diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
--- nsaserefpolicy/policy/mcs 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/mcs 2009-06-18 13:09:45.000000000 -0400
@@ -66,7 +66,7 @@
#
# Note that getattr on files is always permitted.
#
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
+mlsconstrain { file chr_file blk_file sock_file lnk_file fifo_file } { write setattr append unlink link rename ioctl lock execute relabelfrom }
(( h1 dom h2 ) or ( t1 == mlsfilewrite ));
mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
@@ -111,22 +111,22 @@
(( h1 dom h2 ) and ( l2 eq h2 ));
# Access control for any database objects based on MCS rules.
-mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param }
+mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
( h1 dom h2 );
-mlsconstrain db_table { drop setattr relabelfrom select update insert delete use }
+mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
( h1 dom h2 );
-mlsconstrain db_column { drop setattr relabelfrom select update insert use }
+mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
( h1 dom h2 );
mlsconstrain db_tuple { relabelfrom select update delete use }
( h1 dom h2 );
-mlsconstrain db_procedure { execute install }
+mlsconstrain db_procedure { drop getattr setattr execute install }
( h1 dom h2 );
-mlsconstrain db_blob { drop setattr relabelfrom read write }
+mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
') dnl end enable_mcs
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.12/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/prelink.te 2009-06-15 08:33:15.000000000 -0400
@@ -68,10 +68,11 @@
files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
files_write_non_security_dirs(prelink_t)
-files_read_etc_files(prelink_t)
-files_read_etc_runtime_files(prelink_t)
+auth_read_all_files_except_shadow(prelink_t)
files_dontaudit_read_all_symlinks(prelink_t)
files_manage_usr_files(prelink_t)
+# Delta RPMS
+files_manage_var_files(prelink_t)
files_relabelfrom_usr_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
@@ -102,5 +103,9 @@
')
optional_policy(`
+ rpm_manage_tmp_files(prelink_t)
+')
+
+optional_policy(`
unconfined_domain(prelink_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-06-06 06:42:14.000000000 -0400
@@ -55,6 +55,7 @@
files_read_non_security_files(readahead_t)
files_dontaudit_read_security_files(readahead_t)
files_dontaudit_getattr_non_security_blk_files(readahead_t)
+files_create_boot_flag(readahead_t)
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-05-29 11:02:56.000000000 -0400
@@ -470,6 +470,24 @@
########################################
## <summary>
+## Manage RPM tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_tmp_files',`
+ gen_require(`
+ type rpm_tmp_t;
+ ')
+
+ manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
## Do not audit attempts to read,
## write RPM tmp files
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te 2009-05-26 13:02:40.000000000 -0400
@@ -209,6 +209,7 @@
files_manage_etc_files(groupadd_t)
files_relabel_etc_files(groupadd_t)
files_read_etc_runtime_files(groupadd_t)
+files_read_usr_symlinks(groupadd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(groupadd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.12/policy/modules/apps/gitosis.fc
--- nsaserefpolicy/policy/modules/apps/gitosis.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.fc 2009-06-20 07:16:05.000000000 -0400
@@ -0,0 +1,4 @@
+
+/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+
+/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.12/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.if 2009-06-20 07:16:05.000000000 -0400
@@ -0,0 +1,94 @@
+## <summary>gitosis interface</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run gitosis.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gitosis_domtrans',`
+ gen_require(`
+ type gitosis_t, gitosis_exec_t;
+ ')
+
+ domtrans_pattern($1, gitosis_exec_t, gitosis_t)
+')
+
+#######################################
+## <summary>
+## Execute gitosis-serve in the gitosis domain, and
+## allow the specified role the gitosis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the gpsd domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the role's terminal.
