50.611505000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-23 10:09:03.411358000 -0400 @@ -0,0 +1,174 @@ + +policy_module(virt,1.0.0) @@ -35058,7 +35291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +files_type(virt_var_lib_t) + +type virt_etc_t; -+files_type(virt_etc_t) ++files_config_file(virt_etc_t) + +type virt_etc_rw_t; +files_type(virt_etc_rw_t) @@ -35867,3 +36100,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3 - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular +--- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500 ++++ serefpolicy-3.3.1/Rules.modular 2008-04-21 11:02:47.848797000 -0400 +@@ -73,8 +73,8 @@ + $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te + @echo "Compliling $(NAME) $(@F) module" + @test -d $(tmpdir) || mkdir -p $(tmpdir) +- $(call perrole-expansion,$(basename $(@F)),$@.role) +- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) ++# $(call perrole-expansion,$(basename $(@F)),$@.role) ++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + + $(tmpdir)/%.mod.fc: $(m4support) %.fc +@@ -129,7 +129,7 @@ + @test -d $(tmpdir) || mkdir -p $(tmpdir) + # define all available object classes + $(verbose) $(genperm) $(avs) $(secclass) > $@ +- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) ++# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) + $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true + + $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy +@@ -147,7 +147,7 @@ + $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/rolemap.conf: $(rolemap) + $(verbose) echo "" > $@ +- $(call parse-rolemap,base,$@) ++# $(call parse-rolemap,base,$@) + + $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic +--- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500 ++++ serefpolicy-3.3.1/Rules.monolithic 2008-04-21 11:02:47.854791000 -0400 +@@ -96,7 +96,7 @@ + # + # Load the binary policy + # +-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) ++reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles) + @echo "Loading $(NAME) $(loadpath)" + $(verbose) $(LOADPOLICY) -q $(loadpath) + @touch $(tmpdir)/load diff --git a/selinux-policy.spec b/selinux-policy.spec index ff08933..8f68461 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 38%{?dist} +Release: 39%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -385,8 +385,8 @@ exit 0 %endif %changelog -* Tue Apr 22 2008 Dan Walsh 3.3.1-38 -- Bump for release +* Wed Apr 23 2008 Dan Walsh 3.3.1-39 +- Change etc files to config files to allow users to read them * Fri Apr 14 2008 Dan Walsh 3.3.1-37 - Lots of fixes for confined domains on NFS_t homedir