From 189f19705e06ad20630cce3b9b701776a4b7f9ee Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jul 31 2007 19:49:42 +0000 Subject: - Fix prelink to handle execmod - Allow mount_ntfs to search file_type:dir --- diff --git a/policy-20070501.patch b/policy-20070501.patch index c46978f..9015fec 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -585,7 +585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.6.4/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/admin/prelink.te 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/admin/prelink.te 2007-07-24 08:58:20.000000000 -0400 @@ -26,7 +26,7 @@ # Local policy # @@ -595,6 +595,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink allow prelink_t self:process { execheap execmem execstack signal }; allow prelink_t self:fifo_file rw_fifo_file_perms; +@@ -40,7 +40,7 @@ + read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t) + logging_log_filetrans(prelink_t, prelink_log_t, file) + +-allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom }; ++allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; + files_tmp_filetrans(prelink_t, prelink_tmp_t, file) + fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file) + @@ -49,8 +49,7 @@ allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom }; 
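Review bot: The new `execmod` permission on `prelink_tmp_t` in the inner `@@ -40,7 +40,7 @@` hunk carries no comment, and it is the one permission on that line that lets prelink_t run a tmp-labeled file it has itself modified, which is exactly the kind of grant a later audit will stop at. The rule is what the commit subject announces, so only the justification is missing; a line such as `# prelink presumably rewrites relocated copies under tmp and re-executes them; execmod covers the rewritten text segment` above the allow rule would record it. The prelink_t section continues outside this hunk.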
@@ -614,6 +623,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink fs_getattr_xattr_fs(prelink_t) +@@ -81,6 +82,7 @@ + libs_manage_lib_files(prelink_t) + libs_relabel_lib_files(prelink_t) + libs_delete_lib_symlinks(prelink_t) ++libs_legacy_use_shared_libs(prelink_t) + + miscfiles_read_localization(prelink_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.6.4/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2007-05-07 14:51:05.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/admin/readahead.te 2007-07-13 13:11:46.000000000 -0400 @@ -659,7 +676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.6.4/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-07 14:51:05.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/admin/rpm.if 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/admin/rpm.if 2007-07-31 14:04:26.000000000 -0400 @@ -211,6 +211,24 @@ ######################################## @@ -1422,7 +1439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp auth_search_pam_console_data($1_userhelper_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-07-31 13:44:59.000000000 -0400 
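Review bot: `libs_legacy_use_shared_libs(prelink_t)` in the inner `@@ -81,6 +82,7 @@` hunk is added without a comment; as far as I recall this reference-policy interface is the one that additionally permits `execmod` on text-relocating library types, so it is a wider grant than the `libs_use_shared_libs` pattern used elsewhere in this patch. Since the commit is about execmod handling, prelink presumably has to load libraries that still need text relocations while it processes them; `# prelink must load libraries that still carry text relocations` above the line would make the reason visible. The enclosing prelink_t section starts and ends outside this hunk.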
@@ -36,6 +36,11 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) @@ -1435,7 +1452,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) -@@ -248,6 +253,7 @@ +@@ -131,7 +136,8 @@ + /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) +@@ -248,6 +254,7 @@ /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) @@ -1443,7 +1470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -256,3 +262,13 @@ +@@ -256,3 +263,13 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
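Review bot: The new `/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)` entry in the inner `@@ -131,7 +136,8 @@` hunk only makes sense together with the cups.fc hunk later in this diff that drops the `cupsd_exec_t` rule for the same path; if one side lands without the other, the same files have two file_contexts entries and which label wins depends on the specificity rules of setfiles rather than on intent. The relabel also changes who may execute the backends: as `bin_t` they are executable by every domain granted the generic `corecmd_exec_bin`, not only by domains given `cupsd_exec_t` access, so a short comment recording that this was deliberate would help. The `filter` entry additionally loses its `--` qualifier, so the directory and any non-regular entries under it now get `bin_t` as well.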
@@ -1537,16 +1564,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.6.4/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/devices.fc 2007-07-13 13:11:46.000000000 -0400 -@@ -19,6 +19,7 @@ ++++ serefpolicy-2.6.4/policy/modules/kernel/devices.fc 2007-07-31 13:38:08.000000000 -0400 +@@ -19,6 +19,8 @@ /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0) ++/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) -@@ -52,7 +53,7 @@ +@@ -52,7 +54,7 @@ /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/random -c gen_context(system_u:object_r:random_device_t,s0) /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -1555,7 +1583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) /dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -64,6 +65,7 @@ +@@ -64,6 +66,7 @@ /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0) 
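Review bot: The added `/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)` in the inner `@@ -19,6 +19,8 @@` hunk labels every character device whose name starts with a digit as a USB device, which is far broader than the `/dev/fw.*` entry beside it. Any future or vendor device node in /dev with a leading digit would silently become `usb_device_t` and so be readable and writable by every domain granted `dev_rw_generic_usb_dev`. A comment naming which device nodes this is meant to match, or a tighter pattern if they have a known shape, would make the rule auditable.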
@@ -1563,7 +1591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -81,6 +83,8 @@ +@@ -81,6 +84,8 @@ /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) @@ -1824,7 +1852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.6.4/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-07-25 16:22:10.000000000 -0400 @@ -45,7 +45,6 @@ /etc -d gen_context(system_u:object_r:etc_t,s0) /etc/.* gen_context(system_u:object_r:etc_t,s0) @@ -1841,6 +1869,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) +@@ -210,6 +210,7 @@ + /usr/lost\+found/.* <> + + /usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0) ++/usr/share/doc(/.*)? gen_context(system_u:object_r:usr_t,s0) + + /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) + /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.6.4/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-05-07 14:51:02.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-07-13 13:11:46.000000000 -0400 
@@ -2083,7 +2119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # etc_runtime_t is the type of various diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.6.4/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.if 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.if 2007-07-30 10:20:41.000000000 -0400 @@ -1096,6 +1096,24 @@ ######################################## @@ -2136,7 +2172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Mount a NFS filesystem. ## ## -@@ -3420,3 +3458,22 @@ +@@ -3420,3 +3458,42 @@ relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) ') @@ -2159,6 +2195,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + + allow $1 fusefs_t:filesystem mount; +') ++ ++######################################## ++## ++## unmount a FUSE filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_unmount_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:filesystem unmount; ++') ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-05-07 14:51:02.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-07-23 10:45:02.000000000 -0400 
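Review bot: The summary of the new `fs_unmount_fusefs` interface in the inner `@@ -3420,3 +3458,42 @@` hunk reads `unmount a FUSE filesystem.` in lower case, while the neighbouring summaries in this file start with a capital (`Mount a NFS filesystem.` a few lines up); `## Unmount a FUSE filesystem.` would match. The interface is also followed by two empty added lines before the next file header, which leaves trailing blank lines at the end of filesystem.if. If the `<summary>`/`<param>` XML tags were stripped by rendering here, ignore this; otherwise the documentation block is also missing the tags the policy documentation tooling expects, which the existing interfaces in this file carry.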
@@ -2850,7 +2906,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-07-23 16:18:32.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-07-26 13:46:31.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(apache,1.6.0) ++policy_module(apache,1.7.0) + + # + # NOTES: @@ -30,6 +30,13 @@ ## @@ -2879,6 +2942,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac gen_tunable(httpd_can_network_connect,false) ## +@@ -97,7 +111,7 @@ + ## Allow http daemon to communicate with the TTY + ##

+ ##
+-gen_tunable(httpd_tty_comm,false) ++gen_tunable(httpd_tty_comm,true) + + ## + ##

@@ -106,6 +120,27 @@ ## gen_tunable(httpd_unified,false) @@ -2907,7 +2979,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac attribute httpdcontent; # domains that can exec all users scripts -@@ -215,7 +250,7 @@ +@@ -201,11 +236,6 @@ + type squirrelmail_spool_t; + files_tmp_file(squirrelmail_spool_t) + +-ifdef(`targeted_policy',` +- typealias httpd_sys_content_t alias httpd_user_content_t; +- typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; +-') +- + optional_policy(` + prelink_object_file(httpd_modules_t) + ') +@@ -215,7 +245,7 @@ # Apache server local policy # @@ -2916,7 +3000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -257,6 +292,7 @@ +@@ -257,6 +287,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) @@ -2924,15 +3008,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -297,6 +333,7 @@ +@@ -297,8 +328,10 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) +kernel_search_network_sysctl(httpd_t) - corenet_non_ipsec_sendrecv(httpd_t) +-corenet_non_ipsec_sendrecv(httpd_t) ++corenet_all_recvfrom_unlabeled(httpd_t) ++corenet_all_recvfrom_netlabel(httpd_t) corenet_tcp_sendrecv_all_if(httpd_t) -@@ -342,6 +379,9 @@ + corenet_udp_sendrecv_all_if(httpd_t) + corenet_tcp_sendrecv_all_nodes(httpd_t) +@@ -342,6 +375,9 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
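Review bot: `gen_tunable(httpd_tty_comm,true)` in the inner `@@ -97,7 +111,7 @@` hunk flips the default of a boolean that lets the web server talk to terminals from off to on, and neither the commit subject nor a comment says why. Combined with the `unconfined_use_terminals(httpd_t)` and `unconfined_use_terminals(httpd_helper_t)` added under the same boolean in the later `@@ -3009,21 +3110,76 @@` hunk of this file, a default installation now gives httpd_t unconfined-level terminal access rather than the narrower access the boolean previously gated. If the intent is only to avoid startup noise when an administrator runs the daemon from a shell, consider keeping the default `false`; in either case the boolean's description should state its widened scope, e.g. `## Allow httpd to use any terminal, not only its controlling tty, when started from a shell`.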
@@ -2942,18 +3030,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -362,6 +402,10 @@ +@@ -360,16 +396,12 @@ - mta_send_mail(httpd_t) + userdom_use_unpriv_users_fds(httpd_t) +-mta_send_mail(httpd_t) +- +-ifdef(`targeted_policy',` +- term_dontaudit_use_unallocated_ttys(httpd_t) +- term_dontaudit_use_generic_ptys(httpd_t) +- files_dontaudit_read_root_files(httpd_t) +optional_policy(` + nscd_socket_use(httpd_t) +') -+ - ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(httpd_t) - term_dontaudit_use_generic_ptys(httpd_t) -@@ -382,6 +426,7 @@ + +- tunable_policy(`httpd_enable_homedirs',` +- userdom_search_generic_user_home_dirs(httpd_t) +- ') ++tunable_policy(`httpd_enable_homedirs',` ++ userdom_search_generic_user_home_dirs(httpd_t) + ') + + tunable_policy(`allow_httpd_anon_write',` +@@ -382,6 +414,7 @@ # tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) @@ -2961,7 +3060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -389,6 +434,14 @@ +@@ -389,6 +422,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -2971,12 +3070,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + corenet_sendrecv_smtp_client_packets(httpd_t) + corenet_tcp_connect_pop_port(httpd_t) + corenet_sendrecv_pop_client_packets(httpd_t) ++ mta_send_mail(httpd_t) ++ mta_send_mail(httpd_sys_script_t) +') + tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -416,6 +469,10 @@ +@@ -416,6 +459,10 @@ allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms; ') 
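Review bot: Dropping the `ifdef(`targeted_policy',` block in the inner `@@ -360,16 +396,12 @@` hunk removes `term_dontaudit_use_unallocated_ttys(httpd_t)`, `term_dontaudit_use_generic_ptys(httpd_t)` and `files_dontaudit_read_root_files(httpd_t)` outright, whereas the other targeted_policy removals in this commit keep their body unconditionally (the `httpd_enable_homedirs` tunable directly below does); the same happens to `httpd_rotatelogs_t` in the inner `@@ -784,7 +905,25 @@` hunk later in this file. Unless the tty_comm change is meant to replace them, expect new AVC noise on targeted systems; keeping the dontaudit lines unconditionally would be the conservative equivalent of the other conversions. Separately, `mta_send_mail(httpd_t)` moves from unconditional into a tunable block in the inner `@@ -389,6 +422,16 @@` hunk (the tunable's name is outside the visible lines), which is a behaviour change for deployments that rely on httpd sending mail today and deserves a mention in the commit message.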
@@ -2987,7 +3088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -433,11 +490,21 @@ +@@ -433,11 +480,21 @@ fs_read_nfs_symlinks(httpd_t) ') 
@@ -3009,21 +3110,76 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -445,6 +512,13 @@ - allow httpd_sys_script_t httpd_t:process sigchld; +@@ -459,10 +516,20 @@ ') + optional_policy(` ++ tunable_policy(`httpd_tty_comm',` ++ unconfined_use_terminals(httpd_t) ++ ') ++') ++ +optional_policy(` -+ dbus_system_bus_client_template(httpd,httpd_t) -+ tunable_policy(`allow_httpd_dbus_avahi',` -+ avahi_dbus_chat(httpd_t) + calamaris_read_www_files(httpd_t) + ') + + optional_policy(` ++ cron_system_entry(httpd_t, httpd_exec_t) ++') ++ ++optional_policy(` + daemontools_service_domain(httpd_t, httpd_exec_t) + ') + +@@ -537,10 +604,16 @@ + tunable_policy(`httpd_tty_comm',` + # cjp: this is redundant: + term_use_controlling_term(httpd_helper_t) +- + userdom_use_sysadm_terms(httpd_helper_t) + ') + ++optional_policy(` ++ tunable_policy(`httpd_tty_comm',` ++ unconfined_use_terminals(httpd_helper_t) + ') +') + - # When the admin starts the server, the server wants to access - # the TTY or PTY associated with the session. 
The httpd appears - # to run correctly without this permission, so the permission -@@ -668,6 +742,12 @@ ++ + ######################################## + # + # Apache PHP script local policy +@@ -631,17 +704,16 @@ + + miscfiles_read_localization(httpd_suexec_t) + +-ifdef(`targeted_policy',` +- tunable_policy(`httpd_enable_homedirs',` +- userdom_search_generic_user_home_dirs(httpd_suexec_t) +- ') ++tunable_policy(`httpd_enable_homedirs',` ++ userdom_search_generic_user_home_dirs(httpd_suexec_t) + ') + + tunable_policy(`httpd_can_network_connect',` + allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; + allow httpd_suexec_t self:udp_socket create_socket_perms; + +- corenet_non_ipsec_sendrecv(httpd_suexec_t) ++ corenet_all_recvfrom_unlabeled(httpd_suexec_t) ++ corenet_all_recvfrom_netlabel(httpd_suexec_t) + corenet_tcp_sendrecv_all_if(httpd_suexec_t) + corenet_udp_sendrecv_all_if(httpd_suexec_t) + corenet_tcp_sendrecv_all_nodes(httpd_suexec_t) +@@ -650,7 +722,6 @@ + corenet_udp_sendrecv_all_ports(httpd_suexec_t) + corenet_tcp_connect_all_ports(httpd_suexec_t) + corenet_sendrecv_all_client_packets(httpd_suexec_t) +- + sysnet_read_config(httpd_suexec_t) + ') + +@@ -668,6 +739,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -3036,7 +3192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -706,7 +786,8 @@ +@@ -706,7 +783,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -3046,7 +3202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -720,6 +801,8 @@ +@@ -720,21 +798,66 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) 
@@ -3055,20 +3211,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file { getattr append }; ') -@@ -730,11 +813,21 @@ - ') + +-ifdef(`targeted_policy',` +- tunable_policy(`httpd_enable_homedirs',` +- userdom_search_generic_user_home_dirs(httpd_sys_script_t) +- ') ++tunable_policy(`httpd_enable_homedirs',` ++ userdom_search_generic_user_home_dirs(httpd_sys_script_t) ') +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +tunable_policy(`httpd_use_nfs', ` -+ fs_read_nfs_files(httpd_sys_script_t) -+ fs_read_nfs_symlinks(httpd_sys_script_t) -+') -+ - tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` ++ fs_read_nfs_files(httpd_sys_script_t) ++ fs_read_nfs_symlinks(httpd_sys_script_t) ++') ++ ++tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` ++ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; ++ allow httpd_sys_script_t self:udp_socket create_socket_perms; ++ ++ corenet_all_recvfrom_unlabeled(httpd_sys_script_t) ++ corenet_all_recvfrom_netlabel(httpd_sys_script_t) ++ corenet_tcp_sendrecv_all_if(httpd_sys_script_t) ++ corenet_udp_sendrecv_all_if(httpd_sys_script_t) ++ corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) ++ corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) ++ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) ++ corenet_udp_sendrecv_all_ports(httpd_sys_script_t) ++ corenet_tcp_connect_postgresql_port(httpd_sys_script_t) ++ corenet_tcp_connect_mysqld_port(httpd_sys_script_t) ++ corenet_sendrecv_postgresql_client_packets(httpd_sys_script_t) ++ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) ++') ++ ++tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ++ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; ++ allow 
httpd_sys_script_t self:udp_socket create_socket_perms; ++ ++ corenet_all_recvfrom_unlabeled(httpd_sys_script_t) ++ corenet_all_recvfrom_netlabel(httpd_sys_script_t) ++ corenet_tcp_sendrecv_all_if(httpd_sys_script_t) ++ corenet_udp_sendrecv_all_if(httpd_sys_script_t) ++ corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) ++ corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) ++ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) ++ corenet_udp_sendrecv_all_ports(httpd_sys_script_t) ++ corenet_tcp_connect_all_ports(httpd_sys_script_t) ++ corenet_sendrecv_all_client_packets(httpd_sys_script_t) ++') ++ ++ +tunable_policy(`httpd_use_cifs', ` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) @@ -3077,11 +3274,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -788,3 +881,19 @@ - term_dontaudit_use_generic_ptys(httpd_rotatelogs_t) - term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t) +@@ -754,14 +877,12 @@ + # Apache unconfined script local policy + # + +-unconfined_domain(httpd_unconfined_script_t) +- + optional_policy(` +- cron_system_entry(httpd_t, httpd_exec_t) ++ nscd_socket_use(httpd_unconfined_script_t) ') -+ + + optional_policy(` +- nscd_socket_use(httpd_unconfined_script_t) ++ unconfined_domain(httpd_unconfined_script_t) + ') + + ######################################## +@@ -784,7 +905,25 @@ + + miscfiles_read_localization(httpd_rotatelogs_t) + +-ifdef(`targeted_policy',` +- term_dontaudit_use_generic_ptys(httpd_rotatelogs_t) +- term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t) +#============= bugzilla policy ============== +apache_content_template(bugzilla) +allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; 
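Review bot: The two new `tunable_policy` blocks for `httpd_sys_script_t` in the inner `@@ -720,21 +798,66 @@` hunk (`httpd_enable_cgi && httpd_can_network_connect_db` and `httpd_enable_cgi && httpd_can_network_connect`) repeat the same ten socket and `corenet_*_all_*` lines; if the build accepts it, the shared part could be a single block conditioned on `httpd_enable_cgi && (httpd_can_network_connect_db || httpd_can_network_connect)` with only the connect rules kept apart. In the `_db` variant, `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` grant traffic on every port although the boolean is described as database access and the two `connect` rules beside them name only the postgresql and mysqld ports; the per-port sendrecv interfaces for those two ports would match the description. There are also two consecutive empty added lines before `tunable_policy(`httpd_use_cifs'`.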
@@ -3097,11 +3313,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + postgresql_stream_connect(httpd_bugzilla_script_t) +') + ++ ++optional_policy(` ++ dbus_system_bus_client_template(httpd,httpd_t) ++ tunable_policy(`allow_httpd_dbus_avahi',` ++ avahi_dbus_chat(httpd_t) ++ ') + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-2.6.4/policy/modules/services/apcupsd.fc --- nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apcupsd.fc 2007-07-13 13:11:46.000000000 -0400 -@@ -3,3 +3,8 @@ ++++ serefpolicy-2.6.4/policy/modules/services/apcupsd.fc 2007-07-30 11:42:49.000000000 -0400 +@@ -1,5 +1,11 @@ + /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) + /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) ++/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) /var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0) + @@ -3140,7 +3366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-2.6.4/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te 2007-07-30 11:42:24.000000000 -0400 @@ -16,6 +16,9 @@ type apcupsd_log_t; logging_log_file(apcupsd_log_t) 
@@ -3186,20 +3412,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu dev_rw_generic_usb_dev(apcupsd_t) -@@ -54,6 +66,12 @@ +@@ -53,6 +65,15 @@ + files_read_etc_files(apcupsd_t) files_search_locks(apcupsd_t) - ++# Creates /etc/nologin ++files_manage_etc_runtime_files(apcupsd_t) ++files_etc_filetrans_etc_runtime(apcuspd_t,file) ++ +#apcupsd runs shutdown, probably need a shutdown domain +init_rw_utmp(apcupsd_t) +init_telinit(apcupsd_t) + +kernel_read_system_state(apcupsd_t) -+ + libs_use_ld_so(apcupsd_t) libs_use_shared_libs(apcupsd_t) - -@@ -61,7 +79,39 @@ +@@ -61,7 +82,39 @@ miscfiles_read_localization(apcupsd_t) @@ -3843,7 +4072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.6.4/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-07-31 13:45:11.000000000 -0400 @@ -8,6 +8,7 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
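Review bot: `files_etc_filetrans_etc_runtime(apcuspd_t,file)` in the inner `@@ -53,6 +65,15 @@` hunk misspells the domain (`apcuspd_t` for `apcupsd_t`); no such type exists, so the module will fail to build, and if the name were ever defined the transition would still never apply to the daemon. The line should read `files_etc_filetrans_etc_runtime(apcupsd_t,file)`. The accompanying `files_manage_etc_runtime_files(apcupsd_t)` grants create, write and delete over every `etc_runtime_t` file, not only /etc/nologin, so the `# Creates /etc/nologin` comment should say that the broader manage access is accepted, or the rule should be narrowed if a finer interface is available.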
@@ -3852,15 +4081,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +@@ -17,7 +18,7 @@ + + /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + +-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) ++/usr/lib(64)?/cups/daemon -d gen_context(system_u:object_r:cupsd_exec_t,s0) + /usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) + /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) + @@ -52,3 +53,5 @@ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) -+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) -+ ++/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:cupsd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-07-19 10:33:19.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-07-31 12:58:13.000000000 -0400 @@ -93,8 +93,6 @@ # generic socket here until appletalk socket is available in kernels allow cupsd_t self:socket create_socket_perms; 
@@ -3870,6 +4108,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t cupsd_etc_t:{ dir file } setattr; read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t) read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t) +@@ -107,7 +105,7 @@ + + # allow cups to execute its backend scripts + can_exec(cupsd_t, cupsd_exec_t) +-allow cupsd_t cupsd_exec_t:dir search; ++allow cupsd_t cupsd_exec_t:dir search_dir_perms; + allow cupsd_t cupsd_exec_t:lnk_file read; + + manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t) @@ -151,14 +149,16 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) @@ -6488,8 +6735,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_search_auto_mountpoints($1_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-07-16 16:14:39.000000000 -0400 -@@ -59,6 +59,8 @@ ++++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-07-31 14:16:39.000000000 -0400 +@@ -59,10 +59,13 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) @@ -6498,7 +6745,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_read_system_state(rpcd_t) kernel_search_network_state(rpcd_t) # for rpc.rquotad -@@ -79,6 +81,7 @@ + kernel_read_sysctl(rpcd_t) ++kernel_getattr_core_if(nfsd_t) + + fs_list_rpc(rpcd_t) + fs_read_rpc_files(rpcd_t) +@@ -79,6 +82,7 @@ optional_policy(` nis_read_ypserv_config(rpcd_t) 
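Review bot: `kernel_getattr_core_if(nfsd_t)` in the inner `@@ -59,10 +59,13 @@` hunk sits in the rpcd_t section between `kernel_read_sysctl(rpcd_t)` and `fs_list_rpc(rpcd_t)` yet names `nfsd_t`, and the next hunk of this file adds `kernel_dontaudit_getattr_core_if(nfsd_t)` for the same domain; an allow and a dontaudit for the same access on the same domain cannot both be intended, since the dontaudit is dead once the access is allowed. Either the first line was meant to be `kernel_getattr_core_if(rpcd_t)` to match its surroundings, or it should be dropped in favour of the dontaudit in the nfsd_t section. Both the rpcd_t and nfsd_t sections begin and end outside these hunks.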
@@ -6506,7 +6758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') ######################################## -@@ -91,6 +94,9 @@ +@@ -91,9 +95,13 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; @@ -6516,7 +6768,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) -@@ -123,6 +129,7 @@ ++kernel_dontaudit_getattr_core_if(nfsd_t) + + corenet_tcp_bind_all_rpc_ports(nfsd_t) + corenet_udp_bind_all_rpc_ports(nfsd_t) +@@ -123,6 +131,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) @@ -7621,7 +7877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.6.4/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/xserver.te 2007-07-13 13:11:47.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/xserver.te 2007-07-31 10:08:59.000000000 -0400 @@ -448,6 +448,10 @@ rhgb_rw_tmpfs_files(xdm_xserver_t) ') @@ -8190,7 +8446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-2.6.4/policy/modules/system/brctl.te --- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-07-19 09:02:47.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-07-30 11:23:46.000000000 -0400 @@ -0,0 +1,50 @@ +policy_module(brctl,1.0.0) + 
@@ -8214,7 +8470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. +allow brctl_t self:tcp_socket create_socket_perms; +allow brctl_t self:unix_dgram_socket create_socket_perms; + -+dev_search_sysfs(brctl_t) ++dev_rw_sysfs(brctl_t) + +# Init script handling +domain_use_interactive_fds(brctl_t) @@ -8307,7 +8563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.6.4/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-07-14 08:55:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-07-25 10:26:51.000000000 -0400 @@ -9,6 +9,7 @@ type fsadm_t; type fsadm_exec_t; @@ -8316,15 +8572,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool role system_r types fsadm_t; type fsadm_log_t; -@@ -184,3 +185,8 @@ +@@ -184,3 +185,9 @@ fs_dontaudit_write_ramfs_pipes(fsadm_t) rhgb_stub(fsadm_t) ') + +optional_policy(` + xen_append_log(fsadm_t) -+ xen_rw_image_files(udev_t) ++ xen_rw_image_files(fsadm_t) +') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-2.6.4/policy/modules/system/fusermount.fc --- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/system/fusermount.fc 2007-07-13 13:11:47.000000000 -0400 
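Review bot: `dev_rw_sysfs(brctl_t)` replaces `dev_search_sysfs(brctl_t)` without a comment; `sysfs_t` covers all of /sys, so this grants the bridge tool write access to every sysfs attribute rather than only the bridge entries it presumably needs. With a single sysfs type that width may be unavoidable, but a comment such as `# brctl writes bridge parameters through sysfs; no finer type exists` would record the reason and keep the size of the grant visible to later review. The brctl_t section continues outside this hunk.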
@@ -9083,7 +9340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.6.4/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/logging.te 2007-07-13 13:11:47.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/logging.te 2007-07-26 14:57:05.000000000 -0400 @@ -7,10 +7,15 @@ # @@ -9110,7 +9367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin type syslogd_var_run_t; files_pid_file(syslogd_var_run_t) -@@ -59,14 +67,17 @@ +@@ -59,13 +67,18 @@ init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh) ') @@ -9122,16 +9379,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + ######################################## # - # Auditd local policy +-# Auditd local policy ++# Auditctl local policy # -allow auditctl_t self:capability { audit_write audit_control }; -allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; -- ++allow auditctl_t self:capability { fsetid dac_read_search dac_override }; + read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; - -@@ -91,6 +102,7 @@ +@@ -91,6 +104,7 @@ locallogin_dontaudit_use_fds(auditctl_t) @@ -9139,7 +9397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(auditctl_t) ifdef(`targeted_policy',` -@@ -103,12 +115,11 @@ +@@ -103,12 +117,11 @@ # Auditd local policy # @@ -9153,7 +9411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin allow auditd_t self:fifo_file rw_file_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; -@@ -146,6 +157,7 @@ +@@ -146,6 +159,7 @@ init_telinit(auditd_t) 
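Review bot: The new `allow auditctl_t self:capability { fsetid dac_read_search dac_override };` grants more than the configuration reading the surrounding rules show: `dac_override` already subsumes `dac_read_search` and bypasses DAC on any file the domain can otherwise reach, and `fsetid` has no visible consumer in this block. If the denials were reads of root-owned files under the auditd_etc_t label, `dac_read_search` alone covers them; each of the other two capabilities should either be dropped or carry a one-line justification, e.g. `# dac_read_search: audit rules are root-only readable — TODO confirm`. Inferred, not visible here: the `audit_write audit_control` and netlink_audit_socket rules appear as outer context, so their removal belongs to an earlier revision of this patch and is not re-raised. The auditctl_t block continues past the end of this hunk.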
@@ -9161,7 +9419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(auditd_t) libs_use_ld_so(auditd_t) -@@ -265,8 +277,14 @@ +@@ -265,8 +279,14 @@ allow syslogd_t devlog_t:sock_file manage_sock_file_perms; files_pid_filetrans(syslogd_t,devlog_t,sock_file) @@ -9176,7 +9434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -331,6 +349,7 @@ +@@ -331,6 +351,7 @@ domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) @@ -9386,7 +9644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-07-13 13:11:47.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-07-31 13:48:21.000000000 -0400 @@ -9,6 +9,13 @@ ifdef(`targeted_policy',` ## @@ -9459,7 +9717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ') -@@ -204,4 +225,58 @@ +@@ -204,4 +225,65 @@ ifdef(`targeted_policy',` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -9473,7 +9731,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +# +# mount_ntfs local policy +# -+allow mount_ntfs_t self:capability { setuid sys_admin }; ++mount_ntfs_domtrans(mount_t) ++ ++allow mount_ntfs_t self:capability { dac_override setuid sys_admin }; +allow mount_ntfs_t self:fifo_file { read write }; +allow mount_ntfs_t self:unix_stream_socket create_stream_socket_perms; +allow mount_ntfs_t self:unix_dgram_socket { connect create }; 
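Review bot: Adding `dac_override` in `allow mount_ntfs_t self:capability { dac_override setuid sys_admin };` widens a domain that already holds `sys_admin` and, per the context lines of the `@@ -9499,7 +9764,7 @@` hunk, raw read/write on fixed disks; if the denial was only traversing directories mount_ntfs does not own, `dac_read_search` is the narrower capability, and the `files_search_all(mount_ntfs_t)` added in the `@@ -9482,6 +9742,11 @@` hunk may already remove the need for it. Separately, this hunk adds `mount_ntfs_domtrans(mount_t)` while the `@@ -9499,7 +9764,7 @@` hunk replaces that same line with `mount_domtrans(mount_ntfs_t)`, so mount_t and mount_ntfs_t now transition into each other; a comment explaining the round trip, e.g. `# mount(8) hands NTFS off to mount.ntfs, which presumably re-invokes mount(8) — TODO confirm`, would make the intent reviewable and keep one direction from being "fixed" away later. The mount_ntfs_t local-policy block extends beyond these hunks.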
@@ -9482,6 +9742,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +corecmd_exec_shell(mount_ntfs_t) + +files_read_etc_files(mount_ntfs_t) ++files_search_all(mount_ntfs_t) ++files_mounton_non_security_dir(mount_ntfs_t) ++ ++fs_mount_fusefs(mount_ntfs_t) ++fs_unmount_fusefs(mount_ntfs_t) + +libs_use_ld_so(mount_ntfs_t) +libs_use_shared_libs(mount_ntfs_t) @@ -9499,7 +9764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + +modutils_domtrans_insmod(mount_ntfs_t) + -+mount_ntfs_domtrans(mount_t) ++mount_domtrans(mount_ntfs_t) + +storage_raw_read_fixed_disk(mount_ntfs_t) +storage_raw_write_fixed_disk(mount_ntfs_t) @@ -9534,7 +9799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlab libs_use_ld_so(netlabel_mgmt_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.6.4/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/raid.te 2007-07-13 13:11:47.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/raid.te 2007-07-31 09:57:06.000000000 -0400 @@ -19,7 +19,7 @@ # Local policy # @@ -9552,6 +9817,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t term_dontaudit_list_ptys(mdadm_t) +@@ -69,6 +70,7 @@ + + userdom_dontaudit_use_unpriv_user_fds(mdadm_t) + userdom_dontaudit_use_sysadm_ttys(mdadm_t) ++userdom_dontaudit_search_all_users_home_content(mdadm_t) + + mta_send_mail(mdadm_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.6.4/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-07 14:51:02.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.fc 2007-07-13 13:11:47.000000000 -0400 
@@ -10179,7 +10452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf init_dbus_chat_script(unconfined_execmem_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.6.4/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/userdomain.if 2007-07-13 13:11:47.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/userdomain.if 2007-07-28 11:08:16.000000000 -0400 @@ -114,6 +114,22 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; @@ -10275,6 +10548,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) +@@ -1028,7 +1071,7 @@ + # and may change other protocols + tunable_policy(`user_tcp_server',` + corenet_tcp_bind_all_nodes($1_t) +- corenet_tcp_bind_generic_port($1_t) ++ corenet_tcp_bind_all_unreserved_ports($1_t) + ') + + optional_policy(` @@ -1059,10 +1102,6 @@ dontaudit xdm_t $1_home_t:file rw_file_perms; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 2ae4c52..4581735 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 29%{?dist} +Release: 30%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -361,8 +361,12 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Mon Jul 23 2007 Dan Walsh 2.6.4-30 +- Fix prelink to handle execmod +- Allow mount_ntfs to search file_type:dir + * Mon Jul 23 2007 Dan Walsh 2.6.4-29 -- +- Multiple fixes * Fri Jul 13 2007 Dan Walsh 2.6.4-28 - Additional rules for openvpn reading homedirs
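Review bot: Swapping `corenet_tcp_bind_generic_port($1_t)` for `corenet_tcp_bind_all_unreserved_ports($1_t)` inside the `user_tcp_server` tunable is a larger widening than the one-line inner hunk suggests: the old interface covers only ports left with the generic port label, whereas the new one, if I recall the refpolicy definition correctly, covers every port type outside reserved_port_type, including the service-specific labels assigned to ports above 1024. If that is intended, the tunable's description (defined outside this hunk) should say that user domains may then bind to labelled service ports, and the line should carry a comment such as `# binds any non-reserved port type, not just port_t; see user_tcp_server description`. Please confirm against corenet.if for this refpolicy version; if only a few specific ports were needed, per-port interfaces would keep the tunable's scope as documented. The enclosing template body continues outside the hunk.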