diff --git a/policy-F12.patch b/policy-F12.patch index a09c8c7..472a355 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -600,6 +600,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow portage_fetch_t self:process signal; allow portage_fetch_t self:unix_stream_socket create_socket_perms; allow portage_fetch_t self:tcp_socket create_stream_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.32/policy/modules/admin/prelink.fc +--- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/admin/prelink.fc 2009-11-18 10:29:18.000000000 -0500 +@@ -1,3 +1,4 @@ ++/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) + + /etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.32/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/admin/prelink.if 2009-09-30 16:12:48.000000000 -0400 @@ -619,8 +627,57 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2009-10-28 08:45:40.000000000 -0400 -@@ -80,6 +80,7 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2009-11-18 10:29:18.000000000 -0500 +@@ -21,8 +21,23 @@ + type prelink_tmp_t; + files_tmp_file(prelink_tmp_t) + ++type prelink_tmpfs_t; ++files_tmpfs_file(prelink_tmpfs_t) ++ + type prelink_var_lib_t; +-files_tmp_file(prelink_var_lib_t) ++files_type(prelink_var_lib_t) ++ ++######################################## ++# ++# Prelink Cron system Declarations ++# ++ ++type prelink_cron_system_t; ++type prelink_cron_system_exec_t; ++domain_type(prelink_cron_system_t) ++domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t) ++ ++permissive prelink_cron_system_t; + + ######################################## + # +@@ -35,7 +50,6 @@ + + allow prelink_t prelink_cache_t:file manage_file_perms; + files_etc_filetrans(prelink_t, prelink_cache_t, file) +-files_var_lib_filetrans(prelink_t, prelink_cache_t, file) + + allow prelink_t prelink_log_t:dir setattr; + create_files_pattern(prelink_t, prelink_log_t, prelink_log_t) +@@ -45,10 +59,14 @@ + + allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; + files_tmp_filetrans(prelink_t, prelink_tmp_t, file) +-fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file) ++ ++allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod }; ++fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file) + + manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) + manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) ++relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) ++files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) + files_search_var_lib(prelink_t) + + # prelink misc objects that are not system +@@ -80,6 +98,7 @@ selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) @@ -628,7 +685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_manage_ld_so(prelink_t) libs_relabel_ld_so(prelink_t) libs_manage_shared_libs(prelink_t) -@@ -89,6 +90,7 @@ +@@ -89,6 +108,7 @@ miscfiles_read_localization(prelink_t) userdom_use_user_terminals(prelink_t) @@ -636,7 +693,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amanda_manage_lib(prelink_t) -@@ -99,5 +101,9 @@ +@@ -99,5 +119,53 @@ ') optional_policy(` @@ -646,6 +703,50 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` unconfined_domain(prelink_t) ') ++ ++######################################## ++# ++# Prelink Cron system Policy ++# ++ ++allow prelink_cron_system_t self:capability setuid; ++allow prelink_cron_system_t self:process setsched; ++allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; ++allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt }; ++ ++domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) ++ ++read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) ++ ++# This sucks: can it not just append? ++rw_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t) ++ ++write_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) ++ ++corecmd_exec_bin(prelink_cron_system_t) ++corecmd_exec_shell(prelink_cron_system_t) ++ ++files_read_etc_files(prelink_cron_system_t) ++ ++files_search_var_lib(prelink_cron_system_t) ++files_search_var_log(prelink_cron_system_t) ++ ++init_chat(prelink_cron_system_t) ++init_exec(prelink_cron_system_t) ++ ++kernel_read_system_state(prelink_cron_system_t) ++ ++libs_exec_ld_so(prelink_cron_system_t) ++ ++miscfiles_read_localization(prelink_cron_system_t) ++ ++optional_policy(` ++ cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) ++') ++ ++optional_policy(` ++ rpm_read_db(prelink_cron_system_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.32/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/admin/readahead.te 2009-09-30 16:12:48.000000000 -0400 @@ -711,7 +812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-16 10:51:46.