From f7782b029dd3e97201f13eafb4a45fa7f73c3132 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Dec 01 2009 16:14:39 +0000
Subject: - Major fixup of ntop policy
- Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22
- Allow xdm to signal session bus
- Allow modemmanager to use generic ptys, and sys_tty_config capability
- Allow abrt_helper chown access, dontaudit leaks
- Allow logwatch to list cifs and nfs file systems
- Allow kismet to read network state
- Allow cupsd_config_t to connecto unconfined unix_stream
- Fix avahi labeling and allow avahi to manage /etc/resolv.conf
- Allow sshd to read usr_t files
- Allow login programs to manage pcscd_var_run_t files
- Allow tor to read usr_t files
---
diff --git a/policy-F12.patch b/policy-F12.patch
index 07c41b7..d8e1636 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -250,7 +250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.32/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/kismet.te 2009-11-09 13:10:35.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/admin/kismet.te 2009-12-01 08:03:22.000000000 -0500
 @@ -26,6 +26,9 @@
 type kismet_var_run_t;
 files_pid_file(kismet_var_run_t)
@@ -261,7 +261,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # kismet local policy -@@ -59,6 +62,12 @@ +@@ -45,7 +48,8 @@ + + manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) + manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) +-files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir }) ++manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) ++files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file }) + + manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) + manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) +@@ -59,8 +63,15 @@ allow kismet_t kismet_var_run_t:dir manage_dir_perms; files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) @@ -273,6 +283,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + kernel_search_debugfs(kismet_t) kernel_read_system_state(kismet_t) ++kernel_read_network_state(kismet_t) + + corecmd_exec_bin(kismet_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-09-16 10:01:19.000000000 -0400 
@@ -336,8 +349,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.32/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te 2009-09-30 16:12:48.000000000 -0400 -@@ -136,4 +136,5 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/logwatch.te 2009-12-01 10:47:58.000000000 -0500 +@@ -93,6 +93,13 @@ + sysnet_exec_ifconfig(logwatch_t) + + userdom_dontaudit_search_user_home_dirs(logwatch_t) ++tunable_policy(`use_nfs_home_dirs',` ++ fs_list_nfs(logwatch_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_list_cifs(logwatch_t) ++') + + mta_send_mail(logwatch_t) + +@@ -136,4 +143,5 @@ optional_policy(` samba_read_log(logwatch_t) @@ -627,7 +654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2009-11-18 10:29:18.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2009-11-30 11:31:33.000000000 -0500 @@ -21,8 +21,23 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -693,7 +720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amanda_manage_lib(prelink_t) -@@ -99,5 +119,53 @@ +@@ -99,5 +119,54 @@ ') optional_policy(` 
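Review bot: The two new tunable blocks grant logwatch_t list access on NFS and CIFS filesystems, but they sit directly after `userdom_dontaudit_search_user_home_dirs(logwatch_t)`, which suggests the denials come from logwatch walking home directories rather than from anything it needs to read on those mounts. If that is the case a dontaudit is the tighter fix, `fs_dontaudit_list_nfs(logwatch_t)` and `fs_dontaudit_list_cifs(logwatch_t)` inside the same tunables (assuming the reference policy in use provides them), which keeps the denial out of the log without granting a directory listing of remote home shares. If logwatch genuinely has to enumerate those mounts, a one-line comment above the block naming the report that needs it would stop the next reviewer asking the same question.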
@@ -721,7 +748,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# This sucks: can it not just append? +rw_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t) + -+write_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) ++manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) ++files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file) + +corecmd_exec_bin(prelink_cron_system_t) +corecmd_exec_shell(prelink_cron_system_t) @@ -812,7 +840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-24 07:36:02.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-30 16:00:40.000000000 -0500 @@ -13,11 +13,34 @@ interface(`rpm_domtrans',` gen_require(` @@ -860,7 +888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_run_loadpolicy(rpm_script_t, $2) seutil_run_semanage(rpm_script_t, $2) seutil_run_setfiles(rpm_script_t, $2) -@@ -146,6 +174,42 @@ +@@ -146,6 +174,41 @@ ######################################## ## @@ -874,11 +902,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`rpm_dontaudit_leaks',` + gen_require(` -+ type rpm_t; -+ type rpm_script_t; -+ type rpm_var_run_t; -+ type rpm_tmp_t; -+ type rpm_tmpfs_t; ++ type rpm_t, rpm_var_cache_t; ++ type rpm_script_t, rpm_var_run_t, rpm_tmp_t; ++ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t; + ') + + dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms; 
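Review bot: `manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)` widens the cron job from write to the full manage set (create, rename, unlink, setattr and so on) on prelink's /var/lib state, while the new `files_var_lib_filetrans` line only needs create. If the job only creates and rewrites its cache files, `create_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)` plus `rw_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)` is the narrower grant; if it really does rotate or delete those files, a short comment above the line saying so would justify the wider set. The prelink_cron_system_t block starts and ends outside this hunk.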
@@ -896,6 +922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 rpm_tmpfs_t:file write_file_perms; + dontaudit $1 rpm_script_tmp_t:file write_file_perms; + dontaudit $1 rpm_var_lib_t:file { read write }; ++ dontaudit $1 rpm_var_cache_t:file { read write }; +') + +######################################## @@ -903,7 +930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## rpm over dbus. ## -@@ -167,6 +231,68 @@ +@@ -167,6 +230,68 @@ ######################################## ## @@ -972,7 +999,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete the RPM log. ## ## -@@ -186,6 +312,24 @@ +@@ -186,6 +311,24 @@ ######################################## ## @@ -997,7 +1024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Inherit and use file descriptors from RPM scripts. ## ## -@@ -219,7 +363,51 @@ +@@ -219,7 +362,51 @@ ') files_search_tmp($1) @@ -1049,7 +1076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -241,6 +429,25 @@ +@@ -241,6 +428,25 @@ allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -1075,7 +1102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -265,6 +472,48 @@ +@@ -265,6 +471,48 @@ ######################################## ## 
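Review bot: The new `dontaudit $1 rpm_var_cache_t:file { read write };` hard-codes the permission set while the filesystem.if hunks later in this patch (the cifs_t and nfs_t dontaudits) switch the same kind of leaked-descriptor rule to `rw_inherited_file_perms`. Using the macro here as well, `dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;`, keeps the leak dontaudits in one style and picks up whatever extra permissions the macro covers on an inherited descriptor; the `rpm_var_lib_t` line just above it has the same shape and would benefit from the same change. The rpm_dontaudit_leaks interface starts outside this hunk.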
@@ -1124,7 +1151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to create, read, ## write, and delete the RPM package database. ## -@@ -283,3 +532,99 @@ +@@ -283,3 +531,99 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1503,8 +1530,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol java_domtrans_unconfined(rpm_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.6.32/policy/modules/admin/shorewall.fc --- nsaserefpolicy/policy/modules/admin/shorewall.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/shorewall.fc 2009-10-27 09:33:16.000000000 -0400 -@@ -4,8 +4,9 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/shorewall.fc 2009-12-01 10:18:24.000000000 -0500 +@@ -4,8 +4,12 @@ /etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) /etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) @@ -1515,6 +1542,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) +/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) ++ ++/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.6.32/policy/modules/admin/shorewall.if --- nsaserefpolicy/policy/modules/admin/shorewall.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/admin/shorewall.if 2009-10-27 09:33:58.000000000 -0400 
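Review bot: `/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)` carries no object-class field, so it applies to any object whose path begins with /var/log/shorewall, including a directory of that name and everything beneath it; that matches the `logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })` added to shorewall.te in this patch, but a comment such as `# shorewall and shorewall-lite logs, files or directories` would make the intent explicit for the next reader. The two `++` lines only append blank lines to the end of the file and can be dropped.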
@@ -1567,8 +1597,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.6.32/policy/modules/admin/shorewall.te --- nsaserefpolicy/policy/modules/admin/shorewall.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/shorewall.te 2009-09-30 16:12:48.000000000 -0400 -@@ -80,6 +80,8 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/shorewall.te 2009-12-01 10:18:37.000000000 -0500 +@@ -21,6 +21,9 @@ + type shorewall_lock_t; + files_lock_file(shorewall_lock_t) + ++type shorewall_log_t; ++logging_log_file(shorewall_log_t) ++ + # tmp files + type shorewall_tmp_t; + files_tmp_file(shorewall_tmp_t) +@@ -49,6 +52,10 @@ + manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) + files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) + ++manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) ++manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) ++logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) ++ + manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) + manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) + files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir }) +@@ -80,6 +87,8 @@ sysnet_domtrans_ifconfig(shorewall_t) 
@@ -5953,22 +6004,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-10-24 08:27:37.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-12-01 09:36:15.000000000 -0500 
@@ -1,4 +1,4 @@ - +c # # /bin # -@@ -54,6 +54,7 @@ - /etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0) - /etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0) +@@ -44,16 +44,19 @@ + /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) + /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) + ++/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) ++ + /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) + /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) + + /etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + +-/etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0) +-/etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0) +-/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0) +-/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0) ++/etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) -@@ -125,6 +126,7 @@ +@@ -125,6 +128,7 @@ /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) @@ -5976,7 +6043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /opt -@@ -135,13 +137,15 @@ +@@ -135,13 +139,15 @@ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) 
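Review bot: Changing the four cron entries from `/etc/cron.daily/.* --` to `/etc/cron.daily(/.*)?` labels the directory itself and every object type beneath it bin_t, where the old pattern only covered regular files; the cron.* directories stop being etc_t and anything a package drops there (a symlink, a subdirectory, a stray data file) is treated as executable content by the policy. If the intent is only to pick up scripts inside subdirectories, keeping the class field, `/etc/cron.daily(/.*)? -- gen_context(system_u:object_r:bin_t,s0)`, keeps the directories on their default label; if the directories are meant to be bin_t, a comment above the block saying why would record that. The same applies to the hourly, weekly and monthly entries in this hunk.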
@@ -5993,7 +6060,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -211,6 +215,8 @@ +@@ -211,6 +217,8 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) @@ -6002,7 +6069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -221,6 +227,9 @@ +@@ -221,6 +229,9 @@ /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) @@ -6012,7 +6079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -263,6 +272,7 @@ +@@ -263,6 +274,7 @@ /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -6020,7 +6087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) -@@ -315,3 +325,21 @@ +@@ -315,3 +327,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -6087,9 +6154,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') +Binary files nsaserefpolicy/policy/modules/kernel/corecommands.pp and serefpolicy-3.6.32/policy/modules/kernel/corecommands.pp differ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-11-25 13:14:27.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-12-01 09:06:22.000000000 -0500 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -6161,7 +6229,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -@@ -138,7 +148,7 @@ +@@ -138,21 +148,29 @@ network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) 
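Review bot: The added line `+Binary files nsaserefpolicy/policy/modules/kernel/corecommands.pp and serefpolicy-3.6.32/policy/modules/kernel/corecommands.pp differ` is diff output, not a change to the policy: it shows the tree the patch was regenerated against contained a compiled module. `patch` skips the line, but it is noise in every future refresh of policy-F12.patch and a sign that the built .pp is missing from the `--exclude-from=exclude` list used on the diff command line; adding a `*.pp` pattern there, or cleaning the tree before regenerating, keeps it out.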
@@ -6169,8 +6237,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) network_port(ntp, udp,123,s0) ++network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0) network_port(ocsp, tcp,9080,s0) -@@ -147,12 +157,19 @@ + network_port(openvpn, tcp,1194,s0, udp,1194,s0) + network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) @@ -6190,7 +6260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -171,29 +188,37 @@ +@@ -171,29 +189,37 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -6203,8 +6273,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) network_port(spamd, tcp,783,s0) network_port(speech, tcp,8036,s0) --network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp -+network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0, tcp,9000,s0) # snmp and htcp + network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp network_port(ssh, tcp,22,s0) +network_port(streaming, tcp, 1755, s0, udp, 1755, s0) type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict 
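Review bot: `network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)` reserves 3000 and 3001 for ntop_port_t, and 3000/tcp is also the default listener for a number of development web servers and dashboards, so any confined domain that binds or connects there now needs ntop port access instead of falling under the unreserved-port rules. That is a reasonable trade for a dedicated ntop policy, but the entry deserves a trailing comment like the squid line carries, naming what each port is for, and a check that the ntop module elsewhere in this patch uses the generated ntop port interfaces rather than the generic ones.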
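Review bot: This hunk silently drops `tcp,9000,s0` from the squid entry, reverting it to the reference-policy line, and the commit message does not mention squid at all. If port 9000 was moved to another type or was added by mistake, the message or a comment in the patch should say so; otherwise any domain that relied on `squid_port_t` for 9000 loses it with no trace of why in this change.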
@@ -6232,7 +6301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -222,6 +247,8 @@ +@@ -222,6 +248,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) @@ -6306,7 +6375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-11-25 12:42:35.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-11-30 14:35:16.000000000 -0500 @@ -1692,6 +1692,78 @@ ######################################## @@ -6474,7 +6543,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## dontaudit getattr raw memory devices (e.g. /dev/mem). ## ## -@@ -2046,6 +2192,78 @@ +@@ -1836,6 +1982,24 @@ + + ######################################## + ## ++## dontaudit getattr raw memory devices (e.g. /dev/mem). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_dontaudit_read_memory_dev',` ++ gen_require(` ++ type memory_device_t; ++ ') ++ ++ dontaudit $1 memory_device_t:chr_file read_chr_file_perms; ++') ++ ++######################################## ++## + ## Read raw memory devices (e.g. /dev/mem). + ## + ## +@@ -2046,6 +2210,78 @@ ######################################## ## @@ -6553,7 +6647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Get the attributes of the mouse devices. ## ## -@@ -2305,6 +2523,25 @@ +@@ -2305,6 +2541,25 @@ ######################################## ## 
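Review bot: The summary of the new `dev_dontaudit_read_memory_dev` interface says `dontaudit getattr raw memory devices (e.g. /dev/mem).`, copied from the interface above it, while its body is `dontaudit $1 memory_device_t:chr_file read_chr_file_perms;`. The doc line should read `## Do not audit attempts to read raw memory devices (e.g. /dev/mem).` so the generated interface docs and anyone searching for a read dontaudit find it. Because it silences read attempts on the memory_device_t nodes, which are normally worth seeing in the audit log, a sentence in the description that callers should use it only for known-harmless probes (its one caller in this patch is abrt_t) would help future reviewers.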
@@ -6579,7 +6673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to the null device (/dev/null). ## ## -@@ -3599,6 +3836,24 @@ +@@ -3599,6 +3854,24 @@ ######################################## ## @@ -6662,7 +6756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-11-23 17:52:24.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-11-30 15:50:22.000000000 -0500 @@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain @@ -6841,7 +6935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Unconfined access to domains. ## ## -@@ -1304,3 +1375,20 @@ +@@ -1304,3 +1375,39 @@ typeattribute $1 process_uncond_exempt; ') @@ -6862,6 +6956,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 unconfined_domain_type:process signal; +') ++ ++######################################## ++## ++## Do not audit attempts to read or write ++## all leaked sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`domain_dontaudit_leaks',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ dontaudit $1 domain:socket_class_set { read write }; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2009-11-13 11:32:04.000000000 -0500 
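Review bot: `dontaudit $1 domain:socket_class_set { read write };` in the new domain_dontaudit_leaks suppresses read and write denials on the sockets of every domain in the system, so a caller that really does misuse a socket it inherited will no longer show up in the audit log. The description says only leaked sockets, but the rule cannot tell a leak from a use; the doc should say so, e.g. `## Hides genuine socket misuse as well as leaks; intended for hide_broken_symptoms builds only.`, matching how abrt.te in this patch wraps the call in the hide_broken_symptoms ifdef. If the observed denials were on one socket class, naming that class instead of socket_class_set would keep the rest visible.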
@@ -7029,7 +7142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-11-24 10:10:59.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-12-01 10:00:54.000000000 -0500 @@ -110,6 +110,11 @@ ## # @@ -7575,7 +7688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-11-25 06:35:07.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-11-30 08:18:23.000000000 -0500 @@ -290,7 +290,7 @@ ######################################## @@ -7612,6 +7725,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount an automount pseudo filesystem. ## ## +@@ -886,7 +906,7 @@ + type cifs_t; + ') + +- dontaudit $1 cifs_t:file { read write }; ++ dontaudit $1 cifs_t:file rw_inherited_file_perms; + ') + + ######################################## @@ -1149,6 +1169,44 @@ domain_auto_transition_pattern($1, cifs_t, $2) ') 
@@ -7682,6 +7804,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search inotifyfs filesystem. ## ## +@@ -1971,7 +2047,7 @@ + type nfs_t; + ') + +- dontaudit $1 nfs_t:file rw_file_perms; ++ dontaudit $1 nfs_t:file rw_inherited_file_perms; + ') + + ######################################## @@ -1993,6 +2069,25 @@ read_lnk_files_pattern($1, nfs_t, nfs_t) ') @@ -8304,7 +8435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-11-23 11:44:39.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-11-30 16:16:36.000000000 -0500 @@ -196,7 +196,7 @@ dev_list_all_dev_nodes($1) @@ -8960,8 +9091,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if 2009-11-17 16:08:26.000000000 -0500 -@@ -0,0 +1,638 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if 2009-12-01 11:06:51.000000000 -0500 +@@ -0,0 +1,667 @@ +## Unconfiend user role + +######################################## @@ -9378,6 +9509,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Do not audit attempts to read or write ++## unconfined domain packet sockets. ++## ++## ++##

++## Do not audit attempts to read or write ++## unconfined domain packet sockets. ++##

++##

++## This interface was added due to a broken ++## symptom. ++##

++##
++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`unconfined_dontaudit_rw_packet_sockets',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:packet_socket { read write }; ++') ++ ++######################################## ++## +## Create keys for the unconfined domain. +## +## @@ -10469,7 +10629,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-24 10:11:37.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-30 17:31:37.000000000 -0500 @@ -33,12 +33,23 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10516,7 +10676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,18 +89,29 @@ +@@ -75,18 +89,30 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) @@ -10528,6 +10688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(abrt_t) +dev_rw_sysfs(abrt_t) ++dev_dontaudit_read_memory_dev(abrt_t) + +domain_read_all_domains_state(abrt_t) +domain_signull_all_domains(abrt_t) @@ -10546,7 +10707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(abrt_t) -@@ -96,22 +121,64 @@ +@@ -96,22 +122,75 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) 
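Review bot: The description of `unconfined_dontaudit_rw_packet_sockets` says it exists because of a broken symptom, yet nothing ties it to the hide_broken_symptoms build switch, so a caller can silence packet-socket read and write denials on unconfined_t descriptors in a normal build as well. Either the call sites should sit inside the hide_broken_symptoms ifdef, as abrt.te does in this patch for domain_dontaudit_leaks, or the description should name the application that leaks the socket so the dontaudit can be removed once it is fixed, e.g. `## Remove once the leaking application (fill in) closes its packet socket before exec.`.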
@@ -10562,15 +10723,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + nis_use_ypbind(abrt_t) +') ++ ++optional_policy(` ++ nsplugin_read_rw_files(abrt_t) ++ nsplugin_read_home(abrt_t) ++') optional_policy(` - dbus_connect_system_bus(abrt_t) - dbus_system_bus_client(abrt_t) -+ nsplugin_read_rw_files(abrt_t) -+ nsplugin_read_home(abrt_t) -+') -+ -+optional_policy(` + policykit_dbus_chat(abrt_t) + policykit_domtrans_auth(abrt_t) + policykit_read_lib(abrt_t) @@ -10605,7 +10766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# abrt--helper local policy +# + -+allow abrt_helper_t self:capability { setgid }; ++allow abrt_helper_t self:capability { chown setgid }; +read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t) + +manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) @@ -10613,10 +10774,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) + ++auth_use_nsswitch(abrt_helper_t) ++ +files_read_etc_files(abrt_helper_t) + +userdom_dontaudit_use_user_terminals(abrt_helper_t) + ++ifdef(`hide_broken_symptoms', ` ++ domain_dontaudit_leaks(abrt_helper_t) ++ userdom_dontaudit_read_user_home_content_files(abrt_helper_t) ++ userdom_dontaudit_read_user_tmp_files(abrt_helper_t) ++ optional_policy(` ++ rpm_dontaudit_leaks(abrt_helper_t) ++ ') ++') ++ +permissive abrt_helper_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.32/policy/modules/services/afs.fc --- nsaserefpolicy/policy/modules/services/afs.fc 2009-09-16 10:01:19.000000000 -0400 
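Review bot: `allow abrt_helper_t self:capability { chown setgid };` adds CAP_CHOWN with no comment on why a crash-dump helper needs to change file ownership; together with the manage rules on abrt_var_cache_t just below it lets the helper hand any dump directory to any uid. A one-line comment above the rule, along the lines of `# chown: dump dirs are created by the helper and handed to the crashing user -- confirm against the abrt source`, records the intent and makes it easy to drop the capability if abrt stops needing it. The abrt_helper_t block this rule sits in continues outside the hunk.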
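Review bot: The new hide_broken_symptoms block gives abrt_helper_t `domain_dontaudit_leaks`, `rpm_dontaudit_leaks` and dontaudits on user home and tmp files while the domain is still declared `permissive abrt_helper_t;` a few lines below. In permissive mode the audit log is the only record of what the helper actually touches, and these dontaudits remove exactly the entries needed to decide when the domain can be enforced, so the block should be exercised with hide_broken_symptoms off before `permissive` is dropped. A comment such as `# TODO: drop these dontaudits once abrt stops leaking descriptors into the helper` would keep the two in step.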
@@ -11025,7 +11197,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.if 2009-10-21 11:09:04.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/apache.if 2009-11-30 09:43:19.000000000 -0500 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -11631,7 +11803,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-11-23 11:24:47.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-12-01 10:01:09.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # 
@@ -11805,7 +11977,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -272,6 +332,7 @@ +@@ -249,6 +309,7 @@ + manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) + manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) + manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) ++files_var_filetrans(httpd_t, httpd_cache_t, dir) + + # Allow the httpd_t to read the web servers config files + allow httpd_t httpd_config_t:dir list_dir_perms; +@@ -272,6 +333,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -11813,7 +11993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -283,9 +344,9 @@ +@@ -283,9 +345,9 @@ allow httpd_t httpd_suexec_exec_t:file read_file_perms; @@ -11826,7 +12006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -301,6 +362,7 @@ +@@ -301,6 +363,7 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) 
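Review bot: `files_var_filetrans(httpd_t, httpd_cache_t, dir)` is not only a labeling rule: the filetrans pattern also grants httpd_t write access to directories labeled var_t, so the web server can now create directories directly under /var and in any var_t subtree, not just /var/cache/httpd, and each of them comes up as httpd_cache_t. If the goal is a caching module creating its own directory, a comment naming the path it creates, `# mod_cache creates its cache dir directly under /var/cache -- confirm`, plus a matching file_contexts entry would document the reason and let a narrower rule replace this one later. The httpd_t block starts outside this hunk.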
@@ -11834,7 +12014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) -@@ -312,16 +374,18 @@ +@@ -312,16 +375,18 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -11858,7 +12038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) -@@ -335,12 +399,11 @@ +@@ -335,12 +400,11 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -11873,7 +12053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(httpd_t) -@@ -356,8 +419,13 @@ +@@ -356,8 +420,13 @@ files_read_etc_files(httpd_t) # for tomcat files_read_var_lib_symlinks(httpd_t) @@ -11887,7 +12067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_read_lib_files(httpd_t) -@@ -372,18 +440,33 @@ +@@ -372,18 +441,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -11925,7 +12105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -391,32 +474,70 @@ +@@ -391,32 +475,70 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -12001,7 +12181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -424,11 +545,23 @@ +@@ -424,11 +546,23 @@ fs_read_nfs_symlinks(httpd_t) ') 
@@ -12025,7 +12205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -451,6 +584,14 @@ +@@ -451,6 +585,14 @@ ') optional_policy(` @@ -12040,7 +12220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(httpd_t, httpd_exec_t) ') -@@ -459,8 +600,13 @@ +@@ -459,8 +601,13 @@ ') optional_policy(` @@ -12056,7 +12236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -468,22 +614,19 @@ +@@ -468,22 +615,19 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) @@ -12082,7 +12262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -494,12 +637,23 @@ +@@ -494,12 +638,23 @@ ') optional_policy(` @@ -12106,7 +12286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -508,6 +662,7 @@ +@@ -508,6 +663,7 @@ ') optional_policy(` @@ -12114,7 +12294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +690,23 @@ +@@ -535,6 +691,23 @@ userdom_use_user_terminals(httpd_helper_t) @@ -12138,7 +12318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -564,20 +736,25 @@ +@@ -564,20 +737,25 @@ fs_search_auto_mountpoints(httpd_php_t) 
@@ -12170,7 +12350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -595,23 +772,24 @@ +@@ -595,23 +773,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -12199,7 +12379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -624,6 +802,7 @@ +@@ -624,6 +803,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -12207,7 +12387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -631,22 +810,31 @@ +@@ -631,22 +811,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) @@ -12246,7 +12426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,15 +860,14 @@ +@@ -672,15 +861,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -12265,7 +12445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +886,24 @@ +@@ -699,12 +887,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -12292,7 +12472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +911,35 @@ +@@ -712,6 +912,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') 
@@ -12328,7 +12508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +952,10 @@ +@@ -724,6 +953,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -12339,7 +12519,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +967,8 @@ +@@ -735,6 +968,8 @@ # httpd_rotatelogs local policy # @@ -12348,7 +12528,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,11 +988,88 @@ +@@ -754,11 +989,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -12514,7 +12694,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-11-23 13:38:23.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-12-01 10:13:03.000000000 -0500 @@ -34,6 +34,8 @@ type asterisk_var_run_t; files_pid_file(asterisk_var_run_t) 
@@ -12524,7 +12704,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local policy -@@ -97,6 +99,7 @@ +@@ -42,10 +44,11 @@ + # dac_override for /var/run/asterisk + allow asterisk_t self:capability { dac_override setgid setuid sys_nice }; + dontaudit asterisk_t self:capability sys_tty_config; +-allow asterisk_t self:process { setsched signal_perms }; ++allow asterisk_t self:process { setsched signal_perms getcap setcap }; + allow asterisk_t self:fifo_file rw_fifo_file_perms; + allow asterisk_t self:sem create_sem_perms; + allow asterisk_t self:shm create_shm_perms; ++allow asterisk_t self:unix_stream_socket connectto; + allow asterisk_t self:tcp_socket create_stream_socket_perms; + allow asterisk_t self:udp_socket create_socket_perms; + +@@ -84,6 +87,7 @@ + + corecmd_exec_bin(asterisk_t) + corecmd_search_bin(asterisk_t) ++corecmd_exec_shell(asterisk_t) + + corenet_all_recvfrom_unlabeled(asterisk_t) + corenet_all_recvfrom_netlabel(asterisk_t) +@@ -97,6 +101,7 @@ corenet_udp_bind_generic_node(asterisk_t) corenet_tcp_bind_asterisk_port(asterisk_t) corenet_udp_bind_asterisk_port(asterisk_t) @@ -12532,7 +12733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_asterisk_server_packets(asterisk_t) # for VOIP voice channels. corenet_tcp_bind_generic_port(asterisk_t) -@@ -107,6 +110,7 @@ +@@ -107,6 +112,7 @@ dev_read_sysfs(asterisk_t) dev_read_sound(asterisk_t) dev_write_sound(asterisk_t) 
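Review bot: `corecmd_exec_shell(asterisk_t)`, the `getcap setcap` additions to `allow asterisk_t self:process`, and `allow asterisk_t self:unix_stream_socket connectto;` are all added without a comment, in a domain that already holds `dac_override setgid setuid` (visible as context in the same hunk). A shell-exec grant on a network-facing VoIP daemon is the rule a reviewer will question first, so the why should be recorded next to it, e.g. `# dialplan applications spawn /bin/sh — TODO confirm from the AVC`, and likewise which component switches its own capabilities. The asterisk_t block continues past both ends of the hunk.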
@@ -12540,6 +12741,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(asterisk_t) +@@ -119,20 +125,16 @@ + fs_getattr_all_fs(asterisk_t) + fs_search_auto_mountpoints(asterisk_t) + ++auth_use_nsswitch(asterisk_t) ++ + logging_send_syslog_msg(asterisk_t) + + miscfiles_read_localization(asterisk_t) + +-sysnet_read_config(asterisk_t) +- + userdom_dontaudit_use_unpriv_user_fds(asterisk_t) + userdom_dontaudit_search_user_home_dirs(asterisk_t) + + optional_policy(` +- nis_use_ypbind(asterisk_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(asterisk_t) + ') + +@@ -140,7 +142,3 @@ + udev_read_db(asterisk_t) + ') + +-ifdef(`TODO',` +-allow initrc_t asterisk_var_run_t:fifo_file unlink; +-allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms }; +-') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.32/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/automount.te 2009-11-09 08:40:15.000000000 -0500 @@ -12561,7 +12793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.32/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/avahi.te 2009-11-18 16:50:59.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/avahi.te 2009-12-01 09:39:39.000000000 -0500 @@ -24,7 +24,7 @@ # Local policy # 
@@ -12579,6 +12811,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) +@@ -47,6 +48,9 @@ + kernel_read_proc_symlinks(avahi_t) + kernel_read_network_state(avahi_t) + ++corecmd_exec_bin(avahi_t) ++corecmd_exec_shell(avahi_t) ++ + corenet_all_recvfrom_unlabeled(avahi_t) + corenet_all_recvfrom_netlabel(avahi_t) + corenet_tcp_sendrecv_generic_if(avahi_t) +@@ -85,6 +89,10 @@ + miscfiles_read_localization(avahi_t) + miscfiles_read_certs(avahi_t) + ++sysnet_domtrans_ifconfig(avahi_t) ++sysnet_manage_config(avahi_t) ++sysnet_etc_filetrans_config(avahi_t) ++ + userdom_dontaudit_use_unpriv_user_fds(avahi_t) + userdom_dontaudit_search_user_home_dirs(avahi_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/bind.if 2009-09-30 16:12:48.000000000 -0400 @@ -13046,7 +13299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive chronyd_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.32/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/clamav.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/clamav.te 2009-11-30 10:01:32.000000000 -0500 @@ -117,9 +117,9 @@ logging_send_syslog_msg(clamd_t) 
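Review bot: `sysnet_manage_config(avahi_t)` and `sysnet_etc_filetrans_config(avahi_t)` in the second inner hunk grant create/write/delete on every net_conf_t file (which covers the other sysnet config files, e.g. /etc/hosts, not only the /etc/resolv.conf named in the commit message), and the same file section also adds `corecmd_exec_bin`, `corecmd_exec_shell` and `sysnet_domtrans_ifconfig` to a network-facing mDNS daemon. No interface narrower than the net_conf_t type is visible here, so at minimum a comment should tie the grants to the component that needs them, e.g. `# avahi-dnsconfd/autoipd action scripts rewrite resolv.conf and run ifconfig — TODO confirm`, so they can be split into their own domain later. The avahi_t rule set continues outside the hunk.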
@@ -13059,12 +13312,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_use_fds(clamd_t) cron_use_system_job_fds(clamd_t) -@@ -187,15 +187,13 @@ +@@ -187,15 +187,15 @@ files_read_etc_files(freshclam_t) files_read_etc_runtime_files(freshclam_t) -miscfiles_read_localization(freshclam_t) +auth_use_nsswitch(freshclam_t) ++ ++logging_send_syslog_msg(freshclam_t) -sysnet_dns_name_resolve(freshclam_t) +miscfiles_read_localization(freshclam_t) @@ -13078,7 +13333,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -247,5 +245,9 @@ +@@ -247,5 +247,9 @@ mta_send_mail(clamscan_t) optional_policy(` @@ -13385,7 +13640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-11-02 09:43:56.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-11-30 08:14:58.000000000 -0500 @@ -21,7 +21,7 @@ # consolekit local policy # @@ -14211,7 +14466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-11-25 15:24:32.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-12-01 09:24:30.000000000 -0500 
@@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -14338,7 +14593,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_read_db(cupsd_config_t) ') -@@ -542,6 +567,8 @@ +@@ -457,6 +482,10 @@ + udev_read_db(cupsd_config_t) + ') + ++optional_policy(` ++ unconfined_stream_connect(cupsd_config_t) ++') ++ + ######################################## + # + # Cups lpd support +@@ -542,6 +571,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) @@ -14347,7 +14613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,11 +583,15 @@ +@@ -556,11 +587,15 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -14363,7 +14629,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(cups_pdf_t) -@@ -601,6 +632,9 @@ +@@ -601,6 +636,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -14373,7 +14639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +661,7 @@ +@@ -627,6 +665,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) 
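Review bot: `unconfined_stream_connect(cupsd_config_t)` (inner hunk `@@ -457,6 +482,10 @@`) allows connectto on any unix stream socket owned by unconfined_t, about the widest peer type available, and the new optional_policy block does not say which service's socket cupsd_config_t is actually reaching. Add the peer so the rule has an exit path, e.g. `# <peer daemon — TODO confirm from the AVC> still runs unconfined; replace with its own stream_connect interface once it is confined`. The cupsd_config_t rules continue outside the hunk.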
@@ -14403,7 +14669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.32/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2009-11-24 18:22:22.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2009-11-30 16:07:08.000000000 -0500 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -14424,8 +14690,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; -@@ -91,7 +93,7 @@ - allow $3 $1_dbusd_t:process { sigkill signal }; +@@ -88,10 +90,10 @@ + files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) + + domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) +- allow $3 $1_dbusd_t:process { sigkill signal }; ++ allow $3 $1_dbusd_t:process { signull sigkill signal }; # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $3) @@ -16249,18 +16519,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg($1_milter_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.32/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2009-11-24 07:19:34.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2009-11-30 16:18:16.000000000 -0500 
@@ -16,7 +16,8 @@ # # ModemManager local policy # - -+allow modemmanager_t self:capability sys_admin; ++allow modemmanager_t self:capability { sys_admin sys_tty_config }; +allow modemmanager_t self:process signal; allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -24,6 +25,7 @@ +@@ -24,9 +25,11 @@ kernel_read_system_state(modemmanager_t) dev_read_sysfs(modemmanager_t) @@ -16268,6 +16538,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(modemmanager_t) ++term_use_generic_ptys(modemmanager_t) + term_use_unallocated_ttys(modemmanager_t) + + miscfiles_read_localization(modemmanager_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.32/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/mta.fc 2009-09-30 16:12:48.000000000 -0400 @@ -17443,7 +17717,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.32/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nscd.te 2009-10-14 10:11:11.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/nscd.te 2009-12-01 11:08:00.000000000 -0500 @@ -5,6 +5,13 @@ class nscd all_nscd_perms; ') 
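Review bot: the new `sys_tty_config` capability in the first hunk and `term_use_generic_ptys(modemmanager_t)` in the second (`@@ -24,9 +25,11 @@`) are uncommented, and generic pty access is wider than the modem ttys the daemon already reaches through `term_use_unallocated_ttys`. A one-line why-comment on each, e.g. `# <why ModemManager opens ptys — TODO confirm from the AVC>`, saves the next audit from rediscovering the denial that motivated them. Both modemmanager_t rule runs extend beyond their hunks.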
@@ -17466,7 +17740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(nscd_t) files_read_generic_tmp_symlinks(nscd_t) -@@ -128,3 +136,12 @@ +@@ -128,3 +136,16 @@ xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') @@ -17479,6 +17753,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') ++ ++optional_policy(` ++ unconfined_dontaudit_rw_packet_sockets(nscd_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.32/policy/modules/services/nslcd.if --- nsaserefpolicy/policy/modules/services/nslcd.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/nslcd.if 2009-09-30 16:12:48.000000000 -0400 
@@ -17502,6 +17780,65 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t) ') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.6.32/policy/modules/services/ntop.te +--- nsaserefpolicy/policy/modules/services/ntop.te 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/ntop.te 2009-11-30 09:46:30.000000000 -0500 +@@ -37,7 +37,9 @@ + allow ntop_t self:fifo_file rw_fifo_file_perms; + allow ntop_t self:tcp_socket create_stream_socket_perms; + allow ntop_t self:udp_socket create_socket_perms; ++allow ntop_t self:unix_dgram_socket create_socket_perms; + allow ntop_t self:packet_socket create_socket_perms; ++allow ntop_t self:socket create_socket_perms; + + allow ntop_t ntop_etc_t:dir list_dir_perms; + read_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t) +@@ -57,6 +59,8 @@ + manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t) + files_pid_filetrans(ntop_t, ntop_var_run_t, file) + ++kernel_request_load_module(ntop_t) ++kernel_read_system_state(ntop_t) + kernel_read_network_state(ntop_t) + kernel_read_kernel_sysctls(ntop_t) + kernel_list_proc(ntop_t) +@@ -72,12 +76,17 @@ + corenet_raw_sendrecv_generic_node(ntop_t) + corenet_tcp_sendrecv_all_ports(ntop_t) + corenet_udp_sendrecv_all_ports(ntop_t) ++corenet_tcp_bind_ntop_port(ntop_t) ++corenet_tcp_connect_ntop_port(ntop_t) ++corenet_tcp_connect_http_port(ntop_t) + + dev_read_sysfs(ntop_t) ++dev_rw_generic_usb_dev(ntop_t) + + domain_use_interactive_fds(ntop_t) + + files_read_etc_files(ntop_t) ++files_read_usr_files(ntop_t) + + fs_getattr_all_fs(ntop_t) + fs_search_auto_mountpoints(ntop_t) +@@ -85,6 +94,7 @@ + logging_send_syslog_msg(ntop_t) + + miscfiles_read_localization(ntop_t) ++miscfiles_read_fonts(ntop_t) + + sysnet_read_config(ntop_t) + +@@ -92,6 +102,10 @@ + userdom_dontaudit_search_user_home_dirs(ntop_t) + + 
optional_policy(` ++ apache_read_sys_content(ntop_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(ntop_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.32/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/ntp.if 2009-09-30 16:12:48.000000000 -0400 
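Review bot: `allow ntop_t self:socket create_socket_perms;` and `kernel_request_load_module(ntop_t)` in the first two inner hunks are the grants a reader cannot derive from what ntop does, and neither carries a comment. The generic `socket` class is what the kernel falls back to for address families without a dedicated class, so the comment should name the family taken from the denial, e.g. `# <family — TODO confirm from the AVC> socket; no dedicated object class yet`, and the module-load grant should name the module it triggers; `dev_rw_generic_usb_dev(ntop_t)` later in the hunk deserves the same treatment. The ntop_t rule set runs past both ends of the hunk.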
@@ -17870,17 +18207,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.32/policy/modules/services/nx.fc --- nsaserefpolicy/policy/modules/services/nx.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-11-23 10:16:36.000000000 -0500 -@@ -1,6 +1,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nx.fc 2009-12-01 10:43:41.000000000 -0500 +@@ -1,7 +1,12 @@ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -- +/opt/NX/home/nx(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) - /opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) + +-/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) +/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) +/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) /opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0) + /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) ++ ++/usr/NX/home/nx(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.6.32/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/nx.if 2009-11-20 10:16:31.000000000 -0500 
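Review bot: `+/var/lib/nxserver/home/.ssh(/.*)?` leaves the dot unescaped, so as a regex it also matches names such as `/var/lib/nxserver/home/Xssh` and labels them nx_server_home_ssh_t, while every other entry in the hunk (including the removed `/opt/NX/home/nx/\.ssh(/.*)?`) escapes it. Change the line to `/var/lib/nxserver/home/\.ssh(/.*)?  gen_context(system_u:object_r:nx_server_home_ssh_t,s0)`. The new `/usr/NX/home/nx(/.*)?` entry labels the whole home directory as home_ssh_t like the existing /opt/NX line does; if that breadth is intended a short comment would make it deliberate.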
@@ -18017,8 +18358,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(openvpn_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.6.32/policy/modules/services/pcscd.if --- nsaserefpolicy/policy/modules/services/pcscd.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/pcscd.if 2009-11-09 09:06:23.000000000 -0500 -@@ -53,6 +53,5 @@ ++++ serefpolicy-3.6.32/policy/modules/services/pcscd.if 2009-12-01 09:58:41.000000000 -0500 +@@ -39,6 +39,25 @@ + + ######################################## + ## ++## Manage pcscd pub files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pcscd_manage_pub_files',` ++ gen_require(` ++ type pcscd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t) ++') ++ ++######################################## ++## + ## Connect to pcscd over an unix stream socket. + ## + ## +@@ -53,6 +72,5 @@ ') files_search_pids($1) 
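Review bot: the new `pcscd_manage_pub_files` interface grants `manage_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)`, i.e. manage on every file of that type, which is wider than the "pub files" its name and summary promise if pcscd's pid file also carries pcscd_var_run_t (the commit message's own wording, "manage pcscd_var_run_t files", suggests it does). Either rename the interface after the type it actually covers or make the summary honest, e.g. `## Manage pcscd runtime (pcscd_var_run_t) files, including the pub file.`, so callers see the real breadth of the grant. The interface is complete within the hunk.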
@@ -18771,6 +19138,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.6.32/policy/modules/services/portreserve.te +--- nsaserefpolicy/policy/modules/services/portreserve.te 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/portreserve.te 2009-11-30 17:03:06.000000000 -0500 +@@ -21,6 +21,7 @@ + # Portreserve local policy + # + ++allow portreserve_t self:capability { dac_read_search dac_override }; + allow portreserve_t self:fifo_file rw_fifo_file_perms; + allow portreserve_t self:unix_stream_socket create_stream_socket_perms; + allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.32/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/postfix.fc 2009-09-30 16:12:48.000000000 -0400 @@ -23042,7 +23420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.32/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2009-11-18 09:37:50.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2009-12-01 09:49:38.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; 
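Review bot: `allow portreserve_t self:capability { dac_read_search dac_override };` grants both DAC-bypass capabilities with no comment. If the denial came from reading or traversing paths the daemon does not own, `dac_read_search` alone covers it and `dac_override` (which also bypasses write and execute checks) should be dropped; if a write really is needed, name the path the way asterisk does in the same patch (`# dac_override for /var/run/asterisk`). The portreserve_t block continues past the hunk.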
@@ -23179,7 +23557,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_getattr_all_fs($1_t) -@@ -234,21 +233,27 @@ +@@ -234,21 +233,28 @@ corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) @@ -23187,6 +23565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) ++ files_read_usr_files($1_t) + # Required for FreeNX + files_read_var_lib_symlinks($1_t) @@ -23209,7 +23588,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -257,15 +262,11 @@ +@@ -257,15 +263,11 @@ optional_policy(` kerberos_use($1_t) @@ -23227,7 +23606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -337,6 +338,7 @@ +@@ -337,6 +339,7 @@ allow ssh_t $3:unix_stream_socket connectto; # user can manage the keys and config @@ -23235,7 +23614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($3, home_ssh_t, home_ssh_t) manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t) manage_sock_files_pattern($3, home_ssh_t, home_ssh_t) -@@ -446,6 +448,24 @@ +@@ -446,6 +449,24 @@ ######################################## ## @@ -23260,7 +23639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read a ssh server unnamed pipe. ## ## -@@ -461,6 +481,23 @@ +@@ -461,6 +482,23 @@ allow $1 sshd_t:fifo_file { getattr read }; ') @@ -23284,7 +23663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## -@@ -603,3 +640,104 @@ +@@ -603,3 +641,104 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') 
@@ -23868,6 +24247,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) +/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.32/policy/modules/services/tor.te +--- nsaserefpolicy/policy/modules/services/tor.te 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/tor.te 2009-12-01 10:10:46.000000000 -0500 +@@ -89,6 +89,7 @@ + + files_read_etc_files(tor_t) + files_read_etc_runtime_files(tor_t) ++files_read_usr_files(tor_t) + + auth_use_nsswitch(tor_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.6.32/policy/modules/services/tuned.fc --- nsaserefpolicy/policy/modules/services/tuned.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/services/tuned.fc 2009-10-23 09:38:54.000000000 -0400 @@ -24822,8 +25212,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-11-20 10:11:50.000000000 -0500 -@@ -3,12 +3,19 @@ ++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-11-30 11:47:36.000000000 -0500 +@@ -3,12 +3,21 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) 
@@ -24831,19 +25221,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) +HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0) -+HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) ++HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) ++HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) ++/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) # # /dev # -@@ -32,11 +39,6 @@ +@@ -32,11 +41,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -24855,7 +25247,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /opt # -@@ -47,10 +49,10 @@ +@@ -47,10 +51,10 @@ # /tmp # @@ -24868,7 +25260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /tmp/\.X11-unix/.* -s <> # -@@ -61,7 +63,9 @@ +@@ -61,7 +65,9 @@ /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) 
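Review bot: as the collapsed hunk reads, `++HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)` is added directly below an identical context line, so the resulting xserver.fc carries the same specification twice; the old inner patch had the same duplicate (the removed `-+` line), so this commit preserves rather than fixes it. Identical duplicate specs do not change labelling, but libselinux's duplicate-spec check may report them when the contexts are loaded, so the added copy should simply be dropped. The new `\.serverauth` entries are consistent with the neighbouring xauth_home_t lines.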
@@ -24878,7 +25270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,17 +93,36 @@ +@@ -89,17 +95,36 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -24920,7 +25312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-11-10 16:23:46.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-11-30 08:19:30.000000000 -0500 @@ -74,6 +74,12 @@ domtrans_pattern($2, iceauth_exec_t, iceauth_t) @@ -25408,7 +25800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1248,6 +1407,278 @@ +@@ -1248,6 +1407,286 @@ ######################################## ## @@ -25526,7 +25918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type xdm_home_t; + ') + -+ allow $1 xdm_home_t:file rw_file_perms; ++ allow $1 xdm_home_t:file rw_inherited_file_perms; +') + +######################################## 
@@ -25544,7 +25936,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type xdm_home_t; + ') + -+ dontaudit $1 xdm_home_t:file rw_file_perms; ++ dontaudit $1 xdm_home_t:file rw_inherited_file_perms; ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_rw_nfs_files($1) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_rw_cifs_files($1) ++ ') +') + + @@ -25687,7 +26087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1261,7 +1692,103 @@ +@@ -1261,7 +1700,103 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; @@ -25696,7 +26096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1 xserver_unconfined_type; + typeattribute $1 x_domain; - ') ++') + +######################################## +## @@ -25749,7 +26149,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + class x_selection all_x_selection_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; -+') + ') + + # Type attributes + typeattribute $1 x_domain; @@ -25793,7 +26193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-11-25 06:21:15.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-01 10:33:36.000000000 -0500 @@ -34,6 +34,13 @@ ## 
@@ -25932,7 +26332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -250,25 +269,30 @@ +@@ -250,25 +269,32 @@ # Xauth local policy # @@ -25958,6 +26358,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - domain_use_interactive_fds(xauth_t) ++dev_rw_xserver_misc(xauth_t) ++ files_read_etc_files(xauth_t) files_search_pids(xauth_t) +files_dontaudit_getattr_all_dirs(xauth_t) @@ -25967,25 +26369,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -279,6 +303,11 @@ +@@ -278,6 +304,12 @@ + userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) - ++userdom_read_all_users_state(xauth_t) ++ +ifdef(`hide_broken_symptoms', ` + userdom_manage_user_home_content_files(xauth_t) + userdom_manage_user_tmp_files(xauth_t) +') -+ + xserver_rw_xdm_tmp_files(xauth_t) - tunable_policy(`use_nfs_home_dirs',` -@@ -289,6 +318,15 @@ +@@ -289,6 +321,16 @@ fs_manage_cifs_files(xauth_t) ') +ifdef(`hide_broken_symptoms', ` + term_dontaudit_use_unallocated_ttys(xauth_t) + dev_dontaudit_rw_dri(xauth_t) ++ dev_dontaudit_rw_generic_dev_nodes(xauth_t) +') + +optional_policy(` @@ -25995,7 +26399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -300,20 +338,31 @@ +@@ -300,20 +342,31 @@ # XDM Local policy # @@ -26030,7 +26434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,26 +374,43 @@ +@@ -325,26 +378,43 @@ # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) 
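Review bot: `dev_rw_xserver_misc(xauth_t)` in the inner hunk `@@ -25958,6 +26358,8 @@` grants xauth read/write on whatever device nodes that interface covers, with no comment saying which xauth operation needs it, while the other device-related additions for xauth on this line (`dev_dontaudit_rw_dri`, `dev_dontaudit_rw_generic_dev_nodes`) are placed under `hide_broken_symptoms` as dontaudits for leaked descriptors. If this denial has the same origin, a dontaudit counterpart of that interface inside the `hide_broken_symptoms` block (if dev.if provides one) would be the narrower fix; if xauth genuinely opens the device itself, a one-line comment such as `# xauth needs rw on X server device nodes: <reason>` should accompany the allow. The xauth local policy section continues outside this hunk.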
@@ -26081,7 +26485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +424,7 @@ +@@ -358,6 +428,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -26089,7 +26493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,10 +433,14 @@ +@@ -366,10 +437,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -26105,7 +26509,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -389,11 +460,13 @@ +@@ -389,11 +464,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -26119,7 +26523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +474,7 @@ +@@ -401,6 +478,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -26127,7 +26531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +487,17 @@ +@@ -413,14 +491,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) 
@@ -26147,7 +26551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +508,13 @@ +@@ -431,9 +512,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -26161,7 +26565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +523,7 @@ +@@ -442,6 +527,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -26169,7 +26573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +532,7 @@ +@@ -450,6 +536,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -26177,7 +26581,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +543,12 @@ +@@ -460,10 +547,12 @@ logging_read_generic_logs(xdm_t) @@ -26192,7 +26596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,6 +557,10 @@ +@@ -472,6 +561,10 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -26203,7 +26607,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,10 +593,12 @@ +@@ -504,10 +597,12 @@ optional_policy(` alsa_domtrans(xdm_t) 
@@ -26216,7 +26620,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +606,47 @@ +@@ -515,12 +610,47 @@ ') optional_policy(` @@ -26264,7 +26668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -535,6 +661,7 @@ +@@ -535,6 +665,7 @@ optional_policy(` # Do not audit attempts to check whether user root has email mta_dontaudit_getattr_spool_files(xdm_t) @@ -26272,7 +26676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -542,6 +669,38 @@ +@@ -542,6 +673,38 @@ ') optional_policy(` @@ -26311,7 +26715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +709,9 @@ +@@ -550,8 +713,9 @@ ') optional_policy(` @@ -26323,7 +26727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +720,6 @@ +@@ -560,7 +724,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -26331,7 +26735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +730,10 @@ +@@ -571,6 +734,10 @@ ') optional_policy(` @@ -26342,7 +26746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,10 +750,9 @@ +@@ -587,10 +754,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -26354,7 +26758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -602,9 +764,12 @@ +@@ -602,9 +768,12 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -26367,7 +26771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +781,14 @@ +@@ -616,13 +785,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -26383,7 +26787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +801,19 @@ +@@ -635,9 +805,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -26403,7 +26807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -671,7 +847,6 @@ +@@ -671,7 +851,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -26411,7 +26815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -681,9 +856,12 @@ +@@ -681,9 +860,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) 
@@ -26425,7 +26829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -698,8 +876,12 @@ +@@ -698,8 +880,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -26438,7 +26842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -721,6 +903,7 @@ +@@ -721,6 +907,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -26446,7 +26850,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -743,7 +926,7 @@ +@@ -743,7 +930,7 @@ ') ifdef(`enable_mls',` @@ -26455,7 +26859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -775,12 +958,20 @@ +@@ -775,12 +962,20 @@ ') optional_policy(` @@ -26477,7 +26881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -807,12 +998,12 @@ +@@ -807,12 +1002,12 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -26494,7 +26898,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read; -@@ -828,9 +1019,14 @@ +@@ -828,9 +1023,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -26509,7 +26913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -845,11 +1041,14 @@ +@@ -845,11 +1045,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -26525,7 +26929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -882,6 +1081,8 @@ +@@ -882,6 +1085,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -26534,7 +26938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -906,6 +1107,8 @@ +@@ -906,6 +1111,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -26543,7 +26947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -973,17 +1176,49 @@ +@@ -973,17 +1180,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -26641,14 +27045,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.32/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/application.te 2009-09-30 16:12:48.000000000 -0400 -@@ -7,7 +7,18 @@ ++++ serefpolicy-3.6.32/policy/modules/system/application.te 2009-12-01 07:59:06.000000000 -0500 +@@ -7,7 +7,19 @@ # Executables to be run by user attribute application_exec_type; +userdom_append_user_home_content_files(application_domain_type) +userdom_write_user_tmp_files(application_domain_type) +logging_rw_all_logs(application_domain_type) ++userdom_inherit_append_admin_home_files(application_domain_type) + +files_dontaudit_search_all_dirs(application_domain_type) + @@ -26691,7 +27096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-11-13 11:28:16.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-12-01 09:58:26.000000000 -0500 @@ -40,17 +40,76 @@ ## ## @@ -26845,7 +27250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, auth_cache_t, auth_cache_t) ') -@@ -305,19 +381,16 @@ +@@ -305,29 +381,49 @@ dev_read_rand($1) dev_read_urand($1) 
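Review bot: `userdom_inherit_append_admin_home_files(application_domain_type)` in this hunk is applied to every application domain with no comment recording what triggered it, and it sits next to already broad grants (`logging_rw_all_logs`, `userdom_write_user_tmp_files`) so a reader cannot tell that it is the bounded one. The interface, added in the userdomain.if hunk `@@ -34312,6 +34725,25 @@`, allows `{ getattr append }` without `open`, so only descriptors the application already inherited can be appended to; a comment above the call, `# append to inherited /root files only (interface omits open)`, would make that limit visible where the grant is made.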
@@ -26861,16 +27266,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - optional_policy(` - kerberos_use($1) -- ') -- -- optional_policy(` -- nis_use_ypbind($1) + kerberos_read_keytab($1) + kerberos_connect_524($1) ') optional_policy(` -@@ -328,6 +401,29 @@ +- nis_use_ypbind($1) +- ') +- +- optional_policy(` +- pcscd_read_pub_files($1) ++ pcscd_manage_pub_files($1) + pcscd_stream_connect($1) + ') + optional_policy(` samba_stream_connect_winbind($1) ') @@ -27116,7 +27525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /var diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-11-02 13:55:55.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-12-01 09:45:25.000000000 -0500 @@ -162,6 +162,7 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -28510,7 +28919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive kdump_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-11-25 06:13:58.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-11-30 17:12:15.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt 
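Review bot: Replacing `pcscd_read_pub_files($1)` with `pcscd_manage_pub_files($1)` in this hunk moves every caller of the enclosing interface from read to create/delete rights on pcscd's public runtime files, which is the broadest step available for what the changelog describes as letting login programs manage pcscd_var_run_t files. If the denial that prompted it was only a write or an unlink, a narrower pcscd interface (if pcscd.if provides one) would fit better; either way a comment naming the access, e.g. `# login programs need <access> on pcscd runtime files`, should go above the call so the grant is not widened again later. The enclosing interface definition starts outside the hunk.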
@@ -28607,7 +29016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) /usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -143,11 +159,8 @@ +@@ -143,14 +159,14 @@ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -28619,14 +29028,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,12 +181,13 @@ ++/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/cedega/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + ifdef(`distro_debian',` + /usr/lib32 -l gen_context(system_u:object_r:lib_t,s0) +@@ -168,12 +184,12 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php -/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.*/\.gstreamer-.*/plugins/*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +- +HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - +/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
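Review bot: `/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)*` in this hunk spells the directory with a lowercase `x`, while the other X11 entry on this page (`/usr/X11R6/lib/modules/dri/.+\.so` in the `@@ -28812,8 +29227,6 @@` hunk) uses `/usr/X11R6`; file-context regexes are case-sensitive, so unless a lowercase directory really exists the entry matches nothing and any `libglx.so` under that tree keeps the generic `lib_t` label. The lowercase form is copied from the line removed in that later hunk, so the typo is inherited rather than new, but moving the entry out of its block is the moment to correct it: `/usr/X11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. Note also that the two libglx entries now apply unconditionally instead of inside the block they were removed from (its opening line is outside the view), which the changelog entry 'Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22' does not mention.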
@@ -28635,7 +29050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -185,15 +199,10 @@ +@@ -185,15 +201,10 @@ /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -28652,7 +29067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -228,31 +237,17 @@ +@@ -228,31 +239,17 @@ /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -28688,7 +29103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -267,9 +262,10 @@ +@@ -267,9 +264,10 @@ /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -28701,7 +29116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -295,6 +291,8 @@ +@@ -295,6 +293,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -28710,7 +29125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +305,108 @@ +@@ -307,10 +307,106 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -28812,8 +29227,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +') +/opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + 
@@ -30843,7 +31256,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2009-12-01 09:38:51.000000000 -0500 @@ -43,6 +43,39 @@ sysnet_domtrans_dhcpc($1) @@ -32186,7 +32599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-25 12:24:26.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-01 07:56:40.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -33884,7 +34297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3396,619 @@ +@@ -3064,3 +3396,638 @@ allow $1 userdomain:dbus send_msg; ') @@ -34182,10 +34595,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`userdom_execmod_user_home_files',` + gen_require(` -+ type user_home_t; ++ attribute user_home_type; + ') + -+ allow $1 user_home_t:file execmod; ++ allow $1 user_home_type:file execmod; +') + +######################################## 
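Review bot: `allow $1 user_home_type:file execmod;` in the hunk `@@ -34182,10 +34595,10 @@` widens `userdom_execmod_user_home_files` from the single type `user_home_t` to every type carrying the `user_home_type` attribute, so any domain granted this interface may now apply text relocations to executable mappings of all user home content, which is the class of access the execmod check exists to contain. Which types carry the attribute is not visible here, and neither is the interface summary above the hunk; the summary should be updated to say that the grant covers all user home content types, and the rule deserves `# covers every user_home_type member, not only user_home_t` so the widening is explicit to callers.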
@@ -34312,6 +34725,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Append files inherited ++## in the /root directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_inherit_append_admin_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ allow $1 admin_home_t:file { getattr append }; ++') ++ ++######################################## ++## +## Send signull to unprivileged user domains. +## +## 
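Review bot: The new `userdom_inherit_append_admin_home_files` interface in this hunk allows `{ getattr append }` on `admin_home_t` files and relies on the absence of `open` to limit the access to descriptors the caller already holds, but neither the summary ('Append files inherited in the /root directory') nor the body says so. That silent dependency is what a later editor is most likely to undo by switching to `append_file_perms`; suggest `# deliberately no open: append only via inherited descriptors` above the allow, and a summary line reading 'Append to inherited /root files (no open permission)'.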
@@ -34980,17 +35412,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2009-09-30 16:12:48.000000000 -0400 -@@ -201,7 +201,7 @@ ++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2009-11-30 15:49:46.000000000 -0500 +@@ -181,7 +181,7 @@ + # + define(`getattr_dir_perms',`{ getattr }') + define(`setattr_dir_perms',`{ setattr }') +-define(`search_dir_perms',`{ getattr search }') ++define(`search_dir_perms',`{ getattr search open }') + define(`list_dir_perms',`{ getattr search open read lock ioctl }') + define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }') + define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }') +@@ -199,12 +199,14 @@ + # + define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') - define(`read_file_perms',`{ getattr open read lock ioctl }') +-define(`read_file_perms',`{ getattr open read lock ioctl }') ++define(`read_inherited_file_perms',`{ getattr read ioctl lock }') ++define(`read_file_perms',`{ open read_inherited_file_perms }') define(`mmap_file_perms',`{ getattr open read execute ioctl }') -define(`exec_file_perms',`{ getattr open read execute execute_no_trans }') +define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') define(`append_file_perms',`{ getattr open append lock ioctl }') define(`write_file_perms',`{ getattr open write append lock ioctl }') - define(`rw_file_perms',`{ getattr open read write append ioctl lock }') -@@ -225,7 +225,7 @@ +-define(`rw_file_perms',`{ getattr open read write append ioctl lock }') ++define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock 
}') ++define(`rw_file_perms',`{ open rw_inherited_file_perms }') + define(`create_file_perms',`{ getattr create open }') + define(`rename_file_perms',`{ getattr rename }') + define(`delete_file_perms',`{ getattr unlink }') +@@ -225,7 +227,7 @@ define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') @@ -34999,11 +35449,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') -@@ -312,3 +312,13 @@ +@@ -312,3 +314,19 @@ # define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }') + ++# ++# Keys ++# ++define(`manage_key_perms', `{ create link read search setattr view write } ') ++ ++# ++# All ++# +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } +') + 
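Review bot: `define(`search_dir_perms',`{ getattr search open }')` in the inner hunk `@@ -181,7 +181,7 @@` changes a permission set used by every directory-search interface in the policy, so each of those callers silently gains `open` on the directory; a change with that reach needs a comment above the define stating the denial it resolves, e.g. `# open: <observed denial> — search-only callers were denied opening a directory fd`. The new `read_inherited_file_perms` and `rw_inherited_file_perms` sets omit `open` and are composed into `read_file_perms`/`rw_file_perms`, and the xserver.if hunks at `@@ -25526,7 +25918,7 @@` and `@@ -25544,7 +25936,15 @@` already depend on that distinction; a one-line comment such as `# *_inherited_* sets: no open, for descriptors received from another domain` would keep it from being lost. The relocated `manage_key_perms` (old copy removed in the following `@@ -35011,8 +35469,6 @@` hunk) is unchanged and needs nothing.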
@@ -35011,8 +35469,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +define(`all_dbus_perms', `{ acquire_svc send_msg } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') -+ -+define(`manage_key_perms', `{ create link read search setattr view write } ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users --- nsaserefpolicy/policy/users 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/users 2009-09-30 16:12:48.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 2646cb3..6a8b615 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 51%{?dist} +Release: 52%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -445,6 +445,20 @@ exit 0 %endif %changelog +* Tue Dec 1 2009 Dan Walsh 3.6.32-52 +- Major fixup of ntop policy +- Fix label on /usr/lib/xorg/modules/extensions/libglx.so.195.22 +- Allow xdm to signal session bus +- Allow modemmanager to use generic ptys, and sys_tty_config capability +- Allow abrt_helper chown access, dontaudit leaks +- Allow logwatch to list cifs and nfs file systems +- Allow kismet to read network state +- Allow cupsd_config_t to connecto unconfined unix_stream +- Fix avahi labeling and allow avahi to manage /etc/resolv.conf +- Allow sshd to read usr_t files +- Allow login programs to manage pcscd_var_run_t files +- Allow tor to read usr_t files + * Wed Nov 25 2009 Dan Walsh 3.6.32-51 - Mark google shared libraries as requiring textrel_shlib - Allow svirt to bind/connect to network ports