From c3c4a525c2018fb711a80271594539001c7430a0 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 06 2008 12:06:47 +0000 Subject: - --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 3a21ba8..5786485 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2662,16 +2662,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ####################################### diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-04-04 12:06:55.000000000 -0400 -@@ -28,6 +28,7 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-04-06 07:10:39.000000000 -0400 +@@ -26,8 +26,10 @@ + files_read_etc_files(tmpreaper_t) + files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) ++ # why does it need setattr? files_setattr_all_tmp_dirs(tmpreaper_t) +files_dontaudit_getattr_lost_found_dirs(tmpreaper_t) mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -42,6 +43,22 @@ +@@ -42,6 +44,22 @@ cron_system_entry(tmpreaper_t,tmpreaper_exec_t) @@ -3644,8 +3647,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.3.1/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/gpg.te 2008-04-04 12:06:55.000000000 -0400 -@@ -7,15 +7,229 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/gpg.te 2008-04-05 08:04:41.000000000 -0400 +@@ -7,15 +7,230 @@ # # Type for gpg or pgp executables. 
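Review bot: The new `# why does it need setattr?` line in the tmpreaper.te hunk commits an open question as a comment while leaving `files_setattr_all_tmp_dirs(tmpreaper_t)` in force, so a reader cannot tell whether the setattr grant is required or an oversight. Either record the denial that motivated it, e.g. `# setattr on tmp dirs: needed by tmpreaper to <reason — TODO confirm>`, or drop the interface call if a run without it stays clean. The same hunk adds `files_dontaudit_getattr_lost_found_dirs(tmpreaper_t)`, which is harmless but would benefit from the same one-line justification.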
@@ -3693,6 +3696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +manage_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t) +manage_lnk_files_pattern(gpg_t,user_gpg_secret_t,user_gpg_secret_t) +allow gpg_t user_gpg_secret_t:dir create_dir_perms; ++userdom_user_home_dir_filetrans_user_home_content(user, gpg_t, file) +userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir) +userdom_manage_user_home_content_files(user,gpg_t) +userdom_manage_user_tmp_files(user,gpg_t) @@ -5464,8 +5468,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-05 07:52:00.000000000 -0400 -@@ -0,0 +1,186 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-06 06:06:06.000000000 -0400 +@@ -0,0 +1,187 @@ + +policy_module(nsplugin,1.0.0) + @@ -5577,6 +5581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +userdom_tmp_filetrans_user_tmp(user,nsplugin_t, { file dir sock_file }) +userdom_read_user_tmpfs_files(user,nsplugin_t) + ++userdom_read_user_home_content_symlinks(user, nsplugin_t) +userdom_read_user_home_content_files(user, nsplugin_t) +userdom_read_user_tmp_files(user, nsplugin_t) +userdom_write_user_tmp_sockets(user, nsplugin_t) 
@@ -6632,8 +6637,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-04-04 12:06:55.000000000 -0400 -@@ -82,6 +82,7 @@ ++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-04-05 15:02:25.000000000 -0400 +@@ -75,6 +75,7 @@ + network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) + network_port(apcupsd, tcp,3551,s0, udp,3551,s0) + network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0) ++network_port(audit, tcp,60,s0) + network_port(auth, tcp,113,s0) + network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) + type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict +@@ -82,6 +83,7 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) network_port(comsat, udp,512,s0) @@ -6641,7 +6654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dbskkd, tcp,1178,s0) -@@ -91,6 +92,7 @@ +@@ -91,6 +93,7 @@ network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) network_port(fingerd, tcp,79,s0) 
@@ -6649,7 +6662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ftp_data, tcp,20,s0) network_port(ftp, tcp,21,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -109,6 +111,7 @@ +@@ -109,6 +112,7 @@ network_port(ircd, tcp,6667,s0) network_port(isakmp, udp,500,s0) network_port(iscsi, tcp,3260,s0) @@ -6657,7 +6670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -@@ -122,6 +125,8 @@ +@@ -122,6 +126,8 @@ network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) @@ -6666,7 +6679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -133,10 +138,12 @@ +@@ -133,10 +139,12 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(postfix_policyd, tcp,10031,s0) @@ -6679,7 +6692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -148,11 +155,11 @@ +@@ -148,11 +156,11 @@ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) 
@@ -6693,7 +6706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) network_port(spamd, tcp,783,s0) -@@ -170,7 +177,12 @@ +@@ -170,7 +178,12 @@ network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -7217,7 +7230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device type lvm_control_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-12-19 05:32:07.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-04-05 06:32:29.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-04-05 15:31:46.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -7240,15 +7253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # create child processes in the domain allow domain self:process { fork sigchld }; -@@ -96,6 +104,7 @@ - - # list the root directory - files_list_root(domain) -+files_getattr_all_dirs(domain) - - tunable_policy(`global_ssp',` - # enable reading of urandom for all domains: -@@ -140,7 +149,7 @@ +@@ -140,7 +148,7 @@ # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; @@ -7257,7 +7262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -148,3 +157,30 @@ +@@ -148,3 +156,31 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) 
@@ -7265,6 +7270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +tunable_policy(`allow_domain_fd_use',` + # Allow all domains to use fds past to them + allow domain domain:fd use; ++ files_getattr_all_dirs(domain) +') + +optional_policy(` @@ -7290,7 +7296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +dontaudit can_change_object_identity can_change_object_identity:key link; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-04-06 06:52:30.000000000 -0400 @@ -1266,6 +1266,24 @@ ######################################## @@ -7391,7 +7397,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create, read, write, and delete symbolic links in /mnt. ## ## -@@ -4712,12 +4791,14 @@ +@@ -3357,6 +3436,8 @@ + delete_lnk_files_pattern($1,tmpfile,tmpfile) + delete_fifo_files_pattern($1,tmpfile,tmpfile) + delete_sock_files_pattern($1,tmpfile,tmpfile) ++ files_delete_isid_type_dirs($1) ++ files_delete_isid_type_files($1) + ') + + ######################################## +@@ -4712,12 +4793,14 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -7407,7 +7422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -4756,3 +4837,54 @@ +@@ -4756,3 +4839,54 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') 
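Review bot: `files_getattr_all_dirs(domain)` is now placed inside the `allow_domain_fd_use` tunable block, so a boolean whose name and inline comment describe fd passing also silently controls directory getattr for every domain; the previous hunk removes the unconditional grant, so this is a behaviour change on systems with that boolean off. If the getattr is needed for passed fds to be usable, say so next to it, e.g. `# getattr on all dirs so inherited fds can be resolved (TODO confirm)`; otherwise give it its own tunable or restore the unconditional rule. The `tunable_policy` block is fully visible here, but the tunable's declaration and description text are outside the hunk and should be updated to match whatever is decided.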
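Review bot: The two added calls `files_delete_isid_type_dirs($1)` and `files_delete_isid_type_files($1)` in the files.if hunk extend an interface that otherwise only deletes objects carrying the `tmpfile` attribute, so every existing caller now also gains delete on default-labelled (initial SID) dirs and files wherever they live, not only under tmp. That widening may be what the tmpreaper change in this commit needs, but it should be stated in the interface's header comment, which is outside the hunk, and ideally confined to callers that actually purge tmp. If only tmpreaper needs it, calling the two interfaces from tmpreaper.te directly keeps the shared interface narrow.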
@@ -7488,7 +7503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-04-06 07:10:46.000000000 -0400 @@ -310,6 +310,25 @@ ######################################## @@ -7515,7 +7530,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Mount an automount pseudo filesystem. ## ## -@@ -1171,6 +1190,25 @@ +@@ -737,6 +756,7 @@ + attribute noxattrfs; + ') + ++ list_dirs_pattern($1,noxattrfs,noxattrfs) + read_files_pattern($1,noxattrfs,noxattrfs) + ') + +@@ -1171,6 +1191,25 @@ ######################################## ## @@ -7541,7 +7564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Create, read, write, and delete files ## on a DOS filesystem. ## -@@ -1625,7 +1663,7 @@ +@@ -1625,7 +1664,7 @@ type nfs_t; ') @@ -7550,7 +7573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2903,6 +2941,7 @@ +@@ -2903,6 +2942,7 @@ type tmpfs_t; ') @@ -7558,7 +7581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy dontaudit $1 tmpfs_t:file rw_file_perms; ') -@@ -3039,6 +3078,25 @@ +@@ -3039,6 +3079,25 @@ ######################################## ## @@ -7584,7 +7607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel block nodes on tmpfs filesystems. ## ## -@@ -3224,6 +3282,7 @@ +@@ -3224,6 +3283,7 @@ ') allow $1 filesystem_type:filesystem getattr; 
@@ -7592,7 +7615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -3551,3 +3610,123 @@ +@@ -3551,3 +3611,123 @@ relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) ') @@ -10872,7 +10895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-04-05 11:51:54.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -10958,7 +10981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons optional_policy(` + polkit_domtrans_auth(consolekit_t) -+ polkit_search_lib(consolekit_t) ++ polkit_read_lib(consolekit_t) +') + +optional_policy(` 
@@ -14354,6 +14377,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc + files_list_pids($1) + manage_all_pattern($1,fetchmail_var_run_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.3.1/policy/modules/services/fetchmail.te +--- nsaserefpolicy/policy/modules/services/fetchmail.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/fetchmail.te 2008-04-06 06:16:45.000000000 -0400 +@@ -90,6 +90,10 @@ + ') + + optional_policy(` ++ sendmail_manage_log(fetchmail_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(fetchmail_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.3.1/policy/modules/services/ftp.fc --- nsaserefpolicy/policy/modules/services/ftp.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/ftp.fc 2008-04-04 12:06:55.000000000 -0400 @@ -16495,7 +16532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-04-06 05:33:44.000000000 -0400 @@ -25,26 +25,33 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) @@ -16546,7 +16583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni corenet_all_recvfrom_unlabeled(munin_t) corenet_all_recvfrom_netlabel(munin_t) -@@ -73,27 +82,36 @@ +@@ -73,27 +82,37 @@ corenet_udp_sendrecv_all_nodes(munin_t) corenet_tcp_sendrecv_all_ports(munin_t) corenet_udp_sendrecv_all_ports(munin_t) 
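Review bot: `sendmail_manage_log(fetchmail_t)` in the fetchmail.te hunk gives a network-facing mail client manage rights over the MTA's log type, which, if the interface follows the usual manage pattern, includes truncating, renaming and deleting the log rather than only appending to it. If fetchmail only needs to write its own entries, an append-only or write-only interface from sendmail.if would preserve log integrity; the sendmail.if hunk in this commit is cut off, so I cannot confirm one exists. At minimum a comment naming the observed denial next to the call would document why the broad grant was chosen.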
@@ -16581,10 +16618,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni -sysnet_read_config(munin_t) +sysnet_exec_ifconfig(munin_t) ++netutils_domtrans_ping(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_sysadm_home_dirs(munin_t) -@@ -108,7 +126,21 @@ +@@ -108,7 +127,21 @@ ') optional_policy(` @@ -16607,7 +16645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -118,3 +150,9 @@ +@@ -118,3 +151,9 @@ optional_policy(` udev_read_db(munin_t) ') @@ -17020,7 +17058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-04-05 15:04:32.000000000 -0400 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) @@ -17066,8 +17104,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw mls_file_read_all_levels(NetworkManager_t) -@@ -86,6 +94,8 @@ +@@ -84,8 +92,11 @@ + files_read_usr_files(NetworkManager_t) + init_read_utmp(NetworkManager_t) ++init_dontaudit_write_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) +auth_use_nsswitch(NetworkManager_t) @@ -17075,7 +17116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -129,21 +139,21 @@ +@@ -129,21 +140,21 @@ ') optional_policy(` 
@@ -17102,7 +17143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -155,19 +165,20 @@ +@@ -155,19 +166,20 @@ ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) @@ -18002,7 +18043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.3.1/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/polkit.if 2008-04-05 11:55:13.000000000 -0400 @@ -0,0 +1,189 @@ + +## policy for polkit_auth @@ -19220,8 +19261,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-04-04 12:06:55.000000000 -0400 -@@ -0,0 +1,162 @@ ++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-04-05 14:48:36.000000000 -0400 +@@ -0,0 +1,160 @@ +policy_module(prelude,1.0.0) + +######################################## @@ -19363,8 +19404,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +corenet_tcp_bind_all_nodes(audisp_prelude_t) +corenet_tcp_connect_prelude_port(audisp_prelude_t) + -+allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms; -+ +######################################## +# +# prewikka_cgi Declarations 
@@ -21132,7 +21171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-02-19 17:24:26.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-04-04 16:10:10.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-04-06 07:25:37.000000000 -0400 @@ -59,6 +59,13 @@ ## gen_tunable(samba_share_nfs,false) @@ -21406,20 +21445,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -774,6 +840,12 @@ +@@ -774,6 +840,14 @@ # optional_policy(` + type samba_unconfined_net_t; + domain_type(samba_unconfined_net_t) + unconfined_domain(samba_unconfined_net_t) ++ role system_r types samba_unconfined_net_t; ++ + manage_files_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t) + filetrans_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t,file) + type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -790,3 +862,40 @@ +@@ -790,3 +864,40 @@ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ') ') @@ -21552,7 +21593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.3.1/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/sendmail.if 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/sendmail.if 2008-04-06 06:16:17.000000000 -0400 @@ -149,3 +149,85 @@ logging_log_filetrans($1,sendmail_log_t,file) 
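Review bot: `role system_r types samba_unconfined_net_t;` makes the unconfined `samba_unconfined_net_t` domain reachable from the system role, but nothing in this hunk says which executable or which tunable selects it over the confined samba domains. Since `unconfined_domain()` removes all confinement, the optional_policy block should carry a comment such as `# unconfined net helper: selected by <tunable — TODO document>` so the widening is deliberate and discoverable. The optional_policy block opens inside the hunk, but any transition rules into this domain are outside it.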
@@ -25465,7 +25506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-06 06:54:26.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -25702,7 +25743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -208,8 +328,8 @@ +@@ -208,14 +328,15 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -25713,7 +25754,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) -@@ -226,9 +346,12 @@ + domain_use_interactive_fds(xdm_t) + # Do not audit denied probes of /proc. + domain_dontaudit_read_all_domains_state(xdm_t) ++domain_dontaudit_ptrace_all_domains_state(xdm_t) + + files_read_etc_files(xdm_t) + files_read_var_files(xdm_t) +@@ -226,9 +347,12 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -25726,7 +25774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -237,6 +360,7 @@ +@@ -237,6 +361,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
@@ -25734,7 +25782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -245,6 +369,7 @@ +@@ -245,6 +370,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -25742,17 +25790,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -256,22 +381,28 @@ +@@ -256,22 +382,28 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) +logging_send_audit_msgs(xdm_t) miscfiles_read_localization(xdm_t) - miscfiles_read_fonts(xdm_t) - --sysnet_read_config(xdm_t) +-miscfiles_read_fonts(xdm_t) - +-sysnet_read_config(xdm_t) ++miscfiles_manage_fonts(xdm_t) + userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_create_all_users_keys(xdm_t) @@ -25773,7 +25822,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -301,10 +432,15 @@ +@@ -297,14 +429,20 @@ + # xserver_rw_session_template(xdm,unpriv_userdomain) + # dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write }; + # allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms; ++ userdom_dontaudit_write_sysadm_home_dirs(xdm_t) + ') optional_policy(` alsa_domtrans(xdm_t) @@ -25790,7 +25844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -312,6 +448,23 @@ +@@ -312,6 +450,23 @@ ') optional_policy(` @@ -25814,7 +25868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -322,6 +475,10 @@ +@@ -322,6 +477,10 @@ ') optional_policy(` 
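Review bot: `miscfiles_manage_fonts(xdm_t)` replaces `miscfiles_read_fonts(xdm_t)` in the xserver.te hunk, so the display manager goes from reading system fonts to creating, writing and deleting them, turning a read denial into a write path over a shared system type. If the need is only a font cache under the fonts directory, a narrower rule or a dedicated cache type would keep the font files themselves read-only for xdm; if full manage really is required, add a comment with the denial that motivated it, e.g. `# manage_fonts: xdm rewrites <what — TODO confirm>`. The `xdm_t` rule block continues outside the hunk.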
@@ -25825,7 +25879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -335,6 +492,11 @@ +@@ -335,6 +494,11 @@ ') optional_policy(` @@ -25837,7 +25891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -343,8 +505,8 @@ +@@ -343,8 +507,8 @@ ') optional_policy(` @@ -25847,7 +25901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +542,7 @@ +@@ -380,7 +544,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -25856,7 +25910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +554,15 @@ +@@ -392,6 +556,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -25872,7 +25926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,9 +575,17 @@ +@@ -404,9 +577,17 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -25890,7 +25944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -420,6 +599,22 @@ +@@ -420,6 +601,22 @@ ') optional_policy(` @@ -25913,7 +25967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +624,139 @@ +@@ -429,47 +626,139 @@ ') optional_policy(` 
@@ -27024,7 +27078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-04-06 06:35:10.000000000 -0400 @@ -10,6 +10,20 @@ # Declarations # @@ -27314,6 +27368,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t zebra_read_config(initrc_t) ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.3.1/policy/modules/system/iptables.te +--- nsaserefpolicy/policy/modules/system/iptables.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-04-06 05:52:40.000000000 -0400 +@@ -48,6 +48,7 @@ + + fs_getattr_xattr_fs(iptables_t) + fs_search_auto_mountpoints(iptables_t) ++fs_list_inotifyfs(iptables_t) + + mls_file_read_all_levels(iptables_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2008-02-18 14:30:18.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-04-04 12:06:56.000000000 -0400 
@@ -27327,8 +27392,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-04-05 07:22:08.000000000 -0400 -@@ -133,6 +133,7 @@ ++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-04-05 08:09:49.000000000 -0400 +@@ -69,8 +69,10 @@ + ifdef(`distro_gentoo',` + # despite the extensions, they are actually libs + /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) ++/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) + /opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0) + /opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) ++/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) + + /opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) + /opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -133,6 +135,7 @@ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
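Review bot: Both new file-context entries, `/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api` and `/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il]`, are inserted inside the distro_gentoo ifdef block that opens this hunk, so they only take effect on Gentoo builds. If the `/opt/Adobe/Reader` path is meant for this distribution's package, the entry belongs outside the ifdef. Note also that they label the plugins `lib_t`, whereas the existing `/usr/lib/acroread/.+\.api` entry later in the same file uses `textrel_shlib_t`; if these plugins need text relocations the two should agree.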
@@ -27336,7 +27412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -165,6 +166,7 @@ +@@ -165,6 +168,7 @@ # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27344,7 +27420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -183,6 +185,7 @@ +@@ -183,6 +187,7 @@ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27352,7 +27428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -242,7 +245,7 @@ +@@ -242,7 +247,7 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -27361,7 +27437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -287,11 +290,15 @@ +@@ -287,11 +292,15 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27377,7 +27453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -304,3 +311,11 @@ +@@ -304,3 +313,11 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -27391,7 +27467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.3.1/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/libraries.te 2008-04-05 07:34:59.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/libraries.te 2008-04-06 06:36:11.000000000 -0400 @@ -23,6 +23,9 @@ init_system_domain(ldconfig_t,ldconfig_exec_t) role system_r types ldconfig_t; 
@@ -27428,7 +27504,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_search_tmp(ldconfig_t) -@@ -86,6 +94,10 @@ +@@ -70,6 +78,7 @@ + files_delete_etc_files(ldconfig_t) + + init_use_script_ptys(ldconfig_t) ++init_read_script_tmp_files(ldconfig_t) + + libs_use_ld_so(ldconfig_t) + libs_use_shared_libs(ldconfig_t) +@@ -86,6 +95,10 @@ ') ') @@ -27439,7 +27523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ifdef(`hide_broken_symptoms',` optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) -@@ -102,4 +114,10 @@ +@@ -102,4 +115,10 @@ # and executes ldconfig on it. If you dont allow this kernel installs # blow up. rpm_manage_script_tmp_files(ldconfig_t) @@ -27503,16 +27587,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-04-04 12:06:56.000000000 -0400 -@@ -4,6 +4,7 @@ ++++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-04-05 15:01:37.000000000 -0400 +@@ -4,6 +4,8 @@ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) +/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) ++/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -@@ -46,7 +47,7 @@ +@@ -46,7 +48,7 @@ ') /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) 
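Review bot: The new `init_read_script_tmp_files(ldconfig_t)` grant in the ldconfig hunk (`@@ -70,6 +78,7 @@`) carries no rationale, whereas the rpm grant further down the same file keeps a comment explaining why ldconfig must touch rpm's script tmp files (kernel installs). Since this lets ldconfig read the temporary files of every init script, not one specific caller, a comment in the file's existing style naming the triggering script would let a later reviewer judge whether the grant is still needed: `# an init script hands ldconfig a temporary file to process -- TODO confirm which one`.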
@@ -27521,7 +27606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) -@@ -57,3 +58,8 @@ +@@ -57,3 +59,8 @@ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -27532,7 +27617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-05 14:44:00.000000000 -0400 @@ -213,12 +213,7 @@ ## # @@ -27758,8 +27843,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-04-04 12:06:56.000000000 -0400 -@@ -61,10 +61,24 @@ ++++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-04-05 15:23:59.000000000 -0400 +@@ -61,10 +61,29 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) 
@@ -27781,10 +27866,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +type audisp_var_run_t; +files_pid_file(audisp_var_run_t) + ++type audisp_remote_t; ++type audisp_remote_exec_t; ++domain_type(audisp_remote_t) ++domain_entry_file(audisp_remote_t, audisp_remote_exec_t) ++ ######################################## # # Auditctl local policy -@@ -84,6 +98,7 @@ +@@ -84,6 +103,7 @@ kernel_read_kernel_sysctls(auditctl_t) kernel_read_proc_symlinks(auditctl_t) @@ -27792,7 +27882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_read_all_domains_state(auditctl_t) domain_use_interactive_fds(auditctl_t) -@@ -158,9 +173,12 @@ +@@ -158,9 +178,12 @@ mls_file_read_all_levels(auditd_t) mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory @@ -27805,7 +27895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_sysadm_home_dirs(auditd_t) -@@ -171,6 +189,10 @@ +@@ -171,6 +194,10 @@ ') optional_policy(` @@ -27816,7 +27906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin seutil_sigchld_newrole(auditd_t) ') -@@ -208,6 +230,7 @@ +@@ -208,6 +235,7 @@ fs_getattr_all_fs(klogd_t) fs_search_auto_mountpoints(klogd_t) @@ -27824,7 +27914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_use_interactive_fds(klogd_t) -@@ -252,7 +275,6 @@ +@@ -252,7 +280,6 @@ dontaudit syslogd_t self:capability sys_tty_config; # setpgid for metalog allow syslogd_t self:process { signal_perms setpgid }; 
@@ -27832,7 +27922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -262,7 +284,7 @@ +@@ -262,7 +289,7 @@ allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; @@ -27841,7 +27931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; files_pid_filetrans(syslogd_t,devlog_t,sock_file) -@@ -274,6 +296,9 @@ +@@ -274,6 +301,9 @@ # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; @@ -27851,7 +27941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # manage temporary files manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) -@@ -295,6 +320,7 @@ +@@ -295,6 +325,7 @@ kernel_read_messages(syslogd_t) kernel_clear_ring_buffer(syslogd_t) kernel_change_ring_buffer_level(syslogd_t) @@ -27859,7 +27949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin dev_filetrans(syslogd_t,devlog_t,sock_file) dev_read_sysfs(syslogd_t) -@@ -327,6 +353,8 @@ +@@ -327,6 +358,8 @@ # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t) @@ -27868,7 +27958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # syslog-ng can send or receive logs corenet_sendrecv_syslogd_client_packets(syslogd_t) -@@ -339,19 +367,20 @@ +@@ -339,19 +372,20 @@ domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) 
@@ -27891,7 +27981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -@@ -380,15 +409,11 @@ +@@ -380,15 +414,11 @@ ') optional_policy(` @@ -27909,7 +27999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') optional_policy(` -@@ -399,3 +424,37 @@ +@@ -399,3 +429,64 @@ # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -27947,6 +28037,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +logging_domtrans_audisp(auditd_t) +logging_audisp_signal(auditd_t) + ++######################################## ++# ++# audisp_remote local policy ++# ++ ++logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t) ++ ++allow audisp_remote_t self:tcp_socket create_socket_perms; ++ ++corenet_all_recvfrom_unlabeled(audisp_remote_t) ++corenet_all_recvfrom_netlabel(audisp_remote_t) ++corenet_tcp_sendrecv_all_if(audisp_remote_t) ++corenet_tcp_sendrecv_all_nodes(audisp_remote_t) ++corenet_tcp_connect_audit_port(audisp_remote_t) ++ ++files_read_etc_files(audisp_remote_t) ++ ++libs_use_ld_so(audisp_remote_t) ++libs_use_shared_libs(audisp_remote_t) ++ ++logging_send_syslog_msg(audisp_remote_t) ++logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t) ++ ++miscfiles_read_localization(audisp_remote_t) ++ ++sysnet_dns_name_resolve(audisp_remote_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.3.1/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2007-12-12 11:35:28.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/lvm.fc 2008-04-04 12:06:56.000000000 -0400 
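Review bot: `logging_audisp_system_domain(audisp_remote_t, audisp_remote_exec_t)` is called twice in the new audisp_remote block, once at its top and again right after `logging_send_syslog_msg(audisp_remote_t)`; the second call is redundant and should be removed. If that interface already performs the domain setup (its definition lives in logging.if, outside this hunk), the explicit `domain_type(audisp_remote_t)` and `domain_entry_file(audisp_remote_t, audisp_remote_exec_t)` added in the earlier logging.te declarations hunk (`@@ -61,10 +61,29 @@`) would duplicate it as well and are worth confirming. The domain also gets `corenet_tcp_connect_audit_port` plus interface- and node-level sendrecv but no port-level rule; following the convention visible in the syslogd rules of this same file (`corenet_tcp_connect_syslogd_port` paired with `corenet_sendrecv_syslogd_client_packets`), it presumably needs `corenet_tcp_sendrecv_audit_port(audisp_remote_t)` and `corenet_sendrecv_audit_client_packets(audisp_remote_t)` too, otherwise remote audit forwarding is likely to stop at an AVC denial once the connection is established.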
@@ -28136,7 +28253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.3.1/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if 2008-04-06 06:44:20.000000000 -0400 @@ -489,3 +489,44 @@ manage_lnk_files_pattern($1,locale_t,locale_t) ') @@ -29616,7 +29733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-04-06 07:09:34.000000000 -0400 @@ -45,7 +45,7 @@ dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat @@ -30513,7 +30630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-05 07:57:03.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-06 07:10:40.000000000 -0400 @@ -29,9 +29,14 @@ ') 
diff --git a/selinux-policy.spec b/selinux-policy.spec index ad1a731..55439d3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 28%{?dist} +Release: 29%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -387,6 +387,9 @@ exit 0 %endif %changelog +* Sat Apr 5 2008 Dan Walsh 3.3.1-29 +- + * Fri Apr 4 2008 Dan Walsh 3.3.1-28 - Allow radvd to use fifo_file - dontaudit setfiles reading links