+## </summary>
+## </param>
+#
+interface(`gitosis_run',`
+ gen_require(`
+ type gitosis_t;
+ ')
+
+ gitosis_domtrans($1)
+ role $2 types gitosis_t;
+ allow gitosis_t $3:chr_file rw_term_perms;
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read
+## gitosis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_read_var_lib',`
+ gen_require(`
+ type gitosis_var_lib_t;
+
+ ')
+
+ read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to manage
+## gitosis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gitosis_manage_var_lib',`
+ gen_require(`
+ type gitosis_var_lib_t;
+
+ ')
+
+ manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.12/policy/modules/apps/gitosis.te
--- nsaserefpolicy/policy/modules/apps/gitosis.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/apps/gitosis.te 2009-06-20 07:16:05.000000000 -0400
@@ -0,0 +1,43 @@
+policy_module(gitosis,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gitosis_t;
+type gitosis_exec_t;
+application_domain(gitosis_t, gitosis_exec_t)
+role system_r types gitosis_t;
+
+type gitosis_var_lib_t;
+files_type(gitosis_var_lib_t)
+
+########################################
+#
+# gitosis local policy
+#
+
+allow gitosis_t self:fifo_file rw_fifo_file_perms;
+
+exec_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_lnk_files_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+manage_dirs_pattern(gitosis_t,gitosis_var_lib_t,gitosis_var_lib_t)
+
+corecmd_exec_bin(gitosis_t)
+corecmd_exec_shell(gitosis_t)
+
+kernel_read_system_state(gitosis_t)
+
+files_read_usr_files(gitosis_t)
+files_search_var_lib(gitosis_t)
+
+libs_use_ld_so(gitosis_t)
+libs_use_shared_libs(gitosis_t)
+
+miscfiles_read_localization(gitosis_t)
+
+optional_policy(`
+ ssh_rw_pipes(gitosis_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc 2009-06-08 13:49:44.000000000 -0400
@@ -1,2 +1,3 @@
/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/qemu.te 2009-06-12 14:53:46.000000000 -0400
@@ -88,11 +88,16 @@
')
optional_policy(`
+ dbus_system_bus_client(qemu_t)
+')
+
+optional_policy(`
samba_domtrans_smb(qemu_t)
')
optional_policy(`
virt_manage_images(qemu_t)
+ virt_append_log(qemu_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te 2009-05-22 10:14:07.000000000 -0400
@@ -38,3 +38,6 @@
miscfiles_read_localization(sandbox_t)
userdom_use_user_ptys(sandbox_t)
+
+kernel_dontaudit_read_system_state(sandbox_t)
+corecmd_exec_all_executables(sandbox_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc
--- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-04-07 15:54:49.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc 2009-05-26 08:07:56.000000000 -0400
@@ -63,6 +63,7 @@
')
/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/vmware.te 2009-06-12 08:42:20.000000000 -0400
@@ -136,7 +136,7 @@
miscfiles_read_localization(vmware_host_t)
-sysnet_dns_name_resolve(vmware_host_t)
+auth_use_nsswitch(vmware_host_t)
storage_getattr_fixed_disk_dev(vmware_host_t)
@@ -160,6 +160,10 @@
xserver_common_app(vmware_host_t)
')
+optional_policy(`
+ unconfined_domain(vmware_host_t)
+ unconfined_domain(vmware_t)
+')
ifdef(`TODO',`
# VMWare need access to pcmcia devices for network
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-06-08 08:49:07.000000000 -0400
@@ -7,6 +7,7 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -69,6 +70,8 @@
/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
@@ -145,6 +148,7 @@
/usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -217,8 +221,11 @@
/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2009-06-19 07:01:37.000000000 -0400
@@ -134,7 +134,7 @@
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0)
-network_port(mail, tcp,2000,s0)
+network_port(mail, tcp,2000,s0, tcp,3905,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc 2009-06-08 09:12:26.000000000 -0400
@@ -46,8 +46,10 @@
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0)
/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-06-08 09:15:11.000000000 -0400
@@ -1727,6 +1727,133 @@
########################################
## <summary>
+## Get the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_ksm_dev',`
+ gen_require(`
+ type device_t, ksm_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+## Set the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_ksm_dev',`
+ gen_require(`
+ type device_t, ksm_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+## Read the ksm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_ksm',`
+ gen_require(`
+ type device_t, ksm_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+## Read and write to ksm devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_ksm',`
+ gen_require(`
+ type device_t, ksm_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+######################################
+## <summary>
+## Read the lirc device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_lirc',`
+ gen_require(`
+ type device_t, lirc_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+## Read and write the lirc device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_lirc',`
+ gen_require(`
+ type device_t, lirc_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+## Automatic type transition to the type
+## for lirc device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_lirc',`
+ gen_require(`
+ type device_t, lirc_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file)
+')
