diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.12/man/man8/nfs_selinux.8
--- nsaserefpolicy/man/man8/nfs_selinux.8	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/man/man8/nfs_selinux.8	2009-11-19 10:29:57.000000000 +0100
@@ -1,9 +1,9 @@
 .TH  "nfs_selinux"  "8"  "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
 .SH "NAME"
-nfs_selinux \- Security Enhanced Linux Policy for NFS
+nfs_selinux \- Security-Enhanced Linux Policy for NFS
 .SH "DESCRIPTION"
 
-Security Enhanced Linux secures the NFS server via flexible mandatory access
+Security-Enhanced Linux secures the NFS server via flexible mandatory access
 control.  
 .SH BOOLEANS
 SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
@@ -11,7 +11,7 @@
 .TP
 setsebool -P nfs_export_all_ro 1
 .TP
-If you want to share files read/write you must set the nfs_export_all_rw boolean.
+If you want to share NFS partitions, and allow read and write access to those NFS partitions, turn the nfs_export_all_rw boolean on:
 .TP
 setsebool -P nfs_export_all_rw 1
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.12/man/man8/samba_selinux.8
--- nsaserefpolicy/man/man8/samba_selinux.8	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/man/man8/samba_selinux.8	2009-08-19 18:01:06.000000000 +0200
@@ -20,7 +20,7 @@
 .TP
 This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
 .TP
-/var/eng(/.*)? system_u:object_r:samba_share_t
+/var/eng(/.*)? system_u:object_r:samba_share_t:s0
 .TP
 Run the restorecon command to apply the changes:
 .TP
@@ -53,4 +53,4 @@
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 
 .SH "SEE ALSO"
-selinux(8), samba(7), chcon(1), setsebool(8)
+selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
--- nsaserefpolicy/policy/mcs	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/mcs	2009-07-08 21:09:33.000000000 +0200
@@ -66,7 +66,7 @@
 #
 # Note that getattr on files is always permitted.
 #
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+mlsconstrain { file chr_file blk_file lnk_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
 	(( h1 dom h2 ) or ( t1 == mlsfilewrite ));
 
 mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
@@ -111,22 +111,22 @@
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
 # Access control for any database objects based on MCS rules.
-mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param }
+mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
 	( h1 dom h2 );
 
-mlsconstrain db_table { drop setattr relabelfrom select update insert delete use }
+mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
 	( h1 dom h2 );
 
-mlsconstrain db_column { drop setattr relabelfrom select update insert use }
+mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
 	( h1 dom h2 );
 
 mlsconstrain db_tuple { relabelfrom select update delete use }
 	( h1 dom h2 );
 
-mlsconstrain db_procedure { execute install }
+mlsconstrain db_procedure { drop getattr setattr execute install }
 	( h1 dom h2 );
 
-mlsconstrain db_blob { drop setattr relabelfrom read write }
+mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
 	( h1 dom h2 );
 
 ') dnl end enable_mcs
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.12/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/certwatch.te	2009-06-25 10:21:01.000000000 +0200
@@ -1,5 +1,5 @@
 
-policy_module(certwatch, 1.3.0)
+policy_module(certwatch, 1.3.1)
 
 ########################################
 #
@@ -28,7 +28,7 @@
 fs_list_inotifyfs(certwatch_t)
 
 auth_manage_cache(certwatch_t)
-auth_filetrans_cache(certwatch_t)
+auth_var_filetrans_cache(certwatch_t)
 
 logging_send_syslog_msg(certwatch_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.12/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te	2009-11-19 12:04:46.000000000 +0100
@@ -62,3 +62,6 @@
 optional_policy(`
 	udev_read_db(dmesg_t)
 ')
+
+#mcelog needs
+dev_read_raw_memory(dmesg_t)
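Review bot: `dev_read_raw_memory(dmesg_t)` lets the dmesg domain read raw memory devices, which is far wider than a kernel ring-buffer reader needs, and the one-word comment `#mcelog needs` does not say why that grant belongs here. It reads as though mcelog is being run under dmesg_t (presumably because its binary is labeled with the dmesg entry type); if so, a dedicated mcelog domain would keep the raw-memory access off every dmesg invocation. At minimum expand the comment so the scope is explicit, e.g. `# mcelog runs in dmesg_t and reads raw memory devices; consider a separate mcelog domain`.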
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.12/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/kismet.te	2009-07-07 08:55:43.000000000 +0200
@@ -23,6 +23,9 @@
 type kismet_var_lib_t;
 files_type(kismet_var_lib_t)
 
+type kismet_tmpfs_t;
+files_tmp_file(kismet_tmpfs_t)
+
 ########################################
 #
 # kismet local policy
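Review bot: `kismet_tmpfs_t` is declared with `files_tmp_file()` on the added line, but the later hunk uses it as a tmpfs type via `fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, file)`; the refpolicy declaration for tmpfs-backed types is `files_tmpfs_file()`. With `files_tmp_file` the type carries the generic tmp-file attribute, so any interface that acts on all tmp files also covers kismet's shared-memory files, which does not look intended. Change the line to `files_tmpfs_file(kismet_tmpfs_t)`.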
@@ -44,6 +47,10 @@
 manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
 files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
 
+manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
+fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, file)
+
 allow kismet_t kismet_var_lib_t:file manage_file_perms;
 allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
 files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
@@ -53,6 +60,7 @@
 files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
 
 kernel_search_debugfs(kismet_t)
+kernel_read_system_state(kismet_t)
 
 corecmd_exec_bin(kismet_t)
 
@@ -75,3 +83,11 @@
 
 userdom_use_user_terminals(kismet_t)
 userdom_read_user_tmpfs_files(kismet_t)
+
+optional_policy(`
+        dbus_system_bus_client(kismet_t)
+
+        optional_policy(`
+                networkmanager_dbus_chat(kismet_t)
+        ')
+')
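Review bot: The added `optional_policy` block is indented with eight and sixteen spaces while the surrounding file uses tabs (compare the tab-indented `udev_read_db`-style lines elsewhere in this patch); refpolicy style is one tab per nesting level. The same space indentation appears on `hddtemp_domtrans(mrtg_t)` in mrtg.te, the two `tunable_policy` blocks in gnome.te, and throughout the new shorewall.if, shorewall.te and gitosis.if files, where tabs and spaces are mixed within single interfaces. Replace the leading spaces with tabs on the four indented lines here and in the files named above.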
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.12/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/logrotate.te	2009-07-28 16:09:42.000000000 +0200
@@ -32,7 +32,7 @@
 # Change ownership on log files.
 allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
 # for mailx
-dontaudit logrotate_t self:capability { setuid setgid };
+dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
 
 allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 
@@ -188,6 +188,10 @@
 ')
 
 optional_policy(`
+	psad_domtrans(logrotate_t)
+')  
+
+optional_policy(`
 	slrnpull_manage_spool(logrotate_t)
 ')
 
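Review bot: The closing `')` of the new psad `optional_policy` block carries trailing whitespace; it should be `')` alone. The same trailing whitespace is on added lines in readahead.te (`files_getattr_all_pipes`), rpm.te (`mount_domtrans`), tzdata.te (`fs_getattr_xattr_fs`), calamaris.te (the `')` after `nscd_socket_use`) and gitosis.te (`corecmd_exec_bin`). It does not affect the build, but it churns later diffs and trips whitespace checks, so strip it before merging.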
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.12/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/mrtg.te	2009-08-13 08:59:23.000000000 +0200
@@ -136,10 +136,18 @@
 ')
 
 optional_policy(`
+        hddtemp_domtrans(mrtg_t)
+')
+
+optional_policy(`
 	hostname_exec(mrtg_t)
 ')
 
 optional_policy(`
+	netutils_domtrans_ping(mrtg_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(mrtg_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.12/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/netutils.te	2009-11-19 10:07:23.000000000 +0100
@@ -38,7 +38,7 @@
 
 # Perform network administration operations and have raw access to the network.
 allow netutils_t self:capability { net_admin net_raw setuid setgid };
-dontaudit netutils_t self:capability sys_tty_config;
+dontaudit netutils_t self:capability { sys_module sys_tty_config };
 allow netutils_t self:process { sigkill sigstop signull signal };
 allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
 allow netutils_t self:packet_socket create_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te	2009-06-25 10:21:01.000000000 +0200
@@ -68,10 +68,11 @@
 files_list_all(prelink_t)
 files_getattr_all_files(prelink_t)
 files_write_non_security_dirs(prelink_t)
-files_read_etc_files(prelink_t)
-files_read_etc_runtime_files(prelink_t)
+auth_read_all_files_except_shadow(prelink_t)
 files_dontaudit_read_all_symlinks(prelink_t)
 files_manage_usr_files(prelink_t)
+# Delta RPMS
+files_manage_var_files(prelink_t)
 files_relabelfrom_usr_files(prelink_t)
 
 fs_getattr_xattr_fs(prelink_t)
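Review bot: Replacing `files_read_etc_files` and `files_read_etc_runtime_files` with `auth_read_all_files_except_shadow(prelink_t)` widens prelink_t from reading /etc to reading every non-shadow file type on the system, and `files_manage_var_files(prelink_t)` additionally grants create, write and delete on generic /var files; both are much broader than rewriting ELF objects requires. If the `# Delta RPMS` case is the motivation, granting the specific types delta-RPM reconstruction touches (the second hunk already adds `rpm_manage_tmp_files`) would be preferable to an all-files read. If the broad grant really is needed, the comment should say why, e.g. `# deltarpm reconstruction runs prelink against arbitrary packaged files`, to be confirmed against the actual denials.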
@@ -102,5 +103,9 @@
 ')
 
 optional_policy(`
+	rpm_manage_tmp_files(prelink_t)
+')
+
+optional_policy(`
 	unconfined_domain(prelink_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-08-05 21:59:03.000000000 +0200
@@ -50,11 +50,13 @@
 domain_use_interactive_fds(readahead_t)
 domain_read_all_domains_state(readahead_t)
 
+files_getattr_all_pipes(readahead_t)  
 files_dontaudit_getattr_all_sockets(readahead_t)
 files_list_non_security(readahead_t)
 files_read_non_security_files(readahead_t)
 files_dontaudit_read_security_files(readahead_t)
 files_dontaudit_getattr_non_security_blk_files(readahead_t)
+files_create_boot_flag(readahead_t)
 
 fs_getattr_all_fs(readahead_t)
 fs_search_auto_mountpoints(readahead_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.12/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.fc	2009-09-02 13:11:37.000000000 +0200
@@ -1,5 +1,6 @@
 
 /bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpm                    --      gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if	2009-09-02 11:03:37.000000000 +0200
@@ -470,6 +470,24 @@
 
 ########################################
 ## <summary>
+##	Manage RPM tmp files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`rpm_manage_tmp_files',`
+	gen_require(`
+		type rpm_tmp_t;
+	')
+
+	manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read, 
 ##	write RPM tmp files
 ## </summary>
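Review bot: The `<param name="domain">` summary of the new `rpm_manage_tmp_files` interface reads `Domain to not audit.`, copied from the dontaudit interface that follows it; this interface grants access, so it should read `Domain allowed access.`. The interface summary would also match the rest of the file better as `Create, read, write, and delete RPM tmp files.`, since `manage_files_pattern` grants all of those.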
@@ -569,3 +587,31 @@
 	allow $1 rpm_t:process signull;
 ')
 
+########################################
+## <summary>
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_leaks',`
+	gen_require(`
+		type rpm_t;
+		type rpm_script_t;
+		type rpm_var_run_t;
+		type rpm_tmp_t;
+		type rpm_tmpfs_t;
+	')
+
+	dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
+	dontaudit $1 rpm_script_t:fd use;
+	dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms;
+	dontaudit $1 rpm_var_run_t:file write_file_perms;
+	dontaudit $1 rpm_tmp_t:file rw_file_perms;
+	dontaudit $1 rpm_t:shm rw_shm_perms;
+ 	dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ 	dontaudit $1 rpm_tmpfs_t:file write_file_perms;
+')
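Review bot: The summary of `rpm_dontaudit_leaks` reads `dontaudit read and write an leaked file descriptors`; suggest `Do not audit attempts to read and write leaked RPM file descriptors.`. The last two rules (`rpm_tmpfs_t:dir` and `rpm_tmpfs_t:file`) are indented with a space before the tab, unlike the lines above them; drop the leading space. Because the interface silences writes to rpm_var_run_t, rpm_tmp_t and rpm_tmpfs_t for any caller, the docstring should name what is being hidden, presumably descriptors inherited from rpm scriptlets, so a reader does not mistake it for a grant.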
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te	2009-07-28 14:08:18.000000000 +0200
@@ -377,6 +377,10 @@
 ')
 
 optional_policy(`
+	mount_domtrans(rpm_script_t) 
+')
+
+optional_policy(`
 	tzdata_domtrans(rpm_t)
 	tzdata_domtrans(rpm_script_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.6.12/policy/modules/admin/shorewall.fc
--- nsaserefpolicy/policy/modules/admin/shorewall.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.fc	2009-10-29 22:48:05.000000000 +0100
@@ -0,0 +1,13 @@
+
+/etc/rc\.d/init\.d/shorewall        	--      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/shorewall-lite       --      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
+
+/etc/shorewall(/.*)?            		gen_context(system_u:object_r:shorewall_etc_t,s0)
+/etc/shorewall-lite(/.*)?               	gen_context(system_u:object_r:shorewall_etc_t,s0)
+
+/sbin/shorewall6?                       --      gen_context(system_u:object_r:shorewall_exec_t,s0)
+/sbin/shorewall-lite			--      gen_context(system_u:object_r:shorewall_exec_t,s0)
+
+/var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall6(/.*)?                       gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+/var/lib/shorewall-lite(/.*)?           	gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.6.12/policy/modules/admin/shorewall.if
--- nsaserefpolicy/policy/modules/admin/shorewall.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.if	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,166 @@
+## <summary>policy for shorewall</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run shorewall.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`shorewall_domtrans',`
+	gen_require(`
+		type shorewall_t; 
+		type shorewall_exec_t;
+	')
+
+	domtrans_pattern($1, shorewall_exec_t, shorewall_t)
+')
+
+#######################################
+## <summary>
+##      Read shorewall etc configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_read_etc',`
+        gen_require(`
+                type shorewall_etc_t;
+        ')
+
+        files_search_etc($1)
+        read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+')
+
+#######################################
+## <summary>
+##      Read shorewall PID files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_read_pid_files',`
+        gen_require(`
+                type shorewall_var_run_t;
+        ')
+
+        files_search_pids($1)
+        read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+#######################################
+## <summary>
+##      Read and write shorewall PID files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_rw_pid_files',`
+        gen_require(`
+                type shorewall_var_run_t;
+        ')
+
+        files_search_pids($1)
+        rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+')
+
+######################################
+## <summary>
+##      Read shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_read_var_lib',`
+        gen_require(`
+                type shorewall_t;
+       ')
+
+        files_search_var_lib($1)
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+        read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+##      Read and write shorewall /var/lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`shorewall_rw_var_lib',`
+        gen_require(`
+                type shorewall_t;
+       ')
+
+        files_search_var_lib($1)
+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+        rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
+')
+
+#######################################
+## <summary>
+##      All of the rules required to administrate 
+##      an shorewall environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the syslog domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`shorewall_admin',`
+        gen_require(`
+                type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
+                type shorewall_initrc_exec_t, shorewall_var_lib_t;
+                type shorewall_tmp_t;
+        ')
+
+        allow $1 shorewall_t:process { ptrace signal_perms };
+        ps_process_pattern($1, shorewall_t)
+
+        init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 shorewall_initrc_exec_t system_r;
+        allow $2 system_r;
+
+        files_search_etc($1)
+        admin_pattern($1, shorewall_etc_t)
+
+	files_search_locks($1)
+	admin_pattern($1, shorewall_lock_t)
+
+        files_search_pids($1)
+        admin_pattern($1, shorewall_var_run_t)
+
+        files_search_var_lib($1)
+        admin_pattern($1, shorewall_var_lib_t)
+
+        files_search_tmp($1)
+        admin_pattern($1, shorewall_tmp_t)
+')
+
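Review bot: `shorewall_read_var_lib` and `shorewall_rw_var_lib` require `type shorewall_t;` in their `gen_require` blocks but actually use `shorewall_var_lib_t`, so a module calling them fails to build; change both to `type shorewall_var_lib_t;`. `shorewall_read_pid_files`, `shorewall_rw_pid_files` and `shorewall_admin` require `shorewall_var_run_t`, yet the new shorewall.te in this patch declares no such type (only `_t`, `_exec_t`, `_initrc_exec_t`, `_etc_t`, `_lock_t`, `_tmp_t` and `_var_lib_t`), so those interfaces cannot be used as written; either declare it in shorewall.te with a pid filetrans or drop them. `shorewall_admin` also uses `shorewall_etc_t` without requiring it, and its role parameter is documented as managing `the syslog domain`, which should read `the shorewall domain`.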
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.12/policy/modules/admin/shorewall.te
--- nsaserefpolicy/policy/modules/admin/shorewall.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/admin/shorewall.te	2009-06-25 10:41:25.000000000 +0200
@@ -0,0 +1,103 @@
+policy_module(shorewall,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type shorewall_t;
+type shorewall_exec_t;
+init_system_domain(shorewall_t, shorewall_exec_t)
+
+type shorewall_initrc_exec_t;
+init_script_file(shorewall_initrc_exec_t)
+
+# etc files
+type shorewall_etc_t;
+files_config_file(shorewall_etc_t)
+
+# lock files
+type shorewall_lock_t;
+files_lock_file(shorewall_lock_t)
+
+# tmp files
+type shorewall_tmp_t;
+files_tmp_file(shorewall_tmp_t)
+
+# var/lib files
+type shorewall_var_lib_t;
+files_type(shorewall_var_lib_t)
+
+########################################
+#
+# shorewall local policy
+#
+
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
+dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:process signal;
+
+allow shorewall_t self:fifo_file rw_fifo_file_perms;
+
+# etc file
+read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+
+# lock files
+manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t)
+files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
+
+# var/lib files for shorewall
+exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
+files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file })
+
+# tmp files for shorewall
+manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
+manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
+files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(shorewall_t)
+kernel_read_system_state(shorewall_t)
+kernel_read_network_state(shorewall_t)
+kernel_rw_net_sysctls(shorewall_t)
+
+corecmd_exec_bin(shorewall_t)
+corecmd_exec_shell(shorewall_t)
+
+dev_read_urand(shorewall_t)
+
+fs_getattr_all_fs(shorewall_t)
+
+domain_read_all_domains_state(shorewall_t)
+
+files_getattr_kernel_modules(shorewall_t)
+files_read_etc_files(shorewall_t)
+files_read_usr_files(shorewall_t)
+files_search_kernel_modules(shorewall_t)
+
+init_rw_utmp(shorewall_t)
+
+libs_use_ld_so(shorewall_t)
+libs_use_shared_libs(shorewall_t)
+
+logging_send_syslog_msg(shorewall_t)
+
+miscfiles_read_localization(shorewall_t)
+
+userdom_dontaudit_list_admin_dir(shorewall_t)
+
+sysnet_domtrans_ifconfig(shorewall_t)
+iptables_domtrans(shorewall_t)
+
+optional_policy(`
+        modutils_domtrans_insmod(shorewall_t)
+')
+
+optional_policy(`
+	ulogd_search_log(shorewall_t)
+')
+
+permissive shorewall_t;
+
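Review bot: The new domain ends with `permissive shorewall_t;`, so none of the rules above are enforced and denials are only logged; that is a reasonable rollout step, but nothing says so, and a comment such as `# permissive until the domain has been exercised; remove before enforcing` would make the intent and the follow-up explicit. Since the domain already holds `sys_ptrace`, `net_admin`, `net_raw`, `setuid` and `setgid` plus `domain_read_all_domains_state`, leaving it permissive indefinitely means a firewall management tool runs effectively unconfined. `iptables_domtrans(shorewall_t)` is called outside `optional_policy`, unlike the modutils and ulogd calls below it; wrapping it the same way would keep the module loadable when iptables is absent, if that is the convention this tree follows. Minor: the capability set lacks a space before the closing brace (`sys_ptrace}`), and several `*_pattern` calls omit the space after commas that the rest of the file uses.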
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.12/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/sudo.if	2009-08-05 23:24:01.000000000 +0200
@@ -152,6 +152,10 @@
 	optional_policy(`
 		dbus_system_bus_client($1_sudo_t)
 	')
+
+	optional_policy(`
+		fprintd_dbus_chat($1_sudo_t)
+	')
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.12/policy/modules/admin/tzdata.te
--- nsaserefpolicy/policy/modules/admin/tzdata.te	2009-04-07 21:54:49.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/tzdata.te	2009-09-07 13:31:31.000000000 +0200
@@ -16,6 +16,8 @@
 # tzdata local policy
 #
 
+fs_getattr_xattr_fs(tzdata_t)  
+
 files_read_etc_files(tzdata_t)
 files_search_spool(tzdata_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.12/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if	2009-04-07 21:54:49.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.if	2009-09-02 09:29:39.000000000 +0200
@@ -274,6 +274,9 @@
 	usermanage_domtrans_useradd($1)
 	role $2 types useradd_t;
 
+	# Add/remove user home directories
+	userdom_manage_home_role($2, useradd_t)
+
 	optional_policy(`
 		nscd_run(useradd_t, $2)
 	')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te	2009-09-02 09:28:02.000000000 +0200
@@ -209,6 +209,7 @@
 files_manage_etc_files(groupadd_t)
 files_relabel_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
+files_read_usr_symlinks(groupadd_t)
 
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(groupadd_t)
@@ -489,6 +490,8 @@
 
 userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
+userdom_manage_home_role(system_r, useradd_t)
+
 userdom_manage_user_home_content_dirs(useradd_t)
 userdom_manage_user_home_content_files(useradd_t)
 userdom_home_filetrans_user_home_dir(useradd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.12/policy/modules/apps/awstats.te
--- nsaserefpolicy/policy/modules/apps/awstats.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/awstats.te	2009-08-19 18:08:12.000000000 +0200
@@ -28,6 +28,8 @@
 awstats_rw_pipes(awstats_t)
 awstats_cgi_exec(awstats_t)
 
+can_exec(awstats_t, awstats_exec_t)
+
 manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
 manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
 files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.12/policy/modules/apps/calamaris.te
--- nsaserefpolicy/policy/modules/apps/calamaris.te	2009-04-07 21:54:49.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/calamaris.te	2009-08-05 23:27:19.000000000 +0200
@@ -82,5 +82,9 @@
 ')
 
 optional_policy(`
+	nscd_socket_use(calamaris_t)
+')  
+
+optional_policy(`
 	nis_use_ypbind(calamaris_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.12/policy/modules/apps/gitosis.fc
--- nsaserefpolicy/policy/modules/apps/gitosis.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.fc	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,4 @@
+
+/usr/bin/gitosis-serve			--        gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)?                            gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.12/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.if	2009-06-29 22:52:15.000000000 +0200
@@ -0,0 +1,96 @@
+## <summary>gitosis interface</summary>
+
+#######################################
+## <summary>
+##      Execute a domain transition to run gitosis.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gitosis_domtrans',`
+        gen_require(`
+                type gitosis_t, gitosis_exec_t;
+        ')
+
+        domtrans_pattern($1, gitosis_exec_t, gitosis_t)
+')
+
+#######################################
+## <summary>
+##      Execute gitosis-serve in the gitosis domain, and
+##      allow the specified role the gitosis domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed the gitosis domain.
+##      </summary>
+## </param>
+## <param name="terminal">
+##      <summary>
+##      The type of the role's terminal.
+##      </summary>
+## </param>
+#
+interface(`gitosis_run',`
+        gen_require(`
+                type gitosis_t;
+        ')
+
+        gitosis_domtrans($1)
+        role $2 types gitosis_t;
+        allow gitosis_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+##      Allow the specified domain to read
+##      gitosis lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gitosis_read_var_lib',`
+        gen_require(`
+                type gitosis_var_lib_t;
+
+        ')
+	
+	files_search_var_lib($1)
+        read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+	read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+        list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
+
+######################################
+## <summary>
+##      Allow the specified domain to manage
+##      gitosis lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`gitosis_manage_var_lib',`
+        gen_require(`
+                type gitosis_var_lib_t;
+
+        ')
+
+	files_search_var_lib($1)
+        manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+        manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+	manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.12/policy/modules/apps/gitosis.te
--- nsaserefpolicy/policy/modules/apps/gitosis.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.te	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,43 @@
+policy_module(gitosis,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gitosis_t;
+type gitosis_exec_t;
+application_domain(gitosis_t, gitosis_exec_t)
+role system_r types gitosis_t;
+
+type gitosis_var_lib_t;
+files_type(gitosis_var_lib_t)
+
+########################################
+#
+# gitosis local policy
+#
+
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
+
+exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_lnk_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_dirs_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+
+corecmd_exec_bin(gitosis_t) 
+corecmd_exec_shell(gitosis_t)
+
+kernel_read_system_state(gitosis_t)
+
+files_read_usr_files(gitosis_t)
+files_search_var_lib(gitosis_t)
+
+libs_use_ld_so(gitosis_t)
+libs_use_shared_libs(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
+
+optional_policy(`
+	ssh_rw_pipes(gitosis_t)
+')
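Review bot: gitosis_t gets `exec_files_pattern` and `manage_files_pattern` on the same type, `gitosis_var_lib_t`, so any file the domain can write under /var/lib/gitosis it can also execute; that is presumably deliberate for repository hooks, but it makes the lib type double as an executable type and deserves a comment. If the executable content lives in a fixed subtree, a separate type for it would keep write and execute apart. Suggested comment above the exec line: `# hooks under /var/lib/gitosis are executed from the same writable type`.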
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.12/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/gnome.te	2009-09-18 14:56:40.000000000 +0200
@@ -114,6 +114,16 @@
 
 userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
 
+tunable_policy(`use_nfs_home_dirs',`
+        fs_manage_nfs_dirs(gconfdefaultsm_t)
+        fs_manage_nfs_files(gconfdefaultsm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+        fs_manage_cifs_dirs(gconfdefaultsm_t)
+        fs_manage_cifs_files(gconfdefaultsm_t)
+')
+
 optional_policy(`
         consolekit_dbus_chat(gconfdefaultsm_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.12/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/gpg.if	2009-08-18 15:05:46.000000000 +0200
@@ -30,7 +30,7 @@
 
 	# allow ps to show gpg
 	ps_process_pattern($2, gpg_t)
-	allow $2 gpg_t:process { signal sigkill };
+	allow $2 gpg_t:process { signull sigstop signal sigkill };
 
 	# communicate with the user 
 	allow gpg_helper_t $2:fd use;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.12/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/gpg.te	2009-08-18 15:06:47.000000000 +0200
@@ -90,6 +90,7 @@
 corenet_tcp_connect_all_ports(gpg_t)
 corenet_sendrecv_all_client_packets(gpg_t)
 
+dev_read_generic_usb_dev(gpg_t)
 dev_read_rand(gpg_t)
 dev_read_urand(gpg_t)
 
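Review bot: `dev_read_generic_usb_dev(gpg_t)` is added with no rationale, and it grants read access to every generic USB device node rather than to a specific reader type. The most likely reason is smartcard readers driven through libusb, but the hunk does not say so; a comment such as `# smartcard readers accessed via libusb (generic usb device nodes) -- confirm` above the new line would record the intent and make the breadth reviewable later.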
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.12/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/java.te	2009-09-22 17:00:57.000000000 +0200
@@ -148,6 +148,8 @@
 	# execheap is needed for itanium/BEA jrocket
 	allow unconfined_java_t self:process { execstack execmem execheap };
 
+	files_execmod_all_files(unconfined_java_t)
+
 	init_dbus_chat_script(unconfined_java_t)
 
 	unconfined_domain_noaudit(unconfined_java_t)
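Review bot: `files_execmod_all_files(unconfined_java_t)` looks redundant with `unconfined_domain_noaudit(unconfined_java_t)` two lines below, since the unconfined interfaces normally already grant every file permission including execmod; if it is needed because that call is conditional on another module, the hunk should say so. Suggest either dropping the new line or preceding it with `# execmod kept explicit: unconfined_domain_noaudit is optional on this domain -- confirm`. The enclosing block starts and ends outside the hunk.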
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if	2009-07-08 21:12:05.000000000 +0200
@@ -45,6 +45,18 @@
 	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
 	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
 	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+
+	mozilla_dbus_chat($2)
+
+	userdom_manage_tmp_role($1, mozilla_t)
+
+	optional_policy(`
+		nsplugin_role($1, mozilla_t)
+	')
+
+	optional_policy(`
+		pulseaudio_role($1, mozilla_t)
+	')
 ')
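Review bot: `mozilla_dbus_chat($2)` is called unconditionally while the two other new calls (`nsplugin_role`, `pulseaudio_role`) are wrapped in optional_policy; if mozilla_dbus_chat requires the dbus class or types from the dbus module, this interface will fail to build on a policy without dbus. Either wrap it the same way, `optional_policy(`\n\t\tmozilla_dbus_chat($2)\n\t')`, or add a comment stating why it is safe unwrapped. The enclosing interface begins outside the hunk.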
 
 ########################################
@@ -64,6 +76,7 @@
 
 	allow $1 mozilla_home_t:dir list_dir_perms;
 	allow $1 mozilla_home_t:file read_file_perms;
+	allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
 	userdom_search_user_home_dirs($1)
 ')
 
@@ -82,7 +95,8 @@
 		type mozilla_home_t;
 	')
 
-	write_files_pattern($1, mozilla_home_t, mozilla_home_t)
+	allow $1 mozilla_home_t:dir list_dir_perms;
+	allow $1 mozilla_home_t:file write_file_perms;
 	userdom_search_user_home_dirs($1)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.12/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.te	2009-07-08 21:12:10.000000000 +0200
@@ -59,6 +59,7 @@
 manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 userdom_search_user_home_dirs(mozilla_t)
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
 
 # Mozpluggerrc
 allow mozilla_t mozilla_conf_t:file read_file_perms;
@@ -97,6 +98,7 @@
 corenet_tcp_connect_ftp_port(mozilla_t)
 corenet_tcp_connect_ipp_port(mozilla_t)
 corenet_tcp_connect_generic_port(mozilla_t)
+corenet_tcp_connect_soundd_port(mozilla_t)
 corenet_sendrecv_http_client_packets(mozilla_t)
 corenet_sendrecv_http_cache_client_packets(mozilla_t)
 corenet_sendrecv_ftp_client_packets(mozilla_t)
@@ -114,6 +116,8 @@
 dev_dontaudit_rw_dri(mozilla_t)
 dev_getattr_sysfs_dirs(mozilla_t)
 
+domain_dontaudit_read_all_domains_state(mozilla_t)
+
 files_read_etc_runtime_files(mozilla_t)
 files_read_usr_files(mozilla_t)
 files_read_etc_files(mozilla_t)
@@ -139,12 +143,7 @@
 # Browse the web, connect to printer
 sysnet_dns_name_resolve(mozilla_t)
 
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_manage_user_home_content_symlinks(mozilla_t)
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-userdom_manage_user_tmp_sockets(mozilla_t)
+userdom_use_user_ptys(mozilla_t)
 
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
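Review bot: The removed userdom_manage_user_tmp_* and userdom_manage_user_home_content_* rules are not replaced in this file, so mozilla_t's tmp access now appears to depend entirely on `userdom_manage_tmp_role($1, mozilla_t)` being added to the role interface in mozilla.if; a mozilla_t instance whose role does not go through that interface loses tmp access silently. A comment at the removal point, e.g. `# user tmp access is granted per role via userdom_manage_tmp_role in mozilla_role; downloads are confined to mozilla_home_t`, would make the dependency visible. The new `userdom_use_user_ptys(mozilla_t)` also carries no rationale.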
@@ -241,6 +240,9 @@
 optional_policy(`
 	dbus_system_bus_client(mozilla_t)
 	dbus_session_bus_client(mozilla_t)
+	optional_policy(`
+		networkmanager_dbus_chat(mozilla_t)
+	')
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.12/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.if	2009-07-07 08:51:57.000000000 +0200
@@ -89,6 +89,8 @@
 	role $1 types nsplugin_config_t;
 
 	allow nsplugin_t $2:process signull;
+	allow nsplugin_t $2:sem rw_sem_perms;
+ 	allow nsplugin_t $2:shm rw_shm_perms;
 
 	list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
 	read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
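Review bot: The second added line has a stray leading space before its tab (` \tallow nsplugin_t $2:shm rw_shm_perms;`), which the surrounding tab-indented lines do not; it should be `	allow nsplugin_t $2:shm rw_shm_perms;`. The two rules let the plugin domain read and write the caller domain's semaphores and shared memory, which is a notable widening of the plugin/user boundary, and a short comment above them naming the consumer (the browser's shared-memory IPC, if that is the case) would document why the access runs in this direction. The enclosing interface begins outside the hunk.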
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.6.12/policy/modules/apps/ptchown.fc
--- nsaserefpolicy/policy/modules/apps/ptchown.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.fc	2009-08-14 08:31:59.000000000 +0200
@@ -0,0 +1,2 @@
+
+/usr/libexec/pt_chown	--	gen_context(system_u:object_r:ptchown_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.12/policy/modules/apps/ptchown.if
--- nsaserefpolicy/policy/modules/apps/ptchown.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.if	2009-08-14 08:09:22.000000000 +0200
@@ -0,0 +1,22 @@
+
+## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ptchown.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ptchown_domtrans',`
+	gen_require(`
+		type ptchown_t;
+                type ptchown_exec_t;
+	')
+
+	domtrans_pattern($1,ptchown_exec_t,ptchown_t)
+')
+
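Review bot: The gen_require block mixes indentation: `type ptchown_t;` is tab-indented while `type ptchown_exec_t;` uses sixteen spaces; both should be two tabs, and `domtrans_pattern($1,ptchown_exec_t,ptchown_t)` should follow the file style with spaces after the commas, `domtrans_pattern($1, ptchown_exec_t, ptchown_t)`. The module summary also has a typo, `ownship`, and should read `changes ownership and permissions of the pseudotty`.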
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.12/policy/modules/apps/ptchown.te
--- nsaserefpolicy/policy/modules/apps/ptchown.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.te	2009-08-20 09:35:25.000000000 +0200
@@ -0,0 +1,40 @@
+policy_module(ptchown,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ptchown_t;
+type ptchown_exec_t;
+application_domain(ptchown_t, ptchown_exec_t)
+role system_r types ptchown_t;
+
+permissive ptchown_t;
+
+########################################
+#
+# ptchown local policy
+#
+
+allow ptchown_t self:capability { chown fowner fsetid setuid };
+allow ptchown_t self:process { getcap setcap };
+
+# Init script handling
+domain_use_interactive_fds(ptchown_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow ptchown_t self:fifo_file rw_file_perms;
+allow ptchown_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(ptchown_t)
+
+fs_rw_anon_inodefs_files(ptchown_t)
+
+term_setattr_generic_ptys(ptchown_t)
+term_setattr_all_user_ptys(ptchown_t)
+term_use_generic_ptys(ptchown_t)
+term_use_ptmx(ptchown_t)
+
+miscfiles_read_localization(ptchown_t)
+
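Review bot: `permissive ptchown_t;` ships the new domain unenforced, so none of the rules below it are actually applied and denials are only logged; if this is intentional for a first release it should be marked, e.g. `# TODO: drop permissive once the domain has been exercised in enforcing mode`, and tracked for removal. The comment `# Init script handling` above domain_use_interactive_fds is misleading here, since pt_chown is a setuid helper invoked from grantpt(3) rather than an init script; `# inherits the caller's tty/pty file descriptors` would describe the rule. Note also that only `role system_r types ptchown_t;` is declared and ptchown_domtrans takes no role parameter, so callers in other roles will need a role rule elsewhere.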
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc	2009-06-25 10:21:01.000000000 +0200
@@ -1,2 +1,3 @@
 /usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.te	2009-06-25 10:21:01.000000000 +0200
@@ -88,11 +88,16 @@
 ')
 
 optional_policy(`
+	dbus_system_bus_client(qemu_t)
+')
+
+optional_policy(`
 	samba_domtrans_smb(qemu_t)
 ')
 
 optional_policy(`
 	virt_manage_images(qemu_t)
+	virt_append_log(qemu_t)
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.12/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.if	2009-06-25 10:21:01.000000000 +0200
@@ -3,73 +3,143 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run sandbox.
+##	Execute sandbox in the sandbox domain, and
+##	allow the specified role the sandbox domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
-##	Domain allowed to transition.
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the sandbox domain.
 ## </summary>
 ## </param>
 #
-interface(`sandbox_domtrans',`
+interface(`sandbox_transition',`
 	gen_require(`
-		type sandbox_t;
-                type sandbox_exec_t;
+		type sandbox_xserver_t;
+		attribute sandbox_domain;
 	')
 
-	domtrans_pattern($1,sandbox_exec_t,sandbox_t)
+	allow $1 sandbox_domain:process transition;
+	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
+	role $2 types sandbox_domain;
+	role $2 types sandbox_xserver_t;
 ')
 
-
 ########################################
 ## <summary>
-##	Execute sandbox in the sandbox domain, and
-##	allow the specified role the sandbox domain.
+##	Creates types and rules for a basic
+##	qemu process domain.
 ## </summary>
-## <param name="domain">
+## <param name="prefix">
 ##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be allowed the sandbox domain.
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
 #
-interface(`sandbox_run',`
+template(`sandbox_domain_template',`
+
 	gen_require(`
-		type sandbox_t;
+		attribute sandbox_domain;
 	')
 
-	sandbox_domtrans($1)
-	role $2 types sandbox_t;
+	type $1_t, sandbox_domain;
+	domain_type($1_t)
+
+	type $1_file_t;
+	files_type($1_file_t)
+
+	can_exec($1_t, $1_file_t)
+	manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
+	manage_files_pattern($1_t, $1_file_t, $1_file_t)
+	manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
+	manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
+	manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
 ')
 
 ########################################
 ## <summary>
-##	Role access for sandbox
+##	Creates types and rules for a basic
+##	qemu process domain.
 ## </summary>
-## <param name="role">
+## <param name="prefix">
 ##	<summary>
-##	Role allowed access
+##	Prefix for the domain.
 ##	</summary>
 ## </param>
+#
+template(`sandbox_x_domain_template',`
+	gen_require(`
+		type xserver_exec_t;
+		type sandbox_xserver_t;
+		attribute sandbox_domain, sandbox_x_domain;
+	')
+
+	sandbox_domain_template($1)
+
+	
+	typeattribute $1_t sandbox_x_domain;
+
+	# window manager
+	miscfiles_setattr_fonts($1_t)
+	allow $1_t self:capability setuid;
+
+	type $1_client_t, sandbox_x_domain, sandbox_domain;
+	domain_type($1_client_t)
+
+	type $1_client_tmpfs_t;
+	files_tmpfs_file($1_client_tmpfs_t)
+
+	allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
+	term_create_pty($1_client_t,sandbox_devpts_t)
+
+	manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
+	fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
+	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+
+	domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+	allow $1_t sandbox_xserver_t:process sigkill;
+
+	domtrans_pattern($1_t, $1_file_t, $1_client_t)
+	domain_entry_file($1_client_t,  $1_file_t)
+
+	manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+	manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+	manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
+	allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms;
+	ps_process_pattern(sandbox_xserver_t, $1_client_t)
+	ps_process_pattern(sandbox_xserver_t, $1_t)
+	allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
+	allow sandbox_xserver_t $1_t:shm rw_shm_perms;
+
+	can_exec($1_client_t, $1_file_t)
+	manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
+	manage_files_pattern($1_client_t, $1_file_t, $1_file_t)
+	manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
+	manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
+	manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
+
+#	permissive $1_client_t;
+')
+
+########################################
+## <summary>
+##	allow domain to read, 
+##	write sandbox_xserver tmp files
+## </summary>
 ## <param name="domain">
 ##	<summary>
-##	User domain for the role
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`sandbox_role',`
+interface(`sandbox_rw_xserver_tmpfs_files',`
 	gen_require(`
-              type sandbox_t;
+		type sandbox_xserver_tmpfs_t;
 	')
 
-	role $2 types sandbox_t;
-
-	sandbox_domtrans($1)
-
-	ps_process_pattern($2, sandbox_t)
-	allow $2 sandbox_t:process signal;
+	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
 ')
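Review bot: sandbox_x_domain_template uses `sandbox_devpts_t` in its allow and term_create_pty rules but its gen_require lists only xserver_exec_t, sandbox_xserver_t and the two attributes; it compiles today because the only callers live in sandbox.te alongside the type declaration, but any external caller would fail, so `type sandbox_devpts_t;` belongs in the gen_require. The summaries of both sandbox_domain_template and sandbox_x_domain_template read `Creates types and rules for a basic qemu process domain.`, a copy-paste from qemu.if that should say `sandbox process domain`. Likewise the parameter summary of sandbox_rw_xserver_tmpfs_files says `Domain to not audit.` for an allow interface and should read `Domain allowed access.`; the hunk also contains a whitespace-only line after the sandbox_domain_template call.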
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te	2009-06-25 10:21:01.000000000 +0200
@@ -1,18 +1,84 @@
 policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
 
 ########################################
 #
 # Declarations
 #
 
-type sandbox_t;
-type sandbox_exec_t;
-application_domain(sandbox_t, sandbox_exec_t)
-init_daemon_domain(sandbox_t, sandbox_exec_t)
-role system_r types sandbox_t;
+sandbox_domain_template(sandbox)
+sandbox_x_domain_template(sandbox_x)
+sandbox_x_domain_template(sandbox_web)
+sandbox_x_domain_template(sandbox_net)
 
-type sandbox_file_t;
-files_type(sandbox_file_t)
+type sandbox_xserver_t;
+domain_type(sandbox_xserver_t)
+xserver_common_app(sandbox_xserver_t)
+permissive sandbox_xserver_t;
+
+type sandbox_xserver_tmpfs_t;
+files_tmpfs_file(sandbox_xserver_tmpfs_t)
+
+type sandbox_devpts_t;
+term_pty(sandbox_devpts_t)
+files_type(sandbox_devpts_t)
+
+########################################
+#
+# sandbox xserver policy
+#
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_socket_perms;
+
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+corecmd_exec_bin(sandbox_xserver_t)
+corecmd_exec_shell(sandbox_xserver_t)
+
+corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
+corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
+corenet_tcp_bind_generic_node(sandbox_xserver_t)
+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
+
+files_read_etc_files(sandbox_xserver_t)
+files_read_usr_files(sandbox_xserver_t)
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+
+miscfiles_read_fonts(sandbox_xserver_t)
+miscfiles_read_localization(sandbox_xserver_t)
+
+kernel_read_system_state(sandbox_xserver_t)
+
+auth_use_nsswitch(sandbox_xserver_t)
+
+userdom_use_user_terminals(sandbox_xserver_t)
+
+xserver_entry_type(sandbox_xserver_t)
+
+optional_policy(`
+	dbus_system_bus_client(sandbox_xserver_t)
+
+	optional_policy(`
+		hal_dbus_chat(sandbox_xserver_t)
+	')
+')
 
 ########################################
 #
@@ -20,21 +86,189 @@
 #
 
 ## internal communication is often done using fifo and unix sockets.
-allow sandbox_t self:fifo_file rw_file_perms;
-allow sandbox_t self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_domain self:fifo_file rw_file_perms;
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
+
+files_rw_all_inherited_files(sandbox_domain)
+files_entrypoint_all_files(sandbox_domain)
+
+miscfiles_read_localization(sandbox_domain)
+
+kernel_dontaudit_read_system_state(sandbox_domain)
+corecmd_exec_all_executables(sandbox_domain)
+
+
+########################################
+#
+# sandbox_x_domain local policy
+#
+allow sandbox_x_domain self:process { signal_perms getsched setpgid };
+allow sandbox_x_domain self:shm create_shm_perms;
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+allow sandbox_x_domain self:unix_dgram_socket create_socket_perms;
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
+
+files_read_etc_files(sandbox_x_domain)
+files_read_usr_files(sandbox_x_domain)
+files_read_usr_symlinks(sandbox_x_domain)
+
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
+
+term_getattr_pty_fs(sandbox_x_domain)
+term_use_ptmx(sandbox_x_domain)
+
+logging_send_syslog_msg(sandbox_x_domain)
+
+miscfiles_read_fonts(sandbox_x_domain)
+
+optional_policy(`
+	gnome_read_gconf_config(sandbox_x_domain)
+')
+
+optional_policy(`
+	cups_stream_connect(sandbox_x_domain)
+	cups_read_rw_config(sandbox_x_domain)
+')
+
+########################################
+#
+# sandbox_x_client_t local policy
+#
+allow sandbox_x_client_t self:tcp_socket create_socket_perms;
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_x_client_t)
+
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
+
+auth_use_nsswitch(sandbox_x_client_t)
+
+dbus_system_bus_client(sandbox_x_client_t)
+dbus_read_config(sandbox_x_client_t)
+selinux_get_fs_mount(sandbox_x_client_t)
+selinux_validate_context(sandbox_x_client_t)
+selinux_compute_access_vector(sandbox_x_client_t)
+selinux_compute_create_context(sandbox_x_client_t)
+selinux_compute_relabel_context(sandbox_x_client_t)
+selinux_compute_user_contexts(sandbox_x_client_t)
+seutil_read_default_contexts(sandbox_x_client_t)
+
+optional_policy(`
+	hal_dbus_chat(sandbox_x_client_t)
+')
+
+########################################
+#
+# sandbox_web_client_t local policy
+#
+allow sandbox_web_client_t self:capability { setuid setgid };
+allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay;
+allow sandbox_web_client_t self:process setsched;
+
+allow sandbox_web_client_t self:tcp_socket create_socket_perms;
+allow sandbox_web_client_t self:udp_socket create_socket_perms;
+allow sandbox_web_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_web_client_t)
+
+# Browse the web, connect to printer
+corenet_all_recvfrom_unlabeled(sandbox_web_client_t)
+corenet_all_recvfrom_netlabel(sandbox_web_client_t)
+corenet_tcp_sendrecv_generic_if(sandbox_web_client_t)
+corenet_raw_sendrecv_generic_if(sandbox_web_client_t)
+corenet_tcp_sendrecv_generic_node(sandbox_web_client_t)
+corenet_raw_sendrecv_generic_node(sandbox_web_client_t)
+corenet_tcp_sendrecv_http_port(sandbox_web_client_t)
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t)
+corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t)
+corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t)
+corenet_tcp_connect_http_port(sandbox_web_client_t)
+corenet_tcp_connect_http_cache_port(sandbox_web_client_t)
+corenet_tcp_connect_ftp_port(sandbox_web_client_t)
+corenet_tcp_connect_ipp_port(sandbox_web_client_t)
+corenet_tcp_connect_generic_port(sandbox_web_client_t)
+corenet_sendrecv_http_client_packets(sandbox_web_client_t)
+corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
+corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
+corenet_sendrecv_ipp_client_packets(sandbox_web_client_t)
+corenet_sendrecv_generic_client_packets(sandbox_web_client_t)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
+corenet_tcp_connect_speech_port(sandbox_web_client_t)
+
+auth_use_nsswitch(sandbox_web_client_t)
+
+dbus_system_bus_client(sandbox_web_client_t)
+dbus_read_config(sandbox_web_client_t)
+selinux_get_fs_mount(sandbox_web_client_t)
+selinux_validate_context(sandbox_web_client_t)
+selinux_compute_access_vector(sandbox_web_client_t)
+selinux_compute_create_context(sandbox_web_client_t)
+selinux_compute_relabel_context(sandbox_web_client_t)
+selinux_compute_user_contexts(sandbox_web_client_t)
+seutil_read_default_contexts(sandbox_web_client_t)
+
+optional_policy(`
+	nsplugin_read_rw_files(sandbox_web_client_t)
+	nsplugin_rw_exec(sandbox_web_client_t)
+')
+
+optional_policy(`
+	hal_dbus_chat(sandbox_web_client_t)
+')
+
+########################################
+#
+# sandbox_net_client_t local policy
+#
+allow sandbox_net_client_t self:tcp_socket create_socket_perms;
+allow sandbox_net_client_t self:udp_socket create_socket_perms;
+allow sandbox_net_client_t self:dbus { acquire_svc send_msg };
+allow sandbox_net_client_t self:netlink_selinux_socket create_socket_perms;
+
+dev_read_rand(sandbox_net_client_t)
 
-manage_dirs_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
-manage_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
-manage_lnk_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
-manage_fifo_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
-manage_sock_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t)
+corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
+corenet_all_recvfrom_netlabel(sandbox_net_client_t)
+corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
+corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
 
-files_rw_all_inherited_files(sandbox_t)
-files_entrypoint_all_files(sandbox_t)
+auth_use_nsswitch(sandbox_net_client_t)
 
-libs_use_ld_so(sandbox_t)
-libs_use_shared_libs(sandbox_t)
+dbus_system_bus_client(sandbox_net_client_t)
+dbus_read_config(sandbox_net_client_t)
+selinux_get_fs_mount(sandbox_net_client_t)
+selinux_validate_context(sandbox_net_client_t)
+selinux_compute_access_vector(sandbox_net_client_t)
+selinux_compute_create_context(sandbox_net_client_t)
+selinux_compute_relabel_context(sandbox_net_client_t)
+selinux_compute_user_contexts(sandbox_net_client_t)
+seutil_read_default_contexts(sandbox_net_client_t)
 
-miscfiles_read_localization(sandbox_t)
+optional_policy(`
+	nsplugin_read_rw_files(sandbox_web_client_t)
+	nsplugin_rw_exec(sandbox_web_client_t)
+')
 
-userdom_use_user_ptys(sandbox_t)
+optional_policy(`
+	hal_dbus_chat(sandbox_net_client_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if	2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/screen.if	2009-08-05 23:21:33.000000000 +0200
@@ -62,6 +62,7 @@
 	manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
 	filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file)
 	files_pid_filetrans($1_screen_t, screen_dir_t, dir)
+	dontaudit $3 screen_var_run_t:fifo_file read;
 
 	allow $1_screen_t screen_home_t:dir list_dir_perms;
 	read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-04-07 21:54:49.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc	2009-06-25 10:21:01.000000000 +0200
@@ -63,6 +63,7 @@
 ')
 
 /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
 
 /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
 /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.te	2009-06-25 10:21:01.000000000 +0200
@@ -136,7 +136,7 @@
 
 miscfiles_read_localization(vmware_host_t)
 
-sysnet_dns_name_resolve(vmware_host_t)
+auth_use_nsswitch(vmware_host_t)
 
 storage_getattr_fixed_disk_dev(vmware_host_t)
 
@@ -160,6 +160,10 @@
         xserver_common_app(vmware_host_t)
 ')
 
+optional_policy(`
+	unconfined_domain(vmware_host_t)
+	unconfined_domain(vmware_t)
+')
 
 ifdef(`TODO',`
 # VMWare need access to pcmcia devices for network
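Review bot: The new optional_policy block applies `unconfined_domain` to both vmware_host_t and vmware_t, which, whenever the unconfined module is loaded, makes the rest of this module's rules for those domains irrelevant and runs the user's VM process with no confinement at all. If this is a deliberate give-up on confining VMware, it should be stated at the point of the grant, e.g. `# vmware is not confinable in practice (kernel modules, raw device access); treat as unconfined when the unconfined module is present -- confirm`, or gated behind a build-time ifdef so that policies without unconfined keep the confined rules.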
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc	2009-08-13 17:13:38.000000000 +0200
@@ -7,6 +7,7 @@
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -69,6 +70,8 @@
 /etc/ppp/ipv6-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ipv6-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
 
+/etc/racoon/scripts(/.*)?  		gen_context(system_u:object_r:bin_t,s0)
+
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
@@ -119,6 +122,7 @@
 /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
 /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
 /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
+/sbin/nologin                   --      gen_context(system_u:object_r:shell_exec_t,s0)
 
 #
 # /opt
@@ -145,6 +149,7 @@
 /usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -217,8 +222,11 @@
 /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/configpath	--      gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-perl(/.*)?	        gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall-shell(/.*)?        gen_context(system_u:object_r:bin_t,s0)
-/usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6-lite(/.*)?        gen_context(system_u:object_r:bin_t,s0)
 
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
 
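Review bot: The hunk removes the `/usr/share/turboprint/lib(/.*)?` entry while adding shorewall entries; nothing nearby suggests the two are related, so this reads as an accidental deletion during a merge rather than an intentional de-labeling. If turboprint is meant to go, it should be its own change with a note; otherwise the line should be restored as `/usr/share/turboprint/lib(/.*)?		gen_context(system_u:object_r:bin_t,s0)`. The new shorewall lines also mix spaces and tabs in the context column where the rest of the file uses tabs.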
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in	2009-08-13 08:57:43.000000000 +0200
@@ -107,6 +107,7 @@
 network_port(giftd, tcp,1213,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd,tcp,2947,s0)
+network_port(hddtemp, tcp,7634,s0)
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
 portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -116,7 +117,7 @@
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
 network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
 network_port(innd, tcp,119,s0)
-network_port(ipp, tcp,631,s0, udp,631,s0)
+network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8611,s0, udp,8611,s0)
 network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
 network_port(ircd, tcp,6667,s0)
 network_port(ipmi, udp,623,s0, udp,664,s0)
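Review bot: The ipp entry gains tcp/udp 8611 with no comment, whereas neighbouring lines in this file annotate non-standard ports (`# 8118 is for privoxy`, `#8443 is mod_nss default port`); the same applies to tcp 3905 added to the mail entry in the following hunk. Each should carry a trailing comment naming the service that uses the port, e.g. `network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8611,s0, udp,8611,s0) # 8611 is <service> -- fill in`, so the port-to-type mapping stays reviewable.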
@@ -134,7 +135,7 @@
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
-network_port(mail, tcp,2000,s0)
+network_port(mail, tcp,2000,s0, tcp,3905,s0)
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc	2009-09-29 18:31:58.000000000 +0200
@@ -46,8 +46,10 @@
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/ksm		-c	gen_context(system_u:object_r:ksm_device_t,s0)
 /dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
 /dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/lirc[0-9]+        -c      gen_context(system_u:object_r:lirc_device_t,s0)
 /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
@@ -168,6 +170,7 @@
 
 ifdef(`distro_redhat',`
 # originally from named.fc
+/var/named/chroot/dev 		-d 	gen_context(system_u:object_r:device_t,s0)
 /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
 /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if	2009-07-03 11:25:38.000000000 +0200
@@ -1727,6 +1727,133 @@
 
 ########################################
 ## <summary>
+##	Get the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_ksm_dev',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_ksm_dev',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Read the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_ksm',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##      Read and write to ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_ksm',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+######################################
+## <summary>
+##      Read the lirc device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_read_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        read_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+##      Read and write the lirc device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_rw_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        rw_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+##      Automatic type transition to the type
+##      for lirc device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_filetrans_lirc',`
+        gen_require(`
+                type device_t, lirc_device_t;
+        ')
+
+        filetrans_pattern($1, device_t, lirc_device_t, chr_file)
+')
+
+########################################
+## <summary>
 ##	Read the lvm comtrol device.
 ## </summary>
 ## <param name="domain">
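Review bot: The four ksm interfaces are named inconsistently: `dev_getattr_ksm_dev` and `dev_setattr_ksm_dev` carry a `_dev` suffix while `dev_read_ksm` and `dev_rw_ksm` do not, so a caller has to guess which form exists; pick one convention for all four before any caller is written. The three lirc interfaces and the `dev_rw_ksm` header are also indented with spaces where the surrounding interfaces use tabs. A one-line comment on what /dev/ksm controls would also help reviewers judge which domains should ever receive `dev_rw_ksm`, since the summaries say only "Read and write to ksm devices".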
@@ -3780,3 +3907,21 @@
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+######################################
+## <summary>
+##      Set the attributes of the tty device
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_setattr_tty',`
+       gen_require(`
+               type devtty_t;
+       ')
+
+       setattr_chr_files_pattern($1, devtty_t, devtty_t)
+')
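Review bot: `setattr_chr_files_pattern($1, devtty_t, devtty_t)` passes devtty_t as the directory type, but devtty_t labels the /dev/tty character node rather than a directory, so the generated `dir search` rule lands on the wrong type and the caller gets no search permission on device_t, where the node actually lives. devtty_t also belongs to the terminal module, and this same patch adds `term_setattr_controlling_term` in terminal.if granting exactly this access, so the cleaner fix is to drop `dev_setattr_tty` and point callers there; if it must stay, use `setattr_chr_files_pattern($1, device_t, devtty_t)` with `type device_t, devtty_t;` in the require block. The interface is also indented with spaces instead of the file's tabs.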
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.te	2009-06-25 10:21:01.000000000 +0200
@@ -78,6 +78,13 @@
 dev_node(ipmi_device_t)
 
 #
+# ksm_device_t is the type of
+# /dev/ksm
+#
+type ksm_device_t;
+dev_node(ksm_device_t)
+
+#
 # Type for /dev/kmsg
 #
 type kmsg_device_t;
@@ -91,6 +98,12 @@
 dev_node(kvm_device_t)
 
 #
+# Type for /dev/lirc
+#
+type lirc_device_t;
+dev_node(lirc_device_t)
+
+#
 # Type for /dev/mapper/control
 #
 type lvm_control_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-07-07 08:21:23.000000000 +0200
@@ -44,34 +44,6 @@
 interface(`domain_type',`
 	# start with basic domain
 	domain_base_type($1)
-
-	ifdef(`distro_redhat',`
-		optional_policy(`
-			unconfined_use_fds($1)
-		')
-	')
-
-	# send init a sigchld and signull
-	optional_policy(`
-		init_sigchld($1)
-		init_signull($1)
-	')
-
-	# these seem questionable:
-
-	optional_policy(`
-		rpm_use_fds($1)
-		rpm_read_pipes($1)
-	')
-
-	optional_policy(`
-		selinux_dontaudit_getattr_fs($1)
-		selinux_dontaudit_read_fs($1)
-	')
-
-	optional_policy(`
-		seutil_dontaudit_read_config($1)
-	')
 ')
 
 ########################################
@@ -1338,3 +1310,20 @@
 	typeattribute $1 process_uncond_exempt;
 ')
 
+#######################################
+## <summary>
+## Send generic signals to the unconfined domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`domain_unconfined_signal',`
+	gen_require(`
+		type unconfined_domain_type;
+	')
+
+	allow $1 unconfined_domain_type:process signal;
+')
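Review bot: The require block declares `type unconfined_domain_type;`, but unconfined_domain_type is an attribute (it is used as one throughout domain.te, e.g. `allow unconfined_domain_type domain:fd use;`), so the module linker will reject it as an undeclared type; it should read `attribute unconfined_domain_type;`. The header comment lines are also written without the tab indentation the file's other interface headers use.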
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te	2009-09-02 11:03:42.000000000 +0200
@@ -91,6 +91,9 @@
 kernel_read_proc_symlinks(domain)
 kernel_read_crypto_sysctls(domain)
 
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
 # Every domain gets the key ring, so we should default
 # to no one allowed to look at it; afs kernel support creates
 # a keyring
@@ -108,6 +111,15 @@
 # list the root directory
 files_list_root(domain)
 
+selinux_getattr_fs(domain)
+selinux_search_fs(domain)
+selinux_dontaudit_read_fs(domain)
+
+init_sigchld(domain)
+init_signull(domain)
+
+seutil_dontaudit_read_config(domain)
+
 tunable_policy(`global_ssp',`
 	# enable reading of urandom for all domains:
 	# this should be enabled when all programs
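Review bot: `selinux_getattr_fs(domain)` and `selinux_search_fs(domain)` turn what `domain_type` previously only dontaudited (`selinux_dontaudit_getattr_fs` in the block removed from domain.if) into a real allow for every domain on the system, and nothing in the hunk records why, so a reader will assume this was a one-to-one move. Add a comment above the three lines, e.g. `# every domain may stat and search selinuxfs (presumably for libselinux's enabled check - confirm); reads stay dontaudited`, so the policy-wide widening is visible and revisitable.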
@@ -116,6 +128,12 @@
 	dev_read_urand(domain)
 ')
 
+ifdef(`distro_redhat',`
+	optional_policy(`
+		unconfined_use_fds(domain)
+	')
+')
+
 optional_policy(`
 	afs_rw_cache(domain)
 ')
@@ -125,6 +143,13 @@
 	libs_use_shared_libs(domain)
 ')
 
+# these seem questionable:
+optional_policy(`
+	rpm_use_fds(domain)
+	rpm_read_pipes(domain)
+	rpm_dontaudit_leaks(domain)
+')
+
 optional_policy(`
 	setrans_translate_context(domain)
 ')
@@ -152,8 +177,7 @@
 allow unconfined_domain_type domain:fd use;
 allow unconfined_domain_type domain:fifo_file rw_file_perms;
 
-allow unconfined_domain_type domain:dbus send_msg;
-allow domain unconfined_domain_type:dbus send_msg;
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
 
 # Act upon any other process.
 allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
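Review bot: Dropping the two blanket `dbus send_msg` rules between `domain` and `unconfined_domain_type` is a deliberate tightening, but the replacement line carries no comment, so the next person whose confined daemon stops talking to an unconfined client may simply reinstate them. Record the intent next to the new rule, e.g. `# no blanket dbus send_msg between confined and unconfined domains: confined domains must use the explicit *_dbus_chat interfaces`.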
@@ -185,7 +209,10 @@
 
 ifdef(`hide_broken_symptoms',`
 	fs_list_inotifyfs(domain)
+	dontaudit domain self:udp_socket listen;
 	allow domain domain:key { link search };
+	dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
+	cron_dontaudit_rw_tcp_sockets(domain)
 ')
 ')
 
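Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets(domain)` and `cron_dontaudit_rw_tcp_sockets(domain)` are called unconditionally inside the hide_broken_symptoms block, but dbus and cron are not base modules, so a build without either module fails on an unknown interface; the other non-base calls visible in this file (afs, rpm, setrans, unconfined) are all wrapped in `optional_policy`. Wrap each new call the same way.
```m4
ifdef(`hide_broken_symptoms',`
	fs_list_inotifyfs(domain)
	dontaudit domain self:udp_socket listen;
	allow domain domain:key { link search };

	optional_policy(`
		dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
	')

	optional_policy(`
		cron_dontaudit_rw_tcp_sockets(domain)
	')
')
```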
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-09-14 14:40:51.000000000 +0200
@@ -1953,6 +1953,8 @@
 	allow $1 etc_t:dir list_dir_perms;
 	read_files_pattern($1, etc_t, etc_t)
 	read_lnk_files_pattern($1, etc_t, etc_t)
+	files_read_etc_runtime_files($1)
+	files_read_config_files($1)
 ')
 
 ########################################
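Review bot: Adding `files_read_etc_runtime_files($1)` and `files_read_config_files($1)` silently widens `files_read_etc_files`, one of the most widely called interfaces in the policy: every existing caller now also reads etc_runtime_t and every type that `files_read_config_files` covers, while the interface summary above the hunk still describes only etc_t. Either update that summary to list the extra types, or, if the widening was wanted for a handful of domains, add the two calls at those call sites so the interface keeps its narrow meaning.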
@@ -3734,6 +3736,7 @@
 	allow $1 usr_t:dir list_dir_perms;
 	read_files_pattern($1, usr_t, usr_t)
 	read_lnk_files_pattern($1, usr_t, usr_t)
+	files_read_usr_src_files($1)
 ')
 
 ########################################
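Review bot: `files_read_usr_files($1)` now also grants `files_read_usr_src_files`, so every caller that only needed /usr gains read access to /usr/src as well, and the interface summary above the hunk does not say so. If specific domains need the source tree, call `files_read_usr_src_files` from those domains rather than widening the shared interface, or at minimum document the new scope in the summary.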
@@ -5224,6 +5227,7 @@
 		attribute file_type;
 	')
 
+	allow $1 file_type:dir search_dir_perms;
 	allow $1 file_type:file { getattr read write append lock };
 	allow $1 file_type:fifo_file { getattr read write append ioctl lock };
 	allow $1 file_type:sock_file { getattr read write append ioctl lock };
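Review bot: `allow $1 file_type:dir search_dir_perms;` grants search on every directory type in the system to callers of this interface, whose name and summary lie above the hunk, and nothing records why it was added to a rule set that otherwise omits `open` (which suggests an inherited-descriptor interface, where no path lookup happens). If this is the inherited-files interface the new line should be dropped; otherwise add a comment naming the caller that needs directory search across all file types.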
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-06-25 10:21:01.000000000 +0200
@@ -817,7 +817,7 @@
 		type proc_t;
 	')
 
-	dontaudit $1 proc_t:file { getattr read };
+	dontaudit $1 proc_t:file { open getattr read };
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.12/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/storage.fc	2009-08-24 16:29:47.000000000 +0200
@@ -28,6 +28,7 @@
 /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
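Review bot: `/dev/mtd.*` is declared with `-b`, but the raw MTD nodes `/dev/mtdN` (and `/dev/mtdNro`) are character devices; only `/dev/mtdblockN` is a block device, so this entry labels the block nodes and leaves the character nodes, which flash tools actually write through, at the default device_t label. Either add a separate `-c` entry for `/dev/mtd[0-9]+(ro)?` with a suitable type, or drop the `-b` so both kinds receive fixed_disk_device_t — in both cases confirm against the nodes on a target with MTD hardware. If the character nodes are meant to stay unlabelled, say so in a comment.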
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.12/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if	2009-04-07 21:54:48.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/storage.if	2009-08-24 16:26:39.000000000 +0200
@@ -529,7 +529,7 @@
 
 	')
 
-	dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
+	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if	2009-06-25 10:21:01.000000000 +0200
@@ -571,6 +571,25 @@
 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
 
+#######################################
+## <summary>
+##      Set the attributes of the tty device
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`term_setattr_controlling_term',`
+       gen_require(`
+               type devtty_t;
+       ')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 devtty_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the controlling
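Review bot: The summary `Set the attributes of the tty device` is looser than the interface name `term_setattr_controlling_term` and than what the body grants (setattr on devtty_t only), so it should read something like `Set the attributes of the controlling terminal (/dev/tty).`; the gen_require block is also indented with spaces while the two rule lines use tabs. This patch additionally adds `dev_setattr_tty` in devices.if that grants the same setattr on devtty_t, so one of the two interfaces should go to avoid two names for one permission.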
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/staff.te	2009-08-05 21:52:27.000000000 +0200
@@ -44,6 +44,10 @@
 ')
 
 optional_policy(`
+	postgresql_role(staff_r, staff_t)
+')
+
+optional_policy(`
 	secadm_role_change(staff_r)
 ')
 
@@ -87,6 +91,10 @@
 ')
 
 optional_policy(`
+        lpd_list_spool(staff_t)
+')
+
+optional_policy(`
 	kerneloops_dbus_chat(staff_t)
 ')
 
@@ -95,6 +103,10 @@
 ')
 
 optional_policy(`
+	sandbox_transition(staff_t, staff_r)
+')
+
+optional_policy(`
 	screen_manage_var_run(staff_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.12/policy/modules/roles/sysadm.if
--- nsaserefpolicy/policy/modules/roles/sysadm.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.if	2009-06-25 10:21:01.000000000 +0200
@@ -116,6 +116,41 @@
 
 ########################################
 ## <summary>
+##	Allow sysadm to execute all entrypoint files in
+##	a specified domain.  This is an explicit transition,
+##	requiring the caller to use setexeccon().
+## </summary>
+## <desc>
+##	<p>
+##	Allow sysadm to execute all entrypoint files in
+##	a specified domain.  This is an explicit transition,
+##	requiring the caller to use setexeccon().
+##	</p>
+##	<p>
+##	This is a interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysadm_entry_spec_domtrans_to',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	domain_entry_file_spec_domtrans(sysadm_t, $1)
+	allow $1 sysadm_t:fd use;
+	allow $1 sysadm_t:fifo_file rw_file_perms;
+	allow $1 sysadm_t:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Allow sysadm to execute a generic bin program in
 ##	a specified domain.  This is an explicit transition,
 ##	requiring the caller to use setexeccon().
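Review bot: The parameter summary for `sysadm_entry_spec_domtrans_to` says `Domain allowed access.`, but `$1` is the domain that sysadm_t transitions into (it is the target of `domain_entry_file_spec_domtrans` and the subject of the fd/fifo/sigchld rules), so it should read `Domain to transition to.`; the description also has `a interface` for `an interface`. Both are doc-only fixes.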
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te	2009-06-25 10:21:01.000000000 +0200
@@ -334,6 +334,10 @@
 ')
 
 optional_policy(`
+	virt_stream_connect(sysadm_t)
+')
+
+optional_policy(`
 	yam_run(sysadm_t, sysadm_r)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-09-02 10:35:47.000000000 +0200
@@ -52,6 +52,8 @@
 init_system_domain(unconfined_execmem_t, execmem_exec_t)
 role unconfined_r types unconfined_execmem_t;
 typealias execmem_exec_t alias unconfined_execmem_exec_t;
+userdom_unpriv_usertype(unconfined, unconfined_execmem_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t)
 
 type unconfined_notrans_t;
 type unconfined_notrans_exec_t;
@@ -95,7 +97,6 @@
 seutil_run_semanage(unconfined_t, unconfined_r)
 
 unconfined_domain_noaudit(unconfined_t)
-domain_mmap_low(unconfined_t)
 
 userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
 
@@ -252,6 +253,10 @@
 	portmap_run_helper(unconfined_t, unconfined_r)
 ')
 
+#optional_policy(`
+#	ppp_run(unconfined_t, unconfined_r)
+#')
+
 optional_policy(`
 	qemu_role_notrans(unconfined_r, unconfined_t)
 	qemu_unconfined_role(unconfined_r)
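Review bot: The commented-out `ppp_run(unconfined_t, unconfined_r)` block is dead text with no explanation of why it is disabled, so it is likely to be silently re-enabled or left to rot. Either remove it or add a one-line reason above it, e.g. `# ppp_run deliberately not granted to unconfined_t: <reason or bug reference>`.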
@@ -277,7 +282,7 @@
 ')
 
 optional_policy(`
-	sandbox_run(unconfined_t, unconfined_r)
+	sandbox_transition(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
@@ -323,6 +328,7 @@
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
 allow unconfined_execmem_t unconfined_t:process transition;
+rpm_transition_script(unconfined_execmem_t)
 
 optional_policy(`
 	init_dbus_chat_script(unconfined_execmem_t)
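Review bot: `rpm_transition_script(unconfined_execmem_t)` is called outside `optional_policy`, unlike the `init_dbus_chat_script` call right below it, so a build without the rpm module fails on an undeclared interface. Wrap it in its own `optional_policy` block like the one that follows it.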
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te	2009-06-25 10:21:01.000000000 +0200
@@ -22,5 +22,9 @@
 ')
 
 optional_policy(`
+	sandbox_transition(user_t, user_r)
+')
+
+optional_policy(`
 	setroubleshoot_dontaudit_stream_connect(user_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.12/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/roles/xguest.te	2009-07-08 21:12:15.000000000 +0200
@@ -36,11 +36,17 @@
 # Local policy
 #
 
+# Dontaudit fusermount
+dontaudit xguest_t self:capability sys_admin;
+
 # Allow mounting of file systems
 optional_policy(`
 	tunable_policy(`xguest_mount_media',`
 		kernel_read_fs_sysctls(xguest_t)
 
+		# allow fusermount
+		allow xguest_t self:capability sys_admin;
+
 		files_dontaudit_getattr_boot_dirs(xguest_t)
 		files_search_mnt(xguest_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.12/policy/modules/services/afs.fc
--- nsaserefpolicy/policy/modules/services/afs.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/afs.fc	2009-08-24 16:34:56.000000000 +0200
@@ -26,7 +26,7 @@
 /vicepb				gen_context(system_u:object_r:afs_files_t,s0)
 /vicepc				gen_context(system_u:object_r:afs_files_t,s0)
 
-
+/usr/vice/cache(/.*)?  		gen_context(system_u:object_r:afs_cache_t,s0)
 /usr/vice/etc/afsd	--	gen_context(system_u:object_r:afs_exec_t,s0)
 
 /var/cache/afs(/.*)?		gen_context(system_u:object_r:afs_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.12/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/afs.te	2009-08-24 16:32:10.000000000 +0200
@@ -331,6 +331,7 @@
 files_mounton_mnt(afs_t)
 files_read_etc_files(afs_t)
 files_rw_etc_runtime_files(afs_t)
+files_read_usr_files(afs_t)
 
 fs_getattr_xattr_fs(afs_t)
 fs_mount_nfs(afs_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc	2009-09-14 14:48:14.000000000 +0200
@@ -40,6 +40,7 @@
 /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/wordpress-mu/wp-config\.php   -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/usr/share/wordpress/wp-content/uploads(/.*)?  gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 
 
 /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -98,4 +99,6 @@
 
 /var/lib/rt3/data/RT-Shredder(/.*)?	gen_context(system_u:object_r:httpd_var_lib_t,s0)
 
-/var/www/svn(/.*)?		gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.12/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/apache.te	2009-09-16 13:39:43.000000000 +0200
@@ -681,6 +681,7 @@
 	unconfined_domain(httpd_unconfined_script_t)
 
 	role system_r types httpd_unconfined_script_t;
+	allow httpd_t httpd_unconfined_script_t:process signal_perms;
 ')
 
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.12/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/apm.te	2009-11-20 13:05:50.000000000 +0100
@@ -220,6 +220,10 @@
 ')
 
 optional_policy(`
+    vbetool_domtrans(apmd_t)
+')
+
+optional_policy(`
 	unconfined_domain(apmd_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.12/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/automount.if	2009-07-20 14:44:39.000000000 +0200
@@ -21,6 +21,24 @@
 
 ########################################
 ## <summary>
+##	Send automount a signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`automount_signal',`
+	gen_require(`
+		type automount_t;
+	')
+
+	allow $1 automount_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute automount in the caller domain.
 ## </summary>
 ## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/avahi.te	2009-06-29 13:28:59.000000000 +0200
@@ -24,7 +24,7 @@
 # Local policy
 #
 
-allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
+allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin setuid sys_chroot };
 dontaudit avahi_t self:capability sys_tty_config;
 allow avahi_t self:process { setrlimit signal_perms getcap setcap };
 allow avahi_t self:fifo_file rw_fifo_file_perms;
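Review bot: Adding `net_admin` to avahi_t's capability set lets the daemon reconfigure interfaces, routes and socket options system-wide, and the hunk does not say what avahi needs it for. Add a comment naming the operation that was denied, e.g. `# net_admin: <operation from the avc denial that motivated this>`, so the grant can be revisited; if it turns out to be a single socket option, a narrower permission may suffice.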
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te	2009-06-25 10:21:01.000000000 +0200
@@ -64,6 +64,7 @@
 allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow bluetooth_t self:tcp_socket create_stream_socket_perms;
 allow bluetooth_t self:udp_socket create_socket_perms;
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.12/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/clamav.te	2009-07-13 11:33:25.000000000 +0200
@@ -106,6 +106,8 @@
 corenet_tcp_bind_generic_port(clamd_t)
 corenet_tcp_connect_generic_port(clamd_t)
 
+auth_use_nsswitch(clamd_t) 
+
 dev_read_rand(clamd_t)
 dev_read_urand(clamd_t)
 
@@ -179,6 +181,8 @@
 corenet_tcp_connect_http_port(freshclam_t)
 corenet_sendrecv_http_client_packets(freshclam_t)
 
+auth_use_nsswitch(freshclam_t)
+
 dev_read_rand(freshclam_t)
 dev_read_urand(freshclam_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.6.12/policy/modules/services/cobbler.fc
--- nsaserefpolicy/policy/modules/services/cobbler.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/cobbler.fc	2009-09-30 09:41:34.000000000 +0200
@@ -0,0 +1,2 @@
+
+/var/lib/cobbler(/.*)?                  gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.6.12/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/cobbler.if	2009-09-30 10:26:41.000000000 +0200
@@ -0,0 +1,21 @@
+## <summary>cobbler server policy</summary>
+
+#######################################
+## <summary>
+##      Read cobbler lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cobbler_read_lib_files',`
+        gen_require(`
+                type cobbler_var_lib_t;
+        ')
+
+        read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+        allow $1 cobbler_var_lib_t:dir list_dir_perms;
+        files_search_var_lib($1)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.12/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/cobbler.te	2009-09-30 09:41:20.000000000 +0200
@@ -0,0 +1,10 @@
+
+policy_module(cobbler,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cobbler_var_lib_t;
+files_type(cobbler_var_lib_t)
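Review bot: `policy_module(cobbler,1.0.0)` drops the space after the comma that the usual refpolicy `policy_module(name, version)` spacing uses, and the file opens with a stray blank line. The module also declares only `cobbler_var_lib_t` with no domain that owns it, so a short comment above the type, e.g. `# no cobbler domain yet; this type only labels /var/lib/cobbler for readers via cobbler_read_lib_files`, would tell the next reader the omission is intentional.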
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te	2009-10-29 22:41:51.000000000 +0100
@@ -14,7 +14,7 @@
 files_pid_file(consolekit_var_run_t)
 
 type consolekit_log_t;
-files_pid_file(consolekit_log_t)
+logging_log_file(consolekit_log_t)
 
 ########################################
 #
@@ -50,11 +50,14 @@
 files_read_usr_files(consolekit_t)
 # needs to read /var/lib/dbus/machine-id
 files_read_var_lib_files(consolekit_t)
+files_search_all_mountpoints(consolekit_t)
 
 fs_list_inotifyfs(consolekit_t)
 
 term_use_all_terms(consolekit_t)
 
+auth_manage_pam_console_data(consolekit_t)  
+
 auth_use_nsswitch(consolekit_t)
 
 init_telinit(consolekit_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cron.if	2009-07-13 10:01:22.000000000 +0200
@@ -163,27 +163,14 @@
 #
 interface(`cron_unconfined_role',`
 	gen_require(`
-		type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
+		type unconfined_cronjob_t;
 	')
 
-	role $1 types { unconfined_cronjob_t admin_crontab_t };
+	role $1 types unconfined_cronjob_t;
 
 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
 
-	# Transition from the user domain to the derived domain.
-	domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
-
-	# crontab shows up in user ps
-	ps_process_pattern($2, admin_crontab_t)
-	allow $2 admin_crontab_t:process signal;
-
-	# Run helper programs as the user domain
-	#corecmd_bin_domtrans(admin_crontab_t, $2)
-	#corecmd_shell_domtrans(admin_crontab_t, $2)
-	corecmd_exec_bin(admin_crontab_t)
-	corecmd_exec_shell(admin_crontab_t)
-
 	optional_policy(`
 		gen_require(`
 			class dbus send_msg;
@@ -282,6 +269,8 @@
 	allow $1 crond_t:fd use;
 	allow $1 crond_t:process sigchld;
 
+	dontaudit $1 crond_t:fifo_file rw_fifo_file_perms;
+
 	userdom_dontaudit_list_admin_dir($1)
 	role system_r types $1;
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cron.te	2009-07-30 17:13:52.000000000 +0200
@@ -440,7 +440,7 @@
 init_dontaudit_rw_utmp(system_cronjob_t)
 # prelink tells init to restart it self, we either need to allow or dontaudit
 init_telinit(system_cronjob_t)
-init_spec_domtrans_script(system_cronjob_t)
+init_domtrans_script(system_cronjob_t)
 
 auth_use_nsswitch(system_cronjob_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.12/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cups.fc	2009-08-11 09:45:17.000000000 +0200
@@ -53,6 +53,8 @@
 /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
+/var/lib/hp(/.*)?               gen_context(system_u:object_r:hplip_var_lib_t,s0)
+
 /var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
 /var/log/turboprint.*		gen_context(system_u:object_r:cupsd_log_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cups.te	2009-11-05 17:54:34.000000000 +0100
@@ -59,12 +59,13 @@
 init_daemon_domain(hplip_t, hplip_exec_t)
 # For CUPS to run as a backend
 cups_backend(hplip_t, hplip_exec_t)
-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
 
 type hplip_etc_t;
 files_config_file(hplip_etc_t)
 
+type hplip_var_lib_t;
+files_type(hplip_var_lib_t)
+
 type hplip_var_run_t;
 files_pid_file(hplip_var_run_t)
 
@@ -163,6 +164,9 @@
 files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
 
 allow cupsd_t hplip_t:process {signal sigkill };
+
+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+
 allow cupsd_t hplip_var_run_t:file read_file_perms;
 
 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
@@ -376,6 +380,10 @@
 manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
 files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
 
+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+ 
+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
+
 kernel_read_system_state(cupsd_config_t)
 kernel_read_all_sysctls(cupsd_config_t)
 
@@ -574,9 +582,8 @@
 read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
 files_search_etc(hplip_t)
 
-fs_rw_anon_inodefs_files(hplip_t)
-
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
+manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
 
 manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
 files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
@@ -604,6 +611,7 @@
 corenet_tcp_connect_ipp_port(hplip_t)
 corenet_sendrecv_hplip_client_packets(hplip_t)
 corenet_receive_hplip_server_packets(hplip_t)
+corenet_udp_bind_howl_port(hplip_t)
 
 dev_read_sysfs(hplip_t)
 dev_rw_printer(hplip_t)
@@ -615,6 +623,7 @@
 
 fs_getattr_all_fs(hplip_t)
 fs_search_auto_mountpoints(hplip_t)
+fs_rw_anon_inodefs_files(hplip_t)
 
 # for python
 corecmd_exec_bin(hplip_t)
@@ -733,6 +742,8 @@
 files_read_etc_files(cups_pdf_t)
 files_read_usr_files(cups_pdf_t)
 
+fs_rw_anon_inodefs_files(cups_pdf_t)  
+
 kernel_read_system_state(cups_pdf_t)
 
 auth_use_nsswitch(cups_pdf_t)
@@ -746,6 +757,7 @@
 manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
 files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
 
+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
 userdom_home_filetrans_user_home_dir(cups_pdf_t)
 userdom_manage_user_home_content_dirs(cups_pdf_t)
 userdom_manage_user_home_content_files(cups_pdf_t)
@@ -765,3 +777,10 @@
 manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
 miscfiles_read_fonts(cups_pdf_t)
 
+#need to read user-dirs.dirs
+optional_policy(`
+	gnome_read_config(cups_pdf_t)
+')
+
+
+
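Review bot: The new optional_policy block is followed by three added blank lines at end of file, and the comment above it runs its text into the hash; write it as `# cups-pdf reads ~/.config/user-dirs.dirs to find the output directory` (or whatever the tested need is) and drop the trailing blank lines. The grant itself, gnome_read_config on cups_pdf_t, is consistent with the user-home rules already in this domain.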
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.6.12/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/cyrus.te	2009-09-16 13:08:45.000000000 +0200
@@ -136,6 +136,7 @@
 
 optional_policy(`
 	snmp_read_snmp_var_lib_files(cyrus_t)
+	snmp_stream_connect(cyrus_t)
 	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/dbus.if	2009-10-02 09:02:08.000000000 +0200
@@ -176,6 +176,10 @@
 		xserver_use_xdm_fds($1_dbusd_t)
 		xserver_rw_xdm_pipes($1_dbusd_t)
 	')
+
+	optional_policy(`
+                xserver_use_xdm($1_dbusd_t)
+        ')
 ')
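Review bot: The new `xserver_use_xdm($1_dbusd_t)` call sits in a second optional_policy block immediately after one that already wraps the other xserver_* calls for the same domain, and it is indented with spaces where the surrounding file uses tabs. Fold it into the existing block so the xserver dependency is declared once, as a third line after `xserver_rw_xdm_pipes($1_dbusd_t)`. The enclosing interface starts outside this hunk.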
 
 ########################################
@@ -458,3 +462,27 @@
 	allow $1 system_dbusd_t:tcp_socket { read write };
 	allow $1 system_dbusd_t:fd use;
 ')
+
+#######################################
+## <summary>
+##      Dontaudit connect to system dbus 
+##	over an unix domain stream socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dbus_dontaudit_system_bus_stream_connect',`
+        gen_require(`
+                type system_dbusd_t, system_dbusd_var_run_t;
+        ')
+
+	dontaudit $1 system_dbusd_var_run_t:dir list_dir_perms;
+	dontaudit $1 system_dbusd_var_run_t:file read_file_perms;
+	dontaudit $1 system_dbusd_var_run_t:sock_file rw_sock_file_perms;
+        dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
+')
+
+
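Review bot: The dontaudit set in dbus_dontaudit_system_bus_stream_connect is wider than a stream connect needs: stream_connect_pattern requires only dir search, sock_file write and unix_stream_socket connectto, yet this interface also silences `list_dir_perms` on the directory and `read_file_perms` on every file in system_dbusd_var_run_t, which hides unrelated denials such as a domain reading the bus pid file. Narrow it to `dontaudit $1 system_dbusd_var_run_t:dir search_dir_perms;` and `dontaudit $1 system_dbusd_var_run_t:sock_file write_sock_file_perms;` and keep the connectto line. The summary should read "over a unix domain stream socket", the block mixes space and tab indentation where the rest of the file uses tabs, and two blank lines are added at end of file.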
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/dcc.te	2009-06-25 10:21:01.000000000 +0200
@@ -130,11 +130,13 @@
 
 # Access files in /var/dcc. The map file can be updated
 allow dcc_client_t dcc_var_t:dir list_dir_perms;
-read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_client_t)
 
+fs_getattr_all_fs(dcc_client_t)
+
 corenet_all_recvfrom_unlabeled(dcc_client_t)
 corenet_all_recvfrom_netlabel(dcc_client_t)
 corenet_udp_bind_generic_node(dcc_client_t)
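Review bot: The comment above the changed line still says only "The map file can be updated", but `manage_files_pattern` now lets dcc_client_t create, unlink and rename any file under /var/dcc, which is more than updating an existing map file. If the client only rewrites the map in place, `rw_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` covers that without the create/delete rights; if it really replaces the file through a temp file and rename, keep manage but update the comment to say so. The added fs_getattr_all_fs is a common statfs need and is fine.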
@@ -154,6 +156,10 @@
 userdom_use_user_terminals(dcc_client_t)
 
 optional_policy(`
+	amavis_read_spool_files(dcc_client_t)
+')
+
+optional_policy(`
 	spamassassin_read_spamd_tmp_files(dcc_client_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.12/policy/modules/services/ddclient.if
--- nsaserefpolicy/policy/modules/services/ddclient.if	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ddclient.if	2009-06-25 10:21:01.000000000 +0200
@@ -21,6 +21,31 @@
 
 ########################################
 ## <summary>
+##	 Execute ddclient daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	 Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the ppp domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddclient_run',`
+	gen_require(`
+		type ddclient_t;
+	')
+
+	ddclient_domtrans($1)
+	role $2 types ddclient_t;
+')
+
+########################################
+## <summary>
 ##	All of the rules required to administrate 
 ##	an ddclient environment
 ## </summary>
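Review bot: The `role` parameter documentation in the new ddclient_run interface says "The role to allow the ppp domain.", copied from another module; it should read `## The role to allow the ddclient domain.`. The interface body itself (ddclient_domtrans plus the role statement) follows the usual *_run shape and the gen_require is correct.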
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te	2009-06-25 10:21:01.000000000 +0200
@@ -55,7 +55,7 @@
 #
 # DeviceKit-Power local policy
 #
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice };
+allow devicekit_power_t self:capability { dac_override sys_ptrace sys_tty_config sys_nice };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 
@@ -77,6 +77,7 @@
 kernel_rw_kernel_sysctl(devicekit_power_t)
 kernel_write_proc_files(devicekit_power_t)
 
+dev_read_input(devicekit_power_t)
 dev_rw_generic_usb_dev(devicekit_power_t)
 dev_rw_netcontrol(devicekit_power_t)
 dev_rw_sysfs(devicekit_power_t)
@@ -107,6 +108,7 @@
 ')
 
 optional_policy(`
+	polkit_dbus_chat(devicekit_power_t)
 	polkit_domtrans_auth(devicekit_power_t)
 	polkit_read_lib(devicekit_power_t)
 	polkit_read_reload(devicekit_power_t)
@@ -147,6 +149,7 @@
 
 allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
 
 manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
 manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
@@ -199,6 +202,7 @@
 ')
 
 optional_policy(`
+	polkit_dbus_chat(devicekit_disk_t)
 	polkit_domtrans_auth(devicekit_disk_t)
 	polkit_read_lib(devicekit_disk_t)
 	polkit_read_reload(devicekit_disk_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te	2009-09-30 09:43:10.000000000 +0200
@@ -83,10 +83,18 @@
 userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
 
 optional_policy(`
+	cobbler_read_lib_files(dnsmasq_t)
+')
+
+optional_policy(`
 	cron_manage_pid_files(dnsmasq_t)
 ')
 
 optional_policy(`
+	dbus_system_bus_client(dnsmasq_t)
+')
+
+optional_policy(`
 	tftp_read_content(dnsmasq_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.12/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/dovecot.if	2009-07-31 13:05:17.000000000 +0200
@@ -2,47 +2,44 @@
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete the dovecot spool files.
+##	Connect to dovecot auth unix domain stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`dovecot_manage_spool',`
+interface(`dovecot_stream_connect_auth',`
 	gen_require(`
-		type dovecot_spool_t;
+		type dovecot_auth_t, dovecot_var_run_t;
 	')
 
-	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
-	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+	stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
 ')
 
 ########################################
 ## <summary>
-##	Connect to dovecot auth unix domain stream socket.
+##	Execute dovecot_deliver in the dovecot_deliver domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`dovecot_auth_stream_connect',`
+interface(`dovecot_domtrans_deliver',`
 	gen_require(`
-		type dovecot_auth_t, dovecot_var_run_t;
+		type dovecot_deliver_t, dovecot_deliver_exec_t;
 	')
 
-	allow $1 dovecot_var_run_t:dir search;
-	allow $1 dovecot_var_run_t:sock_file write;
-	allow $1 dovecot_auth_t:unix_stream_socket connectto;
+	domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute dovecot_deliver in the dovecot_deliver domain.
+##	Create, read, write, and delete the dovecot spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -50,17 +47,18 @@
 ##	</summary>
 ## </param>
 #
-interface(`dovecot_domtrans_deliver',`
+interface(`dovecot_manage_spool',`
 	gen_require(`
-		type dovecot_deliver_t, dovecot_deliver_exec_t;
+		type dovecot_spool_t;
 	')
 
-	domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
+	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
+	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
 ')
 
-#######################################
+########################################
 ## <summary>
-##      Do not audit attempts to d`elete dovecot lib files.
+##	Do not audit attempts to delete dovecot lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.12/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/dovecot.te	2009-09-30 15:36:17.000000000 +0200
@@ -1,5 +1,5 @@
 
-policy_module(dovecot, 1.10.2)
+policy_module(dovecot, 1.10.3)
 
 ########################################
 #
@@ -15,15 +15,18 @@
 domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
 role system_r types dovecot_auth_t;
 
+type dovecot_auth_tmp_t;
+files_tmp_file(dovecot_auth_tmp_t)
+
+type dovecot_cert_t;
+files_type(dovecot_cert_t)
+
 type dovecot_deliver_t;
 type dovecot_deliver_exec_t;
 domain_type(dovecot_deliver_t)
 domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
 role system_r types dovecot_deliver_t;
 
-type dovecot_cert_t;
-files_type(dovecot_cert_t)
-
 type dovecot_etc_t;
 files_config_file(dovecot_etc_t)
 
@@ -46,9 +49,6 @@
 type dovecot_var_run_t;
 files_pid_file(dovecot_var_run_t)
 
-type dovecot_auth_tmp_t;
-files_tmp_file(dovecot_auth_tmp_t)
-
 ########################################
 #
 # dovecot local policy
@@ -56,7 +56,7 @@
 
 allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 dontaudit dovecot_t self:capability sys_tty_config;
-allow dovecot_t self:process { setrlimit signal_perms };
+allow dovecot_t self:process { getcap setcap setrlimit signal_perms };
 allow dovecot_t self:fifo_file rw_fifo_file_perms;
 allow dovecot_t self:tcp_socket create_stream_socket_perms;
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
@@ -73,7 +73,6 @@
 
 can_exec(dovecot_t, dovecot_exec_t)
 
-# log files
 manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
 logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
 
@@ -181,7 +180,7 @@
 
 allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
 manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
-dovecot_auth_stream_connect(dovecot_auth_t)
+dovecot_stream_connect_auth(dovecot_auth_t)
 
 kernel_read_all_sysctls(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
@@ -252,9 +251,10 @@
 
 miscfiles_read_localization(dovecot_deliver_t)
 
-dovecot_auth_stream_connect(dovecot_deliver_t)
+dovecot_stream_connect_auth(dovecot_deliver_t)
 
 files_search_tmp(dovecot_deliver_t)
+
 fs_getattr_all_fs(dovecot_deliver_t)
 
 userdom_manage_user_home_content_dirs(dovecot_deliver_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.12/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/exim.te	2009-09-14 14:36:18.000000000 +0200
@@ -111,6 +111,7 @@
 files_search_var(exim_t)
 files_read_etc_files(exim_t)
 files_read_etc_runtime_files(exim_t)
+files_getattr_all_mountpoints(exim_t)
 
 auth_use_nsswitch(exim_t)
 
@@ -148,7 +149,11 @@
 ')
 
 optional_policy(`
-	dovecot_auth_stream_connect(exim_t)
+	dovecot_stream_connect_auth(exim_t)
+')
+
+optional_policy(`
+	sendmail_manage_tmp(exim_t)
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.12/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/fail2ban.te	2009-10-16 13:32:38.000000000 +0200
@@ -79,6 +79,7 @@
 auth_use_nsswitch(fail2ban_t)
 
 logging_read_all_logs(fail2ban_t)
+logging_send_syslog_msg(fail2ban_t)
 
 miscfiles_read_localization(fail2ban_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.12/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/fetchmail.te	2009-06-29 16:22:53.000000000 +0200
@@ -60,6 +60,8 @@
 corenet_tcp_connect_all_ports(fetchmail_t)
 corenet_sendrecv_all_client_packets(fetchmail_t)
 
+corecmd_exec_shell(fetchmail_t)
+
 dev_read_sysfs(fetchmail_t)
 dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
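Review bot: `corecmd_exec_shell(fetchmail_t)` lets a network-facing mail retriever run a shell in its own domain with no transition, so whatever that shell executes inherits fetchmail_t's connect-to-all-ports access shown in the context above; presumably this is for the mda/preconnect style commands in .fetchmailrc, but the hunk does not say. Add a comment naming the feature, e.g. `# fetchmailrc mda/preconnect commands run through a shell`, and consider gating the grant behind a tunable so installations that do not use those options do not carry it.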
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-08-13 18:07:07.000000000 +0200
@@ -22,12 +22,17 @@
 
 corecmd_search_bin(fprintd_t)
 
+dev_list_usbfs(fprintd_t)
 dev_rw_generic_usb_dev(fprintd_t)
 dev_read_sysfs(fprintd_t)
 
+fs_getattr_all_fs(fprintd_t)  
+
 files_read_etc_files(fprintd_t)
 files_read_usr_files(fprintd_t)
 
+kernel_read_system_state(fprintd_t)
+
 auth_use_nsswitch(fprintd_t)
 
 miscfiles_read_localization(fprintd_t)
@@ -40,9 +45,10 @@
 ')
 
 optional_policy(`
-	polkit_read_reload(fprintd_t)
-	polkit_read_lib(fprintd_t)
+	polkit_dbus_chat(fprintd_t)
 	polkit_domtrans_auth(fprintd_t)
+	polkit_read_lib(fprintd_t)
+	polkit_read_reload(fprintd_t)
 ')
 
 permissive fprintd_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ftp.te	2009-08-24 09:30:32.000000000 +0200
@@ -85,12 +85,23 @@
 type xferlog_t;
 logging_log_file(xferlog_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
+')  
+
 ########################################
 #
 # ftpd local policy
 #
 
 allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
+ifdef(`hide_broken_symptoms', `
+allow ftpd_t self:capability { sys_admin };
+')
 dontaudit ftpd_t self:capability sys_tty_config;
 allow ftpd_t self:process signal_perms;
 allow ftpd_t self:process { getcap setcap setsched setrlimit };
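Review bot: The hide_broken_symptoms block grants `allow ftpd_t self:capability { sys_admin };`, but that build option is meant to wrap dontaudit rules that quiet harmless denials, not to hand out capabilities; sys_admin is close to root-equivalent and an allow under this ifdef turns a cosmetic build flag into a real privilege grant on every hide_broken_symptoms build. If the denial is harmless, make it `dontaudit ftpd_t self:capability sys_admin;`; if ftpd genuinely needs sys_admin, grant it unconditionally with a comment naming the operation. The ifdef body should also be indented with a tab like the other ifdef bodies in the hunk.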
@@ -99,6 +110,7 @@
 allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
 allow ftpd_t self:tcp_socket create_stream_socket_perms;
 allow ftpd_t self:udp_socket create_socket_perms;
+allow ftpd_t self:shm create_shm_perms; 
 allow ftpd_t self:key manage_key_perms;
 
 allow ftpd_t ftpd_etc_t:file read_file_perms;
@@ -129,8 +141,7 @@
 allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
 
 # Create and modify /var/log/xferlog.
-allow ftpd_t xferlog_t:dir search_dir_perms;
-allow ftpd_t xferlog_t:file manage_file_perms;
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
 logging_log_filetrans(ftpd_t, xferlog_t, file)
 
 kernel_read_kernel_sysctls(ftpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.12/policy/modules/services/gnomeclock.te
--- nsaserefpolicy/policy/modules/services/gnomeclock.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.te	2009-06-25 10:21:01.000000000 +0200
@@ -44,6 +44,7 @@
 ')
 
 optional_policy(`
+	polkit_dbus_chat(gnomeclock_t)
 	polkit_domtrans_auth(gnomeclock_t)
 	polkit_read_lib(gnomeclock_t)
 	polkit_read_reload(gnomeclock_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.12/policy/modules/services/gpsd.fc
--- nsaserefpolicy/policy/modules/services/gpsd.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/gpsd.fc	2009-06-25 10:25:21.000000000 +0200
@@ -1,3 +1,6 @@
+/etc/rc\.d/init\.d/gpsd          --      gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
 
 /usr/sbin/gpsd                 --      gen_context(system_u:object_r:gpsd_exec_t,s0)
 
+/var/run/gpsd\.pid               --      gen_context(system_u:object_r:gpsd_var_run_t,s0)
+/var/run/gpsd\.sock              -s      gen_context(system_u:object_r:gpsd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.12/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/gpsd.te	2009-08-20 14:46:39.000000000 +0200
@@ -8,17 +9,23 @@
 type gpsd_t;
 type gpsd_exec_t;
 application_domain(gpsd_t, gpsd_exec_t)
-role system_r types gpsd_t;
+init_daemon_domain(gpsd_t, gpsd_exec_t)
+
+type gpsd_initrc_exec_t;
+init_script_file(gpsd_initrc_exec_t)
 
 type gpsd_tmpfs_t;
 files_tmpfs_file(gpsd_tmpfs_t)
 
+type gpsd_var_run_t;
+files_pid_file(gpsd_var_run_t)
+
 ########################################
 #
 # gpsd local policy
 #
 
-allow gpsd_t self:capability { setuid sys_nice setgid fowner };
+allow gpsd_t self:capability { setuid sys_nice setgid fowner fsetid };
 allow gpsd_t self:process setsched;
 allow gpsd_t self:shm create_shm_perms;
 allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
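Review bot: gpsd_t is now declared with both `application_domain` and `init_daemon_domain` on the same exec type; if the intent is for gpsd to run only as a system daemon from the new initrc script, the application_domain line should go, since keeping both also leaves gpsd_t attributed as an application domain, which other interfaces may key off. If users are meant to start gpsd by hand as well, say so in a comment. The new `fsetid` capability should likewise get a one-line reason, since nothing in the hunk shows what creates setgid files.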
@@ -28,6 +35,15 @@
 manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
 fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file })
 
+manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+
+corenet_all_recvfrom_unlabeled(gpsd_t)
+corenet_all_recvfrom_netlabel(gpsd_t)
+corenet_tcp_sendrecv_generic_if(gpsd_t)
+corenet_tcp_sendrecv_generic_node(gpsd_t)
+corenet_tcp_sendrecv_all_ports(gpsd_t)
 corenet_tcp_bind_all_nodes(gpsd_t)
 corenet_tcp_bind_gpsd_port(gpsd_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/hal.te	2009-09-02 10:30:14.000000000 +0200
@@ -103,6 +103,7 @@
 kernel_rw_irq_sysctls(hald_t)
 kernel_rw_vm_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
+kernel_search_network_sysctl(hald_t)
 kernel_setsched(hald_t)
 
 auth_read_pam_console_data(hald_t)
@@ -162,6 +163,7 @@
 fs_mount_dos_fs(hald_t)
 fs_unmount_dos_fs(hald_t)
 fs_manage_dos_files(hald_t)
+fs_manage_fusefs_dirs(hald_t)
 
 files_getattr_all_mountpoints(hald_t)
 
@@ -211,6 +213,7 @@
 
 sysnet_read_config(hald_t)
 sysnet_domtrans_dhcpc(hald_t)
+sysnet_domtrans_ifconfig(hald_t)  
 
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_user_home_dirs(hald_t)
@@ -297,6 +300,7 @@
 ')
 
 optional_policy(`
+	polkit_dbus_chat(hald_t)
 	polkit_domtrans_auth(hald_t)
 	polkit_domtrans_resolve(hald_t)
 	polkit_read_lib(hald_t)
@@ -369,6 +373,8 @@
 files_read_usr_files(hald_acl_t)
 files_read_etc_files(hald_acl_t)
 
+fs_getattr_all_fs(hald_acl_t)  
+
 storage_getattr_removable_dev(hald_acl_t)
 storage_setattr_removable_dev(hald_acl_t)
 storage_getattr_fixed_disk_dev(hald_acl_t)
@@ -381,6 +387,7 @@
 miscfiles_read_localization(hald_acl_t)
 
 optional_policy(`
+	polkit_dbus_chat(hald_acl_t)
 	polkit_domtrans_auth(hald_acl_t)
 	polkit_read_lib(hald_acl_t)
 	polkit_read_reload(hald_acl_t)
@@ -470,6 +477,8 @@
 #
 # Local hald dccm policy
 #
+
+allow hald_dccm_t self:fifo_file rw_fifo_file_perms;
 allow hald_dccm_t self:capability { net_bind_service };
 allow hald_dccm_t self:process getsched;
 allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
@@ -480,6 +489,8 @@
 allow hald_t hald_dccm_t:process signal;
 allow hald_dccm_t hald_t:unix_stream_socket connectto;
 
+hal_rw_dgram_sockets(hald_dccm_t)
+
 corenet_all_recvfrom_unlabeled(hald_dccm_t)
 corenet_all_recvfrom_netlabel(hald_dccm_t)
 corenet_tcp_sendrecv_generic_if(hald_dccm_t)
@@ -508,4 +519,8 @@
 
 miscfiles_read_localization(hald_dccm_t)
 
+optional_policy(`
+       dbus_system_bus_client(hald_dccm_t)
+')
+
 permissive hald_dccm_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.6.12/policy/modules/services/hddtemp.fc
--- nsaserefpolicy/policy/modules/services/hddtemp.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/hddtemp.fc	2009-08-13 08:56:27.000000000 +0200
@@ -0,0 +1,4 @@
+
+/etc/rc\.d/init\.d/hddtemp      --      gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0)
+
+/usr/sbin/hddtemp             	--      gen_context(system_u:object_r:hddtemp_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.if serefpolicy-3.6.12/policy/modules/services/hddtemp.if
--- nsaserefpolicy/policy/modules/services/hddtemp.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/hddtemp.if	2009-08-13 08:56:27.000000000 +0200
@@ -0,0 +1,38 @@
+## <summary>hddtemp hard disk temperature tool running as a daemon</summary>
+
+#######################################
+## <summary>
+##      Execute hddtemp in the hddtemp domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`hddtemp_domtrans',`
+        gen_require(`
+                type hddtemp_t, hddtemp_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
+')
+
+######################################
+## <summary>
+##      Execute hddtemp 
+## </summary>
+## <param name="domain">
+##      <summary>
+##      The type of the process performing this action.
+##      </summary>
+## </param>
+#
+interface(`hddtemp_exec',`
+        gen_require(`
+                type hddtemp_exec_t;
+        ')
+
+        can_exec($1, hddtemp_exec_t)
+')
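Review bot: The new hddtemp.if indents with spaces where the other .if files in this patch use tabs, and the hddtemp_exec summary is just "Execute hddtemp", which does not say that the caller stays in its own domain; write it as `## Execute hddtemp in the caller domain.`. The hddtemp_domtrans summary and parameter text are fine. Since the module declares an initrc type, an admin interface like the ddclient_admin one referenced earlier in this patch would be the usual companion, though it is not required.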
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.6.12/policy/modules/services/hddtemp.te
--- nsaserefpolicy/policy/modules/services/hddtemp.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/hddtemp.te	2009-08-13 08:56:27.000000000 +0200
@@ -0,0 +1,40 @@
+policy_module(hddtemp,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hddtemp_t;
+type hddtemp_exec_t;
+init_daemon_domain(hddtemp_t,hddtemp_exec_t)
+
+type hddtemp_initrc_exec_t;
+init_script_file(hddtemp_initrc_exec_t)
+
+########################################
+#
+# hddtemp local policy
+#
+
+allow hddtemp_t self:capability sys_rawio;
+dontaudit hddtemp_t self:capability sys_admin;
+
+allow hddtemp_t self:netlink_route_socket r_netlink_socket_perms;
+allow hddtemp_t self:tcp_socket create_stream_socket_perms;
+allow hddtemp_t self:udp_socket create_socket_perms;
+
+corenet_tcp_bind_all_nodes(hddtemp_t)
+corenet_tcp_bind_hddtemp_port(hddtemp_t)
+
+storage_raw_read_fixed_disk(hddtemp_t)
+
+# read hddtemp db file
+files_read_usr_files(hddtemp_t)
+
+logging_send_syslog_msg(hddtemp_t)
+
+miscfiles_read_localization(hddtemp_t)
+
+permissive hddtemp_t;
+
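Review bot: The module ships with `permissive hddtemp_t;`, so none of the rules above are enforced and gaps stay invisible in testing; the most obvious gap is the network, where the daemon binds the hddtemp TCP port but has no `corenet_tcp_sendrecv_generic_if`, `corenet_tcp_sendrecv_generic_node` or `corenet_all_recvfrom_unlabeled`/netlabel rules, so in enforcing mode it could accept connections but not exchange data. Add those, drop the permissive line once the daemon runs clean under enforcing, and put a reason on the `sys_rawio` grant (presumably SMART ioctls on the raw disk, but the hunk does not show it). The file also ends with a trailing blank line.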
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.12/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/kerberos.if	2009-06-25 10:21:01.000000000 +0200
@@ -70,6 +70,7 @@
 interface(`kerberos_use',`
 	gen_require(`
 		type krb5_conf_t, krb5kdc_conf_t;
+		type krb5_host_rcache_t;
 	')
 
 	files_search_etc($1)
@@ -101,6 +102,7 @@
 		corenet_tcp_connect_ocsp_port($1)
 		corenet_sendrecv_kerberos_client_packets($1)
 		corenet_sendrecv_ocsp_client_packets($1)
+		allow $1 krb5_host_rcache_t:file getattr;
 	')
 
 	optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/kerberos.te	2009-07-07 08:19:18.000000000 +0200
@@ -277,6 +277,8 @@
 #
 
 allow kpropd_t self:capability net_bind_service;
+allow kpropd_t self:process setfscreate;
+
 allow kpropd_t self:fifo_file rw_file_perms;
 allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
 allow kpropd_t self:tcp_socket create_stream_socket_perms;
@@ -287,6 +289,12 @@
 
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t)
+filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
+
+manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
 
 corecmd_exec_bin(kpropd_t)
 
@@ -302,10 +310,14 @@
 files_read_etc_files(kpropd_t)
 files_search_tmp(kpropd_t)
 
+selinux_validate_context(kpropd_t)
+
 logging_send_syslog_msg(kpropd_t)
 
 miscfiles_read_localization(kpropd_t)
 
+seutil_read_file_contexts(kpropd_t)
+
 sysnet_dns_name_resolve(kpropd_t)
 
 kerberos_use(kpropd_t)
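Review bot: `selinux_validate_context` and `seutil_read_file_contexts` here, together with the `setfscreate` process permission added earlier in this file, mean kpropd now picks labels for files it creates itself, but nothing says which files or why the filetrans rules in the previous hunk are not enough. Add a comment at the setfscreate line naming the file, for example `# kpropd sets the create context when writing the received principal database` if that is what the code does; confirm against kprop before keeping the wording.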
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/lircd.te	2009-10-16 13:42:13.000000000 +0200
@@ -45,6 +45,13 @@
 dev_filetrans(lircd_t, lircd_sock_t, sock_file )
 dev_read_generic_usb_dev(lircd_t)
 
+dev_filetrans_lirc(lircd_t)
+dev_rw_input_dev(lircd_t)
+dev_rw_lirc(lircd_t)
+dev_rw_mouse(lircd_t)
+
+dev_read_generic_usb_dev(lircd_t)
+
 logging_send_syslog_msg(lircd_t)
 
 files_read_etc_files(lircd_t)
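Review bot: `dev_read_generic_usb_dev(lircd_t)` is added on the new side although the identical call already appears as context two lines above the insertion point, so the rule is declared twice; drop the duplicate. The new `dev_rw_input_dev` and `dev_rw_mouse` lines give lircd write access to input and mouse device nodes, which allows injecting events rather than just reading the remote; if only reading is needed, the read-only variants (dev_read_input, as used in devicekit.te in this patch) are enough, and if lircd's uinput output is the reason, keep rw and say so in a comment.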
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.12/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/mailman.if	2009-06-25 10:21:01.000000000 +0200
@@ -197,6 +197,7 @@
 		type mailman_data_t;
 	')
 
+	list_dirs_pattern($1, mailman_data_t, mailman_data_t)
 	read_files_pattern($1, mailman_data_t, mailman_data_t)
 	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.12/policy/modules/services/milter.if
--- nsaserefpolicy/policy/modules/services/milter.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/milter.if	2009-10-16 13:35:27.000000000 +0200
@@ -35,6 +35,8 @@
 	# Create other data files and directories in the data directory
 	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
 
+	files_read_etc_files($1_milter_t)
+
 	miscfiles_read_localization($1_milter_t)
 
 	logging_send_syslog_msg($1_milter_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/mta.if	2009-06-25 10:21:01.000000000 +0200
@@ -473,6 +473,7 @@
 	')
 
 	write_files_pattern($1, etc_mail_t, etc_mail_t)
+	allow $1 etc_mail_t:file setattr;
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.12/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/mysql.te	2009-11-19 10:03:36.000000000 +0100
@@ -136,15 +136,20 @@
 allow mysqld_safe_t self:capability { dac_override fowner chown };
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
+allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
+ 
 allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
 logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 
-mysql_append_db_files(mysqld_safe_t)        
+domain_read_all_domains_state(mysqld_safe_t)
+
+mysql_manage_db_files(mysqld_safe_t)        
 mysql_read_config(mysqld_safe_t)
 mysql_search_pid_files(mysqld_safe_t)
 mysql_write_log(mysqld_safe_t)
 
 kernel_read_system_state(mysqld_safe_t) 
+kernel_read_kernel_sysctls(mysqld_safe_t) 
 
 dev_list_sysfs(mysqld_safe_t)
      
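Review bot: mysqld_safe_t moves from mysql_append_db_files to `mysql_manage_db_files`, which lets the shell wrapper create, delete and rewrite every database file, and `domain_read_all_domains_state` lets it read the /proc state of every domain on the system; both are large steps up for a launcher script. If the need is chown/touch of the datadir at startup, say so and check whether a narrower interface than full manage covers it; if it is only pid or ps checks of its own mysqld child, `ps_process_pattern(mysqld_safe_t, mysqld_t)` reads that one domain instead of all. Add a comment naming the mysqld_safe operation behind each grant so the breadth can be revisited later.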
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.12/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/nis.te	2009-06-26 15:48:39.000000000 +0200
@@ -72,8 +72,7 @@
 manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
 
 kernel_read_kernel_sysctls(ypbind_t)
-kernel_list_proc(ypbind_t)
-kernel_read_proc_symlinks(ypbind_t)
+kernel_read_system_state(ypbind_t)
 
 corenet_all_recvfrom_unlabeled(ypbind_t)
 corenet_all_recvfrom_netlabel(ypbind_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.12/policy/modules/services/nslcd.fc
--- nsaserefpolicy/policy/modules/services/nslcd.fc	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/nslcd.fc	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,4 @@
+/usr/sbin/nslcd	--	gen_context(system_u:object_r:nslcd_exec_t,s0)
+/etc/nss-ldapd.conf	--	gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd	--	gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/var/run/nslcd(/.*)?			gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.12/policy/modules/services/nslcd.if
--- nsaserefpolicy/policy/modules/services/nslcd.if	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/nslcd.if	2009-10-29 22:58:40.000000000 +0100
@@ -0,0 +1,144 @@
+
+## <summary>policy for nslcd</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run nslcd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nslcd_domtrans',`
+	gen_require(`
+		type nslcd_t;
+                type nslcd_exec_t;
+	')
+
+	domtrans_pattern($1,nslcd_exec_t,nslcd_t)
+')
+
+
+########################################
+## <summary>
+##	Execute nslcd server in the nslcd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nslcd_initrc_domtrans',`
+	gen_require(`
+		type nslcd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1,nslcd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read nslcd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nslcd_read_pid_files',`
+	gen_require(`
+		type nslcd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 nslcd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage nslcd var_run files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nslcd_manage_var_run',`
+	gen_require(`
+		type nslcd_var_run_t;
+	')
+
+         manage_dirs_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
+         manage_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
+         manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
+')
+
+#######################################
+## <summary>
+##      Connect to nslcd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to connect.
+##      </summary>
+## </param>
+#
+interface(`nslcd_stream_connect',`
+        gen_require(`
+                type nslcd_t, nslcd_var_run_t;
+        ')
+
+        stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+        files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an nslcd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the nslcd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`nslcd_admin',`
+	gen_require(`
+		type nslcd_t;
+	')
+
+	allow $1 nslcd_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, nslcd_t, nslcd_t)
+	allow $1 nslcd_conf_t:file read_file_perms;
+
+	gen_require(`
+		type nslcd_initrc_exec_t;
+	')
+
+	# Allow nslcd_t to restart the apache service
+	nslcd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 nslcd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	nslcd_manage_var_run($1)
+')
+
+
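Review bot: `nslcd_admin` uses `nslcd_conf_t` in `allow $1 nslcd_conf_t:file read_file_perms;` but neither of its `gen_require` blocks declares that type, so a module calling the interface without nslcd_conf_t already in scope fails to build; make the first block `type nslcd_t, nslcd_conf_t, nslcd_initrc_exec_t;` and drop the second `gen_require`. The comment `# Allow nslcd_t to restart the apache service` is a copy-paste leftover and should read `# Allow $1 to restart the nslcd service`; likewise the `nslcd_initrc_domtrans` summary says it executes the server, whereas it runs the init script. The file also mixes tab and space indentation (the `nslcd_manage_var_run` and `nslcd_stream_connect` bodies use spaces); refpolicy convention is tabs.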
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.12/policy/modules/services/nslcd.te
--- nsaserefpolicy/policy/modules/services/nslcd.te	1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.12/policy/modules/services/nslcd.te	2009-06-25 10:21:01.000000000 +0200
@@ -0,0 +1,50 @@
+policy_module(nslcd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type nslcd_t;
+type nslcd_exec_t;
+init_daemon_domain(nslcd_t, nslcd_exec_t)
+
+#permissive nslcd_t;
+
+type nslcd_initrc_exec_t;
+init_script_file(nslcd_initrc_exec_t)
+
+type nslcd_var_run_t;
+files_pid_file(nslcd_var_run_t)
+
+type nslcd_conf_t;
+files_type(nslcd_conf_t)
+allow nslcd_t nslcd_conf_t:file read_file_perms;
+
+########################################
+#
+# nslcd local policy
+#
+
+allow nslcd_t self:capability { setgid setuid dac_override };
+
+# Init script handling
+domain_use_interactive_fds(nslcd_t)
+
+# internal communication is often done using fifo and unix sockets.
+allow nslcd_t self:sock_file rw_file_perms;
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
+allow nslcd_t self:process signal;
+
+files_read_etc_files(nslcd_t)
+
+miscfiles_read_localization(nslcd_t)
+
+manage_dirs_pattern(nslcd_t, nslcd_var_run_t,  nslcd_var_run_t)
+manage_files_pattern(nslcd_t, nslcd_var_run_t,  nslcd_var_run_t)
+files_pid_filetrans(nslcd_t,nslcd_var_run_t, { file dir })
+allow nslcd_t nslcd_var_run_t:sock_file manage_sock_file_perms;
+
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
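Review bot: `allow nslcd_t self:capability { setgid setuid dac_override };` grants dac_override without a comment saying which file it is needed for; dac_override bypasses all DAC checks, so if it exists only to read a root-owned `/etc/nss-ldapd.conf` after dropping privileges, the narrower `dac_read_search` or a fix to the file's group ownership is preferable — record the reason either way. `allow nslcd_t self:sock_file rw_file_perms;` applies file permissions to the sock_file class on the domain's own type, which is unusual; `rw_sock_file_perms` is the matching permission set if the rule is needed at all. The commented-out `#permissive nslcd_t;` is a debugging leftover that should be removed before the module ships.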
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.12/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/nx.fc	2009-08-20 15:35:42.000000000 +0200
@@ -5,3 +5,6 @@
 /opt/NX/var(/.*)?			gen_context(system_u:object_r:nx_server_var_run_t,s0)
 
 /usr/libexec/nx/nxserver	--	gen_context(system_u:object_r:nx_server_exec_t,s0)
+
+/var/lib/nxserver/home/.ssh(/.*)? 	gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.12/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/nx.if	2009-09-14 14:45:30.000000000 +0200
@@ -17,3 +17,23 @@
 
 	spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
 ')
+
+#######################################
+## <summary>
+## Read nx home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nx_read_home_files',`
+	gen_require(`
+		type nx_server_home_ssh_t;
+	')
+
+	read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+	read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+')
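Review bot: `nx_read_home_files` grants read of `nx_server_home_ssh_t`, which nx.fc in this patch applies to `/var/lib/nxserver/home/.ssh(/.*)?`, so any caller can read the NX server account's SSH key material, yet neither the summary `Read nx home directory content` nor a comment says so. Make the summary explicit, e.g. `Read the nx server account's ~/.ssh content (keys and authorized_keys).`, so callers see the sensitivity before using it. The declaration of `nx_server_home_ssh_t` is not in the visible hunks (nx.te is not part of this excerpt); confirm it exists, or the fc entry and this interface will not build.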
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.12/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/openvpn.te	2009-08-20 09:42:28.000000000 +0200
@@ -86,6 +86,7 @@
 corenet_udp_bind_openvpn_port(openvpn_t)
 corenet_tcp_connect_openvpn_port(openvpn_t)
 corenet_tcp_connect_http_port(openvpn_t)
+corenet_tcp_connect_http_cache_port(openvpn_t)
 corenet_rw_tun_tap_dev(openvpn_t)
 corenet_sendrecv_openvpn_server_packets(openvpn_t)
 corenet_sendrecv_openvpn_client_packets(openvpn_t)
@@ -98,6 +99,8 @@
 files_read_etc_files(openvpn_t)
 files_read_etc_runtime_files(openvpn_t)
 
+auth_use_pam(openvpn_t)
+
 logging_send_syslog_msg(openvpn_t)
 
 miscfiles_read_localization(openvpn_t)
@@ -114,6 +117,16 @@
 	userdom_read_user_home_content_files(openvpn_t)
 ')
 
+tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
+        fs_read_nfs_files(openvpn_t)
+        fs_read_nfs_symlinks(openvpn_t)
+')
+
+tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+        fs_read_cifs_files(openvpn_t)
+        fs_read_cifs_symlinks(openvpn_t)
+')
+
 optional_policy(`
 	daemontools_service_domain(openvpn_t, openvpn_exec_t)
 ')
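Review bot: The two new `tunable_policy` blocks for `use_nfs_home_dirs` and `use_samba_home_dirs` are indented with spaces, while the preceding block ending in `userdom_read_user_home_content_files(openvpn_t)` and the `optional_policy` that follows use a single tab; refpolicy convention is tabs. The rule bodies themselves are fine as written.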
@@ -122,5 +135,6 @@
 	dbus_system_bus_client(openvpn_t)
 	dbus_connect_system_bus(openvpn_t)
 
+	fprintd_dbus_chat(openvpn_t)
 	networkmanager_dbus_chat(openvpn_t)
 ')
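Review bot: `fprintd_dbus_chat(openvpn_t)` is placed directly inside the existing dbus `optional_policy` block (whose start is outside the hunk), so when the fprintd module is absent the whole block — including `dbus_system_bus_client` and `dbus_connect_system_bus` — is dropped, not just the fprintd rule. Wrap the new call in its own nested optional_policy block so the dbus rules survive without fprintd; the pre-existing `networkmanager_dbus_chat(openvpn_t)` has the same exposure and could be nested the same way.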
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.6.12/policy/modules/services/pcscd.if
--- nsaserefpolicy/policy/modules/services/pcscd.if	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pcscd.if	2009-10-02 08:35:36.000000000 +0200
@@ -53,6 +53,5 @@
 	')
 
 	files_search_pids($1)
-	allow $1 pcscd_var_run_t:sock_file write;
-	allow $1 pcscd_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)	
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pcscd.te	2009-06-25 10:21:01.000000000 +0200
@@ -28,6 +28,7 @@
 allow pcscd_t self:tcp_socket create_stream_socket_perms;
 
 manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
@@ -46,6 +47,8 @@
 files_read_etc_files(pcscd_t)
 files_read_etc_runtime_files(pcscd_t)
 
+kernel_read_system_state(pcscd_t)
+
 term_use_unallocated_ttys(pcscd_t)
 term_dontaudit_getattr_pty_dirs(pcscd_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.12/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/polkit.fc	2009-06-25 10:21:01.000000000 +0200
@@ -2,7 +2,7 @@
 /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:polkit_auth_exec_t,s0)
 /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:polkit_grant_exec_t,s0)
 /usr/libexec/polkit-resolve-exe-helper.* --	gen_context(system_u:object_r:polkit_resolve_exec_t,s0)
-/usr/libexec/polkitd			--	gen_context(system_u:object_r:polkit_exec_t,s0)
+/usr/libexec/polkitd.*			--	gen_context(system_u:object_r:polkit_exec_t,s0)
 
 /var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 /var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_run_t,s0)
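Review bot: `/usr/libexec/polkitd.*` lets `.` match `/`, so under file_contexts' implicit anchoring the pattern also covers regular files anywhere below a `/usr/libexec/polkitd/` directory, labelling helpers installed there as the daemon's entrypoint type; `/usr/libexec/polkitd[^/]*` restricts the match to one directory level while still covering versioned names. The `--` qualifier already limits it to regular files, so this is only about path depth.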
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.12/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/polkit.if	2009-06-25 10:21:01.000000000 +0200
@@ -194,6 +194,7 @@
 
 	polkit_domtrans_auth($1)
 	role $2 types polkit_auth_t;
+	polkit_dbus_chat($1)
 ')
 
 #######################################
@@ -217,6 +218,7 @@
 	polkit_run_grant($2, $1)
 	polkit_read_lib($2)
 	polkit_read_reload($2)
+	polkit_dbus_chat($2)
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.12/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/polkit.te	2009-08-07 12:21:31.000000000 +0200
@@ -72,6 +72,7 @@
 manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t)
 files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir })
 
+userdom_getattr_all_users(polkit_t)
 userdom_read_all_users_state(polkit_t)
 
 optional_policy(`
@@ -99,6 +100,8 @@
 
 domain_use_interactive_fds(polkit_auth_t)
 
+fs_getattr_all_fs(polkit_auth_t)
+
 files_read_etc_files(polkit_auth_t)
 files_read_usr_files(polkit_auth_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/postfix.if	2009-07-31 13:05:32.000000000 +0200
@@ -112,6 +112,13 @@
 template(`postfix_server_domain_template',`
 	postfix_domain_template($1)
 
+	type postfix_$1_tmp_t;
+	files_tmp_file(postfix_$1_tmp_t)
+
+	manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+	manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
+	files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
+
 	allow postfix_$1_t self:capability { setuid setgid dac_override };
 	allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
 	allow postfix_$1_t self:tcp_socket create_socket_perms;
@@ -580,6 +587,25 @@
 
 ########################################
 ## <summary>
+##	Execute the master postqueue in the
+##	postfix_postqueue domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_domtrans_postqueue',`
+	gen_require(`
+		type postfix_postqueue_t, postfix_postqueue_exec_t;
+	')
+
+	domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+')
+
+########################################
+## <summary>
 ##	Execute the master postdrop in the
 ##	postfix_postdrop domain.
 ## </summary>
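Review bot: The new interface's summary `Execute the master postqueue in the postfix_postqueue domain.` copies the postdrop wording below it; postqueue is a client utility, not a master process, so `Execute postqueue in the postfix_postqueue domain.` is clearer. The interface body follows the existing `domtrans_pattern` convention and needs no change.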
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/postfix.te	2009-07-31 13:05:36.000000000 +0200
@@ -42,9 +42,6 @@
 	mta_manage_spool(postfix_local_t)
 ')
 
-type postfix_local_tmp_t;
-files_tmp_file(postfix_local_tmp_t)
-
 # Program for creating database files
 type postfix_map_t;
 type postfix_map_exec_t;
@@ -106,9 +103,6 @@
 postfix_server_domain_template(virtual)
 mta_mailserver_delivery(postfix_virtual_t)
 
-type postfix_virtual_tmp_t;
-files_tmp_file(postfix_virtual_tmp_t)
-
 ########################################
 #
 # Postfix master process local policy
@@ -302,10 +296,6 @@
 allow postfix_local_t self:fifo_file rw_fifo_file_perms;
 allow postfix_local_t self:process { setsched setrlimit };
 
-manage_dirs_pattern(postfix_local_t, postfix_local_tmp_t, postfix_local_tmp_t)
-manage_files_pattern(postfix_local_t, postfix_local_tmp_t, postfix_local_tmp_t)
-files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })
-
 # connect to master process
 stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
 
@@ -399,14 +389,6 @@
 
 miscfiles_read_localization(postfix_map_t)
 
-tunable_policy(`read_default_t',`
-	files_list_default(postfix_map_t)
-	files_read_default_files(postfix_map_t)
-	files_read_default_symlinks(postfix_map_t)
-	files_read_default_sockets(postfix_map_t)
-	files_read_default_pipes(postfix_map_t)
-')
-
 optional_policy(`
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
@@ -508,7 +490,7 @@
 ')
 
 optional_policy(`
-	sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
+	sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)
 ')
 
 optional_policy(`
@@ -640,7 +622,7 @@
 mta_read_aliases(postfix_smtpd_t)
 
 optional_policy(`
-	dovecot_auth_stream_connect(postfix_smtpd_t)
+	dovecot_stream_connect_auth(postfix_smtpd_t)
 ')
 
 optional_policy(`
@@ -665,10 +647,6 @@
 
 allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
 
-manage_dirs_pattern(postfix_virtual_t, postfix_virtual_tmp_t, postfix_virtual_tmp_t)
-manage_files_pattern(postfix_virtual_t, postfix_virtual_tmp_t, postfix_virtual_tmp_t)
-files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
-
 # connect to master process
 stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.12/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/postgresql.te	2009-07-08 21:12:21.000000000 +0200
@@ -202,6 +202,7 @@
 corenet_tcp_bind_generic_node(postgresql_t)
 corenet_tcp_bind_postgresql_port(postgresql_t)
 corenet_tcp_connect_auth_port(postgresql_t)
+corenet_tcp_connect_postgresql_port(postgresql_t)
 corenet_sendrecv_postgresql_server_packets(postgresql_t)
 corenet_sendrecv_auth_client_packets(postgresql_t)
 
@@ -237,6 +238,7 @@
 init_read_utmp(postgresql_t)
 
 logging_send_syslog_msg(postgresql_t)
+logging_send_audit_msgs(postgresql_t)
 
 miscfiles_read_localization(postgresql_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ppp.if	2009-06-25 10:21:01.000000000 +0200
@@ -177,10 +177,16 @@
 interface(`ppp_run',`
 	gen_require(`
 		type pppd_t;
+		type pptp_t;
 	')
 
 	ppp_domtrans($1)
 	role $2 types pppd_t;
+	role $2 types pptp_t;
+
+	optional_policy(`
+		ddclient_run(pppd_t, $2)
+	')
 ')
 
 ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.12/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ppp.te	2009-08-24 15:30:24.000000000 +0200
@@ -218,7 +218,7 @@
 # PPTP Local policy
 #
 
-allow pptp_t self:capability { net_raw net_admin };
+allow pptp_t self:capability { dac_read_search dac_override net_raw net_admin };
 dontaudit pptp_t self:capability sys_tty_config;
 allow pptp_t self:process signal;
 allow pptp_t self:fifo_file rw_fifo_file_perms;
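Review bot: `{ dac_read_search dac_override net_raw net_admin }` grants both DAC capabilities, but dac_override already covers every check that dac_read_search does, and neither is explained; dac_override lets pptp_t bypass DAC on any file its SELinux rules reach. If the need is only to read or search a root-owned path, keep `dac_read_search` alone and say so in a comment, e.g. `# dac_read_search: pptp reads <PATH> as non-root — TODO confirm`.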
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.12/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/privoxy.te	2009-06-25 10:21:01.000000000 +0200
@@ -48,8 +48,7 @@
 files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
 
 kernel_read_kernel_sysctls(privoxy_t)
-kernel_list_proc(privoxy_t)
-kernel_read_proc_symlinks(privoxy_t)
+kernel_read_system_state(privoxy_t)
 
 corenet_all_recvfrom_unlabeled(privoxy_t)
 corenet_all_recvfrom_netlabel(privoxy_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc	2009-06-25 10:21:01.000000000 +0200
@@ -3,6 +3,8 @@
 
 HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 HOME_DIR/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
 
 /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
 /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.12/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.te	2009-06-25 10:21:01.000000000 +0200
@@ -97,6 +97,8 @@
 kernel_read_kernel_sysctls(pyzor_t)  
 kernel_read_system_state(pyzor_t)
 
+fs_getattr_xattr_fs(pyzor_t)
+
 corecmd_list_bin(pyzor_t)
 corecmd_getattr_bin_files(pyzor_t)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.12/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/radvd.te	2009-09-29 18:03:17.000000000 +0200
@@ -23,7 +23,7 @@
 # Local policy
 #
 allow radvd_t self:capability { setgid setuid net_raw net_admin };
-dontaudit radvd_t self:capability sys_tty_config;
+dontaudit radvd_t self:capability { sys_module sys_tty_config };
 allow radvd_t self:process signal_perms;
 allow radvd_t self:unix_dgram_socket create_socket_perms;
 allow radvd_t self:unix_stream_socket create_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.12/policy/modules/services/rpcbind.if
--- nsaserefpolicy/policy/modules/services/rpcbind.if	2009-04-07 21:54:47.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/rpcbind.if	2009-09-14 15:08:43.000000000 +0200
@@ -95,6 +95,26 @@
 	files_search_var_lib($1)
 ')
 
+#######################################
+## <summary>
+##      Connect to rpcbindd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rpcbind_stream_connect',`
+        gen_require(`
+                type rpcbind_t, rpcbind_var_run_t;
+        ')
+
+        files_search_pids($1)
+        allow $1 rpcbind_var_run_t:sock_file write;
+        allow $1 rpcbind_t:unix_stream_socket connectto;
+')
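Review bot: `rpcbind_stream_connect` hand-writes `allow $1 rpcbind_var_run_t:sock_file write;` and `allow $1 rpcbind_t:unix_stream_socket connectto;`, which is exactly the pair this same patch replaces with `stream_connect_pattern` in pcscd.if; use `stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)` here as well so the two stay consistent (the pattern also covers search on the socket's directory). The summary says `rpcbindd`; the daemon is `rpcbind`. The body is indented with spaces where the rest of the file uses tabs.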
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/rpc.te	2009-09-14 14:31:36.000000000 +0200
@@ -95,6 +95,10 @@
 userdom_signal_unpriv_users(rpcd_t)
 
 optional_policy(`
+	automount_signal(rpcd_t)
+')
+
+optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
 ')
 
@@ -103,6 +107,10 @@
 	unconfined_signal(rpcd_t)
 ')
 
+optional_policy(`
+        domain_unconfined_signal(rpcd_t)
+')
+
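Review bot: `domain_unconfined_signal(rpcd_t)` is wrapped in `optional_policy`, but the `domain` module is part of the base policy and always present, so the wrapper is unnecessary, and unlike the blocks around it the body is indented with spaces. Nothing says which unconfined-typed process rpcd needs to signal; a one-line comment above the call would make the grant reviewable.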
 ########################################
 #
 # NFSD local policy
@@ -189,6 +197,7 @@
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 kernel_search_network_sysctl(gssd_t)	
+kernel_signal(gssd_t)
 
 corecmd_exec_bin(gssd_t)
 
@@ -207,6 +216,8 @@
 
 mount_signal(gssd_t)
 
+userdom_signal_all_users(gssd_t)
+
 tunable_policy(`allow_gssd_read_tmp',`
 	userdom_list_user_tmp(gssd_t) 
 	userdom_read_user_tmp_files(gssd_t) 
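Review bot: `userdom_signal_all_users(gssd_t)` lets gssd send any signal, including SIGKILL, to every user domain; the same grant is added for smbd_t in samba.te. If the daemon only needs to test whether a process still exists, the `signull` permission alone — as this patch already uses for smbd on winbind_t with `{ signal signull }` — is the narrower grant; otherwise add a comment naming the signal and the reason, e.g. `# gssd signals the requesting user process — TODO confirm which signal`.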
@@ -214,6 +225,10 @@
 ')
 
 optional_policy(`
+	automount_signal(gssd_t)
+')
+
+optional_policy(`
 	kerberos_keytab_template(gssd, gssd_t) 
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/rsync.te	2009-06-25 10:21:01.000000000 +0200
@@ -126,6 +126,8 @@
 
 tunable_policy(`rsync_export_all_ro',`
 	fs_read_noxattr_fs_files(rsync_t) 
+	fs_read_nfs_files(rsync_t)
+	fs_read_cifs_files(rsync_t)
 	auth_read_all_dirs_except_shadow(rsync_t)
 	auth_read_all_files_except_shadow(rsync_t)
 	auth_read_all_symlinks_except_shadow(rsync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.12/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/samba.te	2009-09-22 17:53:46.000000000 +0200
@@ -280,6 +280,7 @@
 files_pid_filetrans(smbd_t, smbd_var_run_t, file)
 
 allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
+allow smbd_t winbind_t:process { signal signull };
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -342,6 +343,8 @@
 miscfiles_read_localization(smbd_t)
 miscfiles_read_public_files(smbd_t)
 
+userdom_signal_all_users(smbd_t)
+
 userdom_use_unpriv_users_fds(smbd_t)
 userdom_dontaudit_search_user_home_dirs(smbd_t)
 
@@ -924,3 +927,6 @@
 allow winbind_t smbcontrol_t:process signal;
 
 allow smbcontrol_t nmbd_var_run_t:file { read lock };
+
+userdom_use_user_terminals(smbcontrol_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.12/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sasl.te	2009-09-29 18:20:22.000000000 +0200
@@ -31,7 +31,7 @@
 # Local policy
 #
 
-allow saslauthd_t self:capability setuid;
+allow saslauthd_t self:capability { setgid setuid };
 dontaudit saslauthd_t self:capability sys_tty_config;
 allow saslauthd_t self:process signal_perms;
 allow saslauthd_t self:fifo_file rw_fifo_file_perms;
@@ -98,6 +98,10 @@
 ')
 
 optional_policy(`
+	dbus_dontaudit_system_bus_stream_connect(saslauthd_t)
+')
+
+optional_policy(`
 	kerberos_keytab_template(saslauthd, saslauthd_t)
 	kerberos_manage_host_rcache(saslauthd_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if	2009-07-31 13:22:05.000000000 +0200
@@ -92,6 +92,24 @@
 	allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
 ')
 
+#######################################
+## <summary>
+##      Dontaudit Read and write sendmail unix_stream_sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
+        gen_require(`
+                type sendmail_t;
+        ')
+
+        dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl };
+')
+
 ########################################
 ## <summary>
 ##	Read sendmail logs.
@@ -238,3 +256,24 @@
 
 	allow $1 sendmail_t:fifo_file rw_fifo_file_perms; 
 ')
+
+######################################
+## <summary>
+##	Manage sendmail tmp files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+## 	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`sendmail_manage_tmp',`
+	gen_require(`
+		type sendmail_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t)
+')
+
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.te	2009-07-24 15:40:05.000000000 +0200
@@ -131,6 +131,10 @@
 ')
 
 optional_policy(`
+	exim_domtrans(sendmail_t)
+')
+
+optional_policy(`
 	fail2ban_read_lib_files(sendmail_t)
 ')
 
@@ -148,6 +152,7 @@
 
 optional_policy(`
 	postfix_domtrans_postdrop(sendmail_t)
+	postfix_domtrans_postqueue(sendmail_t)
 	postfix_domtrans_master(sendmail_t)
 	postfix_read_config(sendmail_t)
 	postfix_search_spool(sendmail_t)
@@ -186,6 +191,6 @@
 
 optional_policy(`
 	mta_etc_filetrans_aliases(unconfined_sendmail_t)
-	unconfined_domain(unconfined_sendmail_t)
+	unconfined_domain_noaudit(unconfined_sendmail_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te	2009-07-17 08:50:23.000000000 +0200
@@ -81,6 +81,7 @@
 
 domain_dontaudit_search_all_domains_state(setroubleshootd_t)
 
+files_read_all_symlinks(setroubleshootd_t)
 files_read_usr_files(setroubleshootd_t)
 files_read_etc_files(setroubleshootd_t)
 files_list_all(setroubleshootd_t)
@@ -121,6 +122,10 @@
 userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
 
 optional_policy(`
+	locate_read_lib_files(setroubleshootd_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(setroubleshootd_t)
 	dbus_connect_system_bus(setroubleshootd_t)
 	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.12/policy/modules/services/shorewall.fc
--- nsaserefpolicy/policy/modules/services/shorewall.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.fc	1970-01-01 01:00:00.000000000 +0100
@@ -1,12 +0,0 @@
-
-/etc/rc\.d/init\.d/shorewall        	--      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/shorewall-lite       --      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
-
-/etc/shorewall(/.*)?            		gen_context(system_u:object_r:shorewall_etc_t,s0)
-/etc/shorewall-lite(/.*)?               	gen_context(system_u:object_r:shorewall_etc_t,s0)
-
-/sbin/shorewall				--	gen_context(system_u:object_r:shorewall_exec_t,s0)
-/sbin/shorewall-lite			--      gen_context(system_u:object_r:shorewall_exec_t,s0)
-
-/var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-/var/lib/shorewall-lite(/.*)?           	gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.12/policy/modules/services/shorewall.if
--- nsaserefpolicy/policy/modules/services/shorewall.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.if	1970-01-01 01:00:00.000000000 +0100
@@ -1,166 +0,0 @@
-## <summary>policy for shorewall</summary>
-
-########################################
-## <summary>
-##	Execute a domain transition to run shorewall.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`shorewall_domtrans',`
-	gen_require(`
-		type shorewall_t; 
-		type shorewall_exec_t;
-	')
-
-	domtrans_pattern($1, shorewall_exec_t, shorewall_t)
-')
-
-#######################################
-## <summary>
-##      Read shorewall etc configuration files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_read_etc',`
-        gen_require(`
-                type shorewall_etc_t;
-        ')
-
-        files_search_etc($1)
-        read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
-')
-
-#######################################
-## <summary>
-##      Read shorewall PID files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_read_pid_files',`
-        gen_require(`
-                type shorewall_var_run_t;
-        ')
-
-        files_search_pids($1)
-        read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
-#######################################
-## <summary>
-##      Read and write shorewall PID files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_rw_pid_files',`
-        gen_require(`
-                type shorewall_var_run_t;
-        ')
-
-        files_search_pids($1)
-        rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
-')
-
-######################################
-## <summary>
-##      Read shorewall /var/lib files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_read_var_lib',`
-        gen_require(`
-                type shorewall_t;
-       ')
-
-        files_search_var_lib($1)
-        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-        read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-')
-
-#######################################
-## <summary>
-##      Read and write shorewall /var/lib files.
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`shorewall_rw_var_lib',`
-        gen_require(`
-                type shorewall_t;
-       ')
-
-        files_search_var_lib($1)
-        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-        rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-')
-
-#######################################
-## <summary>
-##      All of the rules required to administrate 
-##      an shorewall environment
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-## <param name="role">
-##      <summary>
-##      The role to be allowed to manage the syslog domain.
-##      </summary>
-## </param>
-## <rolecap/>
-#
-interface(`shorewall_admin',`
-        gen_require(`
-                type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
-                type shorewall_initrc_exec_t, shorewall_var_lib_t;
-                type shorewall_tmp_t;
-        ')
-
-        allow $1 shorewall_t:process { ptrace signal_perms };
-        ps_process_pattern($1, shorewall_t)
-
-        init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
-        domain_system_change_exemption($1)
-        role_transition $2 shorewall_initrc_exec_t system_r;
-        allow $2 system_r;
-
-        files_search_etc($1)
-        admin_pattern($1, shorewall_etc_t)
-
-	files_search_locks($1)
-	admin_pattern($1, shorewall_lock_t)
-
-        files_search_pids($1)
-        admin_pattern($1, shorewall_var_run_t)
-
-        files_search_var_lib($1)
-        admin_pattern($1, shorewall_var_lib_t)
-
-        files_search_tmp($1)
-        admin_pattern($1, shorewall_tmp_t)
-')
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.12/policy/modules/services/shorewall.te
--- nsaserefpolicy/policy/modules/services/shorewall.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.te	1970-01-01 01:00:00.000000000 +0100
@@ -1,102 +0,0 @@
-policy_module(shorewall,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type shorewall_t;
-type shorewall_exec_t;
-init_daemon_domain(shorewall_t, shorewall_exec_t)
-
-type shorewall_initrc_exec_t;
-init_script_file(shorewall_initrc_exec_t)
-
-# etc files
-type shorewall_etc_t;
-files_config_file(shorewall_etc_t)
-
-# lock files
-type shorewall_lock_t;
-files_lock_file(shorewall_lock_t)
-
-# tmp files
-type shorewall_tmp_t;
-files_tmp_file(shorewall_tmp_t)
-
-# var/lib files
-type shorewall_var_lib_t;
-files_type(shorewall_var_lib_t)
-
-########################################
-#
-# shorewall local policy
-#
-
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
-dontaudit shorewall_t self:capability sys_tty_config;
-
-allow shorewall_t self:fifo_file rw_fifo_file_perms;
-
-# etc file
-read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
-list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
-
-# lock files
-manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t)
-files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
-
-# var/lib files for shorewall
-exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
-manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
-manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
-files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file })
-
-# tmp files for shorewall
-manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
-manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
-files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(shorewall_t)
-kernel_read_system_state(shorewall_t)
-kernel_read_network_state(shorewall_t)
-kernel_rw_net_sysctls(shorewall_t)
-
-corecmd_exec_bin(shorewall_t)
-corecmd_exec_shell(shorewall_t)
-
-dev_read_urand(shorewall_t)
-
-fs_getattr_all_fs(shorewall_t)
-
-domain_read_all_domains_state(shorewall_t)
-
-files_getattr_kernel_modules(shorewall_t)
-files_read_etc_files(shorewall_t)
-files_read_usr_files(shorewall_t)
-files_search_kernel_modules(shorewall_t)
-
-init_rw_utmp(shorewall_t)
-
-libs_use_ld_so(shorewall_t)
-libs_use_shared_libs(shorewall_t)
-
-logging_send_syslog_msg(shorewall_t)
-
-miscfiles_read_localization(shorewall_t)
-
-userdom_dontaudit_list_admin_dir(shorewall_t)
-
-sysnet_domtrans_ifconfig(shorewall_t)
-iptables_domtrans(shorewall_t)
-
-optional_policy(`
-        modutils_domtrans_insmod(shorewall_t)
-')
-
-optional_policy(`
-	ulogd_search_log(shorewall_t)
-')
-
-permissive shorewall_t;
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.12/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/smartmon.te	2009-09-02 10:27:17.000000000 +0200
@@ -28,9 +28,9 @@
 # Local policy
 #
 
-allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
+allow fsdaemon_t self:capability { setgid setpcap sys_rawio sys_admin };
 dontaudit fsdaemon_t self:capability sys_tty_config;
-allow fsdaemon_t self:process { signal_perms setfscreate };
+allow fsdaemon_t self:process { getcap setcap signal_perms setfscreate };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
 allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
 allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
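Review bot: The added `setpcap` capability and `getcap setcap` process permissions on fsdaemon_t come without a comment saying why a disk-monitoring daemon needs to manipulate its own capability sets, which is exactly the kind of rule a later reviewer will want to trim without context. If this is for smartd dropping privileges after startup, say so above the rule, e.g. `# smartd drops capabilities after startup; setpcap/setcap are needed for the drop`; if it is something else, name it. Either way the reason belongs next to the allow rule rather than only in a commit log.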
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.6.12/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/snmp.if	2009-09-17 10:38:55.000000000 +0200
@@ -28,6 +28,24 @@
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+#######################################
+## <summary>
+##	Append snmpd libraries.
+## </summary>
+## <param name="domain">
+## 	<summary>
+## 	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`snmp_append_snmp_var_lib_files',`
+	gen_require(`
+		type snmpd_var_lib_t;
+	')
+
+	append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##	Read snmpd libraries.
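Review bot: `snmp_append_snmp_var_lib_files` grants append on snmpd_var_lib_t files but never grants search on the parent directory, so a caller that does not already hold search rights on the /var/lib tree cannot reach the files to open them. The sibling `snmp_stream_connect` interface added later in this same file does call `files_search_var_lib($1)`; add the same line before `append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)`. The summary `Append snmpd libraries.` follows the wording of the existing read interface, but these are snmpd's /var/lib state files, not libraries, and a more accurate summary would help callers.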
@@ -85,6 +103,25 @@
 	dontaudit $1 snmpd_var_lib_t:file write;
 ')
 
+#######################################
+## <summary>
+## Connect to snmpd using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snmp_stream_connect',`
+	gen_require(`
+		type snmpd_t, snmpd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.12/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/snmp.te	2009-09-16 13:08:08.000000000 +0200
@@ -71,6 +71,8 @@
 corenet_tcp_bind_snmp_port(snmpd_t)
 corenet_udp_bind_snmp_port(snmpd_t)
 corenet_sendrecv_snmp_server_packets(snmpd_t)
+corenet_tcp_bind_agentx_port(snmpd_t)
+corenet_udp_bind_agentx_port(snmpd_t)  
 corenet_tcp_connect_agentx_port(snmpd_t)
 
 dev_list_sysfs(snmpd_t)
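Review bot: The added `corenet_udp_bind_agentx_port(snmpd_t)  ` line carries trailing whitespace, which this patch's `--ignore-all-space` hides but which lands in the tree; the same applies to the added `userdom_admin_home_dir_filetrans(ssh_server, home_ssh_t, dir)  ` and `gitosis_manage_var_lib(sshd_t)  ` lines in ssh.te. Strip the trailing spaces before merging. A one-line comment stating which snmpd feature needs both bind and connect on the agentx port (presumably the AgentX master/subagent socket) would also help, since the existing connect rule previously stood alone.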
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc	2009-08-19 17:48:56.000000000 +0200
@@ -1,13 +1,15 @@
+/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 
 /etc/rc\.d/init\.d/spamd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/spamassassin --      gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/mimedefang.*	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 
 /usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamassassin	--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/spamd		--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
 
+/usr/bin/spamd          --      gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/bin/mimedefang-multiplexor --	gen_context(system_u:object_r:spamd_exec_t,s0)
 
@@ -20,5 +22,5 @@
 
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/MD-Quarantine(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/MIMEDefang(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)?		gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)?		gen_context(system_u:object_r:spamd_var_run_t,s0)
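Review bot: Relabeling `/var/spool/MD-Quarantine(/.*)?` and `/var/spool/MIMEDefang(/.*)?` from spamd_spool_t to spamd_var_run_t gives a mail quarantine directory the same type as spamd's pid/socket directory, so every domain granted access to spamd_var_run_t through the pid interfaces now also reaches quarantined messages. If the reason is that mimedefang keeps a runtime socket under /var/spool/MIMEDefang, consider labeling only that path as spamd_var_run_t and leaving the quarantine on spamd_spool_t. At minimum add a comment above the two lines stating why a spool directory receives the pid type.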
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te	2009-09-16 12:19:24.000000000 +0200
@@ -263,6 +263,7 @@
 corenet_tcp_sendrecv_generic_node(spamc_t)
 corenet_tcp_connect_spamd_port(spamc_t)
 
+can_exec(spamc_t, spamc_exec_t)
 
 manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
 manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
@@ -406,6 +407,7 @@
 # var/lib files for spamd
 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
+manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 
 manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/squid.te	2009-08-23 20:37:28.000000000 +0200
@@ -67,7 +67,9 @@
 
 can_exec(squid_t, squid_exec_t)
 
+manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
 manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
 logging_log_filetrans(squid_t, squid_log_t, { file dir })
 
 manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-07-20 14:31:17.000000000 +0200
@@ -187,7 +187,7 @@
 
 	allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
 	allow $1_t self:fifo_file rw_fifo_file_perms;
-	allow $1_t self:process { signal setsched setrlimit setexec };
+	allow $1_t self:process { signal getsched setsched setrlimit setexec };
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
 	# ssh agent connections:
@@ -685,3 +685,24 @@
 	can_exec($1, ssh_agent_exec_t)
 ')
 
+#######################################
+## <summary>
+## Read ssh home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_read_user_home_files',`
+	gen_require(`
+  		type home_ssh_t;
+	')
+
+	allow $1 home_ssh_t:dir list_dir_perms;
+	read_files_pattern($1, home_ssh_t, home_ssh_t)
+	read_lnk_files_pattern($1, home_ssh_t, home_ssh_t)
+	userdom_search_user_home_dirs($1)
+')
+
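Review bot: `ssh_read_user_home_files` hands the caller read access to everything of type home_ssh_t, which per the `create and read the user keys and config` comment in the ssh.te hunk of this patch covers the users' keys, not only config, and the summary `Read ssh home directory content` does not say so. Make the summary explicit, e.g. `Read ssh home directory content, including user keys; grant only to domains that must read ~/.ssh`, so callers adopt it knowingly. Stylistically, the line `  		type home_ssh_t;` mixes spaces and tabs where the rest of the interface uses tabs; the same applies to the space-indented `ptchown_domtrans(svirt_t)` in virt.te and the space-indented body of `xserver_search_xdm_lib` in xserver.if.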
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.12/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/ssh.te	2009-09-22 17:01:21.000000000 +0200
@@ -133,6 +133,12 @@
 read_files_pattern(ssh_server,home_ssh_t,home_ssh_t)
 read_lnk_files_pattern(ssh_server,home_ssh_t,home_ssh_t)
 
+# ssh servers can create and read the user keys and config
+manage_dirs_pattern(ssh_server, home_ssh_t, home_ssh_t)
+manage_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
+userdom_user_home_dir_filetrans(ssh_server, home_ssh_t, dir)
+userdom_admin_home_dir_filetrans(ssh_server, home_ssh_t, dir)  
+
 kernel_read_kernel_sysctls(ssh_t)
 kernel_read_system_state(ssh_t)
 
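Review bot: The new rules give every ssh_server domain full `manage_files_pattern` on home_ssh_t, i.e. write, unlink and rename on every user's keys and authorized_keys, while the comment above them says the servers only need to `create and read` them. If creating `~/.ssh` and its files is what is needed, as the two filetrans lines suggest, the tighter form is `manage_dirs_pattern(ssh_server, home_ssh_t, home_ssh_t)` plus `create_files_pattern(ssh_server, home_ssh_t, home_ssh_t)` alongside the existing read patterns in the context above. If full management really is required, change the comment to say so, because as written it understates what the rule grants.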
@@ -347,10 +353,18 @@
 ')
 
 optional_policy(`
+	gitosis_manage_var_lib(sshd_t)  
+')
+
+optional_policy(`
 	inetd_tcp_service_domain(sshd_t, sshd_exec_t)
 ')
 
 optional_policy(`
+	nx_read_home_files(sshd_t)
+')
+
+optional_policy(`
 	rpm_use_script_fds(sshd_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.12/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sssd.fc	2009-10-29 22:53:13.000000000 +0100
@@ -1,6 +1,9 @@
+/etc/rc\.d/init\.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
 
 /usr/sbin/sssd	--	gen_context(system_u:object_r:sssd_exec_t,s0)
 
-/etc/rc.d/init.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
-/var/run/sssd.pid		--	gen_context(system_u:object_r:sssd_var_run_t,s0)
 /var/lib/sss(/.*)?			gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
+/var/log/sssd(/.*)?             gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
+/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
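Review bot: `/var/log/sssd(/.*)?` is labeled sssd_var_lib_t, but the sssd.te hunk in this same patch declares `sssd_var_log_t` with `logging_log_file` and has sssd create its logs via `logging_log_filetrans(sssd_t, sssd_var_log_t, file)`, so files sssd writes at runtime get sssd_var_log_t while a restorecon puts the directory and everything in it back to sssd_var_lib_t, and the two never agree. Change the line to `/var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)`. The same mismatch means the sssd.te hunk's `manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)` would not cover a relabeled log directory.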
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.12/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sssd.if	2009-10-29 23:03:38.000000000 +0100
@@ -1,5 +1,4 @@
-
-## <summary>policy for sssd</summary>
+## <summary>System Security Services Daemon</summary>
 
 ########################################
 ## <summary>
@@ -68,17 +67,15 @@
 ##	</summary>
 ## </param>
 #
-interface(`sssd_manage_var_run',`
+interface(`sssd_manage_pids',`
 	gen_require(`
 		type sssd_var_run_t;
 	')
 
          manage_dirs_pattern($1,sssd_var_run_t,sssd_var_run_t)
          manage_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
-         manage_lnk_files_pattern($1,sssd_var_run_t,sssd_var_run_t)
 ')
 
-
 ########################################
 ## <summary>
 ##	Search sssd lib directories.
@@ -196,8 +192,7 @@
 	')
 
 	files_search_pids($1)
-	write_sock_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
-	allow $1 sssd_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
 ')
 
 ########################################
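Review bot: The rewritten body connects to sockets of type sssd_var_lib_t, yet the search permission granted on the line above it is `files_search_pids($1)`, which covers the pid directory rather than /var/lib; a caller without its own /var/lib search rights still cannot reach the socket. Replace it with `files_search_var_lib($1)`, or add that line if pid search is also needed for some reason. The `files_search_pids` line is context here, but the new `stream_connect_pattern` line is what makes the mismatch matter; the interface header is outside the hunk.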
@@ -241,9 +235,7 @@
 	role_transition $2 sssd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	sssd_manage_var_run($1)
-
-	sssd_manage_var_lib($1)
+	sssd_manage_pids($1)
 
+	sssd_manage_lib_files($1)
 ')
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sssd.te	2009-10-29 23:01:59.000000000 +0100
@@ -9,54 +10,51 @@
 type sssd_exec_t;
 init_daemon_domain(sssd_t, sssd_exec_t)
 
-permissive sssd_t;
-
 type sssd_initrc_exec_t;
 init_script_file(sssd_initrc_exec_t)
 
-type sssd_var_run_t;
-files_pid_file(sssd_var_run_t)
-
 type sssd_var_lib_t;
 files_type(sssd_var_lib_t)
 
+type sssd_var_log_t;
+logging_log_file(sssd_var_log_t)
+
+type sssd_var_run_t;
+files_pid_file(sssd_var_run_t)
+
 ########################################
 #
 # sssd local policy
 #
-allow sssd_t self:capability { sys_nice setuid };
+allow sssd_t self:capability { sys_nice setgid setuid };
 allow sssd_t self:process { setsched signal getsched };
-allow sssd_t tmp_t:dir { read getattr open };
-
-# Init script handling
-domain_use_interactive_fds(sssd_t)
-
-# internal communication is often done using fifo and unix sockets.
-allow sssd_t self:process signal;
 allow sssd_t self:fifo_file rw_file_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
-manage_dirs_pattern(sssd_t, sssd_var_run_t,  sssd_var_run_t)
-manage_files_pattern(sssd_t, sssd_var_run_t,  sssd_var_run_t)
-files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir })
-
 manage_dirs_pattern(sssd_t, sssd_var_lib_t,  sssd_var_lib_t)
 manage_files_pattern(sssd_t, sssd_var_lib_t,  sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t,  sssd_var_lib_t)
 files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
 
-corecmd_exec_bin(sssd_t)
+manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+logging_log_filetrans(sssd_t, sssd_var_log_t, file)
 
-dev_read_urand(sssd_t)
+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+
+fs_list_inotifyfs(sssd_t)
 
 kernel_read_system_state(sssd_t)
 
+corecmd_exec_bin(sssd_t)
+
+dev_read_urand(sssd_t)
+
 files_list_tmp(sssd_t)
 files_read_etc_files(sssd_t)
 files_read_usr_files(sssd_t)
 
-fs_list_inotifyfs(sssd_t)
-
 auth_use_nsswitch(sssd_t)
 auth_domtrans_chk_passwd(sssd_t)
 auth_domtrans_upd_passwd(sssd_t)
@@ -68,6 +66,8 @@
 
 miscfiles_read_localization(sssd_t)
 
+userdom_manage_tmp_role(system_t, sssd_t)
+
 optional_policy(`
 	dbus_system_bus_client(sssd_t)
 	dbus_connect_system_bus(sssd_t)
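Review bot: `userdom_manage_tmp_role(system_t, sssd_t)` passes `system_t` as the first argument, but the `_role` interfaces take a role as their first parameter, as `userdom_manage_tmpfs_role(system_r, xdm_t)` in the xserver.te hunk of this same patch shows; `system_t` is not a role, so this line will most likely fail at build time or grant nothing. Change it to `userdom_manage_tmp_role(system_r, sssd_t)`. A short comment saying which sssd behaviour needs user tmp management would also help, since the `allow sssd_t tmp_t:dir` rule removed in the previous hunk suggests this is meant to replace it.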
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.6.12/policy/modules/services/tftp.fc
--- nsaserefpolicy/policy/modules/services/tftp.fc	2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/tftp.fc	2009-10-16 15:01:44.000000000 +0200
@@ -5,4 +5,4 @@
 /tftpboot		-d	gen_context(system_u:object_r:tftpdir_t,s0)
 /tftpboot/.*			gen_context(system_u:object_r:tftpdir_t,s0)
 
-/var/lib/tftpboot(/.*)?		gen_context(system_u:object_r:tftpdir_t,s0)
+/var/lib/tftpboot(/.*)?		gen_context(system_u:object_r:tftpdir_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.12/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/uucp.te	2009-07-07 09:47:39.000000000 +0200
@@ -95,6 +95,8 @@
 files_search_home(uucpd_t)
 files_search_spool(uucpd_t)
 
+term_setattr_controlling_term(uucpd_t)
+
 auth_use_nsswitch(uucpd_t)
 
 logging_send_syslog_msg(uucpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.12/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/virt.fc	2009-09-16 13:17:05.000000000 +0200
@@ -10,6 +10,7 @@
 /var/lib/libvirt/images(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
 /var/lib/libvirt/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 /var/lib/libvirt/boot(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)?     gen_context(system_u:object_r:svirt_var_run_t,s0)
 
 /var/log/libvirt(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
 /var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-08-14 08:33:53.000000000 +0200
@@ -22,6 +22,13 @@
 
 ## <desc>
 ## <p>
+## Allow svirt to use usb devices
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, true)
+
+## <desc>
+## <p>
 ## Allow svirt to manage device configuration, (pci)
 ## </p>
 ## </desc>
@@ -95,6 +102,7 @@
 
 manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
 manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t)
+read_lnk_files_pattern(virtd_t, virt_image_t, virt_image_t)
 allow virtd_t virt_image_t:file { relabelfrom relabelto };
 allow virtd_t virt_image_t:blk_file { relabelfrom relabelto };
 
@@ -183,6 +191,7 @@
 seutil_read_default_contexts(virtd_t)
 
 term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
 term_use_ptmx(virtd_t)
 
 auth_use_nsswitch(virtd_t)
@@ -214,6 +223,12 @@
 	fs_read_cifs_symlinks(virtd_t)
 ')
 
+tunable_policy(`virt_use_usb',`
+	dev_rw_usbfs(svirt_t)
+	fs_manage_dos_dirs(svirt_t)
+	fs_manage_dos_files(svirt_t)
+')
+
 optional_policy(`
 	brctl_domtrans(virtd_t)
 ')
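Review bot: The new `virt_use_usb` block also grants `fs_manage_dos_dirs(svirt_t)` and `fs_manage_dos_files(svirt_t)`, which is full management of any vfat filesystem, not just USB device access, and the tunable's description in the earlier hunk (`Allow svirt to use usb devices`) does not mention it. Either move the dos-filesystem rules under their own tunable or extend the description, e.g. `Allow svirt to use usb devices and manage files on vfat filesystems`. The tunable also defaults to `true`, so every confined guest gets this access unless an admin opts out; unless the other virt tunables also default on, a rule set that widens what a guest can reach would conventionally default to false with the opt-in documented.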
@@ -305,8 +320,11 @@
 manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
 manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
+manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
 files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })
+stream_connect_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t, virtd_t)
 
+read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
 allow svirt_t svirt_image_t:dir search_dir_perms;
 manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
 manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
@@ -316,16 +334,17 @@
 dontaudit svirt_t virt_content_t:file write_file_perms;
 dontaudit svirt_t virt_content_t:dir write;
 
-storage_raw_write_removable_device(svirt_t)
-storage_raw_read_removable_device(svirt_t)
-
 userdom_search_user_home_content(svirt_t)
 userdom_read_all_users_state(svirt_t)
 
 append_files_pattern(svirt_t, virt_log_t, virt_log_t)
+append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t)
 
 allow svirt_t self:udp_socket create_socket_perms;
 
+corecmd_exec_bin(svirt_t)
+corecmd_exec_shell(svirt_t)
+
 corenet_udp_sendrecv_generic_if(svirt_t)
 corenet_udp_sendrecv_generic_node(svirt_t)
 corenet_udp_sendrecv_all_ports(svirt_t)
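Review bot: `corecmd_exec_bin(svirt_t)` and `corecmd_exec_shell(svirt_t)` let the confined guest domain execute any system binary and shell with no comment saying which qemu helper needs it; together with the `append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t)` added just above, this is the largest widening of svirt_t in the patch. Add a why-comment above the two lines naming the helper that requires it (e.g. `# qemu runs its network helper scripts` if that is the case), and if only one helper is needed, prefer an exec rule or domain transition on that helper's type over exec of all bin and shell types. The removal of the `storage_raw_*_removable_device` rules is the only narrowing here and could use a note on what replaces it, presumably the new usb tunable.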
@@ -353,7 +372,7 @@
 ')
 
 optional_policy(`
-	samba_domtrans_smb(svirt_t)
+        ptchown_domtrans(svirt_t)
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.12/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/xserver.fc	2009-09-29 18:24:34.000000000 +0200
@@ -13,6 +13,7 @@
 HOME_DIR/\.dmrc			--	gen_context(system_u:object_r:xdm_home_t,s0)
 
 /root/\.xauth.*			--	gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.Xauth.*			--	gen_context(system_u:object_r:xauth_home_t,s0)
 #
 # /dev
 #
@@ -62,6 +63,7 @@
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xephyr		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 ifdef(`distro_debian', `
@@ -104,6 +106,7 @@
 /var/run/gdm(/.*)?	 	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/gdm_socket	-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/xserver.if	2009-08-05 23:23:17.000000000 +0200
@@ -599,9 +599,10 @@
 #
 interface(`xserver_use_xdm_fds',`
 	gen_require(`
-		type xdm_t;
+		type xdm_t, xdm_home_t;
 	')
 
+	allow $1 xdm_home_t:file append_file_perms;
 	allow $1 xdm_t:fd use; 
 ')
 
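Review bot: `xserver_use_xdm_fds` now also grants `allow $1 xdm_home_t:file append_file_perms;`, so every existing caller that asked only to inherit xdm's file descriptors silently gains append on xdm home files, and the interface name and its summary (outside the hunk) no longer describe what it grants. Put the append rule in its own interface, e.g. `xserver_append_xdm_home_files`, and call it from the callers that need it, or at least update the summary to state the extra grant. If the append is there because an inherited descriptor refers to an xdm_home_t file, a comment saying so would explain why it lives here.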
@@ -779,6 +780,24 @@
 	manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
 ')
 
+#######################################
+## <summary>
+##      Search XDM var lib dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xserver_search_xdm_lib',`
+        gen_require(`
+                type xdm_var_lib_t;
+        ')
+
+        allow $1 xdm_var_lib_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read XDM var lib files.
@@ -861,6 +880,24 @@
 
 ########################################
 ## <summary>
+##	Make an X executable an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain for which the shell is an entrypoint.
+##	</summary>
+## </param>
+#
+interface(`xserver_entry_type',`
+	gen_require(`
+		type xserver_exec_t;
+	')
+
+	domain_entry_file($1, xserver_exec_t)
+')
+
+########################################
+## <summary>
 ##	Execute an X session in the target domain.  This
 ##	is an explicit transition, requiring the
 ##	caller to use setexeccon().
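Review bot: The parameter summary for `xserver_entry_type` reads `The domain for which the shell is an entrypoint.`, a leftover from the interface it was copied from; the entry file here is xserver_exec_t. Change it to `The domain for which the X server executable is an entrypoint.`. The interface summary could likewise read `Make the X server executable an entrypoint for the specified domain.` so the two agree.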
@@ -1409,8 +1446,10 @@
 	# Allow connections to X server.
 	xserver_stream_connect_xdm($1)
 	xserver_read_xdm_tmp_files($1)
+	xserver_search_xdm_lib($1)
 	xserver_xdm_stream_connect($1)
 	xserver_setattr_xdm_tmp_dirs($1)
+	xserver_read_xdm_pid($1)
 
 	allow $1 xdm_t:x_client { getattr destroy };
 	allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-11-16 15:19:31.000000000 +0100
@@ -339,6 +339,8 @@
 allow xdm_t self:appletalk_socket create_socket_perms;
 allow xdm_t self:key { search link write };
 
+allow xdm_t xauth_home_t:file manage_file_perms;
+
 allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -370,8 +372,9 @@
 manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+
 fs_getattr_all_fs(xdm_t)
-fs_search_inotifyfs(xdm_t)
+fs_list_inotifyfs(xdm_t)
 fs_read_noxattr_fs_files(xdm_t)
 
 manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
@@ -530,6 +533,8 @@
 miscfiles_read_localization(xdm_t)
 miscfiles_read_fonts(xdm_t)
 miscfiles_manage_localization(xdm_t)
+miscfiles_read_hwdata(xdm_t)
+miscfiles_search_man_pages(xdm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
@@ -538,6 +543,7 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
 userdom_manage_user_tmp_sockets(xdm_t)
 userdom_manage_tmpfs_role(system_r, xdm_t)
 
@@ -651,7 +657,12 @@
 ')
 
 optional_policy(`
+	pcscd_stream_connect(xdm_t)
+')
+
+optional_policy(`
 	pulseaudio_exec(xdm_t)
+	pulseaudio_dbus_chat(xdm_t)
 ')
 
 # On crash gdm execs gdb to dump stack
@@ -839,7 +850,6 @@
 fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
-fs_list_inotifyfs(xdm_t)
 fs_rw_tmpfs_files(xserver_t)
 
 mls_xwin_read_to_clearance(xserver_t)
@@ -931,6 +941,10 @@
 ')
 
 optional_policy(`
+	sandbox_rw_xserver_tmpfs_files(xserver_t)
+')
+
+optional_policy(`
 	unconfined_domain(xserver_t)
 	unconfined_domtrans(xserver_t)
 ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.12/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.fc	2009-06-25 10:21:01.000000000 +0200
@@ -24,6 +24,8 @@
 /usr/sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
 
+/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
+
 /var/db/shadow.*	--	gen_context(system_u:object_r:shadow_t,s0)
 
 /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
@@ -44,4 +46,3 @@
 /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 
-/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if	2009-10-29 23:01:14.000000000 +0100
@@ -30,6 +30,53 @@
 	dontaudit $2 shadow_t:file read_file_perms;
 ')
 
+#######################################
+## <summary>
+##      Make the specified domain used for a login program.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain type used for a login program domain.
+##      </summary>
+## </param>
+#
+interface(`auth_use_pam',`
+
+	# for SSP/ProPolice
+	dev_read_urand($1)
+	# for encrypted homedir
+	dev_read_sysfs($1)
+
+	auth_domtrans_chk_passwd($1)
+        auth_domtrans_upd_passwd($1)
+        auth_dontaudit_read_shadow($1)
+        auth_read_login_records($1)
+        auth_append_login_records($1)
+        auth_rw_lastlog($1)
+        auth_rw_faillog($1)
+        auth_exec_pam($1)
+        auth_use_nsswitch($1)
+
+        logging_send_audit_msgs($1)
+        logging_send_syslog_msg($1)
+
+        optional_policy(`
+                dbus_system_bus_client($1)
+                optional_policy(`
+                        consolekit_dbus_chat($1)
+                ')
+        ')
+
+        optional_policy(`
+                kerberos_manage_host_rcache($1)
+                kerberos_read_config($1)
+        ')
+
+        optional_policy(`
+                nis_authenticate($1)
+        ')
+')
+
 ########################################
 ## <summary>
 ##	Make the specified domain used for a login program.
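Review bot: The summary of the new `auth_use_pam` interface (line 5408) is word-for-word the summary of `auth_login_pgm_domain` that follows it, so the generated interface documentation cannot tell the two apart even though this one never calls domain_type() and grants none of the auth_cache rules. Suggest `## Grant a domain the rules it needs to authenticate through PAM (chkpwd/updpwd transitions, login-record, lastlog and faillog access, nsswitch, audit and syslog) without making it a full login-program domain.` The body switches from tabs on lines 5419-5423 to eight-space indentation from `auth_domtrans_upd_passwd($1)` onward, and the ruler on line 5406 is one `#` shorter than the file's 40-character separators.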
@@ -42,8 +89,7 @@
 #
 interface(`auth_login_pgm_domain',`
 	gen_require(`
-		type var_auth_t;
-		type auth_cache_t;
+		type var_auth_t, auth_cache_t;
 	')
 
 	domain_type($1)
@@ -77,6 +123,8 @@
 
 	# for SSP/ProPolice
 	dev_read_urand($1)
+	# for encrypted homedir
+	dev_read_sysfs($1)
 	# for fingerprint readers
 	dev_rw_input_dev($1)
 	dev_rw_generic_usb_dev($1)
@@ -143,6 +191,11 @@
 	')
 
 	optional_policy(`
+		kerberos_manage_host_rcache($1)
+		kerberos_read_config($1)
+	')
+
+	optional_policy(`
 		fprintd_dbus_chat($1)
 	')
 
@@ -153,6 +206,7 @@
 	optional_policy(`
 		ssh_agent_exec($1)
 		userdom_read_user_home_content_files($1)
+		ssh_read_user_home_files($1)
 	')
 
 ')
@@ -238,6 +292,97 @@
 
 ########################################
 ## <summary>
+##	Search authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_search_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	allow $1  auth_cache_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_read_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	read_files_pattern($1, auth_cache_t,  auth_cache_t)
+')
+
+########################################
+## <summary>
+##	Read/Write authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_rw_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	rw_files_pattern($1, auth_cache_t,  auth_cache_t)
+')
+
+########################################
+## <summary>
+##	Manage authentication cache
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_manage_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	manage_files_pattern($1, auth_cache_t,  auth_cache_t)
+	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+')
+
+#######################################
+## <summary>
+##	Automatic transition from cache_t to cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_var_filetrans_cache',`
+	gen_require(`
+		type auth_cache_t;
+	')
+
+	files_var_filetrans($1,auth_cache_t,{ file dir } )
+')
+
+########################################
+## <summary>
 ##	Run unix_chkpwd to check a password.
 ## </summary>
 ## <param name="domain">
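Review bot: `auth_var_filetrans_cache` (line 5580) replaces the `auth_filetrans_cache` that a later hunk of this patch removes, under a new name and with narrower semantics: the old interface granted manage_files_pattern and manage_dirs_pattern on auth_cache_t plus the transition, the new one grants only `files_var_filetrans`, so any caller of the old name now has to call both `auth_manage_cache($1)` and `auth_var_filetrans_cache($1)`. The summary `Automatic transition from cache_t to cache.` names the wrong source type; suggest `## Create auth cache files and directories under /var with an automatic transition to auth_cache_t.` The `<rolecap/>` tags that the removed copies of auth_search_cache, auth_read_cache, auth_rw_cache and auth_manage_cache carried are dropped here, which is worth stating if intentional.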
@@ -726,7 +871,7 @@
 
 ########################################
 ## <summary>
-##	Send signal to pam process
+##	Send generic signals to pam processes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1258,6 +1403,25 @@
 
 ########################################
 ## <summary>
+##	dontaudit read login records files (/var/log/wtmp).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`auth_dontaudit_read_login_records',`
+	gen_require(`
+		type wtmp_t;
+	')
+
+	dontaudit $1 wtmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write to
 ##	login records files.
 ## </summary>
@@ -1415,6 +1579,10 @@
 	')
 
 	optional_policy(`
+		nslcd_stream_connect($1)
+	')
+
+	optional_policy(`
 		sssd_stream_connect($1)
 	')
 
@@ -1456,99 +1624,3 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
-
-########################################
-## <summary>
-##	Search authentication cache
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_search_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	allow $1  auth_cache_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Read authentication cache
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_read_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	read_files_pattern($1, auth_cache_t,  auth_cache_t)
-')
-
-########################################
-## <summary>
-##	Read/Write authentication cache
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_rw_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	rw_files_pattern($1, auth_cache_t,  auth_cache_t)
-')
-########################################
-## <summary>
-##	Manage authentication cache
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`auth_manage_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	manage_files_pattern($1, auth_cache_t,  auth_cache_t)
-')
-
-#######################################
-## <summary>
-##	Automatic transition from cache_t to cache.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`auth_filetrans_cache',`
-	gen_require(`
-		type auth_cache_t;
-	')
-
-	manage_files_pattern($1, auth_cache_t,  auth_cache_t)
-	manage_dirs_pattern($1, auth_cache_t,  auth_cache_t)
-	files_var_filetrans($1,auth_cache_t,{ file dir } )
-')
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.12/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.te	2009-06-25 10:21:01.000000000 +0200
@@ -1,5 +1,5 @@
 
-policy_module(authlogin, 2.0.0)
+policy_module(authlogin, 2.0.2)
 
 ########################################
 #
@@ -10,9 +10,12 @@
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
 
+type auth_cache_t;
+logging_log_file(auth_cache_t)
+
 type chkpwd_t, can_read_shadow_passwords;
 type chkpwd_exec_t;
-typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t system_chkpwd_t };
+typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
 typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t };
 application_domain(chkpwd_t, chkpwd_exec_t)
 role system_r types chkpwd_t;
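Review bot: Dropping `system_chkpwd_t` from the typealias on line 5759 removes a name that other policy modules may still reference, and nothing in this patch adds a replacement or updates a caller; a module that still uses the alias will fail to link until it is changed. If the alias is obsolete, a short comment on the typealias line or a changelog entry saying so would help; otherwise keep it in the list.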
@@ -57,15 +60,13 @@
 type updpwd_exec_t;
 domain_type(updpwd_t)
 domain_entry_file(updpwd_t,updpwd_exec_t)
+domain_obj_id_change_exemption(updpwd_t)
 role system_r types updpwd_t;
 
 type utempter_t;
 type utempter_exec_t;
 application_domain(utempter_t,utempter_exec_t)
 
-type auth_cache_t;
-logging_log_file(auth_cache_t)
-
 #
 # var_auth_t is the type of /var/lib/auth, usually
 # used for auth data in pam_able
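Review bot: `domain_obj_id_change_exemption(updpwd_t)` on line 5767 loosens a constraint that is on by default and arrives without a comment; the same pattern repeats with `allow updpwd_t self:capability { chown dac_override };` in the updpwd local-policy hunk and with `domain_obj_id_change_exemption(dhcpc_t)` in the sysnetwork.te hunk of this patch. Each of these should carry a why-comment, e.g. `# TODO(review): record which updpwd operation needs the object-identity-change exemption`, so a later audit can tell a deliberate grant from a denial that was silenced by widening.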
@@ -180,11 +181,6 @@
 
 logging_send_syslog_msg(pam_t)
 
-userdom_write_user_tmp_files(pam_t)
-userdom_delete_user_tmp_files(pam_t)
-userdom_dontaudit_read_user_home_content_files(pam_t)
-userdom_dontaudit_write_user_home_content_files(pam_t)
-
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(pam_t)
@@ -200,7 +196,7 @@
 # PAM console local policy
 #
 
-allow pam_console_t self:capability { dac_override dac_read_search chown fowner fsetid };
+allow pam_console_t self:capability { chown fowner fsetid };
 dontaudit pam_console_t self:capability sys_tty_config;
 
 allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
@@ -218,8 +214,6 @@
 dev_read_sysfs(pam_console_t)
 dev_getattr_apm_bios_dev(pam_console_t)
 dev_setattr_apm_bios_dev(pam_console_t)
-dev_getattr_cpu_dev(pam_console_t)
-dev_setattr_cpu_dev(pam_console_t)
 dev_getattr_dri_dev(pam_console_t)
 dev_setattr_dri_dev(pam_console_t)
 dev_getattr_input_dev(pam_console_t)
@@ -244,10 +238,6 @@
 dev_setattr_video_dev(pam_console_t)
 dev_getattr_xserver_misc_dev(pam_console_t)
 dev_setattr_xserver_misc_dev(pam_console_t)
-
-dev_getattr_all_chr_files(pam_console_t)
-dev_setattr_all_chr_files(pam_console_t)
-
 dev_read_urand(pam_console_t)
 
 mls_file_read_all_levels(pam_console_t)
@@ -329,6 +319,7 @@
 # updpwd local policy
 #
 
+allow updpwd_t self:capability { chown dac_override };
 allow updpwd_t self:process setfscreate;
 allow updpwd_t self:fifo_file rw_fifo_file_perms;
 allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
@@ -336,6 +327,8 @@
 
 kernel_read_system_state(updpwd_t)
 
+dev_read_urand(updpwd_t)
+
 files_manage_etc_files(updpwd_t)
 
 term_dontaudit_use_console(updpwd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/init.fc	2009-06-25 10:21:01.000000000 +0200
@@ -6,6 +6,8 @@
 /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/etc/sysconfig/network-scripts/ifup-ipsec  	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+
 /etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
 /etc/X11/prefdm		--	gen_context(system_u:object_r:initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-09-14 14:35:30.000000000 +0200
@@ -285,6 +285,7 @@
 kernel_dontaudit_getattr_message_if(initrc_t)
 kernel_stream_connect(initrc_t)
 files_read_kernel_modules(initrc_t)
+files_read_config_files(initrc_t)
 
 files_read_kernel_symbol_table(initrc_t)
 files_exec_etc_files(initrc_t)
@@ -331,6 +332,7 @@
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
@@ -403,6 +405,9 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
+
 
 auth_use_nsswitch(initrc_t)
 
@@ -750,6 +755,7 @@
 
 	mysql_stream_connect(initrc_t)
 	mysql_write_log(initrc_t)
+	mysql_read_config(initrc_t)
 ')
 
 optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te	2009-08-20 13:08:01.000000000 +0200
@@ -1,11 +1,18 @@
 
-policy_module(ipsec, 1.9.0)
+policy_module(ipsec, 1.9.1)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow racoon to read shadow
+## </p>
+## </desc>
+gen_tunable(racoon_read_shadow, false)
+
 type ipsec_t;
 type ipsec_exec_t;
 init_daemon_domain(ipsec_t,ipsec_exec_t)
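Review bot: The tunable description `Allow racoon to read shadow` on line 5902 is the text administrators see for the boolean, and it neither says what "shadow" is nor that the default is off. Suggest `## Allow racoon to read the shadow password file (shadow_t). Off by default.` so the listing reads unambiguously.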
@@ -43,6 +50,9 @@
 init_daemon_domain(racoon_t,racoon_exec_t)
 role system_r types racoon_t;
 
+type racoon_tmp_t;
+files_tmp_file(racoon_tmp_t)
+
 type setkey_t;
 type setkey_exec_t;
 init_system_domain(setkey_t,setkey_exec_t)
@@ -53,7 +63,7 @@
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
 dontaudit ipsec_t self:capability sys_tty_config;
 allow ipsec_t self:process { getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
@@ -67,7 +77,7 @@
 read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
 
 allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
-rw_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+manage_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
 
 manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -82,7 +92,7 @@
 # so try flipping back into the ipsec_mgmt_t domain
 corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
 allow ipsec_mgmt_t ipsec_t:fd use;
-allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
+allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
 allow ipsec_mgmt_t ipsec_t:process sigchld;
 
 kernel_read_kernel_sysctls(ipsec_t)
@@ -103,13 +113,11 @@
 corenet_raw_sendrecv_all_nodes(ipsec_t)
 corenet_tcp_sendrecv_all_ports(ipsec_t)
 corenet_tcp_bind_all_nodes(ipsec_t)
+corenet_udp_bind_all_nodes(ipsec_t)
 corenet_tcp_bind_reserved_port(ipsec_t)
 corenet_tcp_bind_isakmp_port(ipsec_t)
-
-corenet_udp_bind_all_nodes(ipsec_t)
 corenet_udp_bind_isakmp_port(ipsec_t)
 corenet_udp_bind_ipsecnat_port(ipsec_t)
-
 corenet_sendrecv_generic_server_packets(ipsec_t)
 corenet_sendrecv_isakmp_server_packets(ipsec_t)
 
@@ -130,7 +138,7 @@
 
 files_read_etc_files(ipsec_t)
 files_read_usr_files(ipsec_t)
-files_search_tmp(ipsec_t)
+files_list_tmp(ipsec_t)
 
 init_use_fds(ipsec_t)
 init_use_script_ptys(ipsec_t)
@@ -158,12 +166,12 @@
 #
 
 allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:process { signal setrlimit ptrace };
 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
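Review bot: `ptrace` joins ipsec_mgmt_t's self:process permissions on line 5976 with no comment saying what needs it. Self-ptrace denials often come from a process reading its own /proc state rather than from real tracing; if that is the case here, `dontaudit ipsec_mgmt_t self:process ptrace;` is the safer form, and if the permission is genuinely required the reason belongs on the line.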
@@ -171,8 +179,6 @@
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
 files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
 
-logging_send_syslog_msg(ipsec_mgmt_t)
-
 manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
 manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
 
@@ -248,6 +254,8 @@
 init_exec_script_files(ipsec_mgmt_t)
 init_use_fds(ipsec_mgmt_t)
 
+logging_send_syslog_msg(ipsec_mgmt_t)
+
 miscfiles_read_localization(ipsec_mgmt_t)
 
 modutils_domtrans_insmod(ipsec_mgmt_t)
@@ -284,6 +292,13 @@
 allow racoon_t self:netlink_selinux_socket { bind create read };
 allow racoon_t self:udp_socket create_socket_perms;
 allow racoon_t self:key_socket create_socket_perms;
+allow racoon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
+manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
+files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
+
+can_exec(racoon_t, setkey_exec_t)
 
 # manage pid file
 manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
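Review bot: `can_exec(racoon_t, setkey_exec_t)` on line 6014 runs setkey inside racoon_t instead of transitioning to setkey_t, so racoon_t must itself hold whatever setkey needs; the setkey local-policy section grants `ipsec_setcontext_default_spd(setkey_t)` (line 6071) to the separate domain, and that access is not given to racoon_t here. If a domain transition to setkey_t is available, prefer it; otherwise add `# setkey is deliberately run in racoon_t, not setkey_t` so the choice is visible.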
@@ -301,11 +316,21 @@
 kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
 
+can_exec(racoon_t, racoon_exec_t)
+
+corecmd_exec_shell(racoon_t)
+corecmd_exec_bin(racoon_t)
+
+sysnet_exec_ifconfig(racoon_t)
+
 corenet_all_recvfrom_unlabeled(racoon_t)
+corenet_tcp_sendrecv_all_if(racoon_t)
+corenet_udp_sendrecv_all_if(racoon_t)
+corenet_tcp_sendrecv_all_nodes(racoon_t)
+corenet_udp_sendrecv_all_nodes(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
 corenet_udp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
-corenet_udp_sendrecv_all_if(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
 
 dev_read_urand(racoon_t)
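Review bot: `corecmd_exec_shell(racoon_t)`, `corecmd_exec_bin(racoon_t)`, `sysnet_exec_ifconfig(racoon_t)` and `can_exec(racoon_t, racoon_exec_t)` (lines 6022-6027) let a network-facing IKE daemon run a shell and arbitrary binaries in its own domain, and none of them says why. Presumably this is for scripts racoon launches from its configuration; if so, record it, e.g. `# racoon runs its configured hook scripts and ifconfig in-domain`, so the grant can be re-evaluated when the daemon changes.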
@@ -315,6 +340,8 @@
 
 files_read_etc_files(racoon_t)
 
+fs_dontaudit_getattr_xattr_fs(racoon_t)
+
 # allow racoon to use avc_has_perm to check context on proposed SA
 selinux_compute_access_vector(racoon_t)
 
@@ -329,6 +356,13 @@
 
 miscfiles_read_localization(racoon_t)
 
+auth_use_pam(racoon_t)
+
+auth_can_read_shadow_passwords(racoon_t)
+tunable_policy(`racoon_read_shadow',`
+        auth_tunable_read_shadow(racoon_t)
+')
+
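Review bot: `auth_can_read_shadow_passwords(racoon_t)` on line 6056 sits outside the tunable_policy block, so racoon_t is placed in the can_read_shadow_passwords attribute whether or not `racoon_read_shadow` is set, and only the allow rule inside `auth_tunable_read_shadow` is conditional. That is the required layout, since attribute membership cannot be made conditional, but it deserves a comment so the next reader does not move it inside the block: `# attribute membership must be unconditional; the read rule is gated by racoon_read_shadow`. Line 6058 is indented with spaces where the file uses tabs.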
 ########################################
 #
 # Setkey local policy
@@ -348,6 +382,7 @@
 files_read_etc_files(setkey_t)
 
 init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
 
 # allow setkey to set the context for ipsec SAs and policy.
 ipsec_setcontext_default_spd(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.12/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/iptables.te	2009-10-29 22:49:15.000000000 +0100
@@ -101,10 +101,18 @@
 ')
 
 optional_policy(`
+        psad_rw_tmp_files(iptables_t)
+') 
+
+optional_policy(`
 	rhgb_dontaudit_use_ptys(iptables_t)
 ')
 
 optional_policy(`
+        shorewall_rw_var_lib(iptables_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(iptables_t)
 ')
 
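Review bot: The two new optional_policy bodies on lines 6079 and 6087 are indented with eight spaces while the neighbouring blocks use a tab, and line 6080 has trailing whitespace after `')`. The same trailing whitespace appears on new lines elsewhere in this patch: `allow $1 unconfined_mount_t:process signal; ` in mount.if, `dev_read_sysfs(mount_t)  ` in mount.te and `files_read_usr_files(dhcpc_t)  ` in sysnetwork.te.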
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/iscsi.te	2009-06-25 10:21:01.000000000 +0200
@@ -69,6 +69,7 @@
 dev_rw_sysfs(iscsid_t)
 
 domain_use_interactive_fds(iscsid_t)
+domain_read_all_domains_state(iscsid_t)
 
 files_read_etc_files(iscsid_t)
 
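Review bot: `domain_read_all_domains_state(iscsid_t)` on line 6101 is, by its name, a read of every domain's process state, and it lands with no comment explaining which lookup iscsid performs. If it is a pidof-style scan of /proc, say so on the line; if only a specific peer's state is needed, a narrower interface for that domain keeps the daemon's view of other processes small.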
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc	2009-11-16 15:27:21.000000000 +0100
@@ -139,8 +139,10 @@
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libjackserver\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libnnz11.so(\.[^/]*)*             gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
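Review bot: The new `/usr/lib(64)?/libnnz11.so(\.[^/]*)*` on line 6115 leaves the dot in `.so` unescaped, unlike every neighbouring pattern, and omits the `--` file-type field that the other textrel_shlib_t entries carry, so it also matches directories and symlinks of that name. Suggest `/usr/lib(64)?/libnnz11\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)`.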
@@ -159,6 +161,10 @@
 /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libGL\.so(\.[^/]*)*       --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)*      --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* --      gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/altivec/libavcodec\.so(\.[^/]*)*     --      gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
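Review bot: The added `/usr/lib(64)?/libGL\.so(\.[^/]*)*` on line 6123 duplicates the existing `/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)*` entry (line 6109), which already matches the same paths with the same context, so it can be dropped. The other three new lines are inserted between the two `/usr/X11R6/lib` entries but belong with the `/usr/lib(64)?` group above, and `/usr/lib64/altivec/libavcodec\.so…` hard-codes lib64 where the rest of the file writes `/usr/lib(64)?`. The later maxima hunk does the same; `/usr/lib64/maxima/[^/]+/binary-gcl/maxima` can be folded into the existing line as `/usr/lib(64)?/maxima/[^/]+/binary-gcl/maxima`.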
@@ -167,6 +173,8 @@
 /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/share/hplip/prnt/plugins(/.*)?		gen_context(system_u:object_r:lib_t,s0)
+
 ifdef(`distro_debian',`
 /usr/lib32				-l	gen_context(system_u:object_r:lib_t,s0)
 ')
@@ -190,6 +198,7 @@
 /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -284,6 +293,7 @@
 /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # vmware 
+HOME_DIR/\.mozilla(/.*)?/plugins/np-vmware-vmrc-.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -329,6 +339,8 @@
 
 /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
 
+/var/named/chroot/usr/lib/bind(/.*)?		gen_context(system_u:object_r:lib_t,s0)
+
 /var/lib/spamassassin/compiled/.*\.so.*    --     gen_context(system_u:object_r:lib_t,s0)
 
 ifdef(`distro_suse',`
@@ -366,9 +378,14 @@
 /usr/matlab.*\.so(\.[^/]*)*		gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/matlab.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/Zend/lib/ZendExtensionManager\.so	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib/libcncpmslld328\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/lib(64)?/midori/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+# libraries for avidemux
+/usr/lib(64)?(/.*)?/libADM.*\.so(\.[^/]*)*		gen_context(system_u:object_r:textrel_shlib_t,s0)
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/locallogin.te	2009-06-25 10:21:01.000000000 +0200
@@ -211,6 +211,7 @@
 # Sulogin local policy
 #
 
+allow sulogin_t self:capability dac_override;
 allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_file_perms;
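Review bot: `allow sulogin_t self:capability dac_override;` on line 6186 bypasses file permission bits for the rescue login and has no comment saying which access triggers it. The file already scopes its other capability grant (`allow sulogin_t self:capability sys_tty_config;` inside the sulogin_no_pam block, line 6201), so either move this one next to the access that needs it or annotate it: `# TODO(review): record which sulogin access needs dac_override`.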
@@ -258,7 +259,10 @@
 # suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `define(`sulogin_no_pam')')
 ifdef(`distro_debian', `define(`sulogin_no_pam')')
-ifdef(`distro_redhat',`define(`sulogin_no_pam')')
+ifdef(`distro_redhat',`
+	define(`sulogin_no_pam')
+	selinux_compute_user_contexts(sulogin_t)
+')
 
 ifdef(`sulogin_no_pam', `
 	allow sulogin_t self:capability sys_tty_config;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.12/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/logging.fc	2009-09-29 18:32:45.000000000 +0200
@@ -50,6 +50,7 @@
 ')
 
 ifdef(`distro_redhat',`
+/var/named/chroot/dev/log -s 	gen_context(system_u:object_r:devlog_t,s0)
 /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.12/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/logging.te	2009-09-29 14:05:27.000000000 +0200
@@ -481,6 +481,10 @@
 ')
 
 optional_policy(`
+	bind_search_cache(syslogd_t)
+')
+
+optional_policy(`
 	inn_manage_log(syslogd_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.12/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc	2009-04-07 21:54:48.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/miscfiles.fc	2009-07-30 17:46:06.000000000 +0200
@@ -11,6 +11,7 @@
 /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
 
 ifdef(`distro_redhat',`
 /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.12/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/miscfiles.if	2009-11-16 15:23:38.000000000 +0100
@@ -272,6 +272,24 @@
 	allow $1 locale_t:file execute;
 ')
 
+#######################################
+## <summary>
+##      Allow process to search man pages.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`miscfiles_search_man_pages',`
+        gen_require(`
+                type man_t;
+        ')
+
+        allow $1 man_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to search man pages.
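Review bot: The param summary of the new `miscfiles_search_man_pages` reads `Domain to not audit.` (line 6251), copied from the dontaudit variant that follows it, but this interface grants access; it should read `Domain allowed access.` The body is indented with spaces where the rest of the file uses tabs, and the ruler on line 6245 is one `#` short of the surrounding separators.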
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.12/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/mount.if	2009-09-08 13:12:41.000000000 +0200
@@ -175,7 +175,9 @@
 interface(`mount_signal',`
 	gen_require(`
 		type mount_t;
+		type unconfined_mount_t;
 	')
 
 	allow $1 mount_t:process signal; 
+	allow $1 unconfined_mount_t:process signal; 
 ')
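Review bot: `mount_signal` now requires `type unconfined_mount_t;` unconditionally (line 6273), so every caller of the interface fails to build wherever that type is not declared; this patch declares it nowhere, so it relies on an existing declaration in mount.te. If that declaration is itself optional or distro-specific, the second allow should be guarded in the same way rather than added to the common require block. Line 6277 also carries trailing whitespace after `signal;`.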
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.12/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/mount.te	2009-08-11 10:04:04.000000000 +0200
@@ -72,6 +72,7 @@
 dev_list_all_dev_nodes(mount_t)
 dev_read_usbfs(mount_t)
 dev_read_rand(mount_t)
+dev_read_sysfs(mount_t)  
 dev_rw_lvm_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.12/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.if	2009-08-12 10:55:14.000000000 +0200
@@ -281,6 +281,7 @@
 	')
 
 	files_search_etc($1)
+	allow $1 net_conf_t:dir list_dir_perms;
 	read_files_pattern($1, net_conf_t, net_conf_t)
 ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te	2009-07-17 09:43:41.000000000 +0200
@@ -45,7 +45,7 @@
 # DHCP client local policy
 #
 allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability sys_tty_config;
+dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 allow dhcpc_t self:process { setfscreate ptrace signal_perms };
@@ -69,8 +69,9 @@
 
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
-sysnet_manage_config(dhcpc_t)
+allow dhcpc_t net_conf_t:file manage_file_perms;
 allow dhcpc_t net_conf_t:file relabel_file_perms;
+sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t,net_conf_t,file)
 
 # create temp files
@@ -120,11 +121,13 @@
 corecmd_exec_bin(dhcpc_t)
 corecmd_exec_shell(dhcpc_t)
 
+domain_obj_id_change_exemption(dhcpc_t)
 domain_use_interactive_fds(dhcpc_t)
 domain_dontaudit_read_all_domains_state(dhcpc_t)
 
 files_read_etc_files(dhcpc_t)
 files_read_etc_runtime_files(dhcpc_t)
+files_read_usr_files(dhcpc_t)  
 files_search_home(dhcpc_t)
 files_search_var_lib(dhcpc_t)
 files_dontaudit_search_locks(dhcpc_t)
@@ -270,8 +273,8 @@
 
 read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
 
-files_read_etc_files(ifconfig_t);
-files_read_etc_runtime_files(ifconfig_t);
+files_read_etc_files(ifconfig_t)
+files_read_etc_runtime_files(ifconfig_t)
 
 kernel_use_fds(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
@@ -367,3 +370,9 @@
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
+
+optional_policy(`
+	hal_rw_dgram_sockets(dhcpc_t)
+	hal_dontaudit_rw_pipes(ifconfig_t)
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.12/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc	2009-04-07 21:54:48.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/udev.fc	2009-07-30 17:22:30.000000000 +0200
@@ -5,6 +5,7 @@
 /etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
 /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+/etc/udev/rules\.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 
 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
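Review bot: Labelling `/etc/udev/rules\.d(/.*)?` as `udev_var_run_t` gives a persistent configuration directory under /etc the same type as udev's runtime state, which the udev domain fully manages (the manage_files_pattern on udev_var_run_t in udev.te), so a misbehaving or compromised udev can rewrite its own rules with no policy barrier and the hand-written rules lose their read-only etc labelling. If this is deliberate because udev's persistent-rule generator writes into that directory, record it in a comment above the entry, e.g. `# udev writes generated persistent rules here, so it shares the runtime type`; otherwise a dedicated type for generated rules would keep the rest read-only. The entry has no file-type column unlike the neighbouring `--` lines, which is correct for a directory pattern but worth a second look.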
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/udev.te	2009-08-13 18:24:35.000000000 +0200
@@ -67,6 +67,7 @@
 
 manage_dirs_pattern(udev_t,udev_var_run_t,udev_var_run_t)
 manage_files_pattern(udev_t,udev_var_run_t,udev_var_run_t)
+manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t,udev_var_run_t,{ dir file })
 
 kernel_read_system_state(udev_t)
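Review bot: The new `manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)` lets udev_t create symlinks in udev_var_run_t directories, but the `files_pid_filetrans(udev_t,udev_var_run_t,{ dir file })` right below still only transitions dirs and files, so a link created directly in the pid directory would take the parent's default label rather than udev_var_run_t. If udev does create links there, extend the class set to `{ dir file lnk_file }`; if it only manages links inside its own udev_var_run_t subtree, the present rule suffices. Stylistically the new line uses spaces after the commas while its neighbours do not.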
@@ -112,6 +113,7 @@
 
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
+fs_rw_anon_inodefs_files(udev_t)
 
 mcs_ptrace_all(udev_t)
 
@@ -196,6 +198,10 @@
 ')
 
 optional_policy(`
+	bluetooth_domtrans(udev_t)
+')
+
+optional_policy(`
 	brctl_domtrans(udev_t)
 ')
 
@@ -258,6 +264,10 @@
 ')
 
 optional_policy(`
+	unconfined_signal(udev_t)
+')
+
+optional_policy(`
 	kernel_write_xen_state(udev_t)
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-09-14 14:33:01.000000000 +0200
@@ -443,6 +443,9 @@
 	dev_rw_usbfs($1)
 	dev_rw_generic_usb_dev($1)
 
+	dev_read_video_dev($1)
+	dev_write_video_dev($1)
+
 	miscfiles_dontaudit_write_fonts($1)
 
 	optional_policy(`
@@ -518,6 +521,8 @@
 	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 
+	allow $1_t self:socket create_socket_perms;
+
 	allow $1_usertype unpriv_userdomain:fd use;
 
 	kernel_read_system_state($1_usertype)
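Review bot: `allow $1_t self:socket create_socket_perms;` grants creation of generic sockets — the class that covers address families without a dedicated object class — for every user domain built from this template, which is broader than the netlink-specific dontaudit rules around it. A comment naming the address family or application that needed it would let reviewers judge the scope, e.g. `# generic socket class: TODO name the address family seen in the denial`. The rule targets `$1_t` while the following line targets `$1_usertype`; that matches the netlink lines above, but confirm it is the intended subject.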
@@ -627,12 +632,6 @@
 		')
 
 		optional_policy(`
-			devicekit_dbus_chat($1_usertype)
-			devicekit_power_dbus_chat($1_usertype)
-			devicekit_disk_dbus_chat($1_usertype)
-		')
-
-		optional_policy(`
 			evolution_dbus_chat($1_usertype)
 			evolution_alarm_dbus_chat($1_usertype)
 	')
@@ -702,6 +701,7 @@
 	optional_policy(`
 		rpc_dontaudit_getattr_exports($1_usertype)
 		rpc_manage_nfs_rw_content($1_usertype)
+		rpcbind_stream_connect($1_usertype)
 	')
 
 	optional_policy(`
@@ -968,6 +968,21 @@
 	')
 
 		optional_policy(`
+		devicekit_dbus_chat($1_usertype)
+		devicekit_power_dbus_chat($1_usertype)
+		devicekit_disk_dbus_chat($1_usertype)
+	')
+
+	optional_policy(`
+		fprintd_dbus_chat($1_t)
+	')
+
+
+	optional_policy(`
+		gnomeclock_dbus_chat($1_usertype)
+	')
+
+	optional_policy(`
 		gnome_manage_config($1_usertype)
 		gnome_manage_gconf_home_files($1_usertype)
 		gnome_read_gconf_config($1_usertype)
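Review bot: The closing `')` added at the top of this hunk is indented one tab while the `optional_policy(` it closes (the context line above it) is indented two tabs, so the devicekit block's open and close do not line up; re-indent the open to one tab like the other blocks here. `fprintd_dbus_chat($1_t)` targets `$1_t` while every neighbouring dbus_chat call targets `$1_usertype` — if only the base user type is meant to chat with fprintd, a comment saying so would prevent a later "fix". There is also a doubled blank line between the fprintd and gnomeclock blocks. The enclosing template starts outside this hunk.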
@@ -1218,6 +1233,7 @@
 	files_exec_usr_src_files($1_t)
 
 	fs_getattr_all_fs($1_t)
+	fs_getattr_all_files($1_t)
 	fs_set_all_quotas($1_t)
 	fs_exec_noxattr($1_t)
 
@@ -1457,6 +1473,7 @@
 	')
 
 	allow $1 user_home_dir_t:dir search_dir_perms;
+	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
 	files_search_home($1)
 ')
 
@@ -1880,7 +1897,7 @@
 		type user_home_t;
 	')
 
-	allow $1 user_home_t:dir delete_file_perms;
+	allow $1 user_home_t:file delete_file_perms;
 ')
 
 ########################################
@@ -3317,10 +3334,6 @@
   seutil_run_newrole($1_t, $1_r)
 
   optional_policy(`
-	gnomeclock_dbus_chat($1_t)
-  ')
-
-  optional_policy(`
 	kerneloops_dbus_chat($1_t)
   ')
 
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te
--- nsaserefpolicy/policy/modules/system/virtual.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/virtual.te	2009-06-25 10:21:01.000000000 +0200
@@ -38,6 +38,7 @@
 dev_read_sound(virtualdomain)
 dev_write_sound(virtualdomain)
 dev_rw_kvm(virtualdomain)
+dev_rw_ksm(virtualdomain)
 dev_rw_qemu(virtualdomain)
 
 domain_use_interactive_fds(virtualdomain)
@@ -63,10 +64,6 @@
 miscfiles_read_localization(virtualdomain)
 
 optional_policy(`
-	dbus_system_bus_client(virtualdomain)
-')
-
-optional_policy(`
 	virt_read_config(virtualdomain)
 	virt_read_lib_files(virtualdomain)
 	virt_read_content(virtualdomain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/system/xen.te	2009-06-25 10:21:01.000000000 +0200
@@ -419,6 +419,7 @@
 kernel_read_xen_state(xm_ssh_t)
 kernel_write_xen_state(xm_ssh_t)
 
+userdom_search_admin_dir(xm_ssh_t)
 
 #Should have a boolean wrapping these
 fs_list_auto_mountpoints(xend_t)