From 2da39d317ff50a3844019639f626ee260003530e Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 09 2007 20:56:30 +0000 Subject: - Allow rsync to backup all files on a system via a boolean --- diff --git a/policy-20070501.patch b/policy-20070501.patch index a9a792f..84fd4b2 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -186,21 +186,87 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te logging_log_file(acct_data_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-2.6.4/policy/modules/admin/alsa.fc --- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-05-07 14:51:05.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/admin/alsa.fc 2007-10-02 11:59:34.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/admin/alsa.fc 2007-10-09 16:20:44.000000000 -0400 
@@ -1,4 +1,9 @@ /etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -+/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) ++/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) +/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) +/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-2.6.4/policy/modules/admin/alsa.if +--- nsaserefpolicy/policy/modules/admin/alsa.if 2007-05-07 14:51:04.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/admin/alsa.if 2007-10-09 16:21:00.000000000 -0400 +@@ -74,3 +74,39 @@ + read_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t) + read_lnk_files_pattern($1,alsa_etc_rw_t,alsa_etc_rw_t) + ') ++ ++######################################## ++## ++## search alsa lib config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`alsa_search_lib',` ++ gen_require(` ++ type alsa_var_lib_t; ++ ') ++ ++ allow $1 alsa_var_lib_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Read alsa lib config files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`alsa_read_lib',` ++ gen_require(` ++ type alsa_var_lib_t; ++ ') ++ ++ read_files_pattern($1,alsa_var_lib_t,alsa_var_lib_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-2.6.4/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2007-05-07 14:51:05.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/admin/alsa.te 2007-08-07 09:42:34.000000000 -0400 -@@ -20,20 +20,24 @@ ++++ serefpolicy-2.6.4/policy/modules/admin/alsa.te 2007-10-09 16:22:07.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(alsa,1.1.0) ++policy_module(alsa,1.1.1) + + ######################################## + # +@@ -8,32 +8,44 @@ + + type alsa_t; + type alsa_exec_t; +-domain_type(alsa_t) +-domain_entry_file(alsa_t, alsa_exec_t) ++init_system_domain(alsa_t, alsa_exec_t) + role system_r types alsa_t; + + type alsa_etc_rw_t; + files_type(alsa_etc_rw_t) + ++type alsa_var_lib_t; ++files_type(alsa_var_lib_t) ++ + ######################################## + # # Local policy # @@ -219,20 +285,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t) manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t) ++files_search_var_lib(alsa_t) ++manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t) ++manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t) ++ +files_search_home(alsa_t) files_read_etc_files(alsa_t) -term_use_generic_ptys(alsa_t) -term_dontaudit_use_unallocated_ttys(alsa_t) ++init_dontaudit_use_fds(alsa_t) ++ +kernel_read_system_state(alsa_t) libs_use_ld_so(alsa_t) libs_use_shared_libs(alsa_t) -@@ -44,7 +48,17 @@ +@@ -44,7 +56,17 @@ userdom_manage_unpriv_user_semaphores(alsa_t) userdom_manage_unpriv_user_shared_mem(alsa_t) +userdom_search_generic_user_home_dirs(alsa_t) ++userdom_dontaudit_search_sysadm_home_dirs(alsa_t) + +term_use_generic_ptys(alsa_t) +term_dontaudit_use_unallocated_ttys(alsa_t) 
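Review bot: `type alsa_var_lib_t; files_type(alsa_var_lib_t)` is declared in alsa.te here and given manage_dirs/manage_files rules for alsa_t in the next outer hunk (`@@ -219,20 +285,27 @@`), but no file context that assigns alsa_var_lib_t appears in the alsa.fc hunk, which only touches /etc/alsa, /etc/asound and /sbin entries; if nothing elsewhere in alsa.fc labels it, the type is never applied on disk and the new rules are inert. If the state directory alsactl writes under /var/lib is the intended target, an entry such as `/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)` (constructed example; confirm the real path) belongs in alsa.fc. The inner alsa.fc hunk is `@@ -1,4 +1,9 @@` and two of its nine new-side lines are not visible in this outer hunk, so they may already carry such an entry.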
@@ -245,7 +318,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te + hal_use_fds(alsa_t) + hal_write_log(alsa_t) +') -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-2.6.4/policy/modules/admin/amanda.if --- nsaserefpolicy/policy/modules/admin/amanda.if 2007-05-07 14:51:04.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/admin/amanda.if 2007-09-11 09:15:10.000000000 -0400 @@ -5268,7 +5340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.6.4/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-08-14 08:16:15.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-10-09 10:28:10.000000000 -0400 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -5372,7 +5444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -190,12 +195,54 @@ +@@ -190,12 +195,58 @@ seutil_dontaudit_search_config(dovecot_auth_t) @@ -5389,6 +5461,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +') + +optional_policy(` ++ nis_authenticate(dovecot_auth_t) ++') ++ ++optional_policy(` + postfix_create_pivate_sockets(dovecot_auth_t) + postfix_search_spool(dovecot_auth_t) +') @@ -5434,7 +5510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-10-05 09:28:27.000000000 -0400 
@@ -0,0 +1,16 @@ -+# $Id: policy-20070501.patch,v 1.63 2007/10/06 13:01:10 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.64 2007/10/09 20:56:30 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -5615,7 +5691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-05 09:28:22.000000000 -0400 @@ -0,0 +1,229 @@ -+# $Id: policy-20070501.patch,v 1.63 2007/10/06 13:01:10 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.64 2007/10/09 20:56:30 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -6947,7 +7023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.6.4/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/nis.if 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/nis.if 2007-10-09 10:27:32.000000000 -0400 @@ -48,8 +48,8 @@ corenet_udp_bind_all_nodes($1) corenet_tcp_bind_generic_port($1) 
@@ -6959,6 +7035,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_ports($1) corenet_dontaudit_udp_bind_all_ports($1) corenet_tcp_connect_portmap_port($1) +@@ -243,3 +243,24 @@ + corecmd_search_bin($1) + domtrans_pattern($1,ypxfr_exec_t,ypxfr_t) + ') ++ ++######################################## ++## ++## Use the ypbind service to access NIS services. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++# ++interface(`nis_authenticate',` ++ tunable_policy(`allow_ypbind',` ++ nis_use_ypbind_uncond($1) ++ # Needs to bind to a port < 1024 ++ allow $1 self:capability net_bind_service; ++ corenet_tcp_bind_all_rpc_ports($1) ++ corenet_udp_bind_all_rpc_ports($1) ++ ') ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.6.4/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2007-05-07 14:50:57.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/nis.te 2007-10-01 16:16:04.000000000 -0400 @@ -7319,8 +7420,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-2.6.4/policy/modules/services/openvpn.fc --- nsaserefpolicy/policy/modules/services/openvpn.fc 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/openvpn.fc 2007-08-07 09:42:35.000000000 -0400 -@@ -11,5 +11,5 @@ ++++ serefpolicy-2.6.4/policy/modules/services/openvpn.fc 2007-10-09 16:13:12.000000000 -0400 +@@ -11,5 +11,6 @@ # # /var # 
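Review bot: The new `nis_authenticate` interface is summarised as "Use the ypbind service to access NIS services", but besides `nis_use_ypbind_uncond($1)` it also grants `allow $1 self:capability net_bind_service;` and `corenet_tcp_bind_all_rpc_ports($1)` / `corenet_udp_bind_all_rpc_ports($1)` under the `allow_ypbind` tunable, and the summary should say so. The same commit calls it from dovecot.te (`@@ -5389,6 +5461,10 @@`) and from an authlogin.if interface (`@@ -10395,15 +10571,24 @@`) whose opening lies outside that hunk, so every domain built on that interface inherits the reserved-port bind rights. Suggested summary: `## Use the ypbind service to access NIS services. When allow_ypbind is on this also grants net_bind_service and binding to all RPC ports.` The inline `# Needs to bind to a port < 1024` would be more useful if it named which operation requires the reserved port.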
@@ -7328,6 +7429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open -/var/run/openvpn.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0) +/var/log/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_log_t,s0) +/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) ++/var/log/openvpn.*\.log -- gen_context(system_u:object_r:openvpn_var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-2.6.4/policy/modules/services/openvpn.if --- nsaserefpolicy/policy/modules/services/openvpn.if 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/openvpn.if 2007-08-07 09:42:35.000000000 -0400 @@ -8528,8 +8630,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.6.4/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/rsync.te 2007-08-07 09:42:35.000000000 -0400 -@@ -17,6 +17,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/rsync.te 2007-10-08 11:45:53.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(rsync,1.4.0) ++policy_module(rsync,1.5.0) + + ######################################## + # +@@ -8,6 +8,13 @@ + + ## + ##

++## Allow rsync export files read only ++##

++##
++gen_tunable(rsync_export_all_ro,false) ++ ++## ++##

+ ## Allow rsync to modify public files + ## used for public file transfer services. + ##

+@@ -17,6 +24,7 @@ type rsync_t; type rsync_exec_t; init_daemon_domain(rsync_t,rsync_exec_t) @@ -8537,6 +8660,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn role system_r types rsync_t; type rsync_data_t; +@@ -57,11 +65,14 @@ + manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t) + files_pid_filetrans(rsync_t,rsync_var_run_t,file) + ++auth_use_nsswitch(rsync_t) ++ + kernel_read_kernel_sysctls(rsync_t) + kernel_read_system_state(rsync_t) + kernel_read_network_state(rsync_t) + +-corenet_non_ipsec_sendrecv(rsync_t) ++corenet_all_recvfrom_unlabeled(rsync_t) ++corenet_all_recvfrom_netlabel(rsync_t) + corenet_tcp_sendrecv_all_if(rsync_t) + corenet_udp_sendrecv_all_if(rsync_t) + corenet_tcp_sendrecv_all_nodes(rsync_t) +@@ -88,8 +99,6 @@ + miscfiles_read_localization(rsync_t) + miscfiles_read_public_files(rsync_t) + +-sysnet_read_config(rsync_t) +- + tunable_policy(`allow_rsync_anon_write',` + miscfiles_manage_public_files(rsync_t) + ') +@@ -106,10 +115,8 @@ + inetd_service_domain(rsync_t,rsync_exec_t) + ') + +-optional_policy(` +- nis_use_ypbind(rsync_t) +-') +- +-optional_policy(` +- nscd_socket_use(rsync_t) ++tunable_policy(`rsync_export_all_ro',` ++ allow rsync_t self:capability dac_override; ++ fs_read_noxattr_fs_files(rsync_t) ++ auth_read_all_files_except_shadow(rsync_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho.if serefpolicy-2.6.4/policy/modules/services/rwho.if --- nsaserefpolicy/policy/modules/services/rwho.if 2007-05-07 14:50:57.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/rwho.if 2007-08-07 09:42:35.000000000 -0400 
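Review bot: The tunable description `## Allow rsync export files read only` (in the inner `@@ -8,6 +8,13 @@` hunk of rsync.te, which starts on an earlier line) understates what `rsync_export_all_ro` switches on: per the next outer hunk (`@@ -8537,6 +8660,46 @@`) it gives rsync_t `dac_override` together with `auth_read_all_files_except_shadow` and `fs_read_noxattr_fs_files`. Administrators see this text when listing booleans, so it should state the scope, e.g. `## Allow rsync to export all files on the system read-only (every file type except shadow_t, bypassing DAC permission checks).` The wording is also ungrammatical as written.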
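Review bot: `allow rsync_t self:capability dac_override;` in the new `rsync_export_all_ro` block is broader than a read-only export needs: dac_override lifts DAC checks for writes as well, whereas dac_read_search only lifts read and directory-search checks, which is all that `auth_read_all_files_except_shadow(rsync_t)` and `fs_read_noxattr_fs_files(rsync_t)` can exercise. Consider `allow rsync_t self:capability dac_read_search;` instead, and if the kernel's DAC_OVERRIDE-first check then shows up as audit noise, pair it with `dontaudit rsync_t self:capability dac_override;`. The removed `nis_use_ypbind(rsync_t)` and `nscd_socket_use(rsync_t)` optional blocks are presumably covered by the `auth_use_nsswitch(rsync_t)` added in the inner `@@ -57,11 +65,14 @@` hunk; worth confirming against that interface so NIS/nscd lookups do not silently regress.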
@@ -8893,7 +9056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-10-01 16:01:17.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-10-09 10:45:19.000000000 -0400 @@ -16,6 +16,14 @@ ## @@ -9216,11 +9379,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +allow swat_t nmbd_port_t:udp_socket name_bind; +allow swat_t nmbd_t:process { signal signull }; +allow swat_t nmbd_var_run_t:file { lock read unlink }; - --rw_files_pattern(swat_t,samba_etc_t,samba_etc_t) ++ +init_read_utmp(swat_t) +init_dontaudit_write_utmp(swat_t) -+ + +-rw_files_pattern(swat_t,samba_etc_t,samba_etc_t) +manage_dirs_pattern(swat_t,samba_log_t,samba_log_t) +create_files_pattern(swat_t,samba_log_t,samba_log_t) + 
@@ -9360,26 +9523,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(winbind_t) ') -@@ -736,6 +810,7 @@ +@@ -736,8 +810,11 @@ read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t) read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t) +files_list_var_lib(winbind_helper_t) allow winbind_helper_t samba_var_t:dir search; ++auth_use_nsswitch(winbind_helper_t) ++ stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t) -@@ -763,4 +838,66 @@ + + term_list_ptys(winbind_helper_t) +@@ -757,10 +834,68 @@ + ') + optional_policy(` - squid_read_log(winbind_helper_t) - squid_append_log(winbind_helper_t) +- nscd_socket_use(winbind_helper_t) ++ squid_read_log(winbind_helper_t) ++ squid_append_log(winbind_helper_t) + squid_rw_stream_sockets(winbind_helper_t) -+') -+ + ') + +######################################## +# +# samba_unconfined_script_t local policy +# -+optional_policy(` + optional_policy(` +- squid_read_log(winbind_helper_t) +- squid_append_log(winbind_helper_t) + type samba_unconfined_script_t; + domain_type(samba_unconfined_script_t) + role system_r types samba_unconfined_script_t; @@ -10080,8 +10252,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs. dev_read_sysfs(xfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-2.6.4/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/xserver.fc 2007-10-02 11:51:15.000000000 -0400 -@@ -92,7 +92,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/xserver.fc 2007-10-08 13:26:18.000000000 -0400 +@@ -92,10 +92,11 @@ /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) 
@@ -10090,6 +10262,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) + + /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) + /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-08-07 09:42:35.000000000 -0400 @@ -10284,7 +10460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.6.4/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/authlogin.if 2007-10-01 16:38:06.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/authlogin.if 2007-10-09 10:29:42.000000000 -0400 @@ -27,11 +27,9 @@ domain_type($1_chkpwd_t) domain_entry_file($1_chkpwd_t,chkpwd_exec_t) 
@@ -10395,15 +10571,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo init_rw_utmp($1) logging_send_syslog_msg($1) -@@ -221,6 +229,7 @@ +@@ -221,6 +229,16 @@ seutil_read_config($1) seutil_read_default_contexts($1) ++ userdom_set_rlimitnh($1) ++ ++ optional_policy(` ++ nis_authenticate($1) ++ ') ++ ++ optional_policy(` ++ unconfined_set_rlimitnh($1) ++ ') + tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') -@@ -320,10 +329,6 @@ +@@ -320,10 +338,6 @@ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ') @@ -10414,7 +10599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo corecmd_search_bin($1) domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) -@@ -332,6 +337,8 @@ +@@ -332,6 +346,8 @@ dev_read_rand($1) dev_read_urand($1) @@ -10423,7 +10608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo miscfiles_read_certs($1) sysnet_dns_name_resolve($1) -@@ -357,6 +364,37 @@ +@@ -357,6 +373,37 @@ ######################################## ## @@ -10461,7 +10646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -1357,6 +1395,8 @@ +@@ -1357,6 +1404,8 @@ optional_policy(` samba_stream_connect_winbind($1) @@ -10470,7 +10655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1391,3 +1431,114 @@ +@@ -1391,3 +1440,114 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') 
@@ -10819,14 +11004,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-2.6.4/policy/modules/system/fstools.if --- nsaserefpolicy/policy/modules/system/fstools.if 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/fstools.if 2007-08-07 09:42:35.000000000 -0400 -@@ -124,3 +124,22 @@ ++++ serefpolicy-2.6.4/policy/modules/system/fstools.if 2007-10-08 17:26:44.000000000 -0400 +@@ -124,3 +124,40 @@ allow $1 swapfile_t:file getattr; ') + +######################################## +## ++## Read swapfile ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`fstools_read_swap_files',` ++ gen_require(` ++ type swapfile_t; ++ ') ++ ++ allow $1 swapfile_t:file r_file_perms; ++') ++ ++######################################## ++## +## Read fstools unnamed pipes. +## +## @@ -12134,7 +12337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-09-13 12:47:13.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-10-08 17:27:32.000000000 -0400 @@ -9,6 +9,13 @@ ifdef(`targeted_policy',` ## @@ -12162,7 +12365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. type mount_loopback_t; # customizable files_type(mount_loopback_t) -@@ -38,14 +49,15 @@ +@@ -38,21 +49,26 @@ # # setuid/setgid needed to mount cifs 
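Review bot: The new `fstools_read_swap_files` interface is summarised only as `## Read swapfile`; because swap files hold paged-out process memory, read access to swapfile_t is a sensitive grant and the summary should make that explicit, e.g. `## Read swap files (swapfile_t). Swap contents can include paged-out process memory; grant only to domains that must inspect them.` The only caller this commit adds is `fstools_read_swap_files(mount_t)` in mount.te (`@@ -12180,7 +12383,9 @@`), with no comment on why mount needs it; a one-line `# mount_t reads swap files for <reason>` (reason to be filled in) at that call would record the justification.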
@@ -12180,7 +12383,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) -@@ -53,6 +65,8 @@ + ++fstools_read_swap_files(mount_t) ++ kernel_read_system_state(mount_t) kernel_read_kernel_sysctls(mount_t) kernel_dontaudit_getattr_core_if(mount_t) @@ -12189,7 +12394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) -@@ -65,6 +79,7 @@ +@@ -65,6 +81,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -12197,7 +12402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. fs_getattr_xattr_fs(mount_t) fs_getattr_cifs(mount_t) -@@ -103,6 +118,8 @@ +@@ -103,6 +120,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -12206,7 +12411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. libs_use_ld_so(mount_t) libs_use_shared_libs(mount_t) -@@ -130,10 +147,15 @@ +@@ -130,10 +149,15 @@ ') ifdef(`targeted_policy',` @@ -12223,7 +12428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ') -@@ -162,13 +184,8 @@ +@@ -162,13 +186,8 @@ fs_search_rpc(mount_t) @@ -12237,7 +12442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -192,9 +209,6 @@ +@@ -192,9 +211,6 @@ samba_domtrans_smbmount(mount_t) ') @@ -12247,7 +12452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ######################################## # -@@ -204,4 +218,30 @@ +@@ -204,4 +220,30 @@ ifdef(`targeted_policy',` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) 
@@ -12255,7 +12460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + hal_dbus_chat(unconfined_mount_t) + ') + -+') + ') + +######################################## +# @@ -12276,7 +12481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + hal_write_log(mount_t) + hal_use_fds(mount_t) + hal_rw_pipes(mount_t) - ') ++') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-2.6.4/policy/modules/system/netlabel.te --- nsaserefpolicy/policy/modules/system/netlabel.te 2007-05-07 14:51:02.000000000 -0400