diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.12/man/man8/samba_selinux.8
--- nsaserefpolicy/man/man8/samba_selinux.8	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/man/man8/samba_selinux.8	2009-08-19 18:01:06.000000000 +0200
@@ -20,7 +20,7 @@
 .TP
 This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
 .TP
-/var/eng(/.*)? system_u:object_r:samba_share_t
+/var/eng(/.*)? system_u:object_r:samba_share_t:s0
 .TP
 Run the restorecon command to apply the changes:
 .TP
@@ -53,4 +53,4 @@
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 
 .SH "SEE ALSO"
-selinux(8), samba(7), chcon(1), setsebool(8)
+selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
--- nsaserefpolicy/policy/mcs	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/mcs	2009-07-08 21:09:33.000000000 +0200
@@ -66,7 +66,7 @@
 #
 # Note that getattr on files is always permitted.
 #
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
 	(( h1 dom h2 ) or ( t1 == mlsfilewrite ));
 
 mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
@@ -111,22 +111,22 @@
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
 # Access control for any database objects based on MCS rules.
-mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param }
+mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
 	( h1 dom h2 );
 
-mlsconstrain db_table { drop setattr relabelfrom select update insert delete use }
+mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
 	( h1 dom h2 );
 
-mlsconstrain db_column { drop setattr relabelfrom select update insert use }
+mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
 	( h1 dom h2 );
 
 mlsconstrain db_tuple { relabelfrom select update delete use }
 	( h1 dom h2 );
 
-mlsconstrain db_procedure { execute install }
+mlsconstrain db_procedure { drop getattr setattr execute install }
 	( h1 dom h2 );
 
-mlsconstrain db_blob { drop setattr relabelfrom read write }
+mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
 	( h1 dom h2 );
 
 ') dnl end enable_mcs
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.12/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/certwatch.te	2009-06-25 10:21:01.000000000 +0200
@@ -1,5 +1,5 @@
 
-policy_module(certwatch, 1.3.0)
+policy_module(certwatch, 1.3.1)
 
 ########################################
 #
@@ -28,7 +28,7 @@
 fs_list_inotifyfs(certwatch_t)
 
 auth_manage_cache(certwatch_t)
-auth_filetrans_cache(certwatch_t)
+auth_var_filetrans_cache(certwatch_t)
 
 logging_send_syslog_msg(certwatch_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.12/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/kismet.te	2009-07-07 08:55:43.000000000 +0200
@@ -23,6 +23,9 @@
 type kismet_var_lib_t;
 files_type(kismet_var_lib_t)
 
+type kismet_tmpfs_t;
+files_tmp_file(kismet_tmpfs_t)
+
 ########################################
 #
 # kismet local policy
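Review bot: The new `kismet_tmpfs_t` type is declared with `files_tmp_file(kismet_tmpfs_t)`, which marks it as a generic /tmp file type, but the later hunk in this file makes it the target of `fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, file)`. Tmpfs-backed types elsewhere in this policy tree are declared with `files_tmpfs_file()`, which gives the type the tmpfs file attribute (and, as far as I can see, the tmpfs associate rights) rather than the /tmp ones; mixing the two means /tmp-wide interfaces such as purge/relabel will match this type while tmpfs-specific ones will not. Suggest replacing the declaration line with `files_tmpfs_file(kismet_tmpfs_t)`.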
@@ -44,6 +47,10 @@
 manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
 files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
 
+manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, file)
+
 allow kismet_t kismet_var_lib_t:file manage_file_perms;
 allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
 files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
@@ -53,6 +60,7 @@
 files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
 
 kernel_search_debugfs(kismet_t)
+kernel_read_system_state(kismet_t)
 
 corecmd_exec_bin(kismet_t)
 
@@ -75,3 +83,11 @@
 
 userdom_use_user_terminals(kismet_t)
 userdom_read_user_tmpfs_files(kismet_t)
+
+optional_policy(`
+        dbus_system_bus_client(kismet_t)
+
+        optional_policy(`
+                networkmanager_dbus_chat(kismet_t)
+        ')
+')
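Review bot: The added `optional_policy` bodies are indented with runs of spaces (8 and 16), while the rest of this patch and the existing context lines indent policy bodies with a single tab (compare the `psad_domtrans` and `rpm_manage_tmp_files` hunks). The same mixed indentation appears in the mrtg hunk (`hddtemp_domtrans` uses spaces, `netutils_domtrans_ping` a tab), throughout the new shorewall.if and gitosis.if files, and gitosis.if additionally leaves a blank line inside two `gen_require` blocks. Normalising to tabs keeps the files consistent with the tree they are being merged into.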
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.12/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/logrotate.te	2009-07-28 16:09:42.000000000 +0200
@@ -32,7 +32,7 @@
 # Change ownership on log files.
 allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
 # for mailx
-dontaudit logrotate_t self:capability { setuid setgid };
+dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
 
 allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 
@@ -188,6 +188,10 @@
 ')
 
 optional_policy(`
+	psad_domtrans(logrotate_t)
+')  
+
+optional_policy(`
 	slrnpull_manage_spool(logrotate_t)
 ')
 
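Review bot: The added closing line `')  ` carries trailing whitespace; the same trailing spaces appear on the added lines in the readahead (`files_getattr_all_pipes`), rpm.te (`mount_domtrans`), shorewall.if (`type shorewall_t; `), tzdata (`fs_getattr_xattr_fs`), calamaris (`')  `) and gitosis.te (`corecmd_exec_bin`) hunks. This is harmless to the m4 expansion but will show up as noise in every later diff of these files, so worth stripping before merge.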
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.12/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/mrtg.te	2009-08-13 08:59:23.000000000 +0200
@@ -136,10 +136,18 @@
 ')
 
 optional_policy(`
+        hddtemp_domtrans(mrtg_t)
+')
+
+optional_policy(`
 	hostname_exec(mrtg_t)
 ')
 
 optional_policy(`
+	netutils_domtrans_ping(mrtg_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(mrtg_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te	2009-06-25 10:21:01.000000000 +0200
@@ -68,10 +68,11 @@
 files_list_all(prelink_t)
 files_getattr_all_files(prelink_t)
 files_write_non_security_dirs(prelink_t)
-files_read_etc_files(prelink_t)
-files_read_etc_runtime_files(prelink_t)
+auth_read_all_files_except_shadow(prelink_t)
 files_dontaudit_read_all_symlinks(prelink_t)
 files_manage_usr_files(prelink_t)
+# Delta RPMS
+files_manage_var_files(prelink_t)
 files_relabelfrom_usr_files(prelink_t)
 
 fs_getattr_xattr_fs(prelink_t)
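Review bot: Replacing `files_read_etc_files`/`files_read_etc_runtime_files` with `auth_read_all_files_except_shadow(prelink_t)` widens prelink from reading configuration to reading every non-shadow file type on the system, and nothing in the hunk records why that breadth is needed; together with the new `files_manage_var_files` this is a noticeably larger footprint for a domain that already has `files_write_non_security_dirs` and `files_manage_usr_files`. If the need is to read the ELF objects prelink may relink wherever they live, a comment saying so would let the next reviewer judge whether it can be narrowed, e.g. `# prelink must read every object it may relink, wherever it lives — TODO confirm this cannot be narrowed to executable/library types`. The `# Delta RPMS` comment on the `files_manage_var_files` line is a good model; the broader rule deserves at least the same.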
@@ -102,5 +103,9 @@
 ')
 
 optional_policy(`
+	rpm_manage_tmp_files(prelink_t)
+')
+
+optional_policy(`
 	unconfined_domain(prelink_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-08-05 21:59:03.000000000 +0200
@@ -50,11 +50,13 @@
 domain_use_interactive_fds(readahead_t)
 domain_read_all_domains_state(readahead_t)
 
+files_getattr_all_pipes(readahead_t)  
 files_dontaudit_getattr_all_sockets(readahead_t)
 files_list_non_security(readahead_t)
 files_read_non_security_files(readahead_t)
 files_dontaudit_read_security_files(readahead_t)
 files_dontaudit_getattr_non_security_blk_files(readahead_t)
+files_create_boot_flag(readahead_t)
 
 fs_getattr_all_fs(readahead_t)
 fs_search_auto_mountpoints(readahead_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.12/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.fc	2009-09-02 13:11:37.000000000 +0200
@@ -1,5 +1,6 @@
 
 /bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpm                    --      gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if	2009-09-02 11:03:37.000000000 +0200
@@ -470,6 +470,24 @@
 
 ########################################
 ## <summary>
+##	Manage RPM tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_manage_tmp_files',`
+	gen_require(`
+		type rpm_tmp_t;
+	')
+
+	manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read, 
 ##	write RPM tmp files
 ## </summary>
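Review bot: The `<param name="domain">` description for `rpm_manage_tmp_files` reads `Domain to not audit.`, copied from the dontaudit interface that follows it; it should read `Domain allowed access.` since this interface grants access. The body also manages `rpm_tmp_t` files without granting search on the parent /tmp directory; the tmp-file interfaces elsewhere in this patch pair the pattern with a search call, so add `files_search_tmp($1)` before the `manage_files_pattern` line.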
@@ -569,3 +587,31 @@
 	allow $1 rpm_t:process signull;
 ')
 
+########################################
+## <summary>
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_leaks',`
+	gen_require(`
+		type rpm_t;
+		type rpm_script_t;
+		type rpm_var_run_t;
+		type rpm_tmp_t;
+		type rpm_tmpfs_t;
+	')
+
+	dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
+	dontaudit $1 rpm_script_t:fd use;
+	dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms;
+	dontaudit $1 rpm_var_run_t:file write_file_perms;
+	dontaudit $1 rpm_tmp_t:file rw_file_perms;
+	dontaudit $1 rpm_t:shm rw_shm_perms;
+ 	dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ 	dontaudit $1 rpm_tmpfs_t:file write_file_perms;
+')
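Review bot: The summary `dontaudit read and write an leaked file descriptors` is ungrammatical; suggest `Do not audit attempts to read or write file descriptors leaked into the domain.`. The last two `dontaudit` lines (`rpm_tmpfs_t:dir` and `rpm_tmpfs_t:file`) are indented with a space followed by a tab while the rest of the block uses a bare tab. Since this interface silences rather than grants access, it would also help callers to say in the summary that it is meant for domains spawned from rpm scriptlets, if that is the intended audience (inferred from the `rpm_script_t:fd use` line, not stated anywhere).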
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te	2009-07-28 14:08:18.000000000 +0200
@@ -377,6 +377,10 @@
 ')
 
 optional_policy(`
+	mount_domtrans(rpm_script_t) 
+')
+
+optional_policy(`
 	tzdata_domtrans(rpm_t)
 	tzdata_domtrans(rpm_script_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.6.12/policy/modules/admin/shorewall.fc
--- nsaserefpolicy/policy/modules/admin/shorewall.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.fc	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/shorewall        	--      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/shorewall-lite       --      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+
+/etc/shorewall(/.*)?            		gen_context(system_u:object_r:shorewall_etc_t,s0)
+/etc/shorewall-lite(/.*)?               	gen_context(system_u:object_r:shorewall_etc_t,s0)
+
+/sbin/shorewall				--	gen_context(system_u:object_r:shorewall_exec_t,s0)
+/sbin/shorewall-lite			--      gen_context(system_u:object_r:shorewall_exec_t,s0)
+
+/var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall-lite(/.*)?           	gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.6.12/policy/modules/admin/shorewall.if
--- nsaserefpolicy/policy/modules/admin/shorewall.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.if	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,166 @@
+## <summary>policy for shorewall</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run shorewall.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shorewall_domtrans',`
+	gen_require(`
+		type shorewall_t; 
+		type shorewall_exec_t;
+	')
+
+	domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+')
+
+#######################################
+## <summary>
+##      Read shorewall etc configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_read_etc',`
+        gen_require(`
+                type shorewall_etc_t;
+        ')
+
+        files_search_etc($1)
+        read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+')
+
+#######################################
+## <summary>
+##      Read shorewall PID files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_read_pid_files',`
+        gen_require(`
+                type shorewall_var_run_t;
+        ')
+
+        files_search_pids($1)
+        read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+#######################################
+## <summary>
+##      Read and write shorewall PID files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_rw_pid_files',`
+        gen_require(`
+                type shorewall_var_run_t;
+        ')
+
+        files_search_pids($1)
+        rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+######################################
+## <summary>
+##      Read shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_read_var_lib',`
+        gen_require(`
+                type shorewall_t;
+       ')
+
+        files_search_var_lib($1)
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+        read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+##      Read and write shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_rw_var_lib',`
+        gen_require(`
+                type shorewall_t;
+       ')
+
+        files_search_var_lib($1)
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+        rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+##      All of the rules required to administrate 
+##      an shorewall environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the syslog domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`shorewall_admin',`
+        gen_require(`
+                type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
+                type shorewall_initrc_exec_t, shorewall_var_lib_t;
+                type shorewall_tmp_t;
+        ')
+
+        allow $1 shorewall_t:process { ptrace signal_perms };
+        ps_process_pattern($1, shorewall_t)
+
+        init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 shorewall_initrc_exec_t system_r;
+        allow $2 system_r;
+
+        files_search_etc($1)
+        admin_pattern($1, shorewall_etc_t)
+
+	files_search_locks($1)
+	admin_pattern($1, shorewall_lock_t)
+
+        files_search_pids($1)
+        admin_pattern($1, shorewall_var_run_t)
+
+        files_search_var_lib($1)
+        admin_pattern($1, shorewall_var_lib_t)
+
+        files_search_tmp($1)
+        admin_pattern($1, shorewall_tmp_t)
+')
+
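Review bot: `shorewall_read_var_lib` and `shorewall_rw_var_lib` require only `type shorewall_t;` but their bodies reference `shorewall_var_lib_t`, which is never listed in their `gen_require`, so any module calling either interface will fail to build on an undeclared type; change the require in both to `type shorewall_var_lib_t;`. `shorewall_admin` has the same gap for `shorewall_etc_t` (used in `admin_pattern` but not required), and `shorewall_read_pid_files`, `shorewall_rw_pid_files` and `shorewall_admin` all require `shorewall_var_run_t`, a type the new shorewall.te in this patch never declares, so those three interfaces cannot be used as written until the type exists or the references are dropped. The `role` parameter doc in `shorewall_admin` says `manage the syslog domain`; it should name the shorewall domain.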
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.12/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.te	2009-06-25 10:41:25.000000000 +0200
@@ -0,0 +1,103 @@
+policy_module(shorewall,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type shorewall_t;
+type shorewall_exec_t;
+init_system_domain(shorewall_t, shorewall_exec_t)
+
+type shorewall_initrc_exec_t;
+init_script_file(shorewall_initrc_exec_t)
+
+# etc files
+type shorewall_etc_t;
+files_config_file(shorewall_etc_t)
+
+# lock files
+type shorewall_lock_t;
+files_lock_file(shorewall_lock_t)
+
+# tmp files
+type shorewall_tmp_t;
+files_tmp_file(shorewall_tmp_t)
+
+# var/lib files
+type shorewall_var_lib_t;
+files_type(shorewall_var_lib_t)
+
+########################################
+#
+# shorewall local policy
+#
+
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
+dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:process signal;
+
+allow shorewall_t self:fifo_file rw_fifo_file_perms;
+
+# etc file
+read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+
+# lock files
+manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t)
+files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
+
+# var/lib files for shorewall
+exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file })
+
+# tmp files for shorewall
+manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
+manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
+files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(shorewall_t)
+kernel_read_system_state(shorewall_t)
+kernel_read_network_state(shorewall_t)
+kernel_rw_net_sysctls(shorewall_t)
+
+corecmd_exec_bin(shorewall_t)
+corecmd_exec_shell(shorewall_t)
+
+dev_read_urand(shorewall_t)
+
+fs_getattr_all_fs(shorewall_t)
+
+domain_read_all_domains_state(shorewall_t)
+
+files_getattr_kernel_modules(shorewall_t)
+files_read_etc_files(shorewall_t)
+files_read_usr_files(shorewall_t)
+files_search_kernel_modules(shorewall_t)
+
+init_rw_utmp(shorewall_t)
+
+libs_use_ld_so(shorewall_t)
+libs_use_shared_libs(shorewall_t)
+
+logging_send_syslog_msg(shorewall_t)
+
+miscfiles_read_localization(shorewall_t)
+
+userdom_dontaudit_list_admin_dir(shorewall_t)
+
+sysnet_domtrans_ifconfig(shorewall_t)
+iptables_domtrans(shorewall_t)
+
+optional_policy(`
+        modutils_domtrans_insmod(shorewall_t)
+')
+
+optional_policy(`
+	ulogd_search_log(shorewall_t)
+')
+
+permissive shorewall_t;
+
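Review bot: The module ends with `permissive shorewall_t;`, so every rule above it is advisory only — denials for shorewall are logged but not enforced — and nothing marks this as a temporary development setting. If it is intentional while the policy is being exercised, add a comment such as `# TODO: remove once the domain has been exercised in enforcing mode` and track its removal; otherwise drop the line. The capability list `{ dac_override net_admin net_raw setuid setgid sys_ptrace}` is missing the space before the closing brace, and `sys_ptrace` together with `domain_read_all_domains_state` is a wide grant for a firewall script that deserves a why-comment. `iptables_domtrans` and `sysnet_domtrans_ifconfig` are called outside `optional_policy`, unlike the `modutils`/`ulogd` calls below them; that is fine if both modules are guaranteed present in the base, otherwise they should be wrapped the same way.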
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.12/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/sudo.if	2009-08-05 23:24:01.000000000 +0200
@@ -152,6 +152,10 @@
 	optional_policy(`
 		dbus_system_bus_client($1_sudo_t)
 	')
+
+	optional_policy(`
+		fprintd_dbus_chat($1_sudo_t)
+	')
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.12/policy/modules/admin/tzdata.te
--- nsaserefpolicy/policy/modules/admin/tzdata.te	2009-04-07 21:54:49.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/tzdata.te	2009-09-07 13:31:31.000000000 +0200
@@ -16,6 +16,8 @@
 # tzdata local policy
 #
 
+fs_getattr_xattr_fs(tzdata_t)  
+
 files_read_etc_files(tzdata_t)
 files_search_spool(tzdata_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.12/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if	2009-04-07 21:54:49.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.if	2009-09-02 09:29:39.000000000 +0200
@@ -274,6 +274,9 @@
 	usermanage_domtrans_useradd($1)
 	role $2 types useradd_t;
 
+	# Add/remove user home directories
+	userdom_manage_home_role($2, useradd_t)
+
 	optional_policy(`
 		nscd_run(useradd_t, $2)
 	')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te	2009-09-02 09:28:02.000000000 +0200
@@ -209,6 +209,7 @@
 files_manage_etc_files(groupadd_t)
 files_relabel_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
+files_read_usr_symlinks(groupadd_t)
 
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(groupadd_t)
@@ -489,6 +490,8 @@
 
 userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
+userdom_manage_home_role(system_r, useradd_t)
+
 userdom_manage_user_home_content_dirs(useradd_t)
 userdom_manage_user_home_content_files(useradd_t)
 userdom_home_filetrans_user_home_dir(useradd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.12/policy/modules/apps/awstats.te
--- nsaserefpolicy/policy/modules/apps/awstats.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/awstats.te	2009-08-19 18:08:12.000000000 +0200
@@ -28,6 +28,8 @@
 awstats_rw_pipes(awstats_t)
 awstats_cgi_exec(awstats_t)
 
+can_exec(awstats_t, awstats_exec_t)
+
 manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
 manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
 files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.12/policy/modules/apps/calamaris.te
--- nsaserefpolicy/policy/modules/apps/calamaris.te	2009-04-07 21:54:49.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/calamaris.te	2009-08-05 23:27:19.000000000 +0200
@@ -82,5 +82,9 @@
 ')
 
 optional_policy(`
+	nscd_socket_use(calamaris_t)
+')  
+
+optional_policy(`
 	nis_use_ypbind(calamaris_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.12/policy/modules/apps/gitosis.fc
--- nsaserefpolicy/policy/modules/apps/gitosis.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.fc	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,4 @@
+
+/usr/bin/gitosis-serve			--        gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)?                            gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.12/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.if	2009-06-29 22:52:15.000000000 +0200
@@ -0,0 +1,96 @@
+## <summary>gitosis interface</summary>
+
+#######################################
+## <summary>
+##      Execute a domain transition to run gitosis.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gitosis_domtrans',`
+        gen_require(`
+                type gitosis_t, gitosis_exec_t;
+        ')
+
+        domtrans_pattern($1, gitosis_exec_t, gitosis_t)
+')
+
+#######################################
+## <summary>
+##      Execute gitosis-serve in the gitosis domain, and
+##      allow the specified role the gitosis domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed the gitosis domain.
+##      </summary>
+## </param>
+## <param name="terminal">
+##      <summary>
+##      The type of the role's terminal.
+##      </summary>
+## </param>
+#
+interface(`gitosis_run',`
+        gen_require(`
+                type gitosis_t;
+        ')
+
+        gitosis_domtrans($1)
+        role $2 types gitosis_t;
+        allow gitosis_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##      Allow the specified domain to read
+##      gitosis lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gitosis_read_var_lib',`
+        gen_require(`
+                type gitosis_var_lib_t;
+
+        ')
+	
+	files_search_var_lib($1)
+        read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+	read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+        list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
+
+######################################
+## <summary>
+##      Allow the specified domain to manage
+##      gitosis lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gitosis_manage_var_lib',`
+        gen_require(`
+                type gitosis_var_lib_t;
+
+        ')
+
+	files_search_var_lib($1)
+        manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+        manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+	manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.12/policy/modules/apps/gitosis.te
--- nsaserefpolicy/policy/modules/apps/gitosis.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.te	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,43 @@
+policy_module(gitosis,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gitosis_t;
+type gitosis_exec_t;
+application_domain(gitosis_t, gitosis_exec_t)
+role system_r types gitosis_t;
+
+type gitosis_var_lib_t;
+files_type(gitosis_var_lib_t)
+
+########################################
+#
+# gitosis local policy
+#
+
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
+
+exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_lnk_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_dirs_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+
+corecmd_exec_bin(gitosis_t) 
+corecmd_exec_shell(gitosis_t)
+
+kernel_read_system_state(gitosis_t)
+
+files_read_usr_files(gitosis_t)
+files_search_var_lib(gitosis_t)
+
+libs_use_ld_so(gitosis_t)
+libs_use_shared_libs(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
+
+optional_policy(`
+	ssh_rw_pipes(gitosis_t)
+')
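Review bot: `exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)` lets any file under /var/lib/gitosis execute in the gitosis domain, and nothing says why; presumably repository hooks, but that should be stated so a later reader can judge whether execute on the whole var_lib type is needed or only on a hook subtype. Suggest a comment above it, e.g. `# presumably git hooks under /var/lib/gitosis must execute — confirm and narrow to a hook type if possible`. The pattern calls here also drop the space after each comma while gitosis.if in the same patch writes `name, type, type`; worth normalising to the spaced form used elsewhere in the tree.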
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.12/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/gnome.te	2009-09-18 14:56:40.000000000 +0200
@@ -114,6 +114,16 @@
 
 userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
 
+tunable_policy(`use_nfs_home_dirs',`
+        fs_manage_nfs_dirs(gconfdefaultsm_t)
+        fs_manage_nfs_files(gconfdefaultsm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+        fs_manage_cifs_dirs(gconfdefaultsm_t)
+        fs_manage_cifs_files(gconfdefaultsm_t)
+')
+
 optional_policy(`
         consolekit_dbus_chat(gconfdefaultsm_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.12/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/gpg.if	2009-08-18 15:05:46.000000000 +0200
@@ -30,7 +30,7 @@
 
 	# allow ps to show gpg
 	ps_process_pattern($2, gpg_t)
-	allow $2 gpg_t:process { signal sigkill };
+	allow $2 gpg_t:process { signull sigstop signal sigkill };
 
 	# communicate with the user 
 	allow gpg_helper_t $2:fd use;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.12/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/gpg.te	2009-08-18 15:06:47.000000000 +0200
@@ -90,6 +90,7 @@
 corenet_tcp_connect_all_ports(gpg_t)
 corenet_sendrecv_all_client_packets(gpg_t)
 
+dev_read_generic_usb_dev(gpg_t)
 dev_read_rand(gpg_t)
 dev_read_urand(gpg_t)
 
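Review bot: `dev_read_generic_usb_dev(gpg_t)` is added without a comment saying which device gpg needs, and generic USB device nodes are a broad class for a key-handling program. If this is for USB smartcard/token readers, a one-line why-comment would let a reviewer confirm the scope, e.g. `# presumably for USB smartcard/token readers — confirm`.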
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.12/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/java.te	2009-09-22 17:00:57.000000000 +0200
@@ -148,6 +148,8 @@
 	# execheap is needed for itanium/BEA jrocket
 	allow unconfined_java_t self:process { execstack execmem execheap };
 
+	files_execmod_all_files(unconfined_java_t)
+
 	init_dbus_chat_script(unconfined_java_t)
 
 	unconfined_domain_noaudit(unconfined_java_t)
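Review bot: `files_execmod_all_files(unconfined_java_t)` grants execmod (text relocation / writable-then-executable mapping) on every file type, and unlike the neighbouring `execheap` rule it carries no comment saying which JVM or library fails without it. Add a why-comment in the style of `# execheap is needed for itanium/BEA jrocket`, naming the component that needs it. If `unconfined_domain_noaudit`, called two lines below, already covers execmod for this domain, the line is redundant and can be dropped instead; I cannot confirm that from this hunk.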
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if	2009-07-08 21:12:05.000000000 +0200
@@ -45,6 +45,18 @@
 	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
 	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
 	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+
+	mozilla_dbus_chat($2)
+
+	userdom_manage_tmp_role($1, mozilla_t)
+
+	optional_policy(`
+		nsplugin_role($1, mozilla_t)
+	')
+
+	optional_policy(`
+		pulseaudio_role($1, mozilla_t)
+	')
 ')
 
 ########################################
@@ -64,6 +76,7 @@
 
 	allow $1 mozilla_home_t:dir list_dir_perms;
 	allow $1 mozilla_home_t:file read_file_perms;
+	allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
 	userdom_search_user_home_dirs($1)
 ')
 
@@ -82,7 +95,8 @@
 		type mozilla_home_t;
 	')
 
-	write_files_pattern($1, mozilla_home_t, mozilla_home_t)
+	allow $1 mozilla_home_t:dir list_dir_perms;
+	allow $1 mozilla_home_t:file write_file_perms;
 	userdom_search_user_home_dirs($1)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.12/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te	2009-07-08 21:12:10.000000000 +0200
@@ -59,6 +59,7 @@
 manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 userdom_search_user_home_dirs(mozilla_t)
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
 
 # Mozpluggerrc
 allow mozilla_t mozilla_conf_t:file read_file_perms;
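Review bot: `userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)` is a name-independent transition, so every directory mozilla_t creates directly under the user's home directory, not only the profile directory, will be labelled mozilla_home_t. Such directories then become invisible to user applications that lack mozilla_home_t access and, conversely, readable by anything granted the mozilla home-read interfaces. If only the profile directory is meant, state it above the rule so the side effect is understood, e.g. `# profile dir created by the browser gets mozilla_home_t; note this also catches any other dir it creates in $HOME`.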
@@ -97,6 +98,7 @@
 corenet_tcp_connect_ftp_port(mozilla_t)
 corenet_tcp_connect_ipp_port(mozilla_t)
 corenet_tcp_connect_generic_port(mozilla_t)
+corenet_tcp_connect_soundd_port(mozilla_t)
 corenet_sendrecv_http_client_packets(mozilla_t)
 corenet_sendrecv_http_cache_client_packets(mozilla_t)
 corenet_sendrecv_ftp_client_packets(mozilla_t)
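Review bot: `corenet_tcp_connect_soundd_port(mozilla_t)` is added without the packet rule that every other connect_* line in this block is paired with (`corenet_sendrecv_http_client_packets`, `_http_cache_`, `_ftp_` directly below it), so under SECMARK-labelled networking the sound-daemon connection would still be denied. Add `corenet_sendrecv_soundd_client_packets(mozilla_t)` next to it. A short comment on why the browser needs that port (presumably a plugin or audio backend over TCP) would also help; the rule block continues outside the hunk.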
@@ -114,6 +116,8 @@
 dev_dontaudit_rw_dri(mozilla_t)
 dev_getattr_sysfs_dirs(mozilla_t)
 
+domain_dontaudit_read_all_domains_state(mozilla_t)
+
 files_read_etc_runtime_files(mozilla_t)
 files_read_usr_files(mozilla_t)
 files_read_etc_files(mozilla_t)
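Review bot: `domain_dontaudit_read_all_domains_state(mozilla_t)` silences denials for the browser reading the /proc/&lt;pid&gt; state of every domain on the system, which is exactly the signal an analyst wants when a compromised browser or plugin starts enumerating other processes. If the noise comes from one identifiable source, a dontaudit against that domain alone is preferable; at minimum record the trigger, e.g. `# dontaudit: <what> walks /proc/<pid>/* of unrelated processes (TODO: name it)`.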
@@ -139,12 +143,7 @@
 # Browse the web, connect to printer
 sysnet_dns_name_resolve(mozilla_t)
 
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_manage_user_home_content_symlinks(mozilla_t)
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-userdom_manage_user_tmp_sockets(mozilla_t)
+userdom_use_user_ptys(mozilla_t)
 
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
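Review bot: Dropping `userdom_manage_user_home_content_dirs/files/symlinks(mozilla_t)` means the browser can no longer create or write files labelled user_home_t, which is where downloads saved directly under $HOME or a Downloads directory land unless those paths have been relabelled mozilla_home_t. Nothing in this hunk replaces that access with a tunable, so unless it is granted elsewhere (the role interface in this patch appears to move only the tmp rules, via `userdom_manage_tmp_role`) this is a functional regression that will show up as denials on save. Consider keeping the home-content rules behind a `tunable_policy` boolean, or add a comment stating where saving into the home directory is meant to be allowed.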
@@ -241,6 +240,9 @@
 optional_policy(`
 	dbus_system_bus_client(mozilla_t)
 	dbus_session_bus_client(mozilla_t)
+	optional_policy(`
+		networkmanager_dbus_chat(mozilla_t)
+	')
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.12/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if	2009-07-07 08:51:57.000000000 +0200
@@ -89,6 +89,8 @@
 	role $1 types nsplugin_config_t;
 
 	allow nsplugin_t $2:process signull;
+	allow nsplugin_t $2:sem rw_sem_perms;
+ 	allow nsplugin_t $2:shm rw_shm_perms;
 
 	list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
 	read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
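Review bot: `allow nsplugin_t $2:shm rw_shm_perms;` and the matching `sem` rule let the plugin domain read and write every SysV shared-memory segment and semaphore owned by the user domain $2, not only the ones the browser deliberately shares with it, which is a wide channel out of a domain meant to constrain plugins. If this serves a specific plugin's IPC, say so above the rules (`# plugins exchange SysV shm/sem with the user domain, e.g. <plugin>`) so the grant can be revisited. Style: the shm line is indented with a space followed by a tab, unlike its neighbour. The enclosing interface starts and ends outside this hunk.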
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.6.12/policy/modules/apps/ptchown.fc
--- nsaserefpolicy/policy/modules/apps/ptchown.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.fc	2009-08-14 08:31:59.000000000 +0200
@@ -0,0 +1,2 @@
+
+/usr/libexec/pt_chown	--	gen_context(system_u:object_r:ptchown_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.12/policy/modules/apps/ptchown.if
--- nsaserefpolicy/policy/modules/apps/ptchown.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.if	2009-08-14 08:09:22.000000000 +0200
@@ -0,0 +1,22 @@
+
+## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ptchown.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ptchown_domtrans',`
+	gen_require(`
+		type ptchown_t;
+                type ptchown_exec_t;
+	')
+
+	domtrans_pattern($1,ptchown_exec_t,ptchown_t)
+')
+
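Review bot: The new `ptchown_domtrans` interface mixes indentation — `type ptchown_exec_t;` inside gen_require is indented with spaces while the surrounding lines use tabs — and `domtrans_pattern($1,ptchown_exec_t,ptchown_t)` omits the spaces after commas used elsewhere in the policy; write `domtrans_pattern($1, ptchown_exec_t, ptchown_t)`. The module summary has a typo, `ownship` for `ownership`, and since pt_chown is invoked through grantpt(3) by ordinary programs it would help to name the expected callers there. Only a domtrans interface is provided; a caller in a user role will also need `role <r> types ptchown_t`, which a `ptchown_run(domain, role)` wrapper would package in the usual way.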
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.12/policy/modules/apps/ptchown.te
--- nsaserefpolicy/policy/modules/apps/ptchown.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.te	2009-08-20 09:35:25.000000000 +0200
@@ -0,0 +1,40 @@
+policy_module(ptchown,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ptchown_t;
+type ptchown_exec_t;
+application_domain(ptchown_t, ptchown_exec_t)
+role system_r types ptchown_t;
+
+permissive ptchown_t;
+
+########################################
+#
+# ptchown local policy
+#
+
+allow ptchown_t self:capability { chown fowner fsetid setuid };
+allow ptchown_t self:process { getcap setcap };
+
+# Init script handling
+domain_use_interactive_fds(ptchown_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow ptchown_t self:fifo_file rw_file_perms;
+allow ptchown_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(ptchown_t)
+
+fs_rw_anon_inodefs_files(ptchown_t)
+
+term_setattr_generic_ptys(ptchown_t)
+term_setattr_all_user_ptys(ptchown_t)
+term_use_generic_ptys(ptchown_t)
+term_use_ptmx(ptchown_t)
+
+miscfiles_read_localization(ptchown_t)
+
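Review bot: `permissive ptchown_t;` disables enforcement for a setuid-root helper that is granted `chown fowner fsetid setuid`, so none of the rules below it is actually enforced or validated. If this is a development placeholder, mark it so it cannot slip into a release, e.g. `# TODO: remove once the domain has been exercised in enforcing mode`, and plan to drop it. The module summary says the helper only changes ownership and permissions of a pseudoterminal, so `term_setattr_generic_ptys`/`term_setattr_all_user_ptys` look right, whereas `fs_rw_anon_inodefs_files` and the self fifo/unix-socket rules read like daemon-template boilerplate; trim them to what the audit log actually shows.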
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc	2009-06-25 10:21:01.000000000 +0200
@@ -1,2 +1,3 @@
 /usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.te	2009-06-25 10:21:01.000000000 +0200
@@ -88,11 +88,16 @@
 ')
 
 optional_policy(`
+	dbus_system_bus_client(qemu_t)
+')
+
+optional_policy(`
 	samba_domtrans_smb(qemu_t)
 ')
 
 optional_policy(`
 	virt_manage_images(qemu_t)
+	virt_append_log(qemu_t)
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.12/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.if	2009-06-25 10:21:01.000000000 +0200
@@ -3,73 +3,143 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run sandbox.
+##	Execute sandbox in the sandbox domain, and
+##	allow the specified role the sandbox domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
-##	Domain allowed to transition.
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the sandbox domain.
 ## </summary>
 ## </param>
 #
-interface(`sandbox_domtrans',`
+interface(`sandbox_transition',`
 	gen_require(`
-		type sandbox_t;
-                type sandbox_exec_t;
+		type sandbox_xserver_t;
+		attribute sandbox_domain;
 	')
 
-	domtrans_pattern($1,sandbox_exec_t,sandbox_t)
+	allow $1 sandbox_domain:process transition;
+	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+	role $2 types sandbox_domain;
+	role $2 types sandbox_xserver_t;
 ')
 
-
 ########################################
 ## <summary>
-##	Execute sandbox in the sandbox domain, and
-##	allow the specified role the sandbox domain.
+##	Creates types and rules for a basic
+##	qemu process domain.
 ## </summary>
-## <param name="domain">
+## <param name="prefix">
 ##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the sandbox domain.
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
 #
-interface(`sandbox_run',`
+template(`sandbox_domain_template',`
+
 	gen_require(`
-		type sandbox_t;
+		attribute sandbox_domain;
 	')
 
-	sandbox_domtrans($1)
-	role $2 types sandbox_t;
+	type $1_t, sandbox_domain;
+	domain_type($1_t)
+
+	type $1_file_t;
+	files_type($1_file_t)
+
+	can_exec($1_t, $1_file_t)
+	manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
+	manage_files_pattern($1_t, $1_file_t, $1_file_t)
+	manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
+	manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
+	manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
 ')
 
 ########################################
 ## <summary>
-##	Role access for sandbox
+##	Creates types and rules for a basic
+##	qemu process domain.
 ## </summary>
-## <param name="role">
+## <param name="prefix">
 ##	<summary>
-##	Role allowed access
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
+#
+template(`sandbox_x_domain_template',`
+	gen_require(`
+		type xserver_exec_t;
+		type sandbox_xserver_t;
+		attribute sandbox_domain, sandbox_x_domain;
+	')
+
+	sandbox_domain_template($1)
+
+	
+	typeattribute $1_t sandbox_x_domain;
+
+	# window manager
+	miscfiles_setattr_fonts($1_t)
+	allow $1_t self:capability setuid;
+
+	type $1_client_t, sandbox_x_domain, sandbox_domain;
+	domain_type($1_client_t)
+
+	type $1_client_tmpfs_t;
+	files_tmpfs_file($1_client_tmpfs_t)
+
+	allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
+	term_create_pty($1_client_t,sandbox_devpts_t)
+
+	manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+	fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
+	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+
+	domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+	allow $1_t sandbox_xserver_t:process sigkill;
+
+	domtrans_pattern($1_t, $1_file_t, $1_client_t)
+	domain_entry_file($1_client_t,  $1_file_t)
+
+	manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+	manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+	manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+	allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms;
+	ps_process_pattern(sandbox_xserver_t, $1_client_t)
+	ps_process_pattern(sandbox_xserver_t, $1_t)
+	allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
+	allow sandbox_xserver_t $1_t:shm rw_shm_perms;
+
+	can_exec($1_client_t, $1_file_t)
+	manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
+	manage_files_pattern($1_client_t, $1_file_t, $1_file_t)
+	manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
+	manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
+	manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
+
+#	permissive $1_client_t;
+')
+
+########################################
+## <summary>
+##	allow domain to read, 
+##	write sandbox_xserver tmp files
+## </summary>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`sandbox_role',`
+interface(`sandbox_rw_xserver_tmpfs_files',`
 	gen_require(`
-              type sandbox_t;
+		type sandbox_xserver_tmpfs_t;
 	')
 
-	role $2 types sandbox_t;
-
-	sandbox_domtrans($1)
-
-	ps_process_pattern($2, sandbox_t)
-	allow $2 sandbox_t:process signal;
+	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
 ')
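Review bot: `sandbox_x_domain_template` uses `sandbox_devpts_t` (`allow $1_client_t sandbox_devpts_t:chr_file ...` and `term_create_pty($1_client_t,sandbox_devpts_t)`) but its `gen_require` names only `xserver_exec_t`, `sandbox_xserver_t` and the two attributes; it links today only because the template is expanded inside sandbox.te itself and would fail in any other module, so add `type sandbox_devpts_t;` there. The summaries of both templates are copy-paste leftovers describing "a basic qemu process domain", and the parameter of `sandbox_rw_xserver_tmpfs_files` is described as "Domain to not audit." although the interface grants rw_file_perms; reword them to "Creates types and rules for a basic sandbox domain." and "Domain allowed access.". The commented-out `#	permissive $1_client_t;` should be removed rather than left in a template.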
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te	2009-06-25 10:21:01.000000000 +0200
@@ -1,18 +1,84 @@
 policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
 
 ########################################
 #
 # Declarations
 #
 
-type sandbox_t;
-type sandbox_exec_t;
-application_domain(sandbox_t, sandbox_exec_t)
-init_daemon_domain(sandbox_t, sandbox_exec_t)
-role system_r types sandbox_t;
+sandbox_domain_template(sandbox)
+sandbox_x_domain_template(sandbox_x)
+sandbox_x_domain_template(sandbox_web)
+sandbox_x_domain_template(sandbox_net)
 
-type sandbox_file_t;
-files_type(sandbox_file_t)
+type sandbox_xserver_t;
+domain_type(sandbox_xserver_t)
+xserver_common_app(sandbox_xserver_t)
+permissive sandbox_xserver_t;
+
+type sandbox_xserver_tmpfs_t;
+files_tmpfs_file(sandbox_xserver_tmpfs_t)
+
+type sandbox_devpts_t;
+term_pty(sandbox_devpts_t)
+files_type(sandbox_devpts_t)
+
+########################################
+#
+# sandbox xserver policy
+#
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_socket_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+corecmd_exec_bin(sandbox_xserver_t)
+corecmd_exec_shell(sandbox_xserver_t)
+
+corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_tcp_bind_generic_node(sandbox_xserver_t)
+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
+
+files_read_etc_files(sandbox_xserver_t)
+files_read_usr_files(sandbox_xserver_t)
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+
+miscfiles_read_fonts(sandbox_xserver_t)
+miscfiles_read_localization(sandbox_xserver_t)
+
+kernel_read_system_state(sandbox_xserver_t)
+
+auth_use_nsswitch(sandbox_xserver_t)
+
+userdom_use_user_terminals(sandbox_xserver_t)
+
+xserver_entry_type(sandbox_xserver_t)
+
+optional_policy(`
+	dbus_system_bus_client(sandbox_xserver_t)
+
+	optional_policy(`
+		hal_dbus_chat(sandbox_xserver_t)
+	')
+')
 
 ########################################
 #
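Review bot: `permissive sandbox_xserver_t;` leaves the nested X server unenforced while the same block gives it `corenet_tcp_bind_generic_node` plus `corenet_tcp_bind_xserver_port` and `corenet_tcp_sendrecv_all_ports`/`corenet_sendrecv_all_client_packets`, so a sandbox-owned X server may listen on the X TCP port and talk to any port with denials never recorded. A sandbox X server is normally reached only over its unix socket; drop the TCP bind rules unless a concrete need is shown, and either remove the permissive line or mark it `# TODO: remove before release`. Style: `dbus_stub()` and the two `attribute` declarations sit between `policy_module` and the Declarations banner; move them below the banner to keep the refpolicy layout.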
@@ -20,21 +86,189 @@
 #
 
 ## internal communication is often done using fifo and unix sockets.
-allow sandbox_t self:fifo_file rw_file_perms;
-allow sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_domain self:fifo_file rw_file_perms;
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
+
+files_rw_all_inherited_files(sandbox_domain)
+files_entrypoint_all_files(sandbox_domain)
+
+miscfiles_read_localization(sandbox_domain)
+
+kernel_dontaudit_read_system_state(sandbox_domain)
+corecmd_exec_all_executables(sandbox_domain)
+
+
+########################################
+#
+# sandbox_x_domain local policy
+#
+allow sandbox_x_domain self:process { signal_perms getsched setpgid };
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+allow sandbox_x_domain self:unix_dgram_socket create_socket_perms;
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
+
+files_read_etc_files(sandbox_x_domain)
+files_read_usr_files(sandbox_x_domain)
+files_read_usr_symlinks(sandbox_x_domain)
+
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
+
+logging_send_syslog_msg(sandbox_x_domain)
+
+miscfiles_read_fonts(sandbox_x_domain)
+
+optional_policy(`
+	gnome_read_gconf_config(sandbox_x_domain)
+')
+
+optional_policy(`
+	cups_stream_connect(sandbox_x_domain)
+	cups_read_rw_config(sandbox_x_domain)
+')
+
+########################################
+#
+# sandbox_x_client_t local policy
+#
+allow sandbox_x_client_t self:tcp_socket create_socket_perms;
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_x_client_t)
+
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
+
+auth_use_nsswitch(sandbox_x_client_t)
+
+dbus_system_bus_client(sandbox_x_client_t)
+dbus_read_config(sandbox_x_client_t)
+selinux_get_fs_mount(sandbox_x_client_t)
+selinux_validate_context(sandbox_x_client_t)
+selinux_compute_access_vector(sandbox_x_client_t)
+selinux_compute_create_context(sandbox_x_client_t)
+selinux_compute_relabel_context(sandbox_x_client_t)
+selinux_compute_user_contexts(sandbox_x_client_t)
+seutil_read_default_contexts(sandbox_x_client_t)
+
+optional_policy(`
+	hal_dbus_chat(sandbox_x_client_t)
+')
+
+########################################
+#
+# sandbox_web_client_t local policy
+#
+allow sandbox_web_client_t self:capability { setuid setgid };
+allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay;
+allow sandbox_web_client_t self:process setsched;
+
+allow sandbox_web_client_t self:tcp_socket create_socket_perms;
+allow sandbox_web_client_t self:udp_socket create_socket_perms;
+allow sandbox_web_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_web_client_t)
+
+# Browse the web, connect to printer
+corenet_all_recvfrom_unlabeled(sandbox_web_client_t)
+corenet_all_recvfrom_netlabel(sandbox_web_client_t)
+corenet_tcp_sendrecv_generic_if(sandbox_web_client_t)
+corenet_raw_sendrecv_generic_if(sandbox_web_client_t)
+corenet_tcp_sendrecv_generic_node(sandbox_web_client_t)
+corenet_raw_sendrecv_generic_node(sandbox_web_client_t)
+corenet_tcp_sendrecv_http_port(sandbox_web_client_t)
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t)
+corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t)
+corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t)
+corenet_tcp_connect_http_port(sandbox_web_client_t)
+corenet_tcp_connect_http_cache_port(sandbox_web_client_t)
+corenet_tcp_connect_ftp_port(sandbox_web_client_t)
+corenet_tcp_connect_ipp_port(sandbox_web_client_t)
+corenet_tcp_connect_generic_port(sandbox_web_client_t)
+corenet_sendrecv_http_client_packets(sandbox_web_client_t)
+corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
+corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
+corenet_sendrecv_ipp_client_packets(sandbox_web_client_t)
+corenet_sendrecv_generic_client_packets(sandbox_web_client_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
+corenet_tcp_connect_speech_port(sandbox_web_client_t)
+
+auth_use_nsswitch(sandbox_web_client_t)
+
+dbus_system_bus_client(sandbox_web_client_t)
+dbus_read_config(sandbox_web_client_t)
+selinux_get_fs_mount(sandbox_web_client_t)
+selinux_validate_context(sandbox_web_client_t)
+selinux_compute_access_vector(sandbox_web_client_t)
+selinux_compute_create_context(sandbox_web_client_t)
+selinux_compute_relabel_context(sandbox_web_client_t)
+selinux_compute_user_contexts(sandbox_web_client_t)
+seutil_read_default_contexts(sandbox_web_client_t)
+
+optional_policy(`
+	nsplugin_read_rw_files(sandbox_web_client_t)
+	nsplugin_rw_exec(sandbox_web_client_t)
+')
+
+optional_policy(`
+	hal_dbus_chat(sandbox_web_client_t)
+')
+
+########################################
+#
+# sandbox_net_client_t local policy
+#
+allow sandbox_net_client_t self:tcp_socket create_socket_perms;
+allow sandbox_net_client_t self:udp_socket create_socket_perms;
+allow sandbox_net_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_net_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_net_client_t)
 
-manage_dirs_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
-manage_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
-manage_lnk_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
-manage_fifo_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
-manage_sock_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
+corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
+corenet_all_recvfrom_netlabel(sandbox_net_client_t)
+corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
 
-files_rw_all_inherited_files(sandbox_t)
-files_entrypoint_all_files(sandbox_t)
+auth_use_nsswitch(sandbox_net_client_t)
 
-libs_use_ld_so(sandbox_t)
-libs_use_shared_libs(sandbox_t)
+dbus_system_bus_client(sandbox_net_client_t)
+dbus_read_config(sandbox_net_client_t)
+selinux_get_fs_mount(sandbox_net_client_t)
+selinux_validate_context(sandbox_net_client_t)
+selinux_compute_access_vector(sandbox_net_client_t)
+selinux_compute_create_context(sandbox_net_client_t)
+selinux_compute_relabel_context(sandbox_net_client_t)
+selinux_compute_user_contexts(sandbox_net_client_t)
+seutil_read_default_contexts(sandbox_net_client_t)
 
-miscfiles_read_localization(sandbox_t)
+optional_policy(`
+	nsplugin_read_rw_files(sandbox_web_client_t)
+	nsplugin_rw_exec(sandbox_web_client_t)
+')
 
-userdom_use_user_ptys(sandbox_t)
+optional_policy(`
+	hal_dbus_chat(sandbox_net_client_t)
+')
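Review bot: The `sandbox_net_client_t` section ends with an `optional_policy` block granting `nsplugin_read_rw_files(sandbox_web_client_t)` and `nsplugin_rw_exec(sandbox_web_client_t)` — the web client, not the net client — which is a copy-paste from the section above; either change both arguments to `sandbox_net_client_t` or drop the block, since as written it only duplicates rules already present. More broadly, `files_entrypoint_all_files(sandbox_domain)` and `corecmd_exec_all_executables(sandbox_domain)` combined with `corenet_tcp_connect_all_ports(sandbox_net_client_t)` make the net sandbox able to run any binary and reach any port; a comment stating that this is the intended contract (isolated from the user's files, unrestricted on the network) would keep later readers from treating it as an oversight. `allow sandbox_web_client_t self:capability { setuid setgid };` also needs a why-comment, as capabilities inside a sandbox are unexpected.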
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/screen.if	2009-08-05 23:21:33.000000000 +0200
@@ -62,6 +62,7 @@
 	manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
 	filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file)
 	files_pid_filetrans($1_screen_t, screen_dir_t, dir)
+	dontaudit $3 screen_var_run_t:fifo_file read;
 
 	allow $1_screen_t screen_home_t:dir list_dir_perms;
 	read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-04-07 21:54:49.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc	2009-06-25 10:21:01.000000000 +0200
@@ -63,6 +63,7 @@
 ')
 
 /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
 
 /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
 /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.te	2009-06-25 10:21:01.000000000 +0200
@@ -136,7 +136,7 @@
 
 miscfiles_read_localization(vmware_host_t)
 
-sysnet_dns_name_resolve(vmware_host_t)
+auth_use_nsswitch(vmware_host_t)
 
 storage_getattr_fixed_disk_dev(vmware_host_t)
 
@@ -160,6 +160,10 @@
         xserver_common_app(vmware_host_t)
 ')
 
+optional_policy(`
+	unconfined_domain(vmware_host_t)
+	unconfined_domain(vmware_t)
+')
 
 ifdef(`TODO',`
 # VMWare need access to pcmcia devices for network
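Review bot: The new `optional_policy` block calls `unconfined_domain(vmware_host_t)` and `unconfined_domain(vmware_t)` unconditionally whenever the unconfined module is present, which on a default system makes both vmware domains unconfined and turns every confining rule in this file into dead weight. Because `unconfined_domain` attaches attributes, it cannot be placed under a boolean, so if this is a deliberate workaround it belongs in a separate opt-in module or behind a build-time `ifdef`, and in any case needs a comment explaining why confinement is abandoned, e.g. `# VMware host services need broad access; treated as unconfined when the unconfined module is loaded`.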
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2009-08-13 17:13:38.000000000 +0200
@@ -7,6 +7,7 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -69,6 +70,8 @@
 /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
 
+/etc/racoon/scripts(/.*)?  		gen_context(system_u:object_r:bin_t,s0)
+
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
@@ -119,6 +122,7 @@
 /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
 /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
 /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
+/sbin/nologin                   --      gen_context(system_u:object_r:shell_exec_t,s0)
 
 #
 # /opt
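Review bot: `/sbin/nologin` is labelled `shell_exec_t`, which makes it executable by every domain holding `corecmd_exec_shell` and, as far as I can tell, lets it serve as an entry shell for user domains; if the goal is letting login programs transition into a user domain whose account shell is nologin, a one-line comment would stop someone from moving it back to bin_t later, e.g. `# nologin must be shell_exec_t so login/sshd can exec it as the account shell`. Style: the entry is padded with spaces while the rest of the block uses tabs.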
@@ -145,6 +149,7 @@
 /usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -217,8 +222,11 @@
 /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/configpath	--      gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-perl(/.*)?	        gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-shell(/.*)?        gen_context(system_u:object_r:bin_t,s0)
-/usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6-lite(/.*)?        gen_context(system_u:object_r:bin_t,s0)
 
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
 
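Review bot: The deletion of `/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` is unrelated to the shorewall entries added around it, and nothing in the change says whether turboprint moved to its own module or was dropped; possibly the line was removed because the `--` file-only flag conflicts with a directory-covering pattern, but that is not stated. If intentional it deserves its own change or a note, otherwise turboprint's helpers fall back to the generic /usr/share label and confined domains can no longer execute them. Style: the new `shorewall/configpath` and `shorewall-perl` lines use runs of spaces where neighbouring entries use tabs.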
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in	2009-08-13 08:57:43.000000000 +0200
@@ -107,6 +107,7 @@
 network_port(giftd, tcp,1213,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd,tcp,2947,s0)
+network_port(hddtemp, tcp,7634,s0)
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
 portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -116,7 +117,7 @@
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
 network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
 network_port(innd, tcp,119,s0)
-network_port(ipp, tcp,631,s0, udp,631,s0)
+network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8611,s0, udp,8611,s0)
 network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
 network_port(ircd, tcp,6667,s0)
 network_port(ipmi, udp,623,s0, udp,664,s0)
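Review bot: `network_port(ipp, ..., tcp,8611,s0, udp,8611,s0)` adds a port with no comment, while the nearby `http_cache` and `http` lines annotate their non-obvious additions (`# 8118 is for privoxy`). Folding 8611 into ipp_port_t hands that port to every domain with ipp access, so record what it is for; presumably the Canon BJNP printer protocol, `# 8611 is Canon BJNP`, but confirm before committing the comment.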
@@ -134,7 +135,7 @@
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
-network_port(mail, tcp,2000,s0)
+network_port(mail, tcp,2000,s0, tcp,3905,s0)
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
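Review bot: `network_port(mail, tcp,2000,s0, tcp,3905,s0)` adds tcp/3905 to mail_port_t without a comment; I believe 3905 is registered as mupdate (Cyrus murder), and if that is the intended use an annotation like `# 3905 is Cyrus mupdate`, as done for 8118 on the http_cache line, would explain why it shares the mail type rather than getting its own. If it is something else the comment matters even more, since every domain allowed mail_port_t now gets this port.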
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc	2009-09-29 18:31:58.000000000 +0200
@@ -46,8 +46,10 @@
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/ksm		-c	gen_context(system_u:object_r:ksm_device_t,s0)
 /dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
 /dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/lirc[0-9]+        -c      gen_context(system_u:object_r:lirc_device_t,s0)
 /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
@@ -168,6 +170,7 @@
 
 ifdef(`distro_redhat',`
 # originally from named.fc
+/var/named/chroot/dev 		-d 	gen_context(system_u:object_r:device_t,s0)
 /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
 /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if	2009-07-03 11:25:38.000000000 +0200
@@ -1727,6 +1727,133 @@
 
 ########################################
 ## <summary>
+##	Get the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_ksm_dev',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_ksm_dev',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Read the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_ksm',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##      Read and write to ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_ksm',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+######################################
+## <summary>
+##      Read the lirc device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_read_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        read_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+##      Read and write the lirc device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_rw_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        rw_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+##      Automatic type transition to the type
+##      for lirc device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_filetrans_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        filetrans_pattern($1, device_t, lirc_device_t, chr_file)
+')
+
+########################################
+## <summary>
 ##	Read the lvm comtrol device.
 ## </summary>
 ## <param name="domain">
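Review bot: The new ksm interfaces are named inconsistently — `dev_getattr_ksm_dev`/`dev_setattr_ksm_dev` versus `dev_read_ksm`/`dev_rw_ksm` — while the lirc set uses `dev_read_lirc`/`dev_rw_lirc`/`dev_filetrans_lirc`; pick one scheme matching the existing device interfaces in this file so callers can guess the names. The three lirc interfaces and their summaries are indented with spaces where the rest of the file uses tabs, and the ksm summary blocks mix both. Since `/dev/ksm` controls kernel same-page merging, `dev_rw_ksm` is a privileged grant whose summary should say who is meant to call it, e.g. `## Read and write the KSM control device (intended for the hypervisor management domain)`, confirming the intended caller first.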
@@ -3780,3 +3907,21 @@
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+######################################
+## <summary>
+##      Set the attributes of the tty device
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_setattr_tty',`
+       gen_require(`
+               type devtty_t;
+       ')
+
+       setattr_chr_files_pattern($1, devtty_t, devtty_t)
+')
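Review bot: `setattr_chr_files_pattern($1, devtty_t, devtty_t)` passes devtty_t as the directory argument, so the pattern's `search` rule is emitted on a chr_file type and the caller gets no search on /dev; the node lives under device_t, so it should read `setattr_chr_files_pattern($1, device_t, devtty_t)` with `type device_t, devtty_t;` in the require. devtty_t is the terminal module's type (terminal.if requires it further down in this patch), and the same patch adds `term_setattr_controlling_term` granting the identical setattr, so keeping only the terminal.if interface avoids a cross-module require and two routes to the same permission. The body is also space-indented where the neighbouring interfaces use tabs.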
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.te	2009-06-25 10:21:01.000000000 +0200
@@ -78,6 +78,13 @@
 dev_node(ipmi_device_t)
 
 #
+# ksm_device_t is the type of
+# /dev/ksm
+#
+type ksm_device_t;
+dev_node(ksm_device_t)
+
+#
 # Type for /dev/kmsg
 #
 type kmsg_device_t;
@@ -91,6 +98,12 @@
 dev_node(kvm_device_t)
 
 #
+# Type for /dev/lirc
+#
+type lirc_device_t;
+dev_node(lirc_device_t)
+
+#
 # Type for /dev/mapper/control
 #
 type lvm_control_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-07-07 08:21:23.000000000 +0200
@@ -44,34 +44,6 @@
 interface(`domain_type',`
 	# start with basic domain
 	domain_base_type($1)
-
-	ifdef(`distro_redhat',`
-		optional_policy(`
-			unconfined_use_fds($1)
-		')
-	')
-
-	# send init a sigchld and signull
-	optional_policy(`
-		init_sigchld($1)
-		init_signull($1)
-	')
-
-	# these seem questionable:
-
-	optional_policy(`
-		rpm_use_fds($1)
-		rpm_read_pipes($1)
-	')
-
-	optional_policy(`
-		selinux_dontaudit_getattr_fs($1)
-		selinux_dontaudit_read_fs($1)
-	')
-
-	optional_policy(`
-		seutil_dontaudit_read_config($1)
-	')
 ')
 
 ########################################
@@ -1338,3 +1310,20 @@
 	typeattribute $1 process_uncond_exempt;
 ')
 
+#######################################
+## <summary>
+## Send generic signals to the unconfined domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_unconfined_signal',`
+	gen_require(`
+		type unconfined_domain_type;
+	')
+
+	allow $1 unconfined_domain_type:process signal;
+')
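Review bot: The require block declares `type unconfined_domain_type;`, but unconfined_domain_type is the attribute domain.te applies to all unconfined domains (the `allow unconfined_domain_type domain:...` rules in this patch use it as a subject spanning many types), so the require should be `attribute unconfined_domain_type;` — requiring an attribute as a type should be rejected when the module is linked. The summary should also say that `signal` covers every signal except kill/stop/chld/null, i.e. a caller can SIGTERM or SIGHUP any unconfined process, so this belongs only to domains that genuinely need to notify unconfined sessions. The doc comments are unindented (`## <summary>`) where the rest of the file uses `##` followed by a tab.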
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te	2009-09-02 11:03:42.000000000 +0200
@@ -91,6 +91,9 @@
 kernel_read_proc_symlinks(domain)
 kernel_read_crypto_sysctls(domain)
 
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
 # Every domain gets the key ring, so we should default
 # to no one allowed to look at it; afs kernel support creates
 # a keyring
@@ -108,6 +111,15 @@
 # list the root directory
 files_list_root(domain)
 
+selinux_getattr_fs(domain)
+selinux_search_fs(domain)
+selinux_dontaudit_read_fs(domain)
+
+init_sigchld(domain)
+init_signull(domain)
+
+seutil_dontaudit_read_config(domain)
+
 tunable_policy(`global_ssp',`
 	# enable reading of urandom for all domains:
 	# this should be enabled when all programs
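Review bot: `init_sigchld(domain)`, `init_signull(domain)` and `seutil_dontaudit_read_config(domain)` are now called bare, whereas the code they replace in domain_type wrapped each in an optional_policy block; init and seutil are system-layer modules, so the kernel-layer domain module now hard-depends on them and a build that does not select them fails to link. Unless the intent is to force both into base, keep each call inside an optional_policy block as before. The new `selinux_getattr_fs`/`selinux_search_fs` allows (where the old code only dontaudited) are fine for every domain but deserve a one-line comment saying why the allow is now wanted.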
@@ -116,6 +128,12 @@
 	dev_read_urand(domain)
 ')
 
+ifdef(`distro_redhat',`
+	optional_policy(`
+		unconfined_use_fds(domain)
+	')
+')
+
 optional_policy(`
 	afs_rw_cache(domain)
 ')
@@ -125,6 +143,13 @@
 	libs_use_shared_libs(domain)
 ')
 
+# these seem questionable:
+optional_policy(`
+	rpm_use_fds(domain)
+	rpm_read_pipes(domain)
+	rpm_dontaudit_leaks(domain)
+')
+
 optional_policy(`
 	setrans_translate_context(domain)
 ')
@@ -152,8 +177,7 @@
 allow unconfined_domain_type domain:fd use;
 allow unconfined_domain_type domain:fifo_file rw_file_perms;
 
-allow unconfined_domain_type domain:dbus send_msg;
-allow domain unconfined_domain_type:dbus send_msg;
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
 
 # Act upon any other process.
 allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
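Review bot: Collapsing the two rules into `allow unconfined_domain_type unconfined_domain_type:dbus send_msg;` removes the blanket permission for confined domains to exchange D-Bus messages with unconfined processes, so every confined service whose client runs unconfined (and vice versa) now needs an explicit `*_dbus_chat` grant in its own module or it will start producing `dbus send_msg` denials. The tightening looks intentional and is a sound least-privilege move, but a change of this reach should carry a comment on the line, e.g. `# confined <-> unconfined dbus traffic is granted per module, not here`, and the commit message should name the modules that gained the replacement grants.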
@@ -185,7 +209,10 @@
 
 ifdef(`hide_broken_symptoms',`
 	fs_list_inotifyfs(domain)
+	dontaudit domain self:udp_socket listen;
 	allow domain domain:key { link search };
+	dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
+	cron_dontaudit_rw_tcp_sockets(domain)
 ')
 ')
 
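Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets(domain)` and `cron_dontaudit_rw_tcp_sockets(domain)` are called directly from the kernel-layer domain module; dbus and cron are service-layer modules, so unless both are guaranteed to be in base these calls need optional_policy wrappers like the rpm and afs calls earlier in this file, or the policy fails to link when either module is left out. `dontaudit domain self:udp_socket listen;` is reasonable — listen is meaningless on a datagram socket, so the denial is pure noise. The enclosing `ifdef(hide_broken_symptoms)` and the outer block closed by the final `')` both begin outside the hunk.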
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-09-14 14:40:51.000000000 +0200
@@ -1953,6 +1953,8 @@
 	allow $1 etc_t:dir list_dir_perms;
 	read_files_pattern($1, etc_t, etc_t)
 	read_lnk_files_pattern($1, etc_t, etc_t)
+	files_read_etc_runtime_files($1)
+	files_read_config_files($1)
 ')
 
 ########################################
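Review bot: Adding `files_read_config_files($1)` inside files_read_etc_files means every caller of this very widely used interface can now read every type carrying the `configfile` attribute — module-private config types such as hplip_etc_t, which this same patch declares via files_config_file — rather than just etc_t, which quietly widens read access across the whole policy and makes the per-module config types pointless. If particular domains need module configs, grant it in their own .te; keep this interface to etc_t and at most etc_runtime_t. Calling the module's own interfaces from inside an interface is also contrary to refpolicy style — use the pattern macros on the types directly.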
@@ -3734,6 +3736,7 @@
 	allow $1 usr_t:dir list_dir_perms;
 	read_files_pattern($1, usr_t, usr_t)
 	read_lnk_files_pattern($1, usr_t, usr_t)
+	files_read_usr_src_files($1)
 ')
 
 ########################################
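Review bot: `files_read_usr_src_files($1)` inside files_read_usr_files hands /usr/src (src_t) to every domain that only asked for /usr; most of those callers have no business reading kernel or package sources, and anything that genuinely needs it can call files_read_usr_src_files itself. As with the files_read_etc_files change in this patch, keep the interface scoped to usr_t and avoid calling sibling interfaces from inside an interface.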
@@ -5224,6 +5227,7 @@
 		attribute file_type;
 	')
 
+	allow $1 file_type:dir search_dir_perms;
 	allow $1 file_type:file { getattr read write append lock };
 	allow $1 file_type:fifo_file { getattr read write append ioctl lock };
 	allow $1 file_type:sock_file { getattr read write append ioctl lock };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-06-25 10:21:01.000000000 +0200
@@ -817,7 +817,7 @@
 		type proc_t;
 	')
 
-	dontaudit $1 proc_t:file { getattr read };
+	dontaudit $1 proc_t:file { open getattr read };
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.12/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/storage.fc	2009-08-24 16:29:47.000000000 +0200
@@ -28,6 +28,7 @@
 /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
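Review bot: The `-b` on `/dev/mtd.*` means only the block views (`/dev/mtdblockN`) are relabelled; the raw MTD nodes `/dev/mtdN` and `/dev/mtdrN` are character devices, so they keep the /dev default type and the mls_systemhigh protection this line is meant to give flash storage does not reach the nodes that actually allow erase and write. Add a char entry, e.g. `/dev/mtdr?[0-9]+  -c  gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`, and narrow the block pattern to `/dev/mtdblock[0-9]+` so `mtd.*` does not swallow unrelated names.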
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.12/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if	2009-04-07 21:54:48.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/storage.if	2009-08-24 16:26:39.000000000 +0200
@@ -529,7 +529,7 @@
 
 	')
 
-	dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
+	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if	2009-06-25 10:21:01.000000000 +0200
@@ -571,6 +571,25 @@
 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
 
+#######################################
+## <summary>
+##      Set the attributes of the tty device
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`term_setattr_controlling_term',`
+       gen_require(`
+               type devtty_t;
+       ')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devtty_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the controlling
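Review bot: The summary says only `Set the attributes of the tty device`, but the body also grants `dev_list_all_dev_nodes($1)`, i.e. listing of /dev, so the doc should say `Set the attributes of the tty device, listing /dev to reach it`, or the listing should be dropped if callers already have it. A near-identical `dev_setattr_tty` is added to devices.if in this same patch; one of the two should go, and this one is the right home since devtty_t is the terminal module's type. The gen_require block is space-indented while the rules under it use a tab.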
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/staff.te	2009-08-05 21:52:27.000000000 +0200
@@ -44,6 +44,10 @@
 ')
 
 optional_policy(`
+	postgresql_role(staff_r, staff_t)
+')
+
+optional_policy(`
 	secadm_role_change(staff_r)
 ')
 
@@ -87,6 +91,10 @@
 ')
 
 optional_policy(`
+        lpd_list_spool(staff_t)
+')
+
+optional_policy(`
 	kerneloops_dbus_chat(staff_t)
 ')
 
@@ -95,6 +103,10 @@
 ')
 
 optional_policy(`
+	sandbox_transition(staff_t, staff_r)
+')
+
+optional_policy(`
 	screen_manage_var_run(staff_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.12/policy/modules/roles/sysadm.if
--- nsaserefpolicy/policy/modules/roles/sysadm.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.if	2009-06-25 10:21:01.000000000 +0200
@@ -116,6 +116,41 @@
 
 ########################################
 ## <summary>
+##	Allow sysadm to execute all entrypoint files in
+##	a specified domain.  This is an explicit transition,
+##	requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Allow sysadm to execute all entrypoint files in
+##	a specified domain.  This is an explicit transition,
+##	requiring the caller to use setexeccon().
+##	</p>
+##	<p>
+##	This is a interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_entry_spec_domtrans_to',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	domain_entry_file_spec_domtrans(sysadm_t, $1)
+	allow $1 sysadm_t:fd use;
+	allow $1 sysadm_t:fifo_file rw_file_perms;
+	allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Allow sysadm to execute a generic bin program in
 ##	a specified domain.  This is an explicit transition,
 ##	requiring the caller to use setexeccon().
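Review bot: The `<param name="domain">` is documented as `Domain allowed access.`, but here $1 is the target of the transition, so it should read `Domain to transition to.`; the description should also state, as for the sibling `sysadm_bin_spec_domtrans_to`, that the caller must additionally authorise the role (`role sysadm_r types $1`) or the explicit transition is refused by RBAC. The body itself matches the sibling's shape (fd use, fifo rw, sigchld back to sysadm_t), which is appropriate.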
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te	2009-06-25 10:21:01.000000000 +0200
@@ -334,6 +334,10 @@
 ')
 
 optional_policy(`
+	virt_stream_connect(sysadm_t)
+')
+
+optional_policy(`
 	yam_run(sysadm_t, sysadm_r)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-09-02 10:35:47.000000000 +0200
@@ -52,6 +52,8 @@
 init_system_domain(unconfined_execmem_t, execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
 typealias execmem_exec_t alias unconfined_execmem_exec_t;
+userdom_unpriv_usertype(unconfined, unconfined_execmem_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t)
 
 type unconfined_notrans_t;
 type unconfined_notrans_exec_t;
@@ -95,7 +97,6 @@
 seutil_run_semanage(unconfined_t, unconfined_r)
 
 unconfined_domain_noaudit(unconfined_t)
-domain_mmap_low(unconfined_t)
 
 userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
 
@@ -252,6 +253,10 @@
 	portmap_run_helper(unconfined_t, unconfined_r)
 ')
 
+#optional_policy(`
+#	ppp_run(unconfined_t, unconfined_r)
+#')
+
 optional_policy(`
 	qemu_role_notrans(unconfined_r, unconfined_t)
 	qemu_unconfined_role(unconfined_r)
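Review bot: The commented-out `ppp_run(unconfined_t, unconfined_r)` block is dead policy; if ppp is now meant to run without a transition from unconfined_t, delete the block and say so in the commit message (or leave a one-line `# ppp is run unconfined from unconfined_t` comment), rather than a disabled rule the next reader may re-enable without knowing why it was turned off.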
@@ -277,7 +282,7 @@
 ')
 
 optional_policy(`
-	sandbox_run(unconfined_t, unconfined_r)
+	sandbox_transition(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
@@ -323,6 +328,7 @@
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
 allow unconfined_execmem_t unconfined_t:process transition;
+rpm_transition_script(unconfined_execmem_t)
 
 optional_policy(`
 	init_dbus_chat_script(unconfined_execmem_t)
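Review bot: `rpm_transition_script(unconfined_execmem_t)` is called bare while the adjacent `init_dbus_chat_script` call is wrapped in an optional_policy block; rpm is an optional admin module, so the call should be wrapped the same way or the module fails to link when rpm is not built. A short comment on why an execmem domain needs to transition into rpm scriptlets (presumably a package tool running with executable memory — verify) would also help.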
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te	2009-06-25 10:21:01.000000000 +0200
@@ -22,5 +22,9 @@
 ')
 
 optional_policy(`
+	sandbox_transition(user_t, user_r)
+')
+
+optional_policy(`
 	setroubleshoot_dontaudit_stream_connect(user_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.12/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/xguest.te	2009-07-08 21:12:15.000000000 +0200
@@ -36,11 +36,17 @@
 # Local policy
 #
 
+# Dontaudit fusermount
+dontaudit xguest_t self:capability sys_admin;
+
 # Allow mounting of file systems
 optional_policy(`
 	tunable_policy(`xguest_mount_media',`
 		kernel_read_fs_sysctls(xguest_t)
 
+		# allow fusermount
+		allow xguest_t self:capability sys_admin;
+
 		files_dontaudit_getattr_boot_dirs(xguest_t)
 		files_search_mnt(xguest_t)
 
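Review bot: `allow xguest_t self:capability sys_admin;` gives the least-privileged guest domain the kernel's broadest capability (mount/umount of anything, hostname, quotas, a long list of privileged ioctls), far beyond what fusermount needs, and the unconditional `dontaudit xguest_t self:capability sys_admin;` above it silences every such attempt even when `xguest_mount_media` is off, so misuse leaves no audit trail. Prefer running fusermount in its own confined domain via a mount-style domtrans so sys_admin is held by that helper rather than by xguest_t; if the direct grant must stay, drop the dontaudit or confine it to the boolean-off branch with a comment naming the exact AVC it hides. The enclosing optional_policy/tunable_policy block closes outside the hunk.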
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.12/policy/modules/services/afs.fc
--- nsaserefpolicy/policy/modules/services/afs.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/afs.fc	2009-08-24 16:34:56.000000000 +0200
@@ -26,7 +26,7 @@
 /vicepb				gen_context(system_u:object_r:afs_files_t,s0)
 /vicepc				gen_context(system_u:object_r:afs_files_t,s0)
 
-
+/usr/vice/cache(/.*)?  		gen_context(system_u:object_r:afs_cache_t,s0)
 /usr/vice/etc/afsd	--	gen_context(system_u:object_r:afs_exec_t,s0)
 
 /var/cache/afs(/.*)?		gen_context(system_u:object_r:afs_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.12/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/afs.te	2009-08-24 16:32:10.000000000 +0200
@@ -331,6 +331,7 @@
 files_mounton_mnt(afs_t)
 files_read_etc_files(afs_t)
 files_rw_etc_runtime_files(afs_t)
+files_read_usr_files(afs_t)
 
 fs_getattr_xattr_fs(afs_t)
 fs_mount_nfs(afs_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc	2009-09-14 14:48:14.000000000 +0200
@@ -40,6 +40,7 @@
 /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/wordpress-mu/wp-config\.php   -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)?  gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 
 
 /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -98,4 +99,6 @@
 
 /var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 
-/var/www/svn(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.12/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/apache.te	2009-09-16 13:39:43.000000000 +0200
@@ -681,6 +681,7 @@
 	unconfined_domain(httpd_unconfined_script_t)
 
 	role system_r types httpd_unconfined_script_t;
+	allow httpd_t httpd_unconfined_script_t:process signal_perms;
 ')
 
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.12/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/automount.if	2009-07-20 14:44:39.000000000 +0200
@@ -21,6 +21,24 @@
 
 ########################################
 ## <summary>
+##	Send automount a signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`automount_signal',`
+	gen_require(`
+		type automount_t;
+	')
+
+	allow $1 automount_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute automount in the caller domain.
 ## </summary>
 ## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/avahi.te	2009-06-29 13:28:59.000000000 +0200
@@ -24,7 +24,7 @@
 # Local policy
 #
 
-allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
+allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin setuid sys_chroot };
 dontaudit avahi_t self:capability sys_tty_config;
 allow avahi_t self:process { setrlimit signal_perms getcap setcap };
 allow avahi_t self:fifo_file rw_fifo_file_perms;
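Review bot: `net_admin` lets avahi_t reconfigure interfaces, routes and firewall state, which is far more than an mDNS responder should hold, and the hunk gives no hint of which operation triggered it. Add a comment on the line naming the syscall or ioctl from the AVC that needed it, and if the capability is only probed (e.g. at startup) use `dontaudit avahi_t self:capability net_admin;` next to the existing sys_tty_config dontaudit instead of an allow.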
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te	2009-06-25 10:21:01.000000000 +0200
@@ -64,6 +64,7 @@
 allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow bluetooth_t self:tcp_socket create_stream_socket_perms;
 allow bluetooth_t self:udp_socket create_socket_perms;
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.12/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/clamav.te	2009-07-13 11:33:25.000000000 +0200
@@ -106,6 +106,8 @@
 corenet_tcp_bind_generic_port(clamd_t)
 corenet_tcp_connect_generic_port(clamd_t)
 
+auth_use_nsswitch(clamd_t) 
+
 dev_read_rand(clamd_t)
 dev_read_urand(clamd_t)
 
@@ -179,6 +181,8 @@
 corenet_tcp_connect_http_port(freshclam_t)
 corenet_sendrecv_http_client_packets(freshclam_t)
 
+auth_use_nsswitch(freshclam_t)
+
 dev_read_rand(freshclam_t)
 dev_read_urand(freshclam_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.6.12/policy/modules/services/cobbler.fc
--- nsaserefpolicy/policy/modules/services/cobbler.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/cobbler.fc	2009-09-30 09:41:34.000000000 +0200
@@ -0,0 +1,2 @@
+
+/var/lib/cobbler(/.*)?                  gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.6.12/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/cobbler.if	2009-09-30 10:26:41.000000000 +0200
@@ -0,0 +1,21 @@
+## <summary>cobbler server policy</summary>
+
+#######################################
+## <summary>
+##      Read cobbler lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cobbler_read_lib_files',`
+        gen_require(`
+                type cobbler_var_lib_t;
+        ')
+
+        read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+        allow $1 cobbler_var_lib_t:dir list_dir_perms;
+        files_search_var_lib($1)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.12/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/cobbler.te	2009-09-30 09:41:20.000000000 +0200
@@ -0,0 +1,10 @@
+
+policy_module(cobbler,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cobbler_var_lib_t;
+files_type(cobbler_var_lib_t)
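Review bot: The module declares cobbler_var_lib_t but no process domain, so whatever writes /var/lib/cobbler (cobblerd, presumably) runs in its launcher's domain and nothing here gives it a filetrans; content created after the initial restorecon keeps the label only if it is created directly inside an already-labelled directory. A comment in the Declarations section should say whether a cobblerd domain is deliberately deferred. Both cobbler.te and cobbler.fc open with a stray blank line, and cobbler.if is space-indented where the rest of the tree uses tabs.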
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te	2009-08-04 12:44:39.000000000 +0200
@@ -14,7 +14,7 @@
 files_pid_file(consolekit_var_run_t)
 
 type consolekit_log_t;
-files_pid_file(consolekit_log_t)
+logging_log_file(consolekit_log_t)
 
 ########################################
 #
@@ -50,6 +50,7 @@
 files_read_usr_files(consolekit_t)
 # needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)
+files_search_all_mountpoints(consolekit_t)
 
 fs_list_inotifyfs(consolekit_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cron.if	2009-07-13 10:01:22.000000000 +0200
@@ -163,27 +163,14 @@
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
-		type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
+		type unconfined_cronjob_t;
 	')
 
-	role $1 types { unconfined_cronjob_t admin_crontab_t };
+	role $1 types unconfined_cronjob_t;
 
 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
 
-	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
-
-	# crontab shows up in user ps
-	ps_process_pattern($2, admin_crontab_t)
-	allow $2 admin_crontab_t:process signal;
-
-	# Run helper programs as the user domain
-	#corecmd_bin_domtrans(admin_crontab_t, $2)
-	#corecmd_shell_domtrans(admin_crontab_t, $2)
-	corecmd_exec_bin(admin_crontab_t)
-	corecmd_exec_shell(admin_crontab_t)
-
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
@@ -282,6 +269,8 @@
 	allow $1 crond_t:fd use;
 	allow $1 crond_t:process sigchld;
 
+	dontaudit $1 crond_t:fifo_file rw_fifo_file_perms;
+
 	userdom_dontaudit_list_admin_dir($1)
 	role system_r types $1;
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cron.te	2009-07-30 17:13:52.000000000 +0200
@@ -440,7 +440,7 @@
 init_dontaudit_rw_utmp(system_cronjob_t)
 # prelink tells init to restart it self, we either need to allow or dontaudit
 init_telinit(system_cronjob_t)
-init_spec_domtrans_script(system_cronjob_t)
+init_domtrans_script(system_cronjob_t)
 
 auth_use_nsswitch(system_cronjob_t)
 
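Review bot: Switching to `init_domtrans_script(system_cronjob_t)` turns what was an explicit, setexeccon-gated transition into an automatic one: any system cron job that executes a file of type initrc_exec_t now lands in initrc_t, the init-script domain, without asking for it. If this is only needed for prelink's restart mentioned in the comment above, the comment should say so and the blast radius deserves a second look; a narrower option is to keep the spec transition and have the prelink job set its exec context, or to transition only that helper.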
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.12/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cups.fc	2009-08-11 09:45:17.000000000 +0200
@@ -53,6 +53,8 @@
 /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
+/var/lib/hp(/.*)?               gen_context(system_u:object_r:hplip_var_lib_t,s0)
+
 /var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
 /var/log/turboprint.*		gen_context(system_u:object_r:cupsd_log_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cups.te	2009-08-13 09:15:32.000000000 +0200
@@ -59,12 +59,13 @@
 init_daemon_domain(hplip_t, hplip_exec_t)
 # For CUPS to run as a backend
 cups_backend(hplip_t, hplip_exec_t)
-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
 
 type hplip_etc_t;
 files_config_file(hplip_etc_t)
 
+type hplip_var_lib_t;
+files_type(hplip_var_lib_t)
+
 type hplip_var_run_t;
 files_pid_file(hplip_var_run_t)
 
@@ -163,6 +164,9 @@
 files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
 
 allow cupsd_t hplip_t:process {signal sigkill };
+
+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
@@ -376,6 +380,10 @@
 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
 
+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+ 
+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+
 kernel_read_system_state(cupsd_config_t)
 kernel_read_all_sysctls(cupsd_config_t)
 
@@ -574,9 +582,8 @@
 read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
 files_search_etc(hplip_t)
 
-fs_rw_anon_inodefs_files(hplip_t)
-
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
 
 manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
 files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
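Review bot: hplip_t gets `manage_files_pattern`/`manage_lnk_files_pattern` on hplip_var_lib_t but no `files_var_lib_filetrans(hplip_t, hplip_var_lib_t, dir)`; if hplip creates /var/lib/hp itself rather than the package shipping it, the directory comes into existence as var_lib_t and these rules never apply. Add the filetrans (and `manage_dirs_pattern` if it creates subdirectories), or note in a comment that the directory is packaged. The removed `fs_rw_anon_inodefs_files(hplip_t)` is re-added in a later hunk, so that part is only a move.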
@@ -615,6 +622,7 @@
 
 fs_getattr_all_fs(hplip_t)
 fs_search_auto_mountpoints(hplip_t)
+fs_rw_anon_inodefs_files(hplip_t)
 
 # for python
 corecmd_exec_bin(hplip_t)
@@ -733,6 +741,8 @@
 files_read_etc_files(cups_pdf_t)
 files_read_usr_files(cups_pdf_t)
 
+fs_rw_anon_inodefs_files(cups_pdf_t)  
+
 kernel_read_system_state(cups_pdf_t)
 
 auth_use_nsswitch(cups_pdf_t)
@@ -746,6 +756,7 @@
 manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
 files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
 
+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
 userdom_home_filetrans_user_home_dir(cups_pdf_t)
 userdom_manage_user_home_content_dirs(cups_pdf_t)
 userdom_manage_user_home_content_files(cups_pdf_t)
@@ -765,3 +776,10 @@
 manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
 miscfiles_read_fonts(cups_pdf_t)
 
+#need to read user-dirs.dirs
+optional_policy(`
+	gnome_read_config(cups_pdf_t)
+')
+
+
+
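Review bot: Three blank lines are appended at the end of cups.te; trim them to one. The `#need to read user-dirs.dirs` comment should say what that file is and why a print backend reads GNOME config, e.g. `# cups-pdf reads ~/.config/user-dirs.dirs to locate the user's output directory` (confirm that is the file in question). A whitespace-only `+ ` line is also added in the cupsd_config_t hunk earlier in this file.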
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.6.12/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cyrus.te	2009-09-16 13:08:45.000000000 +0200
@@ -136,6 +136,7 @@
 
 optional_policy(`
 	snmp_read_snmp_var_lib_files(cyrus_t)
+	snmp_stream_connect(cyrus_t)
 	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/dbus.if	2009-10-02 09:02:08.000000000 +0200
@@ -176,6 +176,10 @@
 		xserver_use_xdm_fds($1_dbusd_t)
 		xserver_rw_xdm_pipes($1_dbusd_t)
 	')
+
+	optional_policy(`
+                xserver_use_xdm($1_dbusd_t)
+        ')
 ')
 
 ########################################
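Review bot: The new optional_policy block holding `xserver_use_xdm($1_dbusd_t)` sits directly after one that already calls `xserver_use_xdm_fds` and `xserver_rw_xdm_pipes`; put the call inside that existing block rather than opening a second one for the same module, and use tabs — the new lines are space-indented. If xserver_use_xdm already covers the fd and pipe access the two older calls could go, but that depends on xserver.if, which is outside this diff.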
@@ -458,3 +462,27 @@
 	allow $1 system_dbusd_t:tcp_socket { read write };
 	allow $1 system_dbusd_t:fd use;
 ')
+
+#######################################
+## <summary>
+##      Dontaudit connect to system dbus 
+##	over an unix domain stream socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dbus_dontaudit_system_bus_stream_connect',`
+        gen_require(`
+                type system_dbusd_t, system_dbusd_var_run_t;
+        ')
+
+	dontaudit $1 system_dbusd_var_run_t:dir list_dir_perms;
+	dontaudit $1 system_dbusd_var_run_t:file read_file_perms;
+	dontaudit $1 system_dbusd_var_run_t:sock_file rw_sock_file_perms;
+        dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
+')
+
+
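Review bot: The interface is named `dbus_dontaudit_system_bus_stream_connect`, but besides the `connectto` it also dontaudits listing system_dbusd_var_run_t, reading files in it and rw on the sock_file; the summary should list all of it (e.g. `Dontaudit searching the system dbus run dir and connecting to its socket`) or the dir/file lines should be dropped so the name stays honest. Requiring both `system_dbusd_t` and `system_dbusd_var_run_t` is right, but the body mixes tab and space indentation and the hunk appends two blank lines at EOF.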
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/dcc.te	2009-06-25 10:21:01.000000000 +0200
@@ -130,11 +130,13 @@
 
 # Access files in /var/dcc. The map file can be updated
 allow dcc_client_t dcc_var_t:dir list_dir_perms;
-read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_client_t)
 
+fs_getattr_all_fs(dcc_client_t)
+
 corenet_all_recvfrom_unlabeled(dcc_client_t)
 corenet_all_recvfrom_netlabel(dcc_client_t)
 corenet_udp_bind_generic_node(dcc_client_t)
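Review bot: `manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` grants create/unlink/rename/setattr on everything under /var/dcc, while the comment only claims `The map file can be updated`; if the client rewrites the map in place, `rw_files_pattern` is the least-privilege choice, and if it needs an atomic rename-replace, say so in the comment so the wider grant is justified. `fs_getattr_all_fs(dcc_client_t)` is harmless but equally undocumented — a short why-comment would help.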
@@ -154,6 +156,10 @@
 userdom_use_user_terminals(dcc_client_t)
 
 optional_policy(`
+	amavis_read_spool_files(dcc_client_t)
+')
+
+optional_policy(`
 	spamassassin_read_spamd_tmp_files(dcc_client_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.12/policy/modules/services/ddclient.if
--- nsaserefpolicy/policy/modules/services/ddclient.if	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ddclient.if	2009-06-25 10:21:01.000000000 +0200
@@ -21,6 +21,31 @@
 
 ########################################
 ## <summary>
+##	 Execute ddclient daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	 Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the ppp domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddclient_run',`
+	gen_require(`
+		type ddclient_t;
+	')
+
+	ddclient_domtrans($1)
+	role $2 types ddclient_t;
+')
+
+########################################
+## <summary>
 ##	All of the rules required to administrate 
 ##	an ddclient environment
 ## </summary>
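Review bot: The `role` parameter summary of `ddclient_run` reads `The role to allow the ppp domain.`, which looks copied from the ppp interface; it should read `The role to allow the ddclient domain.`. The code itself follows the usual run-interface shape (`ddclient_domtrans($1)` plus `role $2 types ddclient_t;`). Since `ddclient_domtrans` is defined outside this hunk I cannot confirm it also calls `corecmd_search_bin`, which callers of a run interface normally rely on.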
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te	2009-06-25 10:21:01.000000000 +0200
@@ -55,7 +55,7 @@
 #
 # DeviceKit-Power local policy
 #
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice };
+allow devicekit_power_t self:capability { dac_override sys_ptrace sys_tty_config sys_nice };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 
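Review bot: Adding `sys_ptrace` to the `devicekit_power_t` capability set on the changed line grants a privilege that lets the daemon inspect other processes' memory and /proc state, yet nothing in the hunk says which operation needs it. In refpolicy this capability usually surfaces as a denial when a daemon stats or reads /proc/<pid> entries belonging to other users, and the conventional answer is `dontaudit devicekit_power_t self:capability sys_ptrace;` rather than an allow. If a real need exists, keep the allow but add a comment naming the code path. The domain's policy continues outside this hunk.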
@@ -77,6 +77,7 @@
 kernel_rw_kernel_sysctl(devicekit_power_t)
 kernel_write_proc_files(devicekit_power_t)
 
+dev_read_input(devicekit_power_t)
 dev_rw_generic_usb_dev(devicekit_power_t)
 dev_rw_netcontrol(devicekit_power_t)
 dev_rw_sysfs(devicekit_power_t)
@@ -107,6 +108,7 @@
 ')
 
 optional_policy(`
+	polkit_dbus_chat(devicekit_power_t)
 	polkit_domtrans_auth(devicekit_power_t)
 	polkit_read_lib(devicekit_power_t)
 	polkit_read_reload(devicekit_power_t)
@@ -147,6 +149,7 @@
 
 allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
 manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
@@ -199,6 +202,7 @@
 ')
 
 optional_policy(`
+	polkit_dbus_chat(devicekit_disk_t)
 	polkit_domtrans_auth(devicekit_disk_t)
 	polkit_read_lib(devicekit_disk_t)
 	polkit_read_reload(devicekit_disk_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te	2009-09-30 09:43:10.000000000 +0200
@@ -83,10 +83,18 @@
 userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
 
 optional_policy(`
+	cobbler_read_lib_files(dnsmasq_t)
+')
+
+optional_policy(`
 	cron_manage_pid_files(dnsmasq_t)
 ')
 
 optional_policy(`
+	dbus_system_bus_client(dnsmasq_t)
+')
+
+optional_policy(`
 	tftp_read_content(dnsmasq_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.12/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/dovecot.if	2009-07-31 13:05:17.000000000 +0200
@@ -2,47 +2,44 @@
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete the dovecot spool files.
+##	Connect to dovecot auth unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`dovecot_manage_spool',`
+interface(`dovecot_stream_connect_auth',`
 	gen_require(`
-		type dovecot_spool_t;
+		type dovecot_auth_t, dovecot_var_run_t;
 	')
 
-	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
-	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+	stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to dovecot auth unix domain stream socket.
+##	Execute dovecot_deliver in the dovecot_deliver domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`dovecot_auth_stream_connect',`
+interface(`dovecot_domtrans_deliver',`
 	gen_require(`
-		type dovecot_auth_t, dovecot_var_run_t;
+		type dovecot_deliver_t, dovecot_deliver_exec_t;
 	')
 
-	allow $1 dovecot_var_run_t:dir search;
-	allow $1 dovecot_var_run_t:sock_file write;
-	allow $1 dovecot_auth_t:unix_stream_socket connectto;
+	domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute dovecot_deliver in the dovecot_deliver domain.
+##	Create, read, write, and delete the dovecot spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
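Review bot: Renaming `dovecot_auth_stream_connect` to `dovecot_stream_connect_auth` removes the old name with no compatibility shim, so any out-of-tree module still calling the old interface will fail to build. Refpolicy practice is to keep the old interface as a deprecated wrapper that emits `refpolicywarn` and forwards to `dovecot_stream_connect_auth($1)`. The switch to `stream_connect_pattern` also widens `dir search` to `search_dir_perms` on dovecot_var_run_t; that is harmless but worth a word in the commit message since the hunk otherwise reads as a pure rename.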
@@ -50,17 +47,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`dovecot_domtrans_deliver',`
+interface(`dovecot_manage_spool',`
 	gen_require(`
-		type dovecot_deliver_t, dovecot_deliver_exec_t;
+		type dovecot_spool_t;
 	')
 
-	domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
+	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##      Do not audit attempts to d`elete dovecot lib files.
+##	Do not audit attempts to delete dovecot lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.12/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/dovecot.te	2009-09-30 15:36:17.000000000 +0200
@@ -1,5 +1,5 @@
 
-policy_module(dovecot, 1.10.2)
+policy_module(dovecot, 1.10.3)
 
 ########################################
 #
@@ -15,15 +15,18 @@
 domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
 role system_r types dovecot_auth_t;
 
+type dovecot_auth_tmp_t;
+files_tmp_file(dovecot_auth_tmp_t)
+
+type dovecot_cert_t;
+files_type(dovecot_cert_t)
+
 type dovecot_deliver_t;
 type dovecot_deliver_exec_t;
 domain_type(dovecot_deliver_t)
 domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
 role system_r types dovecot_deliver_t;
 
-type dovecot_cert_t;
-files_type(dovecot_cert_t)
-
 type dovecot_etc_t;
 files_config_file(dovecot_etc_t)
 
@@ -46,9 +49,6 @@
 type dovecot_var_run_t;
 files_pid_file(dovecot_var_run_t)
 
-type dovecot_auth_tmp_t;
-files_tmp_file(dovecot_auth_tmp_t)
-
 ########################################
 #
 # dovecot local policy
@@ -56,7 +56,7 @@
 
 allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:process { setrlimit signal_perms };
+allow dovecot_t self:process { getcap setcap setrlimit signal_perms };
 allow dovecot_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
@@ -73,7 +73,6 @@
 
 can_exec(dovecot_t, dovecot_exec_t)
 
-# log files
 manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
 logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
 
@@ -181,7 +180,7 @@
 
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
 manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
-dovecot_auth_stream_connect(dovecot_auth_t)
+dovecot_stream_connect_auth(dovecot_auth_t)
 
 kernel_read_all_sysctls(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
@@ -252,9 +251,10 @@
 
 miscfiles_read_localization(dovecot_deliver_t)
 
-dovecot_auth_stream_connect(dovecot_deliver_t)
+dovecot_stream_connect_auth(dovecot_deliver_t)
 
 files_search_tmp(dovecot_deliver_t)
+
 fs_getattr_all_fs(dovecot_deliver_t)
 
 userdom_manage_user_home_content_dirs(dovecot_deliver_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.12/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/exim.te	2009-09-14 14:36:18.000000000 +0200
@@ -111,6 +111,7 @@
 files_search_var(exim_t)
 files_read_etc_files(exim_t)
 files_read_etc_runtime_files(exim_t)
+files_getattr_all_mountpoints(exim_t)
 
 auth_use_nsswitch(exim_t)
 
@@ -148,7 +149,11 @@
 ')
 
 optional_policy(`
-	dovecot_auth_stream_connect(exim_t)
+	dovecot_stream_connect_auth(exim_t)
+')
+
+optional_policy(`
+	sendmail_manage_tmp(exim_t)
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.12/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/fetchmail.te	2009-06-29 16:22:53.000000000 +0200
@@ -60,6 +60,8 @@
 corenet_tcp_connect_all_ports(fetchmail_t)
 corenet_sendrecv_all_client_packets(fetchmail_t)
 
+corecmd_exec_shell(fetchmail_t)
+
 dev_read_sysfs(fetchmail_t)
 dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
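Review bot: `corecmd_exec_shell(fetchmail_t)` lets fetchmail run a shell in its own domain, so whatever that shell launches (presumably the mda/preconnect/postconnect commands from a user's .fetchmailrc — not visible in the hunk) inherits every permission of fetchmail_t, including its unrestricted outbound network access. That is a meaningful widening of the domain and should be documented on the line, e.g. `# runs user-configured mda/pre/postconnect commands; no transition, so they stay in fetchmail_t`. If the intent is delivery to an MDA, a domain transition via the existing mta interfaces would be a tighter alternative than executing in-domain.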
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-08-13 18:07:07.000000000 +0200
@@ -22,12 +22,17 @@
 
 corecmd_search_bin(fprintd_t)
 
+dev_list_usbfs(fprintd_t)
 dev_rw_generic_usb_dev(fprintd_t)
 dev_read_sysfs(fprintd_t)
 
+fs_getattr_all_fs(fprintd_t)  
+
 files_read_etc_files(fprintd_t)
 files_read_usr_files(fprintd_t)
 
+kernel_read_system_state(fprintd_t)
+
 auth_use_nsswitch(fprintd_t)
 
 miscfiles_read_localization(fprintd_t)
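Review bot: `kernel_read_system_state(fprintd_t)` is inserted below the `files_*` calls, whereas refpolicy orders interface calls by module layer with `kernel_*` first, then corecmd, dev, fs, files; move it above `corecmd_search_bin(fprintd_t)`. The new `fs_getattr_all_fs(fprintd_t)` line also carries trailing whitespace. Note that `permissive fprintd_t;` remains further down in this module, so none of the rules added here are enforced yet.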
@@ -40,9 +45,10 @@
 ')
 
 optional_policy(`
-	polkit_read_reload(fprintd_t)
-	polkit_read_lib(fprintd_t)
+	polkit_dbus_chat(fprintd_t)
 	polkit_domtrans_auth(fprintd_t)
+	polkit_read_lib(fprintd_t)
+	polkit_read_reload(fprintd_t)
 ')
 
 permissive fprintd_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ftp.te	2009-08-24 09:30:32.000000000 +0200
@@ -85,12 +85,23 @@
 type xferlog_t;
 logging_log_file(xferlog_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
+')  
+
 ########################################
 #
 # ftpd local policy
 #
 
 allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
+ifdef(`hide_broken_symptoms', `
+allow ftpd_t self:capability { sys_admin };
+')
 dontaudit ftpd_t self:capability sys_tty_config;
 allow ftpd_t self:process signal_perms;
 allow ftpd_t self:process { getcap setcap setsched setrlimit };
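Review bot: The `hide_broken_symptoms` block grants `allow ftpd_t self:capability { sys_admin };`, handing a network-facing daemon one of the broadest capabilities there is; the established use of hide_broken_symptoms in refpolicy is to silence a denial, not to grant it. Unless ftpd demonstrably needs sys_admin for a real operation, change the line to `dontaudit ftpd_t self:capability sys_admin;` and indent it inside the ifdef as the surrounding code does. The MCS/MLS ranged-domain blocks look right, though the `')` closing the MLS block carries trailing whitespace.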
@@ -99,6 +110,7 @@
 allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
 allow ftpd_t self:tcp_socket create_stream_socket_perms;
 allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:shm create_shm_perms; 
 allow ftpd_t self:key manage_key_perms;
 
 allow ftpd_t ftpd_etc_t:file read_file_perms;
@@ -129,8 +141,7 @@
 allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
 
 # Create and modify /var/log/xferlog.
-allow ftpd_t xferlog_t:dir search_dir_perms;
-allow ftpd_t xferlog_t:file manage_file_perms;
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
 logging_log_filetrans(ftpd_t, xferlog_t, file)
 
 kernel_read_kernel_sysctls(ftpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.12/policy/modules/services/gnomeclock.te
--- nsaserefpolicy/policy/modules/services/gnomeclock.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.te	2009-06-25 10:21:01.000000000 +0200
@@ -44,6 +44,7 @@
 ')
 
 optional_policy(`
+	polkit_dbus_chat(gnomeclock_t)
 	polkit_domtrans_auth(gnomeclock_t)
 	polkit_read_lib(gnomeclock_t)
 	polkit_read_reload(gnomeclock_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.12/policy/modules/services/gpsd.fc
--- nsaserefpolicy/policy/modules/services/gpsd.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/gpsd.fc	2009-06-25 10:25:21.000000000 +0200
@@ -1,3 +1,6 @@
+/etc/rc\.d/init\.d/gpsd          --      gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
 
 /usr/sbin/gpsd                 --      gen_context(system_u:object_r:gpsd_exec_t,s0)
 
+/var/run/gpsd\.pid               --      gen_context(system_u:object_r:gpsd_var_run_t,s0)
+/var/run/gpsd\.sock              -s      gen_context(system_u:object_r:gpsd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.12/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/gpsd.te	2009-08-20 14:46:39.000000000 +0200
@@ -8,17 +9,23 @@
 type gpsd_t;
 type gpsd_exec_t;
 application_domain(gpsd_t, gpsd_exec_t)
-role system_r types gpsd_t;
+init_daemon_domain(gpsd_t, gpsd_exec_t)
+
+type gpsd_initrc_exec_t;
+init_script_file(gpsd_initrc_exec_t)
 
 type gpsd_tmpfs_t;
 files_tmpfs_file(gpsd_tmpfs_t)
 
+type gpsd_var_run_t;
+files_pid_file(gpsd_var_run_t)
+
 ########################################
 #
 # gpsd local policy
 #
 
-allow gpsd_t self:capability { setuid sys_nice setgid fowner };
+allow gpsd_t self:capability { setuid sys_nice setgid fowner fsetid };
 allow gpsd_t self:process setsched;
 allow gpsd_t self:shm create_shm_perms;
 allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
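Review bot: `application_domain(gpsd_t, gpsd_exec_t)` is kept while `init_daemon_domain(gpsd_t, gpsd_exec_t)` is added for the same domain; init_daemon_domain already declares the domain type and entrypoint, so the application_domain call is now redundant and additionally tags gpsd_t with the application-domain attribute that user-role policy treats differently from a daemon. Drop the `application_domain` line unless gpsd is also meant to be started directly by users, in which case a comment should say so. The capability line also gains `fsetid` with no note on why (perhaps for the new pid/sock files, but that is a guess).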
@@ -28,6 +35,15 @@
 manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
 fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
 
+manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+
+corenet_all_recvfrom_unlabeled(gpsd_t)
+corenet_all_recvfrom_netlabel(gpsd_t)
+corenet_tcp_sendrecv_generic_if(gpsd_t)
+corenet_tcp_sendrecv_generic_node(gpsd_t)
+corenet_tcp_sendrecv_all_ports(gpsd_t)
 corenet_tcp_bind_all_nodes(gpsd_t)
 corenet_tcp_bind_gpsd_port(gpsd_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/hal.te	2009-09-02 10:30:14.000000000 +0200
@@ -103,6 +103,7 @@
 kernel_rw_irq_sysctls(hald_t)
 kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
+kernel_search_network_sysctl(hald_t)
 kernel_setsched(hald_t)
 
 auth_read_pam_console_data(hald_t)
@@ -162,6 +163,7 @@
 fs_mount_dos_fs(hald_t)
 fs_unmount_dos_fs(hald_t)
 fs_manage_dos_files(hald_t)
+fs_manage_fusefs_dirs(hald_t)
 
 files_getattr_all_mountpoints(hald_t)
 
@@ -211,6 +213,7 @@
 
 sysnet_read_config(hald_t)
 sysnet_domtrans_dhcpc(hald_t)
+sysnet_domtrans_ifconfig(hald_t)  
 
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_user_home_dirs(hald_t)
@@ -297,6 +300,7 @@
 ')
 
 optional_policy(`
+	polkit_dbus_chat(hald_t)
 	polkit_domtrans_auth(hald_t)
 	polkit_domtrans_resolve(hald_t)
 	polkit_read_lib(hald_t)
@@ -369,6 +373,8 @@
 files_read_usr_files(hald_acl_t)
 files_read_etc_files(hald_acl_t)
 
+fs_getattr_all_fs(hald_acl_t)  
+
 storage_getattr_removable_dev(hald_acl_t)
 storage_setattr_removable_dev(hald_acl_t)
 storage_getattr_fixed_disk_dev(hald_acl_t)
@@ -381,6 +387,7 @@
 miscfiles_read_localization(hald_acl_t)
 
 optional_policy(`
+	polkit_dbus_chat(hald_acl_t)
 	polkit_domtrans_auth(hald_acl_t)
 	polkit_read_lib(hald_acl_t)
 	polkit_read_reload(hald_acl_t)
@@ -470,6 +477,8 @@
 #
 # Local hald dccm policy
 #
+
+allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
 allow hald_dccm_t self:capability { net_bind_service };
 allow hald_dccm_t self:process getsched;
 allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
@@ -480,6 +489,8 @@
 allow hald_t hald_dccm_t:process signal;
 allow hald_dccm_t hald_t:unix_stream_socket connectto;
 
+hal_rw_dgram_sockets(hald_dccm_t)
+
 corenet_all_recvfrom_unlabeled(hald_dccm_t)
 corenet_all_recvfrom_netlabel(hald_dccm_t)
 corenet_tcp_sendrecv_generic_if(hald_dccm_t)
@@ -508,4 +519,8 @@
 
 miscfiles_read_localization(hald_dccm_t)
 
+optional_policy(`
+       dbus_system_bus_client(hald_dccm_t)
+')
+
 permissive hald_dccm_t;
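Review bot: The new `optional_policy` body is indented with seven spaces instead of the tab used by the other optional_policy blocks in this module, which refpolicy's style checks flag; replace the spaces with a single tab before `dbus_system_bus_client(hald_dccm_t)`. Note that `permissive hald_dccm_t;` remains, so the effect of this rule is not observable in enforcing terms yet.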
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.6.12/policy/modules/services/hddtemp.fc
--- nsaserefpolicy/policy/modules/services/hddtemp.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/hddtemp.fc	2009-08-13 08:56:27.000000000 +0200
@@ -0,0 +1,4 @@
+
+/etc/rc\.d/init\.d/hddtemp      --      gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0)
+
+/usr/sbin/hddtemp             	--      gen_context(system_u:object_r:hddtemp_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.if serefpolicy-3.6.12/policy/modules/services/hddtemp.if
--- nsaserefpolicy/policy/modules/services/hddtemp.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/hddtemp.if	2009-08-13 08:56:27.000000000 +0200
@@ -0,0 +1,38 @@
+## <summary>hddtemp hard disk temperature tool running as a daemon</summary>
+
+#######################################
+## <summary>
+##      Execute hddtemp in the hddtemp domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`hddtemp_domtrans',`
+        gen_require(`
+                type hddtemp_t, hddtemp_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
+')
+
+######################################
+## <summary>
+##      Execute hddtemp 
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`hddtemp_exec',`
+        gen_require(`
+                type hddtemp_exec_t;
+        ')
+
+        can_exec($1, hddtemp_exec_t)
+')
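Review bot: `hddtemp_exec` grants `can_exec($1, hddtemp_exec_t)` without `corecmd_search_bin($1)`, while `hddtemp_domtrans` does include it, so callers of the exec interface will still be denied search on /usr/sbin; add `corecmd_search_bin($1)` before the can_exec line. Both interfaces are indented with eight spaces rather than the tab refpolicy .if files use, and the separator above `hddtemp_exec` is one `#` short of the standard rule. The module also ships no `hddtemp_admin` interface; if an admin role is expected to restart the daemon, the initrc type declared in hddtemp.te needs an `init_labeled_script_domtrans` wrapper here.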
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.6.12/policy/modules/services/hddtemp.te
--- nsaserefpolicy/policy/modules/services/hddtemp.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/hddtemp.te	2009-08-13 08:56:27.000000000 +0200
@@ -0,0 +1,40 @@
+policy_module(hddtemp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hddtemp_t;
+type hddtemp_exec_t;
+init_daemon_domain(hddtemp_t,hddtemp_exec_t)
+
+type hddtemp_initrc_exec_t;
+init_script_file(hddtemp_initrc_exec_t)
+
+########################################
+#
+# hddtemp local policy
+#
+
+allow hddtemp_t self:capability sys_rawio;
+dontaudit hddtemp_t self:capability sys_admin;
+
+allow hddtemp_t self:netlink_route_socket r_netlink_socket_perms;
+allow hddtemp_t self:tcp_socket create_stream_socket_perms;
+allow hddtemp_t self:udp_socket create_socket_perms;
+
+corenet_tcp_bind_all_nodes(hddtemp_t)
+corenet_tcp_bind_hddtemp_port(hddtemp_t)
+
+storage_raw_read_fixed_disk(hddtemp_t)
+
+# read hddtemp db file
+files_read_usr_files(hddtemp_t)
+
+logging_send_syslog_msg(hddtemp_t)
+
+miscfiles_read_localization(hddtemp_t)
+
+permissive hddtemp_t;
+
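Review bot: The daemon binds a TCP listener (`corenet_tcp_bind_all_nodes` / `corenet_tcp_bind_hddtemp_port`) but the module has no `corenet_all_recvfrom_unlabeled`, `corenet_all_recvfrom_netlabel` or `corenet_tcp_sendrecv_generic_if/node/port` rules, so once `permissive hddtemp_t;` is removed no client will be able to complete a connection; compare the gpsd hunk in this same patch, which adds exactly that set beside its bind rules. `corenet_tcp_bind_hddtemp_port` also presumes a hddtemp port definition in corenetwork that this patch does not show. Minor: `policy_module(hddtemp,1.0.0)` and `init_daemon_domain(hddtemp_t,hddtemp_exec_t)` lack the space after the comma used elsewhere, and the `sys_rawio` plus `storage_raw_read_fixed_disk` pair deserves a one-line comment such as `# temperature is read via raw ioctls on the disk device nodes`.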
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.12/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/kerberos.if	2009-06-25 10:21:01.000000000 +0200
@@ -70,6 +70,7 @@
 interface(`kerberos_use',`
 	gen_require(`
 		type krb5_conf_t, krb5kdc_conf_t;
+		type krb5_host_rcache_t;
 	')
 
 	files_search_etc($1)
@@ -101,6 +102,7 @@
 		corenet_tcp_connect_ocsp_port($1)
 		corenet_sendrecv_kerberos_client_packets($1)
 		corenet_sendrecv_ocsp_client_packets($1)
+		allow $1 krb5_host_rcache_t:file getattr;
 	')
 
 	optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/kerberos.te	2009-07-07 08:19:18.000000000 +0200
@@ -277,6 +277,8 @@
 #
 
 allow kpropd_t self:capability net_bind_service;
+allow kpropd_t self:process setfscreate;
+
 allow kpropd_t self:fifo_file rw_file_perms;
 allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
 allow kpropd_t self:tcp_socket create_stream_socket_perms;
@@ -287,6 +289,12 @@
 
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t)
+filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
+
+manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
 
 corecmd_exec_bin(kpropd_t)
 
@@ -302,10 +310,14 @@
 files_read_etc_files(kpropd_t)
 files_search_tmp(kpropd_t)
 
+selinux_validate_context(kpropd_t)
+
 logging_send_syslog_msg(kpropd_t)
 
 miscfiles_read_localization(kpropd_t)
 
+seutil_read_file_contexts(kpropd_t)
+
 sysnet_dns_name_resolve(kpropd_t)
 
 kerberos_use(kpropd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/lircd.te	2009-07-30 17:14:36.000000000 +0200
@@ -45,6 +45,10 @@
 dev_filetrans(lircd_t, lircd_sock_t, sock_file )
 dev_read_generic_usb_dev(lircd_t)
 
+dev_filetrans_lirc(lircd_t)
+dev_rw_input_dev(lircd_t)
+dev_rw_lirc(lircd_t)
+
 logging_send_syslog_msg(lircd_t)
 
 files_read_etc_files(lircd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.12/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/mailman.if	2009-06-25 10:21:01.000000000 +0200
@@ -197,6 +197,7 @@
 		type mailman_data_t;
 	')
 
+	list_dirs_pattern($1, mailman_data_t, mailman_data_t)
 	read_files_pattern($1, mailman_data_t, mailman_data_t)
 	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/mta.if	2009-06-25 10:21:01.000000000 +0200
@@ -473,6 +473,7 @@
 	')
 
 	write_files_pattern($1, etc_mail_t, etc_mail_t)
+	allow $1 etc_mail_t:file setattr;
 ')
 
 ########################################
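Review bot: `allow $1 etc_mail_t:file setattr;` is appended to an interface whose existing body is a write-only pattern; setattr lets every caller chmod, chown or touch the /etc/mail configuration, which is a different privilege from writing its contents and should be stated in the interface's summary (the interface header lies outside this hunk, so I cannot check its name or docs). If only one caller needs it — presumably an aliases rebuild — consider a narrower, separately named interface rather than widening this one for all callers.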
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.12/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/mysql.te	2009-08-04 11:04:57.000000000 +0200
@@ -136,10 +136,14 @@
 allow mysqld_safe_t self:capability { dac_override fowner chown };
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
+allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
+ 
 allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
 logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 
-mysql_append_db_files(mysqld_safe_t)        
+domain_getattr_all_domains(mysqld_safe_t)
+
+mysql_manage_db_files(mysqld_safe_t)        
 mysql_read_config(mysqld_safe_t)
 mysql_search_pid_files(mysqld_safe_t)
 mysql_write_log(mysqld_safe_t)
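Review bot: `mysql_manage_db_files(mysqld_safe_t)` replaces `mysql_append_db_files`, so the wrapper script's domain goes from appending to creating, deleting and renaming every file in the database directories — the data the mysql policy exists to protect. The hunk's own socket rule (`allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;`) suggests the real need is cleanup of stale files, which may be satisfiable with unlink on specific types instead of full manage; if mysqld_safe genuinely writes the data directory (I cannot tell from here), add a comment naming the operation. The added `+ ` line and the `mysql_manage_db_files` line both carry trailing whitespace.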
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.12/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/nis.te	2009-06-26 15:48:39.000000000 +0200
@@ -72,8 +72,7 @@
 manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
 
 kernel_read_kernel_sysctls(ypbind_t)
-kernel_list_proc(ypbind_t)
-kernel_read_proc_symlinks(ypbind_t)
+kernel_read_system_state(ypbind_t)
 
 corenet_all_recvfrom_unlabeled(ypbind_t)
 corenet_all_recvfrom_netlabel(ypbind_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.12/policy/modules/services/nslcd.fc
--- nsaserefpolicy/policy/modules/services/nslcd.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/nslcd.fc	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,4 @@
+/usr/sbin/nslcd	--	gen_context(system_u:object_r:nslcd_exec_t,s0)
+/etc/nss-ldapd.conf	--	gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd	--	gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/var/run/nslcd(/.*)?			gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.12/policy/modules/services/nslcd.if
--- nsaserefpolicy/policy/modules/services/nslcd.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/nslcd.if	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,145 @@
+
+## <summary>policy for nslcd</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run nslcd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nslcd_domtrans',`
+	gen_require(`
+		type nslcd_t;
+                type nslcd_exec_t;
+	')
+
+	domtrans_pattern($1,nslcd_exec_t,nslcd_t)
+')
+
+
+########################################
+## <summary>
+##	Execute nslcd server in the nslcd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nslcd_initrc_domtrans',`
+	gen_require(`
+		type nslcd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1,nslcd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read nslcd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nslcd_read_pid_files',`
+	gen_require(`
+		type nslcd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 nslcd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage nslcd var_run files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nslcd_manage_var_run',`
+	gen_require(`
+		type nslcd_var_run_t;
+	')
+
+         manage_dirs_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
+         manage_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
+         manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an nslcd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the nslcd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`nslcd_admin',`
+	gen_require(`
+		type nslcd_t;
+	')
+
+	allow $1 nslcd_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, nslcd_t, nslcd_t)
+	allow $1 nslcd_conf_t:file read_file_perms;
+
+	gen_require(`
+		type nslcd_initrc_exec_t;
+	')
+
+	# Allow nslcd_t to restart the apache service
+	nslcd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 nslcd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	nslcd_manage_var_run($1)
+')
+
+
+########################################
+## <summary>
+##	Connect to nslcd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nslcd_use',`
+	gen_require(`
+		type nslcd_t, var_run_t, nslcd_var_run_t;
+	')
+
+#	list_dirs_pattern($1, var_run_t, nslcd_var_run_t)
+	write_sock_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
+	allow $1 nslcd_t:unix_stream_socket connectto;
+')
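Review bot: `nslcd_admin` uses `nslcd_conf_t` (`allow $1 nslcd_conf_t:file read_file_perms;`) without requiring it, so any module calling the interface will fail to link on the undeclared type; fold everything into one block, `type nslcd_t, nslcd_conf_t, nslcd_initrc_exec_t;`, and drop the second mid-body gen_require. `nslcd_use` requires `var_run_t` but only references it in a commented-out line and grants no search on /var/run, so a client cannot actually reach the socket; replace the body with `files_search_pids($1)` followed by `stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)`. The comment `# Allow nslcd_t to restart the apache service` is a copy-paste leftover and should name nslcd, and the file mixes tab and space indentation.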
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.12/policy/modules/services/nslcd.te
--- nsaserefpolicy/policy/modules/services/nslcd.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/nslcd.te	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,50 @@
+policy_module(nslcd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type nslcd_t;
+type nslcd_exec_t;
+init_daemon_domain(nslcd_t, nslcd_exec_t)
+
+#permissive nslcd_t;
+
+type nslcd_initrc_exec_t;
+init_script_file(nslcd_initrc_exec_t)
+
+type nslcd_var_run_t;
+files_pid_file(nslcd_var_run_t)
+
+type nslcd_conf_t;
+files_type(nslcd_conf_t)
+allow nslcd_t nslcd_conf_t:file read_file_perms;
+
+########################################
+#
+# nslcd local policy
+#
+
+allow nslcd_t self:capability { setgid setuid dac_override };
+
+# Init script handling
+domain_use_interactive_fds(nslcd_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow nslcd_t self:sock_file rw_file_perms;
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
+allow nslcd_t self:process signal;
+
+files_read_etc_files(nslcd_t)
+
+miscfiles_read_localization(nslcd_t)
+
+manage_dirs_pattern(nslcd_t, nslcd_var_run_t,  nslcd_var_run_t)
+manage_files_pattern(nslcd_t, nslcd_var_run_t,  nslcd_var_run_t)
+files_pid_filetrans(nslcd_t,nslcd_var_run_t, { file dir })
+allow nslcd_t nslcd_var_run_t:sock_file manage_sock_file_perms;
+
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.12/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/nx.fc	2009-08-20 15:35:42.000000000 +0200
@@ -5,3 +5,6 @@
 /opt/NX/var(/.*)?			gen_context(system_u:object_r:nx_server_var_run_t,s0)
 
 /usr/libexec/nx/nxserver	--	gen_context(system_u:object_r:nx_server_exec_t,s0)
+
+/var/lib/nxserver/home/.ssh(/.*)? 	gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
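Review bot: The `.` in `/var/lib/nxserver/home/.ssh(/.*)?` is an unescaped regex metacharacter, so the pattern also matches any single character in that position; write `/var/lib/nxserver/home/\.ssh(/.*)?`, as the other fc entries in this patch do (`HOME_DIR/\.pyzor(/.*)?`). Worth getting right because the type being assigned labels the SSH key directory of the nx service account.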
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.12/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/nx.if	2009-09-14 14:45:30.000000000 +0200
@@ -17,3 +17,23 @@
 
 	spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
 ')
+
+#######################################
+## <summary>
+## Read nx home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_read_home_files',`
+	gen_require(`
+		type nx_server_home_ssh_t;
+	')
+
+	read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+	read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+')
+
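Review bot: `nx_read_home_files` grants read on `nx_server_home_ssh_t`, which by its name and the fc path (`/var/lib/nxserver/home/.ssh`) holds SSH key material, yet the summary only says "Read nx home directory content"; make the exposure explicit, e.g. `##	Read the nx server account's .ssh directory (keys, authorized_keys).`. The interface also omits `files_search_var_lib($1)`, which callers need to traverse /var/lib to reach the type (compare `snmp_stream_connect` in this same patch, which includes the search call). The declaration of nx_server_home_ssh_t lives in nx.te, which is not part of this diff, so whether the type also covers private keys cannot be confirmed here.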
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.12/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/openvpn.te	2009-08-20 09:42:28.000000000 +0200
@@ -86,6 +86,7 @@
 corenet_udp_bind_openvpn_port(openvpn_t)
 corenet_tcp_connect_openvpn_port(openvpn_t)
 corenet_tcp_connect_http_port(openvpn_t)
+corenet_tcp_connect_http_cache_port(openvpn_t)
 corenet_rw_tun_tap_dev(openvpn_t)
 corenet_sendrecv_openvpn_server_packets(openvpn_t)
 corenet_sendrecv_openvpn_client_packets(openvpn_t)
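Review bot: `corenet_tcp_connect_http_cache_port(openvpn_t)` has no matching packet rule, whereas the openvpn port rules right below it are paired with `corenet_sendrecv_openvpn_*_packets`; add `corenet_sendrecv_http_cache_client_packets(openvpn_t)` so SECMARK-labelled setups keep working. A short comment naming the feature that needs this (presumably OpenVPN's `http-proxy` option reaching a proxy on a cache port — confirm) would help the next reader judge whether it is still needed.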
@@ -98,6 +99,8 @@
 files_read_etc_files(openvpn_t)
 files_read_etc_runtime_files(openvpn_t)
 
+auth_use_pam(openvpn_t)
+
 logging_send_syslog_msg(openvpn_t)
 
 miscfiles_read_localization(openvpn_t)
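Review bot: `auth_use_pam(openvpn_t)` is a broad grant — in refpolicy it typically gives the domain the whole PAM client access set, including the password-check helper transition — and nothing in the hunk says why OpenVPN needs it. Add a reason on the line, e.g. `# auth_use_pam: openvpn-auth-pam plugin authenticates clients through the PAM stack -- confirm`, so a later audit can tell whether the access is still justified.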
@@ -114,6 +117,16 @@
 	userdom_read_user_home_content_files(openvpn_t)
 ')
 
+tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
+        fs_read_nfs_files(openvpn_t)
+        fs_read_nfs_symlinks(openvpn_t)
+')
+
+tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+        fs_read_cifs_files(openvpn_t)
+        fs_read_cifs_symlinks(openvpn_t)
+')
+
 optional_policy(`
 	daemontools_service_domain(openvpn_t, openvpn_exec_t)
 ')
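Review bot: The bodies of the two new `tunable_policy` blocks are indented with eight spaces while the existing `openvpn_enable_homedirs` block just above and the rest of the file use a tab; use tabs (`	fs_read_nfs_files(openvpn_t)`). The conditions themselves (`openvpn_enable_homedirs && use_nfs_home_dirs` / `use_samba_home_dirs`) follow the usual refpolicy pattern for home directories on network filesystems.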
@@ -122,5 +135,6 @@
 	dbus_system_bus_client(openvpn_t)
 	dbus_connect_system_bus(openvpn_t)
 
+	fprintd_dbus_chat(openvpn_t)
 	networkmanager_dbus_chat(openvpn_t)
 ')
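Review bot: `fprintd_dbus_chat(openvpn_t)` is placed inside the dbus `optional_policy` block but is not wrapped in its own `optional_policy` for the fprintd module, so a policy build that lacks fprintd will fail on the unresolved type; nest it in its own `optional_policy(` ... `)` block. The pre-existing `networkmanager_dbus_chat` line has the same issue and the commit leaves it as is. Presumably the fprintd access supports fingerprint prompts reached through the PAM stack enabled earlier in this patch — a comment stating that would help.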
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.6.12/policy/modules/services/pcscd.if
--- nsaserefpolicy/policy/modules/services/pcscd.if	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pcscd.if	2009-10-02 08:35:36.000000000 +0200
@@ -53,6 +53,5 @@
 	')
 
 	files_search_pids($1)
-	allow $1 pcscd_var_run_t:sock_file write;
-	allow $1 pcscd_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)	
 ')
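Review bot: The new `stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)` line ends in a stray tab; strip the trailing whitespace. Note the helper also widens the sock_file access from the old bare `write` to the pattern's write_sock_file_perms set, which is the standard refpolicy form and appropriate for a client interface.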
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pcscd.te	2009-06-25 10:21:01.000000000 +0200
@@ -28,6 +28,7 @@
 allow pcscd_t self:tcp_socket create_stream_socket_perms;
 
 manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
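Review bot: `manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)` is added, but the filetrans line right below still lists `{ file sock_file dir }`, so a fifo created directly under /var/run would be labelled var_run_t and the new rule would never apply to it; extend it to `files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file fifo_file dir })`. If the fifo is only ever created inside an existing pcscd_var_run_t directory it inherits the type and this is harmless, but the filetrans class list should match the manage rules either way.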
@@ -46,6 +47,8 @@
 files_read_etc_files(pcscd_t)
 files_read_etc_runtime_files(pcscd_t)
 
+kernel_read_system_state(pcscd_t)
+
 term_use_unallocated_ttys(pcscd_t)
 term_dontaudit_getattr_pty_dirs(pcscd_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.12/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/polkit.fc	2009-06-25 10:21:01.000000000 +0200
@@ -2,7 +2,7 @@
 /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:polkit_auth_exec_t,s0)
 /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:polkit_grant_exec_t,s0)
 /usr/libexec/polkit-resolve-exe-helper.* --	gen_context(system_u:object_r:polkit_resolve_exec_t,s0)
-/usr/libexec/polkitd			--	gen_context(system_u:object_r:polkit_exec_t,s0)
+/usr/libexec/polkitd.*			--	gen_context(system_u:object_r:polkit_exec_t,s0)
 
 /var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 /var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.12/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/polkit.if	2009-06-25 10:21:01.000000000 +0200
@@ -194,6 +194,7 @@
 
 	polkit_domtrans_auth($1)
 	role $2 types polkit_auth_t;
+	polkit_dbus_chat($1)
 ')
 
 #######################################
@@ -217,6 +218,7 @@
 	polkit_run_grant($2, $1)
 	polkit_read_lib($2)
 	polkit_read_reload($2)
+	polkit_dbus_chat($2)
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.12/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/polkit.te	2009-08-07 12:21:31.000000000 +0200
@@ -72,6 +72,7 @@
 manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t)
 files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir })
 
+userdom_getattr_all_users(polkit_t)
 userdom_read_all_users_state(polkit_t)
 
 optional_policy(`
@@ -99,6 +100,8 @@
 
 domain_use_interactive_fds(polkit_auth_t)
 
+fs_getattr_all_fs(polkit_auth_t)
+
 files_read_etc_files(polkit_auth_t)
 files_read_usr_files(polkit_auth_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/postfix.if	2009-07-31 13:05:32.000000000 +0200
@@ -112,6 +112,13 @@
 template(`postfix_server_domain_template',`
 	postfix_domain_template($1)
 
+	type postfix_$1_tmp_t;
+	files_tmp_file(postfix_$1_tmp_t)
+
+	manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+	manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+	files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
+
 	allow postfix_$1_t self:capability { setuid setgid dac_override };
 	allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
 	allow postfix_$1_t self:tcp_socket create_socket_perms;
@@ -580,6 +587,25 @@
 
 ########################################
 ## <summary>
+##	Execute the master postqueue in the
+##	postfix_postqueue domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_domtrans_postqueue',`
+	gen_require(`
+		type postfix_postqueue_t, postfix_postqueue_exec_t;
+	')
+
+	domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+')
+
+########################################
+## <summary>
 ##	Execute the master postdrop in the
 ##	postfix_postdrop domain.
 ## </summary>
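Review bot: The summary of `postfix_domtrans_postqueue` copies the postdrop wording — "Execute the master postqueue in the postfix_postqueue domain." — but postqueue is a client utility, not part of the master process; `##	Execute postqueue in the postfix_postqueue domain.` is accurate. The pre-existing postdrop summary visible below has the same "master" wording and could be corrected the same way.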
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/postfix.te	2009-07-31 13:05:36.000000000 +0200
@@ -42,9 +42,6 @@
 	mta_manage_spool(postfix_local_t)
 ')
 
-type postfix_local_tmp_t;
-files_tmp_file(postfix_local_tmp_t)
-
 # Program for creating database files
 type postfix_map_t;
 type postfix_map_exec_t;
@@ -106,9 +103,6 @@
 postfix_server_domain_template(virtual)
 mta_mailserver_delivery(postfix_virtual_t)
 
-type postfix_virtual_tmp_t;
-files_tmp_file(postfix_virtual_tmp_t)
-
 ########################################
 #
 # Postfix master process local policy
@@ -302,10 +296,6 @@
 allow postfix_local_t self:fifo_file rw_fifo_file_perms;
 allow postfix_local_t self:process { setsched setrlimit };
 
-manage_dirs_pattern(postfix_local_t, postfix_local_tmp_t, postfix_local_tmp_t)
-manage_files_pattern(postfix_local_t, postfix_local_tmp_t, postfix_local_tmp_t)
-files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })
-
 # connect to master process
 stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
 
@@ -399,14 +389,6 @@
 
 miscfiles_read_localization(postfix_map_t)
 
-tunable_policy(`read_default_t',`
-	files_list_default(postfix_map_t)
-	files_read_default_files(postfix_map_t)
-	files_read_default_symlinks(postfix_map_t)
-	files_read_default_sockets(postfix_map_t)
-	files_read_default_pipes(postfix_map_t)
-')
-
 optional_policy(`
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
@@ -508,7 +490,7 @@
 ')
 
 optional_policy(`
-	sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
+	sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)
 ')
 
 optional_policy(`
@@ -640,7 +622,7 @@
 mta_read_aliases(postfix_smtpd_t)
 
 optional_policy(`
-	dovecot_auth_stream_connect(postfix_smtpd_t)
+	dovecot_stream_connect_auth(postfix_smtpd_t)
 ')
 
 optional_policy(`
@@ -665,10 +647,6 @@
 
 allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
 
-manage_dirs_pattern(postfix_virtual_t, postfix_virtual_tmp_t, postfix_virtual_tmp_t)
-manage_files_pattern(postfix_virtual_t, postfix_virtual_tmp_t, postfix_virtual_tmp_t)
-files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
-
 # connect to master process
 stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.12/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/postgresql.te	2009-07-08 21:12:21.000000000 +0200
@@ -202,6 +202,7 @@
 corenet_tcp_bind_generic_node(postgresql_t)
 corenet_tcp_bind_postgresql_port(postgresql_t)
 corenet_tcp_connect_auth_port(postgresql_t)
+corenet_tcp_connect_postgresql_port(postgresql_t)
 corenet_sendrecv_postgresql_server_packets(postgresql_t)
 corenet_sendrecv_auth_client_packets(postgresql_t)
 
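Review bot: `corenet_tcp_connect_postgresql_port(postgresql_t)` lacks the packet rule that the neighbouring `corenet_tcp_connect_auth_port` line has in `corenet_sendrecv_auth_client_packets`; add `corenet_sendrecv_postgresql_client_packets(postgresql_t)` so SECMARK-labelled configurations are not broken. A comment on why the server connects out to its own port (replication or dblink, presumably — confirm) would help justify the rule.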
@@ -237,6 +238,7 @@
 init_read_utmp(postgresql_t)
 
 logging_send_syslog_msg(postgresql_t)
+logging_send_audit_msgs(postgresql_t)
 
 miscfiles_read_localization(postgresql_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ppp.if	2009-06-25 10:21:01.000000000 +0200
@@ -177,10 +177,16 @@
 interface(`ppp_run',`
 	gen_require(`
 		type pppd_t;
+		type pptp_t;
 	')
 
 	ppp_domtrans($1)
 	role $2 types pppd_t;
+	role $2 types pptp_t;
+
+	optional_policy(`
+		ddclient_run(pppd_t, $2)
+	')
 ')
 
 ########################################
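Review bot: `ddclient_run(pppd_t, $2)` inside `ppp_run` also installs the pppd_t→ddclient_t domain transition, which then exists only when some role calls this interface; if pppd started from init also runs ddclient, that transition needs to be in ppp.te as well (e.g. a `ddclient_domtrans(pppd_t)` under `optional_policy`), leaving only the role authorization here. The two role lines can be merged as `role $2 types { pppd_t pptp_t };`. Nothing in the hunk transitions into pptp_t, so a comment saying where that transition happens would make the added role authorization easier to verify.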
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.12/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ppp.te	2009-08-24 15:30:24.000000000 +0200
@@ -218,7 +218,7 @@
 # PPTP Local policy
 #
 
-allow pptp_t self:capability { net_raw net_admin };
+allow pptp_t self:capability { dac_read_search dac_override net_raw net_admin };
 dontaudit pptp_t self:capability sys_tty_config;
 allow pptp_t self:process signal;
 allow pptp_t self:fifo_file rw_fifo_file_perms;
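Review bot: Adding `dac_read_search dac_override` lets pptp_t bypass DAC checks on every file the type-enforcement rules already permit, and the hunk gives no reason; put it on the line, e.g. `# dac_override: pptp reads root-owned /etc/ppp secrets -- confirm against the denial`. Granting both capabilities together is the usual refpolicy idiom, since the kernel checks dac_read_search before falling back to dac_override, so the pairing itself is fine.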
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.12/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/privoxy.te	2009-06-25 10:21:01.000000000 +0200
@@ -48,8 +48,7 @@
 files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
 
 kernel_read_kernel_sysctls(privoxy_t)
-kernel_list_proc(privoxy_t)
-kernel_read_proc_symlinks(privoxy_t)
+kernel_read_system_state(privoxy_t)
 
 corenet_all_recvfrom_unlabeled(privoxy_t)
 corenet_all_recvfrom_netlabel(privoxy_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc	2009-06-25 10:21:01.000000000 +0200
@@ -3,6 +3,8 @@
 
 HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 HOME_DIR/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 
 /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
 /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.12/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.te	2009-06-25 10:21:01.000000000 +0200
@@ -97,6 +97,8 @@
 kernel_read_kernel_sysctls(pyzor_t)  
 kernel_read_system_state(pyzor_t)
 
+fs_getattr_xattr_fs(pyzor_t)
+
 corecmd_list_bin(pyzor_t)
 corecmd_getattr_bin_files(pyzor_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.12/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/radvd.te	2009-09-29 18:03:17.000000000 +0200
@@ -23,7 +23,7 @@
 # Local policy
 #
 allow radvd_t self:capability { setgid setuid net_raw net_admin };
-dontaudit radvd_t self:capability sys_tty_config;
+dontaudit radvd_t self:capability { sys_module sys_tty_config };
 allow radvd_t self:process signal_perms;
 allow radvd_t self:unix_dgram_socket create_socket_perms;
 allow radvd_t self:unix_stream_socket create_socket_perms;
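Review bot: `dontaudit radvd_t self:capability { sys_module sys_tty_config };` silences a sys_module attempt without recording where it comes from, and a daemon asking for module-load capability is exactly what an auditor wants to see; add a comment naming the trigger, e.g. `# sys_module: kernel module autoload attempt on an ipv6 sysctl, not needed -- confirm`. If the attempt is something radvd actually needs to succeed, it should be an `allow` with a stated reason rather than a dontaudit.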
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.12/policy/modules/services/rpcbind.if
--- nsaserefpolicy/policy/modules/services/rpcbind.if	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/rpcbind.if	2009-09-14 15:08:43.000000000 +0200
@@ -95,6 +95,26 @@
 	files_search_var_lib($1)
 ')
 
+#######################################
+## <summary>
+##      Connect to rpcbindd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rpcbind_stream_connect',`
+        gen_require(`
+                type rpcbind_t, rpcbind_var_run_t;
+        ')
+
+        files_search_pids($1)
+        allow $1 rpcbind_var_run_t:sock_file write;
+        allow $1 rpcbind_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
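Review bot: `rpcbind_stream_connect` spells out `allow $1 rpcbind_var_run_t:sock_file write;` and `allow $1 rpcbind_t:unix_stream_socket connectto;` by hand, while `pcscd_stream_connect` and `snmp_stream_connect` in this same patch use the helper; for consistency write `stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)`. The summary also has typos (`rpcbindd` for rpcbind, `an unix` for `a unix`), and the body is indented with spaces where the file uses tabs.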
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/rpc.te	2009-09-14 14:31:36.000000000 +0200
@@ -95,6 +95,10 @@
 userdom_signal_unpriv_users(rpcd_t)
 
 optional_policy(`
+	automount_signal(rpcd_t)
+')
+
+optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
 ')
 
@@ -103,6 +107,10 @@
 	unconfined_signal(rpcd_t)
 ')
 
+optional_policy(`
+        domain_unconfined_signal(rpcd_t)
+')
+
 ########################################
 #
 # NFSD local policy
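Review bot: `domain_unconfined_signal(rpcd_t)` is wrapped in `optional_policy`, but the domain module is part of the base policy and always present, so the wrapper is unnecessary (compare `userdom_signal_unpriv_users(rpcd_t)` above, which is called unconditionally); the body is also indented with spaces instead of the file's tabs. The rule grants rpcd_t `signal` on every unconfined domain, so a comment saying which process it actually needs to signal would justify the breadth.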
@@ -189,6 +197,7 @@
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 kernel_search_network_sysctl(gssd_t)	
+kernel_signal(gssd_t)
 
 corecmd_exec_bin(gssd_t)
 
@@ -207,6 +216,8 @@
 
 mount_signal(gssd_t)
 
+userdom_signal_all_users(gssd_t)
+
 tunable_policy(`allow_gssd_read_tmp',`
 	userdom_list_user_tmp(gssd_t) 
 	userdom_read_user_tmp_files(gssd_t) 
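Review bot: `userdom_signal_all_users(gssd_t)` lets rpc.gssd deliver any signal, SIGKILL included, to every user-domain process — a lot of authority for a daemon whose other signal rules here are targeted (`mount_signal(gssd_t)` just above). Add a comment stating which user process and signal motivated it, and if the target is a single domain prefer a targeted interface, as the `automount_signal(gssd_t)` hunk elsewhere in this file does.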
@@ -214,6 +225,10 @@
 ')
 
 optional_policy(`
+	automount_signal(gssd_t)
+')
+
+optional_policy(`
 	kerberos_keytab_template(gssd, gssd_t) 
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/rsync.te	2009-06-25 10:21:01.000000000 +0200
@@ -126,6 +126,8 @@
 
 tunable_policy(`rsync_export_all_ro',`
 	fs_read_noxattr_fs_files(rsync_t) 
+	fs_read_nfs_files(rsync_t)
+	fs_read_cifs_files(rsync_t)
 	auth_read_all_dirs_except_shadow(rsync_t)
 	auth_read_all_files_except_shadow(rsync_t)
 	auth_read_all_symlinks_except_shadow(rsync_t)
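Review bot: The new `fs_read_nfs_files(rsync_t)` and `fs_read_cifs_files(rsync_t)` cover only regular files, while the neighbouring `auth_read_all_*_except_shadow` trio covers dirs, files and symlinks; an exported tree on NFS/CIFS that contains symlinks will still be denied unless `fs_read_nfs_symlinks(rsync_t)` and `fs_read_cifs_symlinks(rsync_t)` are added too (the openvpn hunk in this patch adds exactly that pair). Whether directory listing on those filesystems also needs a separate rule depends on what `fs_read_*_files` includes, which is not visible here.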
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.12/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/samba.te	2009-09-22 17:53:46.000000000 +0200
@@ -280,6 +280,7 @@
 files_pid_filetrans(smbd_t, smbd_var_run_t, file)
 
 allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
+allow smbd_t winbind_t:process { signal signull };
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -342,6 +343,8 @@
 miscfiles_read_localization(smbd_t)
 miscfiles_read_public_files(smbd_t)
 
+userdom_signal_all_users(smbd_t)
+
 userdom_use_unpriv_users_fds(smbd_t)
 userdom_dontaudit_search_user_home_dirs(smbd_t)
 
@@ -924,3 +927,6 @@
 allow winbind_t smbcontrol_t:process signal;
 
 allow smbcontrol_t nmbd_var_run_t:file { read lock };
+
+userdom_use_user_terminals(smbcontrol_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.12/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sasl.te	2009-09-29 18:20:22.000000000 +0200
@@ -31,7 +31,7 @@
 # Local policy
 #
 
-allow saslauthd_t self:capability setuid;
+allow saslauthd_t self:capability { setgid setuid };
 dontaudit saslauthd_t self:capability sys_tty_config;
 allow saslauthd_t self:process signal_perms;
 allow saslauthd_t self:fifo_file rw_fifo_file_perms;
@@ -98,6 +98,10 @@
 ')
 
 optional_policy(`
+	dbus_dontaudit_system_bus_stream_connect(saslauthd_t)
+')
+
+optional_policy(`
 	kerberos_keytab_template(saslauthd, saslauthd_t)
 	kerberos_manage_host_rcache(saslauthd_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if	2009-07-31 13:22:05.000000000 +0200
@@ -92,6 +92,24 @@
 	allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
 ')
 
+#######################################
+## <summary>
+##      Dontaudit Read and write sendmail unix_stream_sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
+        gen_require(`
+                type sendmail_t;
+        ')
+
+        dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+')
+
 ########################################
 ## <summary>
 ##	Read sendmail logs.
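Review bot: The parameter summary in `sendmail_dontaudit_rw_unix_stream_sockets` reads `Domain allowed access.`, which is the wording for allow interfaces; refpolicy dontaudit interfaces describe the parameter as `##	Domain to not audit.`, and the top summary should read `##	Do not audit attempts to read and write sendmail unix stream sockets.`. The body is indented with spaces rather than the tabs used by the rest of this file.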
@@ -238,3 +256,24 @@
 
 	allow $1 sendmail_t:fifo_file rw_fifo_file_perms; 
 ')
+
+######################################
+## <summary>
+##	Manage sendmail tmp files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+## 	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`sendmail_manage_tmp',`
+	gen_require(`
+		type sendmail_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t)
+')
+
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.te	2009-07-24 15:40:05.000000000 +0200
@@ -131,6 +131,10 @@
 ')
 
 optional_policy(`
+	exim_domtrans(sendmail_t)
+')
+
+optional_policy(`
 	fail2ban_read_lib_files(sendmail_t)
 ')
 
@@ -148,6 +152,7 @@
 
 optional_policy(`
 	postfix_domtrans_postdrop(sendmail_t)
+	postfix_domtrans_postqueue(sendmail_t)
 	postfix_domtrans_master(sendmail_t)
 	postfix_read_config(sendmail_t)
 	postfix_search_spool(sendmail_t)
@@ -186,6 +191,6 @@
 
 optional_policy(`
 	mta_etc_filetrans_aliases(unconfined_sendmail_t)
-	unconfined_domain(unconfined_sendmail_t)
+	unconfined_domain_noaudit(unconfined_sendmail_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te	2009-07-17 08:50:23.000000000 +0200
@@ -81,6 +81,7 @@
 
 domain_dontaudit_search_all_domains_state(setroubleshootd_t)
 
+files_read_all_symlinks(setroubleshootd_t)
 files_read_usr_files(setroubleshootd_t)
 files_read_etc_files(setroubleshootd_t)
 files_list_all(setroubleshootd_t)
@@ -121,6 +122,10 @@
 userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
 
 optional_policy(`
+	locate_read_lib_files(setroubleshootd_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(setroubleshootd_t)
 	dbus_connect_system_bus(setroubleshootd_t)
 	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.12/policy/modules/services/shorewall.fc
--- nsaserefpolicy/policy/modules/services/shorewall.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.fc	1970-01-01 01:00:00.000000000 +0100
@@ -1,12 +0,0 @@
-
-/etc/rc\.d/init\.d/shorewall        	--      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/shorewall-lite       --      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
-
-/etc/shorewall(/.*)?            		gen_context(system_u:object_r:shorewall_etc_t,s0)
-/etc/shorewall-lite(/.*)?               	gen_context(system_u:object_r:shorewall_etc_t,s0)
-
-/sbin/shorewall				--	gen_context(system_u:object_r:shorewall_exec_t,s0)
-/sbin/shorewall-lite			--      gen_context(system_u:object_r:shorewall_exec_t,s0)
-
-/var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-/var/lib/shorewall-lite(/.*)?           	gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.12/policy/modules/services/shorewall.if
--- nsaserefpolicy/policy/modules/services/shorewall.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.if	1970-01-01 01:00:00.000000000 +0100
@@ -1,166 +0,0 @@
-## <summary>policy for shorewall</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run shorewall.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`shorewall_domtrans',`
-	gen_require(`
-		type shorewall_t; 
-		type shorewall_exec_t;
-	')
-
-	domtrans_pattern($1, shorewall_exec_t, shorewall_t)
-')
-
-#######################################
-## <summary>
-##      Read shorewall etc configuration files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_read_etc',`
-        gen_require(`
-                type shorewall_etc_t;
-        ')
-
-        files_search_etc($1)
-        read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
-')
-
-#######################################
-## <summary>
-##      Read shorewall PID files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_read_pid_files',`
-        gen_require(`
-                type shorewall_var_run_t;
-        ')
-
-        files_search_pids($1)
-        read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
-#######################################
-## <summary>
-##      Read and write shorewall PID files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_rw_pid_files',`
-        gen_require(`
-                type shorewall_var_run_t;
-        ')
-
-        files_search_pids($1)
-        rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
-######################################
-## <summary>
-##      Read shorewall /var/lib files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_read_var_lib',`
-        gen_require(`
-                type shorewall_t;
-       ')
-
-        files_search_var_lib($1)
-        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-        read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-')
-
-#######################################
-## <summary>
-##      Read and write shorewall /var/lib files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_rw_var_lib',`
-        gen_require(`
-                type shorewall_t;
-       ')
-
-        files_search_var_lib($1)
-        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-        rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-')
-
-#######################################
-## <summary>
-##      All of the rules required to administrate 
-##      an shorewall environment
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-## <param name="role">
-##      <summary>
-##      The role to be allowed to manage the syslog domain.
-##      </summary>
-## </param>
-## <rolecap/>
-#
-interface(`shorewall_admin',`
-        gen_require(`
-                type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
-                type shorewall_initrc_exec_t, shorewall_var_lib_t;
-                type shorewall_tmp_t;
-        ')
-
-        allow $1 shorewall_t:process { ptrace signal_perms };
-        ps_process_pattern($1, shorewall_t)
-
-        init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
-        domain_system_change_exemption($1)
-        role_transition $2 shorewall_initrc_exec_t system_r;
-        allow $2 system_r;
-
-        files_search_etc($1)
-        admin_pattern($1, shorewall_etc_t)
-
-	files_search_locks($1)
-	admin_pattern($1, shorewall_lock_t)
-
-        files_search_pids($1)
-        admin_pattern($1, shorewall_var_run_t)
-
-        files_search_var_lib($1)
-        admin_pattern($1, shorewall_var_lib_t)
-
-        files_search_tmp($1)
-        admin_pattern($1, shorewall_tmp_t)
-')
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.12/policy/modules/services/shorewall.te
--- nsaserefpolicy/policy/modules/services/shorewall.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.te	1970-01-01 01:00:00.000000000 +0100
@@ -1,102 +0,0 @@
-policy_module(shorewall,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type shorewall_t;
-type shorewall_exec_t;
-init_daemon_domain(shorewall_t, shorewall_exec_t)
-
-type shorewall_initrc_exec_t;
-init_script_file(shorewall_initrc_exec_t)
-
-# etc files
-type shorewall_etc_t;
-files_config_file(shorewall_etc_t)
-
-# lock files
-type shorewall_lock_t;
-files_lock_file(shorewall_lock_t)
-
-# tmp files
-type shorewall_tmp_t;
-files_tmp_file(shorewall_tmp_t)
-
-# var/lib files
-type shorewall_var_lib_t;
-files_type(shorewall_var_lib_t)
-
-########################################
-#
-# shorewall local policy
-#
-
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
-dontaudit shorewall_t self:capability sys_tty_config;
-
-allow shorewall_t self:fifo_file rw_fifo_file_perms;
-
-# etc file
-read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
-list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
-
-# lock files
-manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t)
-files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
-
-# var/lib files for shorewall
-exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
-manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
-manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
-files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file })
-
-# tmp files for shorewall
-manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
-manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
-files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(shorewall_t)
-kernel_read_system_state(shorewall_t)
-kernel_read_network_state(shorewall_t)
-kernel_rw_net_sysctls(shorewall_t)
-
-corecmd_exec_bin(shorewall_t)
-corecmd_exec_shell(shorewall_t)
-
-dev_read_urand(shorewall_t)
-
-fs_getattr_all_fs(shorewall_t)
-
-domain_read_all_domains_state(shorewall_t)
-
-files_getattr_kernel_modules(shorewall_t)
-files_read_etc_files(shorewall_t)
-files_read_usr_files(shorewall_t)
-files_search_kernel_modules(shorewall_t)
-
-init_rw_utmp(shorewall_t)
-
-libs_use_ld_so(shorewall_t)
-libs_use_shared_libs(shorewall_t)
-
-logging_send_syslog_msg(shorewall_t)
-
-miscfiles_read_localization(shorewall_t)
-
-userdom_dontaudit_list_admin_dir(shorewall_t)
-
-sysnet_domtrans_ifconfig(shorewall_t)
-iptables_domtrans(shorewall_t)
-
-optional_policy(`
-        modutils_domtrans_insmod(shorewall_t)
-')
-
-optional_policy(`
-	ulogd_search_log(shorewall_t)
-')
-
-permissive shorewall_t;
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.12/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/smartmon.te	2009-09-02 10:27:17.000000000 +0200
@@ -28,9 +28,9 @@
 # Local policy
 #
 
-allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
+allow fsdaemon_t self:capability { setgid setpcap sys_rawio sys_admin };
 dontaudit fsdaemon_t self:capability sys_tty_config;
-allow fsdaemon_t self:process { signal_perms setfscreate };
+allow fsdaemon_t self:process { getcap setcap signal_perms setfscreate };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
 allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
 allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
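Review bot: The added `setpcap` capability and the `getcap setcap` process permissions on fsdaemon_t are not explained anywhere in the hunk, and together with the retained `sys_rawio sys_admin` they let the daemon rewrite its own capability sets. Presumably smartd now drops capabilities at startup via libcap, but that is inferred, not visible here. Suggest a comment above the capability line: `# smartd drops unneeded capabilities at startup (needs setpcap + process getcap/setcap)` so the grant can be re-evaluated later.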
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.6.12/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/snmp.if	2009-09-17 10:38:55.000000000 +0200
@@ -28,6 +28,24 @@
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+#######################################
+## <summary>
+##	Append snmpd libraries.
+## </summary>
+## <param name="domain">
+## 	<summary>
+## 	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`snmp_append_snmp_var_lib_files',`
+	gen_require(`
+		type snmpd_var_lib_t;
+	')
+
+	append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##	Read snmpd libraries.
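Review bot: `snmp_append_snmp_var_lib_files` grants append on snmpd_var_lib_t files but never lets the caller search /var/lib to reach them, unlike `snmp_stream_connect` later in this file, which calls `files_search_var_lib($1)` first. A caller whose domain lacks var_lib search will be denied at the directory rather than at the file. Suggest adding `files_search_var_lib($1)` before the `append_files_pattern` line, and rewording the summary to `Append to snmpd var lib files.` since these are data files, not libraries.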
@@ -85,6 +103,25 @@
 	dontaudit $1 snmpd_var_lib_t:file write;
 ')
 
+#######################################
+## <summary>
+## Connect to snmpd using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_stream_connect',`
+	gen_require(`
+		type snmpd_t, snmpd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.12/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/snmp.te	2009-09-16 13:08:08.000000000 +0200
@@ -71,6 +71,8 @@
 corenet_tcp_bind_snmp_port(snmpd_t)
 corenet_udp_bind_snmp_port(snmpd_t)
 corenet_sendrecv_snmp_server_packets(snmpd_t)
+corenet_tcp_bind_agentx_port(snmpd_t)
+corenet_udp_bind_agentx_port(snmpd_t)  
 corenet_tcp_connect_agentx_port(snmpd_t)
 
 dev_list_sysfs(snmpd_t)
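Review bot: The new `corenet_tcp_bind_agentx_port`/`corenet_udp_bind_agentx_port` lines do not follow the pattern used for the snmp port just above, where the bind calls are paired with `corenet_sendrecv_snmp_server_packets`. If the agentx port is declared with the standard network_port macro, the matching `corenet_sendrecv_agentx_server_packets(snmpd_t)` should be added alongside; confirm the interface exists in this corenetwork version. Listening for AgentX on a network port instead of the default unix socket widens snmpd's exposed surface and deserves a one-line comment. The udp bind line also carries trailing whitespace.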
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc	2009-08-19 17:48:56.000000000 +0200
@@ -1,13 +1,15 @@
+/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 
 /etc/rc\.d/init\.d/spamd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/spamassassin --      gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/mimedefang.*	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 
 /usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamassassin	--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamd		--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
 
+/usr/bin/spamd          --      gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/bin/mimedefang-multiplexor --	gen_context(system_u:object_r:spamd_exec_t,s0)
 
@@ -20,5 +22,5 @@
 
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/MD-Quarantine(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/MIMEDefang(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)?		gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)?		gen_context(system_u:object_r:spamd_var_run_t,s0)
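Review bot: Relabelling `/var/spool/MD-Quarantine` and `/var/spool/MIMEDefang` from spamd_spool_t to spamd_var_run_t gives quarantined mail under /var/spool a pid-file type. Any domain granted spamd's pid access then also gets read/write over the quarantine, and a files_pid_file type is normally expected only under /var/run. If the mimedefang multiplexor needs its socket there (inferred, not shown), a dedicated spool type or `manage_sock_files_pattern` on spamd_spool_t would keep the quarantine separate; at minimum add a comment explaining why the spool tree carries the var_run type.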
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te	2009-09-16 12:19:24.000000000 +0200
@@ -263,6 +263,7 @@
 corenet_tcp_sendrecv_generic_node(spamc_t)
 corenet_tcp_connect_spamd_port(spamc_t)
 
+can_exec(spamc_t, spamc_exec_t)
 
 manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
 manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
@@ -406,6 +407,7 @@
 # var/lib files for spamd
 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 
 manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/squid.te	2009-08-23 20:37:28.000000000 +0200
@@ -67,7 +67,9 @@
 
 can_exec(squid_t, squid_exec_t)
 
+manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
 manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
 logging_log_filetrans(squid_t, squid_log_t, { file dir })
 
 manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-07-20 14:31:17.000000000 +0200
@@ -187,7 +187,7 @@
 
 	allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
 	allow $1_t self:fifo_file rw_fifo_file_perms;
-	allow $1_t self:process { signal setsched setrlimit setexec };
+	allow $1_t self:process { signal getsched setsched setrlimit setexec };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
 	# ssh agent connections:
@@ -685,3 +685,24 @@
 	can_exec($1, ssh_agent_exec_t)
 ')
 
+#######################################
+## <summary>
+## Read ssh home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_read_user_home_files',`
+	gen_require(`
+  		type home_ssh_t;
+	')
+
+	allow $1 home_ssh_t:dir list_dir_perms;
+	read_files_pattern($1, home_ssh_t, home_ssh_t)
+	read_lnk_files_pattern($1, home_ssh_t, home_ssh_t)
+	userdom_search_user_home_dirs($1)
+')
+
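Review bot: `ssh_read_user_home_files` grants read on every home_ssh_t file, which presumably includes users' private keys alongside authorized_keys and config, yet the summary `Read ssh home directory content` does not warn callers of that. Suggest `## Read users' ~/.ssh content (keys, authorized_keys, config); note this includes private keys` so the interface is not handed out casually. It only grants `userdom_search_user_home_dirs`, so if home_ssh_t also labels /root/.ssh, as the admin-home filetrans added in ssh.te suggests, callers will additionally need admin-dir search. The `type home_ssh_t;` line mixes spaces and a tab in its indent.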
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.12/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ssh.te	2009-09-22 17:01:21.000000000 +0200
@@ -133,6 +133,12 @@
 read_files_pattern(ssh_server,home_ssh_t,home_ssh_t)
 read_lnk_files_pattern(ssh_server,home_ssh_t,home_ssh_t)
 
+# ssh servers can create and read the user keys and config
+manage_dirs_pattern(ssh_server, home_ssh_t, home_ssh_t)
+manage_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
+userdom_user_home_dir_filetrans(ssh_server, home_ssh_t, dir)
+userdom_admin_home_dir_filetrans(ssh_server, home_ssh_t, dir)  
+
 kernel_read_kernel_sysctls(ssh_t)
 kernel_read_system_state(ssh_t)
 
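Review bot: The new `manage_dirs_pattern`/`manage_files_pattern` on home_ssh_t for the whole ssh_server attribute turns the previous read-only access (the `read_files_pattern` lines just above are now redundant) into create/write/unlink over users' ~/.ssh, including authorized_keys and private keys, for every domain carrying ssh_server, so a compromised server could plant a key. If the goal is only creating ~/.ssh on first login, `manage_dirs_pattern` plus `create_files_pattern` and the two filetrans rules would suffice; otherwise document why full manage is required. The `userdom_admin_home_dir_filetrans` line also has trailing whitespace.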
@@ -347,10 +353,18 @@
 ')
 
 optional_policy(`
+	gitosis_manage_var_lib(sshd_t)  
+')
+
+optional_policy(`
 	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
 ')
 
 optional_policy(`
+	nx_read_home_files(sshd_t)
+')
+
+optional_policy(`
 	rpm_use_script_fds(sshd_t)
 ')
 
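Review bot: `gitosis_manage_var_lib(sshd_t)` gives the ssh daemon itself full manage rights over gitosis' var lib content instead of transitioning the forced-command session into a gitosis domain, which is the usual way to keep sshd_t narrow. If gitosis commands really run in the sshd login context (inferred), a comment such as `# gitosis forced commands run in sshd_t and need /var/lib/gitosis` would make the grant reviewable later. The line also carries trailing whitespace.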
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.12/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sssd.fc	2009-09-29 18:28:19.000000000 +0200
@@ -1,6 +1,6 @@
+/etc/rc\.d/init\.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
 
 /usr/sbin/sssd	--	gen_context(system_u:object_r:sssd_exec_t,s0)
 
-/etc/rc.d/init.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
-/var/run/sssd.pid		--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 /var/lib/sss(/.*)?			gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.12/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sssd.if	2009-09-29 18:28:19.000000000 +0200
@@ -1,5 +1,4 @@
-
-## <summary>policy for sssd</summary>
+## <summary>System Security Services Daemon</summary>
 
 ########################################
 ## <summary>
@@ -68,17 +67,15 @@
 ##	</summary>
 ## </param>
 #
-interface(`sssd_manage_var_run',`
+interface(`sssd_manage_pids',`
 	gen_require(`
 		type sssd_var_run_t;
 	')
 
          manage_dirs_pattern($1,sssd_var_run_t,sssd_var_run_t)
          manage_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
-         manage_lnk_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
 ')
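Review bot: Renaming `sssd_manage_var_run` to `sssd_manage_pids` removes the old interface name outright, so any out-of-tree policy calling it stops building. The deprecation pattern visible in snmp.if in this same patch is the convention: keep the old name as a wrapper that calls refpolicywarn and forwards to the new interface. Dropping `manage_lnk_files_pattern` at the same time is a silent permission removal and should be mentioned in the changelog.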
 
-
 ########################################
 ## <summary>
 ##	Search sssd lib directories.
@@ -196,8 +192,7 @@
 	')
 
 	files_search_pids($1)
-	write_sock_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
-	allow $1 sssd_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
 ')
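Review bot: `stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)` connects to a socket labelled sssd_var_lib_t, i.e. under /var/lib/sss, but the directory search granted on the line above is `files_search_pids($1)`, which covers /var/run. Callers without var_lib search will be denied before they reach the socket. Change it to `files_search_var_lib($1)`, or add that alongside if a pid-dir socket also exists.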
 
 ########################################
@@ -241,9 +235,7 @@
 	role_transition $2 sssd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	sssd_manage_var_run($1)
-
-	sssd_manage_var_lib($1)
+	sssd_manage_pids($1)
 
+	sssd_manage_lib_files($1)
 ')
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sssd.te	2009-09-29 18:28:19.000000000 +0200
@@ -9,54 +10,45 @@
 type sssd_exec_t;
 init_daemon_domain(sssd_t, sssd_exec_t)
 
-permissive sssd_t;
-
 type sssd_initrc_exec_t;
 init_script_file(sssd_initrc_exec_t)
 
-type sssd_var_run_t;
-files_pid_file(sssd_var_run_t)
-
 type sssd_var_lib_t;
 files_type(sssd_var_lib_t)
 
+type sssd_var_run_t;
+files_pid_file(sssd_var_run_t)
+
 ########################################
 #
 # sssd local policy
 #
-allow sssd_t self:capability { sys_nice setuid };
+allow sssd_t self:capability { sys_nice setgid setuid };
 allow sssd_t self:process { setsched signal getsched };
-allow sssd_t tmp_t:dir { read getattr open };
-
-# Init script handling
-domain_use_interactive_fds(sssd_t)
-
-# internal communication is often done using fifo and unix sockets.
-allow sssd_t self:process signal;
 allow sssd_t self:fifo_file rw_file_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
-manage_dirs_pattern(sssd_t, sssd_var_run_t,  sssd_var_run_t)
-manage_files_pattern(sssd_t, sssd_var_run_t,  sssd_var_run_t)
-files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir })
-
 manage_dirs_pattern(sssd_t, sssd_var_lib_t,  sssd_var_lib_t)
 manage_files_pattern(sssd_t, sssd_var_lib_t,  sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t,  sssd_var_lib_t)
 files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
 
-corecmd_exec_bin(sssd_t)
+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
 
-dev_read_urand(sssd_t)
+fs_list_inotifyfs(sssd_t)
 
 kernel_read_system_state(sssd_t)
 
+corecmd_exec_bin(sssd_t)
+
+dev_read_urand(sssd_t)
+
 files_list_tmp(sssd_t)
 files_read_etc_files(sssd_t)
 files_read_usr_files(sssd_t)
 
-fs_list_inotifyfs(sssd_t)
-
 auth_use_nsswitch(sssd_t)
 auth_domtrans_chk_passwd(sssd_t)
 auth_domtrans_upd_passwd(sssd_t)
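Review bot: `allow sssd_t self:fifo_file rw_file_perms;`, kept as context on the new side, uses the generic file permission set on a fifo; the refpolicy idiom, as used for fsdaemon_t in smartmon.te in this same patch, is `rw_fifo_file_perms`. Dropping `permissive sssd_t` is right, but it makes every remaining gap enforced, so the new `setgid` capability and the removed tmp_t rule should be backed by denials from a non-permissive run. A comment like `# setgid: sssd switches to its service group` (assumption, confirm) would record the reason for the added capability.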
@@ -68,6 +60,8 @@
 
 miscfiles_read_localization(sssd_t)
 
+userdom_manage_tmp_role(system_t, sssd_t)
+
 optional_policy(`
 	dbus_system_bus_client(sssd_t)
 	dbus_connect_system_bus(sssd_t)
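Review bot: `userdom_manage_tmp_role(system_t, sssd_t)` passes `system_t` where the `_role` interfaces take a role as their first argument; compare `userdom_manage_tmpfs_role(system_r, xdm_t)` in xserver.te in this same patch. Unless a `system_t` type exists somewhere not visible here, this fails to build, and even if it were a type the rule would not do what the call intends. Change it to `userdom_manage_tmp_role(system_r, sssd_t)`.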
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.12/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/uucp.te	2009-07-07 09:47:39.000000000 +0200
@@ -95,6 +95,8 @@
 files_search_home(uucpd_t)
 files_search_spool(uucpd_t)
 
+term_setattr_controlling_term(uucpd_t)
+
 auth_use_nsswitch(uucpd_t)
 
 logging_send_syslog_msg(uucpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.12/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/virt.fc	2009-09-16 13:17:05.000000000 +0200
@@ -10,6 +10,7 @@
 /var/lib/libvirt/images(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
 /var/lib/libvirt/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 /var/lib/libvirt/boot(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)?     gen_context(system_u:object_r:svirt_var_run_t,s0)
 
 /var/log/libvirt(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
 /var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
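Review bot: `/var/lib/libvirt/qemu(/.*)?` is labelled svirt_var_run_t, a pid-file type that the guest domain svirt_t can fully manage per virt.te, yet it lives under /var/lib rather than /var/run, so files_pid_file expectations (pid-dir search, runtime cleanup) do not match. If this is for per-guest monitor sockets (inferred), say so in a comment; otherwise a virt_var_lib_t-based label would keep libvirt's persistent state off the guest-writable type. The line also uses spaces instead of the tab alignment used above it.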
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-08-14 08:33:53.000000000 +0200
@@ -22,6 +22,13 @@
 
 ## <desc>
 ## <p>
+## Allow svirt to use usb devices
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, true)
+
+## <desc>
+## <p>
 ## Allow svirt to manage device configuration, (pci)
 ## </p>
 ## </desc>
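Review bot: `gen_tunable(virt_use_usb, true)` defaults a permission-widening boolean to on, whereas refpolicy tunables that grant extra access conventionally default to false so that administrators opt in (the default of the pci tunable below is not visible here, so compare it). Because the tunable body later in this file also grants write on DOS/vfat filesystems, a default of true enables that for every guest out of the box. Suggest `gen_tunable(virt_use_usb, false)` unless the distribution explicitly wants guests to see USB by default, in which case the desc should say so.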
@@ -95,6 +102,7 @@
 
 manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
 manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t)
+read_lnk_files_pattern(virtd_t, virt_image_t, virt_image_t)
 allow virtd_t virt_image_t:file { relabelfrom relabelto };
 allow virtd_t virt_image_t:blk_file { relabelfrom relabelto };
 
@@ -183,6 +191,7 @@
 seutil_read_default_contexts(virtd_t)
 
 term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
 term_use_ptmx(virtd_t)
 
 auth_use_nsswitch(virtd_t)
@@ -214,6 +223,12 @@
 	fs_read_cifs_symlinks(virtd_t)
 ')
 
+tunable_policy(`virt_use_usb',`
+	dev_rw_usbfs(svirt_t)
+	fs_manage_dos_dirs(svirt_t)
+	fs_manage_dos_files(svirt_t)
+')
+
 optional_policy(`
 	brctl_domtrans(virtd_t)
 ')
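Review bot: The `virt_use_usb` block grants `fs_manage_dos_dirs`/`fs_manage_dos_files` to svirt_t, which is write access to every vfat/msdos filesystem mounted on the host, not only USB media; a guest could then modify an EFI system partition or any other FAT mount. The tunable description only says it allows svirt to use usb devices. Either drop the DOS rules from this tunable (usbfs access alone is `dev_rw_usbfs(svirt_t)`) or state the wider effect in the desc so administrators know what they enable.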
@@ -305,8 +320,11 @@
 manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
 manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
+manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
 files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })
+stream_connect_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t, virtd_t)
 
+read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
 allow svirt_t svirt_image_t:dir search_dir_perms;
 manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
 manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
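Review bot: `stream_connect_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t, virtd_t)` lets the guest process connect to a virtd_t-owned unix socket, the opposite direction from libvirtd attaching to a guest monitor. This is safe only as long as libvirtd never labels its control socket svirt_var_run_t; that invariant is not visible here and should be recorded, e.g. `# guests may only connect back to libvirtd through sockets labelled svirt_var_run_t, never the libvirt RPC socket`. Confirm which socket this rule is for.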
@@ -316,16 +334,17 @@
 dontaudit svirt_t virt_content_t:file write_file_perms;
 dontaudit svirt_t virt_content_t:dir write;
 
-storage_raw_write_removable_device(svirt_t)
-storage_raw_read_removable_device(svirt_t)
-
 userdom_search_user_home_content(svirt_t)
 userdom_read_all_users_state(svirt_t)
 
 append_files_pattern(svirt_t, virt_log_t, virt_log_t)
+append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t)
 
 allow svirt_t self:udp_socket create_socket_perms;
 
+corecmd_exec_bin(svirt_t)
+corecmd_exec_shell(svirt_t)
+
 corenet_udp_sendrecv_generic_if(svirt_t)
 corenet_udp_sendrecv_generic_node(svirt_t)
 corenet_udp_sendrecv_all_ports(svirt_t)
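Review bot: `corecmd_exec_bin(svirt_t)` and `corecmd_exec_shell(svirt_t)` let the confined guest process execute any system binary and a shell, which materially weakens the sandbox svirt_t exists to provide. If this is for helper scripts such as network tap setup (inferred, not shown), a dedicated helper type with `can_exec` on just that, or running the helper from virtd_t, would keep the guest from spawning arbitrary programs. At minimum add a comment naming the program that needs it. The removed raw removable-device rules are a welcome tightening.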
@@ -353,7 +372,7 @@
 ')
 
 optional_policy(`
-	samba_domtrans_smb(svirt_t)
+        ptchown_domtrans(svirt_t)
 ')
 
 optional_policy(`
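Review bot: The hunk replaces `samba_domtrans_smb(svirt_t)` with `ptchown_domtrans(svirt_t)` inside the same optional_policy block, so two unrelated changes (dropping the samba transition, adding pt_chown) are folded into one line and the removal is easy to miss. If the samba transition is gone on purpose, a changelog note would help. The new line is indented with spaces where the file uses a tab.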
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.12/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/xserver.fc	2009-09-29 18:24:34.000000000 +0200
@@ -13,6 +13,7 @@
 HOME_DIR/\.dmrc			--	gen_context(system_u:object_r:xdm_home_t,s0)
 
 /root/\.xauth.*			--	gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.Xauth.*			--	gen_context(system_u:object_r:xauth_home_t,s0)
 #
 # /dev
 #
@@ -62,6 +63,7 @@
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xephyr		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 ifdef(`distro_debian', `
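Review bot: Labelling `/usr/bin/Xephyr` as xserver_exec_t treats the nested X server as the system X server executable, so any domain with a transition on xserver_exec_t will land in xserver_t, the domain this patch later optionally makes `unconfined_domain`. Xephyr runs with user privileges and needs no hardware access, so giving it the hardware server's domain is broader than necessary; if that is accepted, note it with a comment, otherwise a user-level exec label would be safer.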
@@ -104,6 +106,7 @@
 /var/run/gdm(/.*)?	 	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/gdm_socket	-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/xserver.if	2009-08-05 23:23:17.000000000 +0200
@@ -599,9 +599,10 @@
 #
 interface(`xserver_use_xdm_fds',`
 	gen_require(`
-		type xdm_t;
+		type xdm_t, xdm_home_t;
 	')
 
+	allow $1 xdm_home_t:file append_file_perms;
 	allow $1 xdm_t:fd use; 
 ')
 
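Review bot: `xserver_use_xdm_fds` now also grants `append_file_perms` on xdm_home_t files, so every caller that only wanted to inherit xdm's file descriptors silently gains append on display-manager home files, presumably ~/.xsession-errors. That widens an fd-use interface beyond what its name promises. Put the append in its own interface, e.g. `xserver_append_xdm_home_files`, and call both where the fd user actually writes the log.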
@@ -779,6 +780,24 @@
 	manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
 ')
 
+#######################################
+## <summary>
+##      Search XDM var lib dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xserver_search_xdm_lib',`
+        gen_require(`
+                type xdm_var_lib_t;
+        ')
+
+        allow $1 xdm_var_lib_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read XDM var lib files.
@@ -861,6 +880,24 @@
 
 ########################################
 ## <summary>
+##	Make an X executable an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which the shell is an entrypoint.
+##	</summary>
+## </param>
+#
+interface(`xserver_entry_type',`
+	gen_require(`
+		type xserver_exec_t;
+	')
+
+	domain_entry_file($1, xserver_exec_t)
+')
+
+########################################
+## <summary>
 ##	Execute an X session in the target domain.  This
 ##	is an explicit transition, requiring the
 ##	caller to use setexeccon().
@@ -1409,8 +1446,10 @@
 	# Allow connections to X server.
 	xserver_stream_connect_xdm($1)
 	xserver_read_xdm_tmp_files($1)
+	xserver_search_xdm_lib($1)
 	xserver_xdm_stream_connect($1)
 	xserver_setattr_xdm_tmp_dirs($1)
+	xserver_read_xdm_pid($1)
 
 	allow $1 xdm_t:x_client { getattr destroy };
 	allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-09-30 09:25:12.000000000 +0200
@@ -370,8 +370,9 @@
 manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+
 fs_getattr_all_fs(xdm_t)
-fs_search_inotifyfs(xdm_t)
+fs_list_inotifyfs(xdm_t)
 fs_read_noxattr_fs_files(xdm_t)
 
 manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
@@ -530,6 +531,7 @@
 miscfiles_read_localization(xdm_t)
 miscfiles_read_fonts(xdm_t)
 miscfiles_manage_localization(xdm_t)
+miscfiles_read_hwdata(xdm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
@@ -538,6 +540,7 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
 userdom_manage_user_tmp_sockets(xdm_t)
 userdom_manage_tmpfs_role(system_r, xdm_t)
 
@@ -651,7 +654,12 @@
 ')
 
 optional_policy(`
+	pcscd_stream_connect(xdm_t)
+')
+
+optional_policy(`
 	pulseaudio_exec(xdm_t)
+	pulseaudio_dbus_chat(xdm_t)
 ')
 
 # On crash gdm execs gdb to dump stack
@@ -839,7 +847,6 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
-fs_list_inotifyfs(xdm_t)
 fs_rw_tmpfs_files(xserver_t)
 
 mls_xwin_read_to_clearance(xserver_t)
@@ -931,6 +938,10 @@
 ')
 
 optional_policy(`
+	sandbox_rw_xserver_tmpfs_files(xserver_t)
+')
+
+optional_policy(`
 	unconfined_domain(xserver_t)
 	unconfined_domtrans(xserver_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.12/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.fc	2009-06-25 10:21:01.000000000 +0200
@@ -24,6 +24,8 @@
 /usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
 
+/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
+
 /var/db/shadow.*	--	gen_context(system_u:object_r:shadow_t,s0)
 
 /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
@@ -44,4 +46,3 @@
 /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 
-/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if	2009-08-20 10:24:42.000000000 +0200
@@ -30,6 +30,53 @@
 	dontaudit $2 shadow_t:file read_file_perms;
 ')
 
+#######################################
+## <summary>
+##      Make the specified domain used for a login program.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain type used for a login program domain.
+##      </summary>
+## </param>
+#
+interface(`auth_use_pam',`
+
+	# for SSP/ProPolice
+	dev_read_urand($1)
+	# for encrypted homedir
+	dev_read_sysfs($1)
+
+	auth_domtrans_chk_passwd($1)
+        auth_domtrans_upd_passwd($1)
+        auth_dontaudit_read_shadow($1)
+        auth_read_login_records($1)
+        auth_append_login_records($1)
+        auth_rw_lastlog($1)
+        auth_rw_faillog($1)
+        auth_exec_pam($1)
+        auth_use_nsswitch($1)
+
+        logging_send_audit_msgs($1)
+        logging_send_syslog_msg($1)
+
+        optional_policy(`
+                dbus_system_bus_client($1)
+                optional_policy(`
+                        consolekit_dbus_chat($1)
+                ')
+        ')
+
+        optional_policy(`
+                kerberos_manage_host_rcache($1)
+                kerberos_read_config($1)
+        ')
+
+        optional_policy(`
+                nis_authenticate($1)
+        ')
+')
+
 ########################################
 ## <summary>
 ##	Make the specified domain used for a login program.
@@ -42,8 +89,7 @@
 #
 interface(`auth_login_pgm_domain',`
 	gen_require(`
-		type var_auth_t;
-		type auth_cache_t;
+		type var_auth_t, auth_cache_t;
 	')
 
 	domain_type($1)
@@ -77,6 +123,8 @@
 
 	# for SSP/ProPolice
 	dev_read_urand($1)
+	# for encrypted homedir
+	dev_read_sysfs($1)
 	# for fingerprint readers
 	dev_rw_input_dev($1)
 	dev_rw_generic_usb_dev($1)
@@ -143,6 +191,11 @@
 	')
 
 	optional_policy(`
+		kerberos_manage_host_rcache($1)
+		kerberos_read_config($1)
+	')
+
+	optional_policy(`
 		fprintd_dbus_chat($1)
 	')
 
@@ -153,6 +206,7 @@
 	optional_policy(`
 		ssh_agent_exec($1)
 		userdom_read_user_home_content_files($1)
+		ssh_read_user_home_files($1)
 	')
 
 ')
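Review bot: Adding `ssh_read_user_home_files($1)` to `auth_login_pgm_domain` gives every login program domain read access to home_ssh_t, which presumably covers users' private keys and not only the public material a login program might need. That is a notably wider grant than the neighbouring `userdom_read_user_home_content_files`. If it exists for pam_ssh-style key login (inferred), it belongs in its own optional_policy with a comment such as `# pam_ssh: read user ssh keys`, so the rationale and blast radius stay visible.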
@@ -238,6 +292,97 @@
 
 ########################################
 ## <summary>
+##	Search authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_search_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	allow $1  auth_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_read_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	read_files_pattern($1, auth_cache_t,  auth_cache_t)
+')
+
+########################################
+## <summary>
+##	Read/Write authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_rw_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	rw_files_pattern($1, auth_cache_t,  auth_cache_t)
+')
+
+########################################
+## <summary>
+##	Manage authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	manage_files_pattern($1, auth_cache_t,  auth_cache_t)
+	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+')
+
+#######################################
+## <summary>
+##	Automatic transition from cache_t to cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_var_filetrans_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	files_var_filetrans($1,auth_cache_t,{ file dir } )
+')
+
+########################################
+## <summary>
 ##	Run unix_chkpwd to check a password.
 ## </summary>
 ## <param name="domain">
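Review bot: `auth_filetrans_cache` is renamed to `auth_var_filetrans_cache` and loses the `manage_files_pattern`/`manage_dirs_pattern` it used to carry, so an existing caller of the old name stops building and one updated to the new name silently loses manage rights unless it also calls `auth_manage_cache`. Keep a deprecated `auth_filetrans_cache` wrapper that warns via refpolicywarn and calls both new interfaces. The moved interfaces also dropped their `<rolecap/>` tags, which changes the generated role documentation; confirm that is intended.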
@@ -726,7 +871,7 @@
 
 ########################################
 ## <summary>
-##	Send signal to pam process
+##	Send generic signals to pam processes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1258,6 +1403,25 @@
 
 ########################################
 ## <summary>
+##	dontaudit read login records files (/var/log/wtmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_dontaudit_read_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	dontaudit $1 wtmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write to
 ##	login records files.
 ## </summary>
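Review bot: `auth_dontaudit_read_login_records` carries a `<rolecap/>` tag, but that tag marks interfaces that grant a capability worth listing per role; a dontaudit interface grants nothing and should not be advertised that way. Drop the `## <rolecap/>` line.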
@@ -1415,6 +1579,10 @@
 	')
 
 	optional_policy(`
+		nslcd_use($1)
+	')
+
+	optional_policy(`
 		sssd_stream_connect($1)
 	')
 
@@ -1456,99 +1624,3 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
-
-########################################
-## <summary>
-##	Search authentication cache
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_search_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	allow $1  auth_cache_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read authentication cache
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_read_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	read_files_pattern($1, auth_cache_t,  auth_cache_t)
-')
-
-########################################
-## <summary>
-##	Read/Write authentication cache
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_rw_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	rw_files_pattern($1, auth_cache_t,  auth_cache_t)
-')
-########################################
-## <summary>
-##	Manage authentication cache
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_manage_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	manage_files_pattern($1, auth_cache_t,  auth_cache_t)
-')
-
-#######################################
-## <summary>
-##	Automatic transition from cache_t to cache.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_filetrans_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	manage_files_pattern($1, auth_cache_t,  auth_cache_t)
-	manage_dirs_pattern($1, auth_cache_t,  auth_cache_t)
-	files_var_filetrans($1,auth_cache_t,{ file dir } )
-')
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.12/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.te	2009-06-25 10:21:01.000000000 +0200
@@ -1,5 +1,5 @@
 
-policy_module(authlogin, 2.0.0)
+policy_module(authlogin, 2.0.2)
 
 ########################################
 #
@@ -10,9 +10,12 @@
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
 
+type auth_cache_t;
+logging_log_file(auth_cache_t)
+
 type chkpwd_t, can_read_shadow_passwords;
 type chkpwd_exec_t;
-typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t system_chkpwd_t };
+typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
 typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
 application_domain(chkpwd_t, chkpwd_exec_t)
 role system_r types chkpwd_t;
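Review bot: `auth_cache_t`, which authlogin.fc in this patch assigns to /var/cache/coolkey, is declared with `logging_log_file`, so it inherits the log-file attribute and every domain with manage-all-logs access can read or rewrite the authentication cache. A cache should be a plain `files_type(auth_cache_t)` (or a dedicated cache attribute if the base provides one). Removing the `system_chkpwd_t` alias is also an interface break for any policy still naming it; if nothing references it, say so in the changelog.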
@@ -57,15 +60,13 @@
 type updpwd_exec_t;
 domain_type(updpwd_t)
 domain_entry_file(updpwd_t,updpwd_exec_t)
+domain_obj_id_change_exemption(updpwd_t)
 role system_r types updpwd_t;
 
 type utempter_t;
 type utempter_exec_t;
 application_domain(utempter_t,utempter_exec_t)
 
-type auth_cache_t;
-logging_log_file(auth_cache_t)
-
 #
 # var_auth_t is the type of /var/lib/auth, usually
 # used for auth data in pam_able
@@ -180,11 +181,6 @@
 
 logging_send_syslog_msg(pam_t)
 
-userdom_write_user_tmp_files(pam_t)
-userdom_delete_user_tmp_files(pam_t)
-userdom_dontaudit_read_user_home_content_files(pam_t)
-userdom_dontaudit_write_user_home_content_files(pam_t)
-
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(pam_t)
@@ -200,7 +196,7 @@
 # PAM console local policy
 #
 
-allow pam_console_t self:capability { dac_override dac_read_search chown fowner fsetid };
+allow pam_console_t self:capability { chown fowner fsetid };
 dontaudit pam_console_t self:capability sys_tty_config;
 
 allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
@@ -218,8 +214,6 @@
 dev_read_sysfs(pam_console_t)
 dev_getattr_apm_bios_dev(pam_console_t)
 dev_setattr_apm_bios_dev(pam_console_t)
-dev_getattr_cpu_dev(pam_console_t)
-dev_setattr_cpu_dev(pam_console_t)
 dev_getattr_dri_dev(pam_console_t)
 dev_setattr_dri_dev(pam_console_t)
 dev_getattr_input_dev(pam_console_t)
@@ -244,10 +238,6 @@
 dev_setattr_video_dev(pam_console_t)
 dev_getattr_xserver_misc_dev(pam_console_t)
 dev_setattr_xserver_misc_dev(pam_console_t)
-
-dev_getattr_all_chr_files(pam_console_t)
-dev_setattr_all_chr_files(pam_console_t)
-
 dev_read_urand(pam_console_t)
 
 mls_file_read_all_levels(pam_console_t)
@@ -329,6 +319,7 @@
 # updpwd local policy
 #
 
+allow updpwd_t self:capability { chown dac_override };
 allow updpwd_t self:process setfscreate;
 allow updpwd_t self:fifo_file rw_fifo_file_perms;
 allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
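Review bot: `allow updpwd_t self:capability { chown dac_override };` hands updpwd a DAC bypass for every file it can reach under the SELinux policy, and the line carries no comment naming the operation that needs it, even though the same patch removes dac_override from pam_console_t a few hunks earlier. Presumably it covers rewriting the password files as root-owned objects; confirm that and record it on the line, e.g. `# chown/dac_override: rewriting root-owned password files in /etc`. The updpwd local-policy section continues outside this hunk.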
@@ -336,6 +327,8 @@
 
 kernel_read_system_state(updpwd_t)
 
+dev_read_urand(updpwd_t)
+
 files_manage_etc_files(updpwd_t)
 
 term_dontaudit_use_console(updpwd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/init.fc	2009-06-25 10:21:01.000000000 +0200
@@ -6,6 +6,8 @@
 /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/etc/sysconfig/network-scripts/ifup-ipsec  	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
 /etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 /etc/X11/prefdm		--	gen_context(system_u:object_r:initrc_exec_t,s0)
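Review bot: The new `/etc/sysconfig/network-scripts/ifup-ipsec` entry is dropped between the two `/etc/rc\.d` groups, whereas this file keeps entries grouped by path prefix; placing it after the `/etc/rc\.d/init\.d/.*` line, next to the `/etc/X11/prefdm` entry, keeps the rc.d entries contiguous. The field separator on the added line mixes spaces and a tab before `--`; the neighbouring lines use tabs only.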
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-09-14 14:35:30.000000000 +0200
@@ -285,6 +285,7 @@
 kernel_dontaudit_getattr_message_if(initrc_t)
 kernel_stream_connect(initrc_t)
 files_read_kernel_modules(initrc_t)
+files_read_config_files(initrc_t)
 
 files_read_kernel_symbol_table(initrc_t)
 files_exec_etc_files(initrc_t)
@@ -331,6 +332,7 @@
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
@@ -403,6 +405,9 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
+
 
 auth_use_nsswitch(initrc_t)
 
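Review bot: Two consecutive blank lines are left after `files_manage_mnt_files(initrc_t)` where the file keeps a single blank line between groups; drop one. The same stray-whitespace problems recur in later hunks of this patch and can be cleaned up together: space indentation instead of a tab on `auth_tunable_read_shadow(racoon_t)` in ipsec.te and on `psad_rw_tmp_files(iptables_t)` in iptables.te (whose closing `') ` also carries a trailing space), trailing spaces on the added lines in mount.if (`mount_signal`), mount.te (`dev_read_sysfs(mount_t)`) and sysnetwork.te (`files_read_usr_files(dhcpc_t)`), a double blank line between the fprintd and gnomeclock blocks in userdomain.if, and a blank line appended at the very end of sysnetwork.te.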
@@ -750,6 +755,7 @@
 
 	mysql_stream_connect(initrc_t)
 	mysql_write_log(initrc_t)
+	mysql_read_config(initrc_t)
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te	2009-08-20 13:08:01.000000000 +0200
@@ -1,11 +1,18 @@
 
-policy_module(ipsec, 1.9.0)
+policy_module(ipsec, 1.9.1)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow racoon to read shadow
+## </p>
+## </desc>
+gen_tunable(racoon_read_shadow, false)
+
 type ipsec_t;
 type ipsec_exec_t;
 init_daemon_domain(ipsec_t,ipsec_exec_t)
@@ -43,6 +50,9 @@
 init_daemon_domain(racoon_t,racoon_exec_t)
 role system_r types racoon_t;
 
+type racoon_tmp_t;
+files_tmp_file(racoon_tmp_t)
+
 type setkey_t;
 type setkey_exec_t;
 init_system_domain(setkey_t,setkey_exec_t)
@@ -53,7 +63,7 @@
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
 dontaudit ipsec_t self:capability sys_tty_config;
 allow ipsec_t self:process { getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
@@ -67,7 +77,7 @@
 read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
 
 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
-rw_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+manage_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 
 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -82,7 +92,7 @@
 # so try flipping back into the ipsec_mgmt_t domain
 corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
 allow ipsec_mgmt_t ipsec_t:fd use;
-allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
 allow ipsec_mgmt_t ipsec_t:process sigchld;
 
 kernel_read_kernel_sysctls(ipsec_t)
@@ -103,13 +113,11 @@
 corenet_raw_sendrecv_all_nodes(ipsec_t)
 corenet_tcp_sendrecv_all_ports(ipsec_t)
 corenet_tcp_bind_all_nodes(ipsec_t)
+corenet_udp_bind_all_nodes(ipsec_t)
 corenet_tcp_bind_reserved_port(ipsec_t)
 corenet_tcp_bind_isakmp_port(ipsec_t)
-
-corenet_udp_bind_all_nodes(ipsec_t)
 corenet_udp_bind_isakmp_port(ipsec_t)
 corenet_udp_bind_ipsecnat_port(ipsec_t)
-
 corenet_sendrecv_generic_server_packets(ipsec_t)
 corenet_sendrecv_isakmp_server_packets(ipsec_t)
 
@@ -130,7 +138,7 @@
 
 files_read_etc_files(ipsec_t)
 files_read_usr_files(ipsec_t)
-files_search_tmp(ipsec_t)
+files_list_tmp(ipsec_t)
 
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
@@ -158,12 +166,12 @@
 #
 
 allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:process { signal setrlimit ptrace };
 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
@@ -171,8 +179,6 @@
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
 
-logging_send_syslog_msg(ipsec_mgmt_t)
-
 manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
 manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
 
@@ -248,6 +254,8 @@
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 
+logging_send_syslog_msg(ipsec_mgmt_t)
+
 miscfiles_read_localization(ipsec_mgmt_t)
 
 modutils_domtrans_insmod(ipsec_mgmt_t)
@@ -284,6 +292,13 @@
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
 allow racoon_t self:key_socket create_socket_perms;
+allow racoon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
+manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
+files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
+
+can_exec(racoon_t, setkey_exec_t)
 
 # manage pid file
 manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
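Review bot: `can_exec(racoon_t, setkey_exec_t)` runs setkey inside racoon_t rather than transitioning into the setkey_t domain this file declares earlier and to which it grants the SPD-context privileges, so whatever setkey needs at runtime now has to be granted to racoon_t as well. If racoon calls setkey as a helper, a domain transition to setkey_t (via the module's setkey domtrans interface, if one exists) keeps the two privilege sets apart; the same consideration applies to `sysnet_exec_ifconfig(racoon_t)`, `corecmd_exec_shell(racoon_t)` and `corecmd_exec_bin(racoon_t)` in the next hunk, which execute ifconfig, shells and binaries in racoon_t. If exec-in-place is deliberate, a one-line comment such as `# setkey/ifconfig run in racoon_t: no transition wanted because <reason>` would stop the next reviewer from re-raising it.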
@@ -301,11 +316,21 @@
 kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
 
+can_exec(racoon_t, racoon_exec_t)
+
+corecmd_exec_shell(racoon_t)
+corecmd_exec_bin(racoon_t)
+
+sysnet_exec_ifconfig(racoon_t)
+
 corenet_all_recvfrom_unlabeled(racoon_t)
+corenet_tcp_sendrecv_all_if(racoon_t)
+corenet_udp_sendrecv_all_if(racoon_t)
+corenet_tcp_sendrecv_all_nodes(racoon_t)
+corenet_udp_sendrecv_all_nodes(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
 corenet_udp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
-corenet_udp_sendrecv_all_if(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
 
 dev_read_urand(racoon_t)
@@ -315,6 +340,8 @@
 
 files_read_etc_files(racoon_t)
 
+fs_dontaudit_getattr_xattr_fs(racoon_t)
+
 # allow racoon to use avc_has_perm to check context on proposed SA
 selinux_compute_access_vector(racoon_t)
 
@@ -329,6 +356,13 @@
 
 miscfiles_read_localization(racoon_t)
 
+auth_use_pam(racoon_t)
+
+auth_can_read_shadow_passwords(racoon_t)
+tunable_policy(`racoon_read_shadow',`
+        auth_tunable_read_shadow(racoon_t)
+')
+
 ########################################
 #
 # Setkey local policy
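Review bot: The unconditional `auth_can_read_shadow_passwords(racoon_t)` placed directly above a tunable-gated `auth_tunable_read_shadow(racoon_t)` reads as though shadow access were granted regardless of racoon_read_shadow, and nothing on the page explains the split. If, as is usual in refpolicy, the first call only assigns the shadow-reader attribute (which cannot be done inside a conditional block) while the allow rule lives in the tunable, say so above the pair: `# the attribute assignment cannot be conditional; the read itself is gated by racoon_read_shadow`. The tunable's `<desc>` text "Allow racoon to read shadow" could also name the file: "Allow racoon to read the shadow password file".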
@@ -348,6 +382,7 @@
 files_read_etc_files(setkey_t)
 
 init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
 
 # allow setkey to set the context for ipsec SAs and policy.
 ipsec_setcontext_default_spd(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.12/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/iptables.te	2009-07-24 15:37:54.000000000 +0200
@@ -101,6 +101,10 @@
 ')
 
 optional_policy(`
+        psad_rw_tmp_files(iptables_t)
+') 
+
+optional_policy(`
 	rhgb_dontaudit_use_ptys(iptables_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/iscsi.te	2009-06-25 10:21:01.000000000 +0200
@@ -69,6 +69,7 @@
 dev_rw_sysfs(iscsid_t)
 
 domain_use_interactive_fds(iscsid_t)
+domain_read_all_domains_state(iscsid_t)
 
 files_read_etc_files(iscsid_t)
 
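Review bot: `domain_read_all_domains_state(iscsid_t)` lets iscsid read the /proc state of every domain on the system, and the hunk gives no hint which process state iscsid actually inspects. If it only needs its own processes or one specific daemon, the narrower interface for that domain is preferable; if the broad grant is really required, record the reason on the line, e.g. `# reads /proc/<pid> of all domains for <reason>`.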
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc	2009-10-02 07:38:02.000000000 +0200
@@ -139,8 +139,10 @@
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libjackserver\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libnnz11.so(\.[^/]*)*             gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
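Review bot: The new `/usr/lib(64)?/libnnz11.so(\.[^/]*)*` entry leaves the dot before `so` unescaped and omits the `--` file-type field that every neighbouring textrel_shlib_t line carries, so it matches any character in that position and applies to directories and symlinks as well as regular files. Suggest `/usr/lib(64)?/libnnz11\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)`. The `libjackserver\.so.*` entry at the top of the hunk is looser than the `\.so(\.[^/]*)*` form used by most of this block, though it does mirror the adjacent libjs line.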
@@ -167,6 +169,8 @@
 /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/share/hplip/prnt/plugins(/.*)?		gen_context(system_u:object_r:lib_t,s0)
+
 ifdef(`distro_debian',`
 /usr/lib32				-l	gen_context(system_u:object_r:lib_t,s0)
 ')
@@ -190,6 +194,7 @@
 /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
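Review bot: `/usr/lib64/maxima/[^/]+/binary-gcl/maxima` duplicates the existing `/usr/lib/maxima/...` line with lib64 hard-coded, whereas the rest of this file expresses both locations with a single `/usr/lib(64)?/` prefix. Replace the pair with one entry, `/usr/lib(64)?/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)`.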
@@ -284,6 +289,7 @@
 /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # vmware 
+HOME_DIR/\.mozilla(/.*)?/plugins/np-vmware-vmrc-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
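Review bot: `HOME_DIR/\.mozilla(/.*)?/plugins/np-vmware-vmrc-.*\.so` assigns textrel_shlib_t — and with it whatever text-relocation permission that label exists to grant — to a path the user controls, so any user can obtain the label for an arbitrary object simply by naming it to match. That is a weaker guarantee than the system-wide /usr/lib entries in the same hunk; whether it matters depends on the execmod rules for user domains, which are not visible here. Worth a comment recording the trade-off, e.g. `# user-installed plugin: textrel label is granted on the file name alone`.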
@@ -329,6 +335,8 @@
 
 /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
 
+/var/named/chroot/usr/lib/bind(/.*)?		gen_context(system_u:object_r:lib_t,s0)
+
 /var/lib/spamassassin/compiled/.*\.so.*    --     gen_context(system_u:object_r:lib_t,s0)
 
 ifdef(`distro_suse',`
@@ -366,9 +374,14 @@
 /usr/matlab.*\.so(\.[^/]*)*		gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/Zend/lib/ZendExtensionManager\.so	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib/libcncpmslld328\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/lib(64)?/midori/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# libraries for avidemux
+/usr/lib/libADM_coreImage\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/locallogin.te	2009-06-25 10:21:01.000000000 +0200
@@ -211,6 +211,7 @@
 # Sulogin local policy
 #
 
+allow sulogin_t self:capability dac_override;
 allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_file_perms;
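Review bot: `allow sulogin_t self:capability dac_override;` is added without a comment naming the file sulogin fails to open without it, and it is unconditional even though this section distinguishes the pam and no-pam builds a few lines further down. If the need is specific to one of those paths, move the rule into the matching `ifdef`; in either case add a why-comment such as `# dac_override: <file sulogin must access as root>`.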
@@ -258,7 +259,10 @@
 # suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `define(`sulogin_no_pam')')
 ifdef(`distro_debian', `define(`sulogin_no_pam')')
-ifdef(`distro_redhat',`define(`sulogin_no_pam')')
+ifdef(`distro_redhat',`
+	define(`sulogin_no_pam')
+	selinux_compute_user_contexts(sulogin_t)
+')
 
 ifdef(`sulogin_no_pam', `
 	allow sulogin_t self:capability sys_tty_config;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.12/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/logging.fc	2009-09-29 18:32:45.000000000 +0200
@@ -50,6 +50,7 @@
 ')
 
 ifdef(`distro_redhat',`
+/var/named/chroot/dev/log -s 	gen_context(system_u:object_r:devlog_t,s0)
 /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.12/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/logging.te	2009-09-29 14:05:27.000000000 +0200
@@ -481,6 +481,10 @@
 ')
 
 optional_policy(`
+	bind_search_cache(syslogd_t)
+')
+
+optional_policy(`
 	inn_manage_log(syslogd_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.12/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc	2009-04-07 21:54:48.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/miscfiles.fc	2009-07-30 17:46:06.000000000 +0200
@@ -11,6 +11,7 @@
 /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
 
 ifdef(`distro_redhat',`
 /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.12/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/mount.if	2009-09-08 13:12:41.000000000 +0200
@@ -175,7 +175,9 @@
 interface(`mount_signal',`
 	gen_require(`
 		type mount_t;
+		type unconfined_mount_t;
 	')
 
 	allow $1 mount_t:process signal; 
+	allow $1 unconfined_mount_t:process signal; 
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.12/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/mount.te	2009-08-11 10:04:04.000000000 +0200
@@ -72,6 +72,7 @@
 dev_list_all_dev_nodes(mount_t)
 dev_read_usbfs(mount_t)
 dev_read_rand(mount_t)
+dev_read_sysfs(mount_t)  
 dev_rw_lvm_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.12/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.if	2009-08-12 10:55:14.000000000 +0200
@@ -281,6 +281,7 @@
 	')
 
 	files_search_etc($1)
+	allow $1 net_conf_t:dir list_dir_perms;
 	read_files_pattern($1, net_conf_t, net_conf_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te	2009-07-17 09:43:41.000000000 +0200
@@ -45,7 +45,7 @@
 # DHCP client local policy
 #
 allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability sys_tty_config;
+dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 allow dhcpc_t self:process { setfscreate ptrace signal_perms };
@@ -69,8 +69,9 @@
 
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
-sysnet_manage_config(dhcpc_t)
+allow dhcpc_t net_conf_t:file manage_file_perms;
 allow dhcpc_t net_conf_t:file relabel_file_perms;
+sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t,net_conf_t,file)
 
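Review bot: `allow dhcpc_t net_conf_t:file manage_file_perms;` sits directly beside `sysnet_manage_config(dhcpc_t)`, and the interface name says it already grants manage access to net_conf_t files, so the raw rule looks redundant (the interface body is not visible here — confirm). Keep one form: the interface alone, or, if the raw rule is there because the interface cannot be used from inside the defining module, drop the interface call and note the reason in the comment block above.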
 # create temp files
@@ -120,11 +121,13 @@
 corecmd_exec_bin(dhcpc_t)
 corecmd_exec_shell(dhcpc_t)
 
+domain_obj_id_change_exemption(dhcpc_t)
 domain_use_interactive_fds(dhcpc_t)
 domain_dontaudit_read_all_domains_state(dhcpc_t)
 
 files_read_etc_files(dhcpc_t)
 files_read_etc_runtime_files(dhcpc_t)
+files_read_usr_files(dhcpc_t)  
 files_search_home(dhcpc_t)
 files_search_var_lib(dhcpc_t)
 files_dontaudit_search_locks(dhcpc_t)
@@ -270,8 +273,8 @@
 
 read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
 
-files_read_etc_files(ifconfig_t);
-files_read_etc_runtime_files(ifconfig_t);
+files_read_etc_files(ifconfig_t)
+files_read_etc_runtime_files(ifconfig_t)
 
 kernel_use_fds(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
@@ -367,3 +370,9 @@
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
+
+optional_policy(`
+	hal_rw_dgram_sockets(dhcpc_t)
+	hal_dontaudit_rw_pipes(ifconfig_t)
+')
+
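Review bot: The new `optional_policy` block mixes a dhcpc_t rule, `hal_rw_dgram_sockets(dhcpc_t)`, into the ifconfig_t section at the end of the file, while this file keeps each domain's optional blocks under its own local-policy heading. Move `hal_rw_dgram_sockets(dhcpc_t)` into the dhcpc_t optional blocks and leave only `hal_dontaudit_rw_pipes(ifconfig_t)` here.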
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.12/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc	2009-04-07 21:54:48.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/udev.fc	2009-07-30 17:22:30.000000000 +0200
@@ -5,6 +5,7 @@
 /etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
 /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+/etc/udev/rules\.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 
 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
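Review bot: `/etc/udev/rules\.d(/.*)?` is labelled with the runtime type udev_var_run_t, so the rule files udev reads from /etc become writable to every domain that may write udev_var_run_t, not only to udev_t, and the udev.te hunks in this patch widen what udev_t itself may create there. If the intent is to let udev drop generated rules into that directory, a dedicated type for the rules directory with udev_t given manage access keeps /etc configuration separate from /var/run state; at minimum a comment should record why the directory shares the runtime type.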
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/udev.te	2009-08-13 18:24:35.000000000 +0200
@@ -67,6 +67,7 @@
 
 manage_dirs_pattern(udev_t,udev_var_run_t,udev_var_run_t)
 manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t)
+manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t,udev_var_run_t,{ dir file })
 
 kernel_read_system_state(udev_t)
@@ -112,6 +113,7 @@
 
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
+fs_rw_anon_inodefs_files(udev_t)
 
 mcs_ptrace_all(udev_t)
 
@@ -196,6 +198,10 @@
 ')
 
 optional_policy(`
+	bluetooth_domtrans(udev_t)
+')
+
+optional_policy(`
 	brctl_domtrans(udev_t)
 ')
 
@@ -258,6 +264,10 @@
 ')
 
 optional_policy(`
+	unconfined_signal(udev_t)
+')
+
+optional_policy(`
 	kernel_write_xen_state(udev_t)
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-09-14 14:33:01.000000000 +0200
@@ -443,6 +443,9 @@
 	dev_rw_usbfs($1)
 	dev_rw_generic_usb_dev($1)
 
+	dev_read_video_dev($1)
+	dev_write_video_dev($1)
+
 	miscfiles_dontaudit_write_fonts($1)
 
 	optional_policy(`
@@ -518,6 +521,8 @@
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 
+	allow $1_t self:socket create_socket_perms;
+
 	allow $1_usertype unpriv_userdomain:fd use;
 
 	kernel_read_system_state($1_usertype)
@@ -627,12 +632,6 @@
 		')
 
 		optional_policy(`
-			devicekit_dbus_chat($1_usertype)
-			devicekit_power_dbus_chat($1_usertype)
-			devicekit_disk_dbus_chat($1_usertype)
-		')
-
-		optional_policy(`
 			evolution_dbus_chat($1_usertype)
 			evolution_alarm_dbus_chat($1_usertype)
 	')
@@ -702,6 +701,7 @@
 	optional_policy(`
 		rpc_dontaudit_getattr_exports($1_usertype)
 		rpc_manage_nfs_rw_content($1_usertype)
+		rpcbind_stream_connect($1_usertype)
 	')
 
 	optional_policy(`
@@ -968,6 +968,21 @@
 	')
 
 		optional_policy(`
+		devicekit_dbus_chat($1_usertype)
+		devicekit_power_dbus_chat($1_usertype)
+		devicekit_disk_dbus_chat($1_usertype)
+	')
+
+	optional_policy(`
+		fprintd_dbus_chat($1_t)
+	')
+
+
+	optional_policy(`
+		gnomeclock_dbus_chat($1_usertype)
+	')
+
+	optional_policy(`
 		gnome_manage_config($1_usertype)
 		gnome_manage_gconf_home_files($1_usertype)
 		gnome_read_gconf_config($1_usertype)
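Review bot: The devicekit block's body and its closing `')` are indented one tab while the surviving `optional_policy(`` opener just above them has two, so the opener and closer of that block no longer line up; re-indent the opener to one tab with the rest. `fprintd_dbus_chat($1_t)` is also the only new call that targets `$1_t` while its siblings (`devicekit_*`, `gnomeclock_dbus_chat`) use `$1_usertype`; if fprintd chat is meant for every user type of the role, write `fprintd_dbus_chat($1_usertype)`, otherwise add a short comment on why it is limited to the base type. The enclosing template starts outside this hunk.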
@@ -1218,6 +1233,7 @@
 	files_exec_usr_src_files($1_t)
 
 	fs_getattr_all_fs($1_t)
+	fs_getattr_all_files($1_t)
 	fs_set_all_quotas($1_t)
 	fs_exec_noxattr($1_t)
 
@@ -1457,6 +1473,7 @@
 	')
 
 	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
 	files_search_home($1)
 ')
 
@@ -1880,7 +1897,7 @@
 		type user_home_t;
 	')
 
-	allow $1 user_home_t:dir delete_file_perms;
+	allow $1 user_home_t:file delete_file_perms;
 ')
 
 ########################################
@@ -3317,10 +3334,6 @@
   seutil_run_newrole($1_t, $1_r)
 
   optional_policy(`
-	gnomeclock_dbus_chat($1_t)
-  ')
-
-  optional_policy(`
 	kerneloops_dbus_chat($1_t)
   ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te
--- nsaserefpolicy/policy/modules/system/virtual.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/virtual.te	2009-06-25 10:21:01.000000000 +0200
@@ -38,6 +38,7 @@
 dev_read_sound(virtualdomain)
 dev_write_sound(virtualdomain)
 dev_rw_kvm(virtualdomain)
+dev_rw_ksm(virtualdomain)
 dev_rw_qemu(virtualdomain)
 
 domain_use_interactive_fds(virtualdomain)
@@ -63,10 +64,6 @@
 miscfiles_read_localization(virtualdomain)
 
 optional_policy(`
-	dbus_system_bus_client(virtualdomain)
-')
-
-optional_policy(`
 	virt_read_config(virtualdomain)
 	virt_read_lib_files(virtualdomain)
 	virt_read_content(virtualdomain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/xen.te	2009-06-25 10:21:01.000000000 +0200
@@ -419,6 +419,7 @@
 kernel_read_xen_state(xm_ssh_t)
 kernel_write_xen_state(xm_ssh_t)
 
+userdom_search_admin_dir(xm_ssh_t)
 
 #Should have a boolean wrapping these
 fs_list_auto_mountpoints(xend_t)