##
@@ -34,20 +26,29 @@
#
# Git daemon global private declarations.
#
+
+attribute git_domains;
+attribute git_system_content;
+attribute git_content;
+
type gitd_exec_t;
-type gitd_t, gitd_type;
-inetd_service_domain(gitd_t, gitd_exec_t)
-role system_r types gitd_t;
+########################################
+#
+# Git daemon system private declarations.
+#
-type git_data_t, git_content_type;
-files_type(git_data_t)
+type git_system_t, git_domains;
+inetd_service_domain(git_system_t, gitd_exec_t)
+role system_r types git_system_t;
-permissive gitd_t;
+type git_system_content_t, git_system_content, git_content;
+files_type(git_system_content_t)
+typealias git_system_content_t alias git_data_t;
########################################
#
-# Git daemon session session private declarations.
+# Git daemon session private declarations.
#
##
@@ -58,85 +59,82 @@
##
gen_tunable(git_session_bind_all_unreserved_ports, false)
-type gitd_session_t, gitd_type;
-application_domain(gitd_session_t, gitd_exec_t)
-ubac_constrained(gitd_session_t)
-
-type git_home_t, git_content_type;
-userdom_user_home_content(git_home_t)
+type git_session_t, git_domains;
+application_domain(git_session_t, gitd_exec_t)
+ubac_constrained(git_session_t)
-permissive gitd_session_t;
+type git_session_content_t, git_content;
+userdom_user_home_content(git_session_content_t)
########################################
#
# Git daemon global private policy.
#
-allow gitd_type self:fifo_file rw_fifo_file_perms;
-allow gitd_type self:tcp_socket create_socket_perms;
-allow gitd_type self:udp_socket create_socket_perms;
-allow gitd_type self:unix_dgram_socket create_socket_perms;
+allow git_domains self:fifo_file rw_fifo_file_perms;
+allow git_domains self:netlink_route_socket create_netlink_socket_perms;
+allow git_domains self:tcp_socket { create_socket_perms listen };
+allow git_domains self:udp_socket create_socket_perms;
+allow git_domains self:unix_dgram_socket create_socket_perms;
-corenet_all_recvfrom_netlabel(gitd_type)
-corenet_all_recvfrom_unlabeled(gitd_type)
+corenet_all_recvfrom_netlabel(git_domains)
+corenet_all_recvfrom_unlabeled(git_domains)
-corenet_tcp_sendrecv_all_if(gitd_type)
-corenet_tcp_sendrecv_all_nodes(gitd_type)
-corenet_tcp_sendrecv_all_ports(gitd_type)
+corenet_tcp_bind_generic_node(git_domains)
-corenet_tcp_bind_all_nodes(gitd_type)
-corenet_tcp_bind_git_port(gitd_type)
+corenet_tcp_sendrecv_generic_if(git_domains)
+corenet_tcp_sendrecv_generic_node(git_domains)
+corenet_tcp_sendrecv_generic_port(git_domains)
-corecmd_exec_bin(gitd_type)
+corenet_tcp_bind_git_port(git_domains)
+corenet_sendrecv_git_server_packets(git_domains)
-files_read_etc_files(gitd_type)
-files_read_usr_files(gitd_type)
+corecmd_exec_bin(git_domains)
-fs_search_auto_mountpoints(gitd_type)
+files_read_etc_files(git_domains)
+files_read_usr_files(git_domains)
-kernel_read_system_state(gitd_type)
+fs_search_auto_mountpoints(git_domains)
-logging_send_syslog_msg(gitd_type)
+kernel_read_system_state(git_domains)
-auth_use_nsswitch(gitd_type)
+auth_use_nsswitch(git_domains)
-miscfiles_read_localization(gitd_type)
+logging_send_syslog_msg(git_domains)
+
+miscfiles_read_localization(git_domains)
########################################
#
# Git daemon system repository private policy.
#
-list_dirs_pattern(gitd_t, git_content_type, git_content_type)
-read_files_pattern(gitd_t, git_content_type, git_content_type)
-files_search_var(gitd_t)
-
-# This will not work since git-shell needs to execute gitd content thus public content files.
-# There is currently no clean way to execute public content files.
-# miscfiles_read_public_files(gitd_t)
+list_dirs_pattern(git_system_t, git_content, git_content)
+read_files_pattern(git_system_t, git_content, git_content)
+files_search_var(git_system_t)
tunable_policy(`git_system_enable_homedirs', `
- userdom_search_user_home_dirs(gitd_t)
+ userdom_search_user_home_dirs(git_system_t)
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
- fs_list_nfs(gitd_t)
- fs_read_nfs_files(gitd_t)
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
')
tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
- fs_list_cifs(gitd_t)
- fs_read_cifs_files(gitd_t)
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
')
tunable_policy(`git_system_use_cifs', `
- fs_list_cifs(gitd_t)
- fs_read_cifs_files(gitd_t)
+ fs_list_cifs(git_system_t)
+ fs_read_cifs_files(git_system_t)
')
tunable_policy(`git_system_use_nfs', `
- fs_list_nfs(gitd_t)
- fs_read_nfs_files(gitd_t)
+ fs_list_nfs(git_system_t)
+ fs_read_nfs_files(git_system_t)
')
########################################
@@ -144,24 +142,24 @@
# Git daemon session repository private policy.
#
-list_dirs_pattern(gitd_session_t, git_home_t, git_home_t)
-read_files_pattern(gitd_session_t, git_home_t, git_home_t)
-userdom_search_user_home_dirs(gitd_session_t)
+list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
+read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
+userdom_search_user_home_dirs(git_session_t)
-userdom_use_user_terminals(gitd_session_t)
+userdom_use_user_terminals(git_session_t)
tunable_policy(`git_session_bind_all_unreserved_ports', `
- corenet_tcp_bind_all_unreserved_ports(gitd_session_t)
+ corenet_tcp_bind_all_unreserved_ports(git_session_t)
')
tunable_policy(`use_nfs_home_dirs', `
- fs_list_nfs(gitd_session_t)
- fs_read_nfs_files(gitd_session_t)
+ fs_list_nfs(git_session_t)
+ fs_read_nfs_files(git_session_t)
')
tunable_policy(`use_samba_home_dirs', `
- fs_list_cifs(gitd_session_t)
- fs_read_cifs_files(gitd_session_t)
+ fs_list_cifs(git_session_t)
+ fs_read_cifs_files(git_session_t)
')
########################################
@@ -169,5 +167,16 @@
# cgi git Declarations
#
+optional_policy(`
apache_content_template(git)
-git_read_data_content(httpd_git_script_t)
+ git_read_session_content_files(httpd_git_script_t)
+ files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+')
+
+########################################
+#
+# Git-shell private policy.
