From 2ffff7cb7272e621359423a689db631aeb8f0b4a Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 10 2010 22:13:08 +0000 Subject: - Make Chrome work with staff user --- diff --git a/policy-F13.patch b/policy-F13.patch index bf460c6..6f7e206 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1119,7 +1119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.8/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/rpm.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/rpm.te 2010-02-09 08:59:57.000000000 -0500 @@ -15,6 +15,9 @@ domain_interactive_fd(rpm_t) role system_r types rpm_t; @@ -1226,24 +1226,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -174,44 +202,41 @@ +@@ -174,7 +202,19 @@ ') optional_policy(` +- hal_dbus_chat(rpm_t) ++ dbus_system_domain(rpm_t, rpm_exec_t) ++ ++ optional_policy(` ++ hal_dbus_chat(rpm_t) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat(rpm_t) ++ ') ++ + optional_policy(` - hal_dbus_chat(rpm_t) ++ dbus_system_domain(rpm_t, debuginfo_exec_t) ++ ') ') optional_policy(` -- prelink_domtrans(rpm_t) -+ networkmanager_dbus_chat(rpm_t) +@@ -182,36 +222,19 @@ ') optional_policy(` - unconfined_domain(rpm_t) -- # yum-updatesd requires this -- unconfined_dbus_chat(rpm_t) -+ dbus_system_domain(rpm_t, rpm_exec_t) ++ unconfined_domain_noaudit(rpm_t) + # yum-updatesd requires this + unconfined_dbus_chat(rpm_t) ++ unconfined_dbus_chat(rpm_script_t) ') -ifdef(`TODO',` 
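Review bot: `unconfined_dbus_chat(rpm_script_t)` is added to the optional_policy block that otherwise holds rpm_t rules, ahead of the `rpm-script Local policy` banner that the next hunk shows still follows it; rules for rpm_script_t are easier to audit if they live under that banner in their own optional_policy block. The replacement of `unconfined_domain(rpm_t)` by `unconfined_domain_noaudit(rpm_t)` is also not explained by the commit title, so a comment above it naming the denials it is meant to silence would help the next reader. The enclosing run of optional_policy blocks begins before this hunk.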
@@ -1256,25 +1268,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te -allow rpm_t fs_type:dir { setattr rw_dir_perms }; - -allow rpm_t mount_t:tcp_socket write; -+ optional_policy(` -+ dbus_system_domain(rpm_t, debuginfo_exec_t) -+ ') -+') - +- -allow rpm_t rpc_pipefs_t:dir search; -+optional_policy(` -+ prelink_domtrans(rpm_t) -+') - - optional_policy(` +- +-optional_policy(` -allow rpm_t sysadm_gph_t:fd use; -+ unconfined_domain_noaudit(rpm_t) -+ # yum-updatesd requires this -+ unconfined_dbus_chat(rpm_t) -+ unconfined_dbus_chat(rpm_script_t) - ') +-') -') dnl endif TODO - +- ######################################## # # rpm-script Local policy @@ -1287,7 +1288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -222,12 +247,15 @@ +@@ -222,12 +245,15 @@ allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; @@ -1303,7 +1304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -239,6 +267,9 @@ +@@ -239,6 +265,9 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) @@ -1313,7 +1314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te dev_list_sysfs(rpm_script_t) -@@ -254,7 +285,9 @@ +@@ -254,7 +283,9 @@ fs_getattr_xattr_fs(rpm_script_t) fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) 
@@ -1323,7 +1324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te mcs_killall(rpm_script_t) mcs_ptrace_all(rpm_script_t) -@@ -272,14 +305,19 @@ +@@ -272,14 +303,19 @@ storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) @@ -1343,7 +1344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -291,8 +329,10 @@ +@@ -291,8 +327,10 @@ files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) files_exec_usr_files(rpm_script_t) @@ -1354,7 +1355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te libs_exec_ld_so(rpm_script_t) libs_exec_lib_files(rpm_script_t) -@@ -308,12 +348,15 @@ +@@ -308,12 +346,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1370,7 +1371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') ') -@@ -326,13 +369,22 @@ +@@ -326,13 +367,22 @@ ') optional_policy(` @@ -1994,7 +1995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.8/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/chrome.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/chrome.te 2010-02-09 10:40:33.000000000 -0500 @@ -0,0 +1,82 @@ +policy_module(chrome,1.0.0) + 
@@ -2019,8 +2020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t +# +# chrome_sandbox local policy +# -+allow chrome_sandbox_t self:capability { setuid sys_admin dac_override sys_chroot chown fsetid setgid }; -+dontaudit chrome_sandbox_t self:capability { sys_ptrace }; ++allow chrome_sandbox_t self:capability { setuid sys_admin sys_ptrace dac_override sys_chroot chown fsetid setgid }; +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; +allow chrome_sandbox_t self:fifo_file manage_file_perms; +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; @@ -2065,6 +2065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t + +optional_policy(` + xserver_use_user_fonts(chrome_sandbox_t) ++ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t) +') + +tunable_policy(`use_nfs_home_dirs',` @@ -2139,8 +2140,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.8/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/execmem.if 2010-02-02 10:31:03.000000000 -0500 -@@ -0,0 +1,103 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/execmem.if 2010-02-10 12:27:20.000000000 -0500 +@@ -0,0 +1,108 @@ +## execmem domain + +######################################## @@ -2217,6 +2218,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + ') + + optional_policy(` ++ nsplugin_rw_shm($1_execmem_t) ++ nsplugin_rw_semaphores($1_execmem_t) ++ ') ++ ++ optional_policy(` + xserver_role($2, $1_execmem_t) + ') +') 
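Review bot: The rewritten capability rule grants `sys_ptrace` to chrome_sandbox_t outright, where the line it replaces only dontaudited it, and neither the hunk nor the commit title says why the sandbox needs to trace processes. CAP_SYS_PTRACE lifts the DAC restriction on tracing processes the sandbox does not own (the SELinux `process:ptrace` check still applies), so for the domain meant to contain the renderer a justification belongs next to the rule, e.g. `# sys_ptrace: needed for <reason — TODO confirm>`; if the dontaudit was only hiding noise, it is worth checking whether the allow is really required. The later hunk's `xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)` makes the sandbox a full X client domain as well, which likewise deserves a one-line comment on whether the sandbox, rather than the outer chrome domain, needs it. The chrome_sandbox local policy block continues past both hunks.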
@@ -2935,7 +2941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.8/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/java.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/java.if 2010-02-09 10:04:27.000000000 -0500 @@ -30,6 +30,7 @@ allow java_t $2:unix_stream_socket connectto; @@ -3328,7 +3334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc +/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.8/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/mono.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/mono.if 2010-02-09 10:28:01.000000000 -0500 @@ -21,6 +21,105 @@ ######################################## @@ -3539,7 +3545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.8/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te 2010-02-09 10:11:18.000000000 -0500 @@ -91,6 +91,7 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) 
@@ -3614,8 +3620,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.8/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.if 2010-02-02 10:31:03.000000000 -0500 -@@ -0,0 +1,321 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.if 2010-02-10 12:26:47.000000000 -0500 +@@ -0,0 +1,358 @@ + +## policy for nsplugin + @@ -3937,6 +3943,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + + allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; +') ++ ++######################################## ++## ++## Read and write to nsplugin shared memory. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`nsplugin_rw_shm',` ++ gen_require(` ++ type nsplugin_t; ++ ') ++ ++ allow $1 nsplugin_t:shm rw_shm_perms; ++') ++ ++##################################### ++## ++## Allow read and write access to nsplugin semaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_rw_semaphores',` ++ gen_require(` ++ type nsplugin_t; ++ ') ++ ++ allow $1 nsplugin_t:sem rw_sem_perms; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.8/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.te 2010-02-02 10:31:03.000000000 -0500 
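Review bot: The two new interfaces describe the same `$1` parameter differently — `nsplugin_rw_shm` says `The type of the process performing this action.` while `nsplugin_rw_semaphores` says `Domain allowed access.` — and the banner ruler above `nsplugin_rw_semaphores` is shorter than the one above `nsplugin_rw_shm`. Use the same wording and the same ruler for both; `Domain allowed access.` is the phrasing refpolicy interfaces normally use. The summaries could also be made parallel: `Read and write nsplugin shared memory segments.` and `Read and write nsplugin semaphores.`. Both interfaces require only `type nsplugin_t`, which matches what they grant.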
@@ -4425,7 +4468,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.8/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/apps/pulseaudio.if 2010-02-10 12:27:45.000000000 -0500 +@@ -29,7 +29,7 @@ + ps_process_pattern($2, pulseaudio_t) + + allow pulseaudio_t $2:process { signal signull }; +- allow $2 pulseaudio_t:process { signal signull }; ++ allow $2 pulseaudio_t:process { signal signull sigkill }; + ps_process_pattern(pulseaudio_t, $2) + + allow pulseaudio_t $2:unix_stream_socket connectto; @@ -40,7 +40,7 @@ userdom_manage_tmpfs_role($1, pulseaudio_t) @@ -6433,7 +6485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/devices.if 2010-02-08 12:14:39.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/devices.if 2010-02-09 16:10:20.000000000 -0500 @@ -801,6 +801,24 @@ ######################################## 
@@ -7125,7 +7177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib/nfs/rpc_pipefs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-02-09 14:24:24.000000000 -0500 @@ -932,10 +932,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -8555,7 +8607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t +gen_user(guest_u, user, guest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.8/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/roles/staff.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/roles/staff.te 2010-02-09 10:07:37.000000000 -0500 @@ -10,161 +10,121 @@ userdom_unpriv_user_template(staff) 
@@ -8679,35 +8731,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t -optional_policy(` - razor_role(staff_r, staff_t) -') -+domain_read_all_domains_state(staff_t) -+domain_getattr_all_domains(staff_t) ++domain_read_all_domains_state(staff_usertype) ++domain_getattr_all_domains(staff_usertype) +domain_obj_id_change_exemption(staff_t) -optional_policy(` - rssh_role(staff_r, staff_t) -') -+files_read_kernel_modules(staff_t) ++files_read_kernel_modules(staff_usertype) -optional_policy(` - screen_role_template(staff, staff_r, staff_t) -') -+kernel_read_fs_sysctls(staff_t) ++kernel_read_fs_sysctls(staff_usertype) -optional_policy(` - secadm_role_change(staff_r) -') -+modutils_read_module_config(staff_t) -+modutils_read_module_deps(staff_t) ++modutils_read_module_config(staff_usertype) ++modutils_read_module_deps(staff_usertype) -optional_policy(` - spamassassin_role(staff_r, staff_t) -') -+miscfiles_read_hwdata(staff_t) ++miscfiles_read_hwdata(staff_usertype) -optional_policy(` - ssh_role_template(staff, staff_r, staff_t) -') -+term_use_unallocated_ttys(staff_t) ++term_use_unallocated_ttys(staff_usertype) optional_policy(` - su_role_template(staff, staff_r, staff_t) @@ -9760,7 +9812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.8/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/roles/unconfineduser.te 2010-02-10 13:39:29.000000000 -0500 @@ -0,0 +1,445 @@ +policy_module(unconfineduser, 1.0.0) + 
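Review bot: Moving `domain_read_all_domains_state`, `domain_getattr_all_domains`, `files_read_kernel_modules`, `kernel_read_fs_sysctls`, the two `modutils_read_module_*` calls, `miscfiles_read_hwdata` and `term_use_unallocated_ttys` from `staff_t` to `staff_usertype` grants them to every domain carrying that attribute — presumably including the application domains derived from staff, such as the chrome sandbox the title refers to — not just the staff login shell. Reading the state of all domains and using unallocated ttys from every staff app domain is a much wider grant than "make Chrome work", so either grant it to the one domain that needs it or add a comment above the block such as `# staff_usertype rather than staff_t: app domains derived from staff (e.g. chrome sandbox) need these too — TODO confirm which`. `domain_obj_id_change_exemption(staff_t)` is left on `staff_t` in the middle of the edited lines, which is easy to miss and could use a short note. The staff role block extends beyond this hunk.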
@@ -11464,7 +11516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.8/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/apache.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/apache.if 2010-02-09 16:01:34.000000000 -0500 @@ -13,21 +13,17 @@ # template(`apache_content_template',` @@ -12195,7 +12247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/apache.te 2010-02-05 12:03:18.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/apache.te 2010-02-09 15:52:27.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -12281,7 +12333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. -@@ -108,6 +145,29 @@ +@@ -108,6 +145,36 @@ ## gen_tunable(httpd_unified, false) @@ -12301,6 +12353,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + +## +##

++## Allow httpd to run gpg ++##

++##
++gen_tunable(httpd_use_gpg, false) ++ ++## ++##

+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t. +##

+##
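Review bot: The description of the new tunable reads only `Allow httpd to run gpg`, but the rule it controls — `gpg_domtrans(httpd_t)` in the later apache.te hunk — is gated on `httpd_enable_cgi && httpd_use_gpg`, so turning on `httpd_use_gpg` alone has no effect. Say so in the XML so an administrator does not flip one boolean and wonder why nothing changed: `## Allow httpd to run gpg (also requires httpd_enable_cgi).`. A word on what httpd is expected to use gpg for would make the `false` default easier to judge.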
@@ -12311,7 +12370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac attribute httpdcontent; attribute httpd_user_content_type; -@@ -140,6 +200,9 @@ +@@ -140,6 +207,9 @@ domain_entry_file(httpd_helper_t, httpd_helper_exec_t) role system_r types httpd_helper_t; @@ -12321,7 +12380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -180,6 +243,10 @@ +@@ -180,6 +250,10 @@ # setup the system domain for system CGI scripts apache_content_template(sys) @@ -12332,7 +12391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -187,28 +254,28 @@ +@@ -187,28 +261,28 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) @@ -12374,7 +12433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # for apache2 memory mapped files type httpd_var_lib_t; -@@ -230,7 +297,7 @@ +@@ -230,7 +304,7 @@ # Apache server local policy # @@ -12383,7 +12442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +316,7 @@ +@@ -249,6 +323,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) 
@@ -12391,7 +12450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -272,6 +340,7 @@ +@@ -272,6 +347,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -12399,7 +12458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -283,9 +352,9 @@ +@@ -283,9 +359,9 @@ allow httpd_t httpd_suexec_exec_t:file read_file_perms; @@ -12412,7 +12471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -301,9 +370,11 @@ +@@ -301,9 +377,11 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) @@ -12425,7 +12484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -312,18 +383,21 @@ +@@ -312,18 +390,21 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -12452,7 +12511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -335,15 +409,15 @@ +@@ -335,15 +416,15 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) 
@@ -12471,7 +12530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) -@@ -358,6 +432,10 @@ +@@ -358,6 +439,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -12482,7 +12541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_read_lib_files(httpd_t) -@@ -372,18 +450,33 @@ +@@ -372,18 +457,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -12520,7 +12579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -391,32 +484,71 @@ +@@ -391,32 +491,71 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -12597,7 +12656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -424,11 +556,23 @@ +@@ -424,11 +563,23 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -12621,7 +12680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -451,6 +595,21 @@ +@@ -451,6 +602,21 @@ ') optional_policy(` @@ -12643,7 +12702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac cron_system_entry(httpd_t, httpd_exec_t) ') -@@ -459,8 +618,18 @@ +@@ -459,8 +625,24 @@ ') optional_policy(` @@ -12660,11 +12719,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') + +optional_policy(` ++tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` ++ gpg_domtrans(httpd_t) ++') ++') ++ ++optional_policy(` + kerberos_keytab_template(httpd, httpd_t) ') optional_policy(` -@@ -468,22 +637,19 @@ +@@ -468,22 +650,19 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) 
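Review bot: The new optional_policy wrapper around the `httpd_enable_cgi && httpd_use_gpg` tunable_policy is not indented as rendered here: `++tunable_policy(` sits at column 0 while its body `++ gpg_domtrans(httpd_t)` is indented one level, and both closing `++')` lines are at column 0, whereas the surrounding refpolicy blocks nest each level by one tab. Unless the whitespace was lost in transit, re-indent so it reads optional_policy, then one tab before the tunable_policy line, two tabs before `gpg_domtrans(httpd_t)`, one tab before the inner `')`, and the outer `')` at column 0. The sequence of optional_policy blocks this sits in starts before and ends after the hunk.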
@@ -12690,7 +12755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -494,12 +660,23 @@ +@@ -494,12 +673,23 @@ ') optional_policy(` @@ -12714,7 +12779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -508,6 +685,7 @@ +@@ -508,6 +698,7 @@ ') optional_policy(` @@ -12722,7 +12787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +713,23 @@ +@@ -535,6 +726,23 @@ userdom_use_user_terminals(httpd_helper_t) @@ -12746,7 +12811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -564,20 +759,25 @@ +@@ -564,20 +772,25 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -12778,7 +12843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -595,23 +795,24 @@ +@@ -595,23 +808,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -12807,7 +12872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -624,6 +825,7 @@ +@@ -624,6 +838,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -12815,7 +12880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -631,22 +833,31 @@ +@@ -631,22 +846,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) 
@@ -12854,7 +12919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,16 +883,16 @@ +@@ -672,16 +896,16 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -12875,7 +12940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +910,24 @@ +@@ -699,12 +923,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -12902,7 +12967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +935,35 @@ +@@ -712,6 +948,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -12938,7 +13003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +976,10 @@ +@@ -724,6 +989,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -12949,7 +13014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -735,6 +991,8 @@ +@@ -735,6 +1004,8 @@ # httpd_rotatelogs local policy # @@ -12958,7 +13023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,11 +1012,88 @@ +@@ -754,11 +1025,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; 
@@ -12978,12 +13043,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) -+') + ') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_user_script_t) + userdom_read_user_home_content_files(httpd_suexec_t) - ') ++') + +tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',` + userdom_read_user_home_content_files(httpd_t) @@ -14279,7 +14344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog +/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.8/policy/modules/services/clogd.if --- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/clogd.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/clogd.if 2010-02-09 10:29:01.000000000 -0500 @@ -0,0 +1,98 @@ +## clogd - clustered mirror log server + @@ -15921,7 +15986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru snmp_stream_connect(cyrus_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.8/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/dbus.if 2010-02-08 12:17:04.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/dbus.if 2010-02-09 09:01:28.000000000 -0500 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; 
@@ -16012,10 +16077,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## for service (acquire_svc). ## ## -@@ -364,6 +372,16 @@ +@@ -364,6 +372,18 @@ dbus_system_bus_client($1) dbus_connect_system_bus($1) ++ ps_process_pattern(system_dbusd_t, $1) ++ + userdom_dontaudit_search_admin_dir($1) + + optional_policy(` @@ -16029,7 +16096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ifdef(`hide_broken_symptoms', ` dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') -@@ -405,3 +423,24 @@ +@@ -405,3 +425,24 @@ typeattribute $1 dbusd_unconfined; ') @@ -16585,6 +16652,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp ## Set the attributes of the DCHP ## server state files. ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.8/policy/modules/services/djbdns.if +--- nsaserefpolicy/policy/modules/services/djbdns.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.8/policy/modules/services/djbdns.if 2010-02-10 13:04:18.000000000 -0500 +@@ -26,6 +26,8 @@ + daemontools_read_svc(djbdns_$1_t) + + allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot }; ++ allow djbdns_$1_t self:process signal; ++ allow djbdns_$1_t self:fifo_file rw_fifo_file_perms; + allow djbdns_$1_t self:tcp_socket create_stream_socket_perms; + allow djbdns_$1_t self:udp_socket create_socket_perms; + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc --- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc 2010-02-02 10:31:03.000000000 -0500 
@@ -17221,7 +17300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.8/policy/modules/services/git.fc --- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/git.fc 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/git.fc 2010-02-10 13:25:49.000000000 -0500 @@ -1,3 +1,16 @@ -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) @@ -19239,8 +19318,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq mysql_write_log(mysqld_safe_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.8/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nagios.fc 2010-02-02 10:31:03.000000000 -0500 -@@ -1,16 +1,85 @@ ++++ serefpolicy-3.7.8/policy/modules/services/nagios.fc 2010-02-09 10:17:49.000000000 -0500 +@@ -1,16 +1,87 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) 
@@ -19271,6 +19350,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + ++# admin plugins ++/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) ++ +# check disk plugins +/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) @@ -19286,7 +19368,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) 
@@ -19493,7 +19574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.8/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nagios.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nagios.te 2010-02-09 10:17:49.000000000 -0500 @@ -6,17 +6,23 @@ # Declarations # @@ -19532,13 +19613,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -33,6 +42,33 @@ +@@ -33,6 +42,38 @@ type nrpe_etc_t; files_config_file(nrpe_etc_t) +type nrpe_var_run_t; +files_pid_file(nrpe_var_run_t) + ++# creates nagios_admin_plugin_exec_t for executable ++# and nagios_admin_plugin_t for domain ++nagios_plugin_template(admin) ++ +# creates nagios_checkdisk_plugin_exec_t for executable +# and nagios_checkdisk_plugin_t for domain +nagios_plugin_template(checkdisk) @@ -19559,6 +19644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + unconfined_domain(nagios_unconfined_plugin_t) +') + ++permissive nagios_admin_plugin_t; +permissive nagios_checkdisk_plugin_t; +permissive nagios_services_plugin_t; +permissive nagios_system_plugin_t; @@ -19566,7 +19652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ######################################## # # Nagios local policy -@@ -45,6 +81,9 @@ +@@ -45,6 +86,9 @@ allow nagios_t self:tcp_socket create_stream_socket_perms; allow nagios_t self:udp_socket create_socket_perms; 
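Review bot: `permissive nagios_admin_plugin_t;` ships the new admin-plugin domain in permissive mode with no comment on when it is meant to be enforced. In permissive mode denials are only logged, so the capabilities this domain receives in the local-policy hunk further down (setuid, setgid, dac_override) are not the real limit of what the plugin can do; a bug in check_mailq runs effectively unconfined until the line is removed. Please add a tracking comment alongside the other permissive lines, e.g. `# TODO: new plugin domains; drop permissive once AVC denials have been collected`, so the block is not forgotten when the other plugin domains are switched to enforcing.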
@@ -19576,7 +19662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) allow nagios_t nagios_etc_t:dir list_dir_perms; -@@ -60,6 +99,8 @@ +@@ -60,6 +104,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) @@ -19585,7 +19671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) -@@ -76,6 +117,9 @@ +@@ -76,6 +122,9 @@ corenet_udp_sendrecv_all_ports(nagios_t) corenet_tcp_connect_all_ports(nagios_t) @@ -19595,7 +19681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi dev_read_sysfs(nagios_t) dev_read_urand(nagios_t) -@@ -86,6 +130,7 @@ +@@ -86,6 +135,7 @@ files_read_etc_files(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -19603,7 +19689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi fs_getattr_all_fs(nagios_t) fs_search_auto_mountpoints(nagios_t) -@@ -118,61 +163,63 @@ +@@ -118,61 +168,63 @@ udev_read_db(nagios_t) ') 
@@ -19625,45 +19711,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi - -read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -+allow httpd_nagios_script_t self:process signal_perms; - +- -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++allow httpd_nagios_script_t self:process signal_perms; -allow nagios_cgi_t nagios_log_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) ++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) + +-kernel_read_system_state(nagios_cgi_t) +files_search_spool(httpd_nagios_script_t) +rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) --kernel_read_system_state(nagios_cgi_t) +-corecmd_exec_bin(nagios_cgi_t) +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) --corecmd_exec_bin(nagios_cgi_t) +-domain_dontaudit_read_all_domains_state(nagios_cgi_t) +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) --domain_dontaudit_read_all_domains_state(nagios_cgi_t) -+kernel_read_system_state(httpd_nagios_script_t) - -files_read_etc_files(nagios_cgi_t) -files_read_etc_runtime_files(nagios_cgi_t) -files_read_kernel_symbol_table(nagios_cgi_t) 
-+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) ++kernel_read_system_state(httpd_nagios_script_t) -logging_send_syslog_msg(nagios_cgi_t) -logging_search_logs(nagios_cgi_t) ++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) + +-miscfiles_read_localization(nagios_cgi_t) +files_read_etc_runtime_files(httpd_nagios_script_t) +files_read_kernel_symbol_table(httpd_nagios_script_t) --miscfiles_read_localization(nagios_cgi_t) -- -optional_policy(` - apache_append_log(nagios_cgi_t) -') @@ -19699,7 +19785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -183,15 +230,21 @@ +@@ -183,15 +235,21 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) 
@@ -19721,11 +19807,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi userdom_dontaudit_use_unpriv_user_fds(nrpe_t) optional_policy(` -@@ -209,3 +262,85 @@ +@@ -209,3 +267,120 @@ optional_policy(` udev_read_db(nrpe_t) ') + ++##################################### ++# ++# local policy for admin check plugins ++# ++ ++allow nagios_admin_plugin_t self:capability { setuid setgid dac_override }; ++ ++allow nagios_admin_plugin_t self:tcp_socket create_stream_socket_perms; ++allow nagios_admin_plugin_t self:udp_socket create_socket_perms; ++ ++kernel_read_system_state(nagios_admin_plugin_t) ++kernel_read_kernel_sysctls(nagios_admin_plugin_t) ++ ++corecmd_read_bin_files(nagios_admin_plugin_t) ++corecmd_read_bin_symlinks(nagios_admin_plugin_t) ++ ++dev_read_urand(nagios_admin_plugin_t) ++ ++files_read_etc_files(nagios_admin_plugin_t) ++ ++libs_use_lib_files(nagios_admin_plugin_t) ++libs_use_ld_so(nagios_admin_plugin_t) ++ ++logging_send_syslog_msg(nagios_admin_plugin_t) ++ ++sysnet_read_config(nagios_admin_plugin_t) ++ ++nscd_dontaudit_search_pid(nagios_admin_plugin_t) ++ ++optional_policy(` ++ mta_read_config(nagios_admin_plugin_t) ++ mta_list_queue(nagios_admin_plugin_t) ++ mta_read_queue(nagios_admin_plugin_t) ++ mta_sendmail_exec(nagios_admin_plugin_t) ++') + +###################################### +# @@ -25433,13 +25554,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.8/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/sendmail.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/sendmail.te 2010-02-09 08:31:26.000000000 -0500 
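Review bot: `allow nagios_admin_plugin_t self:capability { setuid setgid dac_override };` at the top of the new admin-plugin section carries no comment saying which plugin needs each capability, and `dac_override` is the broadest of the three. If the only driver is check_mailq reading a root-owned mail queue (the hunk grants `mta_read_queue`), `dac_read_search` is the narrower capability for read and search access; `setuid`/`setgid` presumably serve a privilege drop or a setuid helper, but the hunk does not show which. Because the same commit declares this domain permissive, the set can be trimmed from audit data before enforcing; suggest `# check_mailq needs to read the mail queue; TODO confirm dac_override is required (dac_read_search?) and which plugin uses setuid/setgid`. `mta_sendmail_exec` runs sendmail inside the plugin domain without a transition, so if the plugin only needs to send mail confirm this is intended rather than the transitioning `mta_send_mail` interface. The section banner is also one character shorter than the `######################################` used for the other plugin sections below it.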
@@ -30,7 +30,7 @@ # allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; -allow sendmail_t self:process { setrlimit signal signull }; -+allow sendmail_t self:process { setpgid setrlimit signal signull }; ++allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; allow sendmail_t self:unix_stream_socket create_stream_socket_perms; allow sendmail_t self:unix_dgram_socket create_socket_perms; @@ -26396,7 +26517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.8/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/ssh.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ssh.if 2010-02-10 12:29:40.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -26515,7 +26636,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## -@@ -694,6 +706,27 @@ +@@ -386,6 +398,7 @@ + logging_send_syslog_msg($1_ssh_agent_t) + + miscfiles_read_localization($1_ssh_agent_t) ++ miscfiles_read_certs($1_ssh_agent_t) + + seutil_dontaudit_read_config($1_ssh_agent_t) + +@@ -393,6 +406,7 @@ + userdom_use_user_terminals($1_ssh_agent_t) + + # for the transition back to normal privs upon exec ++ userdom_search_user_home_content($1_ssh_agent_t) + userdom_user_home_domtrans($1_ssh_agent_t, $3) + allow $3 $1_ssh_agent_t:fd use; + allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; +@@ -694,6 +708,27 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') 
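Review bot: In the `@@ -393,6 +406,7 @@` part of the ssh.if hunk, the new `userdom_search_user_home_content($1_ssh_agent_t)` is inserted directly under the existing comment `# for the transition back to normal privs upon exec`, so that comment now reads as if it explains the search permission as well as the `userdom_user_home_domtrans` line below it. Either place the new line above the comment or give it its own, e.g. `# ssh-agent traverses the user's home content to reach the program it execs -- confirm`. The `miscfiles_read_certs($1_ssh_agent_t)` addition in `@@ -386,6 +398,7 @@` is likewise uncommented; a one-liner on why the agent reads certificates (presumably certificate-backed keys) would help the next reader. The enclosing template starts and ends outside this hunk.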
@@ -26545,7 +26682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ## Delete from the ssh temp files. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.8/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/ssh.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/ssh.te 2010-02-10 13:27:57.000000000 -0500 @@ -111,9 +111,10 @@ manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -26589,15 +26726,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dev_read_urand(ssh_t) -@@ -172,6 +176,7 @@ +@@ -170,8 +174,10 @@ + userdom_search_user_home_dirs(ssh_t) + # Write to the user domain tty. userdom_use_user_terminals(ssh_t) - # needs to read krb tgt +-# needs to read krb tgt ++# needs to read krb/write tgt userdom_read_user_tmp_files(ssh_t) ++userdom_write_user_tmp_files(ssh_t) +userdom_read_user_home_content_symlinks(ssh_t) tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -282,6 +287,8 @@ +@@ -282,6 +288,8 @@ allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -26606,7 +26747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -@@ -298,16 +305,23 @@ +@@ -298,16 +306,23 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) 
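Review bot: `userdom_write_user_tmp_files(ssh_t)` lets the ssh client write every file of the user tmp type, not only the Kerberos ticket cache the comment refers to, so a flaw in ssh (which parses untrusted network input) could now modify any of the user's tmp files. If this tree has a dedicated credential-cache type, an interface scoped to it would be the tighter fix; if not, the comment should say that the broad grant is deliberate. The reworded `# needs to read krb/write tgt` is also hard to parse; suggest `# needs to read and update the Kerberos ticket cache (TGT) kept in the user's tmp dir`.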
@@ -26634,7 +26775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -315,7 +329,12 @@ +@@ -315,7 +330,12 @@ ') optional_policy(` @@ -26648,7 +26789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -323,6 +342,10 @@ +@@ -323,6 +343,10 @@ ') optional_policy(` @@ -26659,7 +26800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. rpm_use_script_fds(sshd_t) ') -@@ -333,10 +356,18 @@ +@@ -333,10 +357,18 @@ ') optional_policy(` @@ -28332,7 +28473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/xserver.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/xserver.if 2010-02-10 12:25:28.000000000 -0500 @@ -19,7 +19,7 @@ interface(`xserver_restricted_role',` gen_require(` @@ -28342,6 +28483,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type iceauth_t, iceauth_exec_t, iceauth_home_t; type xauth_t, xauth_exec_t, xauth_home_t; ') +@@ -31,7 +31,7 @@ + allow xserver_t $2:shm rw_shm_perms; + + domtrans_pattern($2, xserver_exec_t, xserver_t) +- allow xserver_t $2:process signal; ++ allow xserver_t $2:process { getpgid signal }; + + allow xserver_t $2:shm rw_shm_perms; + @@ -45,6 +45,7 @@ manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) 
@@ -28377,15 +28527,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $2 xserver_t:fd use; -@@ -96,7 +105,6 @@ +@@ -94,9 +103,9 @@ + dev_rw_usbfs($2) + miscfiles_read_fonts($2) ++ miscfiles_setattr_fonts_cache_dirs($2) xserver_common_x_domain_template(user, $2) - xserver_unconfined($2) xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -104,6 +112,7 @@ +@@ -104,6 +113,7 @@ xserver_read_xdm_pid($2) # gnome-session creates socket under /tmp/.ICE-unix/ xserver_create_xdm_tmp_sockets($2) @@ -28393,7 +28546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) -@@ -162,7 +171,6 @@ +@@ -162,7 +172,6 @@ manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) @@ -28401,7 +28554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ####################################### -@@ -197,7 +205,7 @@ +@@ -197,7 +206,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -28410,7 +28563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $1 xserver_t:fd use; -@@ -260,12 +268,12 @@ +@@ -260,12 +269,12 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -28426,7 +28579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -445,6 +453,7 @@ +@@ -445,6 +454,7 @@ xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) 
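Review bot: `miscfiles_setattr_fonts_cache_dirs($2)` in `xserver_restricted_role` gives every user domain that receives this role attribute-setting access on the shared font cache directories, and nothing in the hunk says why. Setting attributes on a system-wide cache from an unprivileged user domain is a write to a shared resource, so if a single application triggers it (the commit subject suggests Chrome) a comment such as `# TODO: document which user application sets attributes on the shared font cache dirs; consider a dontaudit if it is only a noisy chmod/utime` would let a later reviewer decide whether silencing the denial is the better fix. The enclosing interface begins and ends outside this hunk.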
@@ -28434,7 +28587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X object manager xserver_object_types_template($1) -@@ -514,6 +523,12 @@ +@@ -514,6 +524,12 @@ ') domtrans_pattern($1, xauth_exec_t, xauth_t) @@ -28447,7 +28600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -567,6 +582,7 @@ +@@ -567,6 +583,7 @@ allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -28455,7 +28608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -774,7 +790,7 @@ +@@ -774,7 +791,7 @@ ') files_search_pids($1) @@ -28464,7 +28617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1219,3 +1235,329 @@ +@@ -1219,3 +1236,329 @@ typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') @@ -28796,7 +28949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-02-08 14:29:02.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-02-09 15:53:37.000000000 -0500 @@ -36,6 +36,13 @@ ## @@ -28959,7 +29112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -250,30 +274,53 @@ +@@ -250,30 +274,55 @@ fs_manage_cifs_files(iceauth_t) ') 
@@ -29000,7 +29153,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -allow xdm_t xauth_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) -- ++stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) + domain_use_interactive_fds(xauth_t) +domain_dontaudit_leaks(xauth_t) @@ -29017,7 +29171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -283,17 +330,35 @@ +@@ -283,17 +332,35 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) @@ -29053,7 +29207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -305,20 +370,31 @@ +@@ -305,20 +372,31 @@ # XDM Local policy # @@ -29088,7 +29242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -334,22 +410,40 @@ +@@ -334,22 +412,40 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) @@ -29132,7 +29286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -363,6 +457,7 @@ +@@ -363,6 +459,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -29140,7 +29294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,10 +466,14 @@ +@@ -371,10 +468,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
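Review bot: The new `stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)` has no comment, unlike the equivalent xdm_t rule later in this file that is annotated `# connect to xdm xserver over stream socket`. Suggest mirroring that style: `# xauth connects to the X server over its unix stream socket`. If this was added for a specific client (the commit subject mentions Chrome under the staff user), naming it in the comment would make the rule easier to revisit.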
@@ -29156,7 +29310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -394,11 +493,13 @@ +@@ -394,11 +495,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -29170,7 +29324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +507,7 @@ +@@ -406,6 +509,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -29178,7 +29332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +516,21 @@ +@@ -414,18 +518,21 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -29203,7 +29357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +541,15 @@ +@@ -436,9 +543,15 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -29219,7 +29373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,6 +558,7 @@ +@@ -447,6 +560,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -29227,7 +29381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -455,6 +567,7 @@ +@@ -455,6 +569,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) 
@@ -29235,7 +29389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +578,12 @@ +@@ -465,10 +580,12 @@ logging_read_generic_logs(xdm_t) @@ -29250,7 +29404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +592,11 @@ +@@ -477,6 +594,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -29262,7 +29416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -509,10 +629,12 @@ +@@ -509,10 +631,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -29275,7 +29429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +642,49 @@ +@@ -520,12 +644,49 @@ ') optional_policy(` @@ -29325,7 +29479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,9 +702,43 @@ +@@ -543,9 +704,43 @@ ') optional_policy(` @@ -29369,7 +29523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` seutil_sigchld_newrole(xdm_t) ') -@@ -555,8 +748,9 @@ +@@ -555,8 +750,9 @@ ') optional_policy(` @@ -29381,7 +29535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +759,6 @@ +@@ -565,7 +761,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -29389,7 +29543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +769,10 @@ +@@ -576,6 +771,10 @@ ') optional_policy(` 
@@ -29400,7 +29554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +797,9 @@ +@@ -600,10 +799,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -29412,7 +29566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +811,18 @@ +@@ -615,6 +813,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -29431,7 +29585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +842,19 @@ +@@ -634,12 +844,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -29453,7 +29607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +888,6 @@ +@@ -673,7 +890,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -29461,7 +29615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +897,12 @@ +@@ -683,9 +899,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) 
@@ -29475,7 +29629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +917,12 @@ +@@ -700,8 +919,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -29488,7 +29642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,6 +944,7 @@ +@@ -723,6 +946,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -29496,7 +29650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser modutils_domtrans_insmod(xserver_t) -@@ -779,12 +1001,20 @@ +@@ -779,12 +1003,20 @@ ') optional_policy(` @@ -29518,7 +29672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1041,7 @@ +@@ -811,7 +1043,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -29527,7 +29681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1062,14 @@ +@@ -832,9 +1064,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -29542,7 +29696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1084,14 @@ +@@ -849,11 +1086,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -29559,7 +29713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -1000,17 +1238,32 @@ +@@ -1000,17 +1240,32 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -30034,6 +30188,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM local policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.8/policy/modules/system/daemontools.te +--- nsaserefpolicy/policy/modules/system/daemontools.te 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.8/policy/modules/system/daemontools.te 2010-02-10 13:04:18.000000000 -0500 +@@ -65,6 +65,8 @@ + + kernel_read_system_state(svc_run_t) + ++dev_read_urand(svc_run_t) ++ + corecmd_exec_bin(svc_run_t) + corecmd_exec_shell(svc_run_t) + +@@ -93,10 +95,14 @@ + + allow svc_start_t self:fifo_file rw_fifo_file_perms; + allow svc_start_t self:capability kill; ++allow svc_start_t self:tcp_socket create_stream_socket_perms; + allow svc_start_t self:unix_stream_socket create_socket_perms; + + can_exec(svc_start_t, svc_start_exec_t) + ++kernel_read_kernel_sysctls(svc_start_t) ++kernel_read_system_state(svc_start_t) ++ + corecmd_exec_bin(svc_start_t) + corecmd_exec_shell(svc_start_t) + +@@ -105,5 +111,9 @@ + files_search_var(svc_start_t) + files_search_pids(svc_start_t) + ++logging_send_syslog_msg(svc_start_t) ++ ++miscfiles_read_localization(svc_start_t) ++ + daemontools_domtrans_run(svc_start_t) + daemontools_manage_svc(svc_start_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.8/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500 +++ serefpolicy-3.7.8/policy/modules/system/fstools.fc 2010-02-02 10:31:03.000000000 -0500 
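Review bot: `allow svc_start_t self:tcp_socket create_stream_socket_perms;` in the new daemontools.te section is added without any corenet rule or comment, so it is unclear what the start scripts connect to or listen on, and socket creation alone may not satisfy whatever produced the denial. Please name the trigger, e.g. `# start scripts under svc_start_t create TCP sockets for <service> -- TODO confirm; add corenet rules if connections are needed`; the same applies to `dev_read_urand(svc_run_t)`. Since svc_start_t already has `corecmd_exec_shell` and `corecmd_exec_bin`, it is worth checking whether the denial came from a service that should run in its own domain rather than widening the generic start domain.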
@@ -30471,7 +30662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/init.te 2010-02-08 12:54:27.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/init.te 2010-02-10 15:45:12.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -30908,13 +31099,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -515,6 +602,33 @@ +@@ -515,6 +602,34 @@ ') ') +domain_dontaudit_use_interactive_fds(daemon) + +userdom_dontaudit_list_admin_dir(daemon) ++userdom_dontaudit_search_user_tmp(daemon) + +tunable_policy(`allow_daemons_use_tty',` + term_use_unallocated_ttys(daemon) @@ -30942,7 +31134,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -567,10 +681,19 @@ +@@ -527,6 +642,8 @@ + optional_policy(` + apache_read_config(initrc_t) + apache_list_modules(initrc_t) ++ # webmin seems to cause this. ++ apache_search_sys_content(daemon) + ') + + optional_policy(` +@@ -567,10 +684,19 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30962,7 +31163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -590,6 +713,10 @@ +@@ -590,6 +716,10 @@ ') optional_policy(` @@ -30973,7 +31174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -646,20 +773,20 @@ +@@ -646,20 +776,20 @@ ') optional_policy(` 
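Review bot: `apache_search_sys_content(daemon)` is granted to the whole `daemon` attribute on the strength of `# webmin seems to cause this.`, which admits the cause is not established, and it sits inside an `optional_policy` block whose other rules only touch `initrc_t`. Every daemon domain gains search on apache system content for one suspected client, so if webmin has (or should get) its own domain the rule belongs there, and if the access is merely noise a dontaudit variant keeps the logs quiet without widening all daemons. At minimum reword the comment to say what was observed: `# webmin (running as a generic daemon) searches apache sys content; TODO scope to its own domain`.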
@@ -31000,7 +31201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -668,6 +795,7 @@ +@@ -668,6 +798,7 @@ mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) @@ -31008,7 +31209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -700,7 +828,6 @@ +@@ -700,7 +831,6 @@ ') optional_policy(` @@ -31016,7 +31217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -722,8 +849,6 @@ +@@ -722,8 +852,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -31025,7 +31226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -736,13 +861,16 @@ +@@ -736,13 +864,16 @@ squid_manage_logs(initrc_t) ') @@ -31042,7 +31243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -751,6 +879,7 @@ +@@ -751,6 +882,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -31050,7 +31251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -758,7 +887,17 @@ +@@ -758,7 +890,17 @@ ') optional_policy(` @@ -31068,7 +31269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -768,6 +907,25 @@ +@@ -768,6 +910,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -31094,7 +31295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -793,3 +951,31 @@ +@@ -793,3 +954,31 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -31261,7 +31462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.8/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/ipsec.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/ipsec.te 2010-02-10 12:21:01.000000000 -0500 @@ -29,9 +29,15 @@ type ipsec_key_file_t; files_type(ipsec_key_file_t) 
@@ -31314,23 +31515,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. -allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; -allow ipsec_mgmt_t self:process { signal setrlimit }; -+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap }; ++allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; +dontaudit ipsec_mgmt_t self:capability sys_tty_config; -+allow ipsec_mgmt_t self:process { signal setrlimit ptrace }; ++allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -182,6 +195,9 @@ +@@ -182,6 +195,13 @@ allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) ++manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) ++manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) ++files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) ++ +manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) +logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) + allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) -@@ -209,7 +225,6 @@ +@@ -209,7 +229,6 @@ # whack needs to connect to pluto stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) 
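Review bot: The new `manage_dirs_pattern`/`manage_files_pattern`/`files_tmp_filetrans` rules for `ipsec_tmp_t` depend on that type being declared and marked as a tmp type elsewhere in ipsec.te; the declaration is not in this hunk, so it should be confirmed before this is merged. The added `sys_nice` capability and `getsched` process permission on `ipsec_mgmt_t` carry no comment saying which ipsec_mgmt tool needs them, whereas this file otherwise records such reasons (`# whack needs to connect to pluto`); a one-line comment above the allow line, e.g. `# TODO(review): record which ipsec_mgmt tool needs sys_nice/getsched`, would keep that convention. The ipsec_mgmt section continues outside the hunk.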
@@ -31338,7 +31543,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; -@@ -259,6 +274,7 @@ +@@ -244,11 +263,13 @@ + domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) + domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) + +-files_read_etc_files(ipsec_mgmt_t) +-files_exec_etc_files(ipsec_mgmt_t) +-files_read_etc_runtime_files(ipsec_mgmt_t) + files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) + files_dontaudit_getattr_default_files(ipsec_mgmt_t) ++files_exec_etc_files(ipsec_mgmt_t) ++files_list_tmp(ipsec_mgmt_t) ++files_read_etc_files(ipsec_mgmt_t) ++files_read_etc_runtime_files(ipsec_mgmt_t) ++files_read_usr_files(ipsec_mgmt_t) + + fs_getattr_xattr_fs(ipsec_mgmt_t) + fs_list_tmpfs(ipsec_mgmt_t) +@@ -259,6 +280,7 @@ init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) @@ -31346,7 +31568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. logging_send_syslog_msg(ipsec_mgmt_t) -@@ -323,6 +339,7 @@ +@@ -323,6 +345,7 @@ kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) @@ -31354,7 +31576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) -@@ -362,6 +379,8 @@ +@@ -362,6 +385,8 @@ sysnet_exec_ifconfig(racoon_t) @@ -31363,7 +31585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -380,12 +399,15 @@ +@@ -380,12 +405,15 @@ read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) 
@@ -31379,7 +31601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -397,3 +419,4 @@ +@@ -397,3 +425,4 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) @@ -32038,7 +32260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.8/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/locallogin.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/locallogin.te 2010-02-09 15:54:03.000000000 -0500 @@ -33,7 +33,7 @@ # Local login local policy # @@ -32048,15 +32270,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow local_login_t self:process { setrlimit setexec }; allow local_login_t self:fd use; -@@ -74,6 +74,7 @@ +@@ -74,6 +74,8 @@ dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) dev_setattr_sound_dev(local_login_t) +dev_rw_generic_usb_dev(local_login_t) ++dev_read_video_dev(local_login_t) dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) -@@ -152,6 +153,11 @@ +@@ -152,6 +154,11 @@ fs_read_cifs_symlinks(local_login_t) ') @@ -32068,7 +32291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall optional_policy(` alsa_domtrans(local_login_t) ') -@@ -181,7 +187,7 @@ +@@ -181,7 +188,7 @@ ') optional_policy(` 
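Review bot: `dev_read_video_dev(local_login_t)` gives the login program read access to video device nodes, which is broader than the get/setattr pattern the rest of this block uses for device classes (`dev_getattr_sound_dev`, `dev_setattr_sound_dev`). If the need is the same as for those lines, changing device ownership at login, `dev_getattr_video_dev(local_login_t)` and `dev_setattr_video_dev(local_login_t)` express it with less privilege; if read really is required, a comment naming the program that needs it should accompany the line. The local_login_t section continues outside the hunk.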
@@ -32077,7 +32300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall ') optional_policy(` -@@ -198,9 +204,10 @@ +@@ -198,9 +205,10 @@ # Sulogin local policy # @@ -32089,7 +32312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall allow sulogin_t self:unix_dgram_socket create_socket_perms; allow sulogin_t self:unix_stream_socket create_stream_socket_perms; allow sulogin_t self:unix_dgram_socket sendto; -@@ -220,6 +227,7 @@ +@@ -220,6 +228,7 @@ files_dontaudit_search_isid_type_dirs(sulogin_t) auth_read_shadow(sulogin_t) @@ -32097,7 +32320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall init_getpgid_script(sulogin_t) -@@ -233,11 +241,24 @@ +@@ -233,11 +242,24 @@ userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -32122,7 +32345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall ifdef(`sulogin_no_pam', ` allow sulogin_t self:capability sys_tty_config; -@@ -251,11 +272,3 @@ +@@ -251,11 +273,3 @@ selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') 
@@ -32228,8 +32451,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.8/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/logging.te 2010-02-02 10:31:03.000000000 -0500 -@@ -123,10 +123,10 @@ ++++ serefpolicy-3.7.8/policy/modules/system/logging.te 2010-02-09 08:53:48.000000000 -0500 +@@ -101,6 +101,7 @@ + + kernel_read_kernel_sysctls(auditctl_t) + kernel_read_proc_symlinks(auditctl_t) ++kernel_setsched(auditctl_t) + + domain_read_all_domains_state(auditctl_t) + domain_use_interactive_fds(auditctl_t) +@@ -123,10 +124,10 @@ allow auditd_t self:capability { chown fsetid sys_nice sys_resource }; dontaudit auditd_t self:capability sys_tty_config; @@ -32242,7 +32473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; -@@ -179,6 +179,8 @@ +@@ -179,6 +180,8 @@ logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -32251,7 +32482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) -@@ -215,9 +217,9 @@ +@@ -215,9 +218,9 @@ # audit dispatcher local policy # @@ -32264,7 +32495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin allow audisp_t self:unix_stream_socket create_stream_socket_perms; allow audisp_t self:unix_dgram_socket create_socket_perms; -@@ -226,13 +228,18 @@ +@@ -226,13 +229,18 @@ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) 
@@ -32284,7 +32515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(audisp_t) -@@ -240,6 +247,14 @@ +@@ -240,6 +248,14 @@ sysnet_dns_name_resolve(audisp_t) @@ -32299,7 +32530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ######################################## # # Audit remote logger local policy -@@ -253,11 +268,16 @@ +@@ -253,11 +269,16 @@ corenet_tcp_sendrecv_generic_node(audisp_remote_t) corenet_tcp_connect_audit_port(audisp_remote_t) corenet_sendrecv_audit_client_packets(audisp_remote_t) @@ -32316,7 +32547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(audisp_remote_t) sysnet_dns_name_resolve(audisp_remote_t) -@@ -337,7 +357,7 @@ +@@ -337,7 +358,7 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; allow syslogd_t self:unix_dgram_socket sendto; @@ -32325,7 +32556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; -@@ -461,10 +481,18 @@ +@@ -461,10 +482,18 @@ ') optional_policy(` @@ -32513,7 +32744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.8/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/modutils.te 2010-02-08 11:50:22.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/modutils.te 2010-02-09 08:53:16.000000000 -0500 @@ -19,6 +19,7 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) 
@@ -32717,7 +32948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.8/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/mount.te 2010-02-05 14:44:10.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/mount.te 2010-02-10 13:39:41.000000000 -0500 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -32940,12 +33171,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -195,5 +281,9 @@ +@@ -195,5 +281,10 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) - unconfined_domain(unconfined_mount_t) + unconfined_domain_noaudit(unconfined_mount_t) ++ userdom_unpriv_usertype(unconfined, unconfined_mount_t) + + rpc_domtrans_rpcd(unconfined_mount_t) + devicekit_dbus_chat_disk(unconfined_mount_t) @@ -33012,7 +33244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.8/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/selinuxutil.if 2010-02-10 13:11:08.000000000 -0500 @@ -351,6 +351,27 @@ ######################################## @@ -33139,7 +33371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## ## ## -@@ -1028,6 +1117,33 @@ +@@ -1028,6 +1117,54 @@ ######################################## ## 
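Review bot: `userdom_unpriv_usertype(unconfined, unconfined_mount_t)` declares a system mount domain as an unprivileged user type of the unconfined prefix, with no comment on why a mount domain needs the user-domain attributes on top of the `unconfined_domain_noaudit` it already receives in the same block. A short comment above the call naming the missing access or the observed denial, e.g. `# TODO(review): state why unconfined_mount_t must be a user type`, would let a later reader judge whether the attribute grant is still needed.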
@@ -33170,10 +33402,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + +######################################## +## ++## Full management of the semanage ++## module store. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_read_module_store',` ++ gen_require(` ++ type selinux_config_t, semanage_store_t; ++ ') ++ ++ files_search_etc($1) ++ read_dirs_pattern($1, selinux_config_t, semanage_store_t) ++ read_files_pattern($1, semanage_store_t, semanage_store_t) ++') ++ ++######################################## ++## ## Full management of the semanage ## module store. ## -@@ -1139,3 +1255,194 @@ +@@ -1139,3 +1276,194 @@ selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -35051,7 +35304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-05 11:22:50.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-02-10 15:44:32.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -36704,7 +36957,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2897,7 +3185,43 @@ +@@ -2884,6 +3172,25 @@ + + ######################################## + ## ++## Dontaudit search user temporary directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dontaduit_search_user_tmp',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ dontaudit $1 user_tmp_t:dir search_dir_perms; ++') ++ ++ ++######################################## ++## + ## Write all users files in /tmp + ## + ## +@@ -2897,7 +3204,43 @@ type user_tmp_t; ') 
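Review bot: The summary on the new `seutil_read_module_store` interface reads "Full management of the semanage module store.", but the body grants only `read_dirs_pattern` and `read_files_pattern` on `semanage_store_t`; the text appears to have been copied from the management interface that follows it. Change the two summary lines to `## Read the semanage module store.` so callers are not misled about what the interface allows.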
@@ -36749,7 +37028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2934,6 +3258,7 @@ +@@ -2934,6 +3277,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -36757,7 +37036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3064,3 +3389,674 @@ +@@ -3064,3 +3408,674 @@ allow $1 userdomain:dbus send_msg; ') @@ -37634,7 +37913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te files_search_mnt(xend_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.8/policy/support/misc_patterns.spt --- nsaserefpolicy/policy/support/misc_patterns.spt 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/support/misc_patterns.spt 2010-02-05 16:37:16.000000000 -0500 ++++ serefpolicy-3.7.8/policy/support/misc_patterns.spt 2010-02-09 09:00:57.000000000 -0500 @@ -15,7 +15,7 @@ domain_transition_pattern($1,$2,$3)