+
+########################################
+## <summary>
## Read the lvm comtrol device.
## </summary>
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.te 2009-06-08 09:12:06.000000000 -0400
@@ -78,6 +78,13 @@
dev_node(ipmi_device_t)
#
+# ksm_device_t is the type of
+# /dev/ksm
+#
+type ksm_device_t;
+dev_node(ksm_device_t)
+
+#
# Type for /dev/kmsg
#
type kmsg_device_t;
@@ -91,6 +98,12 @@
dev_node(kvm_device_t)
#
+# Type for /dev/lirc
+#
+type lirc_device_t;
+dev_node(lirc_device_t)
+
+#
# Type for /dev/mapper/control
#
type lvm_control_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-06-02 11:47:44.000000000 -0400
@@ -65,8 +65,8 @@
')
optional_policy(`
- selinux_dontaudit_getattr_fs($1)
- selinux_dontaudit_read_fs($1)
+ selinux_getattr_fs($1)
+ selinux_search_fs($1)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-06-12 13:29:57.000000000 -0400
@@ -91,6 +91,9 @@
kernel_read_proc_symlinks(domain)
kernel_read_crypto_sysctls(domain)
+# All executables should be able to search the directory they are in
+corecmd_search_bin(domain)
+
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
@@ -152,8 +155,7 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
-allow unconfined_domain_type domain:dbus send_msg;
-allow domain unconfined_domain_type:dbus send_msg;
+allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-06-15 08:32:29.000000000 -0400
@@ -1953,6 +1953,7 @@
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
+ files_read_etc_runtime_files($1)
')
########################################
@@ -3734,6 +3735,7 @@
allow $1 usr_t:dir list_dir_perms;
read_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
+ files_read_usr_src_files($1)
')
########################################
@@ -5224,6 +5226,7 @@
attribute file_type;
')
+ allow $1 file_type:dir search_dir_perms;
allow $1 file_type:file { getattr read write append lock };
allow $1 file_type:fifo_file { getattr read write append ioctl lock };
allow $1 file_type:sock_file { getattr read write append ioctl lock };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-22 08:57:53.000000000 -0400
@@ -817,7 +817,7 @@
type proc_t;
')
- dontaudit $1 proc_t:file { getattr read };
+ dontaudit $1 proc_t:file { open getattr read };
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if 2009-06-11 10:02:45.000000000 -0400
@@ -571,6 +571,25 @@
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
')
+#######################################
+## <summary>
+## Set the attributes of the tty device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_setattr_controlling_term',`
+ gen_require(`
+ type devtty_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devtty_t:chr_file setattr;
+')
+
########################################
## <summary>
## Read and write the controlling
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-06-01 08:41:46.000000000 -0400
@@ -44,6 +44,10 @@
')
optional_policy(`
+ postgresql_role(staff_r, staff_t)
+')
+
+optional_policy(`
secadm_role_change(staff_r)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.12/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/sysadm.te 2009-05-21 15:11:07.000000000 -0400
@@ -334,6 +334,10 @@
')
optional_policy(`
+ virt_stream_connect(sysadm_t)
+')
+
+optional_policy(`
yam_run(sysadm_t, sysadm_r)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-06-15 15:37:33.000000000 -0400
@@ -52,6 +52,8 @@
init_system_domain(unconfined_execmem_t, execmem_exec_t)
role unconfined_r types unconfined_execmem_t;
typealias execmem_exec_t alias unconfined_execmem_exec_t;
+userdom_unpriv_usertype(unconfined, unconfined_execmem_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_execmem_t)
type unconfined_notrans_t;
type unconfined_notrans_exec_t;
@@ -253,6 +255,10 @@
')
optional_policy(`
+ ppp_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
qemu_role_notrans(unconfined_r, unconfined_t)
qemu_unconfined_role(unconfined_r)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.12/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/apache.fc 2009-05-26 15:13:01.000000000 -0400
@@ -98,4 +98,6 @@
/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.12/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if 2009-04-07 15:54:47.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/automount.if 2009-06-08 08:39:46.000000000 -0400
@@ -21,6 +21,25 @@
########################################
## <summary>
+## Send automount a signal
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+#
+interface(`automount_signal',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ allow $1 automount_t:process signal;
+')
