From 137e7a191b2efdf8f95899eb4b4ce05c4ef1bc61 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 19 2010 17:12:32 +0000 Subject: - Allow xdm_t to manage gnome homedir content - Allow s-c-firewall to read and write virtual memory sysctls - Fixes for logwatch policy --- diff --git a/policy-F13.patch b/policy-F13.patch index 546fbd4..3b8d36d 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -358,7 +358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.19/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/certwatch.te 2010-05-28 09:41:59.948610734 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/certwatch.te 2010-07-19 15:48:02.471151653 +0200 @@ -36,7 +36,7 @@ miscfiles_read_localization(certwatch_t) @@ -368,6 +368,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat optional_policy(` apache_exec_modules(certwatch_t) +@@ -48,6 +48,7 @@ + ') + + optional_policy(` ++ pcscd_domtrans(certwatch_t) + pcscd_stream_connect(certwatch_t) + pcscd_read_pub_files(certwatch_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.19/policy/modules/admin/consoletype.if --- nsaserefpolicy/policy/modules/admin/consoletype.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/admin/consoletype.if 2010-05-28 09:41:59.948610734 +0200 
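Review bot: `pcscd_domtrans(certwatch_t)` lets certwatch execute pcscd and transition into its domain, which goes well beyond the `pcscd_stream_connect(certwatch_t)` already in that optional block, and the hunk gives no reason for the wider grant. If the denial was only on the pcscd socket, the domtrans is not needed; if certwatch really has to start pcscd itself, a one-line comment in the style this commit uses elsewhere (`# bug 614698`, `# bug 616010`) would keep it reviewable, e.g. `# bug <id>: <why certwatch must start pcscd itself>`. The enclosing optional_policy block is complete inside the hunk, but the rest of certwatch.te lies outside it.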
@@ -584,7 +592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc +/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.19/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-06-28 16:07:02.334150320 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te 2010-07-19 17:21:32.409152009 +0200 @@ -20,6 +20,9 @@ type logwatch_tmp_t; files_tmp_file(logwatch_tmp_t) @@ -606,14 +614,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) -@@ -93,6 +100,7 @@ +@@ -93,8 +100,14 @@ sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) +userdom_dontaudit_list_admin_dir(logwatch_t) - mta_send_mail(logwatch_t) +-mta_send_mail(logwatch_t) ++# bug 614698 ++#mta_send_mail(logwatch_t) ++mta_base_mail_template(logwatch) ++mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) ++logging_read_all_logs(logwatch_mail_t) ++write_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t) + ifdef(`distro_redhat',` + files_search_all(logwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.19/policy/modules/admin/mcelog.te --- nsaserefpolicy/policy/modules/admin/mcelog.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/admin/mcelog.te 2010-05-28 09:41:59.952610471 +0200 
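Review bot: `logging_read_all_logs(logwatch_mail_t)` grants the new mail child domain read access to every log type on the system, which is much wider than a sendmail helper that only delivers logwatch's report should need; if the denial behind bug 614698 was on the report file itself, `read_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)` is the narrower rule. The `write_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)` line is also worth checking against the actual AVC, since a mailer is more likely to read the report than to write into logwatch's tmp files, and no read rule on logwatch_tmp_t is added. The commented-out `#mta_send_mail(logwatch_t)` can be dropped; the `# bug 614698` line above it already records why the call went away.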
@@ -987,7 +1003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.19/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-06-08 14:47:28.309627171 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-07-19 15:48:21.071151654 +0200 @@ -21,8 +21,21 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -1035,7 +1051,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink files_search_var_lib(prelink_t) # prelink misc objects that are not system -@@ -80,6 +96,7 @@ +@@ -64,6 +80,7 @@ + corecmd_read_bin_symlinks(prelink_t) + + dev_read_urand(prelink_t) ++dev_getattr_all_chr_files(prelink_t) + + files_list_all(prelink_t) + files_getattr_all_files(prelink_t) +@@ -80,6 +97,7 @@ selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) @@ -1043,7 +1067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink libs_manage_ld_so(prelink_t) libs_relabel_ld_so(prelink_t) libs_manage_shared_libs(prelink_t) -@@ -89,6 +106,8 @@ +@@ -89,6 +107,8 @@ miscfiles_read_localization(prelink_t) userdom_use_user_terminals(prelink_t) @@ -1052,7 +1076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink optional_policy(` amanda_manage_lib(prelink_t) -@@ -99,5 +118,59 @@ +@@ -99,5 +119,59 @@ ') optional_policy(` 
@@ -3086,8 +3110,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.19/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/firewallgui.te 2010-05-28 09:41:59.975610499 +0200 -@@ -0,0 +1,66 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/firewallgui.te 2010-07-19 13:22:45.974151339 +0200 +@@ -0,0 +1,67 @@ + +policy_module(firewallgui,1.0.0) + @@ -3127,6 +3151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall +kernel_read_network_state(firewallgui_t) +kernel_rw_net_sysctls(firewallgui_t) +kernel_rw_kernel_sysctl(firewallgui_t) ++kernel_rw_vm_sysctls(firewallgui_t) + +files_read_etc_files(firewallgui_t) +files_read_usr_files(firewallgui_t) @@ -6031,7 +6056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.19/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/podsleuth.te 2010-05-28 09:41:59.997610803 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/podsleuth.te 2010-07-19 16:31:06.162151600 +0200 @@ -50,6 +50,7 @@ fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) @@ -6040,7 +6065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut corecmd_exec_bin(podsleuth_t) -@@ -66,12 +67,14 @@ +@@ -66,12 +67,15 @@ fs_search_dos(podsleuth_t) fs_getattr_tmpfs(podsleuth_t) fs_list_tmpfs(podsleuth_t) 
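Review bot: `kernel_rw_vm_sysctls(firewallgui_t)` gives the system-config-firewall helper write access to the vm.* sysctl tree, and together with the neighbouring `kernel_rw_net_sysctls` and `kernel_rw_kernel_sysctl` lines the domain can now write three sysctl families without any of the three saying which setting it is for. If the tool only reads (a probe or a display of current values), `kernel_read_vm_sysctls(firewallgui_t)` is the narrower rule; if it genuinely writes, a one-line comment naming the key, e.g. `# s-c-firewall writes vm.<key> -- bug <id>`, would let the grant be re-evaluated later. The inner header count update (66 to 67 lines) matches the single added line.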
@@ -6051,6 +6076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut sysnet_dns_name_resolve(podsleuth_t) userdom_signal_unpriv_users(podsleuth_t) ++userdom_signull_unpriv_users(podsleuth_t) +userdom_read_user_tmpfs_files(podsleuth_t) optional_policy(` @@ -14052,7 +14078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.19/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/aisexec.te 2010-06-15 18:40:09.962020397 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/aisexec.te 2010-07-19 15:48:59.455151640 +0200 @@ -0,0 +1,114 @@ + +policy_module(aisexec,1.0.0) @@ -14093,7 +14119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +# aisexec local policy +# + -+allow aisexec_t self:capability { sys_nice sys_resource ipc_lock }; ++allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner }; +allow aisexec_t self:process { setrlimit setsched signal }; + +allow aisexec_t self:fifo_file rw_fifo_file_perms; 
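Review bot: The `ipc_owner` capability added to `allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner };` bypasses ownership checks on System V IPC objects the process did not create, a broader grant than the three capabilities it joins, and the hunk gives no reason for it. Please add a comment naming the AVC or bug that motivated it, in the `# bug <id>` style this commit uses elsewhere, and confirm the denial actually names the capability rather than a `shm`/`sem` class permission that could be granted more narrowly. aisexec.te is a new file in the patch, so the surrounding self rules lie outside this hunk.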
@@ -15223,6 +15249,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu mta_send_mail(apcupsd_t) mta_system_content(apcupsd_tmp_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.19/policy/modules/services/apm.te +--- nsaserefpolicy/policy/modules/services/apm.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apm.te 2010-07-19 15:49:29.576151384 +0200 +@@ -63,6 +63,7 @@ + dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; + allow apmd_t self:process { signal_perms getsession }; + allow apmd_t self:fifo_file rw_fifo_file_perms; ++allow apmd_t self:netlink_socket create_socket_perms; + allow apmd_t self:unix_dgram_socket create_socket_perms; + allow apmd_t self:unix_stream_socket create_stream_socket_perms; + +@@ -82,6 +83,7 @@ + kernel_read_system_state(apmd_t) + kernel_write_proc_files(apmd_t) + ++dev_read_input(apmd_t) + dev_read_realtime_clock(apmd_t) + dev_read_urand(apmd_t) + dev_rw_apm_bios(apmd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.19/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/arpwatch.te 2010-05-28 09:42:00.062610591 +0200 @@ -18585,7 +18630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.19/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cups.te 2010-06-01 16:38:46.796222623 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cups.te 2010-07-19 16:37:40.119151948 +0200 @@ -16,6 +16,7 @@ type cupsd_t; type cupsd_exec_t; 
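Review bot: `allow apmd_t self:netlink_socket create_socket_perms;` uses the generic netlink class, while the kernel reports most netlink families under a family-specific class (this same patch gives udev_t `netlink_kobject_uevent_socket`), so the rule may either not match the denial apmd hit or grant a broader socket than it opens. Check the object class in the AVC and use that class if it names a specific family. The second inner hunk's `dev_read_input(apmd_t)` also arrives without explanation; a short comment on which input device apmd reads would help the next reviewer.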
@@ -18854,6 +18899,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) +@@ -647,6 +701,8 @@ + files_read_etc_files(hplip_t) + files_read_etc_runtime_files(hplip_t) + files_read_usr_files(hplip_t) ++# bug 616010 ++files_dontaudit_write_usr_dirs(hplip_t) + + logging_send_syslog_msg(hplip_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.19/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/cvs.te 2010-05-28 09:42:00.093610497 +0200 @@ -20110,7 +20164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.19/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/exim.te 2010-05-28 09:42:00.107610683 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/exim.te 2010-07-19 15:49:47.256151555 +0200 @@ -36,6 +36,9 @@ application_executable_file(exim_exec_t) mta_agent_executable(exim_exec_t) @@ -20121,6 +20175,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim type exim_log_t; logging_log_file(exim_log_t) +@@ -185,6 +188,7 @@ + + optional_policy(` + procmail_domtrans(exim_t) ++ procmail_read_home_files(exim_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.19/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/fail2ban.if 2010-05-28 09:42:00.108611036 +0200 
@@ -20176,8 +20238,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.19/policy/modules/services/ftp.fc --- nsaserefpolicy/policy/modules/services/ftp.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ftp.fc 2010-05-28 09:42:00.109610829 +0200 -@@ -22,7 +22,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/ftp.fc 2010-07-19 17:37:44.247151964 +0200 +@@ -13,6 +13,8 @@ + + /usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) + ++/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) ++ + /usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) + /usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) + /usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) +@@ -22,7 +24,7 @@ # # /var # @@ -24140,7 +24211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.19/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/nis.fc 2010-05-28 09:42:00.136610568 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nis.fc 2010-07-19 15:50:18.905151763 +0200 @@ -1,4 +1,7 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) 
@@ -24150,7 +24221,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) -@@ -11,3 +14,8 @@ +@@ -8,6 +11,12 @@ + + /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) + /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) ++/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) @@ -27199,6 +27274,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.7.19/policy/modules/services/procmail.if +--- nsaserefpolicy/policy/modules/services/procmail.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/procmail.if 2010-07-19 15:50:57.889151415 +0200 +@@ -77,3 +77,22 @@ + files_search_tmp($1) + rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) + ') ++ ++######################################## ++## ++## Read procmail home directory content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`procmail_read_home_files',` ++ gen_require(` ++ type procmail_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, procmail_home_t, procmail_home_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.19/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/procmail.te 2010-05-28 09:42:00.161610790 +0200 
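Review bot: The documentation block above `interface(\`procmail_read_home_files',\`` shows only bare `##` lines around the summary and parameter text; the `<summary>` and `<param name="domain">` markup that refpolicy's interface documentation relies on is not visible. That may be an artefact of how this page was rendered, but if the patch really lacks the tags the interface will not be documented, so please confirm the block reads `## <summary>`, the summary text, `## </summary>`, followed by a `## <param name="domain">` element with the "Domain allowed access." text. The body itself, `userdom_search_user_home_dirs($1)` plus `read_files_pattern($1, procmail_home_t, procmail_home_t)`, is appropriately read-only for what exim needs.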
@@ -29777,7 +29878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-05-28 09:42:00.181610786 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-07-19 18:56:34.213260188 +0200 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -29820,6 +29921,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` pcscd_read_pub_files(samba_net_t) +@@ -222,7 +231,7 @@ + # + # smbd Local policy + # +-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; ++allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource kill lease dac_override dac_read_search }; + dontaudit smbd_t self:capability sys_tty_config; + allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow smbd_t self:process setrlimit; @@ -275,6 +284,8 @@ allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; @@ -31684,7 +31794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # Relabel and access ptys created by sshd diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.19/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/sssd.te 2010-05-28 09:42:00.195610901 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/sssd.te 2010-07-19 17:18:16.871150898 +0200 
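Review bot: Adding `kill` to the smbd_t capability set lets smbd deliver signals to processes it does not own, and the hunk does not say which process smbd needs to signal. Please record the bug or AVC in a comment, as `# bug 616010` does for hplip in this commit, and check whether the denial is really on the capability or on a `process signal` permission toward a specific domain, which would be the narrower grant. The rest of the smbd local policy lies outside this inner hunk.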
@@ -32,6 +32,7 @@ allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; @@ -31693,7 +31803,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) -@@ -81,6 +82,8 @@ +@@ -50,6 +51,7 @@ + files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) + + kernel_read_system_state(sssd_t) ++kernel_read_network_state(sssd_t) + + corecmd_exec_bin(sssd_t) + +@@ -81,6 +83,8 @@ miscfiles_read_localization(sssd_t) @@ -31715,11 +31833,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.7.19/policy/modules/services/tftp.if --- nsaserefpolicy/policy/modules/services/tftp.if 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/tftp.if 2010-06-16 22:52:47.839870308 +0200 -@@ -20,6 +20,25 @@ ++++ serefpolicy-3.7.19/policy/modules/services/tftp.if 2010-07-19 15:51:20.642151520 +0200 +@@ -16,6 +16,26 @@ + ') - ######################################## - ## + read_files_pattern($1, tftpdir_t, tftpdir_t) ++ read_lnk_files_pattern($1, tftpdir_t, tftpdir_t) ++') ++ ++######################################## ++## +## Search tftp /var/lib directories. +## +## 
@@ -31735,13 +31858,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp + + search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + files_search_var_lib($1) -+') -+ -+######################################## -+## - ## Manage tftp /var/lib files. - ## - ## + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.19/policy/modules/services/tgtd.te --- nsaserefpolicy/policy/modules/services/tgtd.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/tgtd.te 2010-05-28 09:42:00.195610901 +0200 @@ -33099,7 +33218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-07-14 14:41:48.517158641 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-07-19 13:20:20.524151390 +0200 @@ -1,5 +1,5 @@ -policy_module(xserver, 3.3.2) @@ -33653,7 +33772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +695,50 @@ +@@ -520,12 +695,51 @@ ') optional_policy(` @@ -33695,6 +33814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` ++ gnome_manage_config(xdm_t) + gnome_manage_gconf_home_files(xdm_t) + gnome_read_config(xdm_t) + gnome_read_gconf_config(xdm_t) @@ -33704,7 +33824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,20 +756,63 @@ +@@ -543,20 +757,63 @@ ') optional_policy(` 
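Review bot: `gnome_manage_config(xdm_t)` lets the display manager create, write and delete GNOME configuration inside users' home directories, a write path from a root-run domain into user-owned content, and the line that follows it, `gnome_read_config(xdm_t)`, is presumably subsumed by it and could be dropped. The commit title states the intent but not the trigger; a comment naming the bug or the file xdm writes, e.g. `# bug <id>: xdm writes <path under the user's gnome config>`, would let the grant be re-evaluated later. The enclosing optional_policy block starts inside the hunk, but the rest of the xdm_t policy lies outside it.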
@@ -33770,7 +33890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +821,6 @@ +@@ -565,7 +822,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -33778,7 +33898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +831,10 @@ +@@ -576,6 +832,10 @@ ') optional_policy(` @@ -33789,7 +33909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +859,9 @@ +@@ -600,10 +860,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -33801,7 +33921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +873,18 @@ +@@ -615,6 +874,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -33820,7 +33940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +904,19 @@ +@@ -634,12 +905,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -33842,7 +33962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +950,6 @@ +@@ -673,7 +951,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -33850,7 +33970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +959,12 @@ +@@ -683,9 +960,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -33864,7 +33984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +979,13 @@ +@@ -700,8 +980,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -33878,7 +33998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +1007,14 @@ +@@ -723,11 +1008,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -33893,7 +34013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1066,28 @@ +@@ -779,12 +1067,28 @@ ') optional_policy(` @@ -33923,7 +34043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1114,7 @@ +@@ -811,7 +1115,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -33932,7 +34052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1135,14 @@ +@@ -832,9 +1136,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -33947,7 +34067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1157,14 @@ +@@ -849,11 +1158,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -33964,7 +34084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1310,33 @@ +@@ -999,3 +1311,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -38503,7 +38623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.19/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/udev.te 2010-05-28 09:42:00.521610641 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/udev.te 2010-07-19 15:51:48.410151770 +0200 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -38512,7 +38632,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -211,6 +212,10 @@ +@@ -111,6 +112,7 @@ + files_dontaudit_search_isid_type_dirs(udev_t) + files_getattr_generic_locks(udev_t) + files_search_mnt(udev_t) ++files_list_tmp(udev_t) + + fs_getattr_all_fs(udev_t) + fs_list_inotifyfs(udev_t) +@@ -211,6 +213,10 @@ ') optional_policy(` @@ -38523,7 +38651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t consoletype_exec(udev_t) ') -@@ -254,6 +259,10 @@ +@@ -254,6 +260,10 @@ ') optional_policy(` 
@@ -38534,7 +38662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -268,6 +277,10 @@ +@@ -268,6 +278,10 @@ ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 5c60cd1..3e7e911 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 37%{?dist} +Release: 38%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,11 @@ exit 0 %endif %changelog +* Mon Jul 19 2010 Miroslav Grepl 3.7.19-38 +- Allow xdm_t to manage gnome homedir content +- Allow s-c-firewall to read and write virtual memory sysctls +- Fixes for logwatch policy + * Wed Jul 14 2010 Miroslav Grepl 3.7.19-37 - Redefine hi_reserved_port_t to include ports from 512 to 599 - Add label for /sbin/sushell