+#
+
+#git_role_template(git_shell)
+#gen_user(git_shell_u, user, git_shell_r, s0, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.32/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-01-18 18:24:22.799531033 +0100
+++ serefpolicy-3.6.32/policy/modules/services/kerberos.if 2010-01-22 17:08:10.300604739 +0100
@@ -85,7 +85,7 @@
seutil_dontaudit_read_file_contexts($1)
optional_policy(`
- sssd_read_config_files($1)
+ sssd_read_public_files($1)
')
tunable_policy(`allow_kerberos',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc
--- nsaserefpolicy/policy/modules/services/ldap.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-02-09 10:45:23.074866029 +0100
@@ -1,8 +1,12 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dirsrv.* -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
ifdef(`distro_debian',`
/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
@@ -10,8 +14,12 @@
/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:slapd_log_t,s0)
/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.32/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ldap.te 2010-01-29 10:41:13.184864510 +0100
@@ -28,6 +28,9 @@
type slapd_replog_t;
files_type(slapd_replog_t)
+type slapd_log_t;
+logging_log_file(slapd_log_t)
+
type slapd_tmp_t;
files_tmp_file(slapd_tmp_t)
@@ -68,6 +71,10 @@
manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
+manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
+logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
+
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-18 18:24:22.806540025 +0100
+++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2010-02-01 20:50:49.950161278 +0100
@@ -1,5 +1,5 @@
-policy_module(lircd, 1.0.0)
+policy_module(lircd, 1.0.1)
########################################
#
@@ -24,9 +24,10 @@
# lircd local policy
#
-allow lircd_t self:process signal;
+allow lircd_t self:capability { chown kill sys_admin };
+allow lircd_t self:process { fork signal };
allow lircd_t self:unix_dgram_socket create_socket_perms;
-allow lircd_t self:fifo_file rw_file_perms;
+allow lircd_t self:fifo_file rw_fifo_file_perms;
allow lircd_t self:tcp_socket create_stream_socket_perms;
# etc file
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2010-01-18 18:24:22.808530642 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2010-01-22 17:16:41.576604913 +0100
@@ -55,6 +55,7 @@
apache_search_sys_script_state(mailman_cgi_t)
apache_read_config(mailman_cgi_t)
apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
+ apache_dontaudit_leaks(mailman_cgi_t)
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2010-01-18 18:24:22.809536705 +0100
+++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2010-01-19 11:45:44.999857263 +0100
@@ -1,5 +1,5 @@
-policy_module(memcached, 1.1.0)
+policy_module(memcached, 1.1.1)
########################################
#
@@ -22,9 +22,12 @@
#
allow memcached_t self:capability { setuid setgid };
+dontaudit memcached_t self:capability sys_tty_config;
+allow memcached_t self:process { fork setrlimit signal_perms };
allow memcached_t self:tcp_socket create_stream_socket_perms;
allow memcached_t self:udp_socket { create_socket_perms listen };
allow memcached_t self:fifo_file rw_fifo_file_perms;
+allow memcached_t self:unix_stream_socket create_stream_socket_perms;
corenet_all_recvfrom_unlabeled(memcached_t)
corenet_udp_sendrecv_generic_if(memcached_t)
@@ -42,12 +45,15 @@
manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
-files_read_etc_files(memcached_t)
-
+kernel_read_kernel_sysctls(memcached_t)
kernel_read_system_state(memcached_t)
+files_read_etc_files(memcached_t)
+
auth_use_nsswitch(memcached_t)
miscfiles_read_localization(memcached_t)
-sysnet_dns_name_resolve(memcached_t)
+term_dontaudit_use_all_user_ptys(memcached_t)
+term_dontaudit_use_all_user_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-01-18 18:24:22.812540439 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mta.if 2010-02-09 12:33:50.721866005 +0100
@@ -786,6 +786,25 @@
allow $1 mqueue_spool_t:dir search_dir_perms;
')
+#####################################
+##
+## List the mail queue.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mta_list_queue',`
+ gen_require(`
+ type mqueue_spool_t;
+ ')
+
+ allow $1 mqueue_spool_t:dir list_dir_perms;
+ files_search_spool($1)
+')
+
#######################################
##
## Read the mail queue.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-01-18 18:24:22.813543710 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mta.te 2010-02-02 10:43:31.244162625 +0100
@@ -132,6 +132,7 @@
optional_policy(`
fail2ban_append_log(system_mail_t)
+ fail2ban_dontaudit_leaks(system_mail_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.32/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2010-01-18 18:24:22.815530066 +0100
+++ serefpolicy-3.6.32/policy/modules/services/munin.te 2010-02-09 12:34:15.400865901 +0100
@@ -134,6 +134,7 @@
optional_policy(`
mta_read_config(munin_t)
mta_send_mail(munin_t)
+ mta_list_queue(munin_t)
mta_read_queue(munin_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100
+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-02-08 11:12:04.320336459 +0100
@@ -44,7 +44,7 @@
# Local policy
#
-allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
+allow mysqld_t self:capability { dac_override setgid setuid sys_resource ipc_lock net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -147,6 +147,8 @@
dontaudit mysqld_safe_t self:capability sys_ptrace;
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_safe_t mysqld_t:process signal_perms;
+
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-18 18:24:22.821530899 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-02-09 13:30:45.031616023 +0100
@@ -23,30 +23,66 @@
/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-
+# admin plugins
+/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
# check disk plugins
/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
# system plugins
-/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
# services plugins
/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
+# unconfined plugins
+/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2010-01-18 18:24:22.821530899 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2010-02-09 12:44:57.821616516 +0100
@@ -150,6 +150,8 @@
# needed by command.cfg
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
+ allow nagios_t nagios_$1_plugin_t:process signal_perms;
+
# cjp: leaked file descriptor
dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-02-09 13:29:19.023616028 +0100
@@ -45,6 +45,11 @@
type nrpe_var_run_t;
files_pid_file(nrpe_var_run_t)
+# creates nagios_admin_plugin_exec_t for executable
+# and nagios_admin_plugin_t for domain
+nagios_plugin_template(admin)
+permissive nagios_admin_plugin_t;
+
# creates nagios_checkdisk_plugin_exec_t for executable
# and nagios_checkdisk_plugin_t for domain
nagios_plugin_template(checkdisk)
@@ -118,6 +123,9 @@
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)
+
dev_read_sysfs(nagios_t)
dev_read_urand(nagios_t)
@@ -264,6 +272,41 @@
udev_read_db(nrpe_t)
')
+######################################
+#
+# local policy for admin check plugins
+#
+
+allow nagios_admin_plugin_t self:capability { setuid setgid dac_override };
+
+allow nagios_admin_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_admin_plugin_t self:udp_socket create_socket_perms;
+
+kernel_read_system_state(nagios_admin_plugin_t)
+kernel_read_kernel_sysctls(nagios_admin_plugin_t)
+
+corecmd_read_bin_files(nagios_admin_plugin_t)
+corecmd_read_bin_symlinks(nagios_admin_plugin_t)
+
+dev_read_urand(nagios_admin_plugin_t)
+
+files_read_etc_files(nagios_admin_plugin_t)
+
+libs_use_lib_files(nagios_admin_plugin_t)
+libs_use_ld_so(nagios_admin_plugin_t)
+
+logging_send_syslog_msg(nagios_admin_plugin_t)
+
+sysnet_read_config(nagios_admin_plugin_t)
+
+nscd_dontaudit_search_pid(nagios_admin_plugin_t)
+
+optional_policy(`
+ mta_read_config(nagios_admin_plugin_t)
+ mta_list_queue(nagios_admin_plugin_t)
+ mta_read_queue(nagios_admin_plugin_t)
+ mta_sendmail_exec(nagios_admin_plugin_t)
+')
######################################
#
@@ -315,6 +358,10 @@
mysql_stream_connect(nagios_services_plugin_t)
')
+optional_policy(`
+ snmp_read_snmp_var_lib_files(nagios_services_plugin_t)
+')
+
######################################
#
# local policy for system check plugins
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.32/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2010-01-18 18:24:22.823530245 +0100
+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc 2010-02-01 18:05:10.499091573 +0100