+
+########################################
+## <summary>
## Execute automount in the caller domain.
## </summary>
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te 2009-06-16 09:05:29.000000000 -0400
@@ -64,6 +64,7 @@
allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
allow bluetooth_t self:udp_socket create_socket_perms;
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-06-01 06:47:53.000000000 -0400
@@ -14,7 +14,7 @@
files_pid_file(consolekit_var_run_t)
type consolekit_log_t;
-files_pid_file(consolekit_log_t)
+logging_log_file(consolekit_log_t)
########################################
#
@@ -50,6 +50,7 @@
files_read_usr_files(consolekit_t)
# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
+files_search_all_mountpoints(consolekit_t)
fs_list_inotifyfs(consolekit_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-05-26 08:38:15.000000000 -0400
@@ -163,27 +163,14 @@
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t;
+ type unconfined_cronjob_t;
')
- role $1 types { unconfined_cronjob_t admin_crontab_t };
+ role $1 types unconfined_cronjob_t;
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
-
- # crontab shows up in user ps
- ps_process_pattern($2, admin_crontab_t)
- allow $2 admin_crontab_t:process signal;
-
- # Run helper programs as the user domain
- #corecmd_bin_domtrans(admin_crontab_t, $2)
- #corecmd_shell_domtrans(admin_crontab_t, $2)
- corecmd_exec_bin(admin_crontab_t)
- corecmd_exec_shell(admin_crontab_t)
-
optional_policy(`
gen_require(`
class dbus send_msg;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.12/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/cups.fc 2009-06-19 14:21:26.000000000 -0400
@@ -36,6 +36,8 @@
# keep as separate lines to ensure proper sorting
/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/cups/filter/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/filter/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/dcc.te 2009-06-09 07:21:39.000000000 -0400
@@ -130,11 +130,13 @@
# Access files in /var/dcc. The map file can be updated
allow dcc_client_t dcc_var_t:dir list_dir_perms;
-read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
+manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
kernel_read_system_state(dcc_client_t)
+fs_getattr_all_fs(dcc_client_t)
+
corenet_all_recvfrom_unlabeled(dcc_client_t)
corenet_all_recvfrom_netlabel(dcc_client_t)
corenet_udp_bind_generic_node(dcc_client_t)
@@ -154,6 +156,10 @@
userdom_use_user_terminals(dcc_client_t)
optional_policy(`
+ amavis_read_spool_files(dcc_client_t)
+')
+
+optional_policy(`
spamassassin_read_spamd_tmp_files(dcc_client_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.12/policy/modules/services/ddclient.if
--- nsaserefpolicy/policy/modules/services/ddclient.if 2009-04-07 15:54:45.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/ddclient.if 2009-06-15 15:36:48.000000000 -0400
@@ -21,6 +21,31 @@
########################################
## <summary>
+## Execute ddclient daemon on behalf of a user or staff type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the ppp domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ddclient_run',`
+ gen_require(`
+ type ddclient_t;
+ ')
+
+ ddclient_domtrans($1)
+ role $2 types ddclient_t;
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an ddclient environment
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-06-20 06:24:36.000000000 -0400
@@ -55,7 +55,7 @@
#
# DeviceKit-Power local policy
#
-allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice };
+allow devicekit_power_t self:capability { dac_override sys_ptrace sys_tty_config sys_nice };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
@@ -77,6 +77,7 @@
kernel_rw_kernel_sysctl(devicekit_power_t)
kernel_write_proc_files(devicekit_power_t)
+dev_read_input(devicekit_power_t)
dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
@@ -107,6 +108,7 @@
')
optional_policy(`
+ polkit_dbus_chat(devicekit_power_t)
polkit_domtrans_auth(devicekit_power_t)
polkit_read_lib(devicekit_power_t)
polkit_read_reload(devicekit_power_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-06-19 07:12:28.000000000 -0400
@@ -87,6 +88,10 @@
')
optional_policy(`
+ dbus_system_bus_client(dnsmasq_t)
+')
+
+optional_policy(`
tftp_read_content(dnsmasq_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-06-17 09:18:27.000000000 -0400
@@ -22,12 +22,15 @@
corecmd_search_bin(fprintd_t)
+dev_list_usbfs(fprintd_t)
dev_rw_generic_usb_dev(fprintd_t)
dev_read_sysfs(fprintd_t)
files_read_etc_files(fprintd_t)
files_read_usr_files(fprintd_t)
+kernel_read_system_state(fprintd_t)
+
auth_use_nsswitch(fprintd_t)
miscfiles_read_localization(fprintd_t)
@@ -40,9 +43,10 @@
')
optional_policy(`
- polkit_read_reload(fprintd_t)
- polkit_read_lib(fprintd_t)
+ polkit_dbus_chat(fprintd_t)
polkit_domtrans_auth(fprintd_t)
+ polkit_read_lib(fprintd_t)
+ polkit_read_reload(fprintd_t)
')
permissive fprintd_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/ftp.te 2009-06-16 08:25:50.000000000 -0400
