diff --git a/policy-20071130.patch b/policy-20071130.patch index b03939d..df3f36c 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -3765,7 +3765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc 2008-01-24 12:34:08.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc 2008-01-31 08:37:54.000000000 -0500 @@ -0,0 +1,7 @@ + +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) @@ -4117,8 +4117,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-25 16:48:50.000000000 -0500 -@@ -0,0 +1,135 @@ ++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-31 08:42:43.000000000 -0500 +@@ -0,0 +1,136 @@ +policy_module(nsplugin,1.0.0) + +######################################## @@ -4188,6 +4188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +miscfiles_read_localization(nsplugin_t) +miscfiles_read_fonts(nsplugin_t) ++miscfiles_manage_home_fonts(nsplugin_t) + +optional_policy(` + userdom_read_user_home_content_files(user, nsplugin_t) @@ -5909,7 +5910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav +/etc/rc.d/init.d/amavis -- gen_context(system_u:object_r:amavis_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.2.5/policy/modules/services/amavis.if --- nsaserefpolicy/policy/modules/services/amavis.if 2007-06-27 10:10:38.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/amavis.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/amavis.if 2008-01-31 08:45:42.000000000 -0500 @@ -186,3 +186,88 @@ allow $1 amavis_var_run_t:file create_file_perms; files_search_pids($1) @@ -6370,7 +6371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/apache.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/apache.te 2008-01-31 13:44:27.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # @@ -6505,7 +6506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,8 +388,6 @@ +@@ -351,25 +388,38 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -6514,7 +6515,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') -@@ -361,6 +396,13 @@ + +-ifdef(`TODO', ` # # We need optionals to be able to be within booleans to make this work # @@ -6526,9 +6528,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +gen_tunable(allow_httpd_mod_auth_pam,false) + tunable_policy(`allow_httpd_mod_auth_pam',` - auth_domtrans_chk_passwd(httpd_t) +- auth_domtrans_chk_passwd(httpd_t) +-') ++ auth_domtrans_chkpwd(httpd_t) ') -@@ -370,6 +412,16 @@ + + tunable_policy(`httpd_can_network_connect',` corenet_tcp_connect_all_ports(httpd_t) ') @@ -6545,7 +6550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) -@@ -382,6 +434,10 @@ +@@ -382,6 +432,10 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -6556,7 +6561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -399,11 +455,21 @@ +@@ -399,11 +453,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -6578,7 +6583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -437,8 +503,14 @@ +@@ -437,8 +501,14 @@ ') optional_policy(` @@ -6594,7 +6599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -450,19 +522,13 @@ +@@ -450,19 +520,13 @@ ') optional_policy(` @@ -6615,7 +6620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -472,13 +538,14 @@ +@@ -472,13 +536,14 @@ openca_kill(httpd_t) ') @@ -6634,7 +6639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -486,6 +553,7 @@ +@@ -486,6 +551,7 @@ ') optional_policy(` @@ -6642,7 +6647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -521,6 +589,13 @@ +@@ -521,6 +587,13 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -6656,7 +6661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -550,18 +625,24 @@ +@@ -550,18 +623,24 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -6684,7 +6689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -585,6 +666,8 @@ +@@ -585,6 +664,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -6693,7 +6698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -593,9 +676,7 @@ +@@ -593,9 +674,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -6704,7 +6709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -638,6 +719,12 @@ +@@ -638,6 +717,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -6717,7 +6722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +742,6 @@ +@@ -655,10 +740,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -6728,7 +6733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +751,8 @@ +@@ -668,7 +749,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -6738,7 +6743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +766,44 @@ +@@ -682,15 +764,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -6784,7 +6789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -700,9 +813,15 @@ +@@ -700,9 +811,15 @@ clamav_domtrans_clamscan(httpd_sys_script_t) ') @@ -6800,7 +6805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +843,46 @@ +@@ -724,3 +841,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -7581,7 +7586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.2.5/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/bind.