From 8e9aa28f31b14d12d3b2971a169661bc6fb9960e Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 19 2010 11:38:59 +0000 Subject: - Fixes for memcached from Dan Walsh - Allow podsleuth to read user tmpfs files - Allow tftpd to read system state information in proc --- diff --git a/policy-20100106.patch b/policy-20100106.patch index 66ad0de..d752f25 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -1,6 +1,17 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.32/policy/modules/apps/gpg.fc +--- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/apps/gpg.fc 2010-01-19 12:03:52.541857693 +0100 +@@ -1,5 +1,7 @@ + HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) + ++/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) ++ + /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) + /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) + /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc ---- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2010-01-11 18:21:26.000000000 +0100 +--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-01-18 18:24:22.616539953 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2010-01-18 18:27:02.741544960 +0100 @@ -11,6 +11,7 @@ /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) 
@@ -9,9 +20,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te +--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-01-18 18:24:22.631540185 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2010-01-19 11:53:14.080857057 +0100 +@@ -73,6 +73,7 @@ + + sysnet_dns_name_resolve(podsleuth_t) + ++userdom_read_user_tmpfs_files(podsleuth_t) + userdom_signal_unpriv_users(podsleuth_t) + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if ---- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-11 13:38:03.000000000 +0100 +--- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-18 18:24:22.648539903 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-18 18:27:02.742545576 +0100 @@ -45,9 +45,10 @@ allow sandbox_x_domain $1:process { sigchld signal }; allow sandbox_x_domain sandbox_x_domain:process signal; 
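Review bot: The added `userdom_read_user_tmpfs_files(podsleuth_t)` grants read access to every user_tmpfs_t file (the user's shared-memory backed content), which is wider than the single denial this was presumably added for, and the hunk gives no hint which file podsleuth actually needs. A one-line comment above the rule, e.g. `# needed for: <describe the denied access here>`, would let a later reviewer judge whether the blanket read grant is still warranted. The enclosing rule block of podsleuth.te continues outside the hunk.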
@@ -88,8 +110,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te ---- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-01-11 13:38:03.000000000 +0100 +--- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-18 18:24:22.649539960 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-01-18 18:27:02.743530757 +0100 @@ -10,14 +10,15 @@ # @@ -187,8 +209,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_bus_client(sandbox_net_client_t) dbus_read_config(sandbox_net_client_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.32/policy/modules/apps/wine.if ---- nsaserefpolicy/policy/modules/apps/wine.if 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2010-01-11 16:01:58.000000000 +0100 +--- nsaserefpolicy/policy/modules/apps/wine.if 2010-01-18 18:24:22.657540000 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/wine.if 2010-01-18 18:27:02.744541291 +0100 @@ -143,6 +143,10 @@ userdom_unpriv_usertype($1, $1_wine_t) userdom_manage_tmpfs_role($2, $1_wine_t) 
@@ -201,8 +223,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`mmap_low_allowed',` domain_mmap_low($1_wine_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te ---- nsaserefpolicy/policy/modules/apps/wine.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2010-01-11 16:01:03.000000000 +0100 +--- nsaserefpolicy/policy/modules/apps/wine.te 2010-01-18 18:24:22.664530344 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2010-01-18 18:27:02.745530942 +0100 @@ -6,6 +6,15 @@ # Declarations # 
@@ -231,9 +253,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_mmap_low_type(wine_t) tunable_policy(`mmap_low_allowed',` domain_mmap_low(wine_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:10:56.565608631 +0100 +@@ -92,8 +92,8 @@ + network_port(dbskkd, tcp,1178,s0) + network_port(dcc, udp,6276,s0, udp,6277,s0) + network_port(dccm, tcp,5679,s0, udp,5679,s0) +-network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,547,s0, tcp, 547,s0) +-network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) ++network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) ++network_port(dhcpd, udp,67,s0, udp,547,s0, tcp,547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) + network_port(dict, tcp,2628,s0) + network_port(distccd, tcp,3632,s0) + network_port(dns, udp,53,s0, tcp,53,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc ---- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-09 20:39:30.000000000 +0100 +--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-18 18:27:02.746530790 +0100 @@ -162,6 +162,8 @@ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) 
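Review bot: The two rewritten `network_port` lines mix the `tcp,546,s0` spacing with `tcp, 546,s0` and `tcp, 548,s0` (space after the comma), unlike the neighbouring entries in corenetwork.te.in. Since both lines are re-emitted anyway, normalizing them, `network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp,546,s0)` and `network_port(dhcpd, udp,67,s0, udp,547,s0, tcp,547,s0, udp,548,s0, tcp,548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)`, keeps the port table consistently greppable. Moving 547 from the client to the server list is consistent with the 546/547 client/server split the lines now express.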
@@ -244,8 +280,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if ---- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-01-09 20:40:52.000000000 +0100 +--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-01-18 18:27:02.749530752 +0100 @@ -3833,6 +3833,24 @@ write_chr_files_pattern($1, device_t, v4l_device_t) ') @@ -272,8 +308,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## Read and write VMWare devices. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te ---- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-01-09 20:38:38.000000000 +0100 +--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-18 18:24:22.675530137 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-01-18 18:27:02.751530797 +0100 @@ -233,6 +233,12 @@ type usb_device_t; dev_node(usb_device_t) 
@@ -288,8 +324,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_node(v4l_device_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc ---- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-01-12 13:41:16.000000000 +0100 +--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100 ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-01-18 18:27:02.752530994 +0100 @@ -2,7 +2,7 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) @@ -300,8 +336,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te ---- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-01-12 13:42:23.000000000 +0100 +--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100 ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-01-18 18:27:02.753530981 +0100 @@ -39,6 +39,8 @@ type unconfined_exec_t; init_system_domain(unconfined_t, unconfined_exec_t) 
@@ -312,8 +348,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_user_exemption_target(unconfined_t) allow system_r unconfined_r; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te ---- nsaserefpolicy/policy/modules/roles/xguest.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-01-14 20:12:41.000000000 +0100 +--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-01-18 18:24:22.724546986 +0100 ++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-01-18 18:27:02.754531109 +0100 @@ -15,7 +15,7 @@ ## @@ -324,8 +360,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## gen_tunable(xguest_connect_network, true) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te ---- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-08 14:42:10.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-18 18:27:02.754531109 +0100 @@ -96,6 +96,7 @@ corenet_tcp_connect_ftp_port(abrt_t) corenet_tcp_connect_all_ports(abrt_t) 
@@ -335,8 +371,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_sysfs(abrt_t) dev_dontaudit_read_memory_dev(abrt_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if ---- nsaserefpolicy/policy/modules/services/apache.if 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-10 20:47:24.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-18 18:27:02.756530665 +0100 @@ -16,6 +16,7 @@ attribute httpd_exec_scripts; attribute httpd_script_exec_type; 
@@ -354,9 +390,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_cgi',` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te +--- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-01-18 18:30:54.720781297 +0100 +@@ -309,7 +309,7 @@ + manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) + manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) + manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) +-files_var_filetrans(httpd_t, httpd_cache_t, dir) ++files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) + + # Allow the httpd_t to read the web servers config files + allow httpd_t httpd_config_t:dir list_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200 -+++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-06 13:06:31.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-18 18:27:02.757542944 +0100 @@ -31,7 +31,7 @@ # 
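Review bot: `files_var_filetrans(httpd_t, httpd_cache_t, { file dir })` makes any file that httpd_t creates directly in a generic var_t directory come out as httpd_cache_t, and with the `manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)` visible two lines above, that is a new httpd-writable file path outside the cache directory itself; the hunk does not record which file triggered it. If one known path is the trigger, a file-context entry for that path would be narrower than a class-wide transition; otherwise a comment above the line naming the file, `# <path> is created by httpd directly under /var`, would document the intent. The rest of the httpd_t rule block lies outside the hunk.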
@@ -366,9 +414,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; allow apcupsd_t self:tcp_socket create_stream_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.6.32/policy/modules/services/avahi.fc +--- nsaserefpolicy/policy/modules/services/avahi.fc 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/avahi.fc 2010-01-19 11:57:43.789607625 +0100 +@@ -6,4 +6,4 @@ + + /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) + +-/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) ++/var/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te ---- nsaserefpolicy/policy/modules/services/cups.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-08 20:32:23.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/cups.te 2010-01-18 18:24:22.771540183 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2010-01-18 18:27:02.758531199 +0100 @@ -555,6 +555,7 @@ logging_send_syslog_msg(cupsd_lpd_t) 
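Review bot: The corrected `/var/lib/avahi-autoipd(/.*)` pattern still lacks the trailing `?` that the `/var/run/avahi-daemon(/.*)?` entry two lines above uses, so only the directory's contents match and the directory itself keeps the default label for /var/lib rather than avahi_var_lib_t. Suggest `/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)` so that the daemon's own creates and restorecon agree on the directory label.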
@@ -378,21 +435,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(cupsd_lpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te ---- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-10 20:48:24.000000000 +0100 -@@ -276,7 +276,11 @@ - mta_manage_spool(dovecot_deliver_t) +--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-18 18:32:00.705531307 +0100 +@@ -277,6 +277,8 @@ ') -+ -+ tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(dovecot_deliver_t) + fs_manage_nfs_dirs(dovecot_t) fs_manage_nfs_files(dovecot_deliver_t) fs_manage_nfs_symlinks(dovecot_deliver_t) fs_manage_nfs_files(dovecot_t) -@@ -284,6 +288,8 @@ +@@ -284,6 +286,8 @@ ') tunable_policy(`use_samba_home_dirs',` @@ -402,8 +456,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_symlinks(dovecot_deliver_t) fs_manage_cifs_files(dovecot_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if ---- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if 2010-01-08 16:30:32.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-01-18 18:24:22.784531151 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if 2010-01-18 18:27:02.761531161 +0100 @@ -138,6 +138,24 @@ dontaudit $1 fail2ban_t:unix_stream_socket { read write }; ') 
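Review bot: In the reworked dovecot.te hunk the two `fs_manage_nfs_dirs` lines are inserted directly after a `')` with no tunable_policy opener visible in the hunk context, whereas the cifs counterparts in the second hunk sit inside the use_samba_home_dirs tunable_policy block. If the NFS rules in the patched file are not wrapped in the use_nfs_home_dirs tunable (the previous version of this patch tried to insert that wrapper and the wrapper is being dropped here), NFS home-directory management for dovecot_t and dovecot_deliver_t becomes unconditional. Worth confirming against the surrounding lines of dovecot.te, which are outside the hunk, before this version of the patch lands.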
@@ -431,7 +485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.6.32/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2009-09-16 16:01:19.000000000 +0200 -+++ serefpolicy-3.6.32/policy/modules/services/ftp.if 2010-01-15 12:37:45.000000000 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/ftp.if 2010-01-18 18:27:02.762530869 +0100 @@ -115,6 +115,43 @@ role $2 types ftpdctl_t; ') @@ -477,8 +531,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te ---- nsaserefpolicy/policy/modules/services/ftp.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2010-01-15 12:44:47.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/ftp.te 2010-01-18 18:24:22.787539983 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2010-01-18 18:27:02.763531066 +0100 @@ -53,6 +53,39 @@ ## gen_tunable(ftp_home_dir, false) @@ -612,8 +666,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_read_nfs_symlinks(ftpd_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te ---- nsaserefpolicy/policy/modules/services/git.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-01-14 20:34:07.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/git.te 2010-01-18 18:24:22.790540016 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-01-18 18:27:02.764531054 +0100 
@@ -73,7 +73,7 @@ # 
@@ -623,9 +677,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow gitd_type self:udp_socket create_socket_perms; allow gitd_type self:unix_dgram_socket create_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.32/policy/modules/services/memcached.te +--- nsaserefpolicy/policy/modules/services/memcached.te 2010-01-18 18:24:22.809536705 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/memcached.te 2010-01-19 11:45:44.999857263 +0100 +@@ -1,5 +1,5 @@ + +-policy_module(memcached, 1.1.0) ++policy_module(memcached, 1.1.1) + + ######################################## + # +@@ -22,9 +22,12 @@ + # + + allow memcached_t self:capability { setuid setgid }; ++dontaudit memcached_t self:capability sys_tty_config; ++allow memcached_t self:process { fork setrlimit signal_perms }; + allow memcached_t self:tcp_socket create_stream_socket_perms; + allow memcached_t self:udp_socket { create_socket_perms listen }; + allow memcached_t self:fifo_file rw_fifo_file_perms; ++allow memcached_t self:unix_stream_socket create_stream_socket_perms; + + corenet_all_recvfrom_unlabeled(memcached_t) + corenet_udp_sendrecv_generic_if(memcached_t) +@@ -42,12 +45,15 @@ + manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) + files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir }) + +-files_read_etc_files(memcached_t) +- ++kernel_read_kernel_sysctls(memcached_t) + kernel_read_system_state(memcached_t) + ++files_read_etc_files(memcached_t) ++ + auth_use_nsswitch(memcached_t) + + miscfiles_read_localization(memcached_t) + +-sysnet_dns_name_resolve(memcached_t) ++term_dontaudit_use_all_user_ptys(memcached_t) ++term_dontaudit_use_all_user_ttys(memcached_t) ++term_dontaudit_use_console(memcached_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc 
serefpolicy-3.6.32/policy/modules/services/nagios.fc ---- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-11 12:37:36.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-18 18:24:22.821530899 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-18 18:27:02.765531460 +0100 @@ -27,26 +27,62 @@ # check disk plugins @@ -692,8 +788,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te ---- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-11 12:27:10.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-18 18:24:22.823530245 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-18 18:27:02.766531099 +0100 @@ -118,6 +118,9 @@ corenet_udp_sendrecv_all_ports(nagios_t) corenet_tcp_connect_all_ports(nagios_t) @@ -705,8 +801,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(nagios_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te ---- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-11 15:49:03.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-18 18:27:02.767531435 +0100 
@@ -85,6 +85,7 @@ corenet_udp_bind_generic_node(openvpn_t) corenet_tcp_bind_openvpn_port(openvpn_t) @@ -716,8 +812,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(openvpn_t) corenet_tcp_connect_http_cache_port(openvpn_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te ---- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-08 20:27:51.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100 @@ -443,6 +443,7 @@ optional_policy(` @@ -745,8 +841,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te ---- nsaserefpolicy/policy/modules/services/samba.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-06 13:55:09.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-18 18:27:02.770531119 +0100 @@ -286,6 +286,8 @@ allow smbd_t winbind_t:process { signal signull }; 
@@ -774,8 +870,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow swat_t nmbd_exec_t:file mmap_file_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te ---- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-01-08 16:31:13.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-18 18:24:22.889530888 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/sendmail.te 2010-01-18 18:27:02.771531176 +0100 @@ -136,6 +136,8 @@ optional_policy(` @@ -786,8 +882,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te ---- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-06 15:41:37.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-18 18:24:22.892539860 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-18 18:27:02.772530814 +0100 @@ -27,7 +27,7 @@ # allow snmpd_t self:capability { dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; 
@@ -798,8 +894,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow snmpd_t self:unix_dgram_socket create_socket_perms; allow snmpd_t self:unix_stream_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if ---- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-06 15:40:10.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-18 18:24:22.895529974 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-18 18:27:02.773531151 +0100 @@ -267,6 +267,24 @@ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) ') @@ -826,8 +922,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te ---- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-01-15 12:33:14.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-18 18:24:22.899530064 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-01-18 18:27:02.774530790 +0100 @@ -8,31 +8,6 @@ ## 
@@ -934,8 +1030,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - fs_manage_cifs_files(sftpd_t) -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if ---- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-11 13:46:50.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-18 18:24:22.901529830 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-18 18:27:02.775542370 +0100 @@ -95,6 +95,25 @@ files_search_var_lib($1) ') 
@@ -962,9 +1058,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Read sssd lib files. +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.6.32/policy/modules/services/tftp.te +--- nsaserefpolicy/policy/modules/services/tftp.te 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/tftp.te 2010-01-19 12:02:02.773609654 +0100 +@@ -50,6 +50,7 @@ + manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) + files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) + ++kernel_read_system_state(tftpd_t) + kernel_read_kernel_sysctls(tftpd_t) + kernel_list_proc(tftpd_t) + kernel_read_proc_symlinks(tftpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te ---- nsaserefpolicy/policy/modules/services/virt.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-11 13:32:35.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-18 18:27:02.776530834 +0100 @@ -226,7 +226,7 @@ sysnet_domtrans_ifconfig(virtd_t) sysnet_read_config(virtd_t) 
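Review bot: `kernel_read_system_state(tftpd_t)` is added directly above `kernel_list_proc(tftpd_t)` and `kernel_read_proc_symlinks(tftpd_t)`; as far as I recall, the system-state interface already grants listing proc_t directories and reading proc_t symlinks, so those two lines become redundant and could be dropped in the same hunk to keep the rule set minimal. Check kernel.if in this tree before removing them. The tftpd_t rule block continues outside the hunk.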
@@ -984,8 +1091,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc ---- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-01-08 14:49:31.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-01-18 18:27:02.777542764 +0100 @@ -65,6 +65,8 @@ /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) @@ -1012,8 +1119,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te ---- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-06 11:05:50.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-08 14:07:19.000000000 +0100 +--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-18 18:27:02.779530727 +0100 @@ -301,6 +301,8 @@ manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) 
@@ -1025,7 +1132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_rw_xserver_misc(xauth_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te
 --- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-14 20:30:58.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-18 18:27:02.780542727 +0100
 @@ -125,6 +125,10 @@
 ')
@@ -1038,8 +1145,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-15 12:26:30.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-18 18:27:02.782531248 +0100
 @@ -212,6 +212,10 @@
 ')
@@ -1061,7 +1168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # system-config-services causes avc messages that should be dontaudited
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
 --- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200
-+++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-01-09 20:37:29.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-01-18 18:27:02.783531305 +0100
 @@ -1,3 +1,5 @@
 +
 +/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
@@ -1069,8 +1176,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te
---- nsaserefpolicy/policy/modules/system/iscsi.te 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-01-09 20:37:11.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-01-18 18:24:22.943530492 +0100
++++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-01-18 18:27:02.783531305 +0100
 @@ -35,10 +35,13 @@
 allow iscsid_t self:unix_dgram_socket create_socket_perms;
 allow iscsid_t self:sem create_sem_perms;
@@ -1094,8 +1201,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domain_use_interactive_fds(iscsid_t)
 domain_read_all_domains_state(iscsid_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-08 20:06:50.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-19 12:16:16.415620342 +0100
 @@ -245,6 +245,7 @@
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -1104,7 +1211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -433,8 +434,13 @@
+@@ -433,8 +434,14 @@
 /usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -1118,9 +1225,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
++/usr/local/MATHWORKS_R2009B/bin/glnxa64/libtbb.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
---- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-08 20:32:11.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-18 18:27:02.787531116 +0100
 @@ -618,3 +618,22 @@
 manage_lnk_files_pattern($1, locale_t, locale_t)
 ')
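Review bot: The new `++/usr/local/MATHWORKS_R2009B/bin/glnxa64/libtbb.so.*` file-context entry leaves the dot in `libtbb.so` unescaped, unlike the neighbouring `libkmplayercommon\.so.*` pattern, so the regex also matches any character in that position; write it as `/usr/local/MATHWORKS_R2009B/bin/glnxa64/libtbb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. Because textrel_shlib_t is the label for libraries permitted text relocations (execmod), and this pins a release-specific install path under the admin-managed /usr/local tree into the distribution policy, a comment above the entry naming the triggering denial or bug, `# MATLAB libtbb requires text relocation: <bug reference>`, would help a later reviewer decide whether to keep or generalise the path. The `-@@ -433,8 +434,13 @@` to `+@@ -433,8 +434,14 @@` count change in the preceding hunk appears to account for this single added line.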
@@ -1145,8 +1253,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.32/policy/modules/system/mount.te
---- nsaserefpolicy/policy/modules/system/mount.te 2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-01-11 15:53:37.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/mount.te 2010-01-18 18:24:22.961540534 +0100
++++ serefpolicy-3.6.32/policy/modules/system/mount.te 2010-01-18 18:27:02.788530824 +0100
 @@ -181,6 +181,7 @@
 auth_read_all_dirs_except_shadow(mount_t)
 auth_read_all_files_except_shadow(mount_t)
@@ -1156,8 +1264,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
---- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-01-15 12:28:55.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-18 18:24:22.967540599 +0100
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-01-18 18:27:02.789530951 +0100
 @@ -190,6 +190,7 @@
 init_use_script_fds(load_policy_t)
@@ -1167,8 +1275,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 miscfiles_read_localization(load_policy_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
---- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-08 16:35:49.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-18 18:24:22.975530582 +0100
++++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-18 18:27:02.790542463 +0100
 @@ -21,6 +21,8 @@
 allow $1 self:capability all_capabilities;
 allow $1 self:fifo_file manage_fifo_file_perms;
@@ -1179,8 +1287,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow $1 self:process transition;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc
---- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-01-07 16:46:35.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-01-18 18:24:22.977540055 +0100
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-01-18 18:27:02.791532114 +0100
 @@ -6,4 +6,5 @@
 /dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
 /dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
@@ -1188,8 +1296,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
 HOME_DIR/\.gvfs(/.*)? <>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-01-11 13:53:41.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-01-18 18:27:02.794530889 +0100
 @@ -3631,6 +3631,24 @@
 ########################################
@@ -1216,8 +1324,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##
 ##
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
---- nsaserefpolicy/policy/modules/system/xen.te 2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-09 20:35:37.000000000 +0100
+--- nsaserefpolicy/policy/modules/system/xen.te 2010-01-18 18:24:22.987540070 +0100
++++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-18 18:27:02.796530655 +0100
 @@ -248,6 +248,7 @@
 #
@@ -1246,8 +1354,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 # Xen store local policy
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-01-15 12:24:53.000000000 +0100
+--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-18 18:24:22.988541733 +0100
++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-01-18 18:27:02.798533004 +0100
 @@ -28,7 +28,7 @@
 #
 # All socket classes.
@@ -1258,8 +1366,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
---- nsaserefpolicy/policy/users 2010-01-06 11:05:51.000000000 +0100
-+++ serefpolicy-3.6.32/policy/users 2010-01-12 13:48:30.000000000 +0100
+--- nsaserefpolicy/policy/users 2010-01-18 18:24:22.989541023 +0100
++++ serefpolicy-3.6.32/policy/users 2010-01-18 18:27:02.799531176 +0100
 @@ -15,7 +15,7 @@
 # and a user process should never be assigned the system user
 # identity.
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 648a512..349095b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 71%{?dist}
+Release: 72%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -456,6 +456,11 @@ exit 0
 %endif
 %changelog
+* Tue Jan 19 2010 Miroslav Grepl 3.6.32-72
+- Fixes for memcached from Dan Walsh
+- Allow podsleuth to read user tmpfs files
+- Allow tftpd to read system state information in proc
+
 * Fri Jan 15 2010 Miroslav Grepl 3.6.32-71
 - Allow hotplug to transition to brctl domain
 - Fixes for sftpd