From 14f4c11b823ee8bbfc9fbf562da568e452845c74 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jan 19 2011 19:28:50 +0000
Subject: - Fixes for newrole_t domain related to namespace.init - Add puppetmaster_uses_db boolean - Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on - sandbox fixes - Add sepgsql fixes from KaiGai Kohei
---
diff --git a/policy-F13.patch b/policy-F13.patch
index cbd7ab5..ebd6186 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1,12 +1,144 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/sepgsql_contexts serefpolicy-3.7.19/config/appconfig-mcs/sepgsql_contexts +--- nsaserefpolicy/config/appconfig-mcs/sepgsql_contexts 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/config/appconfig-mcs/sepgsql_contexts 2011-01-19 19:02:35.494057572 +0100 +@@ -0,0 +1,40 @@ ++# ++# Initial security label for SE-PostgreSQL (MCS) ++# ++ ++# ++db_database * system_u:object_r:sepgsql_db_t:s0 ++ ++# ++db_schema *.* system_u:object_r:sepgsql_schema_t:s0 ++ ++# ++db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 ++db_table *.*.* system_u:object_r:sepgsql_table_t:s0 ++ ++# ++db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0 ++db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0 ++ ++# ++db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0 ++ ++# ++db_view *.*.* system_u:object_r:sepgsql_view_t:s0 ++ ++# ++db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0 ++ ++# ++db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 ++db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0 ++ ++# ++db_blobs *.* system_u:object_r:sepgsql_blob_t:s0 ++ ++# ++db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0 ++db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0 ++db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0 ++db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0 ++db_language *.* system_u:object_r:sepgsql_lang_t:s0 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/sepgsql_contexts serefpolicy-3.7.19/config/appconfig-mls/sepgsql_contexts +--- nsaserefpolicy/config/appconfig-mls/sepgsql_contexts 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/config/appconfig-mls/sepgsql_contexts 2011-01-19 19:02:35.494057572 +0100 +@@ -0,0 +1,40 @@ ++# ++# Initial security label for SE-PostgreSQL (MLS) ++# ++ ++# ++db_database * system_u:object_r:sepgsql_db_t:s0 ++ ++# ++db_schema *.* 
system_u:object_r:sepgsql_schema_t:s0 ++ ++# ++db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 ++db_table *.*.* system_u:object_r:sepgsql_table_t:s0 ++ ++# ++db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0 ++db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0 ++ ++# ++db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0 ++ ++# ++db_view *.*.* system_u:object_r:sepgsql_view_t:s0 ++ ++# ++db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0 ++ ++# ++db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 ++db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0 ++ ++# ++db_blobs *.* system_u:object_r:sepgsql_blob_t:s0 ++ ++# ++db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0 ++db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0 ++db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0 ++db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0 ++db_language *.* system_u:object_r:sepgsql_lang_t:s0 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/sepgsql_contexts serefpolicy-3.7.19/config/appconfig-standard/sepgsql_contexts +--- nsaserefpolicy/config/appconfig-standard/sepgsql_contexts 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.7.19/config/appconfig-standard/sepgsql_contexts 2011-01-19 19:02:35.495292665 +0100 +@@ -0,0 +1,40 @@ ++# ++# Initial security label for SE-PostgreSQL (none-MLS) ++# ++ ++# ++db_database * system_u:object_r:sepgsql_db_t ++ ++# ++db_schema *.* system_u:object_r:sepgsql_schema_t ++ ++# ++db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t ++db_table *.*.* system_u:object_r:sepgsql_table_t ++ ++# ++db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t ++db_column *.*.*.* system_u:object_r:sepgsql_table_t ++ ++# ++db_sequence *.*.* system_u:object_r:sepgsql_seq_t ++ ++# ++db_view *.*.* system_u:object_r:sepgsql_view_t ++ ++# ++db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t ++ ++# ++db_tuple *.pg_catalog.* 
system_u:object_r:sepgsql_sysobj_t ++db_tuple *.*.* system_u:object_r:sepgsql_table_t ++ ++# ++db_blobs *.* system_u:object_r:sepgsql_blob_t ++ ++# ++db_language *.sql system_u:object_r:sepgsql_safe_lang_t ++db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t ++db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t ++db_language *.plperl system_u:object_r:sepgsql_safe_lang_t ++db_language *.* system_u:object_r:sepgsql_lang_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.19/Makefile --- nsaserefpolicy/Makefile 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/Makefile 2010-05-28 09:41:59.942610848 +0200 ++++ serefpolicy-3.7.19/Makefile 2011-01-19 19:02:35.498308180 +0100 @@ -244,7 +244,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) -+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names) ++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names) net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) 
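Review bot: The three new sepgsql_contexts files depend on entry order — `db_table *.pg_catalog.*`, `db_column *.pg_catalog.*.*`, `db_tuple *.pg_catalog.*` and the four named `db_language` entries only take effect because they precede the `*.*.*`/`*.*` catch-alls (libselinux's db label backend returns the first matching entry, as far as I recall) — yet the files record this nowhere; the `#` lines above each section are empty. I would put `# Order matters: the first matching entry wins, so keep pg_catalog and named-language entries ahead of the wildcards` in place of the empty `#` before the db_table section, in all three copies. The mcs, mls and standard copies differ only by the `:s0` suffix, so a one-line pointer at the top of each file naming the other two would reduce the chance of a later edit landing in only one of them. The Makefile hunk adds sepgsql_contexts to appfiles, so whichever copy matches the build TYPE is installed and all three are live.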
@@ -31,6 +163,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere
 .SH BOOLEANS
 .PP
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.7.19/policy/flask/access_vectors
+--- nsaserefpolicy/policy/flask/access_vectors 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/flask/access_vectors 2011-01-19 19:02:35.500042367 +0100
+@@ -816,3 +816,32 @@
+
+ class x_keyboard
+ inherits x_device
++
++class db_schema
++inherits database
++{
++ search
++ add_name
++ remove_name
++}
++
++class db_view
++inherits database
++{
++ expand
++}
++
++class db_sequence
++inherits database
++{
++ get_value
++ next_value
++ set_value
++}
++
++class db_language
++inherits database
++{
++ implement
++ execute
++}
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/security_classes serefpolicy-3.7.19/policy/flask/security_classes
+--- nsaserefpolicy/policy/flask/security_classes 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/flask/security_classes 2011-01-19 19:02:35.501042440 +0100
+@@ -125,4 +125,10 @@
+ class x_pointer # userspace
+ class x_keyboard # userspace
+
++# More Database stuff
++class db_schema # userspace
++class db_view # userspace
++class db_sequence # userspace
++class db_language # userspace
++
+ # FLASK
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.19/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables 2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/global_tunables 2011-01-18 18:06:48.149053065 +0100
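Review bot: `implement` on the new db_language class is the one new access vector that no mlsconstrain added by this commit mentions — policy/mcs constrains db_language `{ drop getattr setattr relabelfrom execute }` and policy/mls `{ getattr execute }` and `{ create drop setattr relabelfrom }` — so once type enforcement allows it, an implement check passes regardless of the subject's and the language's levels. If that is intentional, a comment next to the vector such as `implement # deliberately not level-constrained, see policy/mls` would stop the next reviewer from re-raising it; otherwise it belongs beside `execute` in the read constraints. The four new classes also carry no comment on what their vectors mean, and since the mls/mcs constraints are written per vector, a one-line note per class — for db_schema something like `# search: resolve names in the schema; add_name/remove_name: create or drop objects inside it` — would help whoever maintains those constraints (the meanings are inferred from the names here; confirm against the SE-PostgreSQL side).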
@@ -85,7 +267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.19/policy/mcs
 --- nsaserefpolicy/policy/mcs 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/mcs 2010-09-23 12:57:46.199386949 +0200
++++ serefpolicy-3.7.19/policy/mcs 2011-01-19 19:02:35.502042304 +0100
 @@ -86,10 +86,10 @@
 (( h1 dom h2 ) and ( l2 eq h2 ));
@@ -99,7 +281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
 (( h1 dom h2 ) and ( l2 eq h2 ));
 mlsconstrain process { transition dyntransition }
-@@ -101,6 +101,9 @@
+@@ -101,13 +101,16 @@
 mlsconstrain process { sigkill sigstop }
 (( h1 dom h2 ) or ( t1 == mcskillall ));
@@ -109,9 +291,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
 #
 # MCS policy for SELinux-enabled databases
 #
+
+ # Any database object must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+-mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
++mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+ mlsconstrain { db_tuple } { insert relabelto }
+@@ -117,6 +120,9 @@
+ mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
+ ( h1 dom h2 );
+
++mlsconstrain db_language { drop getattr setattr relabelfrom execute }
++ ( h1 dom h2 );
++
+ mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
+ ( h1 dom h2 );
+
+@@ -126,9 +132,18 @@
+ mlsconstrain db_tuple { relabelfrom select update delete use }
+ ( h1 dom h2 );
+
+-mlsconstrain db_procedure { drop getattr setattr execute install }
++mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
++ ( h1 dom h2 );
++
++mlsconstrain db_view { drop getattr setattr relabelfrom expand }
++ ( h1 dom h2 );
++
++mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
+ ( h1 dom h2 );
+
++mlsconstrain db_language { drop getattr setattr relabelfrom execute }
++ ( h1 dom h2 );
++
+ mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
+ ( h1 dom h2 );
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.19/policy/mls
 --- nsaserefpolicy/policy/mls 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/mls 2010-05-28 09:41:59.943612109 +0200
++++ serefpolicy-3.7.19/policy/mls 2011-01-19 19:02:35.504042381 +0100
@@ -208,12 +208,14 @@
 (( l1 eq l2 ) or
 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
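Review bot: policy/mcs gains `( h1 dom h2 )` constraints for db_sequence, db_view and db_language but none for db_schema — its only new coverage is the `{ create relabelto }` line — so under MCS `getattr search add_name remove_name` on a schema are never category-checked, while policy/mls in this same commit does constrain them. Unless a db_schema rule is added somewhere not shown here, add `mlsconstrain db_schema { drop getattr setattr relabelfrom search add_name remove_name } ( h1 dom h2 );` beside the db_database rule. The db_language constraint is also inserted twice in this hunk (after db_database in the `@@ -117` inner hunk and again after db_procedure in `@@ -126`); every constraint on a class must hold, so the duplicate is redundant rather than harmful, but one copy should go.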
@@ -127,6 +347,124 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.1 ( t1 == mlsnetwrite )); # these access vectors have no MLS restrictions +@@ -725,13 +727,13 @@ + # + + # make sure these database classes are "single level" +-mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto } ++mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } + ( l2 eq h2 ); + mlsconstrain { db_tuple } { insert relabelto } + ( l2 eq h2 ); + + # new database labels must be dominated by the relabeling subjects clearance +-mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto } ++mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto } + ( h1 dom h2 ); + + # the database "read" ops (note the check is dominance of the low level) +@@ -741,6 +743,12 @@ + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + ++mlsconstrain { db_schema } { getattr search } ++ (( l1 dom l2 ) or ++ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or ++ ( t1 == mlsdbread ) or ++ ( t2 == mlstrustedobject )); ++ + mlsconstrain { db_table } { getattr use select lock } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or +@@ -753,12 +761,30 @@ + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + ++mlsconstrain { db_sequence } { getattr get_value next_value } ++ (( l1 dom l2 ) or ++ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or ++ ( t1 == mlsdbread ) or ++ ( t2 == mlstrustedobject )); ++ ++mlsconstrain { db_view } { getattr expand } ++ (( l1 dom l2 ) or ++ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or ++ ( t1 == mlsdbread ) or ++ ( t2 == mlstrustedobject )); ++ + mlsconstrain { db_procedure } { getattr execute install } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject 
)); + ++mlsconstrain { db_language } { getattr execute } ++ (( l1 dom l2 ) or ++ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or ++ ( t1 == mlsdbread ) or ++ ( t2 == mlstrustedobject )); ++ + mlsconstrain { db_blob } { getattr read export } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or +@@ -779,6 +805,13 @@ + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + ++mlsconstrain { db_schema } { create drop setattr relabelfrom add_name remove_name } ++ (( l1 eq l2 ) or ++ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ++ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or ++ ( t1 == mlsdbwrite ) or ++ ( t2 == mlstrustedobject )); ++ + mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or +@@ -793,6 +826,20 @@ + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + ++mlsconstrain { db_sequence } { create drop setattr relabelfrom set_value } ++ (( l1 eq l2 ) or ++ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ++ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or ++ ( t1 == mlsdbwrite ) or ++ ( t2 == mlstrustedobject )); ++ ++mlsconstrain { db_view } { create drop setattr relabelfrom } ++ (( l1 eq l2 ) or ++ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ++ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or ++ ( t1 == mlsdbwrite ) or ++ ( t2 == mlstrustedobject )); ++ + mlsconstrain { db_procedure } { create drop setattr relabelfrom } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or +@@ -800,6 +847,13 @@ + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + ++mlsconstrain { db_language } { create drop setattr relabelfrom } ++ (( l1 eq l2 ) or ++ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ++ (( t2 == mlsdbwriteinrange ) and ( l1 
dom l2 ) and ( h1 domby h2 )) or ++ ( t1 == mlsdbwrite ) or ++ ( t2 == mlstrustedobject )); ++ + mlsconstrain { db_blob } { create drop setattr relabelfrom write import } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or +@@ -815,7 +869,7 @@ + ( t2 == mlstrustedobject )); + + # the database upgrade/downgrade rule +-mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob } ++mlsvalidatetrans { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } + ((( l1 eq l2 ) or + (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or + (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.fc serefpolicy-3.7.19/policy/modules/admin/accountsd.fc --- nsaserefpolicy/policy/modules/admin/accountsd.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.7.19/policy/modules/admin/accountsd.fc 2010-05-28 09:41:59.944611136 +0200 @@ -12112,7 +12450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2011-01-18 18:03:04.576041170 +0100 ++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2011-01-19 19:02:35.507042391 +0100 @@ -534,6 +534,37 @@ ######################################## 
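Review bot: In policy/mls, `next_value` is put in the db_sequence read constraint `{ getattr get_value next_value }` (satisfied when the subject's low level dominates the object's), but advancing a sequence changes its state, so a higher-level subject can call it on a lower-level sequence and a lower-level reader can observe the change through `get_value` — a write-down through the sequence counter. Unless SE-PostgreSQL deliberately treats nextval as non-mutating for labeling purposes, I would move it to the write rule, `mlsconstrain { db_sequence } { create drop setattr relabelfrom set_value next_value }`, and drop it from the read line; the same reasoning is why `set_value` already sits on the write side. The mlsvalidatetrans expression this hunk extends continues past the end of the hunk.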
@@ -12235,7 +12573,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
 ########################################
 ##
 ## Do not audit attempts by caller to get attributes for
-@@ -2792,6 +2877,24 @@
+@@ -2775,16 +2860,24 @@
+ gen_require(`
+ type unlabeled_t;
+ class db_database { setattr relabelfrom };
++ class db_schema { setattr relabelfrom };
+ class db_table { setattr relabelfrom };
++ class db_sequence { setattr relabelfrom };
++ class db_view { setattr relabelfrom };
+ class db_procedure { setattr relabelfrom };
++ class db_language { setattr relabelfrom };
+ class db_column { setattr relabelfrom };
+ class db_tuple { update relabelfrom };
+ class db_blob { setattr relabelfrom };
+ ')
+
+ allow $1 unlabeled_t:db_database { setattr relabelfrom };
++ allow $1 unlabeled_t:db_schema { setattr relabelfrom };
+ allow $1 unlabeled_t:db_table { setattr relabelfrom };
++ allow $1 unlabeled_t:db_sequence { setattr relabelfrom };
++ allow $1 unlabeled_t:db_view { setattr relabelfrom };
+ allow $1 unlabeled_t:db_procedure { setattr relabelfrom };
++ allow $1 unlabeled_t:db_language { setattr relabelfrom };
+ allow $1 unlabeled_t:db_column { setattr relabelfrom };
+ allow $1 unlabeled_t:db_tuple { update relabelfrom };
+ allow $1 unlabeled_t:db_blob { setattr relabelfrom };
+@@ -2792,6 +2885,24 @@
 ########################################
 ##
@@ -12260,7 +12623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
 ## Unconfined access to kernel module resources.
 ##
 ##
-@@ -2807,3 +2910,23 @@
+@@ -2807,3 +2918,23 @@
 typeattribute $1 kern_unconfined;
 ')
@@ -12913,7 +13276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-08-13 09:46:40.562085238 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-01-19 18:18:43.216042333 +0100 @@ -28,17 +28,29 @@ corecmd_exec_shell(sysadm_t) @@ -12963,19 +13326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -86,9 +101,11 @@ - auditadm_role_change(sysadm_r) - ') - -+ifndef(`distro_redhat',` - optional_policy(` - auth_role(sysadm_r, sysadm_t) - ') -+') - - optional_policy(` - backup_run(sysadm_t, sysadm_r) -@@ -98,17 +115,25 @@ +@@ -98,17 +113,25 @@ bind_run_ndc(sysadm_t, sysadm_r) ') @@ -13001,7 +13352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` certwatch_run(sysadm_t, sysadm_r) -@@ -126,16 +151,18 @@ +@@ -126,16 +149,18 @@ consoletype_run(sysadm_t, sysadm_r) ') @@ -13022,7 +13373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -165,9 +192,11 @@ +@@ -165,9 +190,11 @@ ethereal_run_tethereal(sysadm_t, sysadm_r) ') @@ -13034,7 +13385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` firstboot_run(sysadm_t, sysadm_r) -@@ -177,6 +206,7 @@ +@@ -177,6 +204,7 @@ fstools_run(sysadm_t, sysadm_r) ') @@ -13042,7 +13393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` games_role(sysadm_r, sysadm_t) ') -@@ -192,6 +222,7 @@ +@@ -192,6 +220,7 @@ optional_policy(` gpg_role(sysadm_r, sysadm_t) ') 
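Review bot: The `@@ -12963,19 +13326,7 @@` hunk on this line deletes from the F13 patch the inner hunk that wrapped `auth_role(sysadm_r, sysadm_t)` in sysadm.te in an ifndef(distro_redhat) block, so on Red Hat builds sysadm_r now receives whatever auth_role grants (the interface body is not shown here); the commit message, which lists only newrole_t, puppetmaster, oracle ports, sandbox and sepgsql, does not mention this widening. If it is intended, the message or a comment in the patch should say why the exclusion is no longer needed; if it is a side effect of regenerating the patch, the wrapper needs to come back. The other hunks on this line only renumber inner hunk headers.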
@@ -13050,7 +13401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` hostname_run(sysadm_t, sysadm_r) -@@ -205,6 +236,13 @@ +@@ -205,6 +234,13 @@ ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -13064,7 +13415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -212,12 +250,18 @@ +@@ -212,12 +248,18 @@ ') optional_policy(` @@ -13083,7 +13434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` kudzu_run(sysadm_t, sysadm_r) -@@ -227,9 +271,11 @@ +@@ -227,9 +269,11 @@ libs_run_ldconfig(sysadm_t, sysadm_r) ') @@ -13095,7 +13446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` logrotate_run(sysadm_t, sysadm_r) -@@ -252,8 +298,10 @@ +@@ -252,8 +296,10 @@ optional_policy(` mount_run(sysadm_t, sysadm_r) @@ -13106,7 +13457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mozilla_role(sysadm_r, sysadm_t) ') -@@ -261,6 +309,7 @@ +@@ -261,6 +307,7 @@ optional_policy(` mplayer_role(sysadm_r, sysadm_t) ') @@ -13114,7 +13465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mta_role(sysadm_r, sysadm_t) -@@ -275,6 +324,10 @@ +@@ -275,6 +322,10 @@ ') optional_policy(` @@ -13125,7 +13476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. netutils_run(sysadm_t, sysadm_r) netutils_run_ping(sysadm_t, sysadm_r) netutils_run_traceroute(sysadm_t, sysadm_r) -@@ -308,8 +361,14 @@ +@@ -308,8 +359,14 @@ ') optional_policy(` @@ -13140,7 +13491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` quota_run(sysadm_t, sysadm_r) -@@ -319,9 +378,11 @@ +@@ -319,9 +376,11 @@ raid_domtrans_mdadm(sysadm_t) ') 
@@ -13152,7 +13503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rpc_domtrans_nfsd(sysadm_t) -@@ -331,9 +392,11 @@ +@@ -331,9 +390,11 @@ rpm_run(sysadm_t, sysadm_r) ') @@ -13164,7 +13515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rsync_exec(sysadm_t) -@@ -358,8 +421,14 @@ +@@ -358,8 +419,14 @@ ') optional_policy(` @@ -13179,7 +13530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) -@@ -382,9 +451,11 @@ +@@ -382,9 +449,11 @@ sysnet_run_dhcpc(sysadm_t, sysadm_r) ') @@ -13191,7 +13542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) -@@ -393,17 +464,21 @@ +@@ -393,17 +462,21 @@ tripwire_run_twprint(sysadm_t, sysadm_r) ') @@ -13213,7 +13564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` unconfined_domtrans(sysadm_t) -@@ -417,9 +492,11 @@ +@@ -417,9 +490,11 @@ usbmodules_run(sysadm_t, sysadm_r) ') @@ -13225,7 +13576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) -@@ -427,9 +504,15 @@ +@@ -427,9 +502,15 @@ usermanage_run_useradd(sysadm_t, sysadm_r) ') @@ -13241,7 +13592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` vpn_run(sysadm_t, sysadm_r) -@@ -440,13 +523,30 @@ +@@ -440,13 +521,30 @@ ') optional_policy(` 
@@ -18891,6 +19242,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
 optional_policy(`
 gpsd_rw_shm(chronyd_t)
 ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.7.19/policy/modules/services/clamav.fc
+--- nsaserefpolicy/policy/modules/services/clamav.fc 2010-04-13 20:44:36.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clamav.fc 2011-01-19 17:06:42.240041373 +0100
+@@ -10,6 +10,7 @@
+
+ /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
++/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0)
+ /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+ /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.7.19/policy/modules/services/clamav.if
 --- nsaserefpolicy/policy/modules/services/clamav.if 2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/services/clamav.if 2010-10-18 15:38:09.251650866 +0200
@@ -19434,7 +19796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.19/policy/modules/services/cobbler.if
 --- nsaserefpolicy/policy/modules/services/cobbler.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-12-01 13:47:12.420292540 +0100
++++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2011-01-19 17:25:53.443041687 +0100
 @@ -1,12 +1,12 @@
 ## Cobbler installation server.
 ##
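Review bot: `/var/lib/clamd.*` in clamav.fc is a regular expression, so the unescaped dot makes it label `/var/lib/clamd` followed by anything — `/var/lib/clamd-foo`, `/var/lib/clamdaemon/...` — not only `/var/lib/clamd.<name>`; the pre-existing `/var/log/clamd.*` has the same looseness, so this may be deliberate house style. If only the dotted names are meant, `/var/lib/clamd\..*` is the precise form. Either way the commit message does not mention clamav, so a word on which path this entry is for would help the next reader of the fc file.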
@@ -19503,7 +19865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 ')
 - read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
-+ list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
 files_search_etc($1)
 ')
@@ -30853,7 +31215,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-10-13 09:17:37.947649885 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2011-01-19 11:28:09.917041062 +0100
+@@ -35,7 +35,7 @@
+ role system_r types postfix_$1_t;
+
+ dontaudit postfix_$1_t self:capability sys_tty_config;
+- allow postfix_$1_t self:process { signal_perms setpgid };
++ allow postfix_$1_t self:process { signal_perms setpgid setsched };
+ allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
+ allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
+ allow postfix_$1_t self:unix_stream_socket connectto;
 @@ -46,6 +46,7 @@
 allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
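Review bot: `setsched` is added to `allow postfix_$1_t self:process { signal_perms setpgid setsched }` inside the postfix domain template, so every postfix_*_t domain instantiated from it gains the right to change its own scheduling, not only the daemon that presumably hit the denial. It is a self-only permission and low risk, but the commit message says nothing about postfix, so the reason is lost; either grant it in postfix.te to the one domain that needs it, or keep it here with a comment naming that daemon. The template body continues outside the hunk.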
@@ -31688,8 +32059,241 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.19/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/postgresql.if 2010-09-16 15:28:46.998386775 +0200 -@@ -312,10 +312,8 @@ ++++ serefpolicy-3.7.19/policy/modules/services/postgresql.if 2011-01-19 19:02:35.510042541 +0100 +@@ -10,7 +10,7 @@ + ## + ## + ## +-## ++## + ## The type of the user domain. + ## + ## +@@ -18,18 +18,24 @@ + interface(`postgresql_role',` + gen_require(` + class db_database all_db_database_perms; ++ class db_schema all_db_schema_perms; + class db_table all_db_table_perms; ++ class db_sequence all_db_sequence_perms; ++ class db_view all_db_view_perms; + class db_procedure all_db_procedure_perms; ++ class db_language all_db_language_perms; + class db_column all_db_column_perms; + class db_tuple all_db_tuple_perms; + class db_blob all_db_blob_perms; + + attribute sepgsql_client_type, sepgsql_database_type; +- attribute sepgsql_sysobj_table_type; ++ attribute sepgsql_schema_type, sepgsql_sysobj_table_type; + + type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; + type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; ++ type user_sepgsql_schema_t, user_sepgsql_seq_t; + type user_sepgsql_sysobj_t, user_sepgsql_table_t; ++ type user_sepgsql_view_t; + ') + + ######################################## +@@ -45,30 +51,44 @@ + # Client local policy + # + +- tunable_policy(`sepgsql_enable_users_ddl',` +- allow $2 user_sepgsql_table_t:db_table { create drop setattr }; +- allow $2 user_sepgsql_table_t:db_column { create drop setattr }; + +- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; +- allow $2 
user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; +- ') ++ allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; ++ type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; + + allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; + allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; + allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; +- type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; ++ type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; # deprecated ++ type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t; + + allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; + type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; + ++ allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value }; ++ type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t; ++ ++ allow $2 user_sepgsql_view_t:db_view { getattr expand }; ++ type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t; ++ + allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; +- type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; ++ type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; # deprecated ++ type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; + + allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; + type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t; + + allow $2 sepgsql_trusted_proc_t:process transition; + type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; ++ ++ tunable_policy(`sepgsql_enable_users_ddl',` ++ allow $2 user_sepgsql_schema_t:db_schema { create drop setattr }; ++ allow $2 user_sepgsql_table_t:db_table { create drop setattr }; ++ allow $2 
user_sepgsql_table_t:db_column { create drop setattr }; ++ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; ++ allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; ++ allow $2 user_sepgsql_view_t:db_view { create drop setattr }; ++ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; ++ ') + ') + + ######################################## +@@ -109,6 +129,24 @@ + + ######################################## + ## ++## Marks as a SE-PostgreSQL schema object type ++## ++## ++## ++## Type marked as a schema object type. ++## ++## ++# ++interface(`postgresql_schema_object',` ++ gen_require(` ++ attribute sepgsql_schema_type; ++ ') ++ ++ typeattribute $1 sepgsql_schema_type; ++') ++ ++######################################## ++## + ## Marks as a SE-PostgreSQL table/column/tuple object type + ## + ## +@@ -146,6 +184,42 @@ + + ######################################## + ## ++## Marks as a SE-PostgreSQL sequence type ++## ++## ++## ++## Type marked as a sequence type. ++## ++## ++# ++interface(`postgresql_sequence_object',` ++ gen_require(` ++ attribute sepgsql_sequence_type; ++ ') ++ ++ typeattribute $1 sepgsql_sequence_type; ++') ++ ++######################################## ++## ++## Marks as a SE-PostgreSQL view object type ++## ++## ++## ++## Type marked as a view object type. ++## ++## ++# ++interface(`postgresql_view_object',` ++ gen_require(` ++ attribute sepgsql_view_type; ++ ') ++ ++ typeattribute $1 sepgsql_view_type; ++') ++ ++######################################## ++## + ## Marks as a SE-PostgreSQL procedure object type + ## + ## +@@ -164,6 +238,24 @@ + + ######################################## + ## ++## Marks as a SE-PostgreSQL procedural language object type ++## ++## ++## ++## Type marked as a procedural language object type. 
++## ++## ++# ++interface(`postgresql_language_object',` ++ gen_require(` ++ attribute sepgsql_language_type; ++ ') ++ ++ typeattribute $1 sepgsql_language_type; ++') ++ ++######################################## ++## + ## Marks as a SE-PostgreSQL binary large object type + ## + ## +@@ -195,7 +287,7 @@ + type postgresql_db_t; + ') + +- allow $1 postgresql_db_t:dir search; ++ allow $1 postgresql_db_t:dir search_dir_perms; + ') + + ######################################## +@@ -207,6 +299,7 @@ + ## Domain allowed access. + ## + ## ++# + interface(`postgresql_manage_db',` + gen_require(` + type postgresql_db_t; +@@ -214,7 +307,7 @@ + + allow $1 postgresql_db_t:dir rw_dir_perms; + allow $1 postgresql_db_t:file rw_file_perms; +- allow $1 postgresql_db_t:lnk_file { getattr read }; ++ allow $1 postgresql_db_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -223,7 +316,7 @@ + ## + ## + ## +-## The type of the process performing this action. ++## Domain allowed to transition. + ## + ## + # +@@ -241,7 +334,7 @@ + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +@@ -304,7 +397,6 @@ + ## Domain allowed access. + ## + ## +-## + # + interface(`postgresql_stream_connect',` + gen_require(` +@@ -312,10 +404,8 @@ ') files_search_pids($1) 
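Review bot: The new `postgresql_sequence_object`, `postgresql_view_object` and `postgresql_language_object` interfaces require attributes `sepgsql_sequence_type`, `sepgsql_view_type` and `sepgsql_language_type` that nothing else in this diff declares or references — the new type_transition rules key on `sepgsql_schema_type` and the mls/mcs constraints are written per class — so unless postgresql.te (not in this chunk) declares them the first caller fails to build, and if it declares but never assigns them the three interfaces are dead code; please confirm the .te side lands in the same commit. The trailing `# deprecated` on the two `sepgsql_database_type` type_transition lines does not say why they are kept — presumably for SE-PostgreSQL builds that still transition on the database rather than the schema — and `# deprecated: kept for SE-PostgreSQL versions that transition on the database, not the schema` would record that (confirm against the sepgsql side). Separately, the `postgresql_unpriv_client` counterpart later in this diff grants `{ getattr add_name remove_name }` on its schema type without `search`, unlike the `{ getattr search add_name remove_name }` granted to `$2` here, and grants `set_value` unconditionally where this interface gates it behind sepgsql_enable_users_ddl; that hunk is cut off in this view, but the asymmetry looks unintended and would leave unprivileged clients without `search` on the schema objects they create.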
@@ -31698,42 +32302,452 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post - # Some versions of postgresql put the sock file in /tmp - allow $1 postgresql_tmp_t:sock_file write; + files_search_tmp($1) -+ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t) ++ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t) ') ######################################## -@@ -439,14 +437,19 @@ +@@ -332,18 +422,25 @@ + interface(`postgresql_unpriv_client',` + gen_require(` + class db_database all_db_database_perms; ++ class db_schema all_db_schema_perms; + class db_table all_db_table_perms; ++ class db_sequence all_db_sequence_perms; ++ class db_view all_db_view_perms; + class db_procedure all_db_procedure_perms; ++ class db_language all_db_language_perms; + class db_column all_db_column_perms; + class db_tuple all_db_tuple_perms; + class db_blob all_db_blob_perms; + + attribute sepgsql_client_type; +- attribute sepgsql_database_type, sepgsql_sysobj_table_type; ++ attribute sepgsql_database_type, sepgsql_schema_type; ++ attribute sepgsql_sysobj_table_type; + + type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; + type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t; ++ type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t; + type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; ++ type unpriv_sepgsql_view_t; + ') + + ######################################## +@@ -362,25 +459,40 @@ + allow $1 sepgsql_trusted_proc_t:process transition; + + tunable_policy(`sepgsql_enable_users_ddl',` ++ allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; + allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; + allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; + allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; ++ allow $1 unpriv_sepgsql_seq_t:db_sequence { 
create drop setattr }; ++ allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr }; + allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; + ') + ++ allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name }; ++ type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; ++ + allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; + allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; + allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; +- type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; ++ type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; # deprecated ++ type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t; ++ ++ allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value }; ++ type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t; ++ ++ allow $1 unpriv_sepgsql_view_t:db_view { getattr expand }; ++ type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t; + + allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select }; + type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; + + allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; +- type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; ++ type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; # deprecated ++ type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t; + + allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; + type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; ++ + ') + + ######################################## +@@ -420,13 +532,10 @@ + # + interface(`postgresql_admin',` + gen_require(` +- attribute sepgsql_admin_type; +- attribute sepgsql_client_type; +- +- 
type postgresql_t, postgresql_var_run_t; +- type postgresql_tmp_t, postgresql_db_t; +- type postgresql_etc_t, postgresql_log_t; +- type postgresql_initrc_exec_t; ++ attribute sepgsql_admin_type, sepgsql_client_type; ++ type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t; ++ type postgresql_tmp_t, postgresql_db_t, postgresql_log_t; ++ type postgresql_etc_t; + ') + + typeattribute $1 sepgsql_admin_type; +@@ -439,14 +548,19 @@ role_transition $2 postgresql_initrc_exec_t system_r; allow $2 system_r; -+ files_search_pids($1) ++ files_list_pids($1) admin_pattern($1, postgresql_var_run_t) -+ files_search_var_lib($1) ++ files_list_var_lib($1) admin_pattern($1, postgresql_db_t) -+ files_search_etc($1) ++ files_list_etc($1) admin_pattern($1, postgresql_etc_t) -+ logging_search_logs($1) ++ logging_list_logs($1) admin_pattern($1, postgresql_log_t) -+ files_search_tmp($1) ++ files_list_tmp($1) admin_pattern($1, postgresql_tmp_t) postgresql_tcp_connect($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.19/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/postgresql.te 2010-09-15 15:43:14.862386997 +0200 -@@ -251,7 +251,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/postgresql.te 2011-01-19 19:02:35.513051840 +0100 +@@ -1,5 +1,4 @@ +- +-policy_module(postgresql, 1.10.2) ++policy_module(postgresql, 1.12.1) + + gen_require(` + class db_database all_db_database_perms; +@@ -8,6 +7,10 @@ + class db_column all_db_column_perms; + class db_tuple all_db_tuple_perms; + class db_blob all_db_blob_perms; ++ class db_schema all_db_schema_perms; ++ class db_view all_db_view_perms; ++ class db_sequence all_db_sequence_perms; ++ class db_language all_db_language_perms; + ') + + ################################# +@@ -16,16 +19,16 @@ + # + + ## +-##

+-## Allow unprived users to execute DDL statement +-##

++##

++## Allow unprived users to execute DDL statement ++##

+ ##
+ gen_tunable(sepgsql_enable_users_ddl, true) + + ## +-##

+-## Allow database admins to execute DML statement +-##

++##

++## Allow database admins to execute DML statement ++##

+ ##
+ gen_tunable(sepgsql_unconfined_dbadm, true) + +@@ -61,9 +64,13 @@ + + # database objects attribute + attribute sepgsql_database_type; ++attribute sepgsql_schema_type; + attribute sepgsql_table_type; + attribute sepgsql_sysobj_table_type; ++attribute sepgsql_sequence_type; ++attribute sepgsql_view_type; + attribute sepgsql_procedure_type; ++attribute sepgsql_language_type; + attribute sepgsql_blob_type; + attribute sepgsql_module_type; + +@@ -77,6 +84,12 @@ + type sepgsql_fixed_table_t; + postgresql_table_object(sepgsql_fixed_table_t) + ++type sepgsql_lang_t; ++postgresql_language_object(sepgsql_lang_t) ++ ++type sepgsql_priv_lang_t; ++postgresql_language_object(sepgsql_priv_lang_t) ++ + type sepgsql_proc_exec_t; + typealias sepgsql_proc_exec_t alias sepgsql_proc_t; + postgresql_procedure_object(sepgsql_proc_exec_t) +@@ -87,12 +100,21 @@ + type sepgsql_ro_table_t; + postgresql_table_object(sepgsql_ro_table_t) + ++type sepgsql_safe_lang_t; ++postgresql_language_object(sepgsql_safe_lang_t) ++ ++type sepgsql_schema_t; ++postgresql_schema_object(sepgsql_schema_t) ++ + type sepgsql_secret_blob_t; + postgresql_blob_object(sepgsql_secret_blob_t) + + type sepgsql_secret_table_t; + postgresql_table_object(sepgsql_secret_table_t) + ++type sepgsql_seq_t; ++postgresql_sequence_object(sepgsql_seq_t) ++ + type sepgsql_sysobj_t; + postgresql_system_table_object(sepgsql_sysobj_t) + +@@ -102,6 +124,9 @@ + type sepgsql_trusted_proc_exec_t; + postgresql_procedure_object(sepgsql_trusted_proc_exec_t) + ++type sepgsql_view_t; ++postgresql_view_object(sepgsql_view_t) ++ + # Trusted Procedure Domain + type sepgsql_trusted_proc_t; + domain_type(sepgsql_trusted_proc_t) +@@ -115,12 +140,21 @@ + type unpriv_sepgsql_proc_exec_t; + postgresql_procedure_object(unpriv_sepgsql_proc_exec_t) + ++type unpriv_sepgsql_schema_t; ++postgresql_schema_object(unpriv_sepgsql_schema_t); ++ ++type unpriv_sepgsql_seq_t; ++postgresql_sequence_object(unpriv_sepgsql_seq_t) ++ + type unpriv_sepgsql_sysobj_t; + 
postgresql_system_table_object(unpriv_sepgsql_sysobj_t) + + type unpriv_sepgsql_table_t; + postgresql_table_object(unpriv_sepgsql_table_t) + ++type unpriv_sepgsql_view_t; ++postgresql_view_object(unpriv_sepgsql_view_t) ++ + # Types for UBAC + type user_sepgsql_blob_t; + typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t }; +@@ -132,6 +166,16 @@ + typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t }; + postgresql_procedure_object(user_sepgsql_proc_exec_t) + ++type user_sepgsql_schema_t; ++typealias user_sepgsql_schema_t alias { staff_sepgsql_schema_t sysadm_sepgsql_schema_t }; ++typealias user_sepgsql_schema_t alias { auditadm_sepgsql_schema_t secadm_sepgsql_schema_t }; ++postgresql_schema_object(user_sepgsql_schema_t) ++ ++type user_sepgsql_seq_t; ++typealias user_sepgsql_seq_t alias { staff_sepgsql_seq_t sysadm_sepgsql_seq_t }; ++typealias user_sepgsql_seq_t alias { auditadm_sepgsql_seq_t secadm_sepgsql_seq_t }; ++postgresql_sequence_object(user_sepgsql_seq_t) ++ + type user_sepgsql_sysobj_t; + typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t }; + typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t }; +@@ -142,6 +186,11 @@ + typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t }; + postgresql_table_object(user_sepgsql_table_t) + ++type user_sepgsql_view_t; ++typealias user_sepgsql_view_t alias { staff_sepgsql_view_t sysadm_sepgsql_view_t }; ++typealias user_sepgsql_view_t alias { auditadm_sepgsql_view_t secadm_sepgsql_view_t }; ++postgresql_view_object(user_sepgsql_view_t) ++ + ######################################## + # + # postgresql Local policy +@@ -166,9 +215,15 @@ + # Database/Loadable module + allow sepgsql_database_type sepgsql_module_type:db_database load_module; + ++allow postgresql_t sepgsql_schema_type:db_schema *; ++ + allow postgresql_t sepgsql_table_type:{ 
db_table db_column db_tuple } *; + type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; + ++allow postgresql_t sepgsql_sequence_type:db_sequence *; ++ ++allow postgresql_t sepgsql_view_type:db_view *; ++ + allow postgresql_t sepgsql_procedure_type:db_procedure *; + type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t; + +@@ -186,7 +241,7 @@ + read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) + read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) + +-allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; ++allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms; + can_exec(postgresql_t, postgresql_exec_t ) + + allow postgresql_t postgresql_lock_t:file manage_file_perms; +@@ -203,9 +258,10 @@ + files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) + fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) + ++manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) + manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) + manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) +-files_pid_filetrans(postgresql_t, postgresql_var_run_t, file) ++files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file }) + + kernel_read_kernel_sysctls(postgresql_t) + kernel_read_system_state(postgresql_t) +@@ -251,8 +307,7 @@ domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) -files_manage_etc_files(postgresql_t) +-files_search_etc(postgresql_t) +files_read_etc_files(postgresql_t) - files_search_etc(postgresql_t) files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) + +@@ -314,6 +369,8 @@ + allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param }; + type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t; + ++allow 
sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; ++ + allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock }; + allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert }; + allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; +@@ -333,9 +390,22 @@ + allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; + allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; + ++allow sepgsql_client_type sepgsql_seq_t:db_sequence { getattr get_value next_value }; ++ ++allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand }; ++ + allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install }; + allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint }; + ++allow sepgsql_client_type sepgsql_lang_t:db_language { getattr }; ++allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute }; ++ ++# Only DBA can implement SQL procedures using `unsafe' procedural languages. ++# The `unsafe' one provides a capability to access internal data structure, ++# so we don't allow user-defined function being implemented using `unsafe' one. ++allow sepgsql_proc_exec_t sepgsql_lang_t:db_language { implement }; ++allow sepgsql_procedure_type sepgsql_safe_lang_t:db_language { implement }; ++ + allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write }; + allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; + allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr; +@@ -353,6 +423,12 @@ + # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL. 
+ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete }; + ++# Note that permission of creation/deletion are eventually controlled by ++# create or drop permission of individual objects within shared schemas. ++# So, it just allows to create/drop user specific types. ++tunable_policy(`sepgsql_enable_users_ddl',` ++ allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ++') + + ######################################## + # +@@ -362,16 +438,33 @@ + allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access }; + type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t; + ++allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name }; ++type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t; ++ + allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock }; + allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto }; + allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete }; + +-type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t; ++type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated ++type_transition sepgsql_admin_type sepgsql_schema_type:db_table sepgsql_table_t; ++ ++allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value }; ++ ++type_transition sepgsql_admin_type sepgsql_schema_type:db_schema sepgsql_seq_t; ++ ++allow sepgsql_admin_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto 
expand }; ++ ++type_transition sepgsql_admin_type sepgsql_view_type:db_view sepgsql_view_t; + + allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto }; + allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; + +-type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; ++type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated ++type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; ++ ++allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute }; ++ ++type_transition sepgsql_admin_type sepgsql_database_type:db_language sepgsql_lang_t; + + allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto }; + +@@ -384,12 +477,18 @@ + tunable_policy(`sepgsql_unconfined_dbadm',` + allow sepgsql_admin_type sepgsql_database_type:db_database *; + ++ allow sepgsql_admin_type sepgsql_schema_type:db_schema *; ++ + allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *; ++ allow sepgsql_admin_type sepgsql_sequence_type:db_sequence *; ++ allow sepgsql_admin_type sepgsql_view_type:db_view *; + + allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *; + allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install; + allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install }; + ++ allow sepgsql_admin_type sepgsql_language_type:db_language ~implement; ++ + allow sepgsql_admin_type sepgsql_blob_type:db_blob *; + ') + +@@ -401,11 +500,21 @@ + allow sepgsql_unconfined_type sepgsql_database_type:db_database *; + type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; + +-type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; +-type_transition sepgsql_unconfined_type 
sepgsql_database_type:db_procedure sepgsql_proc_exec_t; ++allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; ++type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t; ++ ++type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated ++type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated ++type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table sepgsql_table_t; ++type_transition sepgsql_unconfined_type sepgsql_schema_type:db_sequence sepgsql_seq_t; ++type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view sepgsql_view_t; ++type_transition sepgsql_unconfined_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; ++type_transition sepgsql_unconfined_type sepgsql_database_type:db_language sepgsql_lang_t; + type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t; + + allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *; ++allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence *; ++allow sepgsql_unconfined_type sepgsql_view_type:db_view *; + + # unconfined domain is not allowed to invoke user defined procedure directly. + # They have to confirm and relabel it at first. 
+@@ -413,6 +522,8 @@ + allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install; + allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install }; + ++allow sepgsql_unconfined_type sepgsql_language_type:db_language ~implement; ++ + allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; + + allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.19/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/ppp.if 2010-10-13 09:40:56.718900943 +0200 @@ -44262,7 +45276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.19/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-12-20 16:32:51.450041217 +0100 ++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2011-01-19 17:28:25.370292769 +0100 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -44353,7 +45367,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -261,25 +266,25 @@ +@@ -235,6 +240,7 @@ + domain_sigchld_interactive_fds(newrole_t) + + files_read_etc_files(newrole_t) ++files_list_var(newrole_t) + files_read_var_files(newrole_t) + files_read_var_symlinks(newrole_t) + +@@ -261,25 +267,25 @@ term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) 
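Review bot: Two of the new `sepgsql_admin_type` transitions in the postgresql.te part of this hunk disagree with the matching client and unconfined rules: `type_transition sepgsql_admin_type sepgsql_schema_type:db_schema sepgsql_seq_t;` names class `db_schema` where the sequence allow rule just above it and the `sepgsql_unconfined_type`/`postgresql_unpriv_client` transitions use `db_sequence`, and `type_transition sepgsql_admin_type sepgsql_view_type:db_view sepgsql_view_t;` keys on `sepgsql_view_type` as the parent where every other view transition keys on `sepgsql_schema_type`. As far as this hunk shows, that leaves sequences and views created by an admin with no transition to `sepgsql_seq_t`/`sepgsql_view_t` (and would label a schema created under a schema as a sequence type), so the lines should read `type_transition sepgsql_admin_type sepgsql_schema_type:db_sequence sepgsql_seq_t;` and `type_transition sepgsql_admin_type sepgsql_schema_type:db_view sepgsql_view_t;`. Separately, `postgresql_schema_object(unpriv_sepgsql_schema_t);` carries a trailing semicolon that none of the sibling object declarations have; dropping it keeps the expansion consistent with its neighbours. The admin-section statements begin and end inside this hunk, but the enclosing postgresql.te file continues past it.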
@@ -44385,7 +45407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -313,6 +318,8 @@ +@@ -313,6 +319,8 @@ kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -44394,7 +45416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) -@@ -336,6 +343,8 @@ +@@ -336,6 +344,8 @@ seutil_libselinux_linked(restorecond_t) @@ -44403,7 +45425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -354,7 +363,7 @@ +@@ -354,7 +364,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -44412,7 +45434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -375,6 +384,8 @@ +@@ -375,6 +385,8 @@ mls_rangetrans_source(run_init_t) @@ -44421,7 +45443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu selinux_validate_context(run_init_t) selinux_compute_access_vector(run_init_t) selinux_compute_create_context(run_init_t) -@@ -383,7 +394,6 @@ +@@ -383,7 +395,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) @@ -44429,7 +45451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -406,6 +416,10 @@ +@@ -406,6 +417,10 @@ ') ') 
@@ -44440,7 +45462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -421,61 +435,22 @@ +@@ -421,61 +436,22 @@ # semodule local policy # @@ -44510,7 +45532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -484,12 +459,24 @@ +@@ -484,12 +460,24 @@ files_read_var_lib_symlinks(semanage_t) ') @@ -44535,7 +45557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -499,112 +486,54 @@ +@@ -499,112 +487,54 @@ userdom_read_user_tmp_files(semanage_t) ') @@ -48580,7 +49602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2011-01-14 14:36:19.658040682 +0100 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2011-01-19 17:11:07.574292106 +0100 @@ -29,18 +29,18 @@ ## @@ -48605,7 +49627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ##

-@@ -54,11 +54,20 @@ +@@ -54,11 +54,22 @@ # all user domains attribute userdomain; @@ -48625,10 +49647,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +files_associate_tmp(admin_home_t) +fs_associate_tmpfs(admin_home_t) +files_mountpoint(admin_home_t) ++files_poly_member(admin_home_t) ++files_poly_parent(admin_home_t) type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) -@@ -72,6 +81,7 @@ +@@ -72,6 +83,7 @@ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -48636,7 +49660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) -@@ -85,10 +95,11 @@ +@@ -85,10 +97,11 @@ files_type(user_devpts_t) ubac_constrained(user_devpts_t) @@ -48649,7 +49673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; files_tmpfs_file(user_tmpfs_t) -@@ -97,3 +108,41 @@ +@@ -97,3 +110,41 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 1e9b31f..24cd46e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 83%{?dist} +Release: 84%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -153,6 +153,7 @@ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' . %config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ +%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ @@ -470,6 +471,13 @@ exit 0 %endif %changelog +* Tue Jan 19 2011 Miroslav Grepl 3.7.19-84 +- Fixes for newrole_t domain related to namespace.init +- Add puppetmaster_uses_db boolean +- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on +- sandbox fixes +- Add sepgsql fixes from KaiGai Kohei + * Tue Jan 18 2011 Miroslav Grepl 3.7.19-83 - Allow newrole to run namespace - Add puppetmaster_uses_db boolean