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-18 16:19:22.000000000 -0500 @@ -13,11 +13,34 @@ interface(`rpm_domtrans',` gen_require(` @@ -759,7 +860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_run_loadpolicy(rpm_script_t, $2) seutil_run_semanage(rpm_script_t, $2) seutil_run_setfiles(rpm_script_t, $2) -@@ -146,6 +174,40 @@ +@@ -146,6 +174,41 @@ ######################################## ## @@ -793,6 +894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 rpm_tmp_t:file rw_file_perms; + dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; + dontaudit $1 rpm_tmpfs_t:file write_file_perms; ++ dontaudit $1 rpm_script_tmp_t:file write_file_perms; +') + +######################################## @@ -800,7 +902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## rpm over dbus. ## -@@ -167,6 +229,68 @@ +@@ -167,6 +230,68 @@ ######################################## ## @@ -869,7 +971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete the RPM log. ## ## -@@ -186,6 +310,24 @@ +@@ -186,6 +311,24 @@ ######################################## ## @@ -894,7 +996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Inherit and use file descriptors from RPM scripts. ## ## -@@ -219,7 +361,51 @@ +@@ -219,7 +362,51 @@ ') files_search_tmp($1) @@ -946,7 +1048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -241,6 +427,25 @@ +@@ -241,6 +428,25 @@ allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -972,7 +1074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -265,6 +470,48 @@ +@@ -265,6 +471,48 @@ ######################################## ## @@ -1021,7 +1123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to create, read, ## write, and delete the RPM package database. ## -@@ -283,3 +530,99 @@ +@@ -283,3 +531,99 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1976,8 +2078,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-11-09 18:12:49.000000000 -0500 -@@ -0,0 +1,72 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-11-18 08:12:16.000000000 -0500 +@@ -0,0 +1,74 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -2028,6 +2130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_rw_user_tmpfs_files(chrome_sandbox_t) +userdom_use_user_ptys(chrome_sandbox_t) +userdom_write_inherited_user_tmp_files(chrome_sandbox_t) ++userdom_dontaudit_use_user_terminals(chrome_sandbox_t) + +miscfiles_read_localization(chrome_sandbox_t) +miscfiles_read_fonts(chrome_sandbox_t) @@ -2043,6 +2146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_append_nfs_files(chrome_sandbox_t) + fs_dontaudit_read_nfs_files(chrome_sandbox_t) ++ fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t) +') + +tunable_policy(`use_samba_home_dirs',` @@ -2108,8 +2212,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-11-10 08:15:40.000000000 -0500 -@@ -0,0 +1,78 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-11-17 09:07:07.000000000 -0500 +@@ -0,0 +1,80 @@ +## execmem domain + +######################################## @@ -2173,8 +2277,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1_execmem_t self:process { execmem execstack }; + allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; -+ mozilla_execmod_user_home_files($1_execmem_t) -+ + domtrans_pattern($3, execmem_exec_t, $1_execmem_t) + + files_execmod_tmp($1_execmem_t) @@ -2184,6 +2286,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` ++ mozilla_execmod_user_home_files($1_execmem_t) ++ ') ++ ++ optional_policy(` + xserver_common_app($1_execmem_t) + xserver_role($2, $1_execmem_t) + ') @@ -2718,7 +2824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.32/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/java.fc 2009-10-02 08:53:58.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/java.fc 2009-11-18 10:20:59.000000000 -0500 @@ -2,15 +2,16 @@ # /opt # @@ -2739,7 +2845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -20,5 +21,12 @@ +@@ -20,5 +21,16 @@ /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) @@ -2754,6 +2860,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) ++ ++/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) ++ ++/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/apps/java.if 2009-10-23 09:22:39.000000000 -0400 @@ -4710,8 +4820,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No types are sandbox_exec_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-10-21 07:38:35.000000000 -0400 -@@ -0,0 +1,184 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-11-18 16:21:09.000000000 -0500 +@@ -0,0 +1,187 @@ + +## policy for sandbox + @@ -4751,6 +4861,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types sandbox_x_domain; + role $2 types sandbox_xserver_t; + allow $1 sandbox_xserver_t:process signal_perms; ++ dontaudit sandbox_xserver_t $1:fifo_file rw_fifo_file_perms; ++ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; ++ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; + + allow sandbox_x_domain $1:process { sigchld signal }; + allow sandbox_x_domain sandbox_x_domain:process signal; @@ -5403,6 +5516,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + +Binary files nsaserefpolicy/policy/modules/apps/selinux-policy-3.6.32-41.fc12.noarch.rpm and serefpolicy-3.6.32/policy/modules/apps/selinux-policy-3.6.32-41.fc12.noarch.rpm differ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.fc serefpolicy-3.6.32/policy/modules/apps/seunshare.fc --- nsaserefpolicy/policy/modules/apps/seunshare.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/apps/seunshare.fc 2009-09-30 16:12:48.000000000 -0400 @@ -6457,7 +6571,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-10-27 11:08:41.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-11-18 09:37:10.000000000 -0500 @@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain @@ -6824,7 +6938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-11-09 16:26:24.