@@ -17,6 +17,7 @@
/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
+/var/log/wicd.* gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-01-18 18:24:22.825542512 +0100
+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2010-02-01 20:40:02.343160698 +0100
@@ -51,6 +51,7 @@
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
can_exec(NetworkManager_t, NetworkManager_exec_t)
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.32/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2010-01-18 18:24:22.826540614 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nis.fc 2010-01-29 09:57:02.171614102 +0100
@@ -14,3 +14,8 @@
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
+
+/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
+/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.32/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2010-01-18 18:24:22.828542614 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nis.te 2010-01-29 09:57:06.796318812 +0100
@@ -47,6 +47,9 @@
type ypxfr_exec_t;
init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+type ypxfr_var_run_t;
+files_pid_file(ypxfr_var_run_t)
+
type nis_initrc_exec_t;
init_script_file(nis_initrc_exec_t)
@@ -312,6 +315,9 @@
allow ypxfr_t ypserv_conf_t:file read_file_perms;
+manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
+files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
+
corenet_all_recvfrom_unlabeled(ypxfr_t)
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2010-01-18 18:24:22.840530591 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nx.if 2010-01-26 14:43:43.595472728 +0100
@@ -18,6 +18,24 @@
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
')
+#######################################
+##
+## Execute the NX server.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nx_exec_server',`
+ gen_require(`
+ type nx_server_exec_t;
+ ')
+
+ can_exec($1, nx_server_exec_t)
+')
+
########################################
##
## Read nx home directory content
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100
+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-26 14:19:37.820463477 +0100
@@ -85,6 +85,7 @@
corenet_udp_bind_generic_node(openvpn_t)
corenet_tcp_bind_openvpn_port(openvpn_t)
corenet_udp_bind_openvpn_port(openvpn_t)
+corenet_tcp_bind_http_port(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
corenet_tcp_connect_http_port(openvpn_t)
corenet_tcp_connect_http_cache_port(openvpn_t)
@@ -102,6 +103,9 @@
auth_use_pam(openvpn_t)
+init_read_utmp(openvpn_t)
+init_dontaudit_write_utmp(openvpn_t)
+
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te
--- nsaserefpolicy/policy/modules/services/plymouth.te 2010-01-18 18:24:22.847540282 +0100
+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2010-02-09 10:12:27.273913281 +0100
@@ -41,6 +41,19 @@
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
+manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+
+manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
+files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file })
+
kernel_read_system_state(plymouthd_t)
kernel_request_load_module(plymouthd_t)
kernel_change_ring_buffer_level(plymouthd_t)
@@ -56,21 +69,9 @@
files_read_usr_files(plymouthd_t)
miscfiles_read_localization(plymouthd_t)
+miscfiles_manage_fonts_cache(plymouthd_t)
miscfiles_read_fonts(plymouthd_t)
-manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-files_pid_filetrans(plymouthd_t,plymouthd_var_run_t, { file dir })
-
-manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
-manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
-files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
-
-manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
-manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
-manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
-files_spool_filetrans(plymouthd_t,plymouthd_spool_t, { file dir sock_file })
-
########################################
#
# Plymouth private policy
@@ -80,8 +81,11 @@
allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
+kernel_read_system_state(plymouth_t)
kernel_stream_connect(plymouth_t)
+term_use_ptmx(plymouth_t)
+
domain_use_interactive_fds(plymouth_t)
files_read_etc_files(plymouth_t)
@@ -90,6 +94,8 @@
plymouth_stream_connect(plymouth_t)
+sysnet_read_config(plymouth_t)
+
optional_policy(`
lvm_domtrans(plymouth_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100
+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-02-02 15:30:16.529067989 +0100
@@ -89,6 +89,10 @@
')
')
+optional_policy(`
+ gnome_read_config(policykit_t)
+')
+
########################################
#
# polkit_auth local policy
@@ -115,6 +119,8 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+dev_read_video_dev(policykit_auth_t)
+
files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
files_search_home(policykit_auth_t)
@@ -129,7 +135,9 @@
miscfiles_read_localization(policykit_auth_t)
miscfiles_read_fonts(policykit_auth_t)
+miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
+userdom_read_admin_home_files(policykit_auth_t)
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100
+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100
@@ -443,6 +443,7 @@
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
+ spamassassin_kill_client(postfix_pipe_t)
')
optional_policy(`
@@ -486,7 +487,7 @@
')
optional_policy(`
- sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)
+ sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
')
optional_policy(`
@@ -573,6 +574,8 @@
# Postfix smtp delivery local policy
#
+allow postfix_smtp_t self:capability { sys_chroot };
+
# connect to master process
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.32/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/ppp.fc 2010-02-01 15:04:13.696080784 +0100
@@ -3,6 +3,8 @@
#
/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
+
/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 18:24:22.860530341 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2010-02-01 17:54:50.906099781 +0100
@@ -71,7 +71,7 @@
# PPPD Local policy
#
-allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override };
dontaudit pppd_t self:capability sys_tty_config;
allow pppd_t self:process signal;
allow pppd_t self:fifo_file rw_fifo_file_perms;
@@ -192,6 +192,10 @@
')
optional_policy(`
+ hal_dontaudit_rw_dgram_sockets(pppd_t)
+')
+
+optional_policy(`
mta_send_mail(pppd_t)
mta_system_content(pppd_etc_t)
mta_system_content(pppd_etc_rw_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2010-01-18 18:24:22.861530469 +0100
+++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2010-01-26 15:37:38.488473779 +0100
@@ -250,6 +250,8 @@
files_read_etc_files(prelude_lml_t)
files_read_etc_runtime_files(prelude_lml_t)
+fs_getattr_all_fs(prelude_lml_t)
+fs_list_inotifyfs(prelude_lml_t)
fs_rw_anon_inodefs_files(prelude_lml_t)
auth_use_nsswitch(prelude_lml_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.6.32/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 2010-01-18 18:24:22.870539995 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.if 2010-01-29 10:16:32.195864190 +0100
@@ -16,7 +16,7 @@
')
corecmd_search_bin($1)
- domrans_pattern($1,rgmanager_exec_t,rgmanager_t)
+ domtrans_pattern($1,rgmanager_exec_t,rgmanager_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-01-18 18:24:22.871540122 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-02-04 21:16:05.525935129 +0100
@@ -22,6 +22,9 @@
type rgmanager_tmp_t;
files_tmp_file(rgmanager_tmp_t)
+type rgmanager_tmpfs_t;
+files_tmpfs_file(rgmanager_tmpfs_t)
+
# log files
type rgmanager_var_log_t;
logging_log_file(rgmanager_var_log_t)
@@ -51,6 +54,10 @@
manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
+manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file })
+
# log files
manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t)
logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file })
@@ -60,9 +67,6 @@
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file })
-aisexec_stream_connect(rgmanager_t)
-groupd_stream_connect(rgmanager_t)
-
corecmd_exec_bin(rgmanager_t)
corecmd_exec_sbin(rgmanager_t)
corecmd_exec_shell(rgmanager_t)
@@ -74,7 +78,8 @@
fs_getattr_xattr_fs(rgmanager_t)
# need to write to /dev/misc/dlm-control
-dev_manage_generic_chr_files(rgmanager_t)
+dev_rw_dlm_control(rgmanager_t)
+dev_setattr_dlm_control(rgmanager_t)
dev_search_sysfs(rgmanager_t)
domain_read_all_domains_state(rgmanager_t)
@@ -109,6 +114,11 @@
')
# rgmanager can run resource scripts
+optional_policy(`
+ aisexec_stream_connect(rgmanager_t)
