From b0f36568e1627c9fbdbc98fcc84a35d6d5614bdc Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 27 2010 17:08:59 +0000 Subject: - Allow abrt_helper to getattr on all filesystems - Add label for /opt/real/RealPlayer/plugins/oggfformat\.so --- diff --git a/policy-F13.patch b/policy-F13.patch index cbac574..1c98a43 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1428,8 +1428,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl +## The Fedora hardware profiler client diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.8/policy/modules/admin/smoltclient.te --- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.te 2010-01-18 15:18:03.000000000 -0500 -@@ -0,0 +1,64 @@ ++++ serefpolicy-3.7.8/policy/modules/admin/smoltclient.te 2010-01-27 09:39:20.000000000 -0500 +@@ -0,0 +1,66 @@ +policy_module(smoltclient,1.0.0) + +######################################## @@ -1469,8 +1469,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl + +corenet_tcp_connect_http_port(smoltclient_t) + -+auth_use_nsswitch(smoltclient_t) -+ +dev_read_sysfs(smoltclient_t) + +fs_getattr_all_fs(smoltclient_t) @@ -1480,6 +1478,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl +files_read_etc_files(smoltclient_t) +files_read_usr_files(smoltclient_t) + ++auth_use_nsswitch(smoltclient_t) ++ ++logging_send_syslog_msg(smoltclient_t) ++ +miscfiles_read_localization(smoltclient_t) + +optional_policy(` 
@@ -2257,8 +2259,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.8/policy/modules/apps/gitosis.if --- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/gitosis.if 2010-01-18 15:18:03.000000000 -0500 -@@ -43,3 +43,48 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/gitosis.if 2010-01-26 09:29:35.000000000 -0500 +@@ -43,3 +43,47 @@ role $2 types gitosis_t; ') @@ -2276,8 +2278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis. +interface(`gitosis_read_var_lib',` + gen_require(` + type gitosis_var_lib_t; -+ -+') ++ ') + + files_search_var_lib($1) + read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) @@ -2340,8 +2341,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.8/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/apps/gnome.if 2010-01-21 11:05:31.000000000 -0500 -@@ -84,10 +84,207 @@ ++++ serefpolicy-3.7.8/policy/modules/apps/gnome.if 2010-01-25 12:24:02.000000000 -0500 +@@ -74,6 +74,24 @@ + + ######################################## + ## ++## Dontaudit search gnome homedir content (.config) ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++interface(`gnome_dontaudit_search_config',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ dontaudit $1 gnome_home_type:dir search_dir_perms; ++') ++ ++######################################## ++## + ## manage gnome homedir content (.config) + ## + ## +@@ -84,10 +102,207 @@ # interface(`gnome_manage_config',` gen_require(` 
@@ -5567,6 +5593,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate. # getpwnam auth_use_nsswitch(locate_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.8/policy/modules/apps/vmware.if +--- nsaserefpolicy/policy/modules/apps/vmware.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.8/policy/modules/apps/vmware.if 2010-01-25 10:36:28.000000000 -0500 +@@ -84,3 +84,22 @@ + logging_search_logs($1) + append_files_pattern($1, vmware_log_t, vmware_log_t) + ') ++ ++######################################## ++## ++## Execute vmware host executables ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vmware_exec_host',` ++ gen_require(` ++ type vmware_host_exec_t; ++ ') ++ ++ can_exec($1, vmware_host_exec_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.8/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.8/policy/modules/apps/wine.fc 2010-01-18 15:18:03.000000000 -0500 @@ -6069,7 +6121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.8/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/devices.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/devices.fc 2010-01-27 11:30:22.000000000 -0500 @@ -16,13 +16,16 @@ /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) 
@@ -6087,14 +6139,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) -@@ -100,6 +103,7 @@ - /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) +@@ -101,6 +104,7 @@ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) -+/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` + /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) @@ -159,6 +163,8 @@ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) @@ -6106,7 +6158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/devices.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/devices.if 2010-01-27 11:29:35.000000000 -0500 @@ -801,6 +801,24 @@ ######################################## 
@@ -6234,23 +6286,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Do not audit attempts to get the attributes diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.8/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/devices.te 2010-01-18 15:18:03.000000000 -0500 -@@ -227,11 +227,23 @@ - genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0) ++++ serefpolicy-3.7.8/policy/modules/kernel/devices.te 2010-01-27 11:29:16.000000000 -0500 +@@ -232,6 +232,18 @@ + type usb_device_t; + dev_node(usb_device_t) - # ++# +# usb_device_t is the type for /dev/usbmon +# +type usbmon_device_t; +dev_node(usbmon_device_t) + +# - # usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+ - # - type usb_device_t; - dev_node(usb_device_t) - -+# +# userio_device_t is the type for /dev/uio[0-9]+ +# +type userio_device_t; @@ -7709,7 +7756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # nfs_t is the default type for NFS file systems diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.8/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/kernel.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/kernel.if 2010-01-27 11:28:51.000000000 -0500 @@ -1849,7 +1849,7 @@ ') 
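Review bot: The comment carried above `type usbmon_device_t;` reads `# usb_device_t is the type for /dev/usbmon`, which names the wrong type; it is a copy of the usb_device_t comment two declarations up and should read `# usbmon_device_t is the type for /dev/usbmon`. The line is outer context in this hunk (the commit only relocates the block from the @@ -227 region to @@ -232), so the stale text is preserved rather than introduced here. The userio_device_t block just below uses the correct pattern and can serve as the model.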
@@ -10149,7 +10196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.8/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/abrt.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/abrt.te 2010-01-26 14:15:44.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10235,7 +10282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt sysnet_read_config(abrt_t) -@@ -96,22 +130,93 @@ +@@ -96,22 +130,96 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10317,9 +10364,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +files_dontaudit_all_non_security_leaks(abrt_helper_t) + +fs_list_inotifyfs(abrt_helper_t) ++fs_getattr_all_fs(abrt_helper_t) + +auth_use_nsswitch(abrt_helper_t) + ++logging_send_syslog_msg(abrt_helper_t) ++ +miscfiles_read_localization(abrt_helper_t) + +userdom_dontaudit_use_user_terminals(abrt_helper_t) 
@@ -10806,8 +10856,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav sysnet_use_ldap(amavis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.8/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/apache.fc 2010-01-18 15:18:03.000000000 -0500 -@@ -2,11 +2,15 @@ ++++ serefpolicy-3.7.8/policy/modules/services/apache.fc 2010-01-27 11:16:47.000000000 -0500 +@@ -2,12 +2,17 @@ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -10823,9 +10873,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -21,10 +25,13 @@ + /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +@@ -21,10 +26,13 @@ /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) @@ -10839,7 +10891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -32,14 +39,28 @@ +@@ -32,14 +40,28 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') 
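Review bot: The new entry `/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)` labels a directory under /etc with a read-write httpd content type, which makes it writable by httpd_t and, if that type is part of the httpdcontent attribute used by the entrypoint rule elsewhere in this patch, by the httpd script domains as well. If the frontend only reads its configuration at runtime, `httpd_sys_content_t`, the label given to /srv/www in the same hunk, is the tighter choice; if a setup step genuinely writes there, a `#` comment above the entry saying so (as the nagios.fc hunk does with `# check disk plugins`) would keep a later cleanup from silently breaking it. Which of the two applies cannot be told from this hunk.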
@@ -10868,7 +10920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -47,16 +68,21 @@ +@@ -47,16 +69,21 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -10890,7 +10942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ') -@@ -64,11 +90,33 @@ +@@ -64,11 +91,33 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -11652,7 +11704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/apache.te 2010-01-21 15:05:52.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/apache.te 2010-01-27 08:23:39.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -11955,7 +12007,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +## +gen_tunable(allow_httpd_mod_auth_pam, false) + -+tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_chkpwd(httpd_t) +') + 
@@ -11966,8 +12019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + samba_domtrans_winbind_helper(httpd_t) ') ') @@ -12095,7 +12147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac cron_system_entry(httpd_t, httpd_exec_t) ') -@@ -459,8 +617,13 @@ +@@ -459,8 +617,18 @@ ') optional_policy(` @@ -12106,12 +12158,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + avahi_dbus_chat(httpd_t) + ') +') ++ ++optional_policy(` ++ gitosis_read_var_lib(httpd_t) ++') ++ +optional_policy(` + kerberos_keytab_template(httpd, httpd_t) ') optional_policy(` -@@ -468,22 +631,19 @@ +@@ -468,22 +636,19 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) @@ -12137,7 +12194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -494,12 +654,23 @@ +@@ -494,12 +659,23 @@ ') optional_policy(` @@ -12161,7 +12218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -508,6 +679,7 @@ +@@ -508,6 +684,7 @@ ') optional_policy(` @@ -12169,7 +12226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +707,23 @@ +@@ -535,6 +712,23 @@ userdom_use_user_terminals(httpd_helper_t) @@ -12193,7 +12250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -564,20 +753,25 @@ +@@ -564,20 +758,25 @@ fs_search_auto_mountpoints(httpd_php_t) 
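Review bot: The tunable_policy block added directly under `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` still names `allow_httpd_mod_auth_pam` as its boolean, so `samba_domtrans_winbind_helper(httpd_t)` is switched by the mod_auth_pam boolean and the ntlm_winbind boolean declared just above has no rule attached to it. In effect, enabling allow_httpd_mod_auth_pam also lets httpd run the winbind helper, while enabling allow_httpd_mod_auth_ntlm_winbind does nothing. The first argument of that `tunable_policy` should be `allow_httpd_mod_auth_ntlm_winbind`. The preceding hunk (@@ -11955) moves the pam tunable into its own block with `auth_domtrans_chkpwd(httpd_t)`, which is what left this copy of the name behind.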
@@ -12225,7 +12282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -595,23 +789,24 @@ +@@ -595,23 +794,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -12254,7 +12311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -624,6 +819,7 @@ +@@ -624,6 +824,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -12262,7 +12319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -631,22 +827,31 @@ +@@ -631,22 +832,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) @@ -12301,7 +12358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,16 +877,16 @@ +@@ -672,16 +882,16 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -12322,7 +12379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +904,24 @@ +@@ -699,12 +909,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -12349,7 +12406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +929,35 @@ +@@ -712,6 +934,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') 
@@ -12385,7 +12442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +970,10 @@ +@@ -724,6 +975,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -12396,7 +12453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -735,6 +985,8 @@ +@@ -735,6 +990,8 @@ # httpd_rotatelogs local policy # @@ -12405,7 +12462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,11 +1006,88 @@ +@@ -754,11 +1011,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -12425,12 +12482,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) - ') ++') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_user_script_t) + userdom_read_user_home_content_files(httpd_suexec_t) -+') + ') + +tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',` + userdom_read_user_home_content_files(httpd_t) 
@@ -12513,7 +12570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm. xserver_domtrans(apmd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.8/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/arpwatch.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/arpwatch.te 2010-01-27 11:31:50.000000000 -0500 @@ -34,6 +34,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; allow arpwatch_t self:udp_socket create_socket_perms; @@ -12530,6 +12587,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw kernel_read_kernel_sysctls(arpwatch_t) kernel_list_proc(arpwatch_t) kernel_read_proc_symlinks(arpwatch_t) +@@ -62,6 +64,7 @@ + corenet_udp_sendrecv_all_ports(arpwatch_t) + + dev_read_sysfs(arpwatch_t) ++dev_read_usbmon_dev(arpwatch_t) + + fs_getattr_all_fs(arpwatch_t) + fs_search_auto_mountpoints(arpwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.8/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500 +++ serefpolicy-3.7.8/policy/modules/services/asterisk.if 2010-01-21 14:59:59.000000000 -0500 @@ -15723,7 +15788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.8/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/devicekit.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/devicekit.te 2010-01-27 08:37:23.000000000 -0500 
@@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) @@ -15739,7 +15804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi -allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; -+allow devicekit_disk_t self:process signal_perms; ++allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; +allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -15849,19 +15914,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ') ######################################## -@@ -139,9 +174,10 @@ +@@ -139,9 +174,11 @@ # DeviceKit-Power local policy # -allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace }; +allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; ++allow devicekit_power_t self:process getsched; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; +allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +187,7 @@ +@@ -151,6 +188,7 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) @@ -15869,7 +15935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,6 +196,7 @@ +@@ -159,6 +197,7 @@ domain_read_all_domains_state(devicekit_power_t) 
@@ -15877,7 +15943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +205,17 @@ +@@ -167,12 +206,17 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) @@ -15895,7 +15961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,6 +223,10 @@ +@@ -180,6 +224,10 @@ ') optional_policy(` @@ -15906,7 +15972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -203,17 +250,23 @@ +@@ -203,17 +251,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) @@ -16078,8 +16144,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.8/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/dovecot.te 2010-01-18 15:18:03.000000000 -0500 -@@ -73,8 +73,14 @@ ++++ serefpolicy-3.7.8/policy/modules/services/dovecot.te 2010-01-27 10:51:08.000000000 -0500 +@@ -73,14 +73,21 @@ can_exec(dovecot_t, dovecot_exec_t) 
@@ -16095,7 +16161,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -@@ -103,6 +109,7 @@ + manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) + + manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) ++manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) + manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) + files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) + +@@ -103,6 +110,7 @@ dev_read_urand(dovecot_t) fs_getattr_all_fs(dovecot_t) @@ -16103,7 +16176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove fs_search_auto_mountpoints(dovecot_t) fs_list_inotifyfs(dovecot_t) -@@ -142,6 +149,10 @@ +@@ -142,6 +150,10 @@ ') optional_policy(` @@ -16114,7 +16187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove seutil_sigchld_newrole(dovecot_t) ') -@@ -172,11 +183,6 @@ +@@ -172,11 +184,6 @@ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) @@ -16126,7 +16199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) dovecot_stream_connect_auth(dovecot_auth_t) -@@ -197,8 +203,9 @@ +@@ -197,8 +204,9 @@ files_search_pids(dovecot_auth_t) files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) @@ -16137,7 +16210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove init_rw_utmp(dovecot_auth_t) -@@ -225,6 +232,7 @@ +@@ -225,6 +233,7 @@ ') optional_policy(` 
@@ -16145,7 +16218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -234,6 +242,8 @@ +@@ -234,6 +243,8 @@ # allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; @@ -16154,7 +16227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; -@@ -263,11 +273,19 @@ +@@ -263,11 +274,19 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) tunable_policy(`use_nfs_home_dirs',` @@ -17900,7 +17973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc +term_dontaudit_use_console(memcached_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.8/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/modemmanager.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/modemmanager.te 2010-01-27 08:38:46.000000000 -0500 @@ -16,8 +16,8 @@ # # ModemManager local policy @@ -17908,7 +17981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode - -allow modemmanager_t self:process signal; +allow modemmanager_t self:capability { sys_admin sys_tty_config }; -+allow modemmanager_t self:process signal; ++allow modemmanager_t self:process { getsched signal }; allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; 
@@ -18209,7 +18282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq mysql_write_log(mysqld_safe_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.8/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nagios.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nagios.fc 2010-01-27 08:48:15.000000000 -0500 @@ -1,16 +1,85 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) @@ -18244,8 +18317,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +# check disk plugins +/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -+/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -+/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + +# system plugins +/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) 
@@ -18461,7 +18534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.8/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/nagios.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/nagios.te 2010-01-27 08:54:01.000000000 -0500 @@ -6,17 +6,23 @@ # Declarations # @@ -18571,7 +18644,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi fs_getattr_all_fs(nagios_t) fs_search_auto_mountpoints(nagios_t) -@@ -127,52 +172,59 @@ +@@ -118,61 +163,63 @@ + udev_read_db(nagios_t) + ') + +-# cjp: leaked file descriptors: +-# for open file handles +-#dontaudit system_mail_t nagios_etc_t:file read; +-#dontaudit system_mail_t nagios_log_t:fifo_file read; +- + ######################################## # # Nagios CGI local policy # 
@@ -18581,46 +18663,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi -allow nagios_cgi_t self:process signal_perms; -allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; -+allow httpd_nagios_script_t self:process signal_perms; - +- -read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++allow httpd_nagios_script_t self:process signal_perms; -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -+files_search_spool(httpd_nagios_script_t) -+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) ++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -allow nagios_cgi_t nagios_log_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) ++files_search_spool(httpd_nagios_script_t) ++rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) + +-kernel_read_system_state(nagios_cgi_t) +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) --kernel_read_system_state(nagios_cgi_t) +-corecmd_exec_bin(nagios_cgi_t) +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) --corecmd_exec_bin(nagios_cgi_t) -+kernel_read_system_state(httpd_nagios_script_t) - -domain_dontaudit_read_all_domains_state(nagios_cgi_t) 
-+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) ++kernel_read_system_state(httpd_nagios_script_t) -files_read_etc_files(nagios_cgi_t) -files_read_etc_runtime_files(nagios_cgi_t) -files_read_kernel_symbol_table(nagios_cgi_t) -+files_read_etc_runtime_files(httpd_nagios_script_t) -+files_read_kernel_symbol_table(httpd_nagios_script_t) ++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) -logging_send_syslog_msg(nagios_cgi_t) -logging_search_logs(nagios_cgi_t) -- ++files_read_etc_runtime_files(httpd_nagios_script_t) ++files_read_kernel_symbol_table(httpd_nagios_script_t) + -miscfiles_read_localization(nagios_cgi_t) - -optional_policy(` @@ -18633,15 +18715,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi # Nagios remote plugin executor local policy # -+allow nrpe_t self:capability {setuid setgid}; - dontaudit nrpe_t self:capability sys_tty_config; - allow nrpe_t self:process { setpgid signal_perms }; +-dontaudit nrpe_t self:capability sys_tty_config; +-allow nrpe_t self:process { setpgid signal_perms }; ++allow nrpe_t self:capability { setuid setgid }; ++dontaudit nrpe_t self:capability {sys_tty_config sys_resource}; ++allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; allow nrpe_t self:fifo_file rw_fifo_file_perms; +allow nrpe_t self:tcp_socket create_stream_socket_perms; ++ ++domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) -allow nrpe_t nrpe_etc_t:file read_file_perms; -+domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) -+ +read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) files_search_etc(nrpe_t) @@ -18656,7 +18740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -183,11 +235,15 @@ +@@ -183,15 +230,21 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) 
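Review bot: The nrpe_t capability line in the remote plugin executor hunk grants `setuid setgid` outright, and only the check_disk plugins leave the domain via `domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)`, so every other plugin presumably keeps executing in nrpe_t with those capabilities plus the newly added `setsched setrlimit` process permissions. If the capabilities exist only for nrpe's own switch to its service user at startup, a comment recording that (`# nrpe starts as root and drops to its service user; plugins without their own domain run here`) would make the intent auditable, and plugins that need privileges are better given a dedicated domain like the check_disk one than served by widening nrpe_t. The `dontaudit nrpe_t self:capability {sys_tty_config sys_resource}` added next to `setrlimit` suggests attempts to raise hard limits are expected and deliberately denied; naming the caller that triggers them would help whoever next meets that denial. The nrpe_t block continues past this hunk.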
@@ -18672,7 +18756,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi logging_send_syslog_msg(nrpe_t) miscfiles_read_localization(nrpe_t) -@@ -209,3 +265,84 @@ + ++mta_send_mail(nrpe_t) ++ + userdom_dontaudit_use_unpriv_user_fds(nrpe_t) + + optional_policy(` +@@ -209,3 +262,85 @@ optional_policy(` udev_read_db(nrpe_t) ') @@ -18734,6 +18824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +# + +allow nagios_system_plugin_t self:capability dac_override; ++dontaudit nagios_system_plugin_t self:capability { setuid setgid }; + +# check_log +manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) @@ -20448,8 +20539,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.7.8/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/plymouth.te 2010-01-18 15:18:03.000000000 -0500 -@@ -0,0 +1,98 @@ ++++ serefpolicy-3.7.8/policy/modules/services/plymouth.te 2010-01-27 10:37:10.000000000 -0500 +@@ -0,0 +1,101 @@ +policy_module(plymouthd, 1.0.0) + +######################################## @@ -20528,6 +20619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +allow plymouth_t self:fifo_file rw_file_perms; +allow plymouth_t self:unix_stream_socket create_stream_socket_perms; + ++kernel_read_system_state(plymouth_t) +kernel_stream_connect(plymouth_t) + +domain_use_interactive_fds(plymouth_t) @@ -20536,6 +20628,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + +miscfiles_read_localization(plymouth_t) + ++term_use_ptmx(plymouth_t) ++ +plymouth_stream_connect(plymouth_t) + +optional_policy(` 
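Review bot: `mta_send_mail(nrpe_t)` is added with no comment saying which caller inside the plugin executor needs the system mailer; nrpe itself only runs plugins on request, so this presumably serves a plugin or handler that still executes in nrpe_t rather than the daemon. If so, a comment such as `# for plugins that notify by mail; move to a plugin domain once one exists` would let a later maintainer take the permission back out of nrpe_t, which is network-facing and now also reaches the MTA. The check_disk plugins elsewhere in this patch get their own domain; anything running directly in nrpe_t inherits this grant. The nrpe_t block continues outside this hunk.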
@@ -20667,7 +20761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.8/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/policykit.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/policykit.te 2010-01-25 12:24:39.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # @@ -20700,7 +20794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli auth_use_nsswitch(policykit_t) -@@ -68,21 +73,38 @@ +@@ -68,21 +73,42 @@ miscfiles_read_localization(policykit_t) @@ -20719,6 +20813,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli + rpm_dbus_chat(policykit_t) + ') +') ++ ++optional_policy(` ++ gnome_dontaudit_search_config(policykit_t) ++') ######################################## # @@ -20743,7 +20841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -92,21 +114,25 @@ +@@ -92,21 +118,25 @@ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -20772,7 +20870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -119,6 +145,14 @@ +@@ -119,6 +149,14 @@ hal_read_state(policykit_auth_t) ') @@ -20787,7 +20885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ######################################## # # polkit_grant local policy -@@ -126,7 +160,8 @@ +@@ -126,7 +164,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; 
@@ -20797,7 +20895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -156,9 +191,12 @@ +@@ -156,9 +195,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -20811,7 +20909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -170,7 +208,8 @@ +@@ -170,7 +212,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -21706,7 +21804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. consoletype_exec(pppd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.8/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/prelude.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/prelude.te 2010-01-26 09:32:03.000000000 -0500 @@ -90,6 +90,7 @@ corenet_tcp_bind_prelude_port(prelude_t) corenet_tcp_connect_prelude_port(prelude_t) 
@@ -21715,6 +21813,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel dev_read_rand(prelude_t) dev_read_urand(prelude_t) +@@ -250,6 +251,8 @@ + files_read_etc_files(prelude_lml_t) + files_read_etc_runtime_files(prelude_lml_t) + ++fs_getattr_all_fs(prelude_lml_t) ++fs_list_inotifyfs(prelude_lml_t) + fs_rw_anon_inodefs_files(prelude_lml_t) + + auth_use_nsswitch(prelude_lml_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.8/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.7.8/policy/modules/services/procmail.te 2010-01-18 15:18:03.000000000 -0500 @@ -24623,7 +24730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp allow snmpd_t self:fifo_file rw_fifo_file_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.8/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/snort.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/snort.te 2010-01-27 11:31:24.000000000 -0500 @@ -37,6 +37,7 @@ allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; 
@@ -25707,6 +25814,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd + + allow $1 tgtd_t:sem { rw_sem_perms }; +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.8/policy/modules/services/tgtd.te +--- nsaserefpolicy/policy/modules/services/tgtd.te 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/tgtd.te 2010-01-26 08:47:40.000000000 -0500 +@@ -60,7 +60,7 @@ + + files_read_etc_files(tgtd_t) + +-storage_getattr_fixed_disk_dev(tgtd_t) ++storage_manage_fixed_disk(tgtd_t) + + logging_send_syslog_msg(tgtd_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.8/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.7.8/policy/modules/services/tor.te 2010-01-18 15:18:03.000000000 -0500 @@ -27413,7 +27532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-01-21 11:13:43.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-01-25 12:06:19.000000000 -0500 @@ -36,6 +36,13 @@ ## @@ -27785,7 +27904,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -418,14 +514,17 @@ +@@ -414,18 +510,21 @@ + dev_getattr_misc_dev(xdm_t) + dev_setattr_misc_dev(xdm_t) + dev_dontaudit_rw_misc(xdm_t) +-dev_getattr_video_dev(xdm_t) ++dev_read_video_dev(xdm_t) dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) 
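Review bot: `storage_manage_fixed_disk(tgtd_t)` replaces a getattr-only rule with the broadest fixed-disk interface, which (its body is not in this patch, but the manage_ naming convention implies it) presumably also covers creating, renaming and unlinking fixed-disk device nodes rather than just reading and writing the disk contents an iSCSI target has to export. If tgtd only needs to serve its backing block devices, the raw read/write pair this patch already uses for xenstored, `storage_raw_read_fixed_disk(tgtd_t)` and `storage_raw_write_fixed_disk(tgtd_t)`, is the narrower grant. Whichever is kept, a comment naming the feature that needs it (`# tgtd exports raw block devices as iSCSI LUNs`) would stop the next reviewer from having to rediscover why. The tgtd_t block continues outside this hunk.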
@@ -28633,13 +28757,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo # PAM local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.8/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/fstools.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/fstools.fc 2010-01-27 09:25:00.000000000 -0500 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -22,7 +21,6 @@ +@@ -19,10 +18,10 @@ + /sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + /sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) ++/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -29726,7 +29854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.8/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/ipsec.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/ipsec.te 2010-01-27 11:40:13.000000000 -0500 @@ -29,9 +29,15 @@ type ipsec_key_file_t; files_type(ipsec_key_file_t) 
@@ -29763,15 +29891,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file }) -@@ -99,6 +109,7 @@ +@@ -98,7 +108,9 @@ + corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; ++dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; allow ipsec_mgmt_t ipsec_t:process sigchld; +sysnet_domtrans_ifconfig(ipsec_t) kernel_read_kernel_sysctls(ipsec_t) kernel_list_proc(ipsec_t) -@@ -171,8 +182,9 @@ +@@ -171,8 +183,9 @@ # ipsec_mgmt Local policy # @@ -29783,7 +29913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -182,6 +194,9 @@ +@@ -182,6 +195,9 @@ allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) @@ -29793,6 +29923,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) +@@ -209,7 +225,6 @@ + # whack needs to connect to pluto + stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) + +-can_exec(ipsec_mgmt_t, ipsec_exec_t) + can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) + allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; + @@ -259,6 +274,7 @@ init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) 
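Review bot: `dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };` presumably covers a socket inherited by the management shell across `corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)`; a dontaudit only hides the denial, and the descriptor presumably stays open in the child, so the leak itself is untouched. A comment such as `# socket leaked from pluto across the shell domtrans; should be CLOEXEC upstream` would keep this from being read as a deliberate grant and point at the real fix. The ipsec_t block continues outside this hunk.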
@@ -29978,7 +30116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.8/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/libraries.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/libraries.fc 2010-01-26 15:36:44.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -30195,7 +30333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -307,10 +317,134 @@ +@@ -307,10 +317,137 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -30275,6 +30413,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar + +/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ +ifdef(`fixed',` +/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
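Review bot: The `libmp3lame` and `libmpeg2` entries are now labeled textrel_shlib_t unconditionally instead of inside the m4 `fixed` conditional (the following hunk deletes them from that block), and nothing records which package build still needs a type whose name indicates it permits text relocations for every domain that maps the library. A one-line comment above the pair (`# still built with text relocations as of <package version>; drop when fixed`) would tell the next maintainer when the label can be removed. The surrounding file-context list continues outside this hunk.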
@@ -30286,10 +30427,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -30330,6 +30469,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/real/RealPlayer/plugins/oggfformat\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.8/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.8/policy/modules/system/libraries.if 2010-01-18 15:18:03.000000000 -0500 
@@ -31071,7 +31212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.8/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/mount.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/mount.te 2010-01-25 10:51:48.000000000 -0500 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -31273,15 +31414,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +258,7 @@ +@@ -186,6 +258,11 @@ optional_policy(` samba_domtrans_smbmount(mount_t) + samba_read_config(mount_t) ++') ++ ++optional_policy(` ++ vmware_exec_host(mount_t) ') ######################################## -@@ -195,5 +268,9 @@ +@@ -195,5 +272,9 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) @@ -32318,7 +32463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.8/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/sysnetwork.te 2010-01-27 11:22:49.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; 
@@ -32341,7 +32486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process signal_perms; -allow dhcpc_t self:fifo_file rw_file_perms; -+allow dhcpc_t self:process { getcap setcap setfscreate ptrace signal_perms }; ++allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; + +allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; @@ -32367,15 +32512,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet files_etc_filetrans(dhcpc_t, net_conf_t, file) # create temp files -@@ -81,6 +88,7 @@ +@@ -80,7 +87,9 @@ + kernel_read_system_state(dhcpc_t) kernel_read_network_state(dhcpc_t) ++kernel_search_network_sysctl(dhcpc_t) kernel_read_kernel_sysctls(dhcpc_t) +kernel_request_load_module(dhcpc_t) kernel_use_fds(dhcpc_t) corecmd_exec_bin(dhcpc_t) -@@ -107,14 +115,17 @@ +@@ -107,14 +116,17 @@ # for SSP: dev_read_urand(dhcpc_t) @@ -32394,7 +32541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) -@@ -146,7 +157,7 @@ +@@ -146,7 +158,7 @@ ') optional_policy(` @@ -32403,7 +32550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -183,25 +194,23 @@ +@@ -183,25 +195,23 @@ ') optional_policy(` @@ -32437,7 +32584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -212,6 +221,7 @@ +@@ -212,6 +222,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -32445,7 +32592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -223,6 +233,10 @@ +@@ -223,6 +234,10 @@ ') optional_policy(` 
@@ -32456,7 +32603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet kernel_read_xen_state(dhcpc_t) kernel_write_xen_state(dhcpc_t) xen_append_log(dhcpc_t) -@@ -235,7 +249,6 @@ +@@ -235,7 +250,6 @@ # allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; @@ -32464,7 +32611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; -@@ -249,6 +262,8 @@ +@@ -249,6 +263,8 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; @@ -32473,7 +32620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; # for /sbin/ip -@@ -260,7 +275,9 @@ +@@ -260,7 +276,9 @@ kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) @@ -32483,7 +32630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) -@@ -269,15 +286,23 @@ +@@ -269,15 +287,23 @@ # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -32508,7 +32655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet files_dontaudit_read_root_files(ifconfig_t) -@@ -294,6 +319,8 @@ +@@ -294,6 +320,8 @@ seutil_use_runinit_fds(ifconfig_t) @@ -32517,7 +32664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -330,8 +357,22 @@ +@@ -330,8 +358,22 @@ ') optional_policy(` 
@@ -33378,7 +33525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/userdomain.if 2010-01-27 11:14:58.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -34735,23 +34882,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1686,11 +1875,12 @@ +@@ -1686,11 +1875,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` - type user_home_t; + attribute user_home_type; ++ type user_home_dir_t; ') - dontaudit $1 user_home_t:dir list_dir_perms; - dontaudit $1 user_home_t:file read_file_perms; ++ dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; + dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; ') ######################################## -@@ -1797,19 +1987,32 @@ +@@ -1797,19 +1989,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -34791,7 +34940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1844,6 +2047,7 @@ +@@ -1844,6 +2049,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -34799,7 +34948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2196,6 +2400,25 @@ +@@ -2196,6 +2402,25 @@ ######################################## ## 
@@ -34825,7 +34974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to manage users ## temporary files. ## -@@ -2276,7 +2499,7 @@ +@@ -2276,7 +2501,7 @@ ######################################## ## ## Create, read, write, and delete user @@ -34834,7 +34983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2284,19 +2507,19 @@ +@@ -2284,19 +2509,19 @@ ## ## # @@ -34857,7 +35006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2304,19 +2527,19 @@ +@@ -2304,19 +2529,19 @@ ## ## # @@ -34880,17 +35029,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2324,12 +2547,52 @@ +@@ -2324,7 +2549,47 @@ ## ## # -interface(`userdom_manage_user_tmp_sockets',` +interface(`userdom_manage_user_tmp_symlinks',` - gen_require(` - type user_tmp_t; - ') - -- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) ++ gen_require(` ++ type user_tmp_t; ++ ') ++ + manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') @@ -34927,15 +35075,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +# +interface(`userdom_manage_user_tmp_sockets',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - ') - -@@ -2391,7 +2654,7 @@ + gen_require(` + type user_tmp_t; + ') +@@ -2391,7 +2656,7 @@ ######################################## ## @@ -34944,7 +35087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2399,19 +2662,21 @@ +@@ -2399,19 +2664,21 @@ ## ## # @@ -34970,7 +35113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2419,15 +2684,14 @@ +@@ -2419,15 +2686,14 @@ ## ## # 
@@ -34990,7 +35133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2749,7 +3013,7 @@ +@@ -2749,7 +3015,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -34999,7 +35142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2765,11 +3029,33 @@ +@@ -2765,11 +3031,33 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -35035,7 +35178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2897,7 +3183,43 @@ +@@ -2897,7 +3185,43 @@ type user_tmp_t; ') @@ -35080,7 +35223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2934,6 +3256,7 @@ +@@ -2934,6 +3258,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -35088,7 +35231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3064,3 +3387,674 @@ +@@ -3064,3 +3389,674 @@ allow $1 userdomain:dbus send_msg; ') @@ -35885,7 +36028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.8/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/system/xen.te 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/system/xen.te 2010-01-25 11:49:09.000000000 -0500 @@ -85,6 +85,7 @@ type xenconsoled_t; type xenconsoled_exec_t; 
@@ -35929,16 +36072,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te ######################################## # # Xen store local policy -@@ -340,6 +348,8 @@ +@@ -340,6 +348,9 @@ files_read_usr_files(xenstored_t) +fs_search_xenfs(xenstored_t) ++fs_manage_xenfs_files(xenstored_t) + storage_raw_read_fixed_disk(xenstored_t) storage_raw_write_fixed_disk(xenstored_t) storage_raw_read_removable_device(xenstored_t) -@@ -421,7 +431,14 @@ +@@ -421,7 +432,14 @@ xen_stream_connect_xenstore(xm_t) optional_policy(` @@ -35953,7 +36097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te virt_stream_connect(xm_t) ') -@@ -438,6 +455,8 @@ +@@ -438,6 +456,8 @@ fs_manage_xenfs_dirs(xm_ssh_t) fs_manage_xenfs_files(xm_ssh_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 14757e8..eed8a7b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.8 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -459,6 +459,10 @@ exit 0 %endif %changelog +* Mon Jan 25 2010 Dan Walsh 3.7.8-3 +- Allow abrt_helper to getattr on all filesystems +- Add label for /opt/real/RealPlayer/plugins/oggfformat\.so + * Thu Jan 21 2010 Dan Walsh 3.7.8-2 - Add gstreamer_home_t for ~/.gstreamer