From e1add28df9743d0a1a4eef29ddb724c86e08c7ee Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 27 2010 17:02:49 +0000 Subject: - Allow to openvpn to read utmp - Allow xdm to read the video4linux devices - Add labeling for /etc/openldap/slapd.d directory - Allow tgtd to manage fixed disk device nodes - Allow chsh to execute nxserver - Allow abrt_helper to send system log messages - Add labeling for /etc/zabbix/web directory --- diff --git a/policy-20100106.patch b/policy-20100106.patch index 45d9598..fade903 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -10,6 +10,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(smoltclient_t) optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te +--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-01-18 18:24:22.584530156 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2010-01-26 14:45:59.214713808 +0100 +@@ -122,6 +122,10 @@ + # on user home dir + userdom_dontaudit_search_user_home_content(chfn_t) + ++optional_policy(` ++ nx_exec_server(chfn_t) ++') ++ + ######################################## + # + # Crack local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-01-21 18:31:02.867611919 +0100 
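Review bot: `nx_exec_server(chfn_t)` in the added usermanage.te block runs the NX server binary inside the chfn_t domain itself — the interface introduced in the nx.if hunk further down is a plain `can_exec`, not a domain transition — so whatever chsh executes there inherits chfn_t's privileges. The block carries no comment saying why chsh needs to execute the server; presumably it validates a login shell that has been set to the NX server, but that is a guess from the commit message, and a line such as `# chsh executes the shell it is asked to set; nxserver is used as a login shell` above the `optional_policy` would let later readers judge the grant. If chsh only needs to confirm that the file is executable, an interface granting `getattr execute` on nx_server_exec_t would be narrower than `can_exec`, which also allows running it without a transition.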
@@ -484,8 +498,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(dns, udp,53,s0, tcp,53,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-18 18:27:02.746530790 +0100 -@@ -162,6 +162,8 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-27 17:35:56.087613943 +0100 +@@ -103,6 +103,7 @@ + /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) + /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) + /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0) + /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) + ifdef(`distro_suse', ` +@@ -162,6 +163,8 @@ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) 
@@ -496,8 +518,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-01-18 18:24:22.673530022 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-01-18 18:27:02.749530752 +0100 -@@ -3833,6 +3833,24 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2010-01-27 17:35:46.879614965 +0100 +@@ -3551,6 +3551,24 @@ + rw_chr_files_pattern($1, device_t, usb_device_t) + ') + ++###################################### ++## ++## Read USB monitor devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_usbmon_dev',` ++ gen_require(` ++ type device_t, usbmon_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, usbmon_device_t) ++') ++ + ######################################## + ## + ## Mount a usbfs filesystem. +@@ -3833,6 +3851,24 @@ write_chr_files_pattern($1, device_t, v4l_device_t) ') 
@@ -524,8 +571,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write VMWare devices. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.32/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2010-01-18 18:24:22.675530137 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-01-18 18:27:02.751530797 +0100 -@@ -233,6 +233,12 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.te 2010-01-27 17:34:18.787624215 +0100 +@@ -228,11 +228,23 @@ + genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0) + + # ++# usbmon_device_t is the type for /dev/usbmon ++# ++type usbmon_device_t; ++dev_node(usbmon_device_t) ++ ++# + # usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+ + # type usb_device_t; dev_node(usb_device_t) @@ -576,7 +634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gen_tunable(xguest_connect_network, true) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-18 18:27:02.754531109 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-27 15:33:53.900626544 +0100 @@ -96,6 +96,7 @@ corenet_tcp_connect_ftp_port(abrt_t) corenet_tcp_connect_all_ports(abrt_t) 
@@ -585,6 +643,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_memory_dev(abrt_t) +@@ -200,10 +201,13 @@ + files_read_etc_files(abrt_helper_t) + files_dontaudit_all_non_security_leaks(abrt_helper_t) + ++fs_getattr_all_fs(abrt_helper_t) + fs_list_inotifyfs(abrt_helper_t) + + auth_use_nsswitch(abrt_helper_t) + ++logging_send_syslog_msg(abrt_helper_t) ++ + miscfiles_read_localization(abrt_helper_t) + + userdom_dontaudit_use_user_terminals(abrt_helper_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.32/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2010-01-18 18:24:22.729540009 +0100 +++ serefpolicy-3.6.32/policy/modules/services/afs.te 2010-01-20 13:19:16.795611181 +0100 
@@ -613,6 +685,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # AFS bossserver local policy +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc +--- nsaserefpolicy/policy/modules/services/apache.fc 2010-01-18 18:24:22.733530530 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2010-01-27 17:22:29.733863060 +0100 +@@ -12,6 +12,7 @@ + /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) + /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) + /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + + /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-01-18 18:24:22.736530563 +0100 +++ serefpolicy-3.6.32/policy/modules/services/apache.if 2010-01-22 17:15:37.455855038 +0100 @@ -665,7 +748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to read and write Apache diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-01-18 18:30:54.720781297 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-01-26 15:36:27.882713495 +0100 
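Review bot: The added `/etc/zabbix/web(/.*)?` entry labels a configuration directory under /etc as `httpd_sys_content_rw_t`, so httpd_t (and, through the content template, its sys script domain) keeps write access to the Zabbix frontend configuration permanently, not only during the web setup step that presumably writes it. The other /etc entries in this hunk use the read-only `httpd_config_t`, so the difference deserves an explanation in the file, e.g. `# zabbix web setup writes its frontend config here` above the entry. Recording the reason also makes it possible to narrow the label later if the frontend stops needing write access.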
@@ -309,7 +309,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) @@ -675,6 +758,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; +@@ -612,6 +612,11 @@ + avahi_dbus_chat(httpd_t) + ') + ') ++ ++optional_policy(` ++ gitosis_read_var_lib(httpd_t) ++') ++ + optional_policy(` + kerberos_keytab_template(httpd, httpd_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.6.32/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/apcupsd.te 2010-01-18 18:27:02.757542944 +0100 
@@ -687,6 +782,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; allow apcupsd_t self:tcp_socket create_stream_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te +--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-01-18 18:24:22.741530430 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2010-01-27 17:37:31.626864275 +0100 +@@ -64,6 +64,7 @@ + corenet_udp_sendrecv_all_ports(arpwatch_t) + + dev_read_sysfs(arpwatch_t) ++dev_read_usbmon_dev(arpwatch_t) + + fs_getattr_all_fs(arpwatch_t) + fs_search_auto_mountpoints(arpwatch_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.6.32/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/avahi.fc 2010-01-19 21:19:40.967763409 +0100 
@@ -717,8 +823,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-18 18:24:22.782530547 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-18 18:32:00.705531307 +0100 -@@ -277,6 +277,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2010-01-27 16:52:32.499864534 +0100 +@@ -82,6 +82,7 @@ + manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) + + manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) ++manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) + manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) + files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) + +@@ -277,6 +278,8 @@ ') tunable_policy(`use_nfs_home_dirs',` @@ -727,7 +841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_nfs_files(dovecot_deliver_t) fs_manage_nfs_symlinks(dovecot_deliver_t) fs_manage_nfs_files(dovecot_t) -@@ -284,6 +286,8 @@ +@@ -284,6 +287,8 @@ ') tunable_policy(`use_samba_home_dirs',` 
@@ -1029,6 +1143,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`allow_kerberos',` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc +--- nsaserefpolicy/policy/modules/services/ldap.fc 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-01-26 14:30:08.546712216 +0100 +@@ -2,6 +2,8 @@ + /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) + /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) + ++/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) ++ + /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) + + ifdef(`distro_debian',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2010-01-18 18:24:22.808530642 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2010-01-22 17:16:41.576604913 +0100 
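Review bot: The new `/etc/openldap/slapd\.d(/.*)?` entry gives the cn=config directory the database type `slapd_db_t` rather than the configuration type `slapd_etc_t` used for `slapd\.conf` two lines above, so any domain allowed to write the directory database may also rewrite the server's runtime configuration, where access rules and root credentials presumably live. That is likely intentional, since slapd maintains cn=config itself at runtime, but the fc carries no comment; `# cn=config is rewritten by slapd at runtime, so it gets the writable db type` above the entry would record the decision. A dedicated writable configuration type would keep data and configuration apart, if that separation is wanted.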
@@ -1082,6 +1208,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +term_dontaudit_use_all_user_ptys(memcached_t) +term_dontaudit_use_all_user_ttys(memcached_t) +term_dontaudit_use_console(memcached_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te +--- nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-01-26 14:38:16.349463228 +0100 +@@ -147,6 +147,8 @@ + dontaudit mysqld_safe_t self:capability sys_ptrace; + allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; + ++allow mysqld_safe_t mysqld_t:process signal_perms; ++ + domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) + + manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-18 18:24:22.821530899 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-18 18:27:02.765531460 +0100 
@@ -1174,9 +1312,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ###################################### # # local policy for system check plugins +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if +--- nsaserefpolicy/policy/modules/services/nx.if 2010-01-18 18:24:22.840530591 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/nx.if 2010-01-26 14:43:43.595472728 +0100 +@@ -18,6 +18,24 @@ + spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) + ') + ++####################################### ++## ++## Execute the NX server. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nx_exec_server',` ++ gen_require(` ++ type nx_server_exec_t; ++ ') ++ ++ can_exec($1, nx_server_exec_t) ++') ++ + ######################################## + ## + ## Read nx home directory content diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.32/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-01-18 18:24:22.843530414 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-18 18:27:02.767531435 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/openvpn.te 2010-01-26 14:19:37.820463477 +0100 @@ -85,6 +85,7 @@ corenet_udp_bind_generic_node(openvpn_t) corenet_tcp_bind_openvpn_port(openvpn_t) 
@@ -1185,9 +1351,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_openvpn_port(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) corenet_tcp_connect_http_cache_port(openvpn_t) +@@ -102,6 +103,9 @@ + + auth_use_pam(openvpn_t) + ++init_read_utmp(openvpn_t) ++init_dontaudit_write_utmp(openvpn_t) ++ + logging_send_syslog_msg(openvpn_t) + + miscfiles_read_localization(openvpn_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 2010-01-18 18:24:22.847540282 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2010-01-22 16:16:19.936882341 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2010-01-27 16:41:36.145614526 +0100 @@ -41,6 +41,19 @@ allow plymouthd_t self:fifo_file rw_fifo_file_perms; allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; @@ -1227,8 +1403,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -82,6 +83,8 @@ +@@ -80,8 +81,11 @@ + allow plymouth_t self:fifo_file rw_file_perms; + allow plymouth_t self:unix_stream_socket create_stream_socket_perms; ++kernel_read_system_state(plymouth_t) kernel_stream_connect(plymouth_t) +term_use_ptmx(plymouth_t) 
@@ -1265,6 +1444,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to master process stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t },postfix_master_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.32/policy/modules/services/prelude.te +--- nsaserefpolicy/policy/modules/services/prelude.te 2010-01-18 18:24:22.861530469 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/prelude.te 2010-01-26 15:37:38.488473779 +0100 +@@ -250,6 +250,8 @@ + files_read_etc_files(prelude_lml_t) + files_read_etc_runtime_files(prelude_lml_t) + ++fs_getattr_all_fs(prelude_lml_t) ++fs_list_inotifyfs(prelude_lml_t) + fs_rw_anon_inodefs_files(prelude_lml_t) + + auth_use_nsswitch(prelude_lml_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100 +++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-01-18 18:27:02.770531119 +0100 
@@ -1321,6 +1512,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow snmpd_t self:fifo_file rw_fifo_file_perms; allow snmpd_t self:unix_dgram_socket create_socket_perms; allow snmpd_t self:unix_stream_socket create_stream_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.32/policy/modules/services/snort.te +--- nsaserefpolicy/policy/modules/services/snort.te 2010-01-18 18:24:22.893530558 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/snort.te 2010-01-27 17:37:08.744613818 +0100 +@@ -78,6 +78,7 @@ + dev_read_sysfs(snort_t) + dev_read_rand(snort_t) + dev_read_urand(snort_t) ++dev_read_usbmon_dev(snort_t) + + domain_use_interactive_fds(snort_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.32/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-01-18 18:24:22.895529974 +0100 +++ serefpolicy-3.6.32/policy/modules/services/spamassassin.if 2010-01-18 18:27:02.773531151 +0100 
@@ -1758,6 +1960,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(tftpd_t) kernel_list_proc(tftpd_t) kernel_read_proc_symlinks(tftpd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.6.32/policy/modules/services/tgtd.te +--- nsaserefpolicy/policy/modules/services/tgtd.te 2010-01-18 18:24:22.905534669 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/tgtd.te 2010-01-26 14:33:27.943463104 +0100 +@@ -63,6 +63,7 @@ + files_read_etc_files(tgtd_t) + + storage_getattr_fixed_disk_dev(tgtd_t) ++storage_manage_fixed_disk(tgtd_t) + + logging_send_syslog_msg(tgtd_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-01-18 18:24:22.915540061 +0100 +++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-18 18:27:02.776530834 +0100 @@ -1809,7 +2022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-21 18:31:22.661610918 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-01-26 14:27:29.964713815 +0100 @@ -301,6 +301,8 @@ manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) 
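Review bot: `storage_manage_fixed_disk(tgtd_t)` in the tgtd.te hunk grants create, unlink and rename on fixed disk device nodes as well as read/write, which is more than a target that exports existing block devices appears to need; if the denials behind the change were read and write on the nodes, `storage_raw_rw_fixed_disk(tgtd_t)` is the narrower interface. Whichever is kept, a comment such as `# tgtd exports local block devices as iSCSI LUNs` above the call would tell the reader why a network daemon receives raw disk access. The `storage_getattr_fixed_disk_dev(tgtd_t)` line kept above it appears to be implied by either interface and could go.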
@@ -1819,7 +2032,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(xauth_t) dev_rw_xserver_misc(xauth_t) -@@ -668,6 +670,7 @@ +@@ -506,6 +508,7 @@ + dev_dontaudit_rw_misc(xdm_t) + dev_getattr_video_dev(xdm_t) + dev_setattr_video_dev(xdm_t) ++dev_read_video_dev(xdm_t) + dev_getattr_scanner_dev(xdm_t) + dev_setattr_scanner_dev(xdm_t) + dev_read_sound(xdm_t) +@@ -668,6 +671,7 @@ optional_policy(` gnome_read_gconf_config(xdm_t) @@ -1863,6 +2084,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te +--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-01-18 18:24:22.939530053 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2010-01-27 17:43:20.027613211 +0100 +@@ -215,6 +215,8 @@ + allow ipsec_mgmt_t self:unix_dgram_socket { create connect write }; + allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; + ++dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; ++ + allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; + + manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc --- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-01-18 18:27:02.783531305 +0100 
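Review bot: `dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };` in the ipsec.te hunk silences what looks like a descriptor leaked from ipsec_t into the management scripts rather than an intended channel (the allow rule two lines above it is for a dgram socket), and it carries no comment. The refpolicy convention is to say what is being hidden, e.g. `# leaked stream socket inherited from ipsec_t; dontaudit until the leak is fixed` — hedged, since the cause is not visible in this hunk. If the descriptor is actually used, the rule should be an `allow` with a comment instead.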
@@ -1899,21 +2132,39 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_read_all_domains_state(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-22 12:18:15.477855412 +0100 -@@ -245,6 +245,7 @@ ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-27 14:59:22.372614529 +0100 +@@ -245,8 +245,12 @@ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/lib(64)?/codecs/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -433,8 +434,15 @@ + HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -396,10 +400,8 @@ + /usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/X11R6/lib/libOSMesa.*\.so.* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -433,8 +435,17 @@ /usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/real/RealPlayer/plugins/theorarend\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/real/RealPlayer/plugins/oggfformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -2023,6 +2274,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(load_policy_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te +--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-01-18 18:24:22.971530073 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2010-01-27 17:25:30.275614148 +0100 +@@ -87,6 +87,7 @@ + + kernel_read_system_state(dhcpc_t) + kernel_read_network_state(dhcpc_t) ++kernel_read_net_sysctls(dhcpc_t) + kernel_read_kernel_sysctls(dhcpc_t) + kernel_request_load_module(dhcpc_t) + kernel_use_fds(dhcpc_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-18 18:24:22.975530582 +0100 +++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-18 18:27:02.790542463 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index ab55bbc..084fb1e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 77%{?dist} +Release: 78%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -456,6 +456,15 @@ exit 0 %endif %changelog +* Wed Jan 27 2010 Miroslav Grepl 3.6.32-78 +- Allow to openvpn to read utmp +- Allow xdm to read the video4linux devices +- Add labeling for /etc/openldap/slapd.d directory +- Allow tgtd to manage fixed disk device nodes +- Allow chsh to execute nxserver +- Allow abrt_helper to send system log messages +- Add labeling for /etc/zabbix/web directory + * Mon Jan 25 2010 Miroslav Grepl 3.6.32-77 - Allow xenstored to manage files on on a XENFS filesystem - Allow cupsd to setattr on a fonts cache directory