From a350edfdad80a50fcd7a6af8d945452c4adff9c1 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 29 2007 17:18:01 +0000 Subject: - Fixes for avahi, procmail, postfix --- diff --git a/policy-20070501.patch b/policy-20070501.patch index 0e8f5f1..f825b2f 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -1196,7 +1196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.if s ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-05-29 11:35:27.000000000 -0400 @@ -36,6 +36,11 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) @@ -1209,7 +1209,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) -@@ -256,3 +261,5 @@ +@@ -248,6 +253,7 @@ + /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) + + /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) + /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -256,3 +262,5 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -2704,6 +2712,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t) +corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-2.6.4/policy/modules/services/arpwatch.te +--- nsaserefpolicy/policy/modules/services/arpwatch.te 2007-05-07 14:51:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/arpwatch.te 2007-05-29 09:01:26.000000000 -0400 +@@ -28,7 +28,6 @@ + allow arpwatch_t self:process signal_perms; + allow arpwatch_t self:unix_dgram_socket create_socket_perms; + allow arpwatch_t self:unix_stream_socket create_stream_socket_perms; +-allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms; + allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; + allow arpwatch_t self:udp_socket create_socket_perms; + allow arpwatch_t self:packet_socket create_socket_perms; +@@ -78,8 +77,6 @@ + + miscfiles_read_localization(arpwatch_t) + +-sysnet_read_config(arpwatch_t) +- + userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) + userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t) + +@@ -92,7 +89,7 @@ + ') + + optional_policy(` +- nis_use_ypbind(arpwatch_t) ++ auth_use_nsswitch(arpwatch_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.6.4/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/automount.te 2007-05-21 10:46:53.000000000 -0400 
@@ -2725,7 +2762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto domain_use_interactive_fds(automount_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.6.4/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/avahi.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/avahi.te 2007-05-29 09:12:19.000000000 -0400 @@ -18,7 +18,7 @@ # Local policy # @@ -2735,6 +2772,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah dontaudit avahi_t self:capability sys_tty_config; allow avahi_t self:process { setrlimit signal_perms setcap }; allow avahi_t self:fifo_file { read write }; +@@ -32,6 +32,8 @@ + allow avahi_t avahi_var_run_t:dir setattr; + files_pid_filetrans(avahi_t,avahi_var_run_t,file) + ++auth_use_nsswitch(avahi_t) ++ + kernel_read_kernel_sysctls(avahi_t) + kernel_list_proc(avahi_t) + kernel_read_proc_symlinks(avahi_t) +@@ -63,8 +65,6 @@ + files_read_etc_runtime_files(avahi_t) + files_read_usr_files(avahi_t) + +-auth_use_nsswitch(avahi_t) +- + init_signal_script(avahi_t) + init_signull_script(avahi_t) + +@@ -75,8 +75,6 @@ + + miscfiles_read_localization(avahi_t) + +-sysnet_read_config(avahi_t) +- + userdom_dontaudit_use_unpriv_user_fds(avahi_t) + userdom_dontaudit_search_sysadm_home_dirs(avahi_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.6.4/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/bind.te 2007-05-21 10:46:53.000000000 -0400 
@@ -2759,7 +2823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-2.6.4/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/consolekit.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/consolekit.te 2007-05-29 11:04:09.000000000 -0400 @@ -10,7 +10,6 @@ type consolekit_exec_t; init_daemon_domain(consolekit_t, consolekit_exec_t) @@ -2776,7 +2840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t) files_pid_filetrans(consolekit_t,consolekit_var_run_t, file) -@@ -50,8 +48,15 @@ +@@ -50,8 +48,16 @@ libs_use_ld_so(consolekit_t) libs_use_shared_libs(consolekit_t) @@ -2788,13 +2852,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +userdom_ptrace_all_users(consolekit_t) +hal_ptrace(consolekit_t) +mcs_ptrace_all(consolekit_t) ++domain_dontaudit_ptrace_all_domains(consolekit_t) + optional_policy(` dbus_system_bus_client_template(consolekit, consolekit_t) dbus_send_system_bus(consolekit_t) -@@ -68,3 +73,9 @@ +@@ -67,4 +73,11 @@ + optional_policy(` xserver_read_all_users_xauth(consolekit_t) xserver_stream_connect_xdm_xserver(consolekit_t) ++ xserver_stream_connect_xdm(consolekit_t) ') + +ifdef(`targeted_policy',` 
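Review bot: The four ptrace lines added to consolekit_t in the `@@ -50,8 +48,16 @@` hunk (`userdom_ptrace_all_users`, `hal_ptrace`, `mcs_ptrace_all`, `domain_dontaudit_ptrace_all_domains`) grant a session daemon ptrace over every user domain and across MCS categories with no comment saying why. If the need is only reading `/proc/<pid>/` state of session processes, which the kernel mediates as ptrace for some entries, record that in a comment such as `# reads /proc/<pid>/ state of session processes; the kernel checks this as ptrace -- confirm` so a later reviewer can judge whether a narrower access suffices. Pairing the broad allow with `domain_dontaudit_ptrace_all_domains` also means any further ptrace denial from consolekit_t will not appear in the audit log, which removes a useful signal if the daemon is ever compromised.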
@@ -3406,7 +3473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.6.4/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-05-22 14:42:12.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-05-29 09:07:20.000000000 -0400 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; 
@@ -3420,29 +3487,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove type dovecot_cert_t; files_type(dovecot_cert_t) -@@ -111,7 +117,6 @@ +@@ -46,8 +52,6 @@ + allow dovecot_t self:tcp_socket create_stream_socket_perms; + allow dovecot_t self:unix_dgram_socket create_socket_perms; + allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow dovecot_t self:netlink_route_socket r_netlink_socket_perms; +- + domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) + + allow dovecot_t dovecot_cert_t:dir list_dir_perms; +@@ -67,6 +71,8 @@ + manage_sock_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t) + files_pid_filetrans(dovecot_t,dovecot_var_run_t,file) + ++auth_use_nsswitch(dovecot_t) ++ + kernel_read_kernel_sysctls(dovecot_t) + kernel_read_system_state(dovecot_t) + +@@ -110,9 +116,6 @@ + miscfiles_read_certs(dovecot_t) miscfiles_read_localization(dovecot_t) - sysnet_read_config(dovecot_t) +-sysnet_read_config(dovecot_t) -sysnet_use_ldap(dovecot_auth_t) - +- userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_dontaudit_search_sysadm_home_dirs(dovecot_t) -@@ -138,11 +143,11 @@ - ') - - optional_policy(` -- squid_dontaudit_search_cache(dovecot_t) -+ udev_read_db(dovecot_t) + userdom_priveleged_home_dir_manager(dovecot_t) +@@ -130,10 +133,6 @@ ') optional_policy(` -- udev_read_db(dovecot_t) -+ squid_dontaudit_search_cache(dovecot_t) +- nis_use_ypbind(dovecot_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(dovecot_t) ') - ######################################## -@@ -150,19 +155,20 @@ +@@ -150,25 +149,29 @@ # dovecot auth local policy # 
@@ -3465,7 +3549,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms; -@@ -177,6 +183,7 @@ + kernel_read_all_sysctls(dovecot_auth_t) + kernel_read_system_state(dovecot_auth_t) + ++logging_send_syslog_msg(dovecot_auth_t) ++logging_send_audit_msg(dovecot_auth_t) ++ + dev_read_urand(dovecot_auth_t) + + auth_domtrans_chk_passwd(dovecot_auth_t) +@@ -177,6 +180,7 @@ files_read_etc_files(dovecot_auth_t) files_read_etc_runtime_files(dovecot_auth_t) files_search_pids(dovecot_auth_t) @@ -3473,26 +3566,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -191,11 +198,51 @@ - seutil_dontaudit_search_config(dovecot_auth_t) +@@ -190,12 +194,46 @@ - sysnet_dns_name_resolve(dovecot_auth_t) -+sysnet_use_ldap(dovecot_auth_t) + seutil_dontaudit_search_config(dovecot_auth_t) +-sysnet_dns_name_resolve(dovecot_auth_t) +- optional_policy(` kerberos_use(dovecot_auth_t) ') -+logging_send_syslog_msg(dovecot_auth_t) -+logging_send_audit_msg(dovecot_auth_t) -+ -+optional_policy(` + optional_policy(` +- logging_send_syslog_msg(dovecot_auth_t) + mysql_search_db(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t) +') + - optional_policy(` -- logging_send_syslog_msg(dovecot_auth_t) ++optional_policy(` + postfix_create_pivate_sockets(dovecot_auth_t) + postfix_search_spool(dovecot_auth_t) +') 
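Review bot: In the `@@ -190,12 +194,46 @@` hunk `sysnet_dns_name_resolve(dovecot_auth_t)` is removed and the earlier `sysnet_use_ldap(dovecot_auth_t)` addition is dropped, but no replacement for dovecot_auth_t is visible in this hunk. Elsewhere in this commit the same removal is paired with `auth_use_nsswitch(<domain>)`; the inner hunk `@@ -150,25 +149,29 @@` that would hold it for dovecot_auth_t lies outside the outer diff's context, so please confirm it is there, otherwise DNS and LDAP lookups from dovecot-auth will be denied. The dovecot_auth local policy block starts before this hunk and continues past it.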
@@ -4062,6 +4152,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. # apache should set close-on-exec apache_dontaudit_append_log(system_mail_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-2.6.4/policy/modules/services/nagios.te +--- nsaserefpolicy/policy/modules/services/nagios.te 2007-05-07 14:51:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/nagios.te 2007-05-29 09:04:20.000000000 -0400 +@@ -73,8 +73,10 @@ + corenet_udp_sendrecv_all_nodes(nagios_t) + corenet_tcp_sendrecv_all_ports(nagios_t) + corenet_udp_sendrecv_all_ports(nagios_t) ++corenet_tcp_connect_all_ports(nagios_t) + + dev_read_sysfs(nagios_t) ++dev_read_urand(nagios_t) + + domain_use_interactive_fds(nagios_t) + # for ps +@@ -97,8 +99,6 @@ + + miscfiles_read_localization(nagios_t) + +-sysnet_read_config(nagios_t) +- + userdom_dontaudit_use_unpriv_user_fds(nagios_t) + userdom_dontaudit_search_sysadm_home_dirs(nagios_t) + +@@ -121,7 +121,7 @@ + ') + + optional_policy(` +- nis_use_ypbind(nagios_t) ++ auth_use_nsswitch(nagios_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-2.6.4/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-05-07 14:50:57.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/networkmanager.if 2007-05-21 10:46:53.000000000 -0400 
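Review bot: `corenet_tcp_connect_all_ports(nagios_t)` in the nagios.te hunk is an unconditional grant of outbound TCP to every port, added without a comment. Monitoring plugins do probe arbitrary services, so the rule may be necessary, but a why-comment such as `# check plugins connect to monitored services on arbitrary ports` would record the justification, and gating it behind a tunable would let hosts that only monitor a fixed set of ports keep the narrower policy. The surrounding nagios_t block starts before this hunk.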
@@ -4088,6 +4210,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + domtrans_pattern($1,NetworkManager_exec_t,NetworkManager_t) + +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-2.6.4/policy/modules/services/nis.fc +--- nsaserefpolicy/policy/modules/services/nis.fc 2007-05-07 14:50:57.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/nis.fc 2007-05-29 11:39:06.000000000 -0400 +@@ -4,6 +4,7 @@ + /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) + + /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) ++/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) + + /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) + /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.6.4/policy/modules/services/nis.if --- nsaserefpolicy/policy/modules/services/nis.if 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/nis.if 2007-05-21 10:46:53.000000000 -0400 
@@ -4434,16 +4567,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-2.6.4/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/postfix.if 2007-05-21 10:46:53.000000000 -0400 -@@ -122,6 +122,7 @@ - allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; - allow postfix_$1_t self:tcp_socket create_socket_perms; - allow postfix_$1_t self:udp_socket create_socket_perms; -+ allow postfix_$1_t self:netlink_route_socket r_netlink_socket_perms; ++++ serefpolicy-2.6.4/policy/modules/services/postfix.if 2007-05-29 09:03:07.000000000 -0400 +@@ -116,6 +116,10 @@ + ## + # + template(`postfix_server_domain_template',` ++ gen_require(` ++ type postfix_master_t; ++ ') ++ + postfix_domain_template($1) - domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) + allow postfix_$1_t self:capability { setuid setgid dac_override }; +@@ -137,10 +141,8 @@ + corenet_tcp_connect_all_ports(postfix_$1_t) + corenet_sendrecv_all_client_packets(postfix_$1_t) -@@ -455,3 +456,22 @@ +- sysnet_read_config(postfix_$1_t) +- + optional_policy(` +- nis_use_ypbind(postfix_$1_t) ++ auth_use_nsswitch(postfix_$1_t) + ') + ') + +@@ -455,3 +457,22 @@ typeattribute $1 postfix_user_domtrans; ') 
@@ -4468,8 +4616,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-05-21 10:46:53.000000000 -0400 -@@ -169,6 +169,8 @@ ++++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-05-29 11:49:32.000000000 -0400 +@@ -169,12 +169,18 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) @@ -4478,7 +4626,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(postfix_master_t) term_dontaudit_use_generic_ptys(postfix_master_t) -@@ -184,6 +186,10 @@ + ') + + optional_policy(` ++ auth_use_nsswitch(postfix_master_t) ++') ++ ++optional_policy(` + cyrus_stream_connect(postfix_master_t) + ') + +@@ -184,6 +190,10 @@ ') optional_policy(` @@ -4489,7 +4647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post nis_use_ypbind(postfix_master_t) ') -@@ -210,6 +216,7 @@ +@@ -210,6 +220,7 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; @@ -4497,7 +4655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_bounce_t postfix_public_t:sock_file write; allow postfix_bounce_t postfix_public_t:dir search; -@@ -228,6 +235,7 @@ +@@ -228,6 +239,7 @@ # allow postfix_cleanup_t self:process setrlimit; 
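Review bot: `auth_use_nsswitch(postfix_master_t)` is added inside an `optional_policy` block in the `@@ -169,12 +169,18 @@` hunk, yet the `nis_use_ypbind(postfix_master_t)` block is left in place as context in the `@@ -184,6 +190,10 @@` hunk further down this line. In the arpwatch, nagios and postfix.if hunks of this same commit `auth_use_nsswitch` replaces `nis_use_ypbind`, so for consistency the remaining `nis_use_ypbind(postfix_master_t)` block should presumably be dropped as well, and any `sysnet_read_config(postfix_master_t)` outside the shown context removed the same way. The `optional_policy` wrapper is also unusual here since the other domains in this commit call `auth_use_nsswitch` unwrapped; if authlogin is always present the block can be flattened to a bare `auth_use_nsswitch(postfix_master_t)`.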
@@ -4505,7 +4663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_cleanup_t,postfix_private_t,postfix_private_t,postfix_master_t) -@@ -250,6 +258,7 @@ +@@ -250,6 +262,7 @@ allow postfix_local_t self:fifo_file rw_fifo_file_perms; allow postfix_local_t self:process { setsched setrlimit }; @@ -4513,7 +4671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post manage_dirs_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t) manage_files_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t) -@@ -369,6 +378,7 @@ +@@ -369,6 +382,7 @@ # allow postfix_pickup_t self:tcp_socket create_socket_perms; @@ -4521,7 +4679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post stream_connect_pattern(postfix_pickup_t,postfix_private_t,postfix_private_t,postfix_master_t) -@@ -386,7 +396,7 @@ +@@ -386,7 +400,7 @@ # Postfix pipe local policy # @@ -4530,7 +4688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) -@@ -395,6 +405,10 @@ +@@ -395,6 +409,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` @@ -4541,7 +4699,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_pipe_t) ') -@@ -475,6 +489,8 @@ +@@ -441,6 +459,10 @@ + ') + + optional_policy(` ++ fstools_read_pipes(postfix_postdrop_t) ++') ++ ++optional_policy(` + ppp_use_fds(postfix_postqueue_t) + ppp_sigchld(postfix_postqueue_t) + ') +@@ -475,6 +497,8 @@ # Postfix qmgr local policy # 
@@ -4550,7 +4719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post stream_connect_pattern(postfix_qmgr_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t,postfix_public_t,postfix_public_t) -@@ -519,8 +535,6 @@ +@@ -519,8 +543,6 @@ # Postfix smtp delivery local policy # @@ -4559,7 +4728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) -@@ -552,9 +566,18 @@ +@@ -552,9 +574,18 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` @@ -5426,7 +5595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +unconfined_domain(samba_unconfined_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.6.4/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/sasl.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/sasl.te 2007-05-29 10:35:15.000000000 -0400 @@ -63,6 +63,7 @@ selinux_compute_access_vector(saslauthd_t) 
@@ -5435,6 +5604,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl auth_use_nsswitch(saslauthd_t) domain_use_interactive_fds(saslauthd_t) +@@ -79,6 +80,7 @@ + libs_use_shared_libs(saslauthd_t) + + logging_send_syslog_msg(saslauthd_t) ++logging_send_audit_msg(saslauthd_t) + + miscfiles_read_localization(saslauthd_t) + miscfiles_read_certs(saslauthd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-2.6.4/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/sendmail.if 2007-05-21 10:46:53.000000000 -0400 @@ -5565,6 +5742,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-2.6.4/policy/modules/services/spamassassin.if +--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-05-07 14:51:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/spamassassin.if 2007-05-29 10:25:34.000000000 -0400 +@@ -466,6 +466,7 @@ + ') + + files_search_var_lib($1) ++ list_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t) + read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.6.4/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-05-07 14:50:57.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/spamassassin.te 2007-05-21 10:46:53.000000000 -0400 
@@ -5929,13 +6117,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.6.4/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/authlogin.if 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/authlogin.if 2007-05-29 09:10:31.000000000 -0400 @@ -27,11 +27,9 @@ domain_type($1_chkpwd_t) domain_entry_file($1_chkpwd_t,chkpwd_exec_t) - allow $1_chkpwd_t self:capability { audit_control setuid }; -+ allow $1_chkpwd_t self:capability setuid; ++ allow $1_chkpwd_t self:capability { dac_override setuid }; allow $1_chkpwd_t self:process getattr; - send_audit_msgs_pattern($1_chkpwd_t) @@ -5951,16 +6139,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo miscfiles_read_localization($1_chkpwd_t) -@@ -109,7 +108,7 @@ +@@ -109,7 +108,8 @@ role $3 types system_chkpwd_t; # cjp: is this really needed? - allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + logging_send_audit_msg($2) ++ logging_set_loginuid($1) dontaudit $2 shadow_t:file { getattr read }; -@@ -152,21 +151,12 @@ +@@ -152,21 +152,12 @@ ## # template(`auth_domtrans_user_chk_passwd',` @@ -5987,7 +6176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -180,6 +170,9 @@ +@@ -180,6 +171,9 @@ ## # interface(`auth_login_pgm_domain',` 
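Review bot: The `@@ -27,11 +27,9 @@` hunk widens `$1_chkpwd_t` from `setuid` to `{ dac_override setuid }`, which lets every per-role chkpwd helper bypass DAC for writes as well as reads. If the helper only needs to read a file past its mode bits, `dac_read_search` is the narrower capability: `allow $1_chkpwd_t self:capability { dac_read_search setuid };`. A why-comment naming the access that triggered the denial would help the next reviewer keep this grant narrow.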
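Review bot: `logging_set_loginuid($1)` in the `@@ -109,7 +108,8 @@` hunk passes `$1`, while the neighbouring rules in the same template use `$2` (`logging_send_audit_msg($2)`, `dontaudit $2 shadow_t:file { getattr read };`) and the first hunk of this file uses `$1` only as a prefix (`$1_chkpwd_t`). If `$1` is the per-role prefix, the expansion applies a `typeattribute` to a non-type and the build fails, or at best the wrong domain gains `audit_control`; the intended line is presumably `logging_set_loginuid($2)`. The enclosing template starts before this hunk, so the parameter roles should be confirmed there.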
@@ -5997,17 +6186,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo domain_type($1) domain_subj_id_change_exemption($1) -@@ -187,6 +180,9 @@ +@@ -187,6 +181,11 @@ domain_obj_id_change_exemption($1) role system_r types $1; + auth_keyring_domain($1) + allow $1 keyring_type:key { search link }; + ++ logging_send_audit_msg($1) ++ # for SSP/ProPolice dev_read_urand($1) -@@ -211,9 +207,11 @@ +@@ -211,9 +210,11 @@ auth_read_login_records($1) auth_append_login_records($1) auth_rw_lastlog($1) @@ -6020,7 +6211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo init_rw_utmp($1) logging_send_syslog_msg($1) -@@ -221,6 +219,7 @@ +@@ -221,6 +222,7 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -6028,7 +6219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') -@@ -320,10 +319,6 @@ +@@ -320,10 +322,6 @@ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ') @@ -6039,7 +6230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo corecmd_search_bin($1) domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) -@@ -357,6 +352,37 @@ +@@ -357,6 +355,37 @@ ######################################## ## @@ -6077,7 +6268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -1391,3 +1417,114 @@ +@@ -1391,3 +1420,114 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') 
@@ -6288,6 +6479,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-2.6.4/policy/modules/system/fstools.if +--- nsaserefpolicy/policy/modules/system/fstools.if 2007-05-07 14:51:02.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/fstools.if 2007-05-29 11:48:37.000000000 -0400 +@@ -124,3 +124,22 @@ + + allow $1 swapfile_t:file getattr; + ') ++ ++######################################## ++## ++## Read fstools unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fstools_read_pipes',` ++ gen_require(` ++ type fsdaemon_t; ++ ') ++ ++ allow $1 fsdaemon_t:fifo_file read_fifo_file_perms; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.6.4/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2007-05-07 14:51:02.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-05-21 10:46:53.000000000 -0400 
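Review bot: The new `fstools_read_pipes` interface in fstools.if is documented as `## Read fstools unnamed pipes.` but its only rule targets `fsdaemon_t`, the daemon domain, not the administration-tool domain that the `fsadm_exec_t` entries just above this hunk belong to; the name and summary will mislead callers about whose fifo they are opening. Suggest `## Read unnamed pipes of the fsdaemon_t daemon domain.` as the summary. Its only caller in this commit, `fstools_read_pipes(postfix_postdrop_t)` in postfix.te, looks like an inherited-descriptor case; if postdrop does not actually need the data, a dontaudit variant would keep the read out of the allowed set.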
@@ -6779,8 +6996,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.6.4/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/logging.if 2007-05-21 10:46:53.000000000 -0400 -@@ -302,6 +302,25 @@ ++++ serefpolicy-2.6.4/policy/modules/system/logging.if 2007-05-29 09:11:30.000000000 -0400 +@@ -223,6 +223,25 @@ + + ######################################## + ## ++## Execute klogd in the klog domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_domtrans_klog',` ++ gen_require(` ++ type klogd_t, klogd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1,klogd_exec_t,klogd_t) ++') ++ ++######################################## ++## + ## Create an object in the log directory, with a private + ## type using a type transition. + ## +@@ -302,6 +321,25 @@ ######################################## ## @@ -6806,7 +7049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. -@@ -436,7 +455,7 @@ +@@ -436,7 +474,7 @@ files_search_var($1) allow $1 var_log_t:dir list_dir_perms; @@ -6815,7 +7058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -480,6 +499,8 @@ +@@ -480,6 +518,8 @@ files_search_var($1) manage_files_pattern($1,logfile,logfile) read_lnk_files_pattern($1,logfile,logfile) @@ -6824,7 +7067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -563,3 +584,121 @@ +@@ -563,3 +603,121 @@ files_search_var($1) manage_files_pattern($1,var_log_t,var_log_t) ') 
@@ -6868,7 +7111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + typeattribute $1 can_set_loginuid, can_send_audit_msg; + + allow $1 self:capability audit_control; -+ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay }; ++ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay }; +') + +######################################## @@ -7101,7 +7344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.6.4/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/modutils.te 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/modutils.te 2007-05-29 11:16:14.000000000 -0400 @@ -102,6 +102,7 @@ init_use_fds(insmod_t) init_use_script_fds(insmod_t) @@ -7110,7 +7353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti libs_use_ld_so(insmod_t) libs_use_shared_libs(insmod_t) -@@ -123,6 +124,14 @@ +@@ -123,6 +124,18 @@ ') optional_policy(` @@ -7118,6 +7361,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti +') + +optional_policy(` ++ firstboot_dontaudit_rw_pipes(insmod_t) ++') ++ ++optional_policy(` + hal_write_log(insmod_t) +') + @@ -7125,7 +7372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti hotplug_search_config(insmod_t) ') -@@ -155,6 +164,7 @@ +@@ -155,6 +168,7 @@ optional_policy(` rpm_rw_pipes(insmod_t) @@ -7133,7 +7380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ') optional_policy(` -@@ -185,6 +195,7 @@ +@@ -185,6 +199,7 @@ files_read_kernel_symbol_table(depmod_t) files_read_kernel_modules(depmod_t) 
@@ -7684,7 +7931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.6.4/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/unconfined.if 2007-05-21 10:46:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/unconfined.if 2007-05-29 11:47:34.000000000 -0400 @@ -18,7 +18,7 @@ ')