+ corosync_stream_connect(rgmanager_t)
+ groupd_stream_connect(rgmanager_t)
+')
optional_policy(`
apache_domtrans(rgmanager_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.32/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-01-18 18:24:22.872542275 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2010-02-04 14:38:28.643078705 +0100
@@ -1,19 +1,19 @@
-/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
-/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 2010-01-18 18:24:22.874530726 +0100
+++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-02-04 21:25:24.804186866 +0100
@@ -126,12 +126,11 @@
files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file })
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-aisexec_stream_connect(dlm_controld_t)
-ccs_stream_connect(dlm_controld_t)
-groupd_stream_connect(dlm_controld_t)
+stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
kernel_read_system_state(dlm_controld_t)
+dev_rw_dlm_control(dlm_controld_t)
dev_rw_sysfs(dlm_controld_t)
fs_manage_configfs_files(dlm_controld_t)
@@ -146,6 +145,12 @@
miscfiles_read_localization(dlm_controld_t)
+optional_policy(`
+ aisexec_stream_connect(dlm_controld_t)
+ ccs_stream_connect(dlm_controld_t)
+ corosync_stream_connect(dlm_controld_t)
+')
+
#######################################
#
# fenced local policy
@@ -183,8 +188,6 @@
files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-aisexec_stream_connect(fenced_t)
-ccs_stream_connect(fenced_t)
corecmd_exec_bin(fenced_t)
@@ -214,9 +217,11 @@
optional_policy(`
ccs_read_config(fenced_t)
+ ccs_stream_connect(fenced_t)
')
optional_policy(`
+ aisexec_stream_connect(fenced_t)
corosync_stream_connect(fenced_t)
')
@@ -253,19 +258,17 @@
manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t)
files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file })
-stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
-
-aisexec_stream_connect(gfs_controld_t)
-ccs_stream_connect(gfs_controld_t)
-groupd_stream_connect(gfs_controld_t)
+stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
kernel_read_system_state(gfs_controld_t)
storage_getattr_removable_dev(gfs_controld_t)
-dev_manage_generic_chr_files(gfs_controld_t)
-#dev_read_sysfs(gfs_controld_t)
+dev_rw_dlm_control(gfs_controld_t)
+dev_setattr_dlm_control(gfs_controld_t)
+
dev_rw_sysfs(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -278,6 +281,12 @@
miscfiles_read_localization(gfs_controld_t)
optional_policy(`
+ aisexec_stream_connect(gfs_controld_t)
+ ccs_stream_connect(gfs_controld_t)
+ corosync_stream_connect(gfs_controld_t)
+')
+
+optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
@@ -309,8 +318,6 @@
manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t)
files_pid_filetrans(groupd_t, groupd_var_run_t, { file })
-aisexec_stream_connect(groupd_t)
-
dev_list_sysfs(groupd_t)
files_read_etc_files(groupd_t)
@@ -326,6 +333,10 @@
logging_send_syslog_msg(groupd_t)
+optional_policy(`
+ aisexec_stream_connect(groupd_t)
+')
+
######################################
#
# qdiskd local policy
@@ -359,9 +370,6 @@
manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t)
files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file })
-aisexec_stream_connect(qdiskd_t)
-ccs_stream_connect(qdiskd_t)
-
corecmd_getattr_sbin_files(qdiskd_t)
corecmd_exec_shell(qdiskd_t)
@@ -399,6 +407,11 @@
miscfiles_read_localization(qdiskd_t)
optional_policy(`
+ aisexec_stream_connect(qdiskd_t)
+ ccs_stream_connect(qdiskd_t)
+')
+
+optional_policy(`
netutils_domtrans_ping(qdiskd_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100
+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-02-09 10:52:45.543866160 +0100
@@ -208,7 +208,7 @@
files_read_usr_symlinks(samba_net_t)
auth_use_nsswitch(samba_net_t)
-auth_rw_cache(samba_net_t)
+auth_manage_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
@@ -286,6 +286,8 @@
allow smbd_t winbind_t:process { signal signull };
+allow smbd_t swat_t:process signal;
+
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
@@ -327,6 +329,7 @@
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
auth_domtrans_upd_passwd(smbd_t)
+auth_manage_cache(smbd_t)
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
@@ -350,7 +353,7 @@
miscfiles_read_public_files(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
-userdom_dontaudit_search_user_home_dirs(smbd_t)
+userdom_search_user_home_content(smbd_t)
userdom_signal_all_users(smbd_t)
usermanage_read_crack_db(smbd_t)
@@ -485,6 +488,8 @@
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+allow nmbd_t swat_t:process signal;
+
allow nmbd_t smbcontrol_t:process signal;
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -661,6 +666,7 @@
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:unix_stream_socket connectto;
+samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow swat_t nmbd_exec_t:file mmap_file_perms;
@@ -829,6 +835,7 @@
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
+corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -838,7 +845,7 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
-auth_rw_cache(winbind_t)
+auth_manage_cache(winbind_t)
domain_use_interactive_fds(winbind_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-18 18:24:22.889530888 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-02-09 15:04:54.083866070 +0100
@@ -30,7 +30,7 @@
#
allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:process { setpgid setrlimit signal signull };
+allow sendmail_t self:process { setpgid setsched setrlimit signal signull };
allow sendmail_t self:fifo_file rw_fifo_file_perms;
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
@@ -136,6 +136,8 @@
optional_policy(`
fail2ban_read_lib_files(sendmail_t)
+ fail2ban_rw_stream_sockets(sendmail_t)
+
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-01-18 18:24:22.891530024 +0100
+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2010-02-03 22:59:41.283821731 +0100
@@ -177,6 +177,10 @@
userdom_signull_unpriv_users(setroubleshoot_fixit_t)
optional_policy(`
+ gnome_dontaudit_search_config(setroubleshoot_fixit_t)
+')
+
+optional_policy(`
rpm_signull(setroubleshoot_fixit_t)
rpm_read_db(setroubleshoot_fixit_t)
rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-18 18:24:22.892539860 +0100
+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-19 14:20:15.303858953 +0100
@@ -25,9 +25,9 @@
#
# Local policy
#
-allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
-allow snmpd_t self:process { signal_perms getsched setsched };
+allow snmpd_t self:process { signal signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.32/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2010-01-18 18:24:22.893530558 +0100
+++ serefpolicy-3.6.32/policy/modules/services/snort.te 2010-01-27 17:37:08.744613818 +0100
@@ -78,6 +78,7 @@
dev_read_sysfs(snort_t)
dev_read_rand(snort_t)
dev_read_urand(snort_t)
+dev_read_usbmon_dev(snort_t)
domain_use_interactive_fds(snort_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-18 18:24:22.895529974 +0100
+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-18 18:27:02.773531151 +0100
@@ -267,6 +267,24 @@
stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
')
+######################################
+##
+## Send kill signal to spamassassin client
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`spamassassin_kill_client',`
+ gen_require(`
+ type spamc_t;
+ ')
+
+ allow $1 spamc_t:process sigkill;
+')
+
########################################
##
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.32/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-01-18 18:24:22.896530172 +0100
+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2010-02-09 12:37:21.512866130 +0100
@@ -147,6 +147,8 @@
kernel_read_kernel_sysctls(spamassassin_t)
+corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
+
dev_read_urand(spamassassin_t)
fs_search_auto_mountpoints(spamassassin_t)
@@ -470,6 +473,10 @@
userdom_search_user_home_dirs(spamd_t)
optional_policy(`
+ dcc_domtrans_cdcc(spamd_t)
+')
+
+optional_policy(`
exim_manage_spool_dirs(spamd_t)
exim_manage_spool_files(spamd_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 18:24:22.899530064 +0100
+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-02-08 00:22:54.835167354 +0100
@@ -8,31 +8,6 @@
##
##
-## Allow sftp to upload files, used for public file
-## transfer services. Directories must be labeled
-## public_content_rw_t.
-##
-##
-gen_tunable(allow_sftpd_anon_write, false)
-
-##
-##
-## Allow sftp to login to local users and
-## read/write all files on the system, governed by DAC.
