From 4e42f3a511d7e93d4732e7df8c564f9a58885848 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 19 2009 21:48:16 +0000 Subject: - Add devicekit policy --- diff --git a/policy-20090105.patch b/policy-20090105.patch index a08a37e..b12e2f9 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -4262,7 +4262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xfs, tcp,7100,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.3/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-08 21:42:58.000000000 -0400 -+++ serefpolicy-3.6.3/policy/modules/kernel/devices.fc 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/devices.fc 2009-01-19 14:33:15.000000000 -0500 @@ -1,7 +1,7 @@ /dev -d gen_context(system_u:object_r:device_t,s0) @@ -4350,15 +4350,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -91,6 +108,7 @@ +@@ -91,20 +108,32 @@ /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) +-/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) +/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) - /dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) ++/dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0) -@@ -98,13 +116,23 @@ + /dev/dri/.+ -c gen_context(system_u:object_r:dri_device_t,s0) /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) 
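Review bot: The replacement file-context pattern `/dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0)` in devices.fc is wider than the `/dev/cpu/.*` it removes: besides the `/dev/cpu/` tree it now also matches `/dev/cpu_dma_latency` (labeled `netcontrol_device_t` on the line just above) and `/dev/cpu/mtrr` (`mtrr_device_t`), so those two labels now depend on file_contexts specificity ordering rather than on non-overlapping patterns. That ordering presumably resolves in favour of the literal entries, but the resulting labels should be confirmed with matchpathcon after the build. If only a specific flat `/dev/cpu…` node motivated the change, keeping `/dev/cpu/.*` and adding an entry for that node would avoid the overlap; either way a one-line comment naming the node the wider regex is meant to catch would help the next reader.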
@@ -4378,6 +4379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) +/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) +/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/pts(/.*)? <> @@ -5404,6 +5406,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.3/policy/modules/kernel/filesystem.fc +--- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2008-08-07 11:15:01.000000000 -0400 ++++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.fc 2009-01-19 13:53:22.000000000 -0500 +@@ -1 +1 @@ +-# This module currently does not have any file contexts. ++/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.3/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if 2009-01-19 13:10:02.000000000 -0500 @@ -6040,7 +6048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.3/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-08 19:00:23.000000000 -0400 -+++ serefpolicy-3.6.3/policy/modules/kernel/storage.fc 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/storage.fc 2009-01-19 13:53:59.000000000 -0500 
@@ -36,7 +36,7 @@ /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) /dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -6050,6 +6058,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ifdef(`distro_redhat', ` /dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +@@ -67,6 +67,8 @@ + /dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + ++/dev/device-mapper -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++ + /dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + + /dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.3/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/kernel/terminal.if 2009-01-19 13:10:02.000000000 -0500 @@ -8332,7 +8349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-19 15:38:07.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # 
@@ -8427,15 +8444,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -196,6 +242,7 @@ - userdom_user_home_content(httpd_user_script_rw_t) +@@ -187,15 +233,22 @@ + files_tmpfs_file(httpd_tmpfs_t) + + apache_content_template(user) ++ + ubac_constrained(httpd_user_script_t) ++typeattribue httpd_user_content_t, httpdcontent; ++typeattribue httpd_user_content_rw_t, httpdcontent; ++typeattribue httpd_user_content_ra_t, httpdcontent; ++typeattribue httpd_user_script_exec_t, httpdcontent; ++ + userdom_user_home_content(httpd_user_content_t) + userdom_user_home_content(httpd_user_htaccess_t) + userdom_user_home_content(httpd_user_script_exec_t) +-userdom_user_home_content(httpd_user_script_ra_t) +-userdom_user_home_content(httpd_user_script_ro_t) +-userdom_user_home_content(httpd_user_script_rw_t) ++userdom_user_home_content(httpd_user_content_ra_t) ++userdom_user_home_content(httpd_user_content_ro_t) ++userdom_user_home_content(httpd_user_content_rw_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; +typealias httpd_user_content_t alias httpd_unconfined_content_t; typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; -@@ -230,7 +277,7 @@ +@@ -230,7 +283,7 @@ # Apache server local policy # 
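Review bot: The four added `typeattribue httpd_user_content_t, httpdcontent;` lines in apache.te will not compile: the keyword is misspelled, and `typeattribute` separates the type from the attribute with whitespace, not a comma, as the existing `typeattribute httpd_user_script_t httpd_script_domains;` a few lines below shows. They should read `typeattribute httpd_user_content_t httpdcontent;` and likewise for `httpd_user_content_rw_t`, `httpd_user_content_ra_t` and `httpd_user_script_exec_t`. Once fixed, this puts per-user web content under the `httpdcontent` attribute, which elsewhere in this patch is given `manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)` rights (presumably under `httpd_unified`), so `httpd_t` gains write access to users' home web content in that mode; if that widening is intended it deserves a comment such as `# user content is httpdcontent so httpd_unified covers home directories too`.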
@@ -8444,7 +8479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -272,6 +319,7 @@ +@@ -272,6 +325,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -8452,7 +8487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -283,9 +331,9 @@ +@@ -283,9 +337,9 @@ allow httpd_t httpd_suexec_exec_t:file read_file_perms; @@ -8465,7 +8500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -301,6 +349,7 @@ +@@ -301,6 +355,7 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) @@ -8473,7 +8508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) -@@ -312,6 +361,7 @@ +@@ -312,6 +367,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -8481,7 +8516,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -322,6 +372,7 @@ +@@ -322,6 +378,7 @@ corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -8489,7 +8524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) -@@ -335,12 +386,12 @@ +@@ -335,12 +392,12 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -8505,7 +8540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(httpd_t) -@@ -358,6 +409,10 @@ +@@ -358,6 +415,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -8516,7 +8551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_read_lib_files(httpd_t) -@@ -372,18 +427,33 @@ +@@ -372,18 +433,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -8554,7 +8589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -391,20 +461,54 @@ +@@ -391,20 +467,54 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -8610,7 +8645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -415,20 +519,28 @@ +@@ -415,20 +525,28 @@ corenet_tcp_bind_ftp_port(httpd_t) ') @@ -8643,7 +8678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -459,8 +571,13 @@ +@@ -459,8 +577,13 @@ ') optional_policy(` 
@@ -8659,7 +8694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -472,18 +589,13 @@ +@@ -472,18 +595,13 @@ ') optional_policy(` @@ -8679,7 +8714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -493,6 +605,12 @@ +@@ -493,6 +611,12 @@ openca_kill(httpd_t) ') @@ -8692,7 +8727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -500,6 +618,7 @@ +@@ -500,6 +624,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -8700,7 +8735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -508,6 +627,7 @@ +@@ -508,6 +633,7 @@ ') optional_policy(` @@ -8708,7 +8743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +655,22 @@ +@@ -535,6 +661,22 @@ userdom_use_user_terminals(httpd_helper_t) @@ -8731,7 +8766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -564,20 +700,25 @@ +@@ -564,20 +706,25 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -8763,7 +8798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -595,23 +736,24 @@ +@@ -595,23 +742,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) 
@@ -8792,7 +8827,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -641,12 +783,25 @@ +@@ -624,6 +772,7 @@ + logging_send_syslog_msg(httpd_suexec_t) + + miscfiles_read_localization(httpd_suexec_t) ++miscfiles_read_public_files(httpd_suexec_t) + + tunable_policy(`httpd_can_network_connect',` + allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; +@@ -641,12 +790,25 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -8821,7 +8864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -655,6 +810,12 @@ +@@ -655,6 +817,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -8834,7 +8877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -672,15 +833,14 @@ +@@ -672,15 +840,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -8853,7 +8896,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +859,24 @@ +@@ -699,12 +866,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -8880,7 +8923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +884,35 @@ +@@ -712,6 +891,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') 
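Review bot: Inside the `tunable_policy(`httpd_enable_cgi && httpd_unified',` block, the new `manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)` grants create/write/unlink on the read-append content type, which removes the append-only distinction that `_ra_t` exists to provide (the `_rw_t` type is the one meant for fully writable content). If user CGI scripts only need to add to those files, `append_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t)` keeps the type meaningful; if full write is intended under `httpd_unified`, a one-line comment saying so would stop a later reader from "fixing" it. It is also odd that `httpd_user_content_rw_t` gets no rule here while `_ra_t` does; presumably `_rw_t` is handled by `apache_content_template`, but that is worth confirming. The surrounding `httpd_user_script_t` policy continues outside this hunk.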
@@ -8916,7 +8959,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +925,10 @@ +@@ -724,6 +932,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -8927,7 +8970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +940,8 @@ +@@ -735,6 +947,8 @@ # httpd_rotatelogs local policy # @@ -8936,7 +8979,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -762,3 +969,66 @@ +@@ -754,6 +968,9 @@ + + tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_user_script_t httpdcontent:file entrypoint; ++ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) ++ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) ++ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t) + ') + + # allow accessing files/dirs below the users home dir +@@ -762,3 +979,66 @@ userdom_search_user_home_dirs(httpd_suexec_t) userdom_search_user_home_dirs(httpd_user_script_t) ') @@ -9811,7 +9864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.3/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/consolekit.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/consolekit.te 2009-01-19 14:46:22.000000000 -0500 
@@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -9889,11 +9942,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_dbus_chat(consolekit_t) -@@ -61,6 +93,29 @@ +@@ -61,6 +93,30 @@ ') optional_policy(` + polkit_domtrans_auth(consolekit_t) ++ polkit_read_lib(consolekit_t) + polkit_read_reload(consolekit_t) +') + @@ -12187,8 +12241,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.3/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/gnomeclock.te 2009-01-19 13:10:02.000000000 -0500 -@@ -0,0 +1,50 @@ ++++ serefpolicy-3.6.3/policy/modules/services/gnomeclock.te 2009-01-19 14:46:31.000000000 -0500 +@@ -0,0 +1,51 @@ +policy_module(gnomeclock, 1.0.0) +######################################## +# @@ -12236,6 +12290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + polkit_domtrans_auth(gnomeclock_t) ++ polkit_read_lib(gnomeclock_t) + polkit_read_reload(gnomeclock_t) +') + @@ -12267,7 +12322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.3/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/hal.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/hal.te 2009-01-19 14:46:49.000000000 -0500 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -12309,12 +12364,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -277,6 +292,12 @@ +@@ -277,6 +292,13 @@ ') optional_policy(` + polkit_domtrans_auth(hald_t) + polkit_domtrans_resolve(hald_t) ++ polkit_read_lib(hald_t) + polkit_read_reload(hald_t) +') + @@ -12322,7 +12378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_search_nfs_state_data(hald_t) ') -@@ -301,12 +322,16 @@ +@@ -301,12 +323,16 @@ virt_manage_images(hald_t) ') @@ -12340,7 +12396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file rw_fifo_file_perms; -@@ -321,6 +346,7 @@ +@@ -321,6 +347,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -12348,7 +12404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(hald_acl_t) -@@ -339,6 +365,8 @@ +@@ -339,6 +366,8 @@ storage_getattr_removable_dev(hald_acl_t) storage_setattr_removable_dev(hald_acl_t) @@ -12357,12 +12413,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(hald_acl_t) -@@ -346,12 +374,17 @@ +@@ -346,12 +375,18 @@ miscfiles_read_localization(hald_acl_t) +optional_policy(` + polkit_domtrans_auth(hald_acl_t) ++ polkit_read_lib(hald_acl_t) + polkit_read_reload(hald_acl_t) +') + @@ -12376,7 +12433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; -@@ -418,3 +451,49 @@ +@@ -418,3 +453,49 @@ files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) 
@@ -12896,7 +12953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.3/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/mailman.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/mailman.te 2009-01-19 15:30:18.000000000 -0500 @@ -53,10 +53,8 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -12910,7 +12967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -65,15 +63,22 @@ +@@ -65,15 +63,27 @@ # allow mailman_mail_t self:unix_dgram_socket create_socket_perms; @@ -12920,6 +12977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +files_search_spool(mailman_mail_t) +fs_rw_anon_inodefs_files(mailman_mail_t) ++fs_list_inotifyfs(mailman_mail_t) + +manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) +manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) @@ -12933,12 +12991,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; - # do we really need this? - allow mailman_mail_t qmail_lspawn_t:fifo_file write; --') + postfix_search_spool(mailman_mail_t) ') ++ ++optional_policy(` ++ cron_read_pipes(mailman_mail_t) + ') ######################################## -@@ -99,11 +104,15 @@ +@@ -99,11 +109,15 @@ # for su seutil_dontaudit_search_config(mailman_queue_t) 
@@ -13813,7 +13874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.3/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/networkmanager.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/networkmanager.te 2009-01-19 14:46:55.000000000 -0500 @@ -33,9 +33,9 @@ # networkmanager will ptrace itself if gdb is installed @@ -13956,7 +14017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -155,23 +199,48 @@ +@@ -155,23 +199,49 @@ ') optional_policy(` @@ -13987,6 +14048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + polkit_domtrans_auth(NetworkManager_t) ++ polkit_read_lib(NetworkManager_t) + polkit_read_reload(NetworkManager_t) ') @@ -14007,7 +14069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -184,7 +253,9 @@ +@@ -184,7 +254,9 @@ optional_policy(` vpn_domtrans(NetworkManager_t) 
@@ -15974,8 +16036,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.3/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/polkit.if 2009-01-19 13:10:02.000000000 -0500 -@@ -0,0 +1,240 @@ ++++ serefpolicy-3.6.3/policy/modules/services/polkit.if 2009-01-19 14:47:07.000000000 -0500 +@@ -0,0 +1,241 @@ + +## policy for polkit_auth + @@ -16193,6 +16255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +template(`polkit_role',` + polkit_run_auth($2, $1) + polkit_run_grant($2, $1) ++ polkit_read_lib($2) + polkit_read_reload($2) +') + @@ -20250,17 +20313,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.3/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/squid.te 2009-01-19 13:10:02.000000000 -0500 -@@ -118,6 +118,8 @@ ++++ serefpolicy-3.6.3/policy/modules/services/squid.te 2009-01-19 15:16:22.000000000 -0500 +@@ -118,6 +118,9 @@ fs_getattr_all_fs(squid_t) fs_search_auto_mountpoints(squid_t) +#squid requires the following when run in diskd mode, the recommended setting +fs_rw_tmpfs_files(squid_t) ++fs_list_inotify(squid_t) selinux_dontaudit_getattr_dir(squid_t) -@@ -185,8 +187,3 @@ +@@ -185,8 +188,3 @@ optional_policy(` udev_read_db(squid_t) ') 
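Review bot: `fs_list_inotify(squid_t)` in squid.te does not match the interface name this same patch uses for the identical purpose in mailman.te, `fs_list_inotifyfs(mailman_mail_t)`; the filesystem module's interface is `fs_list_inotifyfs`, and an interface name m4 cannot expand is left verbatim and fails the module build. Change the line to `fs_list_inotifyfs(squid_t)`. The preceding `#squid requires the following when run in diskd mode, the recommended setting` explains the tmpfs rule only; the inotify rule would benefit from its own one-line justification, e.g. `# squid watches its cache/config directories via inotify`, hedged until confirmed against the denial it was added for.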
@@ -21444,7 +21508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## display. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-19 14:47:14.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -21810,11 +21874,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +622,18 @@ +@@ -542,6 +622,19 @@ ') optional_policy(` + polkit_domtrans_auth(xdm_t) ++ polkit_read_lib(xdm_t) + polkit_read_reload(xdm_t) +') + @@ -21829,7 +21894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +642,8 @@ +@@ -550,8 +643,8 @@ ') optional_policy(` @@ -21839,7 +21904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -571,6 +663,10 @@ +@@ -571,6 +664,10 @@ ') optional_policy(` @@ -21850,7 +21915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -635,6 +731,15 @@ +@@ -635,6 +732,15 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -21866,7 +21931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t,file) -@@ -682,6 +787,7 @@ +@@ -682,6 +788,7 @@ dev_rw_input_dev(xserver_t) dev_rwx_zero(xserver_t) 
@@ -21874,7 +21939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_mmap_low(xserver_t) files_read_etc_files(xserver_t) -@@ -697,6 +803,7 @@ +@@ -697,6 +804,7 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -21882,7 +21947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_xwin_read_to_clearance(xserver_t) -@@ -806,7 +913,7 @@ +@@ -806,7 +914,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -21891,7 +21956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -830,6 +937,10 @@ +@@ -830,6 +938,10 @@ xserver_use_user_fonts(xserver_t) @@ -21902,7 +21967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +955,14 @@ +@@ -844,11 +956,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -21918,7 +21983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +970,11 @@ +@@ -856,6 +971,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -21930,7 +21995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -972,6 +1091,37 @@ +@@ -972,6 +1092,37 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -21968,7 +22033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` tunable_policy(`allow_polyinstantiation',` # xdm needs access for linking .X11-unix to poly /tmp -@@ -986,3 +1136,13 @@ +@@ -986,3 +1137,13 @@ # allow xdm_t user_home_type:file unlink; ') dnl end TODO