From bf99266050c07a40abf8a83acc52ea09cdb7ad52 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 17 2010 15:44:23 +0000 Subject: - Fix path for /var/spool/abrt Resolves: #591561 - Allow nfs_t as an entrypoint for http_sys_script_t Resolves: #580568 - Add policy for piranha Resolves: #584415 - Lots of fixes for sosreport --- diff --git a/config.tgz b/config.tgz index 27ce15b..c5b01c6 100644 Binary files a/config.tgz and b/config.tgz differ diff --git a/modules-minimum.conf b/modules-minimum.conf index ebea990..967a530 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -2113,18 +2113,18 @@ guest = module xguest = module # Layer: services -# Module: courier +# Module: cgroup # -# IMAP and POP3 email servers +# Tools and libraries to control and monitor control groups # -courier = module +cgroup = module # Layer: services -# Module: cgroup +# Module: courier # -# Tools and libraries to control and monitor control groups +# IMAP and POP3 email servers # -cgroup = module +courier = module # Layer: services # Module: denyhosts diff --git a/modules-mls.conf b/modules-mls.conf index e760232..86a4270 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1959,6 +1959,13 @@ guest = module xguest = module # Layer: services +# Module: cgroup +# +# Tools and libraries to control and monitor control groups +# +cgroup = module + +# Layer: services # Module: courier # # IMAP and POP3 email servers diff --git a/modules-targeted.conf b/modules-targeted.conf index ebea990..967a530 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf 
@@ -2113,18 +2113,18 @@ guest = module xguest = module # Layer: services -# Module: courier +# Module: cgroup # -# IMAP and POP3 email servers +# Tools and libraries to control and monitor control groups # -courier = module +cgroup = module # Layer: services -# Module: cgroup +# Module: courier # -# Tools and libraries to control and monitor control groups +# IMAP and POP3 email servers # -cgroup = module +courier = module # Layer: services # Module: denyhosts diff --git a/policy-F13.patch b/policy-F13.patch index 3fdd0e3..40ebc88 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1869,7 +1869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.19/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-05-14 10:22:31.000000000 -0400 @@ -73,12 +73,16 @@ # Enter this derived domain from the user domain domtrans_pattern($3, sudo_exec_t, $1_sudo_t) @@ -1888,10 +1888,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) -@@ -135,6 +139,9 @@ +@@ -134,7 +138,11 @@ + userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) # for some PAM modules and for cwd - userdom_dontaudit_search_user_home_content($1_sudo_t) +- userdom_dontaudit_search_user_home_content($1_sudo_t) ++ userdom_search_user_home_content($1_sudo_t) ++ userdom_search_admin_dir($1_sudo_t) + userdom_manage_all_users_keys($1_sudo_t) + + mta_role($2, $1_sudo_t) 
@@ -2159,6 +2162,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool term_use_unallocated_ttys(vbetool_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.7.19/policy/modules/admin/vpn.if +--- nsaserefpolicy/policy/modules/admin/vpn.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/admin/vpn.if 2010-05-17 09:18:33.000000000 -0400 +@@ -110,7 +110,7 @@ + ## + ## + # +-interface(`vpnc_dbus_chat',` ++interface(`vpn_dbus_chat',` + gen_require(` + type vpnc_t; + class dbus send_msg; +@@ -119,3 +119,21 @@ + allow $1 vpnc_t:dbus send_msg; + allow vpnc_t $1:dbus send_msg; + ') ++ ++######################################## ++## ++## Relabelfrom from vpnc socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vpn_relabelfrom_tun_socket',` ++ gen_require(` ++ type boot_t; ++ ') ++ ++ allow $1 vpnc_t:tun_socket relabelfrom; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.19/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2010-02-12 10:33:09.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/admin/vpn.te 2010-04-19 09:28:05.000000000 -0400 
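Review bot: The new `vpn_relabelfrom_tun_socket` interface requires `type boot_t;` but its only rule is on `vpnc_t`, so a caller that does not already pull in vpnc_t will fail to link with an undeclared type while boot_t is required for nothing; the gen_require line should read `type vpnc_t;`. The same hunk renames `vpnc_dbus_chat` to `vpn_dbus_chat`, and the only caller updated in this patch is unconfineduser.te further down; any other callers of the old name are outside this view and would break at build time.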
@@ -2388,10 +2425,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.19/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/cpufreqselector.te 2010-04-14 10:48:18.000000000 -0400 -@@ -26,7 +26,7 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/cpufreqselector.te 2010-05-17 09:08:40.000000000 -0400 +@@ -25,8 +25,10 @@ + dev_rw_sysfs(cpufreqselector_t) ++miscfiles_read_localization(cpufreqselector_t) ++ userdom_read_all_users_state(cpufreqselector_t) -userdom_dontaudit_search_user_home_dirs(cpufreqselector_t) +userdom_dontaudit_search_admin_dir(cpufreqselector_t) @@ -5282,10 +5322,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.19/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/openoffice.fc 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,3 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/openoffice.fc 2010-05-17 10:27:48.000000000 -0400 +@@ -0,0 +1,4 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) ++/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.19/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 
@@ -5818,8 +5859,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-05-11 13:32:11.000000000 -0400 -@@ -0,0 +1,293 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-05-13 13:55:29.000000000 -0400 +@@ -0,0 +1,294 @@ + +## policy for sandbox + @@ -5901,9 +5942,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + gen_require(` + attribute sandbox_domain; + attribute sandbox_file_type; ++ attribute sandbox_x_type; + ') + -+ type $1_t, sandbox_domain; ++ type $1_t, sandbox_domain, sandbox_x_type; + domain_type($1_t) + + mls_rangetrans_target($1_t) @@ -6115,8 +6157,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-05-13 11:45:38.000000000 -0400 -@@ -0,0 +1,379 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-05-13 13:55:40.000000000 -0400 +@@ -0,0 +1,385 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -6124,6 +6166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +attribute sandbox_file_type; +attribute sandbox_web_type; +attribute sandbox_tmpfs_type; ++attribute sandbox_x_type; + +######################################## +# 
@@ -6277,6 +6320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +files_search_home(sandbox_x_domain) +files_dontaudit_list_tmp(sandbox_x_domain) + ++kernel_getattr_proc(sandbox_x_domain) +kernel_read_network_state(sandbox_x_domain) +kernel_read_system_state(sandbox_x_domain) + @@ -6447,6 +6491,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') + +optional_policy(` ++ consolekit_dbus_chat(sandbox_web_type) ++') ++ ++optional_policy(` + hal_dbus_chat(sandbox_web_type) +') + @@ -7405,7 +7453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.19/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2010-05-14 14:16:38.000000000 -0400 @@ -108,6 +108,7 @@ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) 
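Review bot: `consolekit_dbus_chat(sandbox_web_type)` in the sandbox.te hunk gives every sandbox web domain a two-way D-Bus channel to ConsoleKit, a new path out of the sandbox that the commit message does not mention. A comment naming the application behaviour that needed it, and the bug it resolves, would let the next reviewer judge whether the rule is still required: `# ConsoleKit D-Bus chat needed by <application> — TODO cite bug` (placeholder). If only one direction is actually exercised, it is worth checking whether a narrower send-only rule would do.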
@@ -7414,9 +7462,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) +@@ -163,6 +164,7 @@ + + /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) + /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) ++/dev/mfpports/.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) + /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-04-30 09:01:39.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-05-17 11:06:34.000000000 -0400 @@ -934,6 +934,42 @@ ######################################## @@ -7586,7 +7642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.19/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2010-03-18 06:48:09.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/domain.if 2010-04-20 08:57:24.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/domain.if 2010-05-17 10:46:19.000000000 -0400 @@ -611,7 +611,7 @@ ######################################## 
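Review bot: The added `/dev/mfpports/.*` entry is placed inside the `/dev/usb/` group of devices.fc (between `/dev/usb/lp.*` and `/dev/usb/mdc800.*`) although the file appears to be ordered by path; it belongs with the other top-level `/dev/m...` entries so later additions can find it. The abrt.fc hunk later in this patch has the same ordering issue: `/var/spool/abrt(/.*)?` is inserted between the two `/var/cache/abrt` entries rather than after `/var/run/abrt(/.*)?`. Neither affects labeling, only maintainability.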
@@ -7693,7 +7749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.19/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2010-03-18 06:48:09.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/domain.te 2010-05-13 10:40:35.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/domain.te 2010-05-17 11:31:05.000000000 -0400 @@ -5,6 +5,21 @@ # # Declarations @@ -7786,7 +7842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -153,3 +187,76 @@ +@@ -153,3 +187,79 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -7827,6 +7883,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + rpm_inherited_fifo(domain) +') + ++optional_policy(` ++ sosreport_append_tmp_files(domain) ++') + +tunable_policy(`allow_domain_fd_use',` + # Allow all domains to use fds past to them @@ -7956,7 +8015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-05 14:44:26.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-05-12 14:48:58.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-05-17 10:59:49.000000000 -0400 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) 
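Review bot: `sosreport_append_tmp_files(domain)` grants the rule to every process type on the system, the broadest scope available, and nothing in the hunk or the commit message records why. The neighbouring domain-wide rule, `rpm_inherited_fifo(domain)`, is explicitly scoped to inherited descriptors; if the sosreport case is likewise command output redirected through an inherited fd, an interface that grants only append without open would be narrower, and if open really is needed a comment should say so, e.g. `# tools sosreport spawns append to its tmp files through inherited fds — TODO cite bug`. The enclosing domain.te rule block continues outside the hunk.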
@@ -8851,82 +8910,156 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-12 11:48:14.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-05-13 11:18:14.000000000 -0400 -@@ -567,12 +567,12 @@ ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-05-13 15:55:04.000000000 -0400 +@@ -559,7 +559,7 @@ + + ######################################## + ## +-## Mount a cgroup filesystem. ++## Delete directories on cgroupfs. + ## + ## + ## +@@ -567,18 +567,17 @@ ## ## # -interface(`fs_mount_cgroup', ` -+interface(`fs_mount_cgroupfs', ` ++interface(`fs_delete_cgroupfs_dirs', ` gen_require(` - type cgroup_t; + type cgroupfs_t; ') - allow $1 cgroup_t:filesystem mount; -+ allow $1 cgroupfs_t:filesystem mount; ++ delete_dirs_pattern($1, cgroupfs_t, cgroupfs_t) ') ######################################## -@@ -586,12 +586,12 @@ + ## +-## Remount a cgroup filesystem This allows +-## some mount options to be changed. ++## Mount a cgroup filesystem. + ## + ## + ## +@@ -586,17 +585,18 @@ ## ## # -interface(`fs_remount_cgroup', ` -+interface(`fs_remount_cgroupfs', ` ++interface(`fs_mount_cgroupfs', ` gen_require(` - type cgroup_t; + type cgroupfs_t; ') - allow $1 cgroup_t:filesystem remount; -+ allow $1 cgroupfs_t:filesystem remount; ++ allow $1 cgroupfs_t:filesystem mount; ') ######################################## -@@ -604,12 +604,12 @@ + ## +-## Unmount a cgroup file system. ++## Remount a cgroup filesystem This allows ++## some mount options to be changed. 
+ ## + ## + ## +@@ -604,70 +604,67 @@ ## ## # -interface(`fs_unmount_cgroup', ` -+interface(`fs_unmount_cgroupfs', ` ++interface(`fs_remount_cgroupfs', ` gen_require(` - type cgroup_t; + type cgroupfs_t; ') - allow $1 cgroup_t:filesystem unmount; -+ allow $1 cgroupfs_t:filesystem unmount; ++ allow $1 cgroupfs_t:filesystem remount; ') ######################################## -@@ -623,7 +623,7 @@ + ## +-## Get the attributes of a cgroup filesystem. ++## Unmount a cgroup file system. + ## + ## + ## + ## Domain allowed access. + ## ## - ## +-## # -interface(`fs_getattr_cgroup',` -+interface(`fs_getattr_cgroupfs',` ++interface(`fs_unmount_cgroupfs', ` gen_require(` - type cifs_t; +- type cifs_t; ++ type cgroupfs_t; ') -@@ -642,13 +642,13 @@ - ## + +- allow $1 cifs_t:filesystem getattr; ++ allow $1 cgroupfs_t:filesystem unmount; + ') + + ######################################## + ## +-## list dirs on cgroup +-## file systems. ++## Get the attributes of a cgroup filesystem. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## ## # -interface(`fs_list_cgroup_dirs', ` -+interface(`fs_list_cgroupfs_dirs', ` - gen_require(` +- gen_require(` - type cgroup_t; -+ type cgroupfs_t; - - ') +- +- ') ++interface(`fs_getattr_cgroupfs',` ++ gen_require(` ++ type cgroupfs_t; ++ ') - list_dirs_pattern($1, cgroup_t, cgroup_t) -+ list_dirs_pattern($1, cgroupfs_t, cgroupfs_t) ++ allow $1 cgroupfs_t:filesystem getattr; ') ######################################## -@@ -680,13 +680,13 @@ + ## +-## Do not audit attempts to read +-## dirs on a CIFS or SMB filesystem. ++## list dirs on cgroup ++## file systems. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`fs_dontaudit_list_cifs_dirs',` ++interface(`fs_list_cgroupfs_dirs', ` + gen_require(` +- type cifs_t; ++ type cgroupfs_t; + ') + +- dontaudit $1 cifs_t:dir list_dir_perms; ++ list_dirs_pattern($1, cgroupfs_t, cgroupfs_t) + ') + + ######################################## +@@ -680,13 +677,13 @@ ## ## # @@ -8943,7 +9076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -700,13 +700,13 @@ +@@ -700,13 +697,13 @@ ## ## # @@ -8960,7 +9093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -720,13 +720,13 @@ +@@ -720,13 +717,13 @@ ## ## # @@ -8977,7 +9110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -740,13 +740,13 @@ +@@ -740,13 +737,12 @@ ## ## # @@ -8985,8 +9118,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +interface(`fs_write_cgroupfs_files', ` gen_require(` - type cgroup_t; +- + type cgroupfs_t; - ') - write_files_pattern($1, cgroup_t, cgroup_t) @@ -8994,7 +9127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -760,13 +760,13 @@ +@@ -760,13 +756,52 @@ ## ## # 
@@ -9008,10 +9141,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy - rw_files_pattern($1, cgroup_t, cgroup_t) + rw_files_pattern($1, cgroupfs_t, cgroupfs_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to getattr, ++## open, read and write files on cgroup ++## file systems. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_rw_cgroupfs_files',` ++ gen_require(` ++ type cgroupfs_t; ++ ') ++ ++ dontaudit $1 cgroupfs_t:file rw_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read ++## dirs on a CIFS or SMB filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_list_cifs_dirs',` ++ gen_require(` ++ type cifs_t; ++ ') ++ ++ dontaudit $1 cifs_t:dir list_dir_perms; ') ######################################## -@@ -1141,7 +1141,7 @@ +@@ -1141,7 +1176,7 @@ type cifs_t; ') @@ -9020,7 +9192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -1404,6 +1404,25 @@ +@@ -1404,6 +1439,25 @@ domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -9046,7 +9218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ####################################### ## ## Create, read, write, and delete dirs -@@ -1899,6 +1918,7 @@ +@@ -1899,6 +1953,7 @@ ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -9054,7 +9226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2295,6 +2315,25 @@ +@@ -2295,6 +2350,25 @@ ######################################## ## @@ -9080,7 +9252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Append files ## on a NFS filesystem. ## -@@ -2349,7 +2388,7 @@ +@@ -2349,7 +2423,7 @@ type nfs_t; ') 
@@ -9089,7 +9261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2537,6 +2576,24 @@ +@@ -2537,6 +2611,24 @@ ######################################## ## @@ -9114,7 +9286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read removable storage symbolic links. ## ## -@@ -2745,7 +2802,7 @@ +@@ -2745,7 +2837,7 @@ ######################################### ## ## Create, read, write, and delete symbolic links @@ -9123,7 +9295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -3870,6 +3927,24 @@ +@@ -3870,6 +3962,24 @@ ######################################## ## @@ -9148,7 +9320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4432,6 +4507,44 @@ +@@ -4432,6 +4542,44 @@ ######################################## ## @@ -9193,7 +9365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Do not audit attempts to get the attributes ## of all files with a filesystem type. ## -@@ -4549,3 +4662,24 @@ +@@ -4549,3 +4697,24 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -9255,7 +9427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-18 06:48:09.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-05-11 09:49:46.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-05-17 11:09:27.000000000 -0400 @@ -534,6 +534,37 @@ ######################################## 
@@ -9710,6 +9882,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t -#gen_user(guest_u,, guest_r, s0, s0) +gen_user(guest_u, user, guest_r, s0, s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.7.19/policy/modules/roles/secadm.te +--- nsaserefpolicy/policy/modules/roles/secadm.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/roles/secadm.te 2010-05-14 14:44:51.000000000 -0400 +@@ -10,6 +10,8 @@ + + userdom_unpriv_user_template(secadm) + userdom_security_admin_template(secadm_t, secadm_r) ++userdom_inherit_append_admin_home_files(secadm_t) ++userdom_read_admin_home_files(secadm_t) + + ######################################## + # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.19/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-03-10 15:27:26.000000000 -0500 +++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-05-12 09:01:18.000000000 -0400 @@ -10940,7 +11124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-05-12 09:19:57.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-05-17 09:19:57.000000000 -0400 @@ -0,0 +1,435 @@ +policy_module(unconfineduser, 1.0.0) + @@ -11211,7 +11395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + ') + + optional_policy(` -+ vpnc_dbus_chat(unconfined_usertype) ++ vpn_dbus_chat(unconfined_usertype) + ') +') + 
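Review bot: `userdom_read_admin_home_files(secadm_t)` and `userdom_inherit_append_admin_home_files(secadm_t)` give the security-administrator role access to the system administrator's home content, which, as far as the interface names indicate, crosses the sysadm/secadm separation the role exists for, and the commit message does not tie it to a bug. A comment above the two lines should record the use case so it can be revisited: `# secadm_r needs admin home content for <tool> — TODO cite bug` (placeholder). The secadm.te body continues outside the hunk.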
@@ -11572,8 +11756,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. +gen_user(xguest_u, user, xguest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.19/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.fc 2010-04-14 10:48:18.000000000 -0400 -@@ -1,11 +1,17 @@ ++++ serefpolicy-3.7.19/policy/modules/services/abrt.fc 2010-05-13 15:10:21.000000000 -0400 +@@ -1,11 +1,18 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) @@ -11585,6 +11769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) /var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) ++/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) /var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0) @@ -11594,7 +11779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.19/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-05-13 10:40:09.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-05-17 11:04:12.000000000 -0400 @@ -19,6 +19,28 @@ domtrans_pattern($1, abrt_exec_t, abrt_t) ') 
@@ -11657,7 +11842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ###################################### ## ## Read abrt logs. -@@ -76,6 +124,121 @@ +@@ -76,6 +124,140 @@ read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) ') @@ -11680,6 +11865,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + read_files_pattern($1, abrt_var_run_t, abrt_var_run_t) +') + ++###################################### ++## ++## manage abrt PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_manage_pid_files',` ++ gen_require(` ++ type abrt_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ++') ++ +######################################## +## +## Connect to abrt over an unix stream socket. @@ -11781,7 +11985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-05-13 10:01:09.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-05-14 14:40:37.000000000 -0400 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) 
@@ -14522,39 +14726,202 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.19/policy/modules/services/cgroup.fc --- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/cgroup.fc 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,9 @@ -+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0) -+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0) ++++ serefpolicy-3.7.19/policy/modules/services/cgroup.fc 2010-05-13 15:55:04.000000000 -0400 +@@ -0,0 +1,12 @@ ++/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) ++ ++/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0) ++/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) + -+/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t, s0) -+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0) ++/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0) + -+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0) ++/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t,s0) ++/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) + -+/cgroup(/.*)? 
gen_context(system_u:object_r:cgroup_t, s0) ++/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.19/policy/modules/services/cgroup.if --- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/cgroup.if 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,35 @@ -+## Control group rules engine daemon. ++++ serefpolicy-3.7.19/policy/modules/services/cgroup.if 2010-05-13 15:55:04.000000000 -0400 +@@ -0,0 +1,243 @@ ++## libcg is a library that abstracts the control group file system in Linux. +## +##

-+## cgrulesengd is a daemon, which distributes processes -+## to control groups. When any process changes its -+## effective UID or GID, cgred inspects list of -+## rules loaded from cgrules.conf file and moves the -+## process to the appropriate control group. -+##

-+##

-+## The list of rules is read during the daemon startup and -+## are cached in daemons memory. The daemon reloads the -+## list of rules when it receives SIGUSR2 signal. ++## libcg aims to provide programmers easily usable APIs to use the control group file system. +##

+##
+ +######################################## +## ++## Execute a domain transition to run cgconfig. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cgroup_domtrans_cgconfigparser',` ++ gen_require(` ++ type cgconfigparser_t, cgconfigparser_exec_t; ++ ') ++ ++ domtrans_pattern($1, cgconfigparser_exec_t, cgconfigparser_t) ++ corecmd_search_bin($1) ++') ++ ++######################################## ++## ++## Execute cgconfigparser server in the ++## cgconfigparser domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cgroup_initrc_domtrans_cgconfigparser',` ++ gen_require(` ++ type cgconfig_initrc_exec_t; ++ ') ++ ++ files_search_etc($1) ++ init_labeled_script_domtrans($1, cgconfig_initrc_exec_t) ++') ++ ++######################################## ++## ++## Execute a domain transition to run cgred. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cgroup_domtrans_cgred',` ++ gen_require(` ++ type cgred_t, cgred_exec_t; ++ ') ++ ++ domtrans_pattern($1, cgred_exec_t, cgred_t) ++ corecmd_search_bin($1) ++') ++ ++######################################## ++## ++## Execute cgred server in the ++## cgred domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cgroup_initrc_domtrans_cgred',` ++ gen_require(` ++ type cgred_initrc_exec_t; ++ ') ++ ++ files_search_etc($1) ++ init_labeled_script_domtrans($1, cgred_initrc_exec_t) ++') ++ ++######################################## ++## ++## Delete cgroup directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cgroup_delete_cgroup_dirs', ` ++ gen_require(` ++ type cgroup_t; ++ ') ++ ++ delete_dirs_pattern($1, cgroup_t, cgroup_t) ++ cgroup_search_cgroup_dirs($1) ++') ++ ++######################################## ++## ++## List cgroup directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`cgroup_list_cgroup_dirs', ` ++ gen_require(` ++ type cgroup_t; ++ ') ++ ++ allow $1 cgroup_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Manage cgroup directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cgroup_manage_cgroup_dirs', ` ++ gen_require(` ++ type cgroup_t; ++ ') ++ ++ allow $1 cgroup_t:dir manage_dir_perms; ++') ++ ++######################################## ++## ++## Read and write cgroup directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cgroup_rw_cgroup_dirs', ` ++ gen_require(` ++ type cgroup_t; ++ ') ++ ++ allow $1 cgroup_t:dir rw_dir_perms; ++') ++ ++######################################## ++## ++## Search cgroup directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cgroup_search_cgroup_dirs', ` ++ gen_require(` ++ type cgroup_t; ++ ') ++ ++ allow $1 cgroup_t:dir search_dir_perms; ++') ++ ++######################################## ++## +## Read and write cgred sock file in /var/run. +## +## 
@@ -14568,18 +14935,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + type cgred_var_run_t, cgred_t; + ') + -+ files_search_pids($1) + stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) ++ files_search_pids($1) +') + ++######################################## ++## ++## All of the rules required to administrate ++## an cgroup environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`cgroup_admin',` ++ gen_require(` ++ type cgred_t, cgconfigparser_t, cgred_var_run_t; ++ type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; ++ type cgred_etc_t, cgroup_t, cgroupfs_t; ++ ') ++ ++ allow $1 cgconfigparser_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, cgconfigparser_t, cgconfigparser_t) ++ ++ allow $1 cgred_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, cgred_t, cgred_t) ++ ++ admin_pattern($1, cgroup_t) ++ admin_pattern($1, cgroupfs_t) ++ ++ files_search_etc($1) ++ admin_pattern($1, cgconfig_etc_t) ++ admin_pattern($1, cgred_etc_t) ++ ++ files_list_var($1) ++ admin_pattern($1, cgred_var_run_t) ++ ++ cgroup_initrc_domtrans_cgconfigparser($1) ++ domain_system_change_exemption($1) ++ role_transition $2 cgconfig_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ cgroup_initrc_domtrans_cgred($1) ++ role_transition $2 cgred_initrc_exec_t system_r; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.19/policy/modules/services/cgroup.te --- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/cgroup.te 2010-05-13 11:37:22.000000000 -0400 -@@ -0,0 +1,87 @@ ++++ serefpolicy-3.7.19/policy/modules/services/cgroup.te 2010-05-13 15:55:04.000000000 -0400 +@@ -0,0 +1,102 @@ ++ +policy_module(cgroup, 1.0.0) + +######################################## +# ++# cgroup 
global declarations. ++# ++ ++type cgroup_t; ++files_mountpoint(cgroup_t) ++ ++######################################## ++# +# cgred personal declarations. +# + @@ -14593,8 +15017,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +type cgred_var_run_t; +files_pid_file(cgred_var_run_t) + -+type cgroup_t; -+files_mountpoint(cgroup_t) ++type cgrules_etc_t; ++files_config_file(cgrules_etc_t) + +######################################## +# @@ -14608,8 +15032,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +type cgconfig_initrc_exec_t; +init_script_file(cgconfig_initrc_exec_t) + -+permissive cgconfigparser_t; -+permissive cgred_t; ++type cgconfig_etc_t; ++files_config_file(cgconfig_etc_t) + +######################################## +# 
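Review bot: `cgroup_admin` requires and administers `cgred_etc_t` (`admin_pattern($1, cgred_etc_t)`), but the cgroup.te hunk in this same commit declares the rules-file type as `cgrules_etc_t` (`type cgrules_etc_t; files_config_file(cgrules_etc_t)`) and `cgred_t` reads `cgrules_etc_t`, so unless `cgred_etc_t` is declared somewhere outside these hunks the first module that calls `cgroup_admin` will fail to build on the unknown type, or the admin role never reaches the rules file. Change the require and the pattern to `type cgrules_etc_t, cgroup_t, cgroupfs_t;` and `admin_pattern($1, cgrules_etc_t)`. Separately, `cgroupfs_t` appears to be a kernel-layer filesystem type rather than one this module owns, so `admin_pattern($1, cgroupfs_t)` here sidesteps the `fs_*_cgroupfs_*` interfaces the rest of this patch uses for the same object; consider going through those instead.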
@@ -14620,36 +15044,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +allow cgred_t self:netlink_socket { write bind create read }; +allow cgred_t self:unix_dgram_socket { write create connect }; + -+manage_sock_files_pattern(cgred_t, cgred_var_run_t, -+cgred_var_run_t) ++allow cgred_t cgrules_etc_t:file read_file_perms; ++ ++manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) +files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file) + -+domain_read_all_domains_state(cgred_t) ++kernel_read_system_state(cgred_t) + -+files_read_etc_files(cgred_t) ++domain_read_all_domains_state(cgred_t) + +files_search_all(cgred_t) +files_getattr_all_files(cgred_t) +files_getattr_all_dirs(cgred_t) +files_getattr_all_sockets(cgred_t) +files_getattr_all_pipes(cgred_t) -+files_getattr_all_symlinks(cgred_t) -+# read all link files. ++files_read_all_symlinks(cgred_t) + -+kernel_read_system_state(cgred_t) ++# /etc/group ++files_read_etc_files(cgred_t) ++ ++fs_write_cgroupfs_files(cgred_t) + +logging_send_syslog_msg(cgred_t) + +miscfiles_read_localization(cgred_t) + -+optional_policy(` -+ fs_write_cgroupfs_files(cgred_t) -+') -+ +######################################## +# +# cgconfig personal policy. +# ++ ++allow cgconfigparser_t self:capability { chown sys_admin }; ++ ++allow cgconfigparser_t cgconfig_etc_t:file read_file_perms; ++ +manage_dirs_pattern(cgconfigparser_t, cgroup_t, cgroup_t) +manage_files_pattern(cgconfigparser_t, cgroup_t, cgroup_t) +allow cgconfigparser_t cgroup_t:dir mounton; 
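Review bot: `allow cgconfigparser_t self:capability { chown sys_admin };` grants the broadest capability in the set with no why-comment, and the neighbouring lines do not explain it either. `sys_admin` is what mount(2) needs, which matches the `fs_mount_cgroupfs`/`fs_unmount_cgroupfs` calls in the next hunk, and `chown` is presumably for the owner/group that cgconfig.conf applies to cgroup files — confirm that. Suggest `# sys_admin: mount/umount of cgroupfs; chown: presumably ownership set from cgconfig.conf` above the rule so a later auditor can see why a config parser holds sys_admin.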
@@ -14657,12 +15085,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +kernel_list_unlabeled(cgconfigparser_t) +kernel_read_system_state(cgconfigparser_t) + ++# /etc/nsswitch.conf +files_read_etc_files(cgconfigparser_t) + +fs_manage_cgroupfs_dirs(cgconfigparser_t) ++fs_mount_cgroupfs(cgconfigparser_t) +fs_rw_cgroupfs_files(cgconfigparser_t) ++fs_unmount_cgroupfs(cgconfigparser_t) +fs_setattr_cgroupfs_files(cgconfigparser_t) -+fs_mount_cgroupfs(cgconfigparser_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.19/policy/modules/services/chronyd.if --- nsaserefpolicy/policy/modules/services/chronyd.if 2010-03-29 15:04:22.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/services/chronyd.if 2010-05-07 09:36:10.000000000 -0400 @@ -18927,7 +19357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt +/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.19/policy/modules/services/ksmtuned.te --- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-03-29 15:04:22.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te 2010-05-12 14:01:49.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te 2010-05-14 14:50:14.000000000 -0400 @@ -10,6 +10,9 @@ type ksmtuned_exec_t; init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) @@ -18953,7 +19383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt dev_rw_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) -+domain_dontaudit_getattr_all_domains(ksmtuned_t) ++domain_dontaudit_read_all_domains_state(ksmtuned_t) corecmd_exec_bin(ksmtuned_t) 
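Review bot: `domain_dontaudit_read_all_domains_state(ksmtuned_t)` is added directly under `domain_read_all_domains_state(ksmtuned_t)`, which already allows the same accesses, so on a policy without constraints on those reads the dontaudit is a no-op and reads as redundant. If the intent is to silence denials that the MLS/MCS constraints still produce for higher-level domains (an allow rule does not override constraints), say so, e.g. `# allow above; dontaudit covers denials left by MLS constraints`; otherwise drop the line. Keep in mind it also suppresses the audit trail should the allow rule later be tightened.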
@@ -20697,7 +21127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.19/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-05-11 13:37:59.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-05-17 09:28:33.000000000 -0400 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -20934,7 +21364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -179,12 +264,15 @@ +@@ -179,12 +264,16 @@ ') optional_policy(` @@ -20947,6 +21377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) + vpn_signull(NetworkManager_t) ++ vpn_relabelfrom_tun_socket(NetworkManager_t) ') ######################################## @@ -28171,7 +28602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-04-26 14:24:32.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-05-17 09:04:50.000000000 -0400 @@ -21,6 +21,7 @@ type $1_t, virt_domain; domain_type($1_t) 
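Review bot: `vpn_relabelfrom_tun_socket(NetworkManager_t)` grants only the `relabelfrom` side of a tun socket relabel, and attaching to a tun device is checked on both ends — `relabelfrom` against the device's current label and `relabelto` against the attaching domain's own label — so unless `NetworkManager_t` already holds `relabelto` on its own tun_socket (the existing `allow NetworkManager_t self:tun_socket ...` lines are outside this hunk) the attach will still be denied. Please confirm that `relabelto` rule exists, and that `vpn_relabelfrom_tun_socket` is actually defined in vpn.if, whose changes are not in this chunk of the patch. A one-line comment such as `# re-attach to the VPN's persistent tun device` would also help, since the neighbouring vpn_* calls give no hint.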
@@ -28218,7 +28649,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt optional_policy(` xserver_rw_shm($1_t) ') -@@ -192,6 +180,7 @@ +@@ -171,6 +159,7 @@ + files_search_etc($1) + read_files_pattern($1, virt_etc_t, virt_etc_t) + read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ++ read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + ') + + ######################################## +@@ -192,6 +181,7 @@ files_search_etc($1) manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) @@ -28226,7 +28665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -433,15 +422,15 @@ +@@ -433,15 +423,15 @@ ##
## # @@ -28247,7 +28686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -516,3 +505,32 @@ +@@ -516,3 +506,32 @@ virt_manage_log($1) ') @@ -28282,7 +28721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-05-13 11:15:36.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-05-14 14:29:09.000000000 -0400 @@ -36,13 +36,6 @@ ## @@ -28313,15 +28752,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type virt_etc_t; files_config_file(virt_etc_t) -@@ -74,6 +67,7 @@ +@@ -72,8 +65,12 @@ + virt_image(virt_content_t) + userdom_user_home_content(virt_content_t) ++type virt_tmp_t; ++files_tmp_file(virt_tmp_t) ++ type virt_log_t; logging_log_file(virt_log_t) +mls_trusted_object(virt_log_t) type virt_var_run_t; files_pid_file(virt_var_run_t) -@@ -90,6 +84,11 @@ +@@ -90,6 +87,11 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -28333,7 +28777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -105,10 +104,6 @@ +@@ -105,10 +107,6 @@ allow svirt_t self:udp_socket create_socket_perms; @@ -28344,7 +28788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) allow svirt_t svirt_image_t:dir search_dir_perms; -@@ -155,12 +150,9 @@ +@@ -155,12 +153,9 @@ fs_manage_cifs_files(svirt_t) ') 
@@ -28358,8 +28802,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_manage_dos_dirs(svirt_t) fs_manage_dos_files(svirt_t) ') -@@ -187,13 +179,16 @@ +@@ -185,15 +180,19 @@ + allow virtd_t self:unix_stream_socket create_stream_socket_perms; + allow virtd_t self:tcp_socket create_stream_socket_perms; allow virtd_t self:tun_socket create_socket_perms; ++allow virtd_t self:rawip_socket create_socket_perms; allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; -manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t) @@ -28378,7 +28825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -205,6 +200,7 @@ +@@ -205,9 +204,15 @@ manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -28386,7 +28833,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt allow virtd_t virt_image_type:file { relabelfrom relabelto }; allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; -@@ -252,21 +248,35 @@ ++manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) ++manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) ++files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) ++can_exec(virtd_t, virt_tmp_t) ++ + manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) + manage_files_pattern(virtd_t, virt_log_t, virt_log_t) + logging_log_filetrans(virtd_t, virt_log_t, { file dir }) +@@ -252,21 +257,35 @@ # Init script handling domain_use_interactive_fds(virtd_t) domain_read_all_domains_state(virtd_t) @@ -28425,7 +28880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt mcs_process_set_categories(virtd_t) -@@ -291,15 +301,22 @@ +@@ -291,15 +310,22 @@ logging_send_syslog_msg(virtd_t) 
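Review bot: `allow virtd_t self:rawip_socket create_socket_perms;` is added without a why-comment, and a raw IP socket lets the daemon emit arbitrary IP packets, so the reason should be recorded next to the rule. Creating one also needs `net_raw` in virtd_t's capability set, which is not visible in this hunk — check it is granted, or this rule is dead and the original denial will simply move to the capability check. Suggest `# rawip_socket: libvirt network setup/probing — confirm which code path` above the line. The virtd_t rule block continues outside this hunk.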
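Review bot: `can_exec(virtd_t, virt_tmp_t)` lets a root daemon execute files it itself creates under /tmp (`files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })` together with the manage patterns above it), which gives up the usual no-exec-from-tmp property for this domain and deserves a why-comment naming the helper libvirt writes and runs there. If that helper is a fixed script, a dedicated exec type labelled at install time would be narrower than executing anything carrying the daemon's tmp type; if it is genuinely generated at runtime, say so above the rule, e.g. `# libvirt writes and runs a helper in /tmp (see <caller>); exec of virt_tmp_t is intentional`. The virtd_t rule block continues outside this hunk.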
@@ -28448,7 +28903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -370,6 +387,7 @@ +@@ -370,6 +396,7 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -28456,7 +28911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -407,6 +425,20 @@ +@@ -407,6 +434,20 @@ allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; @@ -28477,7 +28932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -446,6 +478,10 @@ +@@ -446,6 +487,10 @@ fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -28488,7 +28943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) -@@ -462,8 +498,13 @@ +@@ -462,8 +507,13 @@ ') optional_policy(` @@ -28650,7 +29105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-05-11 11:03:17.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-05-14 14:47:24.000000000 -0400 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` 
@@ -28798,17 +29253,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X object manager xserver_object_types_template($1) -@@ -545,6 +577,9 @@ +@@ -545,6 +577,27 @@ ') domtrans_pattern($1, xauth_exec_t, xauth_t) +ifdef(`hide_broken_symptoms', ` + dontaudit xauth_t $1:socket_class_set { read write }; +') ++') ++ ++######################################## ++## ++## Dontaudit exec of Xauthority program. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_dontaudit_exec_xauth',` ++ gen_require(` ++ type xauth_exec_t; ++ ') ++ ++ dontaudit $1 xauth_exec_t:file execute; ') ######################################## -@@ -598,6 +633,7 @@ +@@ -598,6 +651,7 @@ allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -28816,7 +29289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -805,7 +841,7 @@ +@@ -805,7 +859,7 @@ ') files_search_pids($1) @@ -28825,7 +29298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -916,7 +952,7 @@ +@@ -916,7 +970,7 @@ type xserver_log_t; ') @@ -28834,7 +29307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -964,6 +1000,44 @@ +@@ -964,6 +1018,44 @@ ######################################## ## @@ -28879,7 +29352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm temporary files. ## ## -@@ -1224,9 +1298,20 @@ +@@ -1224,9 +1316,20 @@ class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; 
@@ -28900,7 +29373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1250,3 +1335,329 @@ +@@ -1250,3 +1353,329 @@ typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') @@ -29232,7 +29705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-11 10:03:21.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-17 08:29:34.000000000 -0400 @@ -36,6 +36,13 @@ ## @@ -29546,10 +30019,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -326,32 +433,52 @@ +@@ -326,32 +433,53 @@ allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) ++read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) +read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) # wdm has its own config dir /etc/X11/wdm # this is ugly, daemons should not create files under /etc! @@ -29604,7 +30078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -359,10 +486,13 @@ +@@ -359,10 +487,13 @@ # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) 
@@ -29618,7 +30092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,15 +501,21 @@ +@@ -371,15 +502,21 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -29641,7 +30115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) -@@ -394,11 +530,14 @@ +@@ -394,11 +531,14 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -29656,7 +30130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +545,7 @@ +@@ -406,6 +546,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -29664,7 +30138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +554,22 @@ +@@ -414,18 +555,22 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -29690,7 +30164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +580,17 @@ +@@ -436,9 +581,17 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -29708,7 +30182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,14 +599,19 @@ +@@ -447,14 +600,19 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -29728,7 +30202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +622,12 @@ +@@ -465,10 +623,12 @@ logging_read_generic_logs(xdm_t) @@ -29743,7 +30217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +636,11 @@ +@@ -477,6 +637,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -29755,7 +30229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -509,10 +673,12 @@ +@@ -509,10 +674,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -29768,7 +30242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +686,50 @@ +@@ -520,12 +687,50 @@ ') optional_policy(` @@ -29812,14 +30286,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` + gnome_manage_gconf_home_files(xdm_t) + gnome_read_config(xdm_t) -+ gnome_append_gconf_home_files(xdm_t) ++ gnome_read_gconf_config(xdm_t) +') + +optional_policy(` hostname_exec(xdm_t) ') -@@ -543,20 +747,59 @@ +@@ -543,20 +748,59 @@ ') optional_policy(` 
@@ -29881,7 +30355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +808,6 @@ +@@ -565,7 +809,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -29889,7 +30363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +818,10 @@ +@@ -576,6 +819,10 @@ ') optional_policy(` @@ -29900,7 +30374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +846,9 @@ +@@ -600,10 +847,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -29912,7 +30386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +860,18 @@ +@@ -615,6 +861,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -29931,7 +30405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +891,19 @@ +@@ -634,12 +892,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -29953,7 +30427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +937,6 @@ +@@ -673,7 +938,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -29961,7 +30435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +946,12 @@ +@@ -683,9 +947,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -29975,7 +30449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +966,13 @@ +@@ -700,8 +967,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -29989,7 +30463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +994,14 @@ +@@ -723,11 +995,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -30004,7 +30478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1053,24 @@ +@@ -779,12 +1054,24 @@ ') optional_policy(` @@ -30030,7 +30504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1097,7 @@ +@@ -811,7 +1098,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -30039,7 +30513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1118,14 @@ +@@ -832,9 +1119,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -30054,7 +30528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1140,14 @@ +@@ -849,11 +1141,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -30071,7 +30545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1293,33 @@ +@@ -999,3 +1294,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -30143,7 +30617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-18 10:35:11.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-04-30 08:25:24.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-05-17 10:44:07.000000000 -0400 @@ -41,7 +41,6 @@ ## # @@ -30786,7 +31260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-05-13 11:19:28.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-05-17 10:47:03.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) 
@@ -30964,19 +31438,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) -@@ -352,6 +401,11 @@ +@@ -352,6 +401,8 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) +fs_search_all(initrc_t) +fs_getattr_nfsd_files(initrc_t) -+fs_rw_cgroupfs_files(initrc_t) -+fs_setattr_cgroupfs_files(initrc_t) -+fs_manage_cgroupfs_dirs(initrc_t) # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -364,6 +418,7 @@ +@@ -364,6 +415,7 @@ mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -30984,7 +31455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -395,15 +450,16 @@ +@@ -395,15 +447,16 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -31003,7 +31474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. userdom_use_user_terminals(initrc_t) -@@ -471,7 +527,7 @@ +@@ -471,7 +524,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -31012,7 +31483,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -517,6 +573,23 @@ +@@ -495,6 +548,12 @@ + fs_read_tmpfs_symlinks(initrc_t) + fs_rw_tmpfs_chr_files(initrc_t) + ++ # /sbin/cgclear ++ fs_delete_cgroupfs_dirs(initrc_t) ++ fs_list_cgroupfs_dirs(initrc_t) ++ # w for /bin/cgcexec and rw for /sbin/cgclear ++ fs_rw_cgroupfs_files(initrc_t) ++ + storage_manage_fixed_disk(initrc_t) + storage_dev_filetrans_fixed_disk(initrc_t) + storage_getattr_removable_dev(initrc_t) +@@ -517,6 +576,24 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -31020,6 +31504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + ') + + optional_policy(` ++ cgroup_delete_cgroup_dirs(initrc_t) + cgroup_stream_connect(initrc_t) + ') + @@ -31036,7 +31521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -528,6 +601,7 @@ +@@ -528,6 +605,7 @@ optional_policy(` sysnet_rw_dhcp_config(initrc_t) sysnet_manage_config(initrc_t) @@ -31044,7 +31529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -542,6 +616,35 @@ +@@ -542,6 +620,35 @@ ') ') @@ -31080,7 +31565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -554,6 +657,8 @@ +@@ -554,6 +661,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -31089,7 +31574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -578,6 +683,11 @@ +@@ -578,6 +687,11 @@ ') optional_policy(` 
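Review bot: the comment `# w for /bin/cgcexec and rw for /sbin/cgclear` above `fs_rw_cgroupfs_files(initrc_t)` names a binary that does not appear to exist — libcgroup's tool is `cgexec`, so this is presumably a typo; suggest `# w for /bin/cgexec and rw for /sbin/cgclear`. The indented block these rules are inserted into (around `fs_rw_tmpfs_chr_files(initrc_t)`) opens outside the hunk, so it is not visible which ifdef or optional_policy guards them. Pairing `fs_delete_cgroupfs_dirs` with `fs_list_cgroupfs_dirs` under `# /sbin/cgclear` is a sensible narrowing of the `fs_manage_cgroupfs_dirs(initrc_t)` removed earlier in this patch.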
@@ -31101,7 +31586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -594,6 +704,7 @@ +@@ -594,6 +708,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -31109,7 +31594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -647,11 +758,6 @@ +@@ -647,11 +762,6 @@ ') optional_policy(` @@ -31121,7 +31606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t kerberos_use(initrc_t) ') -@@ -690,12 +796,22 @@ +@@ -690,12 +800,22 @@ ') optional_policy(` @@ -31144,7 +31629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -718,6 +834,10 @@ +@@ -718,6 +838,10 @@ ') optional_policy(` @@ -31155,7 +31640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -760,8 +880,6 @@ +@@ -760,8 +884,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -31164,7 +31649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -774,10 +892,12 @@ +@@ -774,10 +896,12 @@ squid_manage_logs(initrc_t) ') @@ -31177,7 +31662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -790,6 +910,7 @@ +@@ -790,6 +914,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -31185,7 +31670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t udev_manage_pid_files(initrc_t) ') -@@ -798,11 +919,18 @@ +@@ -798,11 +923,18 @@ ') optional_policy(` 
@@ -31205,7 +31690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -812,6 +940,25 @@ +@@ -812,6 +944,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -31231,7 +31716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -837,3 +984,34 @@ +@@ -837,3 +988,34 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -33141,7 +33626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.19/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-04-14 13:19:01.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-05-14 14:48:05.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -33232,7 +33717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -261,21 +266,17 @@ +@@ -261,25 +266,25 @@ term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -33256,7 +33741,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content(newrole_t) userdom_search_user_home_dirs(newrole_t) -@@ -313,6 +314,8 @@ + ++optional_policy(` ++ xserver_dontaudit_exec_xauth(newrole_t) ++') ++ + ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(newrole_t) +@@ -313,6 +318,8 @@ kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) 
@@ -33265,7 +33758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) -@@ -336,6 +339,8 @@ +@@ -336,6 +343,8 @@ seutil_libselinux_linked(restorecond_t) @@ -33274,7 +33767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -354,7 +359,7 @@ +@@ -354,7 +363,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -33283,7 +33776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -383,7 +388,6 @@ +@@ -383,7 +392,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) @@ -33291,7 +33784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -406,6 +410,10 @@ +@@ -406,6 +414,10 @@ ') ') @@ -33302,7 +33795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -421,61 +429,22 @@ +@@ -421,61 +433,22 @@ # semodule local policy # 
@@ -33319,17 +33812,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) -- --corecmd_exec_bin(semanage_t) -- --dev_read_urand(semanage_t) +seutil_semanage_policy(semanage_t) +allow semanage_t self:fifo_file rw_fifo_file_perms; --domain_use_interactive_fds(semanage_t) +-corecmd_exec_bin(semanage_t) +manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +-dev_read_urand(semanage_t) +- +-domain_use_interactive_fds(semanage_t) +- -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) @@ -33351,13 +33844,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) -- --logging_send_syslog_msg(semanage_t) -- --miscfiles_read_localization(semanage_t) +# Admins are creating pp files in random locations +auth_read_all_files_except_shadow(semanage_t) +-logging_send_syslog_msg(semanage_t) +- +-miscfiles_read_localization(semanage_t) +- -seutil_libselinux_linked(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) @@ -33372,7 +33865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -484,12 +453,23 @@ +@@ -484,12 +457,23 @@ files_read_var_lib_symlinks(semanage_t) ') @@ -33396,7 +33889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -499,112 +479,50 @@ +@@ -499,112 +483,50 @@ userdom_read_user_tmp_files(semanage_t) ') 
@@ -33560,8 +34053,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep +/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.if serefpolicy-3.7.19/policy/modules/system/sosreport.if --- nsaserefpolicy/policy/modules/system/sosreport.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/sosreport.if 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,113 @@ ++++ serefpolicy-3.7.19/policy/modules/system/sosreport.if 2010-05-17 11:12:00.000000000 -0400 +@@ -0,0 +1,131 @@ + +## policy for sosreport + @@ -33675,10 +34168,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep + files_delete_tmp_dir_entry($1) + delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) +') ++ ++######################################## ++## ++## Append sosreport tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sosreport_append_tmp_files',` ++ gen_require(` ++ type sosreport_tmp_t; ++ ') ++ ++ allow $1 sosreport_tmp_t:file append; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.7.19/policy/modules/system/sosreport.te --- nsaserefpolicy/policy/modules/system/sosreport.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/sosreport.te 2010-04-14 10:48:18.000000000 -0400 -@@ -0,0 +1,128 @@ ++++ serefpolicy-3.7.19/policy/modules/system/sosreport.te 2010-05-17 11:09:00.000000000 -0400 +@@ -0,0 +1,155 @@ + +policy_module(sosreport,1.0.0) + 
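Review bot: The new `sosreport_append_tmp_files` interface grants only `sosreport_tmp_t:file append` and, unlike the delete interface just above it that calls `files_delete_tmp_dir_entry($1)`, gives the caller no search access on /tmp or on the sosreport tmp directories; that is fine if callers inherit an already-open descriptor, but a caller opening the file by path would still be denied. If the path case is intended, add `files_search_tmp($1)` before the allow, and in either case the interface header could state which it expects, e.g. `## Append to sosreport tmp files (the descriptor is expected to be inherited).`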
@@ -33703,7 +34214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep +# sosreport local policy +# + -+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_nice sys_ptrace dac_override }; ++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override }; +allow sosreport_t self:process { setsched signull }; + +allow sosreport_t self:fifo_file rw_fifo_file_perms; @@ -33722,22 +34233,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep +manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) +fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file) + -+kernel_read_device_sysctls(sosreport_t) -+kernel_read_hotplug_sysctls(sosreport_t) -+kernel_read_kernel_sysctls(sosreport_t) -+kernel_read_modprobe_sysctls(sosreport_t) -+kernel_read_net_sysctls(sosreport_t) +kernel_read_network_state(sosreport_t) -+kernel_read_rpc_sysctls(sosreport_t) ++kernel_read_all_sysctls(sosreport_t) +kernel_read_software_raid_state(sosreport_t) -+kernel_read_unix_sysctls(sosreport_t) -+kernel_read_vm_sysctls(sosreport_t) +kernel_search_debugfs(sosreport_t) ++kernel_read_messages(sosreport_t) + +corecmd_exec_all_executables(sosreport_t) + +dev_getattr_all_chr_files(sosreport_t) +dev_getattr_all_blk_files(sosreport_t) ++dev_getattr_generic_chr_files(sosreport_t) ++dev_getattr_generic_blk_files(sosreport_t) ++dev_getattr_mtrr_dev(sosreport_t) + +dev_read_rand(sosreport_t) +dev_read_urand(sosreport_t) 
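Review bot: `sys_admin` on the rewritten `allow sosreport_t self:capability { ... }` line is the broadest capability in the set (it covers mount, quota, device and namespace administration among others), and nothing in the hunk or in the changelog entry records which sosreport operation triggered the denial. Since the later hunk of this file at `@@ -33783,14 +34297,38 @@` also adds `mount_domtrans`, `fstools_domtrans` and `dmesg_domtrans`, some of those operations now run in their own domains and the capability may no longer be needed on sosreport_t itself, so it is worth re-testing without it. If it is still required, a comment such as `# sys_admin: needed by <sosreport plugin — fill in>` above the allow line keeps the justification next to the rule. The same applies to replacing the eight `kernel_read_*_sysctls` calls with `kernel_read_all_sysctls`, which is reasonable for a diagnostics collector but deserves the same one-line note.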
@@ -33746,11 +34254,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep + +domain_getattr_all_domains(sosreport_t) +domain_read_all_domains_state(sosreport_t) ++domain_getattr_all_sockets(sosreport_t) ++domain_getattr_all_pipes(sosreport_t) ++domain_signull_all_domains(sosreport_t) + +# for blkid.tab +files_manage_etc_runtime_files(sosreport_t) +files_etc_filetrans_etc_runtime(sosreport_t, file) + ++files_getattr_all_sockets(sosreport_t) +files_exec_etc_files(sosreport_t) +files_list_all(sosreport_t) +files_read_config_files(sosreport_t) @@ -33760,8 +34272,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep +files_read_var_lib_files(sosreport_t) +files_read_var_symlinks(sosreport_t) +files_read_kernel_modules(sosreport_t) ++files_read_all_symlinks(sosreport_t) + +fs_getattr_all_fs(sosreport_t) ++fs_list_inotifyfs(sosreport_t) + +# cjp: some config files do not have configfile attribute +# sosreport needs to read various files on system @@ -33783,14 +34297,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep +sysnet_read_config(sosreport_t) + +optional_policy(` ++ abrt_manage_pid_files(sosreport_t) ++') ++ ++optional_policy(` + cups_stream_connect(sosreport_t) +') + +optional_policy(` ++ dmesg_domtrans(sosreport_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(sosreport_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(sosreport_t) ++ ++ optional_policy(` ++ hal_dbus_chat(sosreport_t) ++ ') ++') ++ ++optional_policy(` + lvm_domtrans(sosreport_t) +') + +optional_policy(` ++ mount_domtrans(sosreport_t) ++') ++ ++optional_policy(` + pulseaudio_stream_connect(sosreport_t) +') + 
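Review bot: `abrt_manage_pid_files(sosreport_t)` in the first added `optional_policy` block grants create, write and delete on abrt's pid files, which is more than a report collector that only reads abrt's state would need; if abrt.if provides a read-only pid-file interface that would be the narrower choice, otherwise a comment naming the denial that required manage access would help. `domain_signull_all_domains(sosreport_t)` and `files_read_all_symlinks(sosreport_t)` are similarly broad and, unlike the `# for blkid.tab` comment kept above `files_manage_etc_runtime_files`, carry no note on which plugin needs them. The `sosreport_t` rules continue beyond the end of the hunk.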
@@ -34923,7 +35461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-13 11:47:27.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-17 09:19:46.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -34935,7 +35473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -43,69 +44,89 @@ +@@ -43,69 +44,90 @@ term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -35054,6 +35592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + files_exec_usr_files($1_t) + + fs_list_cgroupfs_dirs($1_usertype) ++ fs_dontaudit_rw_cgroupfs_files($1_usertype) - libs_exec_ld_so($1_t) + storage_rw_fuse($1_usertype) @@ -35072,12 +35611,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +137,12 @@ +@@ -116,6 +138,16 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') + + optional_policy(` ++ cgroup_list_cgroup_dirs($1_usertype) ++ ') ++ ++ optional_policy(` + ssh_rw_stream_sockets($1_usertype) + ssh_delete_tmp($1_t) + ssh_signal($1_t) @@ -35085,7 +35628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -147,6 +174,7 @@ +@@ -147,6 +179,7 @@ interface(`userdom_ro_home_role',` gen_require(` type user_home_t, user_home_dir_t; 
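Review bot: `fs_dontaudit_rw_cgroupfs_files($1_usertype)` added under `fs_list_cgroupfs_dirs` in the hunk at `@@ -35054,6 +35592,7 @@` appears to be made a no-op by the `fs_rw_cgroupfs_files($1_usertype)` line added to the common user template in the hunk at `@@ -35367,6 +35910,7 @@` later in this file: once read/write is allowed there is no denial left to silence, assuming (as in upstream refpolicy) domains built with the common template also receive the base template's rules. Granting every unprivileged user domain write access to cgroupfs control files is also a notable widening, so one of the two lines should probably go: keep the dontaudit if the aim is only to quiet AVC noise from cgroup-aware desktop tools, or keep the allow with a comment such as `# <user program — fill in> writes cgroup control files` recording why write is required. Both templates start outside their hunks.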
@@ -35093,7 +35636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') role $1 types { user_home_t user_home_dir_t }; -@@ -157,6 +185,7 @@ +@@ -157,6 +190,7 @@ # type_member $2 user_home_dir_t:dir user_home_dir_t; @@ -35101,7 +35644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # read-only home directory allow $2 user_home_dir_t:dir list_dir_perms; -@@ -168,27 +197,6 @@ +@@ -168,27 +202,6 @@ read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -35129,7 +35672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -220,9 +228,10 @@ +@@ -220,9 +233,10 @@ interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -35141,7 +35684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -232,17 +241,21 @@ +@@ -232,17 +246,21 @@ type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -35173,7 +35716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -250,25 +263,23 @@ +@@ -250,25 +268,23 @@ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -35203,7 +35746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -303,6 +314,7 @@ +@@ -303,6 +319,7 @@ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) 
@@ -35211,7 +35754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -322,6 +334,7 @@ +@@ -322,6 +339,7 @@ ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -35219,7 +35762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($1) ') -@@ -368,46 +381,41 @@ +@@ -368,46 +386,41 @@ ####################################### ## @@ -35241,12 +35784,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - gen_require(` - type $1_t; - ') -+interface(`userdom_basic_networking',` - +- - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -+ allow $1 self:tcp_socket create_stream_socket_perms; -+ allow $1 self:udp_socket create_socket_perms; ++interface(`userdom_basic_networking',` - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) @@ -35258,7 +35799,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) -- ++ allow $1 self:tcp_socket create_stream_socket_perms; ++ allow $1 self:udp_socket create_socket_perms; + - corenet_all_recvfrom_labeled($1_t, $1_t) + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) @@ -35286,7 +35829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -438,6 +446,7 @@ +@@ -438,6 +451,7 @@ dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -35294,7 +35837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -498,7 +507,7 @@ +@@ -498,7 +512,7 @@ attribute unpriv_userdomain; ') 
@@ -35303,7 +35846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -508,71 +517,77 @@ +@@ -508,71 +522,78 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -35324,27 +35867,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) -- -- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) +- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -35367,6 +35910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + files_read_config_files($1_usertype) + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) ++ fs_rw_cgroupfs_files($1_usertype) + + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) 
@@ -35419,7 +35963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') tunable_policy(`user_ttyfile_stat',` -@@ -580,65 +595,104 @@ +@@ -580,65 +601,104 @@ ') optional_policy(` @@ -35470,37 +36014,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + devicekit_dbus_chat_power($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + ') -+ -+ optional_policy(` -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) -+ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ gnome_dbus_chat_gconfdefault($1_usertype) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ modemmanager_dbus_chat($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_var_lib_files($1_usertype) ++ modemmanager_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ vpnc_dbus_chat($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_var_lib_files($1_usertype) ++ ') ++ ++ optional_policy(` ++ vpn_dbus_chat($1_usertype) ') ') @@ -35529,20 +36073,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) ++ ') ++ ++ optional_policy(` ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) -+ ') -+ -+ optional_policy(` + nsplugin_role($1_r, $1_usertype) ') optional_policy(` -@@ -649,41 +703,50 @@ +@@ -649,41 +709,50 @@ optional_policy(` # to allow monitoring of pcmcia status 
@@ -35604,7 +36148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -711,13 +774,26 @@ +@@ -711,13 +780,26 @@ userdom_base_user_template($1) @@ -35613,12 +36157,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) -+ -+ ifelse(`$1',`unconfined',`',` -+ gen_tunable(allow_$1_exec_content, true) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable(allow_$1_exec_content, true) ++ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -35636,7 +36180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_change_password_template($1) -@@ -735,70 +811,73 @@ +@@ -735,70 +817,73 @@ allow $1_t self:context contains; @@ -35701,10 +36245,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) ++ ++ seutil_read_config($1_usertype) - seutil_read_config($1_t) -+ seutil_read_config($1_usertype) -+ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) @@ -35743,7 +36287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -830,12 +909,35 @@ +@@ -830,12 +915,35 @@ typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -35779,7 +36323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo loadkeys_run($1_t,$1_r) ') ') -@@ -871,45 +973,83 @@ +@@ -871,45 +979,83 @@ # auth_role($1_r, $1_t) 
@@ -35854,14 +36398,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + policykit_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` ++ pulseaudio_role($1_r, $1_usertype) ') optional_policy(` - java_role($1_r, $1_t) -+ pulseaudio_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` + rtkit_scheduled($1_usertype) ') @@ -35878,7 +36422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -944,7 +1084,7 @@ +@@ -944,7 +1090,7 @@ # # Inherit rules for ordinary users. @@ -35887,7 +36431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_common_user_template($1) ############################## -@@ -953,54 +1093,73 @@ +@@ -953,54 +1099,73 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -35991,7 +36535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1036,7 +1195,7 @@ +@@ -1036,7 +1201,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -36000,7 +36544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ############################## -@@ -1071,6 +1230,9 @@ +@@ -1071,6 +1236,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -36010,7 +36554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1085,6 +1247,7 @@ +@@ -1085,6 +1253,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -36018,7 +36562,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1120,6 +1283,8 @@ +@@ -1116,10 +1285,13 @@ + domain_sigchld_all_domains($1_t) + # for lsof + domain_getattr_all_sockets($1_t) ++ domain_dontaudit_getattr_all_sockets($1_t) + files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -36027,7 +36576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1139,6 +1304,7 @@ +@@ -1139,6 +1311,7 @@ logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -36035,7 +36584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1207,6 +1373,8 @@ +@@ -1207,6 +1380,8 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -36044,7 +36593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1234,6 +1402,7 @@ +@@ -1234,6 +1409,7 @@ seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -36052,7 +36601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_setfiles($1, $2) optional_policy(` -@@ -1272,11 +1441,15 @@ +@@ -1272,11 +1448,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -36068,7 +36617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1387,6 +1560,7 @@ +@@ -1387,6 +1567,7 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; 
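Review bot: `domain_dontaudit_getattr_all_sockets($1_t)` placed directly after `domain_getattr_all_sockets($1_t)` under the `# for lsof` comment in the hunk at `@@ -36018,7 +36562,12 @@` is redundant: a permission that is already allowed never generates an AVC denial, so there is nothing to dontaudit, unless the two interfaces cover different object classes in this policy. If the intent was to stop granting the access to admin domains, the allow line should be replaced rather than supplemented; otherwise the added line can be dropped. The enclosing `userdom_admin_user_template` starts outside the hunk.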
@@ -36076,7 +36625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($1) ') -@@ -1433,6 +1607,14 @@ +@@ -1433,6 +1614,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -36091,7 +36640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1448,9 +1630,11 @@ +@@ -1448,9 +1637,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -36103,7 +36652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1507,6 +1691,42 @@ +@@ -1507,6 +1698,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -36146,7 +36695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create directories in the home dir root with -@@ -1581,6 +1801,8 @@ +@@ -1581,6 +1808,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -36155,7 +36704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1595,10 +1817,12 @@ +@@ -1595,10 +1824,12 @@ # interface(`userdom_list_user_home_content',` gen_require(` @@ -36170,7 +36719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1641,6 +1865,24 @@ +@@ -1641,6 +1872,24 @@ ######################################## ## @@ -36195,7 +36744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1692,6 +1934,7 @@ +@@ -1692,6 +1941,7 @@ type user_home_dir_t, user_home_t; ') 
@@ -36203,7 +36752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1708,11 +1951,14 @@ +@@ -1708,11 +1958,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -36221,7 +36770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1802,8 +2048,7 @@ +@@ -1802,8 +2055,7 @@ type user_home_dir_t, user_home_t; ') @@ -36231,7 +36780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1819,20 +2064,14 @@ +@@ -1819,20 +2071,14 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -36256,7 +36805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## -@@ -1866,6 +2105,7 @@ +@@ -1866,6 +2112,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -36264,7 +36813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2102,6 +2342,25 @@ +@@ -2102,6 +2349,25 @@ ######################################## ## @@ -36290,7 +36839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to list user ## temporary directories. ## -@@ -2218,7 +2477,7 @@ +@@ -2218,7 +2484,7 @@ ######################################## ## @@ -36299,7 +36848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## temporary files. ## ## -@@ -2227,32 +2486,51 @@ +@@ -2227,30 +2493,49 @@ ## ## # 
@@ -36333,8 +36882,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') - read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -- allow $1 user_tmp_t:dir list_dir_perms; -- files_search_tmp($1) + dontaudit $1 user_tmp_t:file manage_file_perms; +') + @@ -36354,12 +36901,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -+ allow $1 user_tmp_t:dir list_dir_perms; -+ files_search_tmp($1) + allow $1 user_tmp_t:dir list_dir_perms; + files_search_tmp($1) ') - - ######################################## -@@ -2427,13 +2705,14 @@ +@@ -2427,13 +2712,14 @@ ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -36375,7 +36920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2454,6 +2733,24 @@ +@@ -2454,6 +2740,24 @@ ######################################## ## @@ -36400,7 +36945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Get the attributes of a user domain tty. ## ## -@@ -2747,6 +3044,25 @@ +@@ -2747,6 +3051,25 @@ ######################################## ## @@ -36426,7 +36971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Execute bin_t in the unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -2787,7 +3103,7 @@ +@@ -2787,7 +3110,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -36435,7 +36980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2803,11 +3119,13 @@ +@@ -2803,11 +3126,13 @@ # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -36451,7 +36996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2944,7 +3262,7 @@ +@@ -2944,7 +3269,7 @@ type user_tmp_t; ') @@ -36460,7 +37005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2981,6 +3299,7 @@ +@@ -2981,6 +3306,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -36468,7 +37013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3430,664 @@ +@@ -3111,3 +3437,664 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 187eed2..ae77e56 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 16%{?dist} +Release: 17%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -468,9 +468,17 @@ exit 0 %endif %changelog +* Thu May 13 2010 Dan Walsh 3.7.19-17 +- Fix path for /var/spool/abrt +Resolves: #591561 +- Allow nfs_t as an entrypoint for http_sys_script_t +Resolves: #580568 +- Add policy for piranha +Resolves: #584415 +- Lots of fixes for sosreport + * Wed May 12 2010 Dan Walsh 3.7.19-16 - Allow xm_t to read network state and get and set capabilities -Resolves: #591561 - Allow policykit to getattr all processes - Allow denyhosts to connect to tcp port 9911 - Allow pyranha to use raw ip sockets and ptrace itself