diff --git a/policy-20070501.patch b/policy-20070501.patch index 354fddd..e2e0632 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -467,6 +467,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.t role system_r types dmesg_t; ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.te serefpolicy-2.6.4/policy/modules/admin/dmidecode.te +--- nsaserefpolicy/policy/modules/admin/dmidecode.te 2007-05-07 14:51:05.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/admin/dmidecode.te 2007-08-30 10:26:28.000000000 -0400 +@@ -22,6 +22,7 @@ + + # Allow dmidecode to read /dev/mem + dev_read_raw_memory(dmidecode_t) ++dev_search_sysfs(dmidecode_t) + + mls_file_read_up(dmidecode_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-2.6.4/policy/modules/admin/kudzu.te --- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-05-07 14:51:05.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/admin/kudzu.te 2007-08-07 09:42:35.000000000 -0400 
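Review bot: The new `dev_search_sysfs(dmidecode_t)` line in dmidecode.te lands directly under the `# Allow dmidecode to read /dev/mem` comment, so that comment now describes only the first of the two rules it heads. Either give the sysfs rule its own why-comment stating what dmidecode looks up under /sys (the hunk does not show it), or separate it from the /dev/mem group with a blank line so the comment keeps its scope.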
@@ -1266,6 +1277,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s -ifdef(`targeted_policy',`',` HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0) -') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.6.4/policy/modules/apps/java.fc +--- nsaserefpolicy/policy/modules/apps/java.fc 2007-05-07 14:51:02.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/apps/java.fc 2007-08-27 09:50:36.000000000 -0400 +@@ -22,3 +22,5 @@ + /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) ++/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.6.4/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-05-07 14:51:02.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/apps/java.if 2007-08-07 09:42:35.000000000 -0400 @@ -1465,7 +1485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp auth_search_pam_console_data($1_userhelper_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-09-04 15:55:30.000000000 -0400 @@ -36,6 +36,11 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) 
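Review bot: The final `++` of the java.fc hunk adds an empty trailing line to the file-context file; the other .fc files on this page end on their last gen_context line, and the same stray blank line is added at the end of the corecommands.fc apcupsd block in the `@@ -1510,6 +1539,7 @@` hunk. Drop both empty additions. Separately, `/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)` gives the Eclipse launcher the same entry type as the JVM binaries; whether the transition java.if attaches to java_exec_t is meant for an IDE launcher is not visible here, so a one-line comment next to the entry would record the intent.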
@@ -1488,7 +1508,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) -@@ -248,6 +254,7 @@ +@@ -164,6 +170,8 @@ + /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) + + /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/local/Brother/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) + +@@ -248,6 +256,7 @@ /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) @@ -1496,7 +1525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -256,3 +263,13 @@ +@@ -256,3 +265,14 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -1510,6 +1539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/etc/apcupsd/mastertimeout -- gen_context(system_u:object_r:bin_t,s0) +/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) +/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.6.4/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-05-07 14:51:04.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.if 2007-08-07 09:42:35.000000000 -0400 
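Review bot: The two Brother entries label whole trees with `(/.*)?` as bin_t, so every file under `/usr/local/Brother/lpd` and under each `cupswrapper` directory — including any data or configuration files the driver ships there — becomes executable-typed for every domain that has `corecmd_exec_bin`. The neighbouring entries in this hunk (`/usr/libexec/openssh/sftp-server --`, `/usr/local/lib(64)?/ipsec/.* --`) restrict the label to regular files with `--`. Unless the directories themselves must be bin_t, prefer `/usr/local/Brother/lpd/.* -- gen_context(system_u:object_r:bin_t,s0)` and `/usr/local/Brother/Printer/[^/]*/cupswrapper/.* -- gen_context(system_u:object_r:bin_t,s0)`.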
@@ -1604,7 +1634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-09-04 13:41:27.000000000 -0400 @@ -48,6 +48,11 @@ type reserved_port_t, port_type, reserved_port_type; @@ -1643,7 +1673,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon network_port(lmtp, tcp,24,s0, udp,24,s0) network_port(mail, tcp,2000,s0) -@@ -159,6 +165,9 @@ +@@ -152,6 +158,7 @@ + type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon + network_port(uucpd, tcp,540,s0) + network_port(vnc, tcp,5900,s0) ++network_port(wccp, udp,2048,s0) + network_port(xen, tcp,8002,s0) + network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0) + network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0) +@@ -159,6 +166,9 @@ # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. 
@@ -1970,7 +2008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.6.4/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-08-14 08:16:29.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-08-27 09:57:21.000000000 -0400 @@ -343,8 +343,7 @@ ######################################## @@ -2073,7 +2111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3310,6 +3346,24 @@ +@@ -3310,6 +3346,43 @@ ######################################## ## @@ -2095,10 +2133,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + +######################################## +## ++## dontaudit Add and remove entries from /usr directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_rw_usr_dirs',` ++ gen_require(` ++ type usr_t; ++ ') ++ ++ dontaudit $1 usr_t:dir rw_dir_perms; ++') ++ ++ ++######################################## ++## ## Get the attributes of files in /usr. ## ## -@@ -3386,6 +3440,24 @@ +@@ -3386,6 +3459,24 @@ ######################################## ## @@ -2123,7 +2180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Read symbolic links in /usr. ## ## -@@ -3432,6 +3504,24 @@ +@@ -3432,6 +3523,24 @@ ######################################## ## @@ -2148,7 +2205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Do not audit attempts to search /usr/src. ## ## -@@ -3637,7 +3727,7 @@ +@@ -3637,7 +3746,7 @@ type var_t; ') 
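Review bot: The parameter description of the new `files_dontaudit_rw_usr_dirs` interface reads `Domain allowed access.`, but a dontaudit interface grants nothing; the wording used for dontaudit interfaces is `## Domain to not audit.`. Its summary `dontaudit Add and remove entries from /usr directories.` would read better as `Do not audit attempts to add and remove entries from /usr directories.`, matching `Do not audit attempts to search /usr/src.` further down in this hunk. The interface is also followed by two empty `++` lines before the next `####` banner where the surrounding interfaces use one.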
@@ -2157,7 +2214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3993,7 +4083,7 @@ +@@ -3993,7 +4102,7 @@ type var_lock_t; ') @@ -2166,7 +2223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4012,7 +4102,7 @@ +@@ -4012,7 +4121,7 @@ type var_t, var_lock_t; ') @@ -2175,7 +2232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4181,7 +4271,7 @@ +@@ -4181,7 +4290,7 @@ type var_run_t; ') @@ -2184,7 +2241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4529,6 +4619,8 @@ +@@ -4529,6 +4638,8 @@ # Need to give access to /selinux/member selinux_compute_member($1) @@ -2193,7 +2250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # Need sys_admin capability for mounting allow $1 self:capability { chown fsetid sys_admin }; -@@ -4551,6 +4643,8 @@ +@@ -4551,6 +4662,8 @@ # Default type for mountpoints allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -2202,7 +2259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4588,3 +4682,28 @@ +@@ -4588,3 +4701,28 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') 
@@ -2380,7 +2437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-08-27 09:16:30.000000000 -0400 @@ -43,6 +43,11 @@ # # Non-persistent/pseudo filesystems @@ -2393,7 +2450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type bdev_t; fs_type(bdev_t) genfscon bdev / gen_context(system_u:object_r:bdev_t,s0) -@@ -54,17 +59,29 @@ +@@ -54,17 +59,30 @@ type capifs_t; fs_type(capifs_t) @@ -2417,13 +2474,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +type fusefs_t; +fs_noxattr_type(fusefs_t) +allow fusefs_t self:filesystem associate; ++allow fusefs_t fs_t:filesystem associate; +genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) +genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0) + type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -83,6 +100,11 @@ +@@ -83,6 +101,11 @@ fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) @@ -2435,7 +2493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type nfsd_fs_t; fs_type(nfsd_fs_t) genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) -@@ -105,6 +127,16 @@ +@@ -105,6 +128,16 @@ genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0) files_mountpoint(rpc_pipefs_t) 
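Review bot: `allow fusefs_t fs_t:filesystem associate;` is added without a comment, and unlike the `self:filesystem associate` line above it, the reason a fusefs_t-labelled file would need to reside on an xattr-labelled (fs_t) filesystem is not evident from the hunk. Add a one-line why-comment above it naming the situation that produces such files, e.g. `# fusefs_t files also end up on xattr filesystems: <reason> — confirm`, so the next reader does not have to reconstruct it from an AVC denial.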
@@ -2829,7 +2887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.6.4/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-08-13 19:33:33.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-08-30 13:53:01.000000000 -0400 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -3080,7 +3138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-20 18:21:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-27 09:57:52.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(apache,1.6.0) @@ -3266,7 +3324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -463,6 +526,10 @@ +@@ -463,6 +526,18 @@ ') optional_policy(` 
@@ -3274,10 +3332,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') + +optional_policy(` ++ dbus_system_bus_client_template(httpd,httpd_t) ++ dbus_send_system_bus(httpd_t) ++ tunable_policy(`allow_httpd_dbus_avahi',` ++ avahi_dbus_chat(httpd_t) ++ ') ++') ++ ++optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') -@@ -486,7 +553,6 @@ +@@ -486,7 +561,6 @@ optional_policy(` nagios_read_config(httpd_t) @@ -3285,7 +3351,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -606,6 +672,10 @@ +@@ -506,6 +580,7 @@ + ') + + optional_policy(` ++ files_dontaudit_rw_usr_dirs(httpd_t) + snmp_dontaudit_read_snmp_var_lib_files(httpd_t) + snmp_dontaudit_write_snmp_var_lib_files(httpd_t) + ') +@@ -606,6 +681,10 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -3296,7 +3370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -668,6 +738,12 @@ +@@ -668,6 +747,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -3309,7 +3383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -685,18 +761,6 @@ +@@ -685,18 +770,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -3328,7 +3402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -706,7 +770,8 @@ +@@ -706,7 +779,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; 
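Review bot: In the moved dbus block, `dbus_system_bus_client_template(httpd,httpd_t)` and `dbus_send_system_bus(httpd_t)` are granted unconditionally while only `avahi_dbus_chat(httpd_t)` is gated by `allow_httpd_dbus_avahi`, so a network-facing httpd gets system-bus client access and send_msg to the bus whether or not the boolean is set. If the bus access exists only to reach avahi, move `dbus_send_system_bus(httpd_t)` inside the `tunable_policy` block (the template presumably declares types and so cannot go there); if it is needed regardless, say so in a comment above the block. The `gen_tunable` declaring `allow_httpd_dbus_avahi` is not in this hunk — confirm it exists in apache.te, since an undeclared boolean fails at policy build.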
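Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is inserted inside the `optional_policy(` block that holds the two `snmp_dontaudit_*` calls, so the /usr dontaudit only takes effect when the snmp module is loaded, although the rule itself has nothing to do with snmp. Move the line out of that block, next to the other `files_*` calls for httpd_t, unless the denials it silences really originate from the snmp interaction — in which case a comment saying so belongs above it.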
@@ -3338,7 +3412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -720,21 +785,64 @@ +@@ -720,21 +794,64 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -3358,15 +3432,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +tunable_policy(`httpd_use_nfs', ` -+ fs_read_nfs_files(httpd_sys_script_t) -+ fs_read_nfs_symlinks(httpd_sys_script_t) -+') -+ -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` ++ fs_read_nfs_files(httpd_sys_script_t) ++ fs_read_nfs_symlinks(httpd_sys_script_t) ++') ++ +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; @@ -3408,23 +3482,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -754,14 +862,8 @@ +@@ -754,14 +871,8 @@ # Apache unconfined script local policy # -unconfined_domain(httpd_unconfined_script_t) - --optional_policy(` + optional_policy(` - cron_system_entry(httpd_t, httpd_exec_t) -') - - optional_policy(` +-optional_policy(` - nscd_socket_use(httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) ') ######################################## -@@ -784,7 +886,26 @@ +@@ -784,7 +895,19 @@ miscfiles_read_localization(httpd_rotatelogs_t) 
@@ -3437,6 +3511,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + +files_search_var_lib(httpd_bugzilla_script_t) + ++mta_send_mail(httpd_bugzilla_script_t) ++ +optional_policy(` + mysql_search_db(httpd_bugzilla_script_t) + mysql_stream_connect(httpd_bugzilla_script_t) @@ -3444,15 +3520,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) -+') -+ -+ -+optional_policy(` -+ dbus_system_bus_client_template(httpd,httpd_t) -+ dbus_send_system_bus(httpd_t) -+ tunable_policy(`allow_httpd_dbus_avahi',` -+ avahi_dbus_chat(httpd_t) -+ ') ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-2.6.4/policy/modules/services/apcupsd.fc --- nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-05-07 14:51:01.000000000 -0400 @@ -5289,7 +5356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.6.4/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/kerberos.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/kerberos.te 2007-09-04 11:12:55.000000000 -0400 @@ -5,6 +5,7 @@ # # Declarations @@ -5298,6 +5365,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ## ##

+@@ -62,7 +63,7 @@ + # Use capabilities. Surplus capabilities may be allowed. + allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; + dontaudit kadmind_t self:capability sys_tty_config; +-allow kadmind_t self:process signal_perms; ++allow kadmind_t self:process { setfscreate signal_perms }; + allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; + allow kadmind_t self:unix_dgram_socket { connect create write }; + allow kadmind_t self:tcp_socket connected_stream_socket_perms; @@ -91,6 +92,7 @@ kernel_read_kernel_sysctls(kadmind_t) kernel_list_proc(kadmind_t) @@ -5324,7 +5400,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(kadmind_t) userdom_dontaudit_search_sysadm_home_dirs(kadmind_t) -@@ -227,6 +233,7 @@ +@@ -142,6 +148,7 @@ + + optional_policy(` + seutil_sigchld_newrole(kadmind_t) ++ seutil_read_file_contexts(kadmind_t) + ') + + optional_policy(` +@@ -227,6 +234,7 @@ miscfiles_read_localization(krb5kdc_t) sysnet_read_config(krb5kdc_t) @@ -5332,7 +5416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t) -@@ -248,3 +255,36 @@ +@@ -248,3 +256,36 @@ optional_policy(` udev_read_db(krb5kdc_t) ') 
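Review bot: `allow kadmind_t self:process { setfscreate signal_perms };` lets kadmind choose the SELinux type of files it creates, and `seutil_read_file_contexts(kadmind_t)` in the `@@ -5324,7 +5400,15 @@` hunk below is presumably its other half (reading file_contexts to pick that type); neither line says which file kadmind labels this way. Because setfscreate lets a domain label its output with any type it is otherwise allowed to create, add a why-comment above the process rule, e.g. `# kadmind calls setfscreatecon() when creating <which file> — confirm`, so the scope of the grant is recorded. The kadmind_t rule block continues outside the hunk.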
@@ -5369,6 +5453,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + pcscd_stream_connect(kerberosclient) + ') +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-2.6.4/policy/modules/services/ktalk.te +--- nsaserefpolicy/policy/modules/services/ktalk.te 2007-05-07 14:51:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/ktalk.te 2007-09-04 09:20:32.000000000 -0400 +@@ -49,6 +49,8 @@ + manage_files_pattern(ktalkd_t,ktalkd_var_run_t,ktalkd_var_run_t) + files_pid_filetrans(ktalkd_t,ktalkd_var_run_t,file) + ++auth_use_nsswitch(ktalkd_t) ++ + kernel_read_kernel_sysctls(ktalkd_t) + kernel_read_system_state(ktalkd_t) + kernel_read_network_state(ktalkd_t) +@@ -75,17 +77,9 @@ + + miscfiles_read_localization(ktalkd_t) + +-sysnet_read_config(ktalkd_t) +- + ifdef(`targeted_policy',` + term_dontaudit_use_generic_ptys(ktalkd_t) + term_dontaudit_use_unallocated_ttys(ktalkd_t) + ') + +-optional_policy(` +- nis_use_ypbind(ktalkd_t) +-') +- +-optional_policy(` +- nscd_socket_use(ktalkd_t) +-') ++term_search_ptys(ktalkd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.6.4/policy/modules/services/lpd.if --- nsaserefpolicy/policy/modules/services/lpd.if 2007-05-07 14:50:57.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/lpd.if 2007-08-07 09:42:35.000000000 -0400 
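Review bot: `term_search_ptys(ktalkd_t)` is appended after the `ifdef(`targeted_policy',` block at the very end of ktalk.te, away from the other term_ calls, and carries no comment on why a talk daemon searches the pty directories (presumably to locate the callee's terminal before announcing the request — confirm). Put it before the ifdef block with a why-comment such as `# locate the callee's pty to announce the talk request`. The three removals (`sysnet_read_config`, `nis_use_ypbind`, `nscd_socket_use`) look subsumed by the new `auth_use_nsswitch(ktalkd_t)`; a short note in the change description would make that intent explicit.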
@@ -5613,8 +5728,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-2.6.4/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/nagios.fc 2007-08-07 09:42:35.000000000 -0400 -@@ -4,13 +4,13 @@ ++++ serefpolicy-2.6.4/policy/modules/services/nagios.fc 2007-09-01 07:24:41.000000000 -0400 +@@ -4,13 +4,14 @@ /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) @@ -5625,6 +5740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ifdef(`distro_debian',` /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) @@ -5633,7 +5749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-2.6.4/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/nagios.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/nagios.te 2007-09-04 12:41:37.000000000 -0400 @@ -10,10 +10,6 @@ type nagios_exec_t; init_daemon_domain(nagios_t,nagios_exec_t) 
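Review bot: `/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)` is inserted directly before the `ifdef(`distro_debian',` block with no blank line separating the two, whereas the preceding groups in nagios.fc are separated by blank lines. Since the pattern is recursive, everything that ever appears under /var/spool/nagios gets nagios_spool_t; a comment at the entry naming what the spool is expected to hold (the command pipe, judging by the fifo rule in nagios.te) would document that assumption.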
@@ -5645,7 +5761,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi type nagios_etc_t; files_config_file(nagios_etc_t) -@@ -73,8 +69,10 @@ +@@ -26,6 +22,9 @@ + type nagios_var_run_t; + files_pid_file(nagios_var_run_t) + ++type nagios_spool_t; ++files_type(nagios_spool_t) ++ + type nrpe_t; + type nrpe_exec_t; + init_daemon_domain(nrpe_t,nrpe_exec_t) +@@ -60,6 +59,8 @@ + manage_files_pattern(nagios_t,nagios_var_run_t,nagios_var_run_t) + files_pid_filetrans(nagios_t,nagios_var_run_t,file) + ++rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) ++ + kernel_read_system_state(nagios_t) + kernel_read_kernel_sysctls(nagios_t) + +@@ -73,8 +74,10 @@ corenet_udp_sendrecv_all_nodes(nagios_t) corenet_tcp_sendrecv_all_ports(nagios_t) corenet_udp_sendrecv_all_ports(nagios_t) @@ -5656,7 +5791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi domain_use_interactive_fds(nagios_t) # for ps -@@ -97,8 +95,6 @@ +@@ -97,8 +100,6 @@ miscfiles_read_localization(nagios_t) @@ -5665,7 +5800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_sysadm_home_dirs(nagios_t) -@@ -121,7 +117,7 @@ +@@ -121,7 +122,7 @@ ') optional_policy(` @@ -5674,7 +5809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ') optional_policy(` -@@ -141,42 +137,31 @@ +@@ -141,42 +142,31 @@ # # Nagios CGI local policy # 
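Review bot: `rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)` only grants read/write on an existing fifo (plus directory search); if nagios itself creates its command pipe under /var/spool/nagios at startup — which the new spool type and fc entry suggest — create, unlink and setattr will be denied and the rule would need to be `manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)`. Confirm how the pipe comes into existence (package, init script, or the daemon) before widening; if it is pre-created outside nagios_t, the narrower rw rule is the better choice and deserves a comment saying so.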
@@ -5687,41 +5822,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi - -read_files_pattern(nagios_cgi_t,nagios_t,nagios_t) -read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t) -- ++allow httpd_nagios_script_t self:process signal_perms; + -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t) -read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t) -+allow httpd_nagios_script_t self:process signal_perms; ++read_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t) ++read_lnk_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t) -allow nagios_cgi_t nagios_log_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t) -read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t) -+read_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t) -+read_lnk_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t) - --kernel_read_system_state(nagios_cgi_t) +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_etc_t) +read_lnk_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_etc_t) --corecmd_exec_bin(nagios_cgi_t) +-kernel_read_system_state(nagios_cgi_t) +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t) +read_lnk_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t) --domain_dontaudit_read_all_domains_state(nagios_cgi_t) +-corecmd_exec_bin(nagios_cgi_t) +kernel_read_system_state(httpd_nagios_script_t) +-domain_dontaudit_read_all_domains_state(nagios_cgi_t) ++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) + -files_read_etc_files(nagios_cgi_t) -files_read_etc_runtime_files(nagios_cgi_t) -files_read_kernel_symbol_table(nagios_cgi_t) -+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) - --libs_use_ld_so(nagios_cgi_t) --libs_use_shared_libs(nagios_cgi_t) 
+files_read_etc_runtime_files(httpd_nagios_script_t) +files_read_kernel_symbol_table(httpd_nagios_script_t) +-libs_use_ld_so(nagios_cgi_t) +-libs_use_shared_libs(nagios_cgi_t) +- -logging_send_syslog_msg(nagios_cgi_t) -logging_search_logs(nagios_cgi_t) - @@ -5951,10 +6086,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + samba_read_var_files(nscd_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-2.6.4/policy/modules/services/ntp.fc +--- nsaserefpolicy/policy/modules/services/ntp.fc 2007-05-07 14:50:57.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/ntp.fc 2007-09-04 11:51:35.000000000 -0400 +@@ -17,3 +17,8 @@ + /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) + + /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) ++ ++/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) ++/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) ++ ++/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-2.6.4/policy/modules/services/ntp.if +--- nsaserefpolicy/policy/modules/services/ntp.if 2007-05-07 14:50:57.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/ntp.if 2007-09-04 11:52:25.000000000 -0400 +@@ -53,3 +53,22 @@ + corecmd_search_bin($1) + domtrans_pattern($1,ntpdate_exec_t,ntpd_t) + ') ++ ++######################################## ++##

++## Execute ntp server in the ntpd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`ntp_script_domtrans',` ++ gen_require(` ++ type ntpd_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,ntpd_script_exec_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.6.4/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/ntp.te 2007-08-07 09:42:35.000000000 -0400 -@@ -36,6 +36,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/ntp.te 2007-09-04 11:51:02.000000000 -0400 +@@ -25,6 +25,12 @@ + type ntpdate_exec_t; + init_system_domain(ntpd_t,ntpdate_exec_t) + ++type ntpd_key_t; ++files_type(ntpd_key_t) ++ ++type ntpd_script_exec_t; ++init_script_type(ntpd_script_exec_t) ++ + ######################################## + # + # Local policy +@@ -36,6 +42,7 @@ dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms setcap setsched setrlimit }; allow ntpd_t self:fifo_file { read write getattr }; @@ -5962,7 +6148,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. allow ntpd_t self:unix_dgram_socket create_socket_perms; allow ntpd_t self:unix_stream_socket create_socket_perms; allow ntpd_t self:tcp_socket create_stream_socket_perms; -@@ -81,6 +82,8 @@ +@@ -49,6 +56,8 @@ + manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) + logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir }) + ++read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t) ++ + # for some reason it creates a file in /tmp + manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t) + manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t) +@@ -81,6 +90,8 @@ fs_getattr_all_fs(ntpd_t) fs_search_auto_mountpoints(ntpd_t) 
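Review bot: The summary of the new `ntp_script_domtrans` interface in ntp.if says `Execute ntp server in the ntpd domain.`, but the body calls `init_script_domtrans_spec($1,ntpd_script_exec_t)`, which transitions into the init-script domain rather than ntpd_t; change it to `## Execute the ntpd init script in the init script domain.`. In ntp.fc the three new entries are appended after `/var/run/ntpd\.pid`, breaking the file's path order — the `/etc/ntp/...` and `/etc/rc\.d/...` lines belong before the /var entries. Separating the key material into ntpd_key_t and giving ntpd_t only `read_files_pattern` on it (the `@@ -5962,7 +6148,16 @@` hunk) is the right direction; consider declaring it with `files_security_file(ntpd_key_t)` instead of `files_type(ntpd_key_t)` if this tree has that interface (the files.if hunks above use the `security_file_type` attribute it sets), so that the generic manage-all-files interfaces that exclude security_file_type also exclude the NTP keys.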
@@ -5971,7 +6166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. auth_use_nsswitch(ntpd_t) -@@ -106,6 +109,8 @@ +@@ -106,6 +117,8 @@ sysnet_read_config(ntpd_t) @@ -5980,7 +6175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_sysadm_home_dirs(ntpd_t) userdom_dontaudit_list_sysadm_home_dirs(ntpd_t) -@@ -137,6 +142,10 @@ +@@ -137,6 +150,10 @@ ') optional_policy(` @@ -6349,8 +6544,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.6.4/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/pegasus.te 2007-08-07 09:42:35.000000000 -0400 -@@ -38,8 +38,6 @@ ++++ serefpolicy-2.6.4/policy/modules/services/pegasus.te 2007-09-01 07:03:12.000000000 -0400 +@@ -38,12 +38,11 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms; allow pegasus_t self:tcp_socket create_stream_socket_perms; @@ -6359,7 +6554,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega allow pegasus_t pegasus_conf_t:dir rw_dir_perms; allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink }; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; -@@ -96,13 +94,13 @@ + ++manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t) + manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t) + manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t) + filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir }) +@@ -96,13 +95,13 @@ auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
@@ -6376,7 +6576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega files_read_var_lib_symlinks(pegasus_t) hostname_exec(pegasus_t) -@@ -116,6 +114,7 @@ +@@ -116,6 +115,7 @@ miscfiles_read_localization(pegasus_t) sysnet_read_config(pegasus_t) @@ -6384,7 +6584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega userdom_dontaudit_use_unpriv_user_fds(pegasus_t) userdom_dontaudit_search_sysadm_home_dirs(pegasus_t) -@@ -129,6 +128,7 @@ +@@ -129,6 +129,7 @@ optional_policy(` logging_send_syslog_msg(pegasus_t) @@ -6539,8 +6739,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-08-13 19:36:56.000000000 -0400 -@@ -84,6 +84,12 @@ ++++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-09-04 16:10:20.000000000 -0400 +@@ -6,6 +6,14 @@ + # Declarations + # + ++## ++##

++## Allow postfix_local domain full write access to mail_spool directories ++## ++##

++##
++gen_tunable(allow_postfix_local_write_mail_spool,false) ++ + attribute postfix_user_domains; + # domains that transition to the + # postfix user domains +@@ -27,6 +35,10 @@ + postfix_server_domain_template(local) + mta_mailserver_delivery(postfix_local_t) + ++tunable_policy(`allow_postfix_local_write_mail_spool', ` ++ mta_rw_spool(postfix_local_t) ++') ++ + type postfix_local_tmp_t; + files_tmp_file(postfix_local_tmp_t) + +@@ -84,6 +96,12 @@ type postfix_var_run_t; files_pid_file(postfix_var_run_t) @@ -6553,7 +6779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix master process local policy -@@ -169,12 +175,18 @@ +@@ -169,12 +187,18 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) @@ -6572,7 +6798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post cyrus_stream_connect(postfix_master_t) ') -@@ -184,9 +196,17 @@ +@@ -184,9 +208,17 @@ ') optional_policy(` @@ -6590,7 +6816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ########################################################### # # Partially converted rules. THESE ARE ONLY TEMPORARY -@@ -268,6 +288,8 @@ +@@ -268,6 +300,8 @@ files_read_etc_files(postfix_local_t) @@ -6599,7 +6825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin -@@ -386,7 +408,7 @@ +@@ -386,7 +420,7 @@ # Postfix pipe local policy # @@ -6608,7 +6834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) -@@ -395,6 +417,10 @@ +@@ -395,6 +429,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` 
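Review bot: The `tunable_policy` block for `allow_postfix_local_write_mail_spool` is placed in the Declarations section, directly under `mta_mailserver_delivery(postfix_local_t)` and above `type postfix_local_tmp_t;`, whereas the rest of postfix_local_t's rules sit in its local-policy section further down (the `files_read_etc_files(postfix_local_t)` / `mta_read_aliases(postfix_local_t)` region this patch also touches). Moving the block there keeps declarations rule-free and puts the boolean next to the spool rules it relaxes. The description should also match what `mta_rw_spool` grants — its name suggests read/write on spool files rather than "full write access to mail_spool directories"; confirm the interface body and reword, e.g. `## Allow postfix_local to read and write the mail spool`.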
@@ -6619,7 +6845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_pipe_t) ') -@@ -441,6 +467,10 @@ +@@ -441,6 +479,10 @@ ') optional_policy(` @@ -6630,7 +6856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ppp_use_fds(postfix_postqueue_t) ppp_sigchld(postfix_postqueue_t) ') -@@ -519,8 +549,6 @@ +@@ -519,8 +561,6 @@ # Postfix smtp delivery local policy # @@ -6639,7 +6865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) -@@ -528,6 +556,8 @@ +@@ -528,6 +568,8 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -6648,7 +6874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') -@@ -536,6 +566,7 @@ +@@ -536,6 +578,7 @@ # # Postfix smtpd local policy # @@ -6656,7 +6882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; # connect to master process -@@ -552,9 +583,45 @@ +@@ -552,9 +595,45 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` @@ -7456,7 +7682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-08-23 17:07:33.000000000 -0400 @@ -28,6 +28,35 @@ ##
gen_tunable(samba_share_nfs,false) @@ -7579,10 +7805,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -319,6 +363,10 @@ +@@ -319,6 +363,14 @@ ') optional_policy(` ++ kerberos_read_keytab(smbd_t) ++') ++ ++optional_policy(` + lpd_exec_lpr(smbd_t) +') + @@ -7590,7 +7820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) ') -@@ -339,6 +387,23 @@ +@@ -339,6 +391,23 @@ udev_read_db(smbd_t) ') @@ -7614,7 +7844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # nmbd Local policy -@@ -352,7 +417,7 @@ +@@ -352,7 +421,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -7623,7 +7853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -362,9 +427,12 @@ +@@ -362,9 +431,12 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file) read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) @@ -7637,7 +7867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) allow nmbd_t samba_log_t:dir setattr; -@@ -391,6 +459,7 @@ +@@ -391,6 +463,7 @@ corenet_udp_bind_nmbd_port(nmbd_t) corenet_sendrecv_nmbd_server_packets(nmbd_t) corenet_sendrecv_nmbd_client_packets(nmbd_t) 
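Review bot: `kerberos_read_keytab(smbd_t)` gives the smbd domain read access to the host's long-term Kerberos keys without a comment recording why, and it is granted unconditionally rather than behind one of the samba tunables declared at the top of this file. A keytab read is the kind of grant a later audit will question, so record the trigger above the block, hedged to what was observed, e.g. `# smbd reads the host keytab to validate Kerberos tickets (ADS member server) — confirm`. The surrounding `optional_policy` series continues outside this outer hunk.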
@@ -7645,7 +7875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(nmbd_t) dev_getattr_mtrr_dev(nmbd_t) -@@ -457,6 +526,7 @@ +@@ -457,6 +530,7 @@ allow smbmount_t samba_secrets_t:file manage_file_perms; @@ -7653,7 +7883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbmount_t samba_var_t:dir rw_dir_perms; manage_files_pattern(smbmount_t,samba_var_t,samba_var_t) manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t) -@@ -514,7 +584,7 @@ +@@ -514,7 +588,7 @@ userdom_use_sysadm_ttys(smbmount_t) optional_policy(` @@ -7662,7 +7892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') optional_policy(` -@@ -534,7 +604,6 @@ +@@ -534,7 +608,6 @@ allow swat_t self:process signal_perms; allow swat_t self:fifo_file rw_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; @@ -7670,7 +7900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t self:tcp_socket create_stream_socket_perms; allow swat_t self:udp_socket create_socket_perms; allow swat_t self:netlink_route_socket r_netlink_socket_perms; -@@ -588,6 +657,7 @@ +@@ -588,6 +661,7 @@ fs_getattr_xattr_fs(swat_t) auth_domtrans_chk_passwd(swat_t) @@ -7678,7 +7908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb libs_use_ld_so(swat_t) libs_use_shared_libs(swat_t) -@@ -625,19 +695,25 @@ +@@ -625,19 +699,25 @@ # Winbind local policy # @@ -7705,7 +7935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t) filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file) -@@ -645,6 +721,8 @@ +@@ -645,6 +725,8 @@ manage_files_pattern(winbind_t,samba_log_t,samba_log_t) manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t) 
@@ -7714,7 +7944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb manage_files_pattern(winbind_t,samba_var_t,samba_var_t) manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t) -@@ -682,7 +760,9 @@ +@@ -682,7 +764,9 @@ fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) @@ -7724,7 +7954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -695,9 +775,6 @@ +@@ -695,9 +779,6 @@ miscfiles_read_localization(winbind_t) @@ -7734,7 +7964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_dontaudit_search_sysadm_home_dirs(winbind_t) userdom_priveleged_home_dir_manager(winbind_t) -@@ -713,10 +790,6 @@ +@@ -713,10 +794,6 @@ ') optional_policy(` @@ -7745,7 +7975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(winbind_t) ') -@@ -736,6 +809,7 @@ +@@ -736,6 +813,7 @@ read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t) read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t) @@ -7753,7 +7983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow winbind_helper_t samba_var_t:dir search; stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t) -@@ -763,4 +837,25 @@ +@@ -763,4 +841,25 @@ optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) 
@@ -7921,7 +8151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp /usr/sbin/snmp(trap)?d -- gen_context(system_u:object_r:snmpd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.6.4/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/snmp.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/snmp.te 2007-09-04 10:34:35.000000000 -0400 @@ -9,9 +9,6 @@ type snmpd_exec_t; init_daemon_domain(snmpd_t,snmpd_exec_t) @@ -7949,7 +8179,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp allow snmpd_t snmpd_log_t:file manage_file_perms; logging_log_filetrans(snmpd_t,snmpd_log_t,file) -@@ -135,18 +130,19 @@ +@@ -50,6 +45,7 @@ + + kernel_read_device_sysctls(snmpd_t) + kernel_read_kernel_sysctls(snmpd_t) ++kernel_read_fs_sysctls(snmpd_t) + kernel_read_net_sysctls(snmpd_t) + kernel_read_proc_symlinks(snmpd_t) + kernel_read_system_state(snmpd_t) +@@ -84,9 +80,7 @@ + files_read_etc_files(snmpd_t) + files_read_usr_files(snmpd_t) + files_read_etc_runtime_files(snmpd_t) +-files_search_home(snmpd_t) +-files_getattr_boot_dirs(snmpd_t) +-files_dontaudit_getattr_home_dir(snmpd_t) ++auth_read_all_dirs_except_shadow(snmpd_t) + + fs_getattr_all_dirs(snmpd_t) + fs_getattr_all_fs(snmpd_t) +@@ -135,18 +129,19 @@ optional_policy(` mta_read_config(snmpd_t) 
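Review bot: Replacing `files_search_home(snmpd_t)`, `files_getattr_boot_dirs(snmpd_t)` and the home-dir dontaudit with `auth_read_all_dirs_except_shadow(snmpd_t)` widens snmpd from searching and stat'ing a few directories to listing every directory on the system, including user home content, which is a large exposure increase for a network-facing daemon. If the motivating denial is a disk-usage or filesystem MIB walk (inferred, not visible here), say so in a comment above the new line, e.g. `# MIB filesystem walk needs dir listing; shadow excluded — confirm`, and check whether search plus getattr on the mount points would do instead. `kernel_read_fs_sysctls(snmpd_t)` in the same hunk is unremarkable.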
@@ -8101,8 +8350,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.6.4/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/squid.te 2007-08-07 09:42:35.000000000 -0400 -@@ -108,6 +108,8 @@ ++++ serefpolicy-2.6.4/policy/modules/services/squid.te 2007-09-04 13:40:38.000000000 -0400 +@@ -91,6 +91,7 @@ + corenet_udp_bind_gopher_port(squid_t) + corenet_tcp_bind_squid_port(squid_t) + corenet_udp_bind_squid_port(squid_t) ++corenet_udp_bind_wccp_port(squid_t) + corenet_tcp_connect_ftp_port(squid_t) + corenet_tcp_connect_gopher_port(squid_t) + corenet_tcp_connect_http_port(squid_t) +@@ -108,6 +109,8 @@ fs_getattr_all_fs(squid_t) fs_search_auto_mountpoints(squid_t) @@ -8111,7 +8368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi selinux_dontaudit_getattr_dir(squid_t) -@@ -181,7 +183,11 @@ +@@ -181,7 +184,11 @@ udev_read_db(squid_t) ') @@ -9005,7 +9262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.6.4/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-09-04 10:57:17.000000000 -0400 @@ -9,6 +9,7 @@ type fsadm_t; type fsadm_exec_t; 
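Review bot: `corenet_udp_bind_wccp_port(squid_t)` depends on a `wccp` port being declared in corenetwork, which generates that interface; this diff does not touch corenetwork, so unless the declaration already exists the build fails on an undefined interface. A comment next to the bind stating which squid feature opens the port would also help, since WCCP is not enabled by default in most deployments (inferred). The inner squid.te hunk `@@ -91,6 +91,7 @@` is complete within this outer hunk.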
@@ -9014,7 +9271,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool role system_r types fsadm_t; type fsadm_log_t; -@@ -184,3 +185,9 @@ +@@ -108,8 +109,7 @@ + + term_use_console(fsadm_t) + +-corecmd_list_bin(fsadm_t) +-corecmd_read_bin_symlinks(fsadm_t) ++corecmd_exec_bin(fsadm_t) + #RedHat bug #201164 + corecmd_exec_shell(fsadm_t) + +@@ -184,3 +184,9 @@ fs_dontaudit_write_ramfs_pipes(fsadm_t) rhgb_stub(fsadm_t) ') @@ -9175,7 +9442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.6.4/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/init.if 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/init.if 2007-09-04 11:59:57.000000000 -0400 @@ -194,11 +194,14 @@ gen_require(` type initrc_t; 
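Review bot: Swapping `corecmd_list_bin(fsadm_t)` / `corecmd_read_bin_symlinks(fsadm_t)` for `corecmd_exec_bin(fsadm_t)` lets fsadm_t run any bin_t executable in its own domain, a much broader grant than the listing it replaces, and it arrives without the justification the very next line carries (`#RedHat bug #201164`). Name the helper that needs it in a comment above the rule — `# <tool> is exec'd by the fs tools; see bug <id>` — so the widening can be revisited, and if only one helper is involved consider a dedicated exec rule or domain transition instead. The inner hunk `@@ -108,8 +109,7 @@` is complete here.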
@@ -9191,16 +9458,164 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i role system_r types $1; domtrans_pattern(initrc_t,$2,$1) -@@ -1088,7 +1091,7 @@ +@@ -554,18 +557,19 @@ + # + interface(`init_spec_domtrans_script',` + gen_require(` +- type initrc_t, initrc_exec_t; ++ type initrc_t; ++ attribute initscript; ') - files_search_tmp($1) -- rw_files_pattern($1,initrc_tmp_t,initrc_tmp_t) -+ allow $1 initrc_tmp_t:file rw_file_perms; + files_list_etc($1) +- spec_domtrans_pattern($1,initrc_exec_t,initrc_t) ++ spec_domtrans_pattern($1,initscript,initrc_t) + + ifdef(`enable_mcs',` +- range_transition $1 initrc_exec_t:process s0; ++ range_transition $1 initscript:process s0; + ') + + ifdef(`enable_mls',` +- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; ++ range_transition $1 initscript:process s0 - mls_systemhigh; + ') + ') + +@@ -581,18 +585,46 @@ + # + interface(`init_domtrans_script',` + gen_require(` +- type initrc_t, initrc_exec_t; ++ type initrc_t; ++ attribute initscript; + ') + + files_list_etc($1) +- domtrans_pattern($1,initrc_exec_t,initrc_t) ++ domtrans_pattern($1,initscript,initrc_t) + + ifdef(`enable_mcs',` +- range_transition $1 initrc_exec_t:process s0; ++ range_transition $1 initscript:process s0; + ') + + ifdef(`enable_mls',` +- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; ++ range_transition $1 initscript:process s0 - mls_systemhigh; ++ ') ++') ++ ++######################################## ++## ++## Execute init a specific script with an automatic domain transition. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`init_script_domtrans_spec',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ files_list_etc($1) ++ domtrans_pattern($1,$2,initrc_t) ++ ++ ifdef(`enable_mcs',` ++ range_transition $1 $2:process s0; ++ ') ++ ++ ifdef(`enable_mls',` ++ range_transition $1 $2:process s0 - mls_systemhigh; + ') + ') + +@@ -623,11 +655,11 @@ + # cjp: added for gentoo integrated run_init + interface(`init_script_file_domtrans',` + gen_require(` +- type initrc_exec_t; ++ attribute initscript; + ') + + files_list_etc($1) +- domain_auto_trans($1,initrc_exec_t,$2) ++ domain_auto_trans($1,initscript,$2) ') ######################################## -@@ -1248,7 +1251,7 @@ +@@ -698,11 +730,11 @@ + # + interface(`init_getattr_script_files',` + gen_require(` +- type initrc_exec_t; ++ attribute initscript; + ') + + files_list_etc($1) +- allow $1 initrc_exec_t:file getattr; ++ allow $1 initscript:file getattr; + ') + + ######################################## +@@ -717,11 +749,11 @@ + # + interface(`init_exec_script_files',` + gen_require(` +- type initrc_exec_t; ++ attribute initscript; + ') + + files_list_etc($1) +- can_exec($1,initrc_exec_t) ++ can_exec($1,initscript) + ') + + ######################################## +@@ -948,6 +980,25 @@ + + ######################################## + ## ++## Send messages to init scripts over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_dbus_send_script',` ++ gen_require(` ++ type initrc_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 initrc_t:dbus send_msg; ++') ++ ++######################################## ++## + ## Send and receive messages from + ## init scripts over dbus. 
+ ## +@@ -1026,11 +1077,11 @@ + # + interface(`init_read_script_files',` + gen_require(` +- type initrc_exec_t; ++ attribute initscript; + ') + + files_search_etc($1) +- allow $1 initrc_exec_t:file read_file_perms; ++ allow $1 initscript:file read_file_perms; + ') + + ######################################## +@@ -1248,7 +1299,7 @@ type initrc_var_run_t; ') @@ -9209,7 +9624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1269,3 +1272,42 @@ +@@ -1269,3 +1320,64 @@ files_search_pids($1) allow $1 initrc_var_run_t:file manage_file_perms; ') @@ -9252,9 +9667,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + + allow $1 init_t:process ptrace; +') ++ ++######################################## ++## ++## Make the specified type usable for initscripts ++## in a filesystem. ++## ++## ++## ++## Type to be used for files. ++## ++## ++# ++interface(`init_script_type',` ++ gen_require(` ++ type initrc_t; ++ attribute initscript; ++ ') ++ ++ typeattribute $1 initscript; ++ domain_entry_file(initrc_t,$1) ++ ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.6.4/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/init.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/init.te 2007-09-04 12:06:53.000000000 -0400 @@ -10,13 +10,20 @@ # Declarations # 
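Review bot: `init_script_domtrans_spec` takes two arguments (`domtrans_pattern($1,$2,initrc_t)`) but its doc block documents only "Domain allowed access."; add a second param entry for `$2`, the init-script entrypoint type, and fix the summary wording to `## Execute a specific init script with an automatic domain transition.` The name also collides with `init_spec_domtrans_script` in the same file, where "spec" means `spec_domtrans_pattern` (transition only when requested), while the new interface does an automatic transition into initrc_t; either rename it (suggestion: `init_script_file_domtrans_to_initrc`) or state in the summary that "spec" here means "specific script". The `initrc_exec_t` → `attribute initscript` substitutions in `init_spec_domtrans_script`, `init_domtrans_script`, `init_script_file_domtrans`, `init_getattr_script_files`, `init_exec_script_files` and `init_read_script_files` are consistent with each other.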
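Review bot: `init_script_type` makes every type passed to it an entry point of initrc_t (`domain_entry_file(initrc_t,$1)`), and in the targeted policy initrc_t is unconfined (`unconfined_domain(initrc_t)` in the init.te hunk further down this page), so each caller is minting a new path into an unconfined domain; the doc should say so, e.g. `## Files of this type become entry points for initrc_t; label only the module's /etc/init.d script with it.` Because the type also joins the `initscript` attribute, the `range_transition $1 initscript:process` rules added earlier in this patch apply to it automatically. There is a stray blank line before the interface's closing `')`.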
@@ -9277,7 +9714,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') # used for direct running of init scripts -@@ -82,7 +89,7 @@ +@@ -28,6 +35,9 @@ + # Mark process types as daemons + attribute daemon; + ++# Mark /etc/init.d scripts types as initscripts ++attribute initscript; ++ + # + # init_t is the domain of the init process. + # +@@ -54,7 +64,7 @@ + mls_trusted_object(initctl_t) + + type initrc_t; +-type initrc_exec_t; ++type initrc_exec_t, initscript; + domain_type(initrc_t) + domain_entry_file(initrc_t,initrc_exec_t) + role system_r types initrc_t; +@@ -82,7 +92,7 @@ # # Use capabilities. old rule: @@ -9286,7 +9742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -198,7 +205,7 @@ +@@ -198,7 +208,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -9295,7 +9751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; -@@ -213,8 +220,7 @@ +@@ -213,10 +223,9 @@ allow initrc_t initrc_devpts_t:chr_file rw_term_perms; term_create_pty(initrc_t,initrc_devpts_t) @@ -9303,9 +9759,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t -init_exec(initrc_t) +init_telinit(initrc_t) - can_exec(initrc_t,initrc_exec_t) +-can_exec(initrc_t,initrc_exec_t) ++can_exec(initrc_t,initscript) -@@ -508,6 +514,12 @@ + manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) + manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t) +@@ -508,6 +517,12 @@ ') ') 
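Review bot: The new comment `# Mark /etc/init.d scripts types as initscripts` reads awkwardly and does not point at the interface that assigns the attribute; `# Attribute for the file types of /etc/init.d scripts (assigned via init_script_type)` would. `type initrc_exec_t, initscript;` and `can_exec(initrc_t,initscript)` in the following hunk are the expected companions of the attribute.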
@@ -9318,7 +9777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`targeted_policy',` domain_subj_id_change_exemption(initrc_t) unconfined_domain(initrc_t) -@@ -520,11 +532,22 @@ +@@ -520,11 +535,22 @@ tunable_policy(`allow_daemons_use_tty',` term_use_unallocated_ttys(daemon) term_use_generic_ptys(daemon) @@ -9343,7 +9802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ',` # cjp: require doesnt work in the else of optionals :\ # this also would result in a type transition -@@ -735,6 +758,9 @@ +@@ -735,6 +761,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -10539,7 +10998,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.6.4/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.te 2007-08-22 08:36:58.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.te 2007-09-04 11:49:43.000000000 -0400 +@@ -45,7 +45,7 @@ + dontaudit dhcpc_t self:capability sys_tty_config; + # for access("/etc/bashrc", X_OK) on Red Hat + dontaudit dhcpc_t self:capability { dac_read_search sys_module }; +-allow dhcpc_t self:process signal_perms; ++allow dhcpc_t self:process { ptrace signal_perms }; + allow dhcpc_t self:fifo_file rw_file_perms; + allow dhcpc_t self:tcp_socket create_stream_socket_perms; + allow dhcpc_t self:udp_socket create_socket_perms; @@ -164,6 +164,10 @@ dbus_connect_system_bus(dhcpc_t) dbus_send_system_bus(dhcpc_t) 
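Review bot: `allow dhcpc_t self:process { ptrace signal_perms };` adds self-ptrace to the DHCP client with no comment, unlike the annotated `dontaudit` lines just above it; self:process ptrace denials are often noise from a helper or library rather than a functional need. If the denial is benign, prefer `dontaudit dhcpc_t self:process ptrace;`; if it is required, record the trigger above the rule, e.g. `# dhclient ptraces itself when <trigger> — confirm`. The inner hunk `@@ -45,7 +45,7 @@` is complete within this outer hunk.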
@@ -10551,15 +11019,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet optional_policy(` networkmanager_dbus_chat(dhcpc_t) ') -@@ -211,6 +215,7 @@ - # dhclient sometimes starts ntpd - init_exec_script_files(dhcpc_t) - ntp_domtrans(dhcpc_t) -+ ntp_domtrans_ntpdate(dhcpc_t) +@@ -208,9 +212,7 @@ + ') + + optional_policy(` +- # dhclient sometimes starts ntpd +- init_exec_script_files(dhcpc_t) +- ntp_domtrans(dhcpc_t) ++ ntp_script_domtrans(dhcpc_t) ') optional_policy(` -@@ -221,6 +226,7 @@ +@@ -221,6 +223,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -10567,7 +11038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -259,6 +265,7 @@ +@@ -259,6 +262,7 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; @@ -10577,7 +11048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet allow ifconfig_t self:udp_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.4/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-08-31 06:15:18.000000000 -0400 @@ -18,11 +18,6 @@ type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) 
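Review bot: The replacement drops the comment `# dhclient sometimes starts ntpd` together with the old rules, so `ntp_script_domtrans(dhcpc_t)` is left with no rationale; keep the comment above the new call. Note also what the new interface does: per the `ntp_script_domtrans` and `init_script_domtrans_spec` definitions earlier in this patch it transitions dhcpc_t into initrc_t through the ntpd init script (`domtrans_pattern($1,$2,initrc_t)`), not into ntpd_t as the ntp.if summary "Execute ntp server in the ntpd domain" suggests — that summary should be corrected to say the script runs in initrc_t. The previous revision's `ntp_domtrans_ntpdate(dhcpc_t)` is removed as well; if dhclient-script still invokes ntpdate directly, that transition is lost (not verifiable from this hunk).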
@@ -10609,17 +11080,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t kernel_read_system_state(udev_t) kernel_getattr_core_if(udev_t) -@@ -83,16 +80,23 @@ +@@ -82,6 +79,11 @@ + kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) kernel_signal(udev_t) - ++files_read_kernel_modules(udev_t) ++ +#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 +kernel_rw_net_sysctls(udev_t) +kernel_read_network_state(udev_t) -+ + corecmd_exec_all_executables(udev_t) - dev_rw_sysfs(udev_t) +@@ -89,10 +91,13 @@ dev_manage_all_dev_nodes(udev_t) dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) @@ -10633,7 +11106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t files_read_etc_runtime_files(udev_t) files_read_etc_files(udev_t) files_exec_etc_files(udev_t) -@@ -142,8 +146,14 @@ +@@ -142,8 +147,14 @@ seutil_read_file_contexts(udev_t) seutil_domtrans_restorecon(udev_t) @@ -10648,7 +11121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t userdom_use_sysadm_ttys(udev_t) userdom_dontaudit_search_all_users_home_content(udev_t) -@@ -176,6 +186,10 @@ +@@ -176,6 +187,10 @@ ') optional_policy(` @@ -10659,7 +11132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t consoletype_exec(udev_t) ') -@@ -184,6 +198,10 @@ +@@ -184,6 +199,10 @@ ') optional_policy(` @@ -10670,7 +11143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t hal_dgram_send(udev_t) ') -@@ -194,5 +212,24 @@ +@@ -194,5 +213,24 @@ ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index d2f2bb2..93304fc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 40%{?dist} +Release: 41%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
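Review bot: `files_read_kernel_modules(udev_t)` is inserted between `kernel_signal(udev_t)` and the sysctl block that carries its bugzilla URL, with no reason of its own, so a reader will take it as part of that bug's fix. Add a separate comment above it, e.g. `# udev reads kernel module files for <reason> — confirm`, so the two grants are not read as one change. The rest of this hunk is renumbering and blank-line movement.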
@@ -162,7 +162,7 @@ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ selinuxenabled; \ if [ $? == 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.pre ]; then \ fixfiles -C ${FILE_CONTEXT}.pre restore; \ - restorecon -R /var/log 2> /dev/null; \ + restorecon -R /var/log /var/run 2> /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ fi; @@ -361,6 +361,9 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Tue Sep 4 2007 Dan Walsh 2.6.4-41 +- Allow ktalkd to look at terminals + * Tue Aug 21 2007 Dan Walsh 2.6.4-40 - Allow modutil sys_nice - Allow automount to run smbclient
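Review bot: The new changelog entry `- Allow ktalkd to look at terminals` describes none of what this revision of the policy patch visibly changes: the `initscript` attribute and `init_script_type` in init.if/init.te, the ntpd_key_t and ntpd_script_exec_t types, the postfix `allow_postfix_local_write_mail_spool` tunable, `auth_read_all_dirs_except_shadow(snmpd_t)`, `corecmd_exec_bin(fsadm_t)` and the samba keytab read all appear in this diff and are unlisted. Each is a privilege change a downstream admin would look for via the package changelog, so add one line per item under the 2.6.4-41 entry. The `restorecon -R /var/log /var/run` change in the %post scriptlet earlier in this file is likewise unmentioned.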