@@ -129,8 +129,7 @@
allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
# Create and modify /var/log/xferlog.
-allow ftpd_t xferlog_t:dir search_dir_perms;
-allow ftpd_t xferlog_t:file manage_file_perms;
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.12/policy/modules/services/gnomeclock.te
--- nsaserefpolicy/policy/modules/services/gnomeclock.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/gnomeclock.te 2009-06-20 06:24:32.000000000 -0400
@@ -44,6 +44,7 @@
')
optional_policy(`
+ polkit_dbus_chat(gnomeclock_t)
polkit_domtrans_auth(gnomeclock_t)
polkit_read_lib(gnomeclock_t)
polkit_read_reload(gnomeclock_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-05-27 07:02:29.000000000 -0400
@@ -162,6 +162,7 @@
fs_mount_dos_fs(hald_t)
fs_unmount_dos_fs(hald_t)
fs_manage_dos_files(hald_t)
+fs_manage_fusefs_dirs(hald_t)
files_getattr_all_mountpoints(hald_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.12/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/kerberos.if 2009-06-01 08:13:05.000000000 -0400
@@ -70,6 +70,7 @@
interface(`kerberos_use',`
gen_require(`
type krb5_conf_t, krb5kdc_conf_t;
+ type krb5_host_rcache_t;
')
files_search_etc($1)
@@ -101,6 +102,7 @@
corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
+ allow $1 krb5_host_rcache_t:file getattr;
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/kerberos.te 2009-06-15 15:00:15.000000000 -0400
@@ -287,6 +287,7 @@
manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
corecmd_exec_bin(kpropd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-06-01 08:22:04.000000000 -0400
@@ -45,6 +45,9 @@
dev_filetrans(lircd_t, lircd_sock_t, sock_file )
dev_read_generic_usb_dev(lircd_t)
+dev_filetrans_lirc(lircd_t)
+dev_rw_lirc(lircd_t)
+
logging_send_syslog_msg(lircd_t)
files_read_etc_files(lircd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.12/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/mailman.if 2009-05-26 13:53:04.000000000 -0400
@@ -197,6 +197,7 @@
type mailman_data_t;
')
+ list_dirs_pattern($1, mailman_data_t, mailman_data_t)
read_files_pattern($1, mailman_data_t, mailman_data_t)
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-06-15 10:55:27.000000000 -0400
@@ -473,6 +473,7 @@
')
write_files_pattern($1, etc_mail_t, etc_mail_t)
+ allow $1 etc_mail_t:file setattr;
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-04-07 15:54:45.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/pcscd.te 2009-06-16 09:51:56.000000000 -0400
@@ -28,6 +28,7 @@
allow pcscd_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
@@ -46,6 +47,8 @@
files_read_etc_files(pcscd_t)
files_read_etc_runtime_files(pcscd_t)
+kernel_read_system_state(pcscd_t)
+
term_use_unallocated_ttys(pcscd_t)
term_dontaudit_getattr_pty_dirs(pcscd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.12/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/polkit.fc 2009-06-15 11:00:10.000000000 -0400
@@ -2,7 +2,7 @@
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0)
-/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0)
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:polkit_exec_t,s0)
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-06-03 08:38:18.000000000 -0400
@@ -580,6 +580,25 @@
########################################
## <summary>
+## Execute the master postqueue in the
+## postfix_postqueue domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`postfix_domtrans_postqueue',`
+ gen_require(`
+ type postfix_postqueue_t, postfix_postqueue_exec_t;
+ ')
+
+ domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+')