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/bind.te 2008-01-31 09:00:42.000000000 -0500 @@ -53,6 +53,9 @@ init_system_domain(ndc_t,ndc_exec_t) role system_r types ndc_t; @@ -7592,6 +7597,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind ######################################## # # Named local policy +@@ -222,6 +225,7 @@ + corenet_tcp_sendrecv_all_nodes(ndc_t) + corenet_tcp_sendrecv_all_ports(ndc_t) + corenet_tcp_connect_rndc_port(ndc_t) ++corenet_tcp_bind_all_nodes(ndc_t) + corenet_sendrecv_rndc_client_packets(ndc_t) + + domain_use_interactive_fds(ndc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.2.5/policy/modules/services/bitlbee.fc --- nsaserefpolicy/policy/modules/services/bitlbee.fc 2007-09-17 15:56:47.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/bitlbee.fc 2008-01-18 12:40:46.000000000 -0500 @@ -7805,8 +7818,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.5/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/bluetooth.te 2008-01-30 11:17:07.000000000 -0500 -@@ -32,6 +32,9 @@ ++++ serefpolicy-3.2.5/policy/modules/services/bluetooth.te 2008-01-31 11:15:46.000000000 -0500 +@@ -32,19 +32,22 @@ type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) @@ -7816,7 +7829,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue ######################################## # # Bluetooth services local policy -@@ -44,7 +47,7 @@ + # + +-allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock }; ++allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock }; + dontaudit bluetooth_t self:capability sys_tty_config; + allow bluetooth_t self:process { getsched signal_perms }; + allow bluetooth_t self:fifo_file rw_fifo_file_perms; allow bluetooth_t self:shm create_shm_perms; allow bluetooth_t self:socket create_stream_socket_perms; allow bluetooth_t self:unix_dgram_socket create_socket_perms; @@ -12469,7 +12488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-31 11:45:40.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -12487,8 +12506,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. mta_base_mail_template(system) role system_r types system_mail_t; -@@ -40,27 +43,40 @@ - allow system_mail_t self:capability { dac_override }; +@@ -37,30 +40,43 @@ + # + + # newalias required this, not sure if it is needed in 'if' file +-allow system_mail_t self:capability { dac_override }; ++allow system_mail_t self:capability { dac_override fowner }; read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) +read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type) @@ -15087,8 +15110,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.2.5/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/prelude.if 2008-01-30 15:42:04.000000000 -0500 -@@ -0,0 +1,116 @@ ++++ serefpolicy-3.2.5/policy/modules/services/prelude.if 2008-01-31 08:49:34.000000000 -0500 +@@ -0,0 +1,128 @@ + +## policy for prelude + @@ -15155,18 +15178,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +interface(`prelude_admin',` + gen_require(` + type prelude_t; ++ type prelude_spool_t; ++ type prelude_var_run_t; ++ type prelude_var_lib_t; ++ type prelude_script_exec_t; ++ type audisp_prelude_t; ++ type audisp_prelude_var_run_t; + ') + + allow $1 prelude_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, prelude_t, prelude_t) + -+ ++ allow $1 audisp_prelude_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, audisp_prelude_t, audisp_prelude_t) ++ + # Allow prelude_t to restart the apache service + prelude_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 prelude_script_exec_t system_r; + allow $2 system_r; + ++ manage_all_pattern($1, prelude_spool_t) ++ manage_all_pattern($1, prelude_var_lib_t) ++ manage_all_pattern($1, prelude_var_run_t) ++ manage_all_pattern($1, audisp_prelude_var_run_t) +') + +######################################## @@ -15208,7 +15243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel Binary files nsaserefpolicy/policy/modules/services/prelude.pp and serefpolicy-3.2.5/policy/modules/services/prelude.pp differ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.2.5/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/prelude.te 2008-01-30 15:55:36.