From 30c21992cb0c7cda171e1ea65ffb279841da1c0a Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 03 2010 20:52:58 +0000 Subject: - Add mcelog policy --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 6543a87..a5306a6 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -890,6 +890,13 @@ lircd = module # lvm = base +# Layer: admin +# Module: mcelog +# +# Policy for mcelog. +# +mcelog = base + # Layer: services # Module: mailman # diff --git a/modules-mls.conf b/modules-mls.conf index 779e1b6..245ca34 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -792,6 +792,13 @@ lpd = module # lvm = base +# Layer: admin +# Module: mcelog +# +# Policy for mcelog. +# +mcelog = base + # Layer: services # Module: mailman # diff --git a/modules-targeted.conf b/modules-targeted.conf index 6543a87..a5306a6 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -890,6 +890,13 @@ lircd = module # lvm = base +# Layer: admin +# Module: mcelog +# +# Policy for mcelog. +# +mcelog = base + # Layer: services # Module: mailman # diff --git a/policy-F13.patch b/policy-F13.patch index 2c8fb1d..8d12bed 100644 --- a/policy-F13.patch +++ b/policy-F13.patch 
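Review bot: `+mcelog = base` links the new domain into the base module even though the mcelog.te hunk later in this patch declares `permissive mcelog_t;`, so a domain that is not yet enforced and still being shaped becomes part of base and cannot be removed or replaced independently of a base rebuild. Consider `mcelog = module` until the domain leaves permissive mode, and give the header a less circular description than "Policy for mcelog.", e.g. `# Policy for mcelog, the machine-check exception logging daemon.`. The same block is added verbatim to modules-mls.conf and modules-targeted.conf in the next two hunks; whichever choice is made should be applied to all three.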
@@ -123,14 +123,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.7.8/policy/modules/admin/dmesg.fc ---- nsaserefpolicy/policy/modules/admin/dmesg.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/dmesg.fc 2010-02-02 10:31:03.000000000 -0500 -@@ -1,2 +1,4 @@ - - /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) -+ -+/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.8/policy/modules/admin/dmesg.te --- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.8/policy/modules/admin/dmesg.te 2010-02-02 10:31:03.000000000 -0500 
@@ -333,6 +325,72 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.8/policy/modules/admin/mcelog.fc +--- nsaserefpolicy/policy/modules/admin/mcelog.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/mcelog.fc 2010-02-03 08:26:08.000000000 -0500 +@@ -0,0 +1,2 @@ ++ ++/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.8/policy/modules/admin/mcelog.if +--- nsaserefpolicy/policy/modules/admin/mcelog.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/mcelog.if 2010-02-03 08:26:09.000000000 -0500 +@@ -0,0 +1,21 @@ ++ ++## policy for mcelog ++ ++######################################## ++## ++## Execute a domain transition to run mcelog. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`mcelog_domtrans',` ++ gen_require(` ++ type mcelog_t, mcelog_exec_t; ++ ') ++ ++ domtrans_pattern($1, mcelog_exec_t, mcelog_t) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.8/policy/modules/admin/mcelog.te +--- nsaserefpolicy/policy/modules/admin/mcelog.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/mcelog.te 2010-02-03 08:26:09.000000000 -0500 +@@ -0,0 +1,31 @@ ++ ++policy_module(mcelog,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mcelog_t; ++type mcelog_exec_t; ++application_domain(mcelog_t, mcelog_exec_t) ++cron_system_entry(mcelog_t, mcelog_exec_t) ++ ++permissive mcelog_t; ++ ++######################################## ++# ++# mcelog local policy ++# ++ ++ ++kernel_read_system_state(mcelog_t) ++ ++dev_read_raw_memory(mcelog_t) ++dev_read_kmsg(mcelog_t) ++ ++files_read_etc_files(mcelog_t) ++ ++miscfiles_read_localization(mcelog_t) ++ ++logging_send_syslog_msg(mcelog_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.8/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500 +++ serefpolicy-3.7.8/policy/modules/admin/mrtg.te 2010-02-02 10:31:03.000000000 -0500 
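Review bot: `++permissive mcelog_t;` together with `++dev_read_raw_memory(mcelog_t)` ships a domain whose rules are not enforced yet can read the raw memory devices, and neither line says why or for how long; comment both, e.g. `# TODO: drop once the domain has been exercised in the field; nothing below is enforced until then` above the permissive statement, and `# mcelog reads /dev/mcelog, which presumably shares the raw-memory device label — confirm; this also grants read on /dev/mem` above the dev_read_raw_memory call. Because the dmesg.fc hunk earlier in this patch drops the old `/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)` entry in favour of the new mcelog_exec_t label, an installed binary keeps its old label until a relabel runs, so the commit message or a comment in mcelog.fc should say a relabel is required for the transition to take effect. The doubled blank line under `# mcelog local policy` is a minor style nit.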
@@ -2316,8 +2374,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.8/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/gnome.fc 2010-02-02 10:31:03.000000000 -0500 -@@ -1,8 +1,25 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/gnome.fc 2010-02-02 16:41:41.000000000 -0500 +@@ -1,8 +1,28 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) @@ -2326,12 +2384,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) ++/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) ++ +/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) +/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) ++/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) 
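Review bot: `++/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)` has a leading slash that none of the neighbouring HOME_DIR entries carry; HOME_DIR is replaced by genhomedircon with an absolute home-directory path, so the expanded regex begins with a double slash, never matches the real file, and ~/.Xdefaults stays at the default home label instead of config_home_t. The root entry `++/root/\.Xdefaults` in the same hunk is written correctly. The fix is `HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)`.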
@@ -6219,7 +6280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.8/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/devices.fc 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/devices.fc 2010-02-03 11:34:06.000000000 -0500 @@ -16,13 +16,16 @@ /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) @@ -6253,7 +6314,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -159,6 +164,8 @@ +@@ -142,6 +147,7 @@ + /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) ++/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) + + /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) + +@@ -159,6 +165,8 @@ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) 
@@ -11874,7 +11943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/apache.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/apache.te 2010-02-03 13:33:57.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -12091,15 +12160,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -301,6 +370,7 @@ +@@ -301,9 +370,11 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) +setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) ++manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) - files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) -@@ -312,18 +382,21 @@ +-files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) ++files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) + + manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) + manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -312,18 +383,21 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
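Review bot: `++manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)` makes the `+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)` line directly above it redundant, since the manage directory permission set already includes setattr; drop the setattr line so the grant is stated once. The widened `++files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })` is consistent with the new dir grant, but a one-line why comment naming which httpd component creates a directory under /var/run would help the next reader, since the hunk gives no hint. The httpd_t block continues outside the hunk.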
@@ -12126,7 +12200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -335,15 +408,15 @@ +@@ -335,15 +409,15 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -12145,7 +12219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) -@@ -358,6 +431,10 @@ +@@ -358,6 +432,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -12156,7 +12230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_read_lib_files(httpd_t) -@@ -372,18 +449,33 @@ +@@ -372,18 +450,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -12194,7 +12268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -391,32 +483,71 @@ +@@ -391,32 +484,71 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -12271,7 +12345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -424,11 +555,23 @@ +@@ -424,11 +556,23 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -12295,7 +12369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -451,6 +594,21 @@ +@@ -451,6 +595,21 @@ ') optional_policy(` @@ -12317,7 +12391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac cron_system_entry(httpd_t, httpd_exec_t) ') -@@ -459,8 +617,18 @@ +@@ -459,8 +618,18 @@ ') optional_policy(` 
@@ -12338,7 +12412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -468,22 +636,19 @@ +@@ -468,22 +637,19 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) @@ -12364,7 +12438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -494,12 +659,23 @@ +@@ -494,12 +660,23 @@ ') optional_policy(` @@ -12388,7 +12462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -508,6 +684,7 @@ +@@ -508,6 +685,7 @@ ') optional_policy(` @@ -12396,7 +12470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +712,23 @@ +@@ -535,6 +713,23 @@ userdom_use_user_terminals(httpd_helper_t) @@ -12420,7 +12494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -564,20 +758,25 @@ +@@ -564,20 +759,25 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -12452,7 +12526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -595,23 +794,24 @@ +@@ -595,23 +795,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -12481,7 +12555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -624,6 +824,7 @@ +@@ -624,6 +825,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) 
@@ -12489,7 +12563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -631,22 +832,31 @@ +@@ -631,22 +833,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) @@ -12528,7 +12602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,16 +882,16 @@ +@@ -672,16 +883,16 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -12549,7 +12623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +909,24 @@ +@@ -699,12 +910,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -12576,7 +12650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +934,35 @@ +@@ -712,6 +935,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -12612,7 +12686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +975,10 @@ +@@ -724,6 +976,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -12623,7 +12697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -735,6 +990,8 @@ +@@ -735,6 +991,8 @@ # httpd_rotatelogs local policy # 
@@ -12632,7 +12706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,11 +1011,88 @@ +@@ -754,11 +1012,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -20510,7 +20584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.7.8/policy/modules/services/plymouth.if --- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/plymouth.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/plymouth.if 2010-02-02 16:48:03.000000000 -0500 @@ -0,0 +1,322 @@ +## policy for plymouthd + @@ -20836,8 +20910,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.7.8/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/plymouth.te 2010-02-02 10:31:03.000000000 -0500 -@@ -0,0 +1,101 @@ ++++ serefpolicy-3.7.8/policy/modules/services/plymouth.te 2010-02-03 15:28:58.000000000 -0500 +@@ -0,0 +1,102 @@ +policy_module(plymouthd, 1.0.0) + +######################################## 
@@ -20893,6 +20967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + +miscfiles_read_localization(plymouthd_t) +miscfiles_read_fonts(plymouthd_t) ++miscfiles_manage_fonts_cache(plymouthd_t) + +manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) +manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) @@ -25278,7 +25353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.8/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/spamassassin.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/spamassassin.te 2010-02-03 08:51:00.000000000 -0500 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -25345,16 +25420,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam # this should probably be removed corecmd_list_bin(spamassassin_t) -@@ -150,6 +191,8 @@ +@@ -150,6 +191,9 @@ corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) + corenet_udp_bind_generic_node(spamassassin_t) + corenet_udp_bind_generic_port(spamassassin_t) ++ corenet_dontaudit_udp_bind_all_ports(spamassassin_t) sysnet_read_config(spamassassin_t) ') -@@ -186,6 +229,8 @@ +@@ -186,6 +230,8 @@ optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) 
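Review bot: `++miscfiles_manage_fonts_cache(plymouthd_t)` grants the boot-splash daemon create, write and delete on the shared font cache one line after `+miscfiles_read_fonts(plymouthd_t)`, with no comment on why read access to the cache is not enough. Every domain that later reads that cache trusts its contents, so if the need is only that fontconfig rewrites a stale cache when plymouthd runs early in boot, say so next to the line, e.g. `# fontconfig regenerates its cache when stale; plymouthd may be the first consumer after boot`; if it is not needed, prefer the read-only interface. plymouthd_t's block starts outside the hunk.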
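Review bot: `++	corenet_dontaudit_udp_bind_all_ports(spamassassin_t)` silences every denied UDP bind for the domain inside the enclosing tunable block (whose head lies outside the hunk), right after `corenet_udp_bind_generic_port` allows the unlabelled ones, and carries no comment on what produces the noise. A dontaudit this broad also hides a genuinely unexpected bind to a labelled service port, so record the trigger beside it, e.g. `# resolver lookups presumably pick source ports that sometimes land on a labelled port type; allow the generic ones and keep the rest quiet` (confirm against the AVC messages that motivated it).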
@@ -25363,7 +25439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -207,16 +252,33 @@ +@@ -207,16 +253,33 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; @@ -25397,7 +25473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -246,9 +308,16 @@ +@@ -246,9 +309,16 @@ files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) @@ -25414,7 +25490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -256,27 +325,40 @@ +@@ -256,27 +326,40 @@ sysnet_read_config(spamc_t) @@ -25461,7 +25537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -288,7 +370,7 @@ +@@ -288,7 +371,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -25470,7 +25546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -304,10 +386,17 @@ +@@ -304,10 +387,17 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; 
@@ -25489,7 +25565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -316,10 +405,12 @@ +@@ -316,10 +406,12 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -25503,7 +25579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -369,22 +460,27 @@ +@@ -369,22 +461,27 @@ init_dontaudit_rw_utmp(spamd_t) @@ -25535,7 +25611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') -@@ -402,23 +498,16 @@ +@@ -402,23 +499,16 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -25560,7 +25636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam postfix_read_config(spamd_t) ') -@@ -433,6 +522,10 @@ +@@ -433,6 +523,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -25571,7 +25647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -445,5 +538,9 @@ +@@ -445,5 +539,9 @@ ') optional_policy(` 
@@ -26212,10 +26288,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. +tunable_policy(`tor_bind_all_unreserved_ports', ` + corenet_tcp_bind_all_unreserved_ports(tor_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.8/policy/modules/services/tuned.fc +--- nsaserefpolicy/policy/modules/services/tuned.fc 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/tuned.fc 2010-02-03 13:29:02.000000000 -0500 +@@ -2,4 +2,7 @@ + + /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) + ++/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0) ++/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) ++ + /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.8/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/tuned.te 2010-02-02 10:31:03.000000000 -0500 -@@ -27,6 +27,7 @@ ++++ serefpolicy-3.7.8/policy/modules/services/tuned.te 2010-02-03 13:29:02.000000000 -0500 +@@ -13,6 +13,9 @@ + type tuned_initrc_exec_t; + init_script_file(tuned_initrc_exec_t) + ++type tuned_log_t; ++logging_log_file(tuned_log_t) ++ + type tuned_var_run_t; + files_pid_file(tuned_var_run_t) + +@@ -22,15 +25,22 @@ + # + + dontaudit tuned_t self:capability { dac_override sys_tty_config }; ++allow tuned_t self:process fork; ++ ++manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) ++manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) ++logging_log_filetrans(tuned_t, tuned_log_t, file) + + manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) files_pid_filetrans(tuned_t, tuned_var_run_t, file) corecmd_exec_shell(tuned_t) 
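Review bot: `++logging_log_filetrans(tuned_t, tuned_log_t, file)` only covers files, while the same hunk grants `manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)` and labels `/var/log/tuned(/.*)?` in tuned.fc; if tuned creates that directory itself at runtime rather than the package shipping it, the new directory is created with the generic /var/log label and the per-file transition never applies beneath it. If that is the case, use `logging_log_filetrans(tuned_t, tuned_log_t, { file dir })`; if the directory is packaged, a short comment on the dir pattern saying so would settle it for the next reader. `++allow tuned_t self:process fork;` would also benefit from a one-line note on what tuned spawns, since the hunk gives no hint.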
@@ -26223,15 +26330,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune kernel_read_system_state(tuned_t) kernel_read_network_state(tuned_t) + ++dev_read_urand(tuned_t) + dev_read_sysfs(tuned_t) + # to allow cpu tuning + dev_rw_netcontrol(tuned_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc --- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc 2010-02-03 14:20:04.000000000 -0500 @@ -0,0 +1,4 @@ + +/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) + +/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) -\ No newline at end of file diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.8/policy/modules/services/usbmuxd.if --- nsaserefpolicy/policy/modules/services/usbmuxd.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.if 2010-02-02 10:31:03.000000000 -0500 @@ -27414,7 +27525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.8/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/xserver.fc 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/xserver.fc 2010-02-03 08:06:18.000000000 -0500 @@ -3,12 +3,21 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) 
@@ -27506,7 +27617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0) + @@ -27988,7 +28099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-02-02 16:08:33.000000000 -0500 @@ -36,6 +36,13 @@ ## @@ -28208,7 +28319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -283,6 +329,14 @@ +@@ -283,17 +329,35 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) @@ -28223,7 +28334,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_xdm_tmp_files(xauth_t) -@@ -294,6 +348,15 @@ + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(xauth_t) ++ fs_read_nfs_symlinks(xauth_t) + ') + + tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(xauth_t) ') 
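Review bot: `++/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)` replaces the exact `slim\.auth` match with an unescaped `.`, so it now labels any regular file under /var/run whose name begins with `slim`, and because `.` also matches `/`, regular files at any depth under a `/var/run/slim...` directory as well. If the intent is slim's dot-suffixed state files (auth, lock, pid), `/var/run/slim\..* -- gen_context(system_u:object_r:xdm_var_run_t,s0)` covers them without the widening. Separately, the adjacent context line `+/var/run/lxdm(/*.)?` reads like a typo for `(/.*)?`; it is not part of this change but sits in the same file and is worth fixing alongside it.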
@@ -28239,7 +28355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -305,20 +368,31 @@ +@@ -305,20 +369,31 @@ # XDM Local policy # @@ -28274,7 +28390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -334,22 +408,40 @@ +@@ -334,22 +409,40 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) @@ -28318,7 +28434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -363,6 +455,7 @@ +@@ -363,6 +456,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -28326,7 +28442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,10 +464,14 @@ +@@ -371,10 +465,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -28342,7 +28458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -394,11 +491,13 @@ +@@ -394,11 +492,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -28356,7 +28472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +505,7 @@ +@@ -406,6 +506,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) 
@@ -28364,7 +28480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +514,21 @@ +@@ -414,18 +515,21 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -28389,7 +28505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +539,15 @@ +@@ -436,9 +540,15 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -28405,7 +28521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,6 +556,7 @@ +@@ -447,6 +557,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28413,7 +28529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -455,6 +565,7 @@ +@@ -455,6 +566,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -28421,7 +28537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +576,12 @@ +@@ -465,10 +577,12 @@ logging_read_generic_logs(xdm_t) @@ -28436,7 +28552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +590,11 @@ +@@ -477,6 +591,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -28448,7 +28564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -509,10 +627,12 @@ +@@ -509,10 +628,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -28461,7 +28577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +640,49 @@ +@@ -520,12 +641,49 @@ ') optional_policy(` @@ -28511,7 +28627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,9 +700,43 @@ +@@ -543,9 +701,43 @@ ') optional_policy(` @@ -28555,7 +28671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` seutil_sigchld_newrole(xdm_t) ') -@@ -555,8 +746,9 @@ +@@ -555,8 +747,9 @@ ') optional_policy(` @@ -28567,7 +28683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +757,6 @@ +@@ -565,7 +758,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -28575,7 +28691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +767,10 @@ +@@ -576,6 +768,10 @@ ') optional_policy(` @@ -28586,7 +28702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +795,9 @@ +@@ -600,10 +796,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -28598,7 +28714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +809,18 @@ +@@ -615,6 +810,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -28617,7 +28733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +840,19 @@ +@@ -634,12 +841,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -28639,7 +28755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +886,6 @@ +@@ -673,7 +887,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -28647,7 +28763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +895,12 @@ +@@ -683,9 +896,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -28661,7 +28777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +915,12 @@ +@@ -700,8 +916,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -28674,7 +28790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,6 +942,7 @@ +@@ -723,6 +943,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -28682,7 +28798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser modutils_domtrans_insmod(xserver_t) -@@ -779,12 +999,20 @@ +@@ -779,12 +1000,20 @@ ') optional_policy(` @@ -28704,7 +28820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1039,7 @@ +@@ -811,7 +1040,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -28713,7 +28829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1060,14 @@ +@@ -832,9 +1061,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -28728,7 +28844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1082,14 @@ +@@ -849,11 +1083,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -28745,7 +28861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -1000,17 +1236,32 @@ +@@ -1000,17 +1237,32 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -28822,8 +28938,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.8/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/application.te 2010-02-02 10:31:03.000000000 -0500 -@@ -7,6 +7,13 @@ ++++ serefpolicy-3.7.8/policy/modules/system/application.te 2010-02-03 09:21:48.000000000 -0500 +@@ -7,6 +7,17 @@ # Executables to be run by user attribute application_exec_type; @@ -28834,6 +28950,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic + +files_dontaudit_search_all_dirs(application_domain_type) + ++optional_policy(` ++ afs_rw_udp_sockets(application_domain_type) ++') ++ optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) 
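Review bot: `afs_rw_udp_sockets(application_domain_type)` in `@@ -28834,6 +28950,10 @@` is an allow on a very broad attribute (judging by the `ssh_sigchld` and `files_dontaudit_search_all_dirs` rules beside it, everything declared through application_domain), so every such domain may read and write the AFS client's UDP sockets, and nothing in the hunk records why. If the trigger was a socket leaked to children the AFS client runs, a dontaudit would remove the noise without granting the access; if a real exchange is needed, a comment such as `# AFS client passes its UDP socket to programs it runs -- TODO confirm` keeps the grant reviewable and lets it be narrowed later to the domains that actually inherit the descriptor. The surrounding application.te rules are plain top-level statements, and the first hunk on this line only updates the inner hunk header and timestamp.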
@@ -29340,20 +29460,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.8/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/init.if 2010-02-02 10:45:19.000000000 -0500 -@@ -162,6 +162,7 @@ ++++ serefpolicy-3.7.8/policy/modules/system/init.if 2010-02-03 15:45:27.000000000 -0500 +@@ -162,8 +162,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; + type init_t; role system_r; attribute daemon; ++ attribute initrc_transition_domain; ') -@@ -174,6 +175,11 @@ + + typeattribute $1 daemon; +@@ -174,6 +176,12 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; ++ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + + # Handle upstart direct transition to a executable + domtrans_pattern(init_t,$2,$1) @@ -29361,15 +29485,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i # daemons started from init will # inherit fds from init for the console -@@ -272,6 +278,7 @@ +@@ -265,6 +273,7 @@ + gen_require(` + type initrc_t; + role system_r; ++ attribute initrc_transition_domain; + ') + + application_domain($1,$2) +@@ -272,6 +281,8 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; ++ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -280,6 +287,36 @@ +@@ -280,6 +291,36 @@ kernel_dontaudit_use_fds($1) ') ') 
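Review bot: The new `allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;` in this hunk, and the identical line in `@@ -29361,15 +29485,24 @@`, are allow rules rather than dontaudits, so every daemon and system domain gains read/write on inherited fifos of any domain carrying the attribute — which `@@ -29488,7 +29621,18 @@` on the next line assigns to every caller of `init_labeled_script_domtrans`, typically an admin shell — giving the started service a writable channel back into its caller's pipeline. Elsewhere in this commit the leaked-descriptor case is handled with `init_dontaudit_script_leaks`, which grants nothing; if a real pipeline needs the write, a comment naming it would let the rule be narrowed later, e.g. `# service writes back to the pipe its initrc caller left open -- TODO name the script`. The interfaces these gen_require blocks belong to (presumably init_daemon_domain and init_system_domain, given the `typeattribute $1 daemon` and `application_domain($1,$2)` context) start before their hunks.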
@@ -29406,7 +29539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -546,7 +583,8 @@ +@@ -546,7 +587,8 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; @@ -29416,7 +29549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -619,18 +657,19 @@ +@@ -619,18 +661,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -29440,7 +29573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -646,23 +685,43 @@ +@@ -646,23 +689,43 @@ # interface(`init_domtrans_script',` gen_require(` @@ -29488,7 +29621,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ## Execute a init script in a specified domain. ## ## -@@ -923,6 +982,24 @@ +@@ -714,8 +777,10 @@ + interface(`init_labeled_script_domtrans',` + gen_require(` + type initrc_t; ++ attribute initrc_transition_domain; + ') + ++ typeattribute $1 initrc_transition_domain; + domtrans_pattern($1, $2, initrc_t) + files_search_etc($1) + ') +@@ -923,6 +988,24 @@ allow $1 init_script_file_type:file read_file_perms; ') @@ -29513,7 +29657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ######################################## ## ## Execute all init scripts in the caller domain. -@@ -1142,7 +1219,7 @@ +@@ -1142,7 +1225,7 @@ type initrc_t; ') @@ -29522,7 +29666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1310,6 +1387,25 @@ +@@ -1310,6 +1393,25 @@ ######################################## ## 
@@ -29548,7 +29692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ## Create files in a init script ## temporary data directory. ## -@@ -1540,3 +1636,75 @@ +@@ -1540,3 +1642,76 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -29617,6 +29761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + ') + + dontaudit $1 initrc_t:tcp_socket { read write }; ++ dontaudit $1 initrc_t:udp_socket { read write }; + dontaudit $1 initrc_t:unix_dgram_socket { read write }; + dontaudit $1 initrc_t:unix_stream_socket { read write }; + dontaudit $1 initrc_t:shm rw_shm_perms; @@ -29626,7 +29771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/init.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/init.te 2010-02-03 15:43:32.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -29648,7 +29793,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # used for direct running of init scripts # by admin domains attribute direct_run_init; -@@ -64,6 +78,7 @@ +@@ -26,6 +40,7 @@ + attribute init_script_domain_type; + attribute init_script_file_type; + attribute init_run_all_scripts_domain; ++attribute initrc_transition_domain; + + # Mark process types as daemons + attribute daemon; +@@ -64,6 +79,7 @@ # of the below init_upstart tunable # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) @@ -29656,7 +29809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -88,7 +103,7 @@ +@@ -88,7 +104,7 @@ # # Use capabilities. old rule: 
@@ -29665,7 +29818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -101,7 +116,8 @@ +@@ -101,7 +117,8 @@ # Re-exec itself can_exec(init_t, init_exec_t) @@ -29675,7 +29828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; -@@ -140,6 +156,7 @@ +@@ -140,6 +157,7 @@ files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) @@ -29683,7 +29836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) -@@ -167,6 +184,8 @@ +@@ -167,6 +185,8 @@ miscfiles_read_localization(init_t) @@ -29692,7 +29845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -189,6 +208,22 @@ +@@ -189,6 +209,22 @@ ') optional_policy(` @@ -29715,7 +29868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t nscd_socket_use(init_t) ') -@@ -202,9 +237,10 @@ +@@ -202,9 +238,10 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -29727,7 +29880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # Allow IPC with self allow initrc_t self:unix_dgram_socket create_socket_perms; -@@ -217,7 +253,8 @@ +@@ -217,7 +254,8 @@ term_create_pty(initrc_t, initrc_devpts_t) # Going to single user mode @@ -29737,7 +29890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t, init_script_file_type) -@@ -230,10 +267,16 @@ +@@ -230,10 +268,16 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -29756,7 +29909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) init_write_initctl(initrc_t) -@@ -246,13 +289,19 @@ +@@ -246,13 +290,19 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -29778,7 +29931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -@@ -272,16 +321,66 @@ +@@ -272,16 +322,66 @@ dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) @@ -29846,7 +29999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -291,7 +390,7 @@ +@@ -291,7 +391,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -29855,7 +30008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -306,14 +405,15 @@ +@@ -306,14 +406,15 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -29873,7 +30026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -324,48 +424,16 @@ +@@ -324,48 +425,16 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -29926,7 +30079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -374,19 +442,22 @@ +@@ -374,19 +443,22 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -29950,7 +30103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -422,16 +493,12 @@ +@@ -422,16 +494,12 @@ # init scripts touch this clock_dontaudit_write_adjtime(initrc_t) @@ -29968,7 +30121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` arpwatch_manage_data_files(initrc_t) -@@ -450,11 +517,9 @@ +@@ -450,11 +518,9 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -29981,7 +30134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # These seem to be from the initrd # during device initialization: dev_create_generic_dirs(initrc_t) -@@ -464,6 +529,7 @@ +@@ -464,6 +530,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) @@ -29989,7 +30142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -492,15 +558,26 @@ +@@ -492,15 +559,26 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -30016,7 +30169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -515,6 +592,33 @@ +@@ -515,6 +593,33 @@ ') ') 
@@ -30050,7 +30203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -567,10 +671,19 @@ +@@ -567,10 +672,19 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30070,7 +30223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -590,6 +703,10 @@ +@@ -590,6 +704,10 @@ ') optional_policy(` @@ -30081,7 +30234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -646,20 +763,20 @@ +@@ -646,20 +764,20 @@ ') optional_policy(` @@ -30108,7 +30261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -668,6 +785,7 @@ +@@ -668,6 +786,7 @@ mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) @@ -30116,7 +30269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -700,7 +818,6 @@ +@@ -700,7 +819,6 @@ ') optional_policy(` @@ -30124,7 +30277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -722,8 +839,6 @@ +@@ -722,8 +840,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -30133,7 +30286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -736,13 +851,16 @@ +@@ -736,13 +852,16 @@ squid_manage_logs(initrc_t) ') @@ -30150,7 +30303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -751,6 +869,7 @@ +@@ -751,6 +870,7 @@ optional_policy(` udev_rw_db(initrc_t) 
@@ -30158,7 +30311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -758,7 +877,17 @@ +@@ -758,7 +878,17 @@ ') optional_policy(` @@ -30176,7 +30329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -768,6 +897,21 @@ +@@ -768,6 +898,21 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -30198,7 +30351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -793,3 +937,31 @@ +@@ -793,3 +938,31 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -30513,7 +30666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.8/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/iptables.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/iptables.te 2010-02-03 08:15:29.000000000 -0500 @@ -14,9 +14,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -30555,7 +30708,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl domain_use_interactive_fds(iptables_t) -@@ -89,6 +89,7 @@ +@@ -76,6 +76,7 @@ + # to allow rules to be saved on reboot: + init_rw_script_tmp_files(iptables_t) + init_rw_script_stream_sockets(iptables_t) ++init_dontaudit_script_leaks(iptables_t) + + logging_send_syslog_msg(iptables_t) + +@@ -89,6 +90,7 @@ optional_policy(` fail2ban_append_log(iptables_t) @@ -30563,7 +30724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') optional_policy(` -@@ -122,5 +123,10 @@ +@@ -122,5 +124,10 @@ ') optional_policy(` 
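Review bot: `init_dontaudit_script_leaks(iptables_t)` in `@@ -30555,7 +30708,15 @@` silences the AVC records for descriptors an init script leaks into iptables_t (the dontaudit list extended in `@@ -29617,6 +29761,7 @@` on L26, presumably this same interface, covers tcp/udp/unix sockets and shm), and those denials are the only trace of the leak. A comment recording what triggered it would keep the suppression reviewable, e.g. `# initrc leaks sockets into iptables during restart -- remove once the script closes them`. The surrounding block is plain top-level iptables_t rules, so nothing is cut off at the hunk edges.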
@@ -30576,7 +30737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.8/policy/modules/system/iscsi.fc --- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/iscsi.fc 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/iscsi.fc 2010-02-03 10:42:23.000000000 -0500 @@ -1,5 +1,10 @@ -/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) @@ -30584,7 +30745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. +/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) + -+/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_lock_t,s0) ++/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) + +/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) @@ -30592,13 +30753,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.8/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/iscsi.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/iscsi.te 2010-02-03 14:44:32.000000000 -0500 @@ -14,6 +14,9 @@ type iscsi_lock_t; files_lock_file(iscsi_lock_t) -+type iscsid_log_t; -+logging_log_file(iscsid_log_t) ++type iscsi_log_t; ++logging_log_file(iscsi_log_t) + type iscsi_tmp_t; files_tmp_file(iscsi_tmp_t) 
@@ -30621,8 +30782,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. -allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; -allow iscsid_t iscsi_tmp_t:file manage_file_perms; -fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file ) -+manage_files_pattern(iscsid_t, iscsid_log_t, iscsid_log_t) -+logging_log_filetrans(iscsid_t, iscsid_log_t, file) ++manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) ++logging_log_filetrans(iscsid_t, iscsi_log_t, file) + +manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) +manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) @@ -31463,7 +31624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.8/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/miscfiles.if 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/miscfiles.if 2010-02-03 15:28:51.000000000 -0500 @@ -73,7 +73,8 @@ # interface(`miscfiles_read_fonts',` @@ -31485,7 +31646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi ') ######################################## -@@ -167,6 +172,70 @@ +@@ -167,6 +172,68 @@ manage_dirs_pattern($1, fonts_t, fonts_t) manage_files_pattern($1, fonts_t, fonts_t) manage_lnk_files_pattern($1, fonts_t, fonts_t) @@ -31546,9 +31707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi + type fonts_cache_t; + ') + -+ # cjp: fonts can be in either of these dirs -+ files_search_usr($1) -+ libs_search_lib($1) ++ files_search_var($1) + + manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t) + manage_files_pattern($1, fonts_cache_t, fonts_cache_t) 
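Review bot: `manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)` in `@@ -30621,8 +30782,8 @@` gives iscsid unlink and rename on its own log type, which lets a compromised daemon truncate or remove the only record of its activity; a daemon that only writes its log needs `create_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)` and `append_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)` next to the `logging_log_filetrans` already present. The rename from iscsid_log_t to iscsi_log_t itself is consistent with the type declaration and the .fc entry on the previous line.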
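Review bot: The replacement `files_search_var($1)` in `@@ -31546,9 +31707,7 @@` drops the `cjp:` comment together with `files_search_usr`/`libs_search_lib`, so the interface no longer says where fonts_cache_t lives, and since the .fc entries are not in this hunk whether /var alone suffices cannot be checked here. A one-line comment such as `# fonts_cache_t is under /var -- TODO confirm against miscfiles.fc` would keep the intent visible. The interface header sits outside the hunk.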
@@ -33260,7 +33419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.8/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/udev.te 2010-02-02 10:31:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/udev.te 2010-02-03 14:21:06.000000000 -0500 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -33297,10 +33456,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') optional_policy(` -@@ -271,6 +277,10 @@ +@@ -271,6 +277,14 @@ ') optional_policy(` ++ usbmuxd_domtrans(udev_t) ++') ++ ++optional_policy(` + unconfined_signal(udev_t) +') + diff --git a/selinux-policy.spec b/selinux-policy.spec index c0c05c8..6deb1f2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.8 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -457,6 +457,9 @@ exit 0 %endif %changelog +* Wed Feb 3 2010 Dan Walsh 3.7.8-7 +- Add mcelog policy + * Mon Feb 1 2010 Dan Walsh 3.7.8-6 - Lots of fixes found in F12