From 129fb08e086e4221a6d944f1709197c1299468a4 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 02 2009 20:15:22 +0000 Subject: - Remove transition from dhcpc_t to consoletype_t, just allow exec - Fixes for prelink cron job - Fix label on yumex backend - Allow unconfined_java_t to communicate with iptables - Allow abrt to read /tmp files - Fix nut/ups policy --- diff --git a/policy-F12.patch b/policy-F12.patch index d8e1636..dbf7cc5 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -654,7 +654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2009-11-30 11:31:33.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2009-12-02 13:54:17.000000000 -0500 @@ -21,8 +21,23 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -720,7 +720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amanda_manage_lib(prelink_t) -@@ -99,5 +119,54 @@ +@@ -99,5 +119,56 @@ ') optional_policy(` 
@@ -737,19 +737,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +allow prelink_cron_system_t self:capability setuid; -+allow prelink_cron_system_t self:process setsched; ++allow prelink_cron_system_t self:process { setsched setfscreate }; +allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; +allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt }; + +domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) + +read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) ++allow prelink_cron_system_t prelink_cache_t:file unlink; ++files_delete_etc_dir_entry(prelink_cron_system_t) + -+# This sucks: can it not just append? -+rw_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t) ++manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t) + +manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) +files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file) ++allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto }; + +corecmd_exec_bin(prelink_cron_system_t) +corecmd_exec_shell(prelink_cron_system_t) @@ -788,8 +790,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_getattr_all_sockets(readahead_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.32/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.fc 2009-10-28 08:38:25.000000000 -0400 -@@ -1,18 +1,18 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.fc 2009-12-01 15:44:26.000000000 -0500 +@@ -1,18 +1,19 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) 
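Review bot: `manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)` replaces the earlier `rw_files_pattern` and deletes the comment asking whether the job could merely append, so the cron job can now unlink and recreate its own log with no recorded reason. Log types are normally kept at append/rw so that a compromised job cannot erase its own trail; if the cron script really rotates the file itself, say so: `# cron script rotates prelink.log itself, hence manage rather than rw`. The new `files_delete_etc_dir_entry(prelink_cron_system_t)` grants `remove_name` on every `etc_t` directory and is only meaningful together with the `prelink_cache_t:file unlink` line just above it (presumably for /etc/prelink.cache); a comment such as `# remove the prelink cache before a full run` would keep that pairing from being widened later. The domain's rules continue beyond this hunk.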
@@ -811,10 +813,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -21,15 +21,23 @@ +@@ -21,15 +22,23 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -1760,7 +1763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te 2009-11-16 09:57:56.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te 2009-12-01 15:42:25.000000000 -0500 @@ -42,6 +42,7 @@ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) @@ -1769,18 +1772,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_delete_user_home_content_dirs(tmpreaper_t) userdom_delete_user_home_content_files(tmpreaper_t) userdom_delete_user_home_content_symlinks(tmpreaper_t) -@@ -52,6 +53,10 @@ +@@ -52,6 +53,11 @@ ') optional_policy(` + apache_delete_sys_content_rw(tmpreaper_t) ++ apache_delete_cache(tmpreaper_t) +') + +optional_policy(` kismet_manage_log(tmpreaper_t) ') -@@ -60,5 +65,9 @@ +@@ -60,5 +66,9 @@ ') optional_policy(` 
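Review bot: The new `/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)` makes a Python script under /usr/share an entrypoint into `rpm_t`, which is the package-management domain and in Fedora builds is typically granted unconfined-level access (confirm in rpm.te, not visible here). Every path labelled `rpm_exec_t` is a domain-transition point, so the script and its directory must be root-owned and not writable by the desktop user who launches yumex, otherwise editing the script becomes a privilege escalation; that is a packaging property the policy itself cannot enforce. A short comment grouping the yumex entries, e.g. `# yumex helpers run in the yum/rpm backend domain`, would also make clear the labelling is deliberate.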
@@ -4758,7 +4762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.32/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/qemu.te 2009-11-13 08:12:27.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/qemu.te 2009-12-02 13:43:45.000000000 -0500 @@ -13,15 +13,48 @@ ## gen_tunable(qemu_full_network, false) @@ -4858,7 +4862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # qemu_unconfined local policy -@@ -44,6 +115,9 @@ +@@ -44,6 +115,10 @@ type qemu_unconfined_t; domain_type(qemu_unconfined_t) unconfined_domain_noaudit(qemu_unconfined_t) @@ -4867,6 +4871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + application_type(qemu_unconfined_t) + role unconfined_r types qemu_unconfined_t; allow qemu_unconfined_t self:process { execstack execmem }; ++ allow qemu_unconfined_t qemu_exec_t:file execmod; ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.32/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 
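Review bot: `allow qemu_unconfined_t qemu_exec_t:file execmod;` is added to the `qemu_unconfined` block with no stated reason; an `execmod` denial on an executable usually means the binary carries text relocations, and the normal remedy is to fix the build rather than permit the mapping, even for a domain that already has `execstack execmem`. If this is a stopgap for a particular qemu build, record that so it can be retired: `# execmod needed by the current qemu binary (textrel); drop once the package is fixed`. The start of the block lies outside this hunk.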
@@ -6004,7 +6009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-12-01 09:36:15.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-12-02 09:10:48.000000000 -0500 @@ -1,4 +1,4 @@ - +c @@ -6060,7 +6065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -211,6 +217,8 @@ +@@ -211,16 +217,22 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) @@ -6069,7 +6074,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -221,6 +229,9 @@ + /usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) 
@@ -6079,7 +6088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -263,6 +274,7 @@ +@@ -263,6 +275,7 @@ /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -6087,7 +6096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) -@@ -315,3 +327,21 @@ +@@ -315,3 +328,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -6375,8 +6384,58 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-11-30 14:35:16.000000000 -0500 -@@ -1692,6 +1692,78 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-12-02 09:43:54.000000000 -0500 +@@ -783,6 +783,24 @@ + + ######################################## + ## ++## Dontaudit write on all block file device nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_write_all_blk_files',` ++ gen_require(` ++ attribute device_node; ++ ') ++ ++ dontaudit $1 device_node:blk_file write; ++') ++ ++######################################## ++## + ## Dontaudit read on all character file device nodes. + ## + ## +@@ -801,6 +819,24 @@ + + ######################################## + ## ++## Dontaudit write on all character file device nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_write_all_chr_files',` ++ gen_require(` ++ attribute device_node; ++ ') ++ ++ dontaudit $1 device_node:chr_file write; ++') ++ ++######################################## ++## + ## Create all block device files. + ## + ## +@@ -1692,6 +1728,78 @@ ######################################## ## @@ -6455,7 +6514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Get the attributes of the kvm devices. ## ## -@@ -1762,6 +1834,61 @@ +@@ -1762,6 +1870,61 @@ rw_chr_files_pattern($1, device_t, kvm_device_t) ') 
@@ -6517,7 +6576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Read the lvm comtrol device. -@@ -1818,6 +1945,25 @@ +@@ -1818,6 +1981,25 @@ ######################################## ## @@ -6543,7 +6602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## dontaudit getattr raw memory devices (e.g. /dev/mem). ## ## -@@ -1836,6 +1982,24 @@ +@@ -1836,6 +2018,24 @@ ######################################## ## @@ -6568,7 +6627,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read raw memory devices (e.g. /dev/mem). ## ## -@@ -2046,6 +2210,78 @@ +@@ -2046,6 +2246,78 @@ ######################################## ## @@ -6647,7 +6706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Get the attributes of the mouse devices. ## ## -@@ -2305,6 +2541,25 @@ +@@ -2305,6 +2577,25 @@ ######################################## ## @@ -6673,7 +6732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to the null device (/dev/null). ## ## -@@ -3599,6 +3854,24 @@ +@@ -3599,6 +3890,24 @@ ######################################## ## @@ -6756,7 +6815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-11-30 15:50:22.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-12-02 09:09:19.000000000 -0500 @@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain 
@@ -7122,7 +7181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.32/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.fc 2009-12-02 13:34:38.000000000 -0500 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -7131,7 +7190,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ifdef(`distro_suse',` -@@ -229,6 +230,8 @@ +@@ -48,6 +49,7 @@ + /etc/.* gen_context(system_u:object_r:etc_t,s0) + /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0) ++/etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) +@@ -229,6 +231,8 @@ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -7142,7 +7209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-01 10:00:54.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-02 13:55:02.000000000 -0500 @@ -110,6 +110,11 @@ ## # 
@@ -7274,7 +7341,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2418,6 +2499,11 @@ +@@ -2011,6 +2092,25 @@ + delete_files_pattern($1, etc_t, etc_t) + ') + ++ ++######################################## ++## ++## Remove entries from the etc directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_etc_dir_entry',` ++ gen_require(` ++ type etc_t; ++ ') ++ ++ allow $1 etc_t:dir del_entry_dir_perms; ++') ++ + ######################################## + ## + ## Execute generic files in /etc. +@@ -2418,6 +2518,11 @@ ') delete_files_pattern($1, file_t, file_t) @@ -7286,7 +7379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3320,6 +3406,32 @@ +@@ -3320,6 +3425,32 @@ ######################################## ## @@ -7319,7 +7412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage temporary files and directories in /tmp. ## ## -@@ -3449,6 +3561,24 @@ +@@ -3449,6 +3580,24 @@ ######################################## ## @@ -7344,7 +7437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read all tmp files. ## ## -@@ -3515,6 +3645,8 @@ +@@ -3515,6 +3664,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -7353,7 +7446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3623,7 +3755,12 @@ +@@ -3623,7 +3774,12 @@ type usr_t; ') 
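Review bot: `files_delete_etc_dir_entry` grants `del_entry_dir_perms` on every `etc_t` directory, which includes `write` and `remove_name` on /etc itself, yet its one-line summary `Remove entries from the etc directory.` does not say that a caller still needs `unlink` (or `rmdir`) on the specific entry's type for a deletion to succeed. Spelling that out, e.g. `Remove entries from /etc directories; callers also need unlink on the entry's own type`, steers future callers toward pairing it with a narrow file rule instead of reaching for a blanket manage interface. The insertion also leaves two consecutive blank lines before the `########` separator where neighbouring interfaces use one.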
@@ -7367,7 +7460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3662,6 +3799,7 @@ +@@ -3662,6 +3818,7 @@ allow $1 usr_t:dir list_dir_perms; read_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t) @@ -7375,7 +7468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4188,6 +4326,24 @@ +@@ -4188,6 +4345,24 @@ ######################################## ## @@ -7400,7 +7493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search the /var/lib directory. ## ## -@@ -4288,6 +4444,24 @@ +@@ -4288,6 +4463,24 @@ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -7425,7 +7518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -4686,6 +4860,24 @@ +@@ -4686,6 +4879,24 @@ ######################################## ## @@ -7450,7 +7543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to ioctl daemon runtime data files. ## ## -@@ -4955,7 +5147,7 @@ +@@ -4955,7 +5166,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting @@ -7459,7 +7552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4977,12 +5169,15 @@ +@@ -4977,12 +5188,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -7476,7 +7569,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -5003,3 +5198,173 @@ +@@ -5003,3 +5217,173 @@ typeattribute $1 files_unconfined_type; ') 
@@ -9762,8 +9855,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-11-25 10:48:26.000000000 -0500 -@@ -0,0 +1,448 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-01 14:52:35.000000000 -0500 +@@ -0,0 +1,436 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -9911,6 +10004,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` ++ iptables_run(unconfined_usertype, unconfined_r) ++ ') ++ ++ optional_policy(` + networkmanager_dbus_chat(unconfined_usertype) + ') + @@ -9929,7 +10026,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + sandbox_transition(unconfined_usertype, unconfined_r) + ') -+ +') + +ifdef(`distro_gentoo',` @@ -9979,10 +10075,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` -+ hal_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` + gnomeclock_dbus_chat(unconfined_t) + ') + @@ -9991,10 +10083,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` -+ networkmanager_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` + oddjob_dbus_chat(unconfined_t) + ') + @@ -10016,10 +10104,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ iptables_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + java_role_template(unconfined, unconfined_r, unconfined_t) + role system_r types unconfined_java_t; + 
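Review bot: Moving `iptables_run(unconfined_usertype, unconfined_r)` into the `unconfined_usertype` block gives every type carrying that attribute, not just `unconfined_t`, the ability to transition into `iptables_t` and rewrite the firewall; the commit message wants this for `unconfined_java_t`, but the attribute may be shared more widely (confirm which types are declared `unconfined_usertype` elsewhere in this file). A comment at the call site would make the scope explicit: `# every unconfined user type, including unconfined_java_t, may run iptables`. The enclosing block begins outside this hunk.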
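Review bot: This hunk drops `hal_dbus_chat(unconfined_t)` and `networkmanager_dbus_chat(unconfined_t)` from the `unconfined_t` block; the earlier hunk shows `networkmanager_dbus_chat(unconfined_usertype)` covering the second, but no `hal_dbus_chat` on the attribute is visible, so HAL D-Bus access for `unconfined_t` may now depend on what `unconfined_domain` alone permits. Verify that before relying on the removal, or keep the call with a note such as `# hal_dbus_chat kept: not covered by the usertype block`. The block continues outside this hunk.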
@@ -10029,9 +10113,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + unconfined_domain_noaudit(unconfined_java_t) + unconfined_dbus_chat(unconfined_java_t) -+ optional_policy(` -+ hal_dbus_chat(unconfined_java_t) -+ ') + + optional_policy(` + rpm_domtrans(unconfined_java_t) @@ -10629,8 +10710,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-30 17:31:37.000000000 -0500 -@@ -33,12 +33,23 @@ ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-02 09:44:01.000000000 -0500 +@@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10652,10 +10733,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow abrt_t self:capability { setuid setgid sys_nice dac_override }; +allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; ++dontaudit abrt_t self:capability sys_rawio; allow abrt_t self:process { signal signull setsched getsched }; allow abrt_t self:fifo_file rw_fifo_file_perms; -@@ -58,15 +69,18 @@ +@@ -58,15 +70,18 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -10676,7 +10758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,18 +89,30 @@ +@@ -75,18 +90,31 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) 
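Review bot: `dontaudit abrt_t self:capability sys_rawio;` silences a capability that, for a root daemon which the previous line already grants `dac_override` and `chown`, is worth seeing in the audit log; once hidden, a genuine attempt by abrt to perform raw I/O leaves no trace. If the attempts come from a hardware-probing library rather than abrt itself, name it so the rule can be revisited: `# sys_rawio requested by <library> while probing hardware; not needed`.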
@@ -10696,10 +10778,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_getattr_all_files(abrt_t) files_read_etc_files(abrt_t) files_read_usr_files(abrt_t) - ++files_read_generic_tmp_files(abrt_t) ++ +files_dontaudit_list_default(abrt_t) +files_dontaudit_read_default_files(abrt_t) -+ + fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) fs_getattr_all_dirs(abrt_t) @@ -10707,7 +10790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(abrt_t) -@@ -96,22 +122,75 @@ +@@ -96,22 +124,79 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10787,6 +10870,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') ++ dev_dontaudit_read_all_blk_files(abrt_helper_t) ++ dev_dontaudit_read_all_chr_files(abrt_helper_t) ++ dev_dontaudit_write_all_chr_files(abrt_helper_t) ++ dev_dontaudit_write_all_blk_files(abrt_helper_t) +') + +permissive abrt_helper_t; @@ -13640,7 +13727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-11-30 08:14:58.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-12-02 14:02:29.000000000 -0500 @@ -21,7 +21,7 @@ # consolekit local policy # 
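Review bot: `files_read_generic_tmp_files(abrt_t)` lets abrt read every `tmp_t` file on the system, and because `abrt_t` already holds `dac_override` (granted earlier in this diff) file modes will not restrict it, so any user's private /tmp data becomes readable by the crash handler. If the goal is to pick up core dumps or reports that other processes drop in /tmp, a dedicated type with a `files_tmp_filetrans` from the producing domain, or a tunable gating the read, would be narrower; at minimum record the need: `# read crash dumps that other processes leave in /tmp`. The domain's rules continue before and after this hunk.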
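Review bot: The four `dev_dontaudit_{read,write}_all_{blk,chr}_files(abrt_helper_t)` calls silence every read and write attempt on every device node for a domain that the file still marks `permissive abrt_helper_t;` two lines below; while the domain is permissive, dontaudit hides precisely the denials needed to finish its policy, and once enforcing, a blanket dontaudit on writes to block devices masks behaviour that should never be silent. Prefer a dontaudit scoped to the nodes the helper actually touches, or at least name the trigger, e.g. `# helper inherits the crashing process's open device fds (terminal etc.)` if that is indeed the cause. The `optional_policy` block these sit in begins outside this hunk.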
@@ -13650,7 +13737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket create_stream_socket_perms; -@@ -59,15 +59,19 @@ +@@ -59,16 +59,21 @@ term_use_all_terms(consolekit_t) auth_use_nsswitch(consolekit_t) @@ -13668,9 +13755,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# consolekit needs to be able to ptrace all logged in users +userdom_ptrace_all_users(consolekit_t) userdom_dontaudit_read_user_home_content_files(consolekit_t) ++userdom_dontaudit_getattr_admin_home_files(consolekit_t) userdom_read_user_tmp_files(consolekit_t) -@@ -84,9 +88,12 @@ + hal_ptrace(consolekit_t) +@@ -84,9 +89,12 @@ ') optional_policy(` @@ -13684,7 +13773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hal_dbus_chat(consolekit_t) ') -@@ -100,6 +107,7 @@ +@@ -100,6 +108,7 @@ ') optional_policy(` @@ -13692,7 +13781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) policykit_read_reload(consolekit_t) -@@ -108,10 +116,21 @@ +@@ -108,10 +117,21 @@ optional_policy(` xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) 
@@ -14466,7 +14555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-12-01 09:24:30.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-12-02 09:33:28.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -14556,7 +14645,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_config_t self:fifo_file rw_fifo_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms; -@@ -407,6 +424,7 @@ +@@ -378,6 +395,8 @@ + dev_read_rand(cupsd_config_t) + dev_rw_generic_usb_dev(cupsd_config_t) + ++files_search_all_mountpoints(cupsd_config_t) ++ + fs_getattr_all_fs(cupsd_config_t) + fs_search_auto_mountpoints(cupsd_config_t) + +@@ -407,6 +426,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -14564,7 +14662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(cupsd_config_t) -@@ -419,12 +437,15 @@ +@@ -419,12 +439,15 @@ ') optional_policy(` @@ -14582,7 +14680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -446,6 +467,10 @@ +@@ -446,6 +469,10 @@ ') optional_policy(` 
@@ -14593,7 +14691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_read_db(cupsd_config_t) ') -@@ -457,6 +482,10 @@ +@@ -457,6 +484,10 @@ udev_read_db(cupsd_config_t) ') @@ -14604,7 +14702,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Cups lpd support -@@ -542,6 +571,8 @@ +@@ -542,6 +573,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) @@ -14613,7 +14711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,11 +587,15 @@ +@@ -556,11 +589,15 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -14629,7 +14727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(cups_pdf_t) -@@ -601,6 +636,9 @@ +@@ -601,6 +638,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -14639,7 +14737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +665,7 @@ +@@ -627,6 +667,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) 
@@ -15176,7 +15274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-11-13 11:27:34.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-12-02 14:59:42.000000000 -0500 @@ -56,7 +56,7 @@ allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; @@ -15194,7 +15292,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(dovecot_t) fs_list_inotifyfs(dovecot_t) -@@ -159,7 +160,7 @@ +@@ -142,6 +143,10 @@ + ') + + optional_policy(` ++ postgresql_stream_connect(dovecot_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(dovecot_t) + ') + +@@ -159,7 +164,7 @@ # allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; @@ -15203,7 +15312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -220,15 +221,23 @@ +@@ -220,15 +225,23 @@ ') optional_policy(` @@ -15227,7 +15336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; -@@ -260,3 +269,14 @@ +@@ -260,3 +273,14 @@ optional_policy(` mta_manage_spool(dovecot_deliver_t) ') 
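Review bot: `postgresql_stream_connect(dovecot_t)` is placed on the master `dovecot_t` domain rather than `dovecot_auth_t`; SQL lookups in Dovecot are usually done by the auth worker or the dict process, so unless the denial was observed against `dovecot_t` this widens the master daemon without need — check the audit record that motivated it. If the master genuinely needs the socket, a one-line comment such as `# dict/auth SQL lookups over the PostgreSQL unix socket` would justify the placement.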
@@ -17960,8 +18069,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.fc serefpolicy-3.6.32/policy/modules/services/nut.fc --- nsaserefpolicy/policy/modules/services/nut.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/nut.fc 2009-10-07 16:06:40.000000000 -0400 -@@ -0,0 +1,15 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nut.fc 2009-12-02 07:58:43.000000000 -0500 +@@ -0,0 +1,8 @@ + +/usr/sbin/upsd -- gen_context(system_u:object_r:upsd_exec_t,s0) + @@ -17969,17 +18078,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/sbin/upsdrvctl -- gen_context(system_u:object_r:upsdrvctl_exec_t,s0) + -+/var/run/nut/upsdrvctl\.pid -- gen_context(system_u:object_r:upsdrvctl_var_run_t,s0) -+ -+/var/run/nut/upsd\.pid -- gen_context(system_u:object_r:upsd_var_run_t,s0) -+ -+/var/run/nut/upsmon\.pid -- gen_context(system_u:object_r:upsmon_var_run_t,s0) -+ -+/var/run/nut/usbhid-ups-myups\.pid -- gen_context(system_u:object_r:upsdrvctl_var_run_t,s0) -+/var/run/nut/usbhid-ups-myups -s gen_context(system_u:object_r:upsdrvctl_var_run_t,s0) ++/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.if serefpolicy-3.6.32/policy/modules/services/nut.if --- nsaserefpolicy/policy/modules/services/nut.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/nut.if 2009-10-07 16:06:40.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/nut.if 2009-12-02 07:58:44.000000000 -0500 @@ -0,0 +1,82 @@ +## SELinux policy for nut - Network UPS Tools + 
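Review bot: Collapsing the per-daemon pid labels into `/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)` means `upsd_t`, `upsmon_t` and `upsdrvctl_t` now share one runtime type, so whichever of them holds `manage` rights on it (upsd does, in the nut.te hunk later in this patch) can overwrite the others' pid files and driver sockets; the old `upsd_var_run_t`, `upsmon_var_run_t` and `upsdrvctl_var_run_t` survive only as aliases, not as separate types. That is a defensible trade for a tightly coupled daemon family, but it should be stated, e.g. `# single shared runtime type: upsd, upsmon and the drivers all use /var/run/nut`, so nobody later assumes the alias names still isolate anything.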
@@ -17993,7 +18095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`upsd_domtrans',` ++interface(`nut_domtrans_upsd',` + gen_require(` + type upsd_t, upsd_exec_t; + ') @@ -18013,7 +18115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`upsmon_domtrans',` ++interface(`nut_domtrans_upsmon',` + gen_require(` + type upsmon_t, upsmon_exec_t; + ') @@ -18033,7 +18135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`upsdrvctl_domtrans',` ++interface(`nut_domtrans_upsdrvctl',` + gen_require(` + type upsdrvctl_t, upsdrvctl_exec_t; + ') @@ -18054,19 +18156,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`upsdrvctl_stream_connect',` ++interface(`nut_stream_connect',` + gen_require(` -+ type upsdrvctl_t, upsdrvctl_var_run_t; ++ type upsdrvctl_t, nut_var_run_t; + ') + + files_search_pids($1) -+ stream_connect_pattern($1, upsdrvctl_var_run_t, upsdrvctl_var_run_t, upsdrvctl_t) ++ stream_connect_pattern($1, nut_var_run_t, nut_var_run_t, upsdrvctl_t) +') + +Binary files nsaserefpolicy/policy/modules/services/nut.pp and serefpolicy-3.6.32/policy/modules/services/nut.pp differ +Binary files nsaserefpolicy/policy/modules/services/nut.tar and serefpolicy-3.6.32/policy/modules/services/nut.tar differ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.32/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/nut.te 2009-11-24 15:02:36.000000000 -0500 -@@ -0,0 +1,138 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nut.te 2009-12-02 07:58:44.000000000 -0500 +@@ -0,0 +1,127 @@ + +policy_module(nut,1.0.0) + 
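Review bot: `nut_stream_connect` has a generic name but its `stream_connect_pattern` permits `connectto` only to `upsdrvctl_t`, and because `nut_var_run_t` now labels all of /var/run/nut it also grants the caller write on every sock_file under that directory, not just the driver's. A caller reading the name could expect to reach upsd's socket and get a silent denial instead; the interface summary should pin the target, e.g. `## Connect to the NUT driver controller (upsdrvctl) over its unix stream socket in /var/run/nut.`. The rename from `upsdrvctl_stream_connect` has no alias, so any out-of-tree module still calling the old name will fail to build, which is likely acceptable since the module is new here.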
@@ -18079,23 +18183,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type upsd_exec_t; +init_daemon_domain(upsd_t,upsd_exec_t) + -+type upsd_var_run_t; -+files_pid_file(upsd_var_run_t) ++type nut_var_run_t; ++files_pid_file(nut_var_run_t) ++typealias nut_var_run_t alias { upsd_var_run_t upsmon_var_run_t upsdrvctl_var_run_t }; + +type upsmon_t; +type upsmon_exec_t; +init_daemon_domain(upsmon_t,upsmon_exec_t) + -+type upsmon_var_run_t; -+files_pid_file(upsmon_var_run_t) -+ +type upsdrvctl_t; +type upsdrvctl_exec_t; +init_daemon_domain(upsdrvctl_t, upsdrvctl_exec_t) + -+type upsdrvctl_var_run_t; -+files_pid_file(upsdrvctl_var_run_t) -+ +permissive upsd_t; +permissive upsdrvctl_t; +permissive upsmon_t; @@ -18104,19 +18203,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +# upsd local policy +# -+ +allow upsd_t self:capability { dac_override setuid setgid }; + +allow upsd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow upsd_t self:tcp_socket create_stream_socket_perms; + +# pid file -+manage_files_pattern(upsd_t, upsd_var_run_t, upsd_var_run_t) -+manage_dirs_pattern(upsd_t, upsd_var_run_t, upsd_var_run_t) -+manage_sock_files_pattern(upsd_t, upsd_var_run_t, upsd_var_run_t) -+files_pid_filetrans(upsd_t, upsd_var_run_t, { file }) -+ -+rw_files_pattern(upsd_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t) ++manage_files_pattern(upsd_t, nut_var_run_t, nut_var_run_t) ++manage_dirs_pattern(upsd_t, nut_var_run_t, nut_var_run_t) ++manage_sock_files_pattern(upsd_t, nut_var_run_t, nut_var_run_t) ++files_pid_filetrans(upsd_t, nut_var_run_t, { file }) + +corenet_tcp_bind_ups_port(upsd_t) +corenet_tcp_bind_generic_node(upsd_t) 
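Review bot: Collapsing the three pid-file types into `nut_var_run_t` (with the typealias keeping the old names) means `upsd_t`, the domain that binds the UPS TCP port, now gets create/unlink on the pid files and sockets that belonged to `upsdrvctl_t` and `upsmon_t`, where before it had only `rw_files_pattern` on `upsdrvctl_var_run_t`; the same widening applies to the upsmon and upsdrvctl hunks on the next line. If that sharing is intended, a comment above the typealias saying so would help, e.g. `# all three NUT daemons share /var/run/nut; one type, old names kept as aliases`. Note also that `files_pid_filetrans(upsd_t, nut_var_run_t, { file })` (and the `{ file sock_file }` variant for upsdrvctl) omits `dir`, so if any of the daemons creates /var/run/nut itself rather than relying on the package, the directory would be created as the generic pid type; adding `dir` to the class set would cover that, assuming the daemon does create it. The three `permissive` declarations only affect denials, not grants, so the widening takes effect regardless.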
@@ -18128,13 +18224,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +auth_use_nsswitch(upsd_t) + ++sysnet_read_config(upsd_t) ++ +logging_send_syslog_msg(upsd_t) + +miscfiles_read_localization(upsd_t) + -+optional_policy(` -+ upsdrvctl_stream_connect(upsd_t) -+') ++nut_stream_connect(upsd_t) + +###################################### +# @@ -18148,11 +18244,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow upsmon_t self:tcp_socket create_stream_socket_perms; + +# pid file -+manage_files_pattern(upsmon_t, upsmon_var_run_t, upsmon_var_run_t) -+manage_dirs_pattern(upsmon_t, upsmon_var_run_t, upsmon_var_run_t) -+files_pid_filetrans(upsmon_t, upsmon_var_run_t, { file }) -+ -+rw_sock_files_pattern(upsmon_t,upsd_var_run_t,upsd_var_run_t) ++manage_files_pattern(upsmon_t, nut_var_run_t, nut_var_run_t) ++manage_dirs_pattern(upsmon_t, nut_var_run_t, nut_var_run_t) ++files_pid_filetrans(upsmon_t, nut_var_run_t, { file }) + +corenet_tcp_connect_ups_port(upsmon_t) + @@ -18184,10 +18278,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; + +# pid file -+manage_files_pattern(upsdrvctl_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t) -+manage_dirs_pattern(upsdrvctl_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t) -+manage_sock_files_pattern(upsdrvctl_t, upsdrvctl_var_run_t, upsdrvctl_var_run_t) -+files_pid_filetrans(upsdrvctl_t, upsdrvctl_var_run_t, { file sock_file }) ++manage_files_pattern(upsdrvctl_t, nut_var_run_t, nut_var_run_t) ++manage_dirs_pattern(upsdrvctl_t, nut_var_run_t, nut_var_run_t) ++manage_sock_files_pattern(upsdrvctl_t, nut_var_run_t, nut_var_run_t) ++files_pid_filetrans(upsdrvctl_t, nut_var_run_t, { file sock_file }) + +corecmd_exec_bin(upsdrvctl_t) + 
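Review bot: The upsmon hunk (`@@ -18148,11 +18244,9 @@`) drops `rw_sock_files_pattern(upsmon_t,upsd_var_run_t,upsd_var_run_t)` and the replacement rules on `nut_var_run_t` cover only `manage_files_pattern` and `manage_dirs_pattern`, so `upsmon_t` ends up with no sock_file access at all. Its remaining path to upsd is `corenet_tcp_connect_ups_port(upsmon_t)`, so this may be deliberate, but if upsmon does touch the local socket the result will be AVC denials logged against the permissive `upsmon_t` rather than a hard failure, which is easy to miss. If the socket access is still needed, `manage_sock_files_pattern(upsmon_t, nut_var_run_t, nut_var_run_t)` restores it; if not, a short comment noting that upsmon speaks to upsd over TCP only would stop a later reviewer from re-adding it.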
@@ -18204,7 +18298,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_send_syslog_msg(upsdrvctl_t) + +miscfiles_read_localization(upsdrvctl_t) -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.32/policy/modules/services/nx.fc --- nsaserefpolicy/policy/modules/services/nx.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-12-01 10:43:41.000000000 -0500 @@ -18344,6 +18437,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.32/policy/modules/services/oddjob.te +--- nsaserefpolicy/policy/modules/services/oddjob.te 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/oddjob.te 2009-12-02 14:53:05.000000000 -0500 +@@ -101,7 +101,5 @@ + # Add/remove user home directories + userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) + userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +-userdom_manage_user_home_content_files(oddjob_mkhomedir_t) +-userdom_manage_user_home_dirs(oddjob_mkhomedir_t) +-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set) ++userdom_manage_user_home_content(oddjob_mkhomedir_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2009-09-30 16:12:48.000000000 -0400 
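Review bot: The oddjob hunk (`@@ -18344,6 +18437,18 @@`) replaces three calls with `userdom_manage_user_home_content(oddjob_mkhomedir_t)`, whose definition is not in this hunk, and two of the removed calls are not obviously covered by a "home content" interface: `userdom_manage_user_home_dirs` (manage on `user_home_dir_t`, the home directory itself) and `userdom_user_home_dir_filetrans_user_home_content(..., notdevfile_class_set)` (the transition for objects created directly inside the new home directory). The userdomain.if hunk later in this patch treats `user_home_dir_t` and `user_home_type` as distinct, which suggests the attribute alone does not reach the directory type. Unless the replacement interface grants both, mkhomedir would either fail to create the home directory under /home or leave the files it creates there labelled `user_home_dir_t`; worth confirming against the interface body before merging.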
@@ -24164,7 +24269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2009-11-23 17:38:36.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/sssd.te 2009-12-02 09:09:33.000000000 -0500 @@ -16,6 +16,9 @@ type sssd_var_lib_t; files_type(sssd_var_lib_t) @@ -24184,7 +24289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sssd_t self:process { setsched signal getsched }; allow sssd_t self:fifo_file rw_file_perms; allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -33,16 +36,23 @@ +@@ -33,16 +36,24 @@ manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) @@ -24204,11 +24309,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(sssd_t) +domain_read_all_domains_state(sssd_t) ++domain_obj_id_change_exemption(sssd_t) + files_list_tmp(sssd_t) files_read_etc_files(sssd_t) files_read_usr_files(sssd_t) -@@ -58,6 +68,8 @@ +@@ -58,6 +69,8 @@ miscfiles_read_localization(sssd_t) 
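Review bot: `domain_obj_id_change_exemption(sssd_t)` is a constraint exemption (it adds the `can_change_object_identity` attribute), which lets sssd_t create or relabel objects whose SELinux user differs from its own; that is a much broader grant than the neighbouring `domain_read_all_domains_state` and the commit message does not mention sssd at all. A one-line comment naming the operation that was denied would let a later reviewer judge whether the exemption is still needed, e.g. `# constraint exemption: <denied operation> creates objects under another SELinux user`. If the need is narrow it may be worth checking whether a type-specific rule would do instead of the global exemption.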
@@ -31256,8 +31362,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2009-12-01 09:38:51.000000000 -0500 -@@ -43,6 +43,39 @@ ++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2009-12-01 18:03:08.000000000 -0500 +@@ -43,6 +43,36 @@ sysnet_domtrans_dhcpc($1) role $2 types dhcpc_t; @@ -31267,9 +31373,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + modutils_run_insmod(dhcpc_t, $2) + + optional_policy(` -+ consoletype_run(dhcpc_t, $2) -+ ') -+ optional_policy(` + hostname_run(dhcpc_t, $2) + ') + @@ -31297,7 +31400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -192,7 +225,25 @@ +@@ -192,7 +222,25 @@ type dhcpc_state_t; ') @@ -31324,7 +31427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -230,7 +281,8 @@ +@@ -230,7 +278,8 @@ ') files_search_etc($1) @@ -31334,7 +31437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -323,7 +375,8 @@ +@@ -323,7 +372,8 @@ type net_conf_t; ') @@ -31344,7 +31447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -464,6 +517,7 @@ +@@ -464,6 +514,7 @@ ') files_search_etc($1) 
@@ -31352,7 +31455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) ') -@@ -541,6 +595,7 @@ +@@ -541,6 +592,7 @@ type net_conf_t; ') @@ -31360,7 +31463,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -@@ -557,6 +612,14 @@ +@@ -557,6 +609,14 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; @@ -31375,7 +31478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -586,6 +649,8 @@ +@@ -586,6 +646,8 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; @@ -31384,7 +31487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -620,3 +685,49 @@ +@@ -620,3 +682,49 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; ') @@ -31436,7 +31539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2009-10-13 11:04:29.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2009-12-01 17:57:37.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -31512,6 +31615,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) +@@ -146,7 +157,7 @@ + ') + + optional_policy(` +- consoletype_domtrans(dhcpc_t) ++ consoletype_exec(dhcpc_t) + ') + + optional_policy(` 
@@ -183,25 +194,23 @@ ') @@ -32599,7 +32711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-01 07:56:40.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-02 14:02:00.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -34209,7 +34321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unpriv_userdomain $1:process sigchld; ') -@@ -2765,11 +3039,32 @@ +@@ -2765,11 +3039,33 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -34220,6 +34332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + files_list_home($1) + allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; ++ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; +') + +######################################## @@ -34244,7 +34357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3192,43 @@ +@@ -2897,7 +3193,43 @@ type user_tmp_t; ') @@ -34289,7 +34402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3265,7 @@ +@@ -2934,6 +3266,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -34297,7 +34410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3396,638 @@ +@@ -3064,3 +3397,656 @@ allow $1 userdomain:dbus send_msg; ') 
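Review bot: The sysnetwork.te hunk that starts on the previous line (`@@ -31512,6 +31615,15 @@`) swaps `consoletype_domtrans(dhcpc_t)` for `consoletype_exec(dhcpc_t)`, so consoletype now runs inside dhcpc_t and whatever access consoletype_t had for its own work (presumably inspecting the controlling terminal) must already exist in dhcpc_t's rules; the hunk adds none. If anything is missing it will surface as denials attributed to dhcpc_t rather than consoletype_t, which is harder to map back to this change. A comment on the new line would record the intent, e.g. `# consoletype runs in dhcpc_t (no transition); grant its tty access here if denied`. The matching `consoletype_run` removal in sysnetwork.if on the previous line is consistent with this.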
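Review bot: The `lnk_file read_lnk_file_perms` rule added to `userdom_search_user_home_content` (hunk `@@ -34220,6 +34332,7 @@`) turns a search-only interface into one that also reads symlinks on `user_home_dir_t` and every `user_home_type` type, for every existing caller of the interface. That is probably what traversing symlinked home content needs, but callers that only wanted directory search now silently get more, so the interface summary (outside the hunk) should state it, e.g. `## Search user home directories and read symlinks within their content.`. If some callers should not follow links, a separate interface would keep the old one narrow.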
@@ -34474,6 +34587,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## dontaudit Search getatrr /root files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dontaudit_getattr_admin_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:file getattr; ++') ++ ++######################################## ++## +## dontaudit list /root +## +##
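Review bot: The summary of the new `userdom_dontaudit_getattr_admin_home_files` interface reads `dontaudit Search getatrr /root files`, which misspells getattr and mentions search although the body only dontaudits `admin_home_t:file getattr`; a reader grepping interface docs for the search permission would be misled. Suggest `## Do not audit attempts to get the attributes of files in /root.` as the summary text. The rule itself is a sensible noise-reduction for domains that stat paths under /root without needing access.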