-##
-##
-gen_tunable(allow_sftpd_full_access, false)
-
-##
-##
-## Allow interlnal-sftp to read and write files
-## in the user ssh home directories.
-##
-##
-gen_tunable(sftpd_ssh_home_dir, false)
-
-##
-##
## allow host key based authentication
##
##
@@ -69,10 +44,6 @@
type sshd_tmpfs_t;
files_tmpfs_file(sshd_tmpfs_t)
-type sftpd_t;
-domain_type(sftpd_t)
-role system_r types sftpd_t;
-
ifdef(`enable_mcs',`
init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
')
@@ -365,6 +337,11 @@
')
optional_policy(`
+ ftp_dyntransition_sftpd(sshd_t)
+ ftp_dyntransition_sftpd_anon(sshd_t)
+')
+
+optional_policy(`
xserver_getattr_xauth(sshd_t)
')
@@ -468,49 +445,3 @@
udev_read_db(ssh_keygen_t)
')
-#######################################
-#
-# sftp Local policy
-#
-
-allow ssh_server sftpd_t:process dyntransition;
-
-ssh_sigchld(sftpd_t)
-
-files_read_all_files(sftpd_t)
-files_read_all_symlinks(sftpd_t)
-
-fs_read_noxattr_fs_files(sftpd_t)
-fs_read_nfs_files(sftpd_t)
-fs_read_cifs_files(sftpd_t)
-
-# allow access to /home by default
-userdom_manage_user_home_content_dirs(sftpd_t)
-userdom_manage_user_home_content_files(sftpd_t)
-userdom_manage_user_home_content_symlinks(sftpd_t)
-
-userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
-
-tunable_policy(`allow_sftpd_anon_write',`
- miscfiles_manage_public_files(sftpd_t)
-')
-
-tunable_policy(`allow_sftpd_full_access',`
- allow sftpd_t self:capability { dac_override dac_read_search };
- fs_read_noxattr_fs_files(sftpd_t)
- auth_manage_all_files_except_shadow(sftpd_t)
-')
-
-tunable_policy(`sftpd_ssh_home_dir',`
- ssh_manage_user_home_files(sftpd_t)
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(sftpd_t)
- fs_manage_nfs_files(sftpd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(sftpd_t)
- fs_manage_cifs_files(sftpd_t)
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-18 18:24:22.900529842 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2010-01-19 17:08:41.212631842 +0100
@@ -4,6 +4,8 @@
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-18 18:24:22.901529830 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-19 17:08:45.945631552 +0100
@@ -12,8 +12,7 @@
#
interface(`sssd_domtrans',`
gen_require(`
- type sssd_t;
- type sssd_exec_t;
+ type sssd_t, sssd_exec_t;
')
domtrans_pattern($1, sssd_exec_t, sssd_t)
@@ -26,7 +25,7 @@
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -40,6 +39,25 @@
########################################
##
+## Read sssd public files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sssd_read_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
+########################################
+##
## Read sssd PID files.
##
##
@@ -59,7 +77,7 @@
########################################
##
-## Manage sssd var_run files.
+## Read sssd config files.
##
##
##
@@ -67,18 +85,18 @@
##
##
#
-interface(`sssd_manage_pids',`
+interface(`sssd_read_config_files',`
gen_require(`
- type sssd_var_run_t;
+ type sssd_config_t;
')
- manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
- manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_config_t, sssd_config_t)
')
########################################
##
-## Search sssd lib directories.
+## Manage sssd var_run files.
##
##
##
@@ -86,18 +104,18 @@
##
##
#
-interface(`sssd_search_lib',`
+interface(`sssd_manage_pids',`
gen_require(`
- type sssd_var_lib_t;
+ type sssd_var_run_t;
')
- allow $1 sssd_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
+ manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+ manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
')
########################################
##
-## Read sssd lib files.
+## Search sssd lib directories.
##
##
##
@@ -105,18 +123,18 @@
##
##
#
-interface(`sssd_read_lib_files',`
+interface(`sssd_search_lib',`
gen_require(`
type sssd_var_lib_t;
')
+ allow $1 sssd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
- read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
')
########################################
##
-## Read sssd config files.
+## dontaudit search sssd lib directories.
##
##
##
@@ -124,19 +142,18 @@
##
##
#
-interface(`sssd_read_config_files',`
+interface(`sssd_dontaudit_search_lib',`
gen_require(`
- type sssd_config_t;
+ type sssd_var_lib_t;
')
- sssd_search_lib($1)
- read_files_pattern($1, sssd_config_t, sssd_config_t)
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
')
########################################
##
-## Create, read, write, and delete
-## sssd lib files.
+## Read sssd lib files.
##
##
##
@@ -144,18 +161,19 @@
##
##
#
-interface(`sssd_manage_lib_files',`
+interface(`sssd_read_lib_files',`
gen_require(`
type sssd_var_lib_t;
')
files_search_var_lib($1)
- manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
')
########################################
##
-## Manage sssd var_lib files.
+## Create, read, write, and delete
+## sssd lib files.
##
##
##
@@ -163,17 +181,15 @@
##
##
#
-interface(`sssd_manage_var_lib',`
+interface(`sssd_manage_lib_files',`
gen_require(`
type sssd_var_lib_t;
')
- manage_dirs_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
+ files_search_var_lib($1)
manage_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
- manage_lnk_files_pattern($1,sssd_var_lib_t,sssd_var_lib_t)
')
-
########################################
##
## Send and receive messages from
@@ -238,16 +254,13 @@
#
interface(`sssd_admin',`
gen_require(`
- type sssd_t;
+ type sssd_t, sssd_public_t;
+ type sssd_initrc_exec_t;
')
allow $1 sssd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, sssd_t, sssd_t)
- gen_require(`
- type sssd_initrc_exec_t;
- ')
-
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
domain_system_change_exemption($1)
@@ -257,4 +270,6 @@
sssd_manage_pids($1)
sssd_manage_lib_files($1)
+
+ admin_pattern($1, sssd_public_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-18 18:24:22.901529830 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2010-01-19 17:08:54.487643800 +0100
@@ -1,5 +1,5 @@
-policy_module(sssd, 1.0.0)
+policy_module(sssd, 1.0.1)
########################################
#
@@ -13,6 +13,9 @@
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
+type sssd_public_t;
+files_pid_file(sssd_public_t)
+
type sssd_var_lib_t;
files_type(sssd_var_lib_t)
@@ -31,6 +34,9 @@
allow sssd_t self:fifo_file rw_file_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
@@ -43,8 +49,6 @@
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
-fs_list_inotifyfs(sssd_t)
-
kernel_read_system_state(sssd_t)
corecmd_exec_bin(sssd_t)
@@ -58,6 +62,8 @@