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-11-18 10:29:18.000000000 -0500 @@ -110,6 +110,11 @@ ## # @@ -7082,7 +7196,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search the /var/lib directory. ## ## -@@ -4955,7 +5111,7 @@ +@@ -4288,6 +4444,24 @@ + read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) + ') + ++######################################## ++## ++## Search the /var/log directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_var_log',` ++ gen_require(` ++ type var_t, var_log_t; ++ ') ++ ++ search_dirs_pattern($1, var_t, var_log_t) ++') ++ + # cjp: the next two interfaces really need to be fixed + # in some way. They really neeed their own types. + +@@ -4955,7 +5129,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting @@ -7091,7 +7230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4977,12 +5133,15 @@ +@@ -4977,12 +5151,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -7108,7 +7247,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -5003,3 +5162,173 @@ +@@ -5003,3 +5180,173 @@ typeattribute $1 files_unconfined_type; ') @@ -7320,7 +7459,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-11-16 10:42:35.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-11-18 07:49:22.000000000 -0500 @@ -290,7 +290,7 @@ ######################################## @@ -7427,7 +7566,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search inotifyfs filesystem. ## ## -@@ -2542,6 +2618,42 @@ +@@ -1993,6 +2069,25 @@ + read_lnk_files_pattern($1, nfs_t, nfs_t) + ') + ++######################################## ++## ++## Dontaudit read symbolic links on a NFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_read_nfs_symlinks',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, nfs_t, nfs_t) ++') ++ + ######################################### + ## + ## Read named sockets on a NFS filesystem. +@@ -2542,6 +2637,42 @@ ######################################## ## @@ -7470,7 +7635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write NFS server files. ## ## -@@ -3971,3 +4083,122 @@ +@@ -3971,3 +4102,122 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -7656,7 +7821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Rules for all filesystem types diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.32/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2009-11-09 11:35:02.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if 2009-11-18 17:03:54.000000000 -0500 @@ -485,6 +485,25 @@ ######################################## @@ -8619,7 +8784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if 2009-10-02 10:23:36.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if 2009-11-17 16:08:26.000000000 -0500 @@ -0,0 +1,638 @@ +## Unconfiend user role + @@ -9261,8 +9426,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-11-16 10:01:02.000000000 -0500 -@@ -0,0 +1,429 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-11-18 16:33:39.000000000 -0500 +@@ -0,0 +1,426 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -9379,12 +9544,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + attribute unconfined_usertype; + ') + ++ optional_policy(` ++ abrt_dbus_chat(unconfined_usertype) ++ abrt_run_helper(unconfined_usertype, unconfined_r) ++ ') ++ + nsplugin_role_notrans(unconfined_r, unconfined_usertype) + tunable_policy(`allow_unconfined_nsplugin_transition',` -+ nsplugin_domtrans(unconfined_execmem_t) -+ nsplugin_domtrans_config(unconfined_execmem_t) -+ nsplugin_domtrans(unconfined_t) -+ nsplugin_domtrans_config(unconfined_t) ++ nsplugin_domtrans(unconfined_usertype) ++ nsplugin_domtrans_config(unconfined_usertype) ++ ') ++ ++ optional_policy(` ++ rtkit_daemon_system_domain(unconfined_usertype) ++ ') ++ ++ userdom_execmod_user_home_files(unconfined_usertype) ++ ++ optional_policy(` ++ sandbox_transition(unconfined_usertype, unconfined_r) ++ ') ++ ++ optional_policy(` ++ avahi_dbus_chat(unconfined_usertype) ++ ') ++ ++ optional_policy(` ++ hal_dbus_chat(unconfined_usertype) + ') +') + @@ -9423,10 +9609,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dbus_stub(unconfined_t) + + optional_policy(` -+ avahi_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` + bluetooth_dbus_chat(unconfined_t) + ') + @@ -9554,11 +9736,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ rtkit_daemon_system_domain(unconfined_t) -+ rtkit_daemon_system_domain(unconfined_execmem_t) -+') -+ -+optional_policy(` + samba_role_notrans(unconfined_r) + samba_run_unconfined_net(unconfined_t, unconfined_r) + samba_run_winbind_helper(unconfined_t, unconfined_r) @@ -9566,10 +9743,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ sandbox_transition(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + sendmail_run_unconfined(unconfined_t, unconfined_r) +') + @@ -9610,29 +9783,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Unconfined Execmem Local policy +# + -+execmem_role_template(unconfined, unconfined_r, unconfined_t) -+typealias unconfined_execmem_t alias execmem_t; -+unconfined_domain_noaudit(unconfined_execmem_t) -+allow unconfined_execmem_t unconfined_t:process transition; -+rpm_transition_script(unconfined_execmem_t) -+ +optional_policy(` -+ sandbox_transition(unconfined_execmem_t, unconfined_r) -+') ++ execmem_role_template(unconfined, unconfined_r, unconfined_t) ++ typealias unconfined_execmem_t alias execmem_t; ++ unconfined_domain_noaudit(unconfined_execmem_t) ++ allow unconfined_execmem_t unconfined_t:process transition; ++ rpm_transition_script(unconfined_execmem_t) + -+optional_policy(` -+ init_dbus_chat_script(unconfined_execmem_t) -+ dbus_system_bus_client(unconfined_execmem_t) -+ unconfined_dbus_chat(unconfined_execmem_t) -+ unconfined_dbus_connect(unconfined_execmem_t) -+') ++ optional_policy(` ++ init_dbus_chat_script(unconfined_execmem_t) ++ dbus_system_bus_client(unconfined_execmem_t) ++ unconfined_dbus_chat(unconfined_execmem_t) ++ unconfined_dbus_connect(unconfined_execmem_t) ++ ') + -+optional_policy(` -+ avahi_dbus_chat(unconfined_execmem_t) -+') ++ optional_policy(` ++ gen_require(` ++ type mplayer_exec_t; ++ type unconfined_execmem_t; ++ ') ++ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) ++ ') + -+optional_policy(` -+ hal_dbus_chat(unconfined_execmem_t) ++ optional_policy(` ++ tunable_policy(`allow_unconfined_nsplugin_transition',`', ` ++ gen_require(` ++ type mozilla_exec_t; ++ type unconfined_execmem_t; ++ type nsplugin_exec_t; ++ ') ++ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) ++ domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t) ++ ') ++ ') ++ ++ optional_policy(` ++ gen_require(` ++ type openoffice_exec_t; ++ type unconfined_execmem_t; ++ ') ++ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) ++ ') +') + +######################################## @@ -9655,35 +9846,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rtkit_daemon_system_domain(unconfined_notrans_t) +') + -+ -+optional_policy(` -+ gen_require(` -+ type mplayer_exec_t; -+ type unconfined_execmem_t; -+ ') -+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) -+') -+ -+optional_policy(` -+tunable_policy(`allow_unconfined_nsplugin_transition',`', ` -+ gen_require(` -+ type mozilla_exec_t; -+ type unconfined_execmem_t; -+ type nsplugin_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) -+ domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t) -+') -+') -+ -+optional_policy(` -+ gen_require(` -+ type openoffice_exec_t; -+ type unconfined_execmem_t; -+ ') -+ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) -+') -+ +######################################## +# +# Unconfined mount local policy @@ -10071,7 +10233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-16 10:52:29.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-18 16:55:47.000000000 -0500 @@ -33,12 +33,23 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10144,7 +10306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(abrt_t) -@@ -96,22 +118,59 @@ +@@ -96,22 +118,60 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10209,8 +10371,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +files_read_etc_files(abrt_helper_t) + -+permissive abrt_helper_t; ++userdom_dontaudit_use_user_terminals(abrt_helper_t) + ++permissive abrt_helper_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.32/policy/modules/services/afs.fc --- nsaserefpolicy/policy/modules/services/afs.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/afs.fc 2009-09-30 16:12:48.000000000 -0400 @@ -10498,13 +10661,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-11-10 14:50:41.000000000 -0500 -@@ -1,12 +1,15 @@ ++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-11-18 10:24:30.000000000 -0500 +@@ -1,12 +1,16 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0) -/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0) @@ -10518,7 +10682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -21,10 +24,13 @@ +@@ -21,10 +25,13 @@ /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) @@ -10532,7 +10696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -32,12 +38,19 @@ +@@ -32,12 +39,19 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') @@ -10552,7 +10716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -46,7 +59,9 @@ +@@ -46,7 +60,9 @@ /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -10562,7 +10726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -50,13 +65,17 @@ +@@ -50,13 +66,17 @@ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -10580,7 +10744,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ') -@@ -64,11 +83,33 @@ +@@ -64,11 +84,33 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -12031,7 +12195,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.32/policy/modules/services/apm.te --- nsaserefpolicy/policy/modules/services/apm.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apm.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/apm.te 2009-11-17 16:28:45.000000000 -0500 @@ -60,7 +60,7 @@ # mknod: controlling an orderly resume of PCMCIA requires creating device # nodes 254,{0,1,2} for some reason. @@ -12041,6 +12205,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:unix_dgram_socket create_socket_perms; +@@ -223,6 +223,10 @@ + unconfined_domain(apmd_t) + ') + ++optional_policy(` ++ vbetool_domtrans(apmd_t) ++') ++ + # cjp: related to sleep/resume (?) + optional_policy(` + xserver_domtrans(apmd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.6.32/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/asterisk.if 2009-11-09 12:03:06.000000000 -0500 @@ -12112,7 +12287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.32/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/avahi.te 2009-10-24 08:21:35.