From a96af5497de0382bc2bacbee5dd2a49365ba5e8d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Aug 24 2010 14:36:48 +0000 Subject: - Fixes for boinc policy - Fixes for shorewall policy --- diff --git a/policy-F13.patch b/policy-F13.patch index a954e02..b0b3a13 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -244,8 +244,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.7.19/policy/modules/admin/accountsd.te --- nsaserefpolicy/policy/modules/admin/accountsd.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/admin/accountsd.te 2010-06-01 13:50:27.639177903 +0200 -@@ -0,0 +1,64 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/accountsd.te 2010-08-24 15:44:39.211083773 +0200 +@@ -0,0 +1,62 @@ +policy_module(accountsd,1.0.0) + +######################################## @@ -257,8 +257,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +type accountsd_exec_t; +dbus_system_domain(accountsd_t, accountsd_exec_t) + -+permissive accountsd_t; -+ +type accountsd_var_lib_t; +files_type(accountsd_var_lib_t) + @@ -2361,8 +2359,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te --- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-08-09 14:15:21.106085482 +0200 -@@ -0,0 +1,68 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-08-24 15:45:05.100083585 +0200 +@@ -0,0 +1,66 @@ +policy_module(shutdown,1.0.0) + +######################################## 
@@ -2381,8 +2379,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +type shutdown_var_run_t; +files_pid_file(shutdown_var_run_t) + -+permissive shutdown_t; -+ +######################################## +# +# shutdown local policy @@ -3354,8 +3350,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis. +sysnet_read_config(gitosis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.19/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/gnome.fc 2010-05-28 09:41:59.976610853 +0200 -@@ -1,8 +1,28 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/gnome.fc 2010-08-24 15:33:52.995335336 +0200 +@@ -1,8 +1,31 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) @@ -3365,6 +3361,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) +/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) ++/HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) ++ + +/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) +/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) 
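Review bot: The new file-context line `++/HOME_DIR/\.xine(/.*)?` keeps a leading slash in front of `HOME_DIR`, unlike the `HOME_DIR/\.cache(/.*)?`, `HOME_DIR/\.config(/.*)?` and `HOME_DIR/\.local.*` entries earlier in this hunk. `HOME_DIR` is substituted with a home-directory path at policy build time, so the pattern then starts with `//` and is unlikely to match anything, leaving `~/.xine` without the `config_home_t` label; the pre-existing `+/HOME_DIR/\.Xdefaults` line above it appears to have the same problem. I would write it as `HOME_DIR/\.xine(/.*)?	gen_context(system_u:object_r:config_home_t,s0)` (the `/root/\.xine` counterpart in the next hunk is fine, since that path is absolute). The extra `++` blank line also leaves two consecutive empty lines before the `/root/` block.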
@@ -3373,6 +3371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc +/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) +/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) ++/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) @@ -4152,7 +4151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.19/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/gpg.te 2010-05-28 09:41:59.979610866 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/gpg.te 2010-08-24 14:03:22.764083542 +0200 @@ -5,6 +5,7 @@ # # Declarations @@ -4400,7 +4399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) ') -@@ -271,5 +363,46 @@ +@@ -271,5 +363,49 @@ ') optional_policy(` @@ -4426,7 +4425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +optional_policy(` + xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) + -+') + ') + +############################# +# @@ -4437,6 +4436,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s + +can_exec(gpg_web_t, gpg_exec_t) + ++dev_read_rand(gpg_web_t) ++dev_read_urand(gpg_web_t) ++ +files_read_usr_files(gpg_web_t) + +miscfiles_read_localization(gpg_web_t) 
@@ -4446,7 +4448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s + +tunable_policy(`gpg_web_anon_write',` + miscfiles_manage_public_files(gpg_web_t) - ') ++') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.7.19/policy/modules/apps/irc.fc --- nsaserefpolicy/policy/modules/apps/irc.fc 2010-04-13 20:44:37.000000000 +0200 @@ -6903,8 +6905,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-08-17 15:43:17.915085143 +0200 -@@ -0,0 +1,393 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-08-24 14:07:38.336335117 +0200 +@@ -0,0 +1,397 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -7127,6 +7129,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + sssd_dontaudit_search_lib(sandbox_x_domain) +') + ++optional_policy(` ++ udev_read_db(sandbox_x_domain) ++') ++ +userdom_dontaudit_use_user_terminals(sandbox_x_domain) +userdom_read_user_home_content_symlinks(sandbox_x_domain) + @@ -14488,7 +14494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-08-04 15:15:10.969085367 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-08-24 14:04:00.070084847 +0200 @@ -13,17 +13,13 @@ # template(`apache_content_template',` 
@@ -14734,7 +14740,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_search_var($1) ') -@@ -841,6 +897,54 @@ +@@ -836,11 +892,60 @@ + ') + + files_search_var($1) ++ apache_search_sys_content($1) + manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -14789,7 +14801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Execute all web scripts in the system -@@ -858,6 +962,11 @@ +@@ -858,6 +963,11 @@ gen_require(` attribute httpdcontent; type httpd_sys_script_t; @@ -14801,7 +14813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -945,7 +1054,7 @@ +@@ -945,7 +1055,7 @@ type httpd_squirrelmail_t; ') @@ -14810,7 +14822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -985,6 +1094,24 @@ +@@ -985,6 +1095,24 @@ allow $1 httpd_sys_content_t:dir search_dir_perms; ') @@ -14835,7 +14847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Read apache system content. -@@ -1086,6 +1213,25 @@ +@@ -1086,6 +1214,25 @@ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -14861,7 +14873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Dontaudit attempts to write -@@ -1102,7 +1248,7 @@ +@@ -1102,7 +1249,7 @@ type httpd_tmp_t; ') 
@@ -14870,7 +14882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1172,7 +1318,7 @@ +@@ -1172,7 +1319,7 @@ type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; @@ -14879,7 +14891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') allow $1 httpd_t:process { getattr ptrace signal_perms }; -@@ -1202,12 +1348,62 @@ +@@ -1202,12 +1349,62 @@ kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; @@ -14945,7 +14957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-08-11 13:56:26.586085235 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-08-24 14:39:54.754083905 +0200 @@ -19,11 +19,13 @@ # Declarations # @@ -14989,7 +15001,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow HTTPD scripts and modules to connect to databases over the network. ##

## -@@ -101,6 +117,20 @@ +@@ -72,6 +88,13 @@ + + ## + ##

++## Allow http daemon to check spam ++##

++##
++gen_tunable(httpd_can_check_spam, false) ++ ++## ++##

+ ## Allow Apache to communicate with avahi service via dbus + ##

+ ##
+@@ -101,6 +124,20 @@ ## ##

@@ -15010,7 +15036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ##

##
-@@ -108,6 +138,13 @@ +@@ -108,6 +145,13 @@ ## ##

@@ -15024,7 +15050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. -@@ -131,7 +168,7 @@ +@@ -131,7 +175,7 @@ ## ##

@@ -15033,7 +15059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ##

##
gen_tunable(httpd_use_gpg, false) -@@ -143,6 +180,13 @@ +@@ -143,6 +187,13 @@ ## gen_tunable(httpd_use_nfs, false) @@ -15047,7 +15073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac attribute httpdcontent; attribute httpd_user_content_type; -@@ -218,6 +262,10 @@ +@@ -218,6 +269,10 @@ # setup the system domain for system CGI scripts apache_content_template(sys) @@ -15058,7 +15084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +274,10 @@ +@@ -226,6 +281,10 @@ apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -15069,7 +15095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +285,7 @@ +@@ -233,6 +292,7 @@ userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; @@ -15077,7 +15103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -286,6 +339,7 @@ +@@ -286,6 +346,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) 
@@ -15085,7 +15111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -355,6 +409,7 @@ +@@ -355,6 +416,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -15093,7 +15119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,8 +420,10 @@ +@@ -365,8 +427,10 @@ corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -15104,7 +15130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -378,12 +435,12 @@ +@@ -378,12 +442,12 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -15120,7 +15146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domain_use_interactive_fds(httpd_t) -@@ -402,6 +459,10 @@ +@@ -402,6 +466,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -15131,7 +15157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_read_lib_files(httpd_t) -@@ -420,12 +481,23 @@ +@@ -420,12 +488,23 @@ miscfiles_manage_public_files(httpd_t) ') 
@@ -15157,7 +15183,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -446,6 +518,16 @@ +@@ -439,6 +518,7 @@ + corenet_tcp_connect_ftp_port(httpd_t) + corenet_tcp_connect_http_port(httpd_t) + corenet_tcp_connect_http_cache_port(httpd_t) ++ corenet_tcp_connect_squid_port(httpd_t) + corenet_tcp_connect_memcache_port(httpd_t) + corenet_sendrecv_gopher_client_packets(httpd_t) + corenet_sendrecv_ftp_client_packets(httpd_t) +@@ -446,6 +526,16 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -15174,7 +15208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` fs_nfs_domtrans(httpd_t, httpd_sys_script_t) ') -@@ -456,6 +538,10 @@ +@@ -456,6 +546,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -15185,7 +15219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -470,11 +556,25 @@ +@@ -470,11 +564,25 @@ userdom_read_user_home_content_files(httpd_t) ') @@ -15211,7 +15245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,9 +584,22 @@ +@@ -484,9 +592,22 @@ # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) 
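Review bot: The added `corenet_tcp_connect_squid_port(httpd_t)` has no matching packet rule, while every other `corenet_tcp_connect_*_port` call visible in this block is paired with a `corenet_sendrecv_*_client_packets` rule (gopher, ftp, http_cache). With labeled networking in use the connect permission alone would not let the relay path send or receive squid packets, so `corenet_sendrecv_squid_client_packets(httpd_t)` should be added next to the existing sendrecv lines. The enclosing `tunable_policy` block begins outside the hunk, so I am inferring from context that this is the network-relay tunable.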
@@ -15234,7 +15268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -500,8 +613,11 @@ +@@ -500,8 +621,11 @@ # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) @@ -15246,7 +15280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -514,6 +630,9 @@ +@@ -514,6 +638,9 @@ optional_policy(` cobbler_search_lib(httpd_t) @@ -15256,7 +15290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -528,7 +647,7 @@ +@@ -528,7 +655,7 @@ daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -15265,7 +15299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +656,12 @@ +@@ -537,8 +664,12 @@ ') optional_policy(` @@ -15279,7 +15313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -557,6 +680,7 @@ +@@ -557,6 +688,7 @@ optional_policy(` # Allow httpd to work with mysql @@ -15287,7 +15321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +691,7 @@ +@@ -567,6 +699,7 @@ optional_policy(` nagios_read_config(httpd_t) @@ -15295,7 +15329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -577,12 +702,23 @@ +@@ -577,12 +710,23 @@ ') optional_policy(` @@ -15319,7 +15353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -591,6 +727,11 @@ +@@ -591,6 +735,11 @@ ') optional_policy(` 
@@ -15331,7 +15365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -618,6 +759,10 @@ +@@ -618,6 +767,10 @@ userdom_use_user_terminals(httpd_helper_t) @@ -15342,7 +15376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -699,17 +844,18 @@ +@@ -699,17 +852,18 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -15364,7 +15398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +886,21 @@ +@@ -740,10 +894,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -15387,7 +15421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +926,12 @@ +@@ -769,6 +934,12 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -15400,7 +15434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -792,9 +955,13 @@ +@@ -792,9 +963,13 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) 
@@ -15414,10 +15448,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +970,22 @@ +@@ -803,6 +978,28 @@ mta_send_mail(httpd_sys_script_t) ') ++optional_policy(` ++ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` ++ spamassassin_domtrans_client(httpd_t) ++ ') ++') ++ +fs_cifs_entry_type(httpd_sys_script_t) +fs_read_iso9660_files(httpd_sys_script_t) +fs_nfs_entry_type(httpd_sys_script_t) @@ -15437,7 +15477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1013,16 @@ +@@ -830,6 +1027,16 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -15454,7 +15494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1035,7 @@ +@@ -842,6 +1049,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -15462,7 +15502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -891,11 +1085,33 @@ +@@ -891,11 +1099,33 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; 
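Review bot: The new `spamassassin_domtrans_client(httpd_t)` block is placed in the "Apache system script local policy" section (the surrounding context is `mta_send_mail(httpd_sys_script_t)`), yet the rule is for `httpd_t`, not `httpd_sys_script_t`; it belongs in the httpd_t section next to the existing `httpd_can_sendmail` handling (`# allow httpd to connect to mail servers` / `corenet_tcp_connect_smtp_port(httpd_t)` in the earlier hunk). The condition `httpd_can_sendmail && httpd_can_check_spam` means the new tunable does nothing on its own, but the tunable's description added earlier in this file ("Allow http daemon to check spam") does not say so; I would phrase it as `Allow HTTPD to pass outgoing mail through the spamassassin client (requires httpd_can_sendmail)` and spell "HTTPD" the way the neighbouring descriptions do. A one-line comment above the block, `# spamc client transition for web applications that send mail`, would also make the intent clear to the next reader.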
@@ -15485,11 +15525,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_user_script_t) + userdom_read_user_home_content_files(httpd_suexec_t) - ') ++') + +tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',` + userdom_read_user_home_content_files(httpd_t) -+') + ') + +# Removal of fastcgi, will cause problems without the following +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; @@ -15877,7 +15917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.19/policy/modules/services/boinc.fc --- nsaserefpolicy/policy/modules/services/boinc.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-08-09 14:45:31.106085169 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-08-24 11:08:39.309083977 +0200 @@ -0,0 +1,8 @@ + +/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) @@ -16044,8 +16084,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-08-20 13:54:00.869085496 +0200 -@@ -0,0 +1,153 @@ ++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-08-24 14:44:00.443083769 +0200 +@@ -0,0 +1,160 @@ + +policy_module(boinc,1.0.0) + 
@@ -16076,18 +16116,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +domain_type(boinc_project_t) +role system_r types boinc_project_t; + -+permissive boinc_project_t; -+ +type boinc_project_var_lib_t; +files_type(boinc_project_var_lib_t) + ++permissive boinc_project_t; ++ +######################################## +# +# boinc local policy +# + +allow boinc_t self:capability { kill }; -+allow boinc_t self:process { setsched }; ++allow boinc_t self:process { setsched sigkill }; + +allow boinc_t self:fifo_file rw_fifo_file_perms; +allow boinc_t self:unix_stream_socket create_stream_socket_perms; @@ -16105,7 +16145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -+files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } ) ++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir }) + +allow boinc_t boinc_project_t:process sigkill; + @@ -16166,6 +16206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +# + +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) ++allow boinc_t boinc_project_t:process sigkill; + +allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop }; +allow boinc_project_t self:process { execmem execstack }; 
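Review bot: The replacement `filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir })` relabels every directory boinc_t creates inside `boinc_var_lib_t` to `boinc_project_var_lib_t`, which in this same file is the type boinc_t transitions from (`domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)`) and that boinc_project_t can manage and `execmod`. If the client creates any non-project subdirectory under its var_lib tree (I cannot tell from the hunk), that directory inherits the executable project type too, so a comment naming the intended directory would help: `# directories the client creates under /var/lib/boinc are project dirs, run in boinc_project_t`. Dropping `files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir })` also means anything boinc_t creates directly in a `var_lib_t` directory now keeps the default label, which is fine if the fc entries already cover the tree. Note that `permissive boinc_project_t;` is only moved, not removed, so the boinc_project_t rules in this commit are still not enforced.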
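Review bot: The added `++allow boinc_t boinc_project_t:process sigkill;` duplicates the identical `allow boinc_t boinc_project_t:process sigkill;` that already exists in the "boinc local policy" section of this file (visible as context in the previous hunk). checkpolicy merges identical allow rules, so this is harmless at runtime, but one copy should be dropped; keeping the one in the boinc_t section matches how the rest of the file groups rules by source domain.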
@@ -16178,7 +16219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) -+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir }) ++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { dir } ) + +allow boinc_project_t boinc_project_var_lib_t:file execmod; + @@ -16186,8 +16227,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +allow boinc_project_t boinc_t:shm rw_shm_perms; +allow boinc_project_t boinc_tmpfs_t:file { read write }; + ++list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) +rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) + ++corecmd_exec_bin(boinc_project_t) ++corecmd_exec_shell(boinc_project_t) ++ +kernel_read_system_state(boinc_project_t) +kernel_read_kernel_sysctls(boinc_project_t) +kernel_search_vm_sysctl(boinc_project_t) @@ -16197,6 +16242,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + +dev_rw_xserver_misc(boinc_project_t) + ++files_read_etc_files(boinc_project_t) ++ +miscfiles_read_localization(boinc_project_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.7.19/policy/modules/services/bugzilla.fc 
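Review bot: `corecmd_exec_shell(boinc_project_t)` and `corecmd_exec_bin(boinc_project_t)` are granted to a domain that runs downloaded project applications and, per the surrounding lines, already has `execmem execstack` and `execmod` on its own files; there is no comment saying which project workload needs a system shell or binaries, so I would add one, e.g. `# some project apps are wrapper scripts that invoke system binaries -- TODO confirm`, so the grant can be revisited once the domain leaves permissive mode. The narrowing of `files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { dir } )` from `{ file dir }` means files the project code creates directly in a `var_lib_t` directory no longer receive the project type, which may be intended; the `{ dir } )` spacing also differs from the `{ dir })` form used for boinc_t in the earlier hunk. The section header for these rules lies outside the hunk.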
@@ -16793,8 +16840,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-05-28 09:42:00.074610853 +0200 -@@ -0,0 +1,75 @@ ++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2010-08-24 15:45:24.605099189 +0200 +@@ -0,0 +1,73 @@ +policy_module(certmonger,1.0.0) + +######################################## @@ -16806,8 +16853,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +type certmonger_exec_t; +init_daemon_domain(certmonger_t, certmonger_exec_t) + -+permissive certmonger_t; -+ +type certmonger_initrc_exec_t; +init_script_file(certmonger_initrc_exec_t) + @@ -18605,7 +18650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.19/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cron.te 2010-05-28 09:42:00.091610700 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cron.te 2010-08-24 15:32:42.307335306 +0200 @@ -38,8 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) 
@@ -18670,7 +18715,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron allow crond_t self:process { setexec setfscreate }; allow crond_t self:fd use; allow crond_t self:fifo_file rw_fifo_file_perms; -@@ -194,6 +209,8 @@ +@@ -168,6 +183,9 @@ + list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) + read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) + ++read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++ ++ + kernel_read_kernel_sysctls(crond_t) + kernel_read_fs_sysctls(crond_t) + kernel_search_key(crond_t) +@@ -194,6 +212,8 @@ corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) @@ -18679,7 +18734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) -@@ -209,7 +226,9 @@ +@@ -209,7 +229,9 @@ auth_use_nsswitch(crond_t) @@ -18689,7 +18744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -220,8 +239,10 @@ +@@ -220,8 +242,10 @@ userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) @@ -18700,7 +18755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`distro_debian',` # pam_limits is used -@@ -241,8 +262,17 @@ +@@ -241,8 +265,17 @@ ') ') @@ -18720,7 +18775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -251,6 +281,20 @@ +@@ -251,6 +284,20 @@ ') optional_policy(` @@ -18741,7 +18796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron amanda_search_var_lib(crond_t) ') -@@ -260,6 +304,8 @@ +@@ -260,6 +307,8 @@ optional_policy(` hal_dbus_chat(crond_t) 
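Review bot: `read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` lets crond follow symlinks in the user crontab spool, where the existing `list_dirs_pattern`/`read_files_pattern` lines above it only cover directories and regular files; nothing in the hunk says what creates those symlinks, and if anything other than the crontab helper can place one there, the link decides which file crond reads. A short comment stating the reason, e.g. `# crontab spool entries may be symlinks created by the crontab helper -- TODO confirm`, would record that this was considered. The two `++` blank lines also leave a double empty line before `kernel_read_kernel_sysctls(crond_t)`, unlike the single blank line used elsewhere in the file.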
@@ -18750,7 +18805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -291,6 +337,8 @@ +@@ -291,6 +340,8 @@ # allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; @@ -18759,7 +18814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -302,10 +350,17 @@ +@@ -302,10 +353,17 @@ # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -18778,7 +18833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -325,6 +380,7 @@ +@@ -325,6 +383,7 @@ allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -18786,7 +18841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -336,9 +392,13 @@ +@@ -336,9 +395,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -18801,7 +18856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -361,6 +421,7 @@ +@@ -361,6 +424,7 @@ dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) 
@@ -18809,7 +18864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -387,6 +448,7 @@ +@@ -387,6 +451,7 @@ # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -18817,7 +18872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -411,6 +473,8 @@ +@@ -411,6 +476,8 @@ ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files @@ -18826,7 +18881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -435,6 +499,8 @@ +@@ -435,6 +502,8 @@ apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -18835,7 +18890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -442,6 +508,14 @@ +@@ -442,6 +511,14 @@ ') optional_policy(` @@ -18850,7 +18905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ftp_read_log(system_cronjob_t) ') -@@ -452,15 +526,24 @@ +@@ -452,15 +529,24 @@ ') optional_policy(` @@ -18875,7 +18930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -476,7 +559,7 @@ +@@ -476,7 +562,7 @@ prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -18884,7 +18939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -491,6 +574,7 @@ +@@ -491,6 +577,7 @@ optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) 
@@ -18892,7 +18947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -498,6 +582,9 @@ +@@ -498,6 +585,9 @@ ') optional_policy(` @@ -18902,7 +18957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -591,6 +678,7 @@ +@@ -591,6 +681,7 @@ #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -19291,7 +19346,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.19/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cyrus.te 2010-05-28 09:42:00.094610780 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cyrus.te 2010-08-24 14:09:21.658222360 +0200 +@@ -27,7 +27,7 @@ + # Local policy + # + +-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; ++allow cyrus_t self:capability { dac_override fsetid net_bind_service setgid setuid sys_resource }; + dontaudit cyrus_t self:capability sys_tty_config; + allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow cyrus_t self:process setrlimit; @@ -75,6 +75,7 @@ corenet_tcp_bind_mail_port(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) 
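Review bot: The new `fsetid` capability in `++allow cyrus_t self:capability { dac_override fsetid net_bind_service setgid setuid sys_resource };` is granted without any explanation, and CAP_FSETID lets the daemon preserve set-user-ID/set-group-ID bits when it modifies a file and set the setgid bit on files whose group it does not belong to, which is broader than a mail store normally needs. If this came from an AVC denial raised when cyrus writes to or chmods a file that merely carries a setgid bit (a common, harmless trigger), `dontaudit cyrus_t self:capability fsetid;` next to the existing `dontaudit cyrus_t self:capability sys_tty_config;` line would silence it without granting anything. If the grant really is needed, a one-line comment naming the operation would let the next reviewer confirm it. The cyrus_t local policy block continues outside the hunk.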
@@ -20259,7 +20323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-08-17 15:14:20.563085303 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-08-24 14:32:28.482083467 +0200 @@ -9,6 +9,9 @@ type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) @@ -20342,10 +20406,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove fs_search_auto_mountpoints(dovecot_t) fs_list_inotifyfs(dovecot_t) -@@ -142,6 +160,10 @@ +@@ -142,6 +160,16 @@ ') optional_policy(` ++ postfix_manage_private_sockets(dovecot_t) ++ postfix_search_spool(dovecot_t) ++') ++ ++ ++optional_policy(` + postgresql_stream_connect(dovecot_t) +') + @@ -20353,7 +20423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove seutil_sigchld_newrole(dovecot_t) ') -@@ -172,11 +194,6 @@ +@@ -172,11 +200,6 @@ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) @@ -20365,7 +20435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) dovecot_stream_connect_auth(dovecot_auth_t) -@@ -197,11 +214,13 @@ +@@ -197,11 +220,13 @@ files_search_pids(dovecot_auth_t) files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) 
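Review bot: `postfix_manage_private_sockets(dovecot_t)` grants create and delete on every socket labelled postfix_private_t, and the hunk gives no hint which socket dovecot needs to create there; a comment such as `# dovecot creates its SASL auth socket under /var/spool/postfix/private` above the call would record the justification, assuming that is the use case (the hunk does not show it). The insertion also leaves two consecutive blank lines (`++` `++`) between the new postfix block and the postgresql one, where refpolicy style separates optional_policy blocks with a single blank line. The enclosing dovecot_t policy block continues outside the hunk.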
@@ -20380,7 +20450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_auth_t) seutil_dontaudit_search_config(dovecot_auth_t) -@@ -225,6 +244,7 @@ +@@ -225,6 +250,7 @@ ') optional_policy(` @@ -20388,7 +20458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -234,18 +254,28 @@ +@@ -234,18 +260,28 @@ # allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; @@ -20417,7 +20487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_deliver_t) -@@ -263,15 +293,24 @@ +@@ -263,15 +299,24 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) tunable_policy(`use_nfs_home_dirs',` @@ -23047,7 +23117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-08-17 15:09:15.400085159 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/mta.te 2010-08-24 13:50:13.396084105 +0200 @@ -21,8 +21,8 @@ type etc_mail_t; files_config_file(etc_mail_t) @@ -23059,7 +23129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. type mqueue_spool_t; files_mountpoint(mqueue_spool_t) -@@ -57,15 +57,18 @@ +@@ -57,15 +57,14 @@ read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) 
@@ -23075,14 +23145,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. -kernel_request_load_module(system_mail_t) +files_read_all_tmp_files(system_mail_t) +files_read_usr_files(system_mail_t) -+ -+kernel_read_system_state(user_mail_domain) -+kernel_read_network_state(user_mail_domain) -+kernel_request_load_module(user_mail_domain) dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) -@@ -75,10 +78,15 @@ +@@ -75,10 +74,15 @@ selinux_getattr_fs(system_mail_t) @@ -23098,7 +23164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -89,6 +97,7 @@ +@@ -89,6 +93,7 @@ apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -23106,7 +23172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -100,6 +109,11 @@ +@@ -100,6 +105,11 @@ ') optional_policy(` @@ -23118,7 +23184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -107,6 +121,9 @@ +@@ -107,6 +117,9 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) @@ -23128,23 +23194,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -120,12 +137,13 @@ +@@ -120,12 +133,8 @@ ') optional_policy(` - exim_domtrans(system_mail_t) - exim_manage_log(system_mail_t) -+ exim_domtrans(user_mail_domain) -+ exim_manage_log(user_mail_domain) - ') - - optional_policy(` +-') +- +-optional_policy(` fail2ban_append_log(system_mail_t) + fail2ban_dontaudit_leaks(system_mail_t) ') optional_policy(` -@@ -142,6 +160,10 @@ +@@ -142,6 +151,10 @@ ') optional_policy(` 
@@ -23155,28 +23219,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. nagios_read_tmp_files(system_mail_t) ') -@@ -156,15 +178,15 @@ - domain_use_interactive_fds(system_mail_t) +@@ -154,18 +167,6 @@ + files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) - # postfix needs this for newaliases + domain_use_interactive_fds(system_mail_t) +- +- # postfix needs this for newaliases - files_getattr_tmp_dirs(system_mail_t) -+ files_getattr_tmp_dirs(user_mail_domain) - +- - postfix_exec_master(system_mail_t) - postfix_read_config(system_mail_t) - postfix_search_spool(system_mail_t) -+ postfix_exec_master(user_mail_domain) -+ postfix_read_config(user_mail_domain) -+ postfix_search_spool(user_mail_domain) - - ifdef(`distro_redhat',` - # compatability for old default main.cf +- +- ifdef(`distro_redhat',` +- # compatability for old default main.cf - postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) -+ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) - ') +- ') ') -@@ -185,6 +207,10 @@ + optional_policy(` +@@ -185,6 +186,10 @@ ') optional_policy(` @@ -23187,7 +23249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') -@@ -216,7 +242,8 @@ +@@ -216,7 +221,8 @@ create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -23197,7 +23259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -245,6 +272,10 @@ +@@ -245,6 +251,10 @@ mailman_read_data_symlinks(mailserver_delivery) ') 
@@ -23208,6 +23270,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ######################################## # # User send mail local policy +@@ -288,3 +298,33 @@ + postfix_read_config(user_mail_t) + postfix_list_spool(user_mail_t) + ') ++ ++####################################### ++# ++# Common user_mail_domain policy ++# ++ ++read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t) ++ ++kernel_read_system_state(user_mail_domain) ++kernel_read_network_state(user_mail_domain) ++kernel_request_load_module(user_mail_domain) ++ ++optional_policy(` ++ # postfix needs this for newaliases ++ files_getattr_tmp_dirs(user_mail_domain) ++ ++ postfix_exec_master(user_mail_domain) ++ postfix_read_config(user_mail_domain) ++ postfix_search_spool(user_mail_domain) ++ ++ ifdef(`distro_redhat',` ++ # compatability for old default main.cf ++ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) ++ ') ++') ++ ++optional_policy(` ++ exim_domtrans(user_mail_domain) ++ exim_manage_log(user_mail_domain) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.19/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/munin.fc 2010-05-28 09:42:00.127610888 +0200 @@ -27532,7 +27628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-08-02 09:16:41.169891320 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/postfix.te 2010-08-24 14:10:06.610083596 +0200 @@ -6,6 +6,15 @@ # Declarations # 
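Review bot: The new "Common user_mail_domain policy" section grants `kernel_request_load_module`, `postfix_exec_master`, `postfix_config_filetrans(user_mail_domain, etc_aliases_t, ...)` and `exim_domtrans` to every type carrying the user_mail_domain attribute, whereas the rules deleted from the system_mail_t section in the earlier hunks of this file were scoped to system_mail_t alone, so any less-privileged domain in that attribute now inherits them. The user_mail_t block directly above the insertion (`postfix_read_config(user_mail_t)`, `postfix_list_spool(user_mail_t)`) becomes redundant with the attribute-wide `postfix_read_config(user_mail_domain)` if user_mail_t is a member, which the hunk does not show; either drop the per-type lines or keep the master-exec and filetrans rules on system_mail_t only. A header comment above the section naming which types carry user_mail_domain and why each must exec the postfix master would make the widening reviewable, and the changelog hunk at the end of the patch does not mention this restructuring at all.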
@@ -27811,12 +27907,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -379,6 +435,12 @@ +@@ -379,6 +435,14 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) + ++corecmd_exec_bin(postfix_pipe_t) ++ +optional_policy(` + dovecot_domtrans_deliver(postfix_pipe_t) +') @@ -27824,7 +27922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -388,6 +450,16 @@ +@@ -388,6 +452,16 @@ ') optional_policy(` @@ -27841,7 +27939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -415,6 +487,10 @@ +@@ -415,6 +489,10 @@ mta_rw_user_mail_stream_sockets(postfix_postdrop_t) optional_policy(` @@ -27852,7 +27950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') -@@ -424,8 +500,11 @@ +@@ -424,8 +502,11 @@ ') optional_policy(` @@ -27866,7 +27964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ####################################### -@@ -451,6 +530,17 @@ +@@ -451,6 +532,17 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -27884,7 +27982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -464,6 +554,7 @@ +@@ -464,6 +556,7 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) 
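Review bot: `corecmd_exec_bin(postfix_pipe_t)` lets the pipe(8) delivery agent run any bin_t executable in its own domain with no transition, so whichever master.cf command triggered this inherits postfix_pipe_t's access (including the `rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)` rule a few lines above) instead of landing in a confined target like the adjacent `dovecot_domtrans_deliver` and `procmail_domtrans` calls. If this was added for one specific delivery program, a domain transition for that program, or at minimum a comment naming it, would be preferable to the blanket grant. The hunk does not show which command needed it, so this is inferred; the postfix_pipe_t section continues outside the hunk.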
@@ -27892,7 +27990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -@@ -499,13 +590,14 @@ +@@ -499,13 +592,14 @@ # # connect to master process @@ -27908,7 +28006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) -@@ -535,9 +627,18 @@ +@@ -535,9 +629,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -27927,7 +28025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mailman_read_data_files(postfix_smtpd_t) ') -@@ -559,20 +660,22 @@ +@@ -559,20 +662,22 @@ allow postfix_virtual_t postfix_spool_t:file rw_file_perms; @@ -28564,8 +28662,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.7.19/policy/modules/services/qpidd.te --- nsaserefpolicy/policy/modules/services/qpidd.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-06-28 16:21:33.763401566 +0200 -@@ -0,0 +1,61 @@ ++++ serefpolicy-3.7.19/policy/modules/services/qpidd.te 2010-08-24 15:45:39.029334176 +0200 +@@ -0,0 +1,59 @@ +policy_module(qpidd,1.0.0) + +######################################## @@ -28577,8 +28675,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +type qpidd_exec_t; +init_daemon_domain(qpidd_t, qpidd_exec_t) + -+permissive qpidd_t; -+ +type qpidd_initrc_exec_t; +init_script_file(qpidd_initrc_exec_t) + 
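Review bot: Dropping `permissive qpidd_t;` switches the newly introduced qpidd domain to enforcing, yet none of the hunks visible here add allow rules to qpidd_t, so the local policy that follows the declarations (outside this hunk) must already be complete. The spec changelog at the end of the patch lists only the boinc and shorewall fixes; a line stating that qpidd_t, and showmount_t in mount.te, leave permissive mode would tell administrators to check the audit log for new denials after updating.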
@@ -32869,16 +32965,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.7.19/policy/modules/services/ulogd.te --- nsaserefpolicy/policy/modules/services/ulogd.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ulogd.te 2010-08-18 13:20:36.768085114 +0200 -@@ -32,6 +32,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/ulogd.te 2010-08-24 14:41:34.195084825 +0200 +@@ -32,6 +32,9 @@ allow ulogd_t self:capability net_admin; allow ulogd_t self:netlink_nflog_socket create_socket_perms; +allow ulogd_t self:netlink_route_socket r_netlink_socket_perms; ++allow ulogd_t self:tcp_socket { create_stream_socket_perms connect }; ++allow ulogd_t self:udp_socket create_socket_perms; # config files read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) -@@ -44,6 +45,16 @@ +@@ -44,6 +47,19 @@ manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) @@ -32888,12 +32986,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulog miscfiles_read_localization(ulogd_t) + ++sysnet_dns_name_resolve(ulogd_t) ++ +optional_policy(` + mysql_stream_connect(ulogd_t) +') + +optional_policy(` + postgresql_stream_connect(ulogd_t) ++ postgresql_tcp_connect(ulogd_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.19/policy/modules/services/usbmuxd.fc --- nsaserefpolicy/policy/modules/services/usbmuxd.fc 2010-04-13 20:44:36.000000000 +0200 
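Review bot: `allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };` includes listen and accept, which turn ulogd into a TCP server, while the only network consumer visible in the hunk is the outbound `postgresql_tcp_connect(ulogd_t)`; for a client, `allow ulogd_t self:tcp_socket create_socket_perms;` is sufficient (create_socket_perms already contains connect). In refpolicy the `sysnet_dns_name_resolve` interface itself grants self tcp/udp create_socket_perms and r_netlink_socket_perms on netlink_route_socket, so the explicit `self:udp_socket` and `self:netlink_route_socket` lines are probably redundant once it is called — worth checking against the installed interface before keeping them. The ulogd_t policy block continues outside the hunk.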
@@ -36930,17 +37031,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump. dev_read_sysfs(kdump_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-08-17 11:05:48.905085267 +0200 -@@ -127,17 +127,16 @@ ++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-08-24 15:43:47.418115008 +0200 +@@ -127,17 +127,19 @@ /usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/vlc/plugins/mmx/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/vlc/codec/plugins/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/vlc/codec/plugins/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -36952,7 +37056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -151,6 +150,7 @@ +@@ -151,6 +153,7 @@ /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -36960,7 +37064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -208,6 +208,7 @@ +@@ -208,6 +211,7 @@ /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -36968,7 +37072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -302,13 +303,8 @@ +@@ -302,13 +306,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -36984,7 +37088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -319,14 +315,153 @@ +@@ -319,14 +318,153 @@ /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -37057,7 +37161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libpostproc4vlc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libpostproc.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + 
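Review bot: The `++/usr/lib(64)?/libpostproc.*\.so.*` pattern widens the textrel_shlib_t label from the single libpostproc4vlc library to any file whose name begins with libpostproc, and it also subsumes the `/usr/lib(64)?/libpostproc\.so.*` line directly above it. If the intent was only to cover the vlc-suffixed variant, `/usr/lib(64)?/libpostproc(4vlc)?\.so.*` keeps the match explicit and the now-redundant line can be dropped. Because textrel_shlib_t exempts a library from the execmod restriction, each new match should be a library known to need text relocations rather than a prefix wildcard.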
@@ -38100,7 +38204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-07-23 14:17:46.258138786 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-08-24 15:45:51.837083741 +0200 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -38117,7 +38221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. type mount_tmp_t; files_tmp_file(mount_tmp_t) -@@ -29,6 +36,19 @@ +@@ -29,6 +36,17 @@ # policy--duplicate type declaration type unconfined_mount_t; application_domain(unconfined_mount_t, mount_exec_t) @@ -38132,12 +38236,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +type showmount_exec_t; +application_domain(showmount_t, showmount_exec_t) +role system_r types showmount_t; -+ -+permissive showmount_t; ######################################## # -@@ -36,7 +56,11 @@ +@@ -36,7 +54,11 @@ # # setuid/setgid needed to mount cifs @@ -38150,7 +38252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_loopback_t:file read_file_perms; -@@ -47,30 +71,52 @@ +@@ -47,30 +69,52 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -38205,7 +38307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -80,15 +126,19 @@ +@@ -80,15 +124,19 @@ files_read_usr_files(mount_t) files_list_mnt(mount_t) 
@@ -38228,7 +38330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) -@@ -99,6 +149,7 @@ +@@ -99,6 +147,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -38236,7 +38338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. term_use_all_terms(mount_t) -@@ -107,6 +158,8 @@ +@@ -107,6 +156,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -38245,7 +38347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. logging_send_syslog_msg(mount_t) -@@ -117,6 +170,12 @@ +@@ -117,6 +168,12 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -38258,7 +38360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`distro_redhat',` optional_policy(` -@@ -132,10 +191,17 @@ +@@ -132,10 +189,17 @@ ') ') @@ -38276,7 +38378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -165,6 +231,8 @@ +@@ -165,6 +229,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -38285,7 +38387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -172,6 +240,25 @@ +@@ -172,6 +238,25 @@ ') optional_policy(` @@ -38311,7 +38413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +266,11 @@ +@@ -179,6 +264,11 @@ ') ') @@ -38323,7 +38425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +278,19 @@ +@@ -186,6 +276,19 @@ optional_policy(` samba_domtrans_smbmount(mount_t) 
@@ -38343,7 +38445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -194,6 +299,42 @@ +@@ -194,6 +297,42 @@ # optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 647c862..4005798 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 49%{?dist} +Release: 50%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,10 @@ exit 0 %endif %changelog +* Tue Aug 24 2010 Miroslav Grepl 3.7.19-50 +- Fixes for boinc policy +- Fixes for shorewall policy + * Fri Aug 20 2010 Miroslav Grepl 3.7.19-49 - Add label for /var/cache/rpcbind directory - Add chrome_role for xguest