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
+fs_list_inotifyfs(sssd_t)
+
auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
@@ -69,7 +75,7 @@
miscfiles_read_localization(sssd_t)
-userdom_manage_tmp_role(system_t, sssd_t)
+userdom_manage_tmp_role(system_r, sssd_t)
optional_policy(`
dbus_system_bus_client(sssd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.6.32/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/tftp.te 2010-01-19 12:02:02.773609654 +0100
@@ -50,6 +50,7 @@
manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+kernel_read_system_state(tftpd_t)
kernel_read_kernel_sysctls(tftpd_t)
kernel_list_proc(tftpd_t)
kernel_read_proc_symlinks(tftpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.6.32/policy/modules/services/tgtd.te
--- nsaserefpolicy/policy/modules/services/tgtd.te 2010-01-18 18:24:22.905534669 +0100
+++ serefpolicy-3.6.32/policy/modules/services/tgtd.te 2010-01-26 14:33:27.943463104 +0100
@@ -63,6 +63,7 @@
files_read_etc_files(tgtd_t)
storage_getattr_fixed_disk_dev(tgtd_t)
+storage_manage_fixed_disk(tgtd_t)
logging_send_syslog_msg(tgtd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.6.32/policy/modules/services/tuned.fc
--- nsaserefpolicy/policy/modules/services/tuned.fc 2010-01-18 18:24:22.907534364 +0100
+++ serefpolicy-3.6.32/policy/modules/services/tuned.fc 2010-02-03 17:28:43.165143461 +0100
@@ -3,4 +3,7 @@
/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
+/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
+
/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2010-01-18 18:24:22.909530847 +0100
+++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2010-02-03 17:35:32.298159249 +0100
@@ -13,6 +13,9 @@
type tuned_initrc_exec_t;
init_script_file(tuned_initrc_exec_t)
+type tuned_log_t;
+logging_log_file(tuned_log_t)
+
type tuned_var_run_t;
files_pid_file(tuned_var_run_t)
@@ -26,6 +29,10 @@
dontaudit tuned_t self:capability { dac_override sys_tty_config };
allow tuned_t self:fifo_file rw_fifo_file_perms;
+manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
+manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
+logging_log_filetrans(tuned_t, tuned_log_t, file)
+
manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
files_pid_filetrans(tuned_t, tuned_var_run_t, { file })
@@ -36,7 +43,7 @@
kernel_read_system_state(tuned_t)
dev_read_sysfs(tuned_t)
-
+dev_read_urand(tuned_t)
# to allow cpu tuning
dev_rw_netcontrol(tuned_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc
--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.fc 2010-02-02 19:00:16.333067308 +0100
@@ -0,0 +1,6 @@
+
+/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+
+/var/run/usbmuxd\.lock -- gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.6.32/policy/modules/services/usbmuxd.if
--- nsaserefpolicy/policy/modules/services/usbmuxd.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.if 2010-02-02 19:06:22.735067968 +0100
@@ -0,0 +1,64 @@
+## Daemon for communicating with Apple's iPod Touch and iPhone
+
+########################################
+##
+## Execute a domain transition to run usbmuxd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`usbmuxd_domtrans',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_exec_t;
+ ')
+
+ domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t)
+')
+
+#######################################
+##
+## Execute usbmuxd in the usbmuxd domain, and
+## allow the specified role the usbmuxd domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the usbmuxd domain.
+##
+##
+#
+interface(`usbmuxd_run',`
+ gen_require(`
+ type usbmuxd_t;
+ ')
+
+ usbmuxd_domtrans($1)
+ role $2 types usbmuxd_t;
+')
+
+#####################################
+##
+## Connect to usbmuxd over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`usbmuxd_stream_connect',`
+ gen_require(`
+ type usbmuxd_t, usbmuxd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.6.32/policy/modules/services/usbmuxd.te
--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-02 19:28:04.029318349 +0100
@@ -0,0 +1,44 @@
+
+policy_module(usbmuxd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type usbmuxd_t;
+type usbmuxd_exec_t;
+application_domain(usbmuxd_t, usbmuxd_exec_t)
+
+type usbmuxd_var_run_t;
+files_pid_file(usbmuxd_var_run_t)
+
+permissive usbmuxd_t;
+
+########################################
+#
+# usbmuxd local policy
+#
+
+allow usbmuxd_t self:capability { kill setgid setuid };
+allow usbmuxd_t self:process { fork };
+
+# Init script handling
+domain_use_interactive_fds(usbmuxd_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+allow usbmuxd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+
+files_read_etc_files(usbmuxd_t)
+
+miscfiles_read_localization(usbmuxd_t)
+
+auth_use_nsswitch(usbmuxd_t)
+
+logging_send_syslog_msg(usbmuxd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100
+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-02-01 17:46:33.611080298 +0100
@@ -226,7 +226,7 @@
sysnet_domtrans_ifconfig(virtd_t)
sysnet_read_config(virtd_t)
-userdom_dontaudit_list_admin_dir(virtd_t)
+userdom_list_admin_dir(virtd_t)
userdom_getattr_all_users(virtd_t)
userdom_list_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
@@ -370,6 +370,7 @@
tunable_policy(`virt_use_fusefs',`
fs_read_fusefs_files(svirt_t)
+ fs_read_fusefs_symlinks(svirt_t)
')
tunable_policy(`virt_use_nfs',`
@@ -430,6 +431,8 @@
corenet_tcp_connect_virt_migration_port(virt_domain)
dev_read_sound(virt_domain)
+dev_read_rand(virt_domain)
+dev_read_urand(virt_domain)
dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-02-03 14:24:48.062145095 +0100
@@ -65,6 +65,8 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -105,6 +107,7 @@
/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
@@ -116,7 +119,11 @@
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-09 10:08:14.902615674 +0100
@@ -253,6 +253,7 @@
allow xdm_t iceauth_home_t:file read_file_perms;
dev_read_rand(iceauth_t)
+dev_dontaudit_read_urand(iceauth_t)
fs_search_auto_mountpoints(iceauth_t)
@@ -301,6 +302,9 @@
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
+allow xauth_t xserver_t:unix_stream_socket connectto;
+
+domain_dontaudit_leaks(xauth_t)
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
@@ -309,8 +313,12 @@
files_read_usr_files(xauth_t)
files_search_pids(xauth_t)
files_dontaudit_getattr_all_dirs(xauth_t)
+files_dontaudit_leaks(xauth_t)
+files_var_lib_filetrans(xauth_t, xauth_home_t, file)
+fs_dontaudit_leaks(xauth_t)
fs_getattr_all_fs(xauth_t)
+fs_read_nfs_symlinks(xauth_t)
fs_search_auto_mountpoints(xauth_t)