+
+########################################
+## <summary>
## Execute the master postdrop in the
## postfix_postdrop domain.
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.12/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/ppp.if 2009-06-18 15:55:43.000000000 -0400
@@ -177,10 +177,16 @@
interface(`ppp_run',`
gen_require(`
type pppd_t;
+ type pptp_t;
')
ppp_domtrans($1)
role $2 types pppd_t;
+ role $2 types pptp_t;
+
+ optional_policy(`
+ ddclient_run(pppd_t, $2)
+ ')
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.12/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/privoxy.te 2009-06-15 15:20:45.000000000 -0400
@@ -48,8 +48,7 @@
files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
kernel_read_kernel_sysctls(privoxy_t)
-kernel_list_proc(privoxy_t)
-kernel_read_proc_symlinks(privoxy_t)
+kernel_read_system_state(privoxy_t)
corenet_all_recvfrom_unlabeled(privoxy_t)
corenet_all_recvfrom_netlabel(privoxy_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc 2009-05-21 08:32:24.000000000 -0400
@@ -3,6 +3,8 @@
HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.12/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.te 2009-06-09 07:21:04.000000000 -0400
@@ -97,6 +97,8 @@
kernel_read_kernel_sysctls(pyzor_t)
kernel_read_system_state(pyzor_t)
+fs_getattr_xattr_fs(pyzor_t)
+
corecmd_list_bin(pyzor_t)
corecmd_getattr_bin_files(pyzor_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-06-08 08:39:25.000000000 -0400
@@ -95,6 +95,10 @@
userdom_signal_unpriv_users(rpcd_t)
optional_policy(`
+ automount_signal(rpcd_t)
+')
+
+optional_policy(`
nis_read_ypserv_config(rpcd_t)
')
@@ -214,6 +218,10 @@
')
optional_policy(`
+ automount_signal(gssd_t)
+')
+
+optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/rsync.te 2009-06-03 08:45:52.000000000 -0400
@@ -126,6 +126,8 @@
tunable_policy(`rsync_export_all_ro',`
fs_read_noxattr_fs_files(rsync_t)
+ fs_read_nfs_files(rsync_t)
+ fs_read_cifs_files(rsync_t)
auth_read_all_dirs_except_shadow(rsync_t)
auth_read_all_files_except_shadow(rsync_t)
auth_read_all_symlinks_except_shadow(rsync_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.te 2009-06-03 08:38:28.000000000 -0400
@@ -148,6 +148,7 @@
optional_policy(`
postfix_domtrans_postdrop(sendmail_t)
+ postfix_domtrans_postqueue(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/setroubleshoot.te 2009-06-10 11:22:59.000000000 -0400
@@ -121,6 +121,10 @@
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
+ locate_read_lib_files(setroubleshootd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(setroubleshootd_t)
dbus_connect_system_bus(setroubleshootd_t)
dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.12/policy/modules/services/shorewall.te
--- nsaserefpolicy/policy/modules/services/shorewall.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/shorewall.te 2009-06-12 07:59:58.000000000 -0400
@@ -35,6 +35,7 @@
allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:process signal;
allow shorewall_t self:fifo_file rw_fifo_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-05-21 08:31:58.000000000 -0400
@@ -1,3 +1,4 @@
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.12/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/uucp.te 2009-06-10 16:13:54.000000000 -0400
@@ -95,6 +95,8 @@
files_search_home(uucpd_t)
files_search_spool(uucpd_t)
+term_setattr_controlling_term(uucpd_t)
+
auth_use_nsswitch(uucpd_t)
logging_send_syslog_msg(uucpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-06-19 12:42:59.000000000 -0400
@@ -22,6 +22,13 @@
## <desc>
## <p>
+## Allow svirt to use usb devices
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, true)
+
+## <desc>
+## <p>
## Allow svirt to manage device configuration, (pci)
## </p>
## </desc>
@@ -183,6 +190,7 @@
seutil_read_default_contexts(virtd_t)
term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -214,6 +222,12 @@
fs_read_cifs_symlinks(virtd_t)
')
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(svirt_t)