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/prelude.te 2008-01-31 13:09:03.000000000 -0500 @@ -0,0 +1,114 @@ +policy_module(prelude,1.0.0) + @@ -15222,15 +15257,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +domain_type(prelude_t) +init_daemon_domain(prelude_t, prelude_exec_t) + ++type prelude_spool_t; ++files_type(prelude_spool_t) ++ +type prelude_var_run_t; +files_pid_file(prelude_var_run_t) + +type prelude_var_lib_t; +files_type(prelude_var_lib_t) + -+type prelude_spool_t; -+files_type(prelude_spool_t) -+ +type prelude_script_exec_t; +init_script_type(prelude_script_exec_t) + @@ -15968,7 +16003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.5/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/razor.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/razor.if 2008-01-31 11:58:50.000000000 -0500 @@ -137,6 +137,7 @@ template(`razor_per_role_template',` gen_require(` @@ -15994,6 +16029,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo ############################## # +@@ -218,3 +217,42 @@ + + domtrans_pattern($1, razor_exec_t, razor_t) + ') ++ ++######################################## ++## ++## Create, read, write, and delete razor files ++## in a user home subdirectory. ++## ++## ++##

++## Create, read, write, and delete razor files ++## in a user home subdirectory. ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`razor_manage_user_home_files',` ++ gen_require(` ++ type user_home_dir_t, user_razor_home_t; ++ ') ++ ++ files_search_home($2) ++ allow $2 user_home_dir_t:dir search_dir_perms; ++ manage_files_pattern($2,user_razor_home_t,user_razor_home_t) ++ read_lnk_files_pattern($2,user_razor_home_t,user_razor_home_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.5/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/razor.te 2008-01-18 12:40:46.000000000 -0500 @@ -16959,7 +17037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/samba.te 2008-01-28 14:28:32.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/samba.te 2008-01-31 11:27:07.000000000 -0500 @@ -26,28 +26,28 @@ ## @@ -17070,7 +17148,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -340,6 +347,17 @@ +@@ -320,6 +327,8 @@ + userdom_dontaudit_use_unpriv_user_fds(smbd_t) + userdom_use_unpriv_users_fds(smbd_t) + ++term_use_ptmx(smbd_t) ++ + ifdef(`hide_broken_symptoms', ` + files_dontaudit_getattr_default_dirs(smbd_t) + files_dontaudit_getattr_boot_dirs(smbd_t) +@@ -340,6 +349,17 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) @@ -17088,7 +17175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') optional_policy(` -@@ -391,7 +409,7 @@ +@@ -391,7 +411,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -17097,7 +17184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -403,8 +421,7 @@ +@@ -403,8 +423,7 @@ read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) @@ -17107,7 +17194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) -@@ -439,6 +456,7 @@ +@@ -439,6 +458,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -17115,7 +17202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -522,6 +540,7 @@ +@@ -522,6 +542,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) @@ -17123,7 +17210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_list_bin(smbmount_t) -@@ -546,28 +565,37 @@ +@@ -546,28 +567,37 @@ userdom_use_all_users_fds(smbmount_t) @@ -17168,7 +17255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_var_run_t:file read; manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) -@@ -577,7 +605,9 @@ +@@ -577,7 +607,9 @@ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) @@ -17179,7 +17266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -602,6 +632,7 @@ +@@ -602,6 +634,7 @@ dev_read_urand(swat_t) @@ -17187,7 +17274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb files_read_etc_files(swat_t) files_search_home(swat_t) files_read_usr_files(swat_t) -@@ -614,6 +645,7 @@ +@@ -614,6 +647,7 @@ libs_use_shared_libs(swat_t) logging_send_syslog_msg(swat_t) @@ -17195,7 +17282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -631,6 +663,17 @@ +@@ -631,6 +665,17 @@ kerberos_use(swat_t) ') @@ -17213,7 +17300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # Winbind local policy -@@ -679,6 +722,8 @@ +@@ -679,6 +724,8 @@ manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) files_pid_filetrans(winbind_t,winbind_var_run_t,file) @@ -17222,7 +17309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -766,6 +811,7 @@ +@@ -766,6 +813,7 @@ optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) @@ -17230,7 +17317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -790,3 +836,37 @@ +@@ -790,3 +838,37 @@ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ') ') @@ -18171,7 +18258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +/etc/rc.d/init.d/spamd -- gen_context(system_u:object_r:spamd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2008-01-31 12:54:45.000000000 -0500 @@ -37,7 +37,9 @@ gen_require(` @@ -18384,9 +18471,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - libs_use_shared_libs($1_spamassassin_t) - - logging_send_syslog_msg($1_spamassassin_t) -- ++ ifelse(`$1',`user',`',` ++ typealias user_spamassassin_home_t alias $1_spamassassin_home_t; ++ typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t; ++ typealias user_spamc_tmp_t alias $1_spamc_tmp_t; ++ ') ++ ++ manage_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) ++ manage_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) ++ manage_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) ++ relabel_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) ++ relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) ++ relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) + - miscfiles_read_localization($1_spamassassin_t) -- ++ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) ++ domtrans_pattern($2, spamc_exec_t, spamc_t) + - # cjp: this could probably be removed - seutil_read_config($1_spamassassin_t) - @@ -18448,24 +18549,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam - # Write pid file and socket in ~/.evolution/cache/tmp - evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file }) - ') -+ ifelse(`$1',`user',`',` -+ typealias user_spamassassin_home_t alias $1_spamassassin_home_t; -+ typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t; -+ typealias user_spamc_tmp_t alias $1_spamc_tmp_t; -+ ') -+ -+ manage_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) -+ manage_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) -+ manage_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) -+ relabel_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) -+ relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) -+ relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t) - +- - optional_policy(` - # cjp: clearly some redundancy here -+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) -+ domtrans_pattern($2, spamc_exec_t, spamc_t) - +- - nis_use_ypbind($1_spamassassin_t) - - tunable_policy(`spamassassin_can_network && allow_ypbind',` @@ -18480,6 +18567,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## +@@ -370,7 +122,7 @@ + # + interface(`spamassassin_exec_spamd',` + gen_require(` +- type spamd_exec_t; ++ type spamd_eoxec_t; + ') + + can_exec($1,spamd_exec_t) @@ -398,11 +150,65 @@ ## # @@ -18590,7 +18686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t) ') -@@ -528,3 +355,101 @@ +@@ -528,3 +355,133 @@ dontaudit $1 spamd_tmp_t:sock_file getattr; ') @@ -18691,10 +18787,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + manage_all_pattern($1,spamd_var_run_t) +') + ++######################################## ++## ++## Read spamassassin per user homedir ++## ++## ++##

++## Read spamassassin per user homedir ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`spamassassin_manage_user_home_files',` ++ gen_require(` ++ type user_spamassassin_home_t; ++ ') + ++ manage_files_pattern($1, user_spamassassin_home_t, user_spamassassin_home_t) ++ razor_manage_user_home_files(user,$1) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-31 12:52:59.000000000 -0500 @@ -21,8 +21,9 @@ gen_tunable(spamd_enable_home_dirs,true) @@ -18802,7 +18930,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dcc_stream_connect_dccifd(spamd_t) ') -@@ -212,3 +254,206 @@ +@@ -198,6 +240,10 @@ + + optional_policy(` + razor_domtrans(spamd_t) ++ tunable_policy(`spamd_enable_home_dirs',` ++ razor_manage_user_home_files(user,spamd_t) ++ ') ++ + ') + + optional_policy(` +@@ -212,3 +258,206 @@ optional_policy(` udev_read_db(spamd_t) ') @@ -19847,7 +19986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-25 16:50:51.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-31 11:12:11.000000000 -0500 @@ -15,6 +15,7 @@ template(`xserver_common_domain_template',` gen_require(` @@ -21211,7 +21350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-23 09:15:22.