From 34fb1a041bc12db6c423ac8eeeda2be37fbcd51b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 23 2009 19:58:36 +0000 Subject: - Abrt connect to any port --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index bf72b62..5c5f9bf 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -8,7 +8,7 @@ allow_execmod = false # Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = false +allow_execstack = true # Allow ftpd to read cifs directories. # diff --git a/policy-F12.patch b/policy-F12.patch index 472a355..ec1474d 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -1780,7 +1780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2009-10-13 18:03:31.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2009-11-23 11:11:50.000000000 -0500 @@ -82,6 +82,7 @@ selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) @@ -1830,7 +1830,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_user_ttys(passwd_t) term_use_all_user_ptys(passwd_t) -@@ -329,6 +330,7 @@ +@@ -299,6 +300,7 @@ + + # allow checking if a shell is executable + corecmd_check_exec_shell(passwd_t) ++corecmd_exec_bin(passwd_t) + + domain_use_interactive_fds(passwd_t) + +@@ -329,6 +331,7 @@ # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) 
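Review bot: `allow_execstack` flips from `false` to `true` in booleans-targeted.conf, which makes executable stacks the default for every domain of the targeted policy, yet neither the subject line ("Abrt connect to any port") nor anything in the diff says why. A default that relaxes a memory-hardening control should carry its reason on the line, e.g. `# default on: <reason / tracker id to fill in>`, so a later reviewer can tell whether it is still needed. If the intent is only to unbreak one application, an execstack rule in that application's .te file would be the narrower fix.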
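Review bot: `corecmd_exec_bin(passwd_t)` in the new `@@ -299,6 +300,7 @@` hunk lets the passwd domain execute any bin_t program, where the line above it only allowed checking whether a shell is executable. The commit does not say which program passwd now has to run, so a reader cannot judge whether a narrower interface would do. Add a comment naming it, e.g. `# passwd runs <program name to fill in> when ...`, next to the rule.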
@@ -1838,7 +1846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` nscd_domtrans(passwd_t) -@@ -378,6 +380,7 @@ +@@ -378,6 +381,7 @@ fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -1846,7 +1854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_user_ttys(sysadm_passwd_t) term_use_all_user_ptys(sysadm_passwd_t) -@@ -446,6 +449,7 @@ +@@ -446,6 +450,7 @@ corecmd_exec_bin(useradd_t) domain_use_interactive_fds(useradd_t) @@ -1854,7 +1862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -465,18 +469,16 @@ +@@ -465,18 +470,16 @@ selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) @@ -1877,7 +1885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(useradd_t) init_rw_utmp(useradd_t) -@@ -494,10 +496,8 @@ +@@ -494,10 +497,8 @@ userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -1889,7 +1897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mta_manage_spool(useradd_t) -@@ -521,6 +521,12 @@ +@@ -521,6 +522,12 @@ ') optional_policy(` 
@@ -1989,8 +1997,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.6.32/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/chrome.if 2009-10-09 10:13:58.000000000 -0400 -@@ -0,0 +1,85 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.if 2009-11-23 10:05:16.000000000 -0500 +@@ -0,0 +1,86 @@ + +## policy for chrome + @@ -2010,6 +2018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t) ++ ps_process_pattern(chrome_sandbox_t, $1) +') + + @@ -2078,8 +2087,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-11-18 08:12:16.000000000 -0500 -@@ -0,0 +1,74 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-11-23 09:56:16.000000000 -0500 +@@ -0,0 +1,78 @@ +policy_module(chrome,1.0.0) + +######################################## 
@@ -2119,10 +2128,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) +fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file) + ++kernel_read_system_state(chrome_sandbox_t) +kernel_read_kernel_sysctls(chrome_sandbox_t) + +corecmd_exec_bin(chrome_sandbox_t) + ++domain_dontaudit_read_all_domains_state(chrome_sandbox_t) ++ +dev_read_urand(chrome_sandbox_t) + +files_read_etc_files(chrome_sandbox_t) @@ -2130,6 +2142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_rw_user_tmpfs_files(chrome_sandbox_t) +userdom_use_user_ptys(chrome_sandbox_t) +userdom_write_inherited_user_tmp_files(chrome_sandbox_t) ++userdom_read_inherited_user_home_content_files(chrome_sandbox_t) +userdom_dontaudit_use_user_terminals(chrome_sandbox_t) + +miscfiles_read_localization(chrome_sandbox_t) @@ -2168,8 +2181,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.6.32/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-11-12 08:43:37.000000000 -0500 -@@ -0,0 +1,40 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-11-23 08:54:50.000000000 -0500 +@@ -0,0 +1,41 @@ +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) 
@@ -2210,6 +2223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-11-17 09:07:07.000000000 -0500 @@ -2824,7 +2838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.32/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/java.fc 2009-11-18 10:20:59.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/java.fc 2009-11-19 09:59:36.000000000 -0500 @@ -2,15 +2,16 @@ # /opt # @@ -2845,7 +2859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -20,5 +21,16 @@ +@@ -20,5 +21,18 @@ /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) 
@@ -2864,6 +2878,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0) ++ ++/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/apps/java.if 2009-10-23 09:22:39.000000000 -0400 @@ -3076,8 +3092,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te 2009-11-12 08:45:00.000000000 -0500 -@@ -0,0 +1,65 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te 2009-11-23 09:53:01.000000000 -0500 +@@ -0,0 +1,67 @@ +policy_module(kdumpgui,1.0.0) + +######################################## @@ -3127,6 +3143,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +auth_use_nsswitch(kdumpgui_t) + ++logging_send_syslog_msg(kdumpgui_t) ++ +miscfiles_read_localization(kdumpgui_t) + +dontaudit_init_read_all_script_files(kdumpgui_t) 
@@ -3508,7 +3526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-11-09 13:10:04.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-11-20 08:13:03.000000000 -0500 @@ -59,6 +59,7 @@ manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) @@ -3517,7 +3535,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Mozpluggerrc allow mozilla_t mozilla_conf_t:file read_file_perms; -@@ -97,6 +98,7 @@ +@@ -94,9 +95,11 @@ + corenet_tcp_sendrecv_ipp_port(mozilla_t) + corenet_tcp_connect_http_port(mozilla_t) + corenet_tcp_connect_http_cache_port(mozilla_t) ++corenet_tcp_connect_flash_port(mozilla_t) corenet_tcp_connect_ftp_port(mozilla_t) corenet_tcp_connect_ipp_port(mozilla_t) corenet_tcp_connect_generic_port(mozilla_t) @@ -3525,7 +3547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_http_client_packets(mozilla_t) corenet_sendrecv_http_cache_client_packets(mozilla_t) corenet_sendrecv_ftp_client_packets(mozilla_t) -@@ -114,6 +116,8 @@ +@@ -114,6 +117,8 @@ dev_dontaudit_rw_dri(mozilla_t) dev_getattr_sysfs_dirs(mozilla_t) @@ -3534,7 +3556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_runtime_files(mozilla_t) files_read_usr_files(mozilla_t) files_read_etc_files(mozilla_t) -@@ -129,21 +133,18 @@ +@@ -129,21 +134,18 @@ fs_rw_tmpfs_files(mozilla_t) term_dontaudit_getattr_pty_dirs(mozilla_t) 
@@ -3559,7 +3581,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -@@ -231,11 +232,15 @@ +@@ -231,11 +233,15 @@ optional_policy(` dbus_system_bus_client(mozilla_t) dbus_session_bus_client(mozilla_t) @@ -3575,7 +3597,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -256,5 +261,10 @@ +@@ -256,5 +262,10 @@ ') optional_policy(` @@ -3930,7 +3952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-10-05 09:30:27.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-11-20 08:10:34.000000000 -0500 @@ -0,0 +1,295 @@ + +policy_module(nsplugin, 1.0.0) 
@@ -4372,7 +4394,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2009-10-21 07:52:28.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2009-11-19 14:57:46.000000000 -0500 +@@ -18,7 +18,7 @@ + + allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; + allow pulseaudio_t self:fifo_file rw_file_perms; +-allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms; ++allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; + allow pulseaudio_t self:tcp_socket create_stream_socket_perms; + allow pulseaudio_t self:udp_socket create_socket_perms; @@ -26,6 +26,7 @@ can_exec(pulseaudio_t, pulseaudio_exec_t) @@ -4752,8 +4783,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2009-10-29 08:45:14.000000000 -0400 -@@ -0,0 +1,59 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te 2009-11-23 10:38:44.000000000 -0500 +@@ -0,0 +1,60 @@ +policy_module(sambagui,1.0.0) + +######################################## 
@@ -4777,6 +4808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +samba_append_log(sambagui_t) +samba_manage_config(sambagui_t) +samba_manage_var_files(sambagui_t) ++samba_read_secrets(sambagui_t) +samba_initrc_domtrans(sambagui_t) +samba_domtrans_smbd(sambagui_t) +samba_domtrans_nmbd(sambagui_t) @@ -4820,8 +4852,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No types are sandbox_exec_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-11-18 16:21:09.000000000 -0500 -@@ -0,0 +1,187 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-11-21 19:21:01.000000000 -0500 +@@ -0,0 +1,188 @@ + +## policy for sandbox + @@ -4864,6 +4896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit sandbox_xserver_t $1:fifo_file rw_fifo_file_perms; + dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; + dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; ++ allow sandbox_xserver_t $1:unix_stream_socket { read write }; + + allow sandbox_x_domain $1:process { sigchld signal }; + allow sandbox_x_domain sandbox_x_domain:process signal; @@ -6938,7 +6971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-11-18 10:29:18.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-11-23 11:26:09.000000000 -0500 
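Review bot: `samba_read_secrets(sambagui_t)` grants the samba GUI helper read access to the samba secrets store without a comment on which operation needs it. Secrets are the most sensitive data the samba module protects, and the neighbouring lines only manage config and var files, so the rule should state why a configuration front-end must read them, e.g. `# <operation to fill in> reads the samba secrets`. Without that, the grant cannot be narrowed or dropped later.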
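Review bot: `allow sandbox_xserver_t $1:unix_stream_socket { read write };` is the only `allow` in a run of `dontaudit` rules for the same two domains, and nothing says why the stream-socket case must be a real grant while fifo, tcp and udp access stays silently denied. A one-line comment would keep the next reader from "fixing" it back to dontaudit, e.g. `# real grant, not dontaudit: <reason to fill in>`.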
@@ -110,6 +110,11 @@ ## # @@ -7221,7 +7254,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -4955,7 +5129,7 @@ +@@ -4686,6 +4860,24 @@ + + ######################################## + ## ++## Do not audit attempts to getattr daemon runtime data files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_getattr_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ dontaudit $1 pidfile:file getattr; ++') ++ ++######################################## ++## + ## Do not audit attempts to ioctl daemon runtime data files. + ## + ## +@@ -4955,7 +5147,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting @@ -7230,7 +7288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4977,12 +5151,15 @@ +@@ -4977,12 +5169,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -7247,7 +7305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -5003,3 +5180,173 @@ +@@ -5003,3 +5198,173 @@ typeattribute $1 files_unconfined_type; ') @@ -7821,7 +7879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Rules for all filesystem types diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.32/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2009-11-18 17:03:54.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2009-11-23 09:55:59.000000000 -0500 
@@ -485,6 +485,25 @@ ######################################## @@ -7886,7 +7944,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2621,6 +2662,24 @@ +@@ -1878,6 +1919,24 @@ + + ######################################## + ## ++## Mount a kernel unlabeled filesystem. ++## ++## ++## ++## The type of the domain mounting the filesystem. ++## ++## ++# ++interface(`kernel_mount_unlabeled',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:filesystem mount; ++') ++ ++######################################## ++## + ## Send general signals to unlabeled processes. + ## + ## +@@ -2621,6 +2680,24 @@ ######################################## ## @@ -7911,7 +7994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Unconfined access to kernel module resources. ## ## -@@ -2636,3 +2695,22 @@ +@@ -2636,3 +2713,22 @@ typeattribute $1 kern_unconfined; ') @@ -8139,7 +8222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-11-09 13:31:28.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-11-23 11:44:39.000000000 -0500 @@ -196,7 +196,7 @@ dev_list_all_dev_nodes($1) 
@@ -8224,6 +8307,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +@@ -1011,8 +1051,10 @@ + interface(`term_dontaudit_use_unallocated_ttys',` + gen_require(` + type tty_device_t; ++ type console_device_t; + ') + ++ dontaudit $1 console_device_t:chr_file rw_chr_file_perms; + dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.6.32/policy/modules/kernel/terminal.te --- nsaserefpolicy/policy/modules/kernel/terminal.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/kernel/terminal.te 2009-09-30 16:12:48.000000000 -0400 @@ -9426,8 +9520,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-11-18 16:33:39.000000000 -0500 -@@ -0,0 +1,426 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-11-20 08:01:26.000000000 -0500 +@@ -0,0 +1,427 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -9489,6 +9583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +dontaudit unconfined_t self:dir write; ++dontaudit unconfined_t self:file setattr; + +allow unconfined_t self:system syslog_read; +dontaudit unconfined_t self:capability sys_module; 
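Review bot: `term_dontaudit_use_unallocated_ttys` now also dontaudits `console_device_t:chr_file rw_chr_file_perms`, so every existing caller of this interface silently stops auditing console access as well, while the interface name (and its summary, which lies outside the hunk) still speaks only of unallocated ttys. Denials on the console are often the first sign that a daemon inherited a console fd it should not have, so the broader scope should at least be stated in the interface summary, or placed in a separate console-specific interface that callers opt into. The interface body starts outside the hunk.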
@@ -10007,7 +10102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-10-21 11:43:32.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-11-20 08:11:54.000000000 -0500 @@ -31,16 +31,37 @@ userdom_restricted_xwindows_user_template(xguest) @@ -10067,7 +10162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -75,9 +101,16 @@ +@@ -75,9 +101,17 @@ ') optional_policy(` @@ -10080,6 +10175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + networkmanager_read_var_lib_files(xguest_t) + corenet_tcp_connect_pulseaudio_port(xguest_t) + corenet_tcp_connect_ipp_port(xguest_t) ++ corenet_tcp_connect_http_port(xguest_t) ') ') @@ -10233,7 +10329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-18 16:55:47.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-23 13:56:57.000000000 -0500 @@ -33,12 +33,23 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) 
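Review bot: `corenet_tcp_connect_http_port(xguest_t)` is added inside a block whose opening lies outside the hunk, so it is not visible whether the rule sits under the role's network tunable (`xguest_connect_network`) or is unconditional. xguest is the restricted guest role, and outbound HTTP from it should stay gated by the same tunable as the rest of its network access; if this block turns out to be an unconditional `optional_policy`, move the line under the tunable.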
@@ -10255,7 +10351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # -allow abrt_t self:capability { setuid setgid sys_nice dac_override }; -+allow abrt_t self:capability { chown setuid setgid sys_nice dac_override }; ++allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; allow abrt_t self:process { signal signull setsched getsched }; allow abrt_t self:fifo_file rw_fifo_file_perms; @@ -10306,7 +10402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(abrt_t) -@@ -96,22 +118,60 @@ +@@ -96,22 +118,64 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10320,6 +10416,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ nis_use_ypbind(abrt_t) ++') ++ ++optional_policy(` + nsplugin_read_rw_files(abrt_t) + nsplugin_read_home(abrt_t) +') @@ -10661,7 +10761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-11-18 10:24:30.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-11-23 11:03:53.000000000 -0500 @@ -1,12 +1,16 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
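Review bot: adding `kill` to `allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }` lets abrtd signal processes owned by other users, which goes beyond the `self:process { signal signull setsched getsched }` rule below it, and the commit does not say which process it needs to signal. For a crash-collection daemon that is a broad capability; record the reason on the line, e.g. `# kill: abrtd signals <target to fill in>`, so the grant can be narrowed if the need goes away.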
@@ -11387,7 +11487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-10-30 16:16:22.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-11-23 11:24:47.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -11629,8 +11729,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(httpd_t) -@@ -358,6 +421,10 @@ +@@ -356,8 +419,13 @@ + files_read_etc_files(httpd_t) + # for tomcat files_read_var_lib_symlinks(httpd_t) ++files_dontaudit_getattr_all_pids(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) +# php uploads a file to /tmp and then execs programs to acton them @@ -11640,7 +11743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_read_lib_files(httpd_t) -@@ -372,18 +439,33 @@ +@@ -372,18 +440,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -11678,7 +11781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -391,32 +473,70 @@ +@@ -391,32 +474,70 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -11754,7 +11857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -424,11 +544,23 @@ +@@ -424,11 +545,23 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -11778,7 +11881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -451,6 +583,14 @@ +@@ -451,6 +584,14 @@ ') optional_policy(` 
@@ -11793,7 +11896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(httpd_t, httpd_exec_t) ') -@@ -459,8 +599,13 @@ +@@ -459,8 +600,13 @@ ') optional_policy(` @@ -11809,7 +11912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -468,22 +613,19 @@ +@@ -468,22 +614,19 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) @@ -11835,7 +11938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -494,12 +636,23 @@ +@@ -494,12 +637,23 @@ ') optional_policy(` @@ -11859,7 +11962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -508,6 +661,7 @@ +@@ -508,6 +662,7 @@ ') optional_policy(` @@ -11867,7 +11970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +689,23 @@ +@@ -535,6 +690,23 @@ userdom_use_user_terminals(httpd_helper_t) @@ -11891,7 +11994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -564,20 +735,25 @@ +@@ -564,20 +736,25 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -11923,7 +12026,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -595,23 +771,24 @@ +@@ -595,23 +772,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) 
@@ -11952,7 +12055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -624,6 +801,7 @@ +@@ -624,6 +802,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -11960,7 +12063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -631,22 +809,31 @@ +@@ -631,22 +810,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) @@ -11999,7 +12102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,15 +859,14 @@ +@@ -672,15 +860,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -12018,7 +12121,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +885,24 @@ +@@ -699,12 +886,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -12045,7 +12148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +910,35 @@ +@@ -712,6 +911,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -12081,7 +12184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +951,10 @@ +@@ -724,6 +952,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) 
@@ -12092,7 +12195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +966,8 @@ +@@ -735,6 +967,8 @@ # httpd_rotatelogs local policy # @@ -12101,7 +12204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,11 +987,88 @@ +@@ -754,11 +988,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -12216,6 +12319,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: related to sleep/resume (?) optional_policy(` xserver_domtrans(apmd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te +--- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2009-11-19 09:58:31.000000000 -0500 +@@ -34,6 +34,7 @@ + allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; + allow arpwatch_t self:udp_socket create_socket_perms; + allow arpwatch_t self:packet_socket create_socket_perms; ++allow arpwatch_t self:socket create_socket_perms; + + manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) + manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.6.32/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/asterisk.if 2009-11-09 12:03:06.000000000 -0500 
@@ -12248,7 +12362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-11-09 12:04:26.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-11-23 13:38:23.000000000 -0500 @@ -34,6 +34,8 @@ type asterisk_var_run_t; files_pid_file(asterisk_var_run_t) @@ -12266,6 +12380,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_asterisk_server_packets(asterisk_t) # for VOIP voice channels. corenet_tcp_bind_generic_port(asterisk_t) +@@ -107,6 +110,7 @@ + dev_read_sysfs(asterisk_t) + dev_read_sound(asterisk_t) + dev_write_sound(asterisk_t) ++dev_read_urand(asterisk_t) + + domain_use_interactive_fds(asterisk_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.32/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/automount.te 2009-11-09 08:40:15.000000000 -0500 
@@ -13316,8 +13438,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.6.32/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2009-11-13 09:25:10.000000000 -0500 -@@ -0,0 +1,107 @@ ++++ serefpolicy-3.6.32/policy/modules/services/corosync.te 2009-11-23 13:51:19.000000000 -0500 +@@ -0,0 +1,109 @@ + +policy_module(corosync,1.0.0) + @@ -13409,6 +13531,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +logging_send_syslog_msg(corosync_t) + ++userdom_rw_user_tmpfs_files(corosync_t) ++ +# to communication with RHCS +dlm_controld_manage_tmpfs_files(corosync_t) +dlm_controld_rw_semaphores(corosync_t) @@ -14414,7 +14538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 devicekit_t:process { ptrace signal_perms getattr }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.32/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2009-11-14 00:17:13.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2009-11-19 16:38:40.000000000 -0500 @@ -36,12 +36,15 @@ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) @@ -14506,7 +14630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` -+ virt_read_images(devicekit_disk_t) ++ virt_manage_images(devicekit_disk_t) +') + +optional_policy(` 
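Review bot: `userdom_rw_user_tmpfs_files(corosync_t)` is added without a comment, and it is the only rule in this hunk that reaches from the cluster daemon into the tmpfs objects of every unprivileged user domain, with both read and write, so it deserves at least the justification the RHCS lines below it carry. If the access is for one specific client that runs in a user domain, a per-domain interface in the style of `dlm_controld_manage_tmpfs_files(corosync_t)` would be narrower than all user tmpfs files. At minimum add `# <client> shares tmpfs memory created in a user domain - confirm from the AVC denial` above the line.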
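Review bot: The change from `virt_read_images(devicekit_disk_t)` to `virt_manage_images(devicekit_disk_t)` widens the daemon from reading virtual-machine image files to creating, writing and deleting them, with no comment recording which operation failed under read-only access. A short justification such as `# devicekit-disks writes to VM images when <operation> - confirm from the denial` makes the write/unlink half of manage reviewable later.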
@@ -15444,7 +15568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.32/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/gpsd.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/gpsd.te 2009-11-23 11:58:23.000000000 -0500 @@ -11,15 +11,21 @@ application_domain(gpsd_t, gpsd_exec_t) init_daemon_domain(gpsd_t, gpsd_exec_t) @@ -15464,7 +15588,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # -allow gpsd_t self:capability { setuid sys_nice setgid fowner }; -+allow gpsd_t self:capability { fsetid setuid sys_nice setgid fowner }; ++allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config }; allow gpsd_t self:process setsched; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -16212,8 +16336,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mysql_write_log(mysqld_safe_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2009-10-23 08:00:38.000000000 -0400 -@@ -1,16 +1,22 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2009-11-23 14:11:15.000000000 -0500 +@@ -1,16 +1,26 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) 
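Review bot: The rewritten capability line for gpsd_t adds `sys_tty_config` with no comment, and because the whole set is replaced in one line the addition is easy to miss in review. Add a why-comment naming the call that needed it, e.g. `# sys_tty_config: <tty operation from the AVC denial>`, above `allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };`.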
@@ -16229,10 +16353,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +#/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:nagios_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) ++ +/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) + ifdef(`distro_debian',` @@ -16243,7 +16371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.32/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2009-10-29 17:36:24.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.if 2009-11-23 14:10:20.000000000 -0500 @@ -64,7 +64,7 @@ ######################################## 
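Review bot: The new file context `/var/run/nagios.*` is looser than the sibling entries: `.*` with no separator matches every path under /var/run whose name merely begins with `nagios`, not only Nagios' own runtime files, and the unescaped dot is a regex wildcard rather than a literal. If the targets are files named `nagios.<suffix>`, `/var/run/nagios\.[^/]*` is tighter; if a directory is meant, the `(/.*)?` form used in the same hunk for `/var/spool/nagios` fits.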
@@ -16304,11 +16432,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`nagios_read_log',` + gen_require(` -+ type nagios_var_log_t; ++ type nagios_log_t; + ') + + logging_search_logs($1) -+ read_files_pattern($1, nagios_var_log_t, nagios_var_log_t) ++ read_files_pattern($1, nagios_log_t, nagios_log_t) +') + +######################################## @@ -16364,7 +16492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-11-18 16:57:21.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-11-23 14:23:38.000000000 -0500 @@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) 
@@ -16392,17 +16520,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -33,6 +35,9 @@ +@@ -33,6 +35,16 @@ type nrpe_etc_t; files_config_file(nrpe_etc_t) +type nrpe_var_run_t; +files_pid_file(nrpe_var_run_t) + ++type nagios_checkdisk_plugin_t; ++type nagios_checkdisk_plugin_exec_t; ++application_domain(nagios_checkdisk_plugin_t, nagios_checkdisk_plugin_exec_t) ++role system_r types nagios_checkdisk_plugin_t; ++ ++permissive nagios_checkdisk_plugin_t; ++ ######################################## # # Nagios local policy -@@ -60,6 +65,8 @@ +@@ -45,6 +57,9 @@ + allow nagios_t self:tcp_socket create_stream_socket_perms; + allow nagios_t self:udp_socket create_socket_perms; + ++# needed by command.cfg ++can_exec(nagios_t, nagios_checkdisk_plugin_exec_t) ++ + read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) + read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) + allow nagios_t nagios_etc_t:dir list_dir_perms; +@@ -60,6 +75,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) @@ -16411,7 +16556,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) -@@ -127,52 +134,57 @@ +@@ -86,6 +103,7 @@ + files_read_etc_files(nagios_t) + files_read_etc_runtime_files(nagios_t) + files_read_kernel_symbol_table(nagios_t) ++files_search_spool(nagios_t) + + fs_getattr_all_fs(nagios_t) + fs_search_auto_mountpoints(nagios_t) +@@ -127,52 +145,59 @@ # # Nagios CGI local policy # 
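Review bot: `can_exec(nagios_t, nagios_checkdisk_plugin_exec_t)` runs the check_disk/check_ide_smart binaries inside nagios_t, while the next hunk gives nrpe_t a `domtrans_pattern` into the new nagios_checkdisk_plugin_t for the same binaries, so the raw-disk rules confined to that domain do not apply when Nagios launches the plugin from command.cfg. If the plugin needs the same access on both paths, `domtrans_pattern(nagios_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)` keeps the privilege in one domain instead of inviting those rules into nagios_t later. Separately, `permissive nagios_checkdisk_plugin_t;` means denials for the new domain are logged but not enforced, so none of its rules are exercised in enforcing mode; mark it as temporary, e.g. `# bring-up only: drop once the plugin rules are complete`.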
@@ -16480,6 +16633,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow nrpe_t self:tcp_socket create_stream_socket_perms; -allow nrpe_t nrpe_etc_t:file read_file_perms; ++domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) ++ +read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) files_search_etc(nrpe_t) @@ -16494,7 +16649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -183,15 +195,19 @@ +@@ -183,15 +208,19 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) @@ -16514,6 +16669,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(nrpe_t) optional_policy(` +@@ -209,3 +238,22 @@ + optional_policy(` + udev_read_db(nrpe_t) + ') ++ ++####################################### ++# ++# nagios check_disk and check_ide_smart plugin local policy ++# ++ ++# needed by ioctl() ++allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; ++ ++# leaked file descriptor ++dontaudit nagios_checkdisk_plugin_t nrpe_t:tcp_socket { read write }; ++ ++files_read_etc_runtime_files(nagios_checkdisk_plugin_t) ++ ++fs_getattr_all_fs(nagios_checkdisk_plugin_t) ++ ++storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) ++ ++miscfiles_read_localization(nagios_checkdisk_plugin_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.32/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc 2009-11-17 08:38:54.000000000 -0500 
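Review bot: `allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };` grants sys_admin, the broadest capability, and the comment `# needed by ioctl()` does not say which ioctl. Naming it from the AVC denial lets a later pass test whether `sys_rawio` alone is sufficient for the raw disk reads granted by `storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)` below; e.g. `# <ioctl name> on the raw disk device (check_ide_smart) - confirm whether sys_admin is really required`. The `dontaudit nagios_checkdisk_plugin_t nrpe_t:tcp_socket { read write };` for the leaked descriptor is the right treatment, since the plugin should not be using nrpe's client socket.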
@@ -17532,19 +17710,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.32/policy/modules/services/nx.fc --- nsaserefpolicy/policy/modules/services/nx.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-09-30 16:12:48.000000000 -0400 -@@ -1,6 +1,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-11-23 10:16:36.000000000 -0500 +@@ -1,6 +1,8 @@ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) - +- ++/opt/NX/home/nx(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) /opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) +/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) ++/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) /opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nx.if 2009-09-30 16:12:48.000000000 -0400 -@@ -17,3 +17,22 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nx.if 2009-11-20 10:16:31.000000000 -0500 +@@ -17,3 +17,70 @@ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) ') 
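Review bot: `/opt/NX/home/nx(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)` labels the whole nx account home with a type whose name, and whose consumer `nx_read_home_files` in the next hunk, describe `.ssh` content, so every domain granted that interface now reads everything under the home rather than only the key material it was written for. If the broader access is intended, a separate type for the non-ssh part of the home (constructed name: `nx_server_home_t`) keeps the key directory distinguishable; otherwise drop this line and keep the two `\.ssh(/.*)?` entries. The unescaped dot in the retained `/var/lib/nxserver/home/.ssh(/.*)?` line also differs from `/opt/NX/home/nx/\.ssh(/.*)?` directly above it.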
@@ -17561,26 +17741,88 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`nx_read_home_files',` + gen_require(` -+ type nx_server_home_ssh_t; ++ type nx_server_home_ssh_t, nx_server_var_lib_t; + ') + ++ allow $1 nx_server_var_lib_t:dir search_dir_perms; + read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) + read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) +') ++ ++######################################## ++## ++## Read nx home directory content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nx_search_var_lib',` ++ gen_require(` ++ type nx_server_var_lib_t; ++ ') ++ ++ allow $1 nx_server_var_lib_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Create an object in the root directory, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. 
++## ++## ++# ++interface(`nx_var_lib_filetrans',` ++ gen_require(` ++ type nx_server_var_lib_t; ++ ') ++ ++ filetrans_pattern($1, nx_server_var_lib_t, $2, $3) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.32/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nx.te 2009-09-30 16:12:48.000000000 -0400 -@@ -25,6 +25,9 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nx.te 2009-11-20 10:16:31.000000000 -0500 +@@ -25,6 +25,12 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) ++type nx_server_var_lib_t; ++files_type(nx_server_var_lib_t) ++ +type nx_server_home_ssh_t; +files_type(nx_server_home_ssh_t) + ######################################## # # NX server local policy -@@ -44,6 +47,9 @@ +@@ -37,6 +43,10 @@ + allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr }; + term_create_pty(nx_server_t, nx_server_devpts_t) + ++manage_files_pattern(nx_server_t, nx_server_var_lib_t,nx_server_var_lib_t) ++manage_dirs_pattern(nx_server_t, nx_server_var_lib_t,nx_server_var_lib_t) ++files_var_lib_filetrans(nx_server_t,nx_server_var_lib_t, { file dir }) ++ + manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) + manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) + files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir }) +@@ -44,6 +54,9 @@ manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) 
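Review bot: The summaries of the two new interfaces are copy-paste leftovers: `nx_search_var_lib` is documented as `## Read nx home directory content` and `nx_var_lib_filetrans` as `## Create an object in the root directory, with a private type using a type transition.`, neither of which matches the bodies (a search on `nx_server_var_lib_t` and a `filetrans_pattern` into it). Replace them with `## Search nx var lib directories.` and `## Create an object in the nx var lib directory, with a private type using a type transition.`. In the nx.te part of the hunk, `manage_files_pattern(nx_server_t, nx_server_var_lib_t,nx_server_var_lib_t)`, the `manage_dirs_pattern` line and `files_var_lib_filetrans(nx_server_t,nx_server_var_lib_t, { file dir })` lack the space after the comma that every neighbouring call uses.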
@@ -20849,7 +21091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.6.32/policy/modules/services/rtkit.te --- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/rtkit.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/rtkit.te 2009-11-23 11:53:16.000000000 -0500 @@ -17,9 +17,11 @@ allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; @@ -20862,6 +21104,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_read_all_domains_state(rtkit_daemon_t) fs_rw_anon_inodefs_files(rtkit_daemon_t) +@@ -28,7 +30,7 @@ + + logging_send_syslog_msg(rtkit_daemon_t) + +-miscfiles_read_localization(locale_t) ++miscfiles_read_localization(rtkit_daemon_t) + + optional_policy(` + policykit_dbus_chat(rtkit_daemon_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.32/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/samba.fc 2009-09-30 16:12:48.000000000 -0400 
@@ -22130,6 +22381,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(snmpd_t) dev_read_sysfs(snmpd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.32/policy/modules/services/snort.te +--- nsaserefpolicy/policy/modules/services/snort.te 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/snort.te 2009-11-23 10:22:20.000000000 -0500 +@@ -37,6 +37,7 @@ + allow snort_t self:tcp_socket create_stream_socket_perms; + allow snort_t self:udp_socket create_socket_perms; + allow snort_t self:packet_socket create_socket_perms; ++allow snort_t self:socket create_socket_perms; + # Snort IPS node. unverified. + allow snort_t self:netlink_firewall_socket { bind create getattr }; + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.32/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/spamassassin.fc 2009-09-30 16:12:48.000000000 -0400 @@ -24353,7 +24615,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-10-30 07:58:49.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-11-20 10:11:50.000000000 -0500 @@ -3,12 +3,19 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) 
@@ -24409,7 +24671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,16 +93,31 @@ +@@ -89,17 +93,36 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -24417,19 +24679,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) ++ ++/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -+/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -+ +/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -+ -+/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) ++/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) ++ +/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) 
@@ -24444,6 +24706,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) + ') ++ ++ ++/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) ++/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-11-10 16:23:46.000000000 -0500 @@ -25319,7 +25586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-11-09 15:38:27.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-11-20 16:23:32.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -25458,7 +25725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -250,23 +269,28 @@ +@@ -250,25 +269,30 @@ # Xauth local policy # @@ -25488,8 +25755,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_pids(xauth_t) +files_dontaudit_getattr_all_dirs(xauth_t) - fs_getattr_xattr_fs(xauth_t) +-fs_getattr_xattr_fs(xauth_t) ++fs_getattr_all_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) + + # cjp: why? @@ -279,6 +303,11 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) 
@@ -25502,7 +25772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_xdm_tmp_files(xauth_t) tunable_policy(`use_nfs_home_dirs',` -@@ -289,6 +318,11 @@ +@@ -289,6 +318,15 @@ fs_manage_cifs_files(xauth_t) ') @@ -25511,10 +25781,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_dontaudit_rw_dri(xauth_t) +') + ++optional_policy(` ++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) ++') ++ optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -300,20 +334,31 @@ +@@ -300,20 +338,31 @@ # XDM Local policy # @@ -25549,7 +25823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,26 +370,43 @@ +@@ -325,26 +374,43 @@ # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) @@ -25600,7 +25874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +420,7 @@ +@@ -358,6 +424,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -25608,7 +25882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,10 +429,14 @@ +@@ -366,10 +433,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
@@ -25624,7 +25898,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -389,11 +456,13 @@ +@@ -389,11 +460,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -25638,7 +25912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +470,7 @@ +@@ -401,6 +474,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -25646,7 +25920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +483,17 @@ +@@ -413,14 +487,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -25666,7 +25940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +504,13 @@ +@@ -431,9 +508,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -25680,7 +25954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +519,7 @@ +@@ -442,6 +523,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -25688,7 +25962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +528,7 @@ +@@ -450,6 +532,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) 
@@ -25696,7 +25970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +539,12 @@ +@@ -460,10 +543,12 @@ logging_read_generic_logs(xdm_t) @@ -25711,7 +25985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,6 +553,10 @@ +@@ -472,6 +557,10 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -25722,7 +25996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,10 +589,12 @@ +@@ -504,10 +593,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -25735,7 +26009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +602,47 @@ +@@ -515,12 +606,47 @@ ') optional_policy(` @@ -25783,7 +26057,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +664,38 @@ +@@ -542,6 +668,38 @@ ') optional_policy(` @@ -25822,7 +26096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +704,9 @@ +@@ -550,8 +708,9 @@ ') optional_policy(` @@ -25834,7 +26108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +715,6 @@ +@@ -560,7 +719,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -25842,7 +26116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +725,10 @@ +@@ -571,6 +729,10 @@ ') optional_policy(` 
@@ -25853,7 +26127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,10 +745,9 @@ +@@ -587,10 +749,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -25865,7 +26139,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -602,9 +759,12 @@ +@@ -602,9 +763,12 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -25878,7 +26152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +776,14 @@ +@@ -616,13 +780,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -25894,7 +26168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +796,19 @@ +@@ -635,9 +800,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -25914,7 +26188,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -671,7 +842,6 @@ +@@ -671,7 +846,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -25922,7 +26196,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -681,9 +851,12 @@ +@@ -681,9 +855,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -25936,7 +26210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -698,8 +871,12 @@ +@@ -698,8 +875,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -25949,7 +26223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -721,6 +898,7 @@ +@@ -721,6 +902,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -25957,7 +26231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -743,7 +921,7 @@ +@@ -743,7 +925,7 @@ ') ifdef(`enable_mls',` @@ -25966,7 +26240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -775,12 +953,20 @@ +@@ -775,12 +957,20 @@ ') optional_policy(` @@ -25988,7 +26262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -807,12 +993,12 @@ +@@ -807,12 +997,12 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; 
@@ -26005,7 +26279,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read; -@@ -828,9 +1014,14 @@ +@@ -828,9 +1018,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -26020,7 +26294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -845,11 +1036,14 @@ +@@ -845,11 +1040,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -26036,7 +26310,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -882,6 +1076,8 @@ +@@ -882,6 +1080,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -26045,7 +26319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -906,6 +1102,8 @@ +@@ -906,6 +1106,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -26054,7 +26328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -973,17 +1171,49 @@ +@@ -973,17 +1175,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -28021,7 +28295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive kdump_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-11-18 16:59:43.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-11-23 12:09:13.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -28130,7 +28404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,12 +181,12 @@ +@@ -168,12 +181,13 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php @@ -28138,6 +28412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
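Review bot: The new `++/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so` entry in the `@@ -28138,6 +28412,7 @@` hunk leaves the dot before `so` unescaped, so as a regex it also matches any single character in that position; the neighbouring entries in this block escape it (`/usr/lib/libFLAC\.so.*`, `/usr/lib/mozilla/plugins/nppdf\.so`). `libqfaservices\.so` keeps the intent and the file's convention. The pre-existing `firefox-[^/]*/plugins/nppdf.so` line beside it has the same unescaped dot but is not part of this change. Since the entry assigns `textrel_shlib_t`, the label used for objects that need text relocations, matching exactly the intended file is worth the one character.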
@@ -28145,7 +28420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -185,15 +198,10 @@ +@@ -185,15 +199,10 @@ /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -28162,7 +28437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -228,31 +236,17 @@ +@@ -228,31 +237,17 @@ /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -28198,9 +28473,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -268,8 +262,8 @@ +@@ -267,9 +262,10 @@ + /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/vmware/lib(/.*)?/libvmware-gksu.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -# RPM Fusion, refpolicy ticket #48 -/usr/lib(64)?/libavfilter.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -28209,7 +28486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -295,6 +289,8 @@ +@@ -295,6 +291,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -28218,7 +28495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +303,101 @@ +@@ -307,10 +305,107 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) 
@@ -28286,6 +28563,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libADM_coreImage\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ +ifdef(`fixed',` +/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -28302,9 +28584,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
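Review bot: The `HOME_DIR/\.gstreamer-.*/plugins/.*\.so.*` entry added above `ifdef(`fixed',`` in the `@@ -28286,6 +28563,11 @@` hunk labels a user-writable home-directory path `textrel_shlib_t` unconditionally, whereas the copy removed in the `@@ -28302,9 +28584,6 @@` hunk sat after that `ifdef` (unless the block closes in the ten lines between the two hunks, which are not shown). `textrel_shlib_t` is the label that lets domains holding `execmod` on it apply text relocations to a file, so extending it to objects any user can create under their own home is a relaxation that deserves a why-comment, e.g. `# user-writable plugin dir: any domain allowed execmod on textrel_shlib_t gets it here`. Upstream carried a similar `HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.*` line that this patch drops in the `@@ -28138,6 +28412,7 @@` hunk, so this looks like parity with a corrected regex rather than new exposure; saying so in the comment would settle it for the next reader.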
@@ -28320,6 +28599,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +') ++/opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-10-20 14:41:55.000000000 -0400 @@ -29288,7 +29571,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2009-11-13 07:48:33.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2009-11-19 14:07:20.000000000 -0500 @@ -18,8 +18,12 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -29326,7 +29609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow mount_t mount_loopback_t:file read_file_perms; -@@ -47,21 +59,37 @@ +@@ -47,21 +59,38 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) 
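Review bot: The four lines appended in the `@@ -28320,6 +28599,10 @@` hunk land directly after the `+')` that closes the preceding conditional block, with no blank line before `/opt/Komodo-Edit-5/...` even though each new entry is followed by one; the rest of this file separates groups with a blank line on both sides. Both new paths are pinned to a release (`Komodo-Edit-5`, `python2.6`), so the labelling silently stops applying after an upgrade; if broader matching is wanted, `/opt/Komodo-Edit-[^/]*/lib/python/lib/python[^/]*/lib-dynload/.*\.so(\.[^/]*)*` would follow the `firefox-[^/]*` convention used elsewhere in this file. A short comment naming why these objects need `textrel_shlib_t`, in the style of `# Java, Sun Microsystems (JPackage SRPM)` above, would match the surrounding entries.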
@@ -29336,11 +29619,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_var_filetrans(mount_t,mount_var_run_t,dir) + +# In order to mount reiserfs_t ++kernel_dontaudit_getattr_core_if(mount_t) +kernel_list_unlabeled(mount_t) ++kernel_mount_unlabeled(mount_t) kernel_read_system_state(mount_t) +kernel_read_network_state(mount_t) kernel_read_kernel_sysctls(mount_t) - kernel_dontaudit_getattr_core_if(mount_t) +-kernel_dontaudit_getattr_core_if(mount_t) +kernel_search_debugfs(mount_t) +kernel_setsched(mount_t) +kernel_use_fds(mount_t) @@ -29364,7 +29649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_all(mount_t) files_read_etc_files(mount_t) -@@ -70,7 +98,7 @@ +@@ -70,7 +99,7 @@ files_mounton_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: @@ -29373,7 +29658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -80,15 +108,17 @@ +@@ -80,15 +109,17 @@ files_read_usr_files(mount_t) files_list_mnt(mount_t) @@ -29394,7 +29679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) -@@ -99,6 +129,7 @@ +@@ -99,6 +130,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -29402,7 +29687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms(mount_t) -@@ -107,6 +138,8 @@ +@@ -107,6 +139,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) 
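Review bot: `++kernel_mount_unlabeled(mount_t)` and the relocated `++kernel_dontaudit_getattr_core_if(mount_t)` in the `@@ -29336,11 +29619,13 @@` hunk are inserted directly under `# In order to mount reiserfs_t`, a comment written for `kernel_list_unlabeled(mount_t)` that explains neither newcomer. `kernel_mount_unlabeled` presumably grants `mount` on filesystems carrying the unlabeled type, a broader right than listing them, so a one-line reason such as `# mount filesystems that carry no SELinux label (unlabeled_t)` above it would help, and the dontaudit line would read better with its own comment or outside the reiserfs group. The mount_t rule block these lines belong to starts and ends outside the hunk.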
@@ -29411,7 +29696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(mount_t) -@@ -117,6 +150,7 @@ +@@ -117,6 +151,7 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -29419,7 +29704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` optional_policy(` -@@ -132,6 +166,10 @@ +@@ -132,6 +167,10 @@ ') ') @@ -29430,7 +29715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t) -@@ -165,6 +203,8 @@ +@@ -165,6 +204,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -29439,7 +29724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -172,6 +212,25 @@ +@@ -172,6 +213,25 @@ ') optional_policy(` @@ -29465,7 +29750,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +238,11 @@ +@@ -179,6 +239,11 @@ ') ') @@ -29477,7 +29762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +250,7 @@ +@@ -186,6 +251,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -29485,7 +29770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -195,5 +260,8 @@ +@@ -195,5 +261,8 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) 
@@ -31713,7 +31998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-18 17:04:34.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-23 14:09:35.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -33411,7 +33696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3396,578 @@ +@@ -3064,3 +3396,597 @@ allow $1 userdomain:dbus send_msg; ') @@ -33974,6 +34259,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Read files inherited ++## in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_inherited_user_home_content_files',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:file { getattr read }; ++') ++ ++######################################## ++## +## Append files inherited +## in a user tmp files. +## diff --git a/selinux-policy.spec b/selinux-policy.spec index dec9df4..3cf08fb 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 47%{?dist} +Release: 48%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
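Review bot: The new `userdom_read_inherited_user_home_content_files` interface in the `@@ -33974,6 +34259,25 @@` hunk allows `{ getattr read }` on `user_home_type:file` without `open`, which is what makes it inherited-only (only descriptors already handed to the domain can be read), but the summary `## Read files inherited ## in a user home subdirectory.` does not say so and a reader may assume the domain can open home files itself. Suggest `## Read user home content files whose descriptor was inherited; no open permission is granted.` If the policy's permission sets define `read_inherited_file_perms`, using it instead of the literal set would keep this aligned with the other inherited-read interfaces. If `user_home_type` covers all user home content types, "in a user home subdirectory" understates the scope.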
@@ -445,6 +445,10 @@ exit 0 %endif %changelog +* Fri Nov 20 2009 Dan Walsh 3.6.32-48 +- Abrt connect to any port + + * Tue Nov 17 2009 Dan Walsh 3.6.32-47 - Make mozilla call in execmem.if optional to fix build of minimum install - Allow uucpd to execute shells and send mail