# cjp: why?
@@ -506,6 +514,7 @@
dev_dontaudit_rw_misc(xdm_t)
dev_getattr_video_dev(xdm_t)
dev_setattr_video_dev(xdm_t)
+dev_read_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
dev_read_sound(xdm_t)
@@ -582,6 +591,7 @@
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
userdom_stream_connect(xdm_t)
+userdom_manage_user_tmp_files(xdm_t)
userdom_manage_user_tmp_dirs(xdm_t)
userdom_manage_user_tmp_sockets(xdm_t)
userdom_manage_tmpfs_role(system_r, xdm_t)
@@ -668,6 +678,7 @@
optional_policy(`
gnome_read_gconf_config(xdm_t)
+ gnome_read_config(xdm_t)
')
optional_policy(`
@@ -675,6 +686,10 @@
')
optional_policy(`
+ java_exec(xdm_t)
+')
+
+optional_policy(`
loadkeys_exec(xdm_t)
')
@@ -712,6 +727,7 @@
optional_policy(`
pulseaudio_exec(xdm_t)
pulseaudio_dbus_chat(xdm_t)
+ pulseaudio_stream_connect(xdm_t)
')
# On crash gdm execs gdb to dump stack
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.32/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2010-01-18 18:24:22.925530368 +0100
+++ serefpolicy-3.6.32/policy/modules/system/application.te 2010-02-09 12:51:23.459615874 +0100
@@ -1,5 +1,5 @@
-policy_module(application, 1.1.0)
+policy_module(application, 1.1.1)
# Attribute of user applications
attribute application_domain_type;
@@ -7,14 +7,18 @@
# Executables to be run by user
attribute application_exec_type;
-userdom_append_user_home_content_files(application_domain_type)
-userdom_write_user_tmp_files(application_domain_type)
-logging_rw_all_logs(application_domain_type)
+userdom_inherit_append_user_home_content_files(application_domain_type)
userdom_inherit_append_admin_home_files(application_domain_type)
+userdom_inherit_append_user_tmp_files(application_domain_type)
+logging_inherit_append_all_logs(application_domain_type)
files_dontaudit_search_all_dirs(application_domain_type)
optional_policy(`
+ afs_rw_udp_sockets(application_domain_type)
+')
+
+optional_policy(`
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2010-01-18 18:24:22.930540014 +0100
+++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2010-01-27 18:13:10.349614395 +0100
@@ -18,6 +18,7 @@
/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.32/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/hostname.te 2010-01-29 10:03:19.733864870 +0100
@@ -27,15 +27,18 @@
dev_read_sysfs(hostname_t)
+domain_dontaudit_leaks(hostname_t)
domain_use_interactive_fds(hostname_t)
files_read_etc_files(hostname_t)
+files_dontaudit_leaks(hostname_t)
files_dontaudit_search_var(hostname_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(hostname_t)
fs_getattr_xattr_fs(hostname_t)
fs_search_auto_mountpoints(hostname_t)
+fs_dontaudit_leaks(hostname_t)
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-18 18:27:02.780542727 +0100
@@ -125,6 +125,10 @@
')
optional_policy(`
+ brctl_domtrans(hotplug_t)
+')
+
+optional_policy(`
consoletype_exec(hotplug_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-01-18 18:24:22.933540325 +0100
+++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-02-09 09:59:47.912615584 +0100
@@ -165,6 +165,7 @@
type init_t;
role system_r;
attribute daemon;
+ attribute initrc_transition_domain;
')
typeattribute $1 daemon;
@@ -180,6 +181,8 @@
# Handle upstart direct transition to a executable
domtrans_pattern(init_t,$2,$1)
allow init_t $1:process siginh;
+ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 initrc_transition_domain:fd use;
# daemons started from init will
# inherit fds from init for the console
@@ -273,6 +276,7 @@
gen_require(`
type initrc_t;
role system_r;
+ attribute initrc_transition_domain;
')
application_domain($1,$2)
@@ -281,6 +285,8 @@
domtrans_pattern(initrc_t,$2,$1)
allow initrc_t $1:process siginh;
+ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 initrc_transition_domain:fd use;
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
@@ -554,7 +560,7 @@
')
dev_list_all_dev_nodes($1)
- allow $1 initctl_t:fifo_file write;
+ allow $1 initctl_t:fifo_file write_file_perms;
')
########################################
@@ -775,8 +781,10 @@
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
+ attribute initrc_transition_domain;
')
+ typeattribute $1 initrc_transition_domain;
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
@@ -1686,3 +1694,26 @@
allow $1 initrc_t:sem rw_sem_perms;
')
+#######################################
+##
+## Dontaudit read and write an leaked init scrip file descriptors
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`init_dontaudit_script_leaks',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ dontaudit $1 initrc_t:tcp_socket { read write };
+ dontaudit $1 initrc_t:udp_socket { read write };
+ dontaudit $1 initrc_t:unix_dgram_socket { read write };
+ dontaudit $1 initrc_t:unix_stream_socket { read write };
+ dontaudit $1 initrc_t:shm rw_shm_perms;
+ init_dontaudit_use_script_ptys($1)
+ init_dontaudit_use_script_fds($1)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100
+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-09 15:33:01.072616199 +0100
@@ -40,6 +40,7 @@
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
+attribute initrc_transition_domain;
# Mark process types as daemons
attribute daemon;
@@ -47,7 +48,7 @@
#
# init_t is the domain of the init process.
#
-type init_t;
+type init_t, initrc_transition_domain;
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
@@ -118,6 +119,7 @@
allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms };
+allow initrc_t init_t:fifo_file rw_fifo_file_perms;
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
@@ -191,6 +193,7 @@
')
ifdef(`distro_redhat',`
+ fs_read_tmpfs_symlinks(init_t)
fs_rw_tmpfs_chr_files(init_t)
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
@@ -212,6 +215,11 @@
')
optional_policy(`
+ dbus_connect_system_bus(init_t)
+ dbus_system_bus_client(init_t)
+')
+
+optional_policy(`
# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
# the directory. But we do not want to allow this.
@@ -224,6 +232,10 @@
')
optional_policy(`
+ sssd_stream_connect(init_t)
+')
+
+optional_policy(`
unconfined_domain(init_t)
')
@@ -312,6 +324,7 @@
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
+dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
dev_rw_sysfs(initrc_t)
@@ -531,6 +544,7 @@
# Needs to cp localtime to /var dirs
files_write_var_dirs(initrc_t)
+ fs_read_tmpfs_symlinks(initrc_t)
fs_rw_tmpfs_chr_files(initrc_t)
storage_manage_fixed_disk(initrc_t)
@@ -872,6 +886,7 @@
optional_policy(`
unconfined_domain(initrc_t)
+ domain_role_change_exemption(initrc_t)
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
@@ -885,6 +900,9 @@
# Allow SELinux aware applications to request rpm_script_t execution
rpm_transition_script(initrc_t)
+ optional_policy(`
+ rtkit_daemon_system_domain(initrc_t)
+ ')
optional_policy(`
gen_require(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-01-18 18:24:22.939530053 +0100
+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2010-01-27 17:43:20.027613211 +0100
@@ -215,6 +215,8 @@
allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
+dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
+
allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2010-01-18 18:24:22.941530168 +0100
+++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2010-02-09 10:36:30.616615893 +0100
@@ -67,6 +67,13 @@
optional_policy(`
modutils_run_insmod(iptables_t, $2)
')
+
+ifdef(`hide_broken_symptoms', `
+ dontaudit iptables_t $1:unix_stream_socket rw_socket_perms;
+ dontaudit iptables_t $1:tcp_socket rw_socket_perms;
+ dontaudit iptables_t $1:udp_socket rw_socket_perms;
+')
+
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-01-18 18:24:22.941530168 +0100
+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-02-02 15:25:03.135335306 +0100
@@ -52,6 +52,7 @@
kernel_use_fds(iptables_t)
corenet_relabelto_all_packets(iptables_t)
+corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
@@ -71,6 +72,7 @@
auth_use_nsswitch(iptables_t)
+init_dontaudit_script_leaks(iptables_t)
init_use_fds(iptables_t)
init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-02-02 15:17:13.812067843 +0100
@@ -1,5 +1,8 @@
+
+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
+/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-01-18 18:24:22.943530492 +0100
+++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-02-02 15:08:50.761068281 +0100
@@ -14,6 +14,9 @@
type iscsi_lock_t;
files_lock_file(iscsi_lock_t)
+type iscsi_log_t;
+logging_log_file(iscsi_log_t)
+
type iscsi_tmp_t;
files_tmp_file(iscsi_tmp_t)
@@ -35,10 +38,13 @@
allow iscsid_t self:unix_dgram_socket create_socket_perms;
allow iscsid_t self:sem create_sem_perms;
allow iscsid_t self:shm create_shm_perms;
+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
allow iscsid_t self:netlink_socket create_socket_perms;
allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
allow iscsid_t self:tcp_socket create_stream_socket_perms;
+can_exec(iscsid_t, iscsid_exec_t)
+
manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
@@ -51,6 +57,9 @@
read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