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/avahi.te 2009-11-18 16:50:59.000000000 -0500 @@ -24,7 +24,7 @@ # Local policy # @@ -12122,6 +12297,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit avahi_t self:capability sys_tty_config; allow avahi_t self:process { setrlimit signal_perms getcap setcap }; allow avahi_t self:fifo_file rw_fifo_file_perms; +@@ -32,6 +32,7 @@ + allow avahi_t self:unix_dgram_socket create_socket_perms; + allow avahi_t self:tcp_socket create_stream_socket_perms; + allow avahi_t self:udp_socket create_socket_perms; ++allow avahi_t self:packet_socket create_socket_perms; + + manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) + manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/bind.if 2009-09-30 16:12:48.000000000 -0400 @@ -14549,12 +14732,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.32/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/fetchmail.te 2009-09-30 16:12:48.000000000 -0400 -@@ -47,6 +47,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/fetchmail.te 2009-11-18 08:45:31.000000000 -0500 +@@ -47,6 +47,9 @@ kernel_read_proc_symlinks(fetchmail_t) kernel_dontaudit_read_system_state(fetchmail_t) +corecmd_exec_shell(fetchmail_t) ++corecmd_exec_bin(fetchmail_t) + corenet_all_recvfrom_unlabeled(fetchmail_t) corenet_all_recvfrom_netlabel(fetchmail_t) @@ -15811,7 +15995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mta.if 2009-11-04 07:56:06.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/mta.if 2009-11-17 09:10:05.000000000 -0500 @@ -69,6 +69,7 @@ can_exec($1_mail_t, sendmail_exec_t) allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms; @@ -15845,16 +16029,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -376,7 +381,7 @@ +@@ -376,7 +381,8 @@ allow mta_user_agent $1:fd use; allow mta_user_agent $1:process sigchld; - allow mta_user_agent $1:fifo_file { read write }; + allow mta_user_agent $1:fifo_file rw_fifo_file_perms; ++ ') ######################################## -@@ -470,7 +475,8 @@ +@@ -470,7 +476,8 @@ type etc_mail_t; ') @@ -15864,7 +16049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -694,7 +700,7 @@ +@@ -694,7 +701,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -15997,12 +16182,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-11-02 09:22:10.000000000 -0500 -@@ -136,7 +136,12 @@ ++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-11-18 16:52:05.000000000 -0500 +@@ -136,10 +136,17 @@ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) -+allow mysqld_safe_t mysqld_var_run_t:sock_file unlink; ++read_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) ++delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) + allow mysqld_safe_t mysqld_log_t:file manage_file_perms; + @@ -16011,7 +16197,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) kernel_read_system_state(mysqld_safe_t) -@@ -152,7 +157,7 @@ ++kernel_read_kernel_sysctls(mysqld_safe_t) + + dev_list_sysfs(mysqld_safe_t) + +@@ -152,7 +159,7 @@ miscfiles_read_localization(mysqld_safe_t) @@ -16174,7 +16364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-10-23 09:18:37.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-11-18 16:57:21.000000000 -0500 @@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) @@ -16304,7 +16494,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -192,6 +204,8 @@ +@@ -183,15 +195,19 @@ + dev_read_urand(nrpe_t) + + domain_use_interactive_fds(nrpe_t) ++domain_read_all_domains_state(nrpe_t) + + files_read_etc_runtime_files(nrpe_t) + ++fs_getattr_all_fs(nrpe_t) + fs_search_auto_mountpoints(nrpe_t) + + logging_send_syslog_msg(nrpe_t) miscfiles_read_localization(nrpe_t) @@ -16315,8 +16516,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.32/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc 2009-09-30 16:12:48.000000000 -0400 -@@ -1,12 +1,26 @@ ++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc 2009-11-17 08:38:54.000000000 -0500 +@@ -1,12 +1,27 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -16331,8 +16532,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + +/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) -+/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) @@ -22417,7 +22619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.32/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2009-10-08 09:12:21.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2009-11-18 09:37:50.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -22546,15 +22748,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) - corenet_sendrecv_ssh_server_packets($1_t) -+ # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) ++ # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) fs_dontaudit_getattr_all_fs($1_t) -@@ -237,18 +236,23 @@ +@@ -234,21 +233,27 @@ + corecmd_getattr_bin_files($1_t) + + domain_interactive_fd($1_t) ++ domain_dyntrans_type($1_t) files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) @@ -22580,7 +22786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -257,15 +261,11 @@ +@@ -257,15 +262,11 @@ optional_policy(` kerberos_use($1_t) @@ -22598,7 +22804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -337,6 +337,7 @@ +@@ -337,6 +338,7 @@ allow ssh_t $3:unix_stream_socket connectto; # user can manage the keys and config @@ -22606,7 +22812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($3, home_ssh_t, home_ssh_t) manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t) manage_sock_files_pattern($3, home_ssh_t, home_ssh_t) -@@ -446,6 +447,24 @@ +@@ -446,6 +448,24 @@ ######################################## ## @@ -22631,7 +22837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read a ssh server unnamed pipe. ## ## -@@ -461,6 +480,23 @@ +@@ -461,6 +481,23 @@ allow $1 sshd_t:fifo_file { getattr read }; ') @@ -22655,7 +22861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## -@@ -603,3 +639,83 @@ +@@ -603,3 +640,104 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -22720,6 +22926,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_search_user_home_dirs($1) +') + ++###################################### ++## ++## Manage ssh home directory content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_manage_user_home_files',` ++ gen_require(` ++ type home_ssh_t; ++ ') ++ ++ allow $1 home_ssh_t:dir list_dir_perms; ++ manage_dirs_pattern($1, home_ssh_t, home_ssh_t) ++ manage_files_pattern($1, home_ssh_t, home_ssh_t) ++ userdom_search_user_home_dirs($1) ++') ++ +######################################## +## +## Set the attributes of sshd key files. @@ -22741,18 +22968,54 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-10-08 09:12:07.000000000 -0400 -@@ -41,6 +41,9 @@ ++++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-11-18 09:27:42.000000000 -0500 +@@ -8,6 +8,31 @@ + + ## + ##

++## Allow sftp to upload files, used for public file ++## transfer services. Directories must be labeled ++## public_content_rw_t. ++##

++## ++gen_tunable(allow_sftpd_anon_write, false) ++ ++## ++##

++## Allow sftp to login to local users and ++## read/write all files on the system, governed by DAC. ++##

++## ++gen_tunable(allow_sftpd_full_access, false) ++ ++## ++##

++## Allow interlnal-sftp to read and write files ++## in the user ssh home directories. ++##

++## ++gen_tunable(sftpd_ssh_home_dir, false) ++ ++## ++##

+ ## allow host key based authentication + ##

+ ## +@@ -41,6 +66,13 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) +type sshd_tmpfs_t; +files_tmpfs_file(sshd_tmpfs_t) + ++type sftpd_t; ++domain_type(sftpd_t) ++role system_r types sftpd_t; ++ ifdef(`enable_mcs',` init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) ') -@@ -75,7 +78,7 @@ +@@ -75,7 +107,7 @@ ubac_constrained(ssh_tmpfs_t) type home_ssh_t; @@ -22761,7 +23024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; files_type(home_ssh_t) userdom_user_home_content(home_ssh_t) -@@ -95,8 +98,7 @@ +@@ -95,8 +127,7 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; @@ -22771,7 +23034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Read the ssh key file. allow ssh_t sshd_key_t:file read_file_perms; -@@ -115,6 +117,7 @@ +@@ -115,6 +146,7 @@ manage_dirs_pattern(ssh_t, home_ssh_t, home_ssh_t) manage_sock_files_pattern(ssh_t, home_ssh_t, home_ssh_t) userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file }) @@ -22779,7 +23042,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -126,11 +129,13 @@ +@@ -126,11 +158,13 @@ read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t) # ssh servers can read the user keys and config @@ -22796,7 +23059,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(ssh_t) corenet_all_recvfrom_netlabel(ssh_t) -@@ -139,6 +144,8 @@ +@@ -139,6 +173,8 @@ corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -22805,7 +23068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(ssh_t) -@@ -160,19 +167,19 @@ +@@ -160,19 +196,19 @@ logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) @@ -22828,7 +23091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -194,23 +201,13 @@ +@@ -194,23 +230,13 @@ # for port forwarding tunable_policy(`user_tcp_server',` corenet_tcp_bind_ssh_port(ssh_t) @@ -22854,7 +23117,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -310,16 +307,34 @@ +@@ -294,6 +320,8 @@ + allow sshd_t self:netlink_route_socket r_netlink_socket_perms; + allow sshd_t self:key { search link write }; + ++allow sshd_t self:process setcurrent; ++ + manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) + manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) + manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) +@@ -310,16 +338,34 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) @@ -22891,7 +23163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -331,6 +346,10 @@ +@@ -331,6 +377,10 @@ ') optional_policy(` @@ -22902,7 +23174,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_use_script_fds(sshd_t) ') -@@ -341,7 +360,11 @@ +@@ -341,7 +391,11 @@ ') optional_policy(` @@ -22915,7 +23187,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') -@@ -400,15 +423,13 @@ +@@ -400,18 +454,63 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) @@ -22933,6 +23205,56 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(ssh_keygen_t) ') + optional_policy(` + udev_read_db(ssh_keygen_t) + ') ++ ++####################################### ++# ++# sftp Local policy ++# ++ ++allow ssh_server sftpd_t:process dyntransition; ++ ++ssh_sigchld(sftpd_t) ++ ++files_read_all_files(sftpd_t) ++files_read_all_symlinks(sftpd_t) ++ ++fs_read_noxattr_fs_files(sftpd_t) ++fs_read_nfs_files(sftpd_t) ++fs_read_cifs_files(sftpd_t) ++ ++# allow access to /home by default ++userdom_manage_user_home_content_dirs(sftpd_t) ++userdom_manage_user_home_content_files(sftpd_t) ++userdom_manage_user_home_content_symlinks(sftpd_t) ++ ++userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) ++ ++tunable_policy(`allow_sftpd_anon_write',` ++ miscfiles_manage_public_files(sftpd_t) ++') ++ ++tunable_policy(`allow_sftpd_full_access',` ++ allow sftpd_t self:capability { dac_override dac_read_search }; ++ fs_read_noxattr_fs_files(sftpd_t) ++ auth_manage_all_files_except_shadow(sftpd_t) ++') ++ ++tunable_policy(`sftpd_ssh_home_dir',` ++ ssh_manage_user_home_files(sftpd_t) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(sftpd_t) ++ fs_manage_nfs_files(sftpd_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(sftpd_t) ++ fs_manage_cifs_files(sftpd_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/sssd.fc 2009-10-21 10:05:54.000000000 -0400 @@ -23333,8 +23655,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.32/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/uucp.te 2009-09-30 16:12:48.000000000 -0400 -@@ -95,6 +95,8 @@ ++++ serefpolicy-3.6.32/policy/modules/services/uucp.te 2009-11-17 09:09:36.000000000 -0500 +@@ -90,17 +90,26 @@ + fs_getattr_xattr_fs(uucpd_t) + + corecmd_exec_bin(uucpd_t) ++corecmd_exec_shell(uucpd_t) + + files_read_etc_files(uucpd_t) files_search_home(uucpd_t) files_search_spool(uucpd_t) @@ -23343,18 +23671,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(uucpd_t) logging_send_syslog_msg(uucpd_t) -@@ -102,6 +104,10 @@ + miscfiles_read_localization(uucpd_t) - optional_policy(` ++mta_send_mail(uucpd_t) ++ ++optional_policy(` + cron_system_entry(uucpd_t, uucpd_exec_t) +') + -+optional_policy(` + optional_policy(` kerberos_use(uucpd_t) ') - -@@ -129,6 +135,7 @@ +@@ -129,6 +138,7 @@ optional_policy(` mta_send_mail(uux_t) mta_read_queue(uux_t) @@ -27194,7 +27523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-11-13 08:03:49.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-11-18 16:16:31.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # @@ -27378,7 +27707,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Setkey local policy -@@ -347,6 +396,7 @@ +@@ -341,12 +390,15 @@ + read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) + read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) + ++kernel_request_load_module(setkey_t) ++ + # allow setkey utility to set contexts on SA's and policy + domain_ipsec_setcontext_all_domains(setkey_t) + files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) @@ -27684,7 +28021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive kdump_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-11-12 08:52:03.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-11-18 16:59:43.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -27734,7 +28071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -115,27 +120,37 @@ +@@ -115,27 +120,38 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27745,6 +28082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27780,7 +28118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) /usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -143,11 +158,8 @@ +@@ -143,11 +159,8 @@ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27792,7 +28130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,12 +180,12 @@ +@@ -168,12 +181,12 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php @@ -27807,7 +28145,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -185,15 +197,10 @@ +@@ -185,15 +198,10 @@ /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27824,7 +28162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -228,31 +235,17 @@ +@@ -228,31 +236,17 @@ /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27860,7 +28198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -268,8 +261,8 @@ +@@ -268,8 +262,8 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27871,7 +28209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -295,6 +288,8 @@ +@@ -295,6 +289,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27880,7 +28218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +302,102 @@ +@@ -307,10 +303,101 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -27982,7 +28320,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +') -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-10-20 14:41:55.000000000 -0400 @@ -31376,7 +31713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-16 11:06:46.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-18 17:04:34.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -32294,7 +32631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol loadkeys_run($1_t,$1_r) ') ') -@@ -865,51 +950,97 @@ +@@ -865,51 +950,99 @@ userdom_restricted_user_template($1) @@ -32317,6 +32654,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - dev_read_sound($1_t) - dev_write_sound($1_t) ++ kernel_dontaudit_list_all_proc($1_usertype) ++ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -32355,14 +32694,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + apache_role($1_r, $1_usertype) + ') -+ + +- xserver_restricted_role($1_r, $1_t) + optional_policy(` + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) + ') - -- xserver_restricted_role($1_r, $1_t) ++ + optional_policy(` + fprintd_dbus_chat($1_t) + ') @@ -32405,7 +32744,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -943,8 +1074,8 @@ +@@ -943,8 +1076,8 @@ # Declarations # @@ -32415,7 +32754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -953,58 +1084,67 @@ +@@ -953,58 +1086,67 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -32513,7 +32852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1040,7 +1180,7 @@ +@@ -1040,7 +1182,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -32522,7 +32861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1049,8 +1189,7 @@ +@@ -1049,8 +1191,7 @@ # # Inherit rules for ordinary users. @@ -32532,7 +32871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,6 +1214,9 @@ +@@ -1075,6 +1216,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -32542,7 +32881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1231,7 @@ +@@ -1089,6 +1233,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -32550,7 +32889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1096,8 +1239,6 @@ +@@ -1096,8 +1241,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -32559,7 +32898,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,12 +1265,11 @@ +@@ -1124,12 +1267,11 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -32574,7 +32913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms($1_t) auth_getattr_shadow($1_t) -@@ -1152,20 +1292,6 @@ +@@ -1152,20 +1294,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -32595,7 +32934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1337,7 @@ +@@ -1211,6 +1339,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -32603,7 +32942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1403,15 @@ +@@ -1276,11 +1405,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -32619,7 +32958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1522,13 @@ +@@ -1391,12 +1524,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -32634,7 +32973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1561,14 @@ +@@ -1429,6 +1563,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -32649,7 +32988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1584,11 @@ +@@ -1444,9 +1586,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -32661,7 +33000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1645,42 @@ +@@ -1503,6 +1647,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -32704,7 +33043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1755,8 @@ +@@ -1577,6 +1757,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -32713,7 +33052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1619,6 +1799,24 @@ +@@ -1619,6 +1801,24 @@ ######################################## ## @@ -32738,7 +33077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1670,6 +1868,7 @@ +@@ -1670,6 +1870,7 @@ type user_home_dir_t, user_home_t; ') @@ -32746,7 +33085,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1686,11 +1885,11 @@ +@@ -1686,11 +1887,11 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -32761,7 +33100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1797,19 +1996,32 @@ +@@ -1797,19 +1998,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -32801,7 +33140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2056,7 @@ +@@ -1844,6 +2058,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -32809,7 +33148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2196,7 +2409,7 @@ +@@ -2196,7 +2411,7 @@ ######################################## ## @@ -32818,7 +33157,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## temporary files. ## ## -@@ -2205,31 +2418,50 @@ +@@ -2205,30 +2420,49 @@ ## ## # @@ -32852,7 +33191,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') - read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -- allow $1 user_tmp_t:dir list_dir_perms; + dontaudit $1 user_tmp_t:file manage_file_perms; +') + @@ -32872,11 +33210,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -+ allow $1 user_tmp_t:dir list_dir_perms; + allow $1 user_tmp_t:dir list_dir_perms; files_search_tmp($1) ') - -@@ -2276,6 +2508,46 @@ +@@ -2276,6 +2510,46 @@ ######################################## ## ## Create, read, write, and delete user @@ -32923,7 +33260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## temporary symbolic links. ## ## -@@ -2391,7 +2663,7 @@ +@@ -2391,7 +2665,7 @@ ######################################## ## @@ -32932,7 +33269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2399,19 +2671,20 @@ +@@ -2399,19 +2673,20 @@ ## ## # @@ -32957,7 +33294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2419,15 +2692,14 @@ +@@ -2419,15 +2694,14 @@ ## ## # @@ -32977,7 +33314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2749,7 +3021,7 @@ +@@ -2749,7 +3023,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -32986,7 +33323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unpriv_userdomain $1:process sigchld; ') -@@ -2765,11 +3037,32 @@ +@@ -2765,11 +3039,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -33021,7 +33358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3190,43 @@ +@@ -2897,7 +3192,43 @@ type user_tmp_t; ') @@ -33066,7 +33403,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3263,7 @@ +@@ -2934,6 +3265,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -33074,7 +33411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3394,578 @@ +@@ -3064,3 +3396,578 @@ allow $1 userdomain:dbus send_msg; ') @@ -33430,7 +33767,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`userdom_manage_user_home_content',` + gen_require(` -+ type user_home_dir_t; ++ type user_home_dir_t, user_home_t; + attribute user_home_type; + ') + diff --git a/selinux-policy.spec b/selinux-policy.spec index 2ea0dc9..dec9df4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 46%{?dist} +Release: 47%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -445,6 +445,11 @@ exit 0 %endif %changelog +* Tue Nov 17 2009 Dan Walsh 3.6.32-47 +- Make mozilla call in execmem.if optional to fix build of minimum install +- Allow uucpd to execute shells and send mail +- Fix label on libtfmessbsp.so + * Mon Nov 16 2009 Dan Walsh 3.6.32-46 - abrt needs more access to rpm pid files - Abrt wants to execute its own tmp files