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-31 13:43:36.000000000 -0500 @@ -99,7 +99,7 @@ template(`authlogin_per_role_template',` @@ -21303,15 +21442,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -356,6 +398,7 @@ +@@ -356,6 +398,28 @@ optional_policy(` samba_stream_connect_winbind($1) ') + auth_domtrans_upd_passwd($1) ++') ++ ++######################################## ++## ++## Run unix_chkpwd to check a password. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_domtrans_chkpwd',` ++ gen_require(` ++ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ++ ') ++ ++ corecmd_search_sbin($1) ++ domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) ++ dontaudit $1 shadow_t:file { getattr read }; ++ auth_domtrans_upd_passwd($1) ') ######################################## -@@ -369,12 +412,12 @@ +@@ -369,12 +433,12 @@ ## ## ## @@ -21326,7 +21486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## ## # -@@ -386,6 +429,7 @@ +@@ -386,6 +450,7 @@ auth_domtrans_chk_passwd($1) role $2 types system_chkpwd_t; allow system_chkpwd_t $3:chr_file rw_file_perms; @@ -21334,7 +21494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -1457,6 +1501,7 @@ +@@ -1457,6 +1522,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) @@ -21342,7 +21502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1491,3 +1536,23 @@ +@@ -1491,3 +1557,23 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -21368,7 +21528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.5/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2008-01-22 12:59:23.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2008-01-31 11:33:23.000000000 -0500 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -22671,6 +22831,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.2.5/policy/modules/system/miscfiles.fc +--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2007-08-22 17:33:53.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/system/miscfiles.fc 2008-01-31 08:38:35.000000000 -0500 +@@ -80,3 +80,4 @@ + /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) + ') ++HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.5/policy/modules/system/miscfiles.if +--- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/miscfiles.if 2008-01-31 08:40:50.000000000 -0500 +@@ -489,3 +489,44 @@ + manage_lnk_files_pattern($1,locale_t,locale_t) + ') + ++######################################## ++## ++## Read user homedir fonts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`miscfiles_read_home_fonts',` ++ gen_require(` ++ type user_fonts_home_t; ++ ') ++ ++ read_files_pattern($1,user_fonts_home_t,user_fonts_home_t) ++ read_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t) ++') ++ ++######################################## ++## ++## Read user homedir fonts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`miscfiles_manage_home_fonts',` ++ gen_require(` ++ type user_fonts_home_t; ++ ') ++ ++ manage_dirs_pattern($1,user_fonts_home_t,user_fonts_home_t) ++ manage_files_pattern($1,user_fonts_home_t,user_fonts_home_t) ++ manage_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.2.5/policy/modules/system/miscfiles.te +--- nsaserefpolicy/policy/modules/system/miscfiles.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/miscfiles.te 2008-01-31 08:42:09.000000000 -0500 +@@ -20,6 +20,14 @@ + files_type(fonts_t) + + # ++# fonts_t is the type of various font ++# files in /usr ++# ++type user_fonts_home_t; ++userdom_user_home_type(user_fonts_home_t) ++files_type(user_fonts_home_t) ++ ++# + # type for /usr/share/hwdata + # + type hwdata_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.2.5/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2007-03-26 10:39:07.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/system/modutils.if 2008-01-18 12:40:46.000000000 -0500 @@ -24389,7 +24623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-25 11:51:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-31 08:42:16.000000000 -0500 @@ -29,9 +29,14 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 63a6cb6..b03bd86 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.5 -Release: 22%{?dist} +Release: 23%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -387,6 +387,9 @@ exit 0 %endif %changelog +* Wed Jan 30 2008 Dan Walsh 3.2.5-23 +- Allow allow_httpd_mod_auth_pam to work + * Wed Jan 30 2008 Dan Walsh 3.2.5-22 - Add audisp policy and prelude