+ fs_manage_dos_dirs(svirt_t)
+ fs_manage_dos_files(svirt_t)
+')
+
optional_policy(`
brctl_domtrans(virtd_t)
')
@@ -316,16 +330,17 @@
dontaudit svirt_t virt_content_t:file write_file_perms;
dontaudit svirt_t virt_content_t:dir write;
-storage_raw_write_removable_device(svirt_t)
-storage_raw_read_removable_device(svirt_t)
-
userdom_search_user_home_content(svirt_t)
userdom_read_all_users_state(svirt_t)
append_files_pattern(svirt_t, virt_log_t, virt_log_t)
+append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t)
allow svirt_t self:udp_socket create_socket_perms;
+corecmd_exec_bin(svirt_t)
+corecmd_exec_shell(svirt_t)
+
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
@@ -353,10 +368,6 @@
')
optional_policy(`
- samba_domtrans_smb(svirt_t)
-')
-
-optional_policy(`
xen_rw_image_files(svirt_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-06-12 13:40:09.000000000 -0400
@@ -530,6 +530,7 @@
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
miscfiles_manage_localization(xdm_t)
+miscfiles_read_hwdata(xdm_t)
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -538,6 +539,7 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
+userdom_manage_user_tmp_dirs(xdm_t)
userdom_manage_user_tmp_sockets(xdm_t)
userdom_manage_tmpfs_role(system_r, xdm_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-06-15 15:31:05.000000000 -0400
@@ -77,6 +77,8 @@
# for SSP/ProPolice
dev_read_urand($1)
+ # for encrypted homedir
+ dev_read_sysfs($1)
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
@@ -147,6 +149,11 @@
')
optional_policy(`
+ kerberos_manage_host_rcache($1)
+ kerberos_read_config($1)
+ ')
+
+ optional_policy(`
nis_authenticate($1)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.12/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/init.fc 2009-05-26 09:15:52.000000000 -0400
@@ -6,6 +6,8 @@
/etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-06-15 10:44:05.000000000 -0400
@@ -285,6 +285,7 @@
kernel_dontaudit_getattr_message_if(initrc_t)
kernel_stream_connect(initrc_t)
files_read_kernel_modules(initrc_t)
+files_read_config_files(initrc_t)
files_read_kernel_symbol_table(initrc_t)
files_exec_etc_files(initrc_t)
@@ -750,6 +751,7 @@
mysql_stream_connect(initrc_t)
mysql_write_log(initrc_t)
+ mysql_read_config(initrc_t)
')
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-06-15 16:11:42.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(ipsec, 1.9.0)
+policy_module(ipsec, 1.9.1)
########################################
#
@@ -53,7 +53,7 @@
# ipsec Local policy
#
-allow ipsec_t self:capability { net_admin dac_override dac_read_search };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
dontaudit ipsec_t self:capability sys_tty_config;
allow ipsec_t self:process { getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
@@ -67,7 +67,7 @@
read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
-rw_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+manage_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -103,13 +103,11 @@
corenet_raw_sendrecv_all_nodes(ipsec_t)
corenet_tcp_sendrecv_all_ports(ipsec_t)
corenet_tcp_bind_all_nodes(ipsec_t)
+corenet_udp_bind_all_nodes(ipsec_t)
corenet_tcp_bind_reserved_port(ipsec_t)
corenet_tcp_bind_isakmp_port(ipsec_t)
-
-corenet_udp_bind_all_nodes(ipsec_t)
corenet_udp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_ipsecnat_port(ipsec_t)
-
corenet_sendrecv_generic_server_packets(ipsec_t)
corenet_sendrecv_isakmp_server_packets(ipsec_t)
@@ -130,7 +128,7 @@
files_read_etc_files(ipsec_t)
files_read_usr_files(ipsec_t)
-files_search_tmp(ipsec_t)
+files_list_tmp(ipsec_t)
init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)
@@ -158,12 +156,12 @@
#
allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
+allow ipsec_mgmt_t self:process { signal setrlimit ptrace };
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
+allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
@@ -171,8 +169,6 @@
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
