From d1603e3c3189256406eb35dd234721028782018d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 10 2009 21:38:24 +0000 Subject: - Dontaudit udp_socket leaks for xauth_t --- diff --git a/policy-F12.patch b/policy-F12.patch index f6f90cd..0f10fa7 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -666,8 +666,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.32/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/prelink.if 2009-12-03 13:45:10.000000000 -0500 -@@ -151,11 +151,11 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/prelink.if 2009-12-10 15:16:57.000000000 -0500 +@@ -21,6 +21,25 @@ + + ######################################## + ## ++## Execute the prelink program in the current domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prelink_exec',` ++ gen_require(` ++ type prelink_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, prelink_exec_t) ++') ++ ++######################################## ++## + ## Execute the prelink program in the prelink domain. + ## + ## +@@ -151,11 +170,11 @@ ## ## # @@ -3635,7 +3661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-12-10 16:33:27.000000000 -0500 
@@ -59,6 +59,7 @@ manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) @@ -3694,7 +3720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -@@ -231,11 +233,15 @@ +@@ -231,11 +233,20 @@ optional_policy(` dbus_system_bus_client(mozilla_t) dbus_session_bus_client(mozilla_t) @@ -3707,10 +3733,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) ++') ++ ++optional_policy(` ++ pulseaudio_exec(mozilla_t) ++ pulseaudio_stream_connect(mozilla_t) ') optional_policy(` -@@ -256,5 +262,10 @@ +@@ -256,5 +267,10 @@ ') optional_policy(` @@ -4065,7 +4096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-12-10 15:41:45.000000000 -0500 @@ -0,0 +1,295 @@ + +policy_module(nsplugin, 1.0.0) 
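Review bot: `pulseaudio_exec(mozilla_t)` in the new optional_policy block runs the pulseaudio binary inside mozilla_t rather than transitioning it to its own domain, so everything pulseaudio then does is attributed to, and permitted by, the browser's policy. If that is deliberate, a one-line comment above the block saying why (e.g. `# pulseaudio is spawned as a helper of the browser; no transition wanted — TODO confirm`) would stop a later reader from swapping it for a domain transition. The optional_policy block itself lies fully inside the hunk.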
@@ -7282,7 +7313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-05 18:26:09.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-10 10:34:27.000000000 -0500 @@ -110,6 +110,11 @@ ## # @@ -9979,8 +10010,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-09 10:12:44.000000000 -0500 -@@ -0,0 +1,449 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-10 15:25:20.000000000 -0500 +@@ -0,0 +1,450 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -10155,6 +10186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + xserver_rw_shm(unconfined_usertype) + xserver_run_xauth(unconfined_usertype, unconfined_r) ++ xserver_xdm_dbus_chat(unconfined_usertype) + ') +') + 
@@ -10843,7 +10875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-06 09:56:21.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-12-10 13:05:08.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10923,7 +10955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(abrt_t) -@@ -96,22 +124,84 @@ +@@ -96,22 +124,90 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10931,10 +10963,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# read ~/.abrt/Bugzilla.conf -userdom_read_user_home_content_files(abrt_t) +userdom_dontaudit_read_user_home_content_files(abrt_t) - - optional_policy(` -- dbus_connect_system_bus(abrt_t) -- dbus_system_bus_client(abrt_t) ++ ++optional_policy(` + dbus_system_domain(abrt_t, abrt_exec_t) +') + @@ -10952,6 +10982,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + policykit_domtrans_auth(abrt_t) + policykit_read_lib(abrt_t) + policykit_read_reload(abrt_t) ++') + + optional_policy(` +- dbus_connect_system_bus(abrt_t) +- dbus_system_bus_client(abrt_t) ++ prelink_exec(abrt_t) ++ libs_exec_ld_so(abrt_t) ++ corecmd_exec_all_executables(abrt_t) ') # to install debuginfo packages 
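Review bot: `corecmd_exec_all_executables(abrt_t)` in the new optional_policy block lets the crash-handling daemon execute every executable type on the system, a far broader grant than the `prelink_exec` and `libs_exec_ld_so` calls beside it, and nothing records why. If the intent is to let abrt run prelink and the dynamic loader against crashed binaries, say so and check whether the two narrower calls alone cover the observed denials; a comment such as `# abrt execs prelink/ld.so on the crashed binary; all_executables needed for <denial> — TODO confirm` would do. Wrapping all three calls in one `optional_policy(`` also makes the two base-module calls silently conditional on the prelink module being present, which is worth a second look as a style point.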
@@ -13919,7 +13957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-12-10 15:36:16.000000000 -0500 @@ -21,7 +21,7 @@ # consolekit local policy # @@ -13929,11 +13967,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket create_stream_socket_perms; -@@ -59,16 +59,21 @@ +@@ -59,16 +59,22 @@ term_use_all_terms(consolekit_t) auth_use_nsswitch(consolekit_t) +auth_manage_pam_console_data(consolekit_t) ++auth_dontaudit_write_login_records(consolekit_t) init_telinit(consolekit_t) init_rw_utmp(consolekit_t) @@ -13951,7 +13990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_user_tmp_files(consolekit_t) hal_ptrace(consolekit_t) -@@ -84,9 +89,12 @@ +@@ -84,9 +90,12 @@ ') optional_policy(` @@ -13965,7 +14004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hal_dbus_chat(consolekit_t) ') -@@ -100,6 +108,7 @@ +@@ -100,6 +109,7 @@ ') optional_policy(` @@ -13973,7 +14012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) policykit_read_reload(consolekit_t) -@@ -108,10 +117,21 @@ +@@ -108,10 +118,21 @@ optional_policy(` xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) 
@@ -15478,9 +15517,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(dnsmasq_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.32/policy/modules/services/dovecot.fc +--- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/dovecot.fc 2009-12-10 13:09:30.000000000 -0500 +@@ -34,6 +34,7 @@ + + /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) + ++/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0) + /var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) + + /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-12-10 13:13:04.000000000 -0500 @@ -56,7 +56,7 @@ allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; 
@@ -15490,7 +15540,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow dovecot_t self:fifo_file rw_fifo_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; -@@ -103,6 +103,7 @@ +@@ -73,8 +73,9 @@ + + can_exec(dovecot_t, dovecot_exec_t) + ++manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) + manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +-logging_log_filetrans(dovecot_t, dovecot_var_log_t, file) ++logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) + + manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) + manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +@@ -103,6 +104,7 @@ dev_read_urand(dovecot_t) fs_getattr_all_fs(dovecot_t) @@ -15498,7 +15559,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(dovecot_t) fs_list_inotifyfs(dovecot_t) -@@ -142,6 +143,10 @@ +@@ -142,6 +144,10 @@ ') optional_policy(` @@ -15509,7 +15570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(dovecot_t) ') -@@ -159,7 +164,7 @@ +@@ -159,7 +165,7 @@ # allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; @@ -15518,7 +15579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -220,15 +225,23 @@ +@@ -220,15 +226,23 @@ ') optional_policy(` 
@@ -15542,7 +15603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; -@@ -260,3 +273,14 @@ +@@ -260,3 +274,14 @@ optional_policy(` mta_manage_spool(dovecot_deliver_t) ') @@ -15644,7 +15705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_sendrecv_generic_if(fetchmail_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.32/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/fprintd.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/fprintd.te 2009-12-10 15:34:43.000000000 -0500 @@ -37,6 +37,8 @@ files_read_etc_files(fprintd_t) files_read_usr_files(fprintd_t) @@ -15654,12 +15715,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(fprintd_t) miscfiles_read_localization(fprintd_t) -@@ -51,5 +53,7 @@ +@@ -51,5 +53,8 @@ optional_policy(` policykit_read_reload(fprintd_t) policykit_read_lib(fprintd_t) + policykit_dbus_chat(fprintd_t) policykit_domtrans_auth(fprintd_t) ++ policykit_dbus_chat_auth(fprintd_t) ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te 
@@ -16423,8 +16485,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-12-03 13:45:11.000000000 -0500 -@@ -55,6 +55,9 @@ ++++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-12-10 11:28:12.000000000 -0500 +@@ -55,13 +55,16 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -16434,6 +16496,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local policy + # + + # execute openvt which needs setuid +-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; ++allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice sys_resource dac_override dac_read_search mknod sys_rawio sys_tty_config }; + dontaudit hald_t self:capability {sys_ptrace sys_tty_config }; + allow hald_t self:process { getattr signal_perms }; + allow hald_t self:fifo_file rw_fifo_file_perms; @@ -100,7 +103,9 @@ kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) 
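Review bot: The rewritten capability line for hald_t adds `sys_resource` without a comment, while the only comment on the block (`# execute openvt which needs setuid`) explains a different capability. CAP_SYS_RESOURCE lets a process raise its own resource limits and bypass several limit checks, so the denial that motivated it should be recorded, e.g. `# sys_resource: <observed denial> — TODO confirm` on the line above the allow. The surrounding dontaudit/allow lines are unchanged context inside the hunk.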
@@ -18289,10 +18359,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t) ') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.6.32/policy/modules/services/ntop.fc +--- nsaserefpolicy/policy/modules/services/ntop.fc 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/ntop.fc 2009-12-10 11:04:30.000000000 -0500 +@@ -1,7 +1,6 @@ + /etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0) + + /usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0) +-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:ntop_http_content_t,s0) + + /var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) + /var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.6.32/policy/modules/services/ntop.te --- nsaserefpolicy/policy/modules/services/ntop.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ntop.te 2009-12-03 13:45:11.000000000 -0500 -@@ -37,7 +37,9 @@ ++++ serefpolicy-3.6.32/policy/modules/services/ntop.te 2009-12-10 11:04:34.000000000 -0500 +@@ -14,9 +14,6 @@ + type ntop_etc_t; + files_config_file(ntop_etc_t) + +-type ntop_http_content_t; +-files_type(ntop_http_content_t) +- + type ntop_tmp_t; + files_tmp_file(ntop_tmp_t) + +@@ -37,15 +34,14 @@ allow ntop_t self:fifo_file rw_fifo_file_perms; allow ntop_t self:tcp_socket create_stream_socket_perms; allow ntop_t self:udp_socket create_socket_perms; 
@@ -18302,7 +18393,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ntop_t ntop_etc_t:dir list_dir_perms; read_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t) -@@ -57,6 +59,8 @@ + read_lnk_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t) + +-allow ntop_t ntop_http_content_t:dir list_dir_perms; +-read_files_pattern(ntop_t, ntop_http_content_t, ntop_http_content_t) +- + manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t) + manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t) + files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir }) +@@ -57,6 +53,8 @@ manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t) files_pid_filetrans(ntop_t, ntop_var_run_t, file) @@ -18311,7 +18410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_network_state(ntop_t) kernel_read_kernel_sysctls(ntop_t) kernel_list_proc(ntop_t) -@@ -72,12 +76,17 @@ +@@ -72,12 +70,17 @@ corenet_raw_sendrecv_generic_node(ntop_t) corenet_tcp_sendrecv_all_ports(ntop_t) corenet_udp_sendrecv_all_ports(ntop_t) @@ -18329,7 +18428,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(ntop_t) fs_search_auto_mountpoints(ntop_t) -@@ -85,6 +94,7 @@ +@@ -85,6 +88,7 @@ logging_send_syslog_msg(ntop_t) miscfiles_read_localization(ntop_t) @@ -18337,7 +18436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(ntop_t) -@@ -92,6 +102,10 @@ +@@ -92,6 +96,10 @@ userdom_dontaudit_search_user_home_dirs(ntop_t) optional_policy(` 
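Review bot: Dropping the `type ntop_http_content_t;` declaration and its file-context entry (with the matching allow rules removed in the next hunk, `@@ -18302`) means files already labelled with that type will presumably be treated as unlabelled once the new policy loads until a relabel runs, and any other module that `gen_require`s the type will fail to link. A comment in ntop.te, or an entry in the package changelog, stating that `/usr/share/ntop/html` now falls under its parent's label and that a relabel is expected would help operators, and the remaining modules are worth grepping for references before the type disappears. Refpolicy convention would also bump the `policy_module(ntop, …)` version for a type removal, which lies outside this hunk.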
@@ -18743,21 +18842,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.32/policy/modules/services/nx.fc --- nsaserefpolicy/policy/modules/services/nx.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-12-03 13:45:11.000000000 -0500 -@@ -1,7 +1,12 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-12-10 11:22:15.000000000 -0500 +@@ -1,7 +1,15 @@ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -+/opt/NX/home/nx(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) - --/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) -+/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) -+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) ++/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) + /opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) +- /opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0) - /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) ++/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) ++ ++/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) ++/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) + -+/usr/NX/home/nx(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) ++/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) ++/var/lib/nxserver(/.*)? 
gen_context(system_u:object_r:nx_server_var_lib_t,s0) + + /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/nx.if 2009-12-03 13:45:11.000000000 -0500 @@ -19075,8 +19177,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.if serefpolicy-3.6.32/policy/modules/services/plymouth.if --- nsaserefpolicy/policy/modules/services/plymouth.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/plymouth.if 2009-12-03 13:45:11.000000000 -0500 -@@ -0,0 +1,286 @@ ++++ serefpolicy-3.6.32/policy/modules/services/plymouth.if 2009-12-10 15:27:49.000000000 -0500 +@@ -0,0 +1,304 @@ +## policy for plymouthd + +######################################## @@ -19099,6 +19201,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Execute a plymoth in the current domain ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`plymouth_exec', ` ++ gen_require(` ++ type plymouthd_exec_t; ++ ') ++ ++ can_exec($1, plymouthd_exec_t) ++') ++ ++######################################## ++## +## Execute a domain transition to run plymouthd. +## +## 
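Review bot: The new side keeps `/var/lib/nxserver/home/.ssh(/.*)?` with an unescaped dot, while the `/opt/NX` and `/usr/NX` entries in the same hunk write `\.ssh`; file-context paths are regular expressions, so `.ssh` also matches names such as `/var/lib/nxserver/home/Xssh`, and the entry should read `/var/lib/nxserver/home/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)`. The line was carried over from the earlier version of the patch rather than introduced here, but this hunk rewrites the neighbouring entries and is the natural place to fix it.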
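Review bot: The summary of the new `plymouth_exec` interface reads "Execute a plymoth in the current domain" and its parameter is described as "Domain allowed to transition.", but the body is a plain `can_exec($1, plymouthd_exec_t)` with no domain transition, so the documentation contradicts the code (and misspells plymouth). Suggest `## Execute plymouthd in the caller's domain (no transition).` for the summary and `## Domain allowed access.` for the parameter, matching the wording the `prelink_exec` interface uses elsewhere in this patch. The `interface(`plymouth_exec', `` line also carries a space before the opening quote that the other interfaces in the file omit.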
@@ -19365,8 +19485,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-12-03 13:45:11.000000000 -0500 -@@ -0,0 +1,101 @@ ++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-12-10 15:31:04.000000000 -0500 +@@ -0,0 +1,102 @@ +policy_module(plymouthd, 1.0.0) + +######################################## @@ -19425,6 +19545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_usr_files(plymouthd_t) + +miscfiles_read_localization(plymouthd_t) ++miscfiles_read_fonts(plymouthd_t) + +manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) +manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) @@ -19488,8 +19609,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.32/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/policykit.if 2009-12-03 13:45:11.000000000 -0500 -@@ -17,6 +17,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/policykit.if 2009-12-10 15:31:52.000000000 -0500 +@@ -17,12 +17,37 @@ class dbus send_msg; ') 
@@ -19498,7 +19619,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 policykit_t:dbus send_msg; allow policykit_t $1:dbus send_msg; ') -@@ -62,6 +64,9 @@ + + ######################################## + ## ++## Send and receive messages from ++## policykit over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`policykit_dbus_chat_auth',` ++ gen_require(` ++ type policykit_auth_t; ++ class dbus send_msg; ++ ') ++ ++ ps_process_pattern(policykit_auth_t, $1) ++ ++ allow $1 policykit_auth_t:dbus send_msg; ++ allow policykit_auth_t $1:dbus send_msg; ++') ++ ++######################################## ++## + ## Execute a domain transition to run polkit_auth. + ## + ## +@@ -62,6 +87,9 @@ policykit_domtrans_auth($1) role $2 types policykit_auth_t; @@ -19508,7 +19658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -206,4 +211,47 @@ +@@ -206,4 +234,47 @@ files_search_var_lib($1) read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) @@ -19558,7 +19708,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-12-09 09:05:31.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-12-10 10:38:47.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # 
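Review bot: The new `policykit_dbus_chat_auth` interface is documented as "Send and receive messages from policykit over dbus", but it targets `policykit_auth_t` (the polkit auth helper) rather than `policykit_t`, and it additionally calls `ps_process_pattern(policykit_auth_t, $1)`, which gives the helper read access to the caller's process state — more than the name "dbus chat" suggests. Correct the summary to name polkit_auth and put a why-comment above the `ps_process_pattern` line, e.g. `# the auth helper reads the caller's /proc entry to identify the session — TODO confirm`, or move that grant out if not every caller needs it. Callers added in this commit (`fprintd_t`, hunk `@@ -15654`) inherit the extra grant.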
@@ -19634,7 +19784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -92,12 +114,14 @@ +@@ -92,21 +114,25 @@ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -19642,16 +19792,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - files_read_etc_files(policykit_auth_t) files_read_usr_files(policykit_auth_t) - ++files_search_home(policykit_auth_t) ++ +fs_getattr_all_fs(polkit_auth_t) +fs_search_tmpfs(polkit_auth_t) -+ + auth_use_nsswitch(policykit_auth_t) +auth_domtrans_chk_passwd(policykit_auth_t) logging_send_syslog_msg(policykit_auth_t) -@@ -106,7 +130,7 @@ + miscfiles_read_localization(policykit_auth_t) ++miscfiles_read_fonts(policykit_auth_t) + userdom_dontaudit_read_user_home_content_files(policykit_auth_t) optional_policy(` @@ -19660,7 +19813,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -119,6 +143,14 @@ +@@ -119,6 +145,14 @@ hal_read_state(policykit_auth_t) ') @@ -19675,7 +19828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # polkit_grant local policy -@@ -126,7 +158,8 @@ +@@ -126,7 +160,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; @@ -19685,7 +19838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -156,9 +189,12 @@ +@@ -156,9 +191,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` 
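Review bot: `fs_getattr_all_fs(polkit_auth_t)` and `fs_search_tmpfs(polkit_auth_t)` on the new side name `polkit_auth_t`, while every other rule in the hunk — including the `files_search_home` and `miscfiles_read_fonts` lines this commit adds — uses `policykit_auth_t`. Unless a typealias for `polkit_auth_t` is declared elsewhere in policykit.te, these two lines will not build; if the alias does exist, switching them to the canonical spelling keeps the block consistent. Both lines are context in this hunk rather than changes of this commit, but the hunk edits the lines around them.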
@@ -19699,7 +19852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -170,7 +206,8 @@ +@@ -170,7 +208,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -26357,21 +26510,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-12-05 06:43:26.000000000 -0500 -@@ -74,6 +74,12 @@ ++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-12-10 15:23:11.000000000 -0500 +@@ -74,6 +74,13 @@ domtrans_pattern($2, iceauth_exec_t, iceauth_t) +ifdef(`hide_broken_symptoms', ` + dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms; + dontaudit iceauth_t $2:tcp_socket rw_socket_perms; ++ dontaudit iceauth_t $2:udp_socket rw_socket_perms; + fs_dontaudit_rw_anon_inodefs_files(iceauth_t) +') + allow $2 iceauth_home_t:file read_file_perms; domtrans_pattern($2, xauth_exec_t, xauth_t) -@@ -89,8 +95,8 @@ +@@ -89,8 +96,8 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; @@ -26382,7 +26536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit $2 xdm_t:tcp_socket { read write }; # Client read xserver shm -@@ -211,6 +217,7 @@ +@@ -211,6 +218,7 @@ relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) 
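Review bot: The added `dontaudit iceauth_t $2:udp_socket rw_socket_perms;` (and the matching `dontaudit xauth_t $1:udp_socket rw_socket_perms;` in hunk `@@ -26529`) extends the `hide_broken_symptoms` block without saying what symptom is being hidden; the commit title explains it is a descriptor leak from the calling domain into xauth/iceauth, but the policy file will not carry that context. A comment on the `ifdef(`hide_broken_symptoms'` line such as `# callers leak open socket fds across the exec into iceauth_t; suppress the resulting read/write denials rather than allow them` records why these are dontaudit instead of allow and that the real fix belongs in the callers. The same comment fits the xauth_t block in the later hunk.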
@@ -26390,7 +26544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -245,7 +252,7 @@ +@@ -245,7 +253,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -26399,7 +26553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Client read xserver shm allow $1 xserver_t:fd use; -@@ -299,7 +306,7 @@ +@@ -299,7 +307,7 @@ interface(`xserver_user_client',` refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') gen_require(` @@ -26408,7 +26562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; ') -@@ -308,14 +315,14 @@ +@@ -308,14 +316,14 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -26428,7 +26582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit $1 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -367,7 +374,6 @@ +@@ -367,7 +375,6 @@ type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; @@ -26436,7 +26590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol attribute xproperty_type; attribute xevent_type; attribute input_xevent_type; -@@ -376,6 +382,8 @@ +@@ -376,6 +383,8 @@ class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; @@ -26445,7 +26599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -383,20 +391,11 @@ +@@ -383,20 +392,11 @@ # Local Policy # 
@@ -26466,7 +26620,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive; allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive; -@@ -409,8 +408,10 @@ +@@ -409,8 +409,10 @@ type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t; type_transition $2 client_xevent_t:x_event $1_client_xevent_t; type_transition $2 xevent_t:x_event $1_default_xevent_t; @@ -26478,7 +26632,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -484,13 +485,14 @@ +@@ -484,13 +486,14 @@ # template(`xserver_user_x_domain_template',` gen_require(` @@ -26497,7 +26651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Read .Xauthority file allow $2 xauth_home_t:file read_file_perms; -@@ -498,9 +500,9 @@ +@@ -498,9 +501,9 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; @@ -26510,7 +26664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -526,6 +528,10 @@ +@@ -526,6 +529,10 @@ allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') @@ -26521,7 +26675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -585,6 +591,12 @@ +@@ -585,6 +592,13 @@ ') domtrans_pattern($1, xauth_exec_t, xauth_t) 
@@ -26529,12 +26683,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +ifdef(`hide_broken_symptoms', ` + dontaudit xauth_t $1:unix_stream_socket rw_socket_perms; + dontaudit xauth_t $1:tcp_socket rw_socket_perms; ++ dontaudit xauth_t $1:udp_socket rw_socket_perms; + fs_dontaudit_rw_anon_inodefs_files(xauth_t) +') ') ######################################## -@@ -728,7 +740,7 @@ +@@ -728,7 +742,7 @@ type xdm_t; ') @@ -26543,7 +26698,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -764,11 +776,11 @@ +@@ -764,11 +778,11 @@ # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -26557,7 +26712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -802,10 +814,10 @@ +@@ -802,10 +816,10 @@ # interface(`xserver_setattr_xdm_tmp_dirs',` gen_require(` @@ -26570,7 +26725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -821,12 +833,13 @@ +@@ -821,12 +835,13 @@ # interface(`xserver_create_xdm_tmp_sockets',` gen_require(` @@ -26587,7 +26742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -845,7 +858,44 @@ +@@ -845,7 +860,44 @@ ') files_search_pids($1) @@ -26633,7 +26788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -868,6 +918,75 @@ +@@ -868,6 +920,75 @@ ######################################## ## @@ -26709,7 +26864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -886,6 +1005,24 @@ +@@ -886,6 +1007,24 @@ ######################################## ## 
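Review bot: The added `dontaudit xauth_t $1:udp_socket rw_socket_perms;` silences descriptor leaks from the calling domain into xauth_t without a comment naming which callers leak, so nothing tells a maintainer when the `hide_broken_symptoms` block can be retired. Like the unix_stream_socket and tcp_socket lines beside it, the rule grants nothing: access to the inherited sockets is still denied, only no longer logged, so the underlying leak in $1 is unchanged and the real fix is for the caller to close its sockets before the exec. A one-line comment above the block, `# $1 leaks open socket fds into xauth on exec; silence only, callers should close them`, would record that intent. The interface this block belongs to, the one whose `domtrans_pattern($1, xauth_exec_t, xauth_t)` precedes it, starts in the previous hunk, outside this one.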
@@ -26734,7 +26889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute an X session in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -961,6 +1098,27 @@ +@@ -961,6 +1100,27 @@ ######################################## ## @@ -26762,7 +26917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write the X server ## log files. ## -@@ -1014,11 +1172,11 @@ +@@ -1014,11 +1174,11 @@ # interface(`xserver_read_xdm_tmp_files',` gen_require(` @@ -26776,7 +26931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1033,11 +1191,11 @@ +@@ -1033,11 +1193,11 @@ # interface(`xserver_dontaudit_read_xdm_tmp_files',` gen_require(` @@ -26791,7 +26946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1052,11 +1210,11 @@ +@@ -1052,11 +1212,11 @@ # interface(`xserver_rw_xdm_tmp_files',` gen_require(` @@ -26806,7 +26961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1071,10 +1229,10 @@ +@@ -1071,10 +1231,10 @@ # interface(`xserver_manage_xdm_tmp_files',` gen_require(` @@ -26819,7 +26974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1089,10 +1247,10 @@ +@@ -1089,10 +1249,10 @@ # interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` gen_require(` @@ -26832,7 +26987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1107,10 +1265,11 @@ +@@ -1107,10 +1267,11 @@ # interface(`xserver_domtrans',` gen_require(` 
@@ -26845,7 +27000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1248,6 +1407,288 @@ +@@ -1248,6 +1409,288 @@ ######################################## ## @@ -27134,7 +27289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1261,7 +1702,103 @@ +@@ -1261,7 +1704,103 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; @@ -27240,7 +27395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-09 11:40:19.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-10 15:28:03.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -27734,7 +27889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -542,6 +677,38 @@ +@@ -542,6 +677,39 @@ ') optional_policy(` @@ -27751,6 +27906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + plymouth_search_spool(xdm_t) ++ plymouth_exec(xdm_t) +') + +optional_policy(` @@ -27773,7 +27929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +717,9 @@ +@@ -550,8 +718,9 @@ ') optional_policy(` 
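Review bot: `plymouth_exec(xdm_t)` runs plymouth inside the display-manager domain itself rather than transitioning it to a domain of its own, so the splash client inherits every permission xdm_t holds; by refpolicy convention an `*_exec` interface is `can_exec` in the caller's domain. If the plymouth module provides a client domain with a domain-transition interface, that would be the tighter choice here; if plymouth genuinely has to run as xdm_t, a short comment on the line, `# plymouth is deliberately run in xdm_t without a transition: <reason>`, would keep a later reviewer from tightening it blindly. The optional_policy block is complete within this hunk, but the xdm_t local policy section it sits in starts outside it.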
@@ -27785,7 +27941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +728,6 @@ +@@ -560,7 +729,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -27793,7 +27949,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +738,10 @@ +@@ -571,6 +739,10 @@ ') optional_policy(` @@ -27804,7 +27960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,10 +758,9 @@ +@@ -587,10 +759,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -27816,7 +27972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -602,9 +772,12 @@ +@@ -602,9 +773,12 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -27829,7 +27985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +789,14 @@ +@@ -616,13 +790,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -27845,7 +28001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +809,19 @@ +@@ -635,9 +810,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -27865,7 +28021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -671,7 +855,6 @@ +@@ -671,7 +856,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -27873,7 +28029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -681,9 +864,12 @@ +@@ -681,9 +865,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -27887,7 +28043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -698,8 +884,12 @@ +@@ -698,8 +885,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -27900,7 +28056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -721,6 +911,7 @@ +@@ -721,6 +912,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -27908,7 +28064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -743,7 +934,7 @@ +@@ -743,7 +935,7 @@ ') ifdef(`enable_mls',` @@ -27917,7 +28073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -775,12 +966,20 @@ +@@ -775,12 +967,20 @@ ') optional_policy(` 
@@ -27939,7 +28095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -807,12 +1006,12 @@ +@@ -807,12 +1007,12 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -27956,7 +28112,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read; -@@ -828,9 +1027,14 @@ +@@ -828,9 +1028,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -27971,7 +28127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -845,11 +1049,14 @@ +@@ -845,11 +1050,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -27987,7 +28143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -882,6 +1089,8 @@ +@@ -882,6 +1090,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -27996,7 +28152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -906,6 +1115,8 @@ +@@ -906,6 +1116,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -28005,7 +28161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -973,17 +1184,49 @@ +@@ -973,17 +1185,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -28184,7 +28340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-12-07 15:55:13.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-12-10 15:35:58.000000000 -0500 @@ -40,17 +40,76 @@ ## ## @@ -28502,16 +28658,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.32/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/authlogin.te 2009-12-03 13:45:11.000000000 -0500 -@@ -103,6 +103,7 @@ ++++ serefpolicy-3.6.32/policy/modules/system/authlogin.te 2009-12-10 13:28:10.000000000 -0500 +@@ -103,8 +103,10 @@ fs_dontaudit_getattr_xattr_fs(chkpwd_t) +term_dontaudit_use_console(chkpwd_t) term_dontaudit_use_unallocated_ttys(chkpwd_t) term_dontaudit_use_generic_ptys(chkpwd_t) ++term_dontaudit_use_all_server_ptys(chkpwd_t) -@@ -125,9 +126,18 @@ + auth_use_nsswitch(chkpwd_t) + +@@ -125,9 +127,18 @@ ') optional_policy(` 
@@ -29537,7 +29696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-12-10 11:41:15.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # @@ -29552,7 +29711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type ipsec_t; type ipsec_exec_t; init_daemon_domain(ipsec_t, ipsec_exec_t) -@@ -15,6 +22,9 @@ +@@ -15,13 +22,22 @@ type ipsec_conf_file_t; files_type(ipsec_conf_file_t) @@ -29562,17 +29721,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # type for file(s) containing ipsec keys - RSA or preshared type ipsec_key_file_t; files_type(ipsec_key_file_t) -@@ -22,6 +32,9 @@ - # Default type for IPSEC SPD entries - type ipsec_spd_t; +type ipsec_log_t; +logging_log_file(ipsec_log_t) + + # Default type for IPSEC SPD entries + type ipsec_spd_t; + ++type ipsec_tmp_t; ++files_tmp_file(ipsec_tmp_t) ++ # type for runtime files, including pluto.ctl type ipsec_var_run_t; files_pid_file(ipsec_var_run_t) -@@ -43,6 +56,9 @@ +@@ -43,6 +59,9 @@ init_daemon_domain(racoon_t, racoon_exec_t) role system_r types racoon_t; @@ -29582,7 +29744,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type setkey_t; type setkey_exec_t; init_system_domain(setkey_t, setkey_exec_t) -@@ -53,21 +69,23 @@ +@@ -53,21 +72,23 @@ # ipsec Local policy # 
@@ -29609,7 +29771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -82,16 +100,17 @@ +@@ -82,16 +103,17 @@ # so try flipping back into the ipsec_mgmt_t domain corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; @@ -29629,7 +29791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_getattr_core_if(ipsec_t) kernel_getattr_message_if(ipsec_t) -@@ -120,7 +139,9 @@ +@@ -120,7 +142,9 @@ domain_use_interactive_fds(ipsec_t) @@ -29639,7 +29801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) -@@ -154,16 +175,19 @@ +@@ -154,16 +178,19 @@ # allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; @@ -29661,7 +29823,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) -@@ -241,6 +265,7 @@ +@@ -188,6 +215,10 @@ + manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) + files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file) + ++manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) ++manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) ++files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) ++ + # whack needs to connect to pluto + stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) + +@@ -241,6 +272,7 @@ init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) 
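Review bot: The three new ipsec_tmp_t rules (`manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)`, `manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)`, `files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })`) target ipsec_t but are inserted in the middle of the ipsec_mgmt_t rules, between `files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)` and the `# whack needs to connect to pluto` comment. Moving them up into the `# ipsec Local policy` section keeps each domain's rules together and avoids a later reader assuming ipsec_mgmt_t was the intended subject. A one-line comment saying what the daemon writes under /tmp would also help, since nothing here records why ipsec_t needs its own tmp type. The ipsec_mgmt_t section this lands in starts in an earlier hunk.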
@@ -29669,7 +29842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(ipsec_mgmt_t) -@@ -280,6 +305,13 @@ +@@ -280,6 +312,13 @@ allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; allow racoon_t self:key_socket create_socket_perms; @@ -29683,7 +29856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # manage pid file manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -297,6 +329,13 @@ +@@ -297,6 +336,13 @@ kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) @@ -29697,7 +29870,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_sendrecv_all_if(racoon_t) corenet_udp_sendrecv_all_if(racoon_t) -@@ -314,6 +353,8 @@ +@@ -314,6 +360,8 @@ files_read_etc_files(racoon_t) @@ -29706,7 +29879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow racoon to use avc_has_perm to check context on proposed SA selinux_compute_access_vector(racoon_t) -@@ -328,6 +369,14 @@ +@@ -328,6 +376,14 @@ miscfiles_read_localization(racoon_t) @@ -29721,7 +29894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Setkey local policy -@@ -341,12 +390,15 @@ +@@ -341,12 +397,15 @@ read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) 
@@ -29737,6 +29910,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) +@@ -358,3 +417,5 @@ + seutil_read_config(setkey_t) + + userdom_use_user_terminals(setkey_t) ++ ++userdom_read_user_tmp_files(setkey_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.32/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/system/iptables.fc 2009-12-03 13:45:11.000000000 -0500 @@ -33838,7 +34017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-09 09:27:20.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-10 15:29:01.000000000 -0500 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 7c4e142..2985949 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 57%{?dist} +Release: 58%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
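Review bot: `userdom_read_user_tmp_files(setkey_t)` lets the tool that loads kernel SA/SPD entries read every user's tmp files, and no comment says which workflow needs it (presumably `setkey -f` on a configuration written under a user's tmp directory, which is worth confirming). Because setkey_t is the domain that sets IPsec policy, a note such as `# setkey -f with a config file in the invoking user's tmp dir` marks the rule as intentional and bounds what a later tightening should preserve. The setkey local policy block this extends starts before this hunk.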
@@ -449,8 +449,20 @@ exit 0 %endif %changelog +* Thu Dec 10 2009 Dan Walsh 3.6.32-58 +- Dontaudit udp_socket leaks for xauth_t + * Wed Dec 9 2009 Dan Walsh 3.6.32-57 - Allow unconfined_t to send dbus messages to setroubleshoot +- Allow confined screen app to setattr on user ttys +- remove wine_t from unconfined domain when unconfined.pp disabled +- Allow sysadm_t to communicate with racoon +- Allow xauth to be run from all unconfined user types +- Fix labeling on all /var/cache/mod_* apps +- Allow asterisk to communicate with postgresql +- Fix labeling for /var/lib/certmaster +- Add policy for ksmtuned and tgtd +- Fixes fro vhostmd * Mon Dec 7 2009 Dan Walsh 3.6.32-56 - Dontaudit exec of fusermount from xguest