files_search_var_lib(iscsid_t)
+manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
+logging_log_filetrans(iscsid_t, iscsi_log_t, file)
+
manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
@@ -67,6 +76,7 @@
corenet_tcp_connect_isns_port(iscsid_t)
dev_rw_sysfs(iscsid_t)
+dev_rw_userio_dev(iscsid_t)
domain_use_interactive_fds(iscsid_t)
domain_read_all_domains_state(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-02-02 10:45:09.949162869 +0100
@@ -245,8 +245,12 @@
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -396,10 +400,8 @@
/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -433,8 +435,16 @@
/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/real/RealPlayer/plugins/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/local/MATHWORKS_R2009B/bin/glnxa(64)?/libtbb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.32/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2010-01-18 18:24:22.948530849 +0100
+++ serefpolicy-3.6.32/policy/modules/system/locallogin.te 2010-01-21 14:31:52.834862007 +0100
@@ -207,7 +207,7 @@
allow sulogin_t self:capability dac_override;
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
-allow sulogin_t self:fifo_file rw_file_perms;
+allow sulogin_t self:fifo_file rw_fifo_file_perms;
allow sulogin_t self:unix_dgram_socket create_socket_perms;
allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
allow sulogin_t self:unix_dgram_socket sendto;
@@ -241,6 +241,9 @@
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
+term_use_console(sulogin_t)
+term_use_unallocated_ttys(sulogin_t)
+
ifdef(`enable_mls',`
sysadm_shell_domtrans(sulogin_t)
',`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.32/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2010-01-18 18:24:22.949542779 +0100
+++ serefpolicy-3.6.32/policy/modules/system/logging.fc 2010-02-01 20:28:30.386409309 +0100
@@ -69,3 +69,5 @@
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.32/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2010-01-18 18:24:22.950540043 +0100
+++ serefpolicy-3.6.32/policy/modules/system/logging.if 2010-02-09 12:55:48.458629829 +0100
@@ -641,6 +641,24 @@
append_files_pattern($1, logfile, logfile)
')
+######################################
+##
+## Append to all log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_inherit_append_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:file { getattr append };
+')
+
########################################
##
## Read all log files.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-01-18 18:24:22.951535142 +0100
+++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-09 15:09:42.278616082 +0100
@@ -101,6 +101,7 @@
kernel_read_kernel_sysctls(auditctl_t)
kernel_read_proc_symlinks(auditctl_t)
+kernel_setsched(auditctl_t)
domain_read_all_domains_state(auditctl_t)
domain_use_interactive_fds(auditctl_t)
@@ -489,6 +490,10 @@
')
optional_policy(`
+ mysql_stream_connect(syslogd_t)
+')
+
+optional_policy(`
postgresql_stream_connect(syslogd_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100
+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100
@@ -618,3 +618,40 @@
manage_lnk_files_pattern($1, locale_t, locale_t)
')
+#######################################
+##
+## Set the attributes on a fonts cache directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`miscfiles_setattr_fonts_cache_dirs',`
+ gen_require(`
+ type fonts_cache_t;
+ ')
+
+ allow $1 fonts_cache_t:dir setattr;
+')
+
+#######################################
+##
+## Dontaudit attempts to set the attributes on a fonts cache directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',`
+ gen_require(`
+ type fonts_cache_t;
+ ')
+
+ allow $1 fonts_cache_t:dir setattr;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.32/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-01-18 18:24:22.959530712 +0100
+++ serefpolicy-3.6.32/policy/modules/system/modutils.te 2010-02-09 09:59:53.815865530 +0100
@@ -131,6 +131,7 @@
kernel_read_debugfs(insmod_t)
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
+kernel_request_load_module(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctls(insmod_t)
kernel_setsched(insmod_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100
+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-02-08 11:03:56.385336831 +0100
@@ -155,6 +155,8 @@
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
+userdom_read_user_home_content_symlinks(mount_t)
+userdom_read_user_home_content_files(mount_t)
userdom_manage_user_home_content_dirs(mount_t)
ifdef(`distro_redhat',`
@@ -181,6 +183,7 @@
auth_read_all_dirs_except_shadow(mount_t)
auth_read_all_files_except_shadow(mount_t)
files_mounton_non_security(mount_t)
+ files_rw_all_inherited_files(mount_t)
')
optional_policy(`
@@ -260,6 +263,18 @@
samba_read_config(mount_t)
')
+optional_policy(`
+ ssh_exec(mount_t)
+')
+
+optional_policy(`
+ usbmuxd_stream_connect(mount_t)
+')
+
+optional_policy(`
+ vmware_exec_host(mount_t)
+')
+
########################################
#
# Unconfined mount local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-18 18:24:22.967540599 +0100
+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-01-18 18:27:02.789530951 +0100
@@ -190,6 +190,7 @@
init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t)
+init_write_script_pipes(load_policy_t)
miscfiles_read_localization(load_policy_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-01-18 18:24:22.971530073 +0100
+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-01-27 18:34:03.409614110 +0100
@@ -87,6 +87,7 @@
kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
+kernel_search_network_sysctl(dhcpc_t)
kernel_read_kernel_sysctls(dhcpc_t)
kernel_request_load_module(dhcpc_t)
kernel_use_fds(dhcpc_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-01-18 18:24:22.973540245 +0100
+++ serefpolicy-3.6.32/policy/modules/system/udev.te 2010-02-09 09:59:57.514626722 +0100
@@ -100,6 +100,7 @@
# udev_node.c/node_symlink() symlink labels are explicitly
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
+dev_manage_generic_symlinks(udev_t)
domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
@@ -273,6 +274,10 @@
')
optional_policy(`
+ usbmuxd_domtrans(udev_t)
+')
+
+optional_policy(`
vbetool_domtrans(udev_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-18 18:24:22.975530582 +0100
+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-18 18:27:02.790542463 +0100
@@ -21,6 +21,8 @@
allow $1 self:capability all_capabilities;
allow $1 self:fifo_file manage_fifo_file_perms;
+ allow $1 self:socket_class_set create_socket_perms;
+
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-01-18 18:24:22.977540055 +0100
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-01-18 18:27:02.791532114 +0100
@@ -6,4 +6,5 @@
/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
HOME_DIR/\.gvfs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-02-01 20:32:18.731160012 +0100
@@ -3631,6 +3631,24 @@
########################################
##
+## Allow domain to list /root
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_list_admin_dir',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ allow $1 admin_home_t:dir list_dir_perms;
+')
+
+########################################
+##
## Allow Search /root
##
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-01-18 18:24:22.987540070 +0100
+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-25 17:55:42.768687784 +0100
@@ -248,6 +248,7 @@
#
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:process setrlimit;
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
@@ -268,6 +269,7 @@
domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+files_read_etc_files(xenconsoled_t)
files_read_usr_files(xenconsoled_t)
fs_list_tmpfs(xenconsoled_t)
@@ -286,6 +288,10 @@
xen_manage_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)
+optional_policy(`
+ ptchown_domtrans(xenconsoled_t)
+')
+
########################################
#
# Xen store local policy
@@ -329,6 +335,7 @@
files_read_usr_files(xenstored_t)
+fs_manage_xenfs_files(xenstored_t)
fs_search_xenfs(xenstored_t)
storage_raw_read_fixed_disk(xenstored_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-18 18:24:22.988541733 +0100
+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-02-09 10:00:01.300658461 +0100
@@ -28,8 +28,7 @@
#
# All socket classes.
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
-
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
#
# Datagram socket classes.
@@ -227,7 +226,7 @@
define(`create_lnk_file_perms',`{ create getattr }')
define(`rename_lnk_file_perms',`{ getattr rename }')
define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }')
+define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
--- nsaserefpolicy/policy/users 2010-01-18 18:24:22.989541023 +0100
+++ serefpolicy-3.6.32/policy/users 2010-01-18 18:27:02.799531176 +0100
@@ -15,7 +15,7 @@
# and a user process should never be assigned the system user
# identity.
#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no