-logging_send_syslog_msg(ipsec_mgmt_t)
-
manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
@@ -248,6 +244,8 @@
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
+logging_send_syslog_msg(ipsec_mgmt_t)
+
miscfiles_read_localization(ipsec_mgmt_t)
modutils_domtrans_insmod(ipsec_mgmt_t)
@@ -284,6 +282,7 @@
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket create_socket_perms;
+allow racoon_t self:fifo_file rw_fifo_file_perms;
# manage pid file
manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
@@ -301,11 +300,21 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
+can_exec(racoon_t, racoon_exec_t)
+
+corecmd_exec_shell(racoon_t)
+corecmd_exec_bin(racoon_t)
+
+sysnet_exec_ifconfig(racoon_t)
+
corenet_all_recvfrom_unlabeled(racoon_t)
+corenet_tcp_sendrecv_all_if(racoon_t)
+corenet_udp_sendrecv_all_if(racoon_t)
+corenet_tcp_sendrecv_all_nodes(racoon_t)
+corenet_udp_sendrecv_all_nodes(racoon_t)
corenet_tcp_bind_all_nodes(racoon_t)
corenet_udp_bind_all_nodes(racoon_t)
corenet_udp_bind_isakmp_port(racoon_t)
-corenet_udp_sendrecv_all_if(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
dev_read_urand(racoon_t)
@@ -348,6 +357,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/iscsi.te 2009-06-16 09:44:36.000000000 -0400
@@ -69,6 +69,7 @@
dev_rw_sysfs(iscsid_t)
domain_use_interactive_fds(iscsid_t)
+domain_read_all_domains_state(iscsid_t)
files_read_etc_files(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-06-12 09:03:04.000000000 -0400
@@ -139,6 +139,7 @@
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -190,6 +191,7 @@
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -366,9 +368,10 @@
/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-
+/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/locallogin.te 2009-05-28 21:07:39.000000000 -0400
@@ -211,6 +211,7 @@
# Sulogin local policy
#
+allow sulogin_t self:capability dac_override;
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file rw_file_perms;
@@ -258,7 +259,10 @@
# suse and debian do not use pam with sulogin...
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')
-ifdef(`distro_redhat',`define(`sulogin_no_pam')')
+ifdef(`distro_redhat',`
+ define(`sulogin_no_pam')
+ selinux_compute_user_contexts(sulogin_t)
+')
ifdef(`sulogin_no_pam', `
allow sulogin_t self:capability sys_tty_config;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-06-01 13:01:59.000000000 -0400
@@ -45,7 +45,7 @@
# DHCP client local policy
#
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability sys_tty_config;
+dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
allow dhcpc_t self:process { setfscreate ptrace signal_perms };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-06-12 07:55:17.000000000 -0400
@@ -196,6 +196,10 @@
')
optional_policy(`
+ bluetooth_domtrans(udev_t)
+')
+
+optional_policy(`
brctl_domtrans(udev_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-06-01 08:19:34.000000000 -0400
@@ -1880,7 +1880,7 @@
type user_home_t;
')
- allow $1 user_home_t:dir delete_file_perms;
+ allow $1 user_home_t:file delete_file_perms;
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te
--- nsaserefpolicy/policy/modules/system/virtual.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-06-12 14:53:26.000000000 -0400
@@ -38,6 +38,7 @@
dev_read_sound(virtualdomain)
dev_write_sound(virtualdomain)
dev_rw_kvm(virtualdomain)
+dev_rw_ksm(virtualdomain)
dev_rw_qemu(virtualdomain)
domain_use_interactive_fds(virtualdomain)
@@ -63,10 +64,6 @@
miscfiles_read_localization(virtualdomain)
optional_policy(`
- dbus_system_bus_client(virtualdomain)
-')
-
-optional_policy(`
virt_read_config(virtualdomain)
virt_read_lib_files(virtualdomain)
virt_read_content(virtualdomain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-06-04 14:47:25.000000000 -0400
@@ -419,6 +419,7 @@
kernel_read_xen_state(xm_ssh_t)
kernel_write_xen_state(xm_ssh_t)
+userdom_search_admin_dir(xm_ssh_t)
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)