diff --git a/modules-targeted.conf b/modules-targeted.conf index cedb82c..1bbd635 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1667,4 +1667,4 @@ courier = module # # test package for eparis # -slattach = base +#slattach = base diff --git a/policy-20071130.patch b/policy-20071130.patch index b579eff..89eab31 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1445,7 +1445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.3.1 # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.3.1/policy/modules/admin/amanda.te --- nsaserefpolicy/policy/modules/admin/amanda.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/amanda.te 2008-06-02 13:05:27.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/admin/amanda.te 2008-06-10 15:04:15.884188000 -0400 @@ -82,8 +82,7 @@ allow amanda_t amanda_config_t:file { getattr read }; @@ -1465,6 +1465,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. manage_dirs_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t) manage_files_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t) +@@ -220,6 +219,7 @@ + auth_use_nsswitch(amanda_recover_t) + + fstools_domtrans(amanda_t) ++fstools_signal(amanda_t) + + libs_use_ld_so(amanda_recover_t) + libs_use_shared_libs(amanda_recover_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.3.1/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-02-26 08:23:10.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/admin/anaconda.te 2008-06-02 13:05:27.000000000 -0400 
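Review bot: `fstools_signal(amanda_t)` in the amanda.te hunk lets amanda_t deliver generic signals to every process running in fsadm_t, not only to a tool it launched through the preceding `fstools_domtrans(amanda_t)`, and nothing in the hunk says why amanda needs that. A why-comment above the call would make the grant reviewable, e.g. `# amanda presumably stops the fs tool it started via fstools_domtrans -- confirm`. The `fstools_signal` interface is introduced by the fstools.if hunk later in this same patch, so the two hunks must land together. The amanda.te block these lines belong to starts and ends outside the hunk.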
@@ -5946,7 +5954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-06-02 13:05:27.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-06-10 09:36:52.955480000 -0400 @@ -0,0 +1,210 @@ + +policy_module(nsplugin,1.0.0) 
@@ -6737,6 +6745,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp ') allow $2 $1_userhelper_t:process sigchld; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.if serefpolicy-3.3.1/policy/modules/apps/usernetctl.if +--- nsaserefpolicy/policy/modules/apps/usernetctl.if 2008-02-26 08:23:12.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/usernetctl.if 2008-06-05 15:40:01.000000000 -0400 +@@ -63,4 +63,8 @@ + optional_policy(` + modutils_run_insmod(usernetctl_t,$2,$3) + ') ++ ++ optional_policy(` ++ ppp_run(usernetctl_t,$2,$3) ++ ') + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.te serefpolicy-3.3.1/policy/modules/apps/usernetctl.te +--- nsaserefpolicy/policy/modules/apps/usernetctl.te 2008-02-26 08:23:12.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/usernetctl.te 2008-06-05 15:40:47.000000000 -0400 +@@ -49,15 +49,21 @@ + + fs_search_auto_mountpoints(usernetctl_t) + ++auth_use_nsswitch(usernetctl_t) ++ + libs_use_ld_so(usernetctl_t) + libs_use_shared_libs(usernetctl_t) + ++logging_send_syslog_msg(usernetctl_t) ++ + miscfiles_read_localization(usernetctl_t) + + seutil_read_config(usernetctl_t) + + sysnet_read_config(usernetctl_t) + ++term_search_ptys(usernetctl_t) ++ + optional_policy(` + hostname_exec(usernetctl_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.3.1/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-02-26 08:23:12.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/apps/vmware.fc 2008-06-02 13:05:27.000000000 -0400 
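Review bot: `ppp_run(usernetctl_t,$2,$3)` in the usernetctl.if hunk is added without a comment, and like the other `*_run` interfaces it presumably lets the role passed as `$2` run the pppd domain, so every role that reaches usernetctl through this template also gains a domain transition into pppd. That is a wider grant than the neighbouring `modutils_run_insmod` line suggests; a comment stating the use case, e.g. `# usernetctl presumably brings up ppp interfaces and needs pppd_t for the caller's role -- confirm`, plus a decision on whether it belongs behind a boolean, would help. The template containing this `optional_policy` block starts outside the hunk. The usernetctl.te part of the same hunk (auth_use_nsswitch, logging_send_syslog_msg, term_search_ptys) is consistent with a helper that resolves names and logs, and raises nothing on its own.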
@@ -6891,6 +6936,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t ') + + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.3.1/policy/modules/apps/wine.fc +--- nsaserefpolicy/policy/modules/apps/wine.fc 2008-02-26 08:23:12.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/wine.fc 2008-06-10 16:19:37.571466000 -0400 +@@ -1,4 +1,5 @@ + /usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) + +-/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +-/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) ++HOME_DIR/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.3.1/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2008-02-26 08:23:12.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/apps/wine.if 2008-06-02 13:05:27.000000000 -0400 @@ -8256,7 +8312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.3.1/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2008-02-26 08:23:11.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/files.te 2008-06-02 13:05:27.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/files.te 2008-06-10 14:33:02.588488000 -0400 @@ -50,11 +50,15 @@ # # etc_t is the type of the system etc directories. 
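Review bot: `HOME_DIR/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)` in the wine.fc hunk labels files inside a user's home directory with wine_exec_t, the exec type wine.te presumably uses as its entrypoint, so a binary the user can edit becomes a valid entry into the wine domain; the two `/opt/...` entries are widened from `wine` to `wine.*` at the same time. If a per-user CrossOver install is the intended case, a short comment on the line, e.g. `# CrossOver can be installed per user under ~/cxoffice`, would stop a later reader from treating a home-directory entrypoint as an accident. File-context patterns are anchored, so `wine.*` covers `wine`, `wineserver` and anything else whose name starts with wine in those directories; confirm that is wanted.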
@@ -8274,7 +8330,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # # etc_runtime_t is the type of various -@@ -195,10 +199,7 @@ +@@ -172,6 +176,7 @@ + # + type var_run_t; + files_pid_file(var_run_t) ++files_mountpoint(var_run_t) + + # + # var_spool_t is the type of /var/spool +@@ -195,10 +200,7 @@ # # Rules for all tmp file types # @@ -9204,11 +9268,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav # amavis local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-06-02 13:05:27.000000000 -0400 -@@ -1,10 +1,9 @@ ++++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-06-09 15:29:28.000000000 -0400 +@@ -1,10 +1,8 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) -+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) - +- ++HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -9218,7 +9282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) -@@ -16,7 +15,6 @@ +@@ -16,7 +14,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) 
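Review bot: `files_mountpoint(var_run_t)` in the files.te hunk is inserted right after `files_pid_file(var_run_t)` with no explanation, although the surrounding declarations in this block each carry a `#` header comment describing the type. A one-line comment such as `# /var/run is also a mount point (presumably a tmpfs) -- confirm` would keep the block readable and record why a pid-file directory needs mountpoint rules. Only the var_run_t declaration is visible as context, so whether another rule elsewhere already covers this cannot be checked from here.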
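Review bot: Adding `public_git` to `HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)?` in the apache.fc hunk labels an entire repository tree under a home directory, including its `.git` internals (config, hooks, objects), as httpd_user_content_t, so everything httpd_t may do with user web content it may now do with repository metadata. If the goal is serving per-user repositories over http, a comment on that line saying so would make the scope explicit, e.g. `# public_git: per-user git repositories exported over http, .git metadata included`. The hunk also drops the blank line that followed the HOME_DIR entry, which changes nothing in the resulting labels.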
@@ -9226,7 +9290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -33,6 +31,7 @@ +@@ -33,6 +30,7 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') @@ -9234,7 +9298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -48,11 +47,14 @@ +@@ -48,11 +46,14 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -9249,7 +9313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -66,10 +68,21 @@ +@@ -66,10 +67,21 @@ /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) 
@@ -9884,7 +9948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-06-02 13:05:28.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-06-05 14:17:18.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -10188,16 +10252,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -472,13 +559,14 @@ - openca_kill(httpd_t) +@@ -473,12 +560,15 @@ ') + optional_policy(` +tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_t) + postgresql_tcp_connect(httpd_sys_script_t) +') ++') + - optional_policy(` ++optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) - @@ -10207,7 +10272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -486,6 +574,7 @@ +@@ -486,6 +576,7 @@ ') optional_policy(` @@ -10215,7 +10280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -521,6 +610,22 @@ +@@ -521,6 +612,22 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -10238,7 +10303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -550,18 +655,24 @@ +@@ -550,18 +657,26 @@ fs_search_auto_mountpoints(httpd_php_t) 
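Review bot: The `tunable_policy(`httpd_can_network_connect_db',`` block that this hunk nests inside `optional_policy(` is written flush left, with its two `postgresql_tcp_connect` calls one level in, while the enclosing `optional_policy(` and every rule around it are indented with a tab; the added closing `')` and the following `optional_policy(` opener are flush left too. Moving the tunable under optional_policy is the right fix, since the `postgresql_tcp_connect` interface only exists when the postgresql module is built, but the block should be indented to match its nesting: one tab before `tunable_policy(...)` and its closing `')`, two tabs before `postgresql_tcp_connect(httpd_t)` and `postgresql_tcp_connect(httpd_sys_script_t)`. The apache.te section these lines sit in continues outside the hunk.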
@@ -10257,6 +10322,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + corenet_sendrecv_mysqld_client_packets(httpd_t) + corenet_tcp_connect_mysqld_port(httpd_sys_script_t) + corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_mysqld_port(httpd_suexec_t) ++ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) ') optional_policy(` @@ -10266,7 +10333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -585,6 +696,8 @@ +@@ -585,6 +700,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -10275,7 +10342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -593,9 +706,7 @@ +@@ -593,9 +710,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -10286,7 +10353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -628,6 +739,7 @@ +@@ -628,6 +743,7 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -10294,7 +10361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -638,6 +750,12 @@ +@@ -638,6 +754,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -10307,7 +10374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +773,6 @@ +@@ -655,10 +777,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
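Review bot: The two added lines, `corenet_tcp_connect_mysqld_port(httpd_suexec_t)` and `corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)`, give the suexec wrapper domain itself a mysqld connection under `httpd_can_network_connect_db`, next to the existing grants for httpd_t and httpd_sys_script_t. The `domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)` shown further down this line is conditional, so a script launched by suexec can presumably remain in httpd_suexec_t in some configurations, but the hunk does not say which path needs this; a comment such as `# scripts that stay in httpd_suexec_t (no domain transition) also reach the db -- confirm` would justify the wider grant. The tunable block these lines belong to opens outside the hunk.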
@@ -10318,7 +10385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +782,8 @@ +@@ -668,7 +786,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -10328,7 +10395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +797,44 @@ +@@ -682,15 +801,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -10340,15 +10407,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +tunable_policy(`httpd_use_nfs', ` -+ fs_read_nfs_files(httpd_sys_script_t) -+ fs_read_nfs_symlinks(httpd_sys_script_t) -+') -+ -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` ++ fs_read_nfs_files(httpd_sys_script_t) ++ fs_read_nfs_symlinks(httpd_sys_script_t) ++') ++ +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; 
@@ -10374,15 +10441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -700,9 +844,15 @@ - clamav_domtrans_clamscan(httpd_sys_script_t) - ') - -+tunable_policy(`httpd_can_network_connect_db',` -+ corenet_tcp_connect_mysqld_port(httpd_t) -+ corenet_sendrecv_mysqld_client_packets(httpd_t) -+') -+ +@@ -703,6 +851,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -10390,7 +10449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +874,60 @@ +@@ -724,3 +873,60 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) 
@@ -12093,8 +12152,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.3.1/policy/modules/services/courier.fc --- nsaserefpolicy/policy/modules/services/courier.fc 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/courier.fc 2008-06-02 13:48:21.000000000 -0400 -@@ -19,3 +19,5 @@ ++++ serefpolicy-3.3.1/policy/modules/services/courier.fc 2008-06-10 16:00:43.285817000 -0400 +@@ -1,4 +1,5 @@ + /etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) ++/etc/authlib(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) + + /usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) + +@@ -6,11 +7,18 @@ + /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) + /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) + ++/usr/libexec/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) + /usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) ++/usr/lib(64)?/courier/bin(/.*)? gen_context(system_u:object_r:courier_exec_t,s0) ++/usr/lib(64)?/courier/sbin(/.*)? 
gen_context(system_u:object_r:courier_exec_t,s0) + /usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) + /usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) + /usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) + /usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) ++/usr/lib(64)?/courier/libexec/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) ++/usr/lib(64)?/courier/courier/libexec/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib(64)?/courier/courier/libexec/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib(64)?/courier/courier/libexec/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) + /usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) + /usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) + /usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) +@@ -19,3 +27,5 @@ /var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) /var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0) @@ -24010,13 +24094,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/slattach.fc serefpolicy-3.3.1/policy/modules/services/slattach.fc --- nsaserefpolicy/policy/modules/services/slattach.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/slattach.fc 2008-06-04 09:21:54.419020000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/slattach.fc 2008-06-04 09:21:54.000000000 -0400 
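Review bot: In the courier.fc hunk the generic entry `/usr/lib(64)?/courier/libexec/courier/.*` (courier_exec_t) and the three specific entries `/usr/lib(64)?/courier/courier/libexec/courierpop.*`, `.../courier/courier/libexec/imaplogin` and `.../courier/courier/libexec/pcpd` spell the `courier`/`libexec` path components in opposite order, which looks like a transposition in one of them, since the existing pop/imap/pcp entries sit under the same directory as their generic `courier/courier/.*` entry. Whichever ordering does not exist on disk is dead, and if the specific three are the wrong ones the pop, imap and pcp daemons fall back to the generic courier_exec_t label instead of courier_pop_exec_t and courier_pcp_exec_t; please verify against the installed layout. Separately, `/usr/lib(64)?/courier/bin(/.*)?` and `/usr/lib(64)?/courier/sbin(/.*)?` omit the `--` file qualifier that every other exec entry in this file uses, so the bin and sbin directories themselves receive courier_exec_t. This hunk starts on the preceding line.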
@@ -0,0 +1,2 @@ + +/sbin/slattach -- gen_context(system_u:object_r:slattach_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/slattach.if serefpolicy-3.3.1/policy/modules/services/slattach.if --- nsaserefpolicy/policy/modules/services/slattach.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/slattach.if 2008-06-04 09:21:54.426013000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/slattach.if 2008-06-04 09:21:54.000000000 -0400 @@ -0,0 +1,22 @@ + +## policy for slattach @@ -24042,7 +24126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/slat + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/slattach.te serefpolicy-3.3.1/policy/modules/services/slattach.te --- nsaserefpolicy/policy/modules/services/slattach.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/slattach.te 2008-06-04 09:21:54.429013000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/slattach.te 2008-06-04 09:21:54.000000000 -0400 @@ -0,0 +1,31 @@ +policy_module(slattach,1.0.0) + @@ -25069,7 +25153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-02-26 08:23:10.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-06-02 13:05:29.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-06-10 14:58:24.317719000 -0400 @@ -21,8 +21,10 @@ gen_tunable(spamd_enable_home_dirs,true) @@ -25199,7 +25283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -212,3 +260,214 @@ +@@ -212,3 +260,215 @@ optional_policy(` udev_read_db(spamd_t) ') 
@@ -25294,6 +25378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + corenet_udp_sendrecv_all_ports(spamassassin_t) + corenet_tcp_connect_all_ports(spamassassin_t) + corenet_sendrecv_all_client_packets(spamassassin_t) ++ corenet_udp_bind_generic_port(spamassassin_t) + + sysnet_read_config(spamassassin_t) +') @@ -28629,7 +28714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-06-02 13:05:29.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-06-10 15:02:19.035613000 -0400 @@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) 
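Review bot: `corenet_udp_bind_generic_port(spamassassin_t)` is added without a comment, and binding a generic UDP port is a different kind of grant from the `corenet_udp_sendrecv_all_ports` and `corenet_tcp_connect_all_ports` client rules it is placed among: it lets the domain bind to any port of the generic port type rather than only originate traffic. A why-comment naming the client that needs a bound UDP source port would make the intent clear, e.g. `# presumably a UDP client (resolver or similar) binding an unreserved port -- confirm`. The tunable block enclosing these lines opens outside the hunk, so the boolean gating the grant cannot be confirmed from here.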
@@ -29004,20 +29089,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.3.1/policy/modules/system/fstools.if --- nsaserefpolicy/policy/modules/system/fstools.if 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/fstools.if 2008-06-02 13:05:29.000000000 -0400 -@@ -81,10 +81,10 @@ - # - interface(`fstools_read_pipes',` - gen_require(` -- type fsadm_t; -+ type fstools_t; - ') ++++ serefpolicy-3.3.1/policy/modules/system/fstools.if 2008-06-10 15:03:47.642923000 -0400 +@@ -142,3 +142,21 @@ -- allow $1 fsadm_t:fifo_file read_fifo_file_perms; -+ allow $1 fstools_t:fifo_file read_fifo_file_perms; + allow $1 swapfile_t:file getattr; ') - - ######################################## ++ ++######################################## ++## ++## Send signal to fsadm process ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fstools_signal',` ++ gen_require(` ++ type fsadm_t; ++ ') ++ ++ allow $1 fsadm_t:process signal; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.3.1/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2008-02-26 08:23:09.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/fstools.te 2008-06-02 13:05:29.000000000 -0400 
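Review bot: The new `fstools_signal` interface grants `allow $1 fsadm_t:process signal;`, and its summary "Send signal to fsadm process" does not say that `signal` is the generic-signal permission only: sigkill, sigstop, sigchld and signull are separate process permissions and are not covered here. Stating that in the summary, e.g. `## Send generic signals (not kill/stop/chld/null) to fsadm processes`, saves every caller from checking the body; the amanda.te hunk earlier in this patch is the first user. The interface block is fully inside the hunk, and the removal of the earlier `fsadm_t` to `fstools_t` substitution in `fstools_read_pipes` is history that needs no further change.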
@@ -33537,7 +33631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-06-02 13:05:29.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-06-05 15:28:32.000000000 -0400 @@ -29,9 +29,14 @@ ') @@ -34108,7 +34202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -@@ -692,183 +672,201 @@ +@@ -692,187 +672,201 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -34342,21 +34436,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - optional_policy(` - # to allow monitoring of pcmcia status - pcmcia_read_pid($1_t) +- ') + optional_policy(` + tunable_policy(`allow_user_postgresql_connect',` + postgresql_stream_connect($1_usertype) + ') + ') -+ -+ tunable_policy(`user_ttyfile_stat',` -+ term_getattr_all_user_ttys($1_usertype) - ') - optional_policy(` +- optional_policy(` - pcscd_read_pub_files($1_t) - pcscd_stream_connect($1_t) -+ # to allow monitoring of pcmcia status -+ pcmcia_read_pid($1_usertype) ++ tunable_policy(`user_ttyfile_stat',` ++ term_getattr_all_user_ttys($1_usertype) ') optional_policy(` 
@@ -34364,34 +34455,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) - ') -+ pcscd_read_pub_files($1_usertype) -+ pcscd_stream_connect($1_usertype) ++ # to allow monitoring of pcmcia status ++ pcmcia_read_pid($1_usertype) ') optional_policy(` - resmgr_stream_connect($1_t) -+ resmgr_stream_connect($1_usertype) ++ pcscd_read_pub_files($1_usertype) ++ pcscd_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) ++ resmgr_stream_connect($1_usertype) + ') + + optional_policy(` +- samba_stream_connect_winbind($1_t) + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) ') optional_policy(` -- samba_stream_connect_winbind($1_t) +- slrnpull_search_spool($1_t) + samba_stream_connect_winbind($1_usertype) ') optional_policy(` -- slrnpull_search_spool($1_t) +- usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + slrnpull_search_spool($1_usertype) ') + ') - optional_policy(` -@@ -895,6 +893,8 @@ +@@ -895,6 +889,8 @@ ## # template(`userdom_login_user_template', ` @@ -34400,7 +34497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_base_user_template($1) userdom_manage_home_template($1) -@@ -923,70 +923,73 @@ +@@ -923,70 +919,73 @@ allow $1_t self:context contains; @@ -34507,7 +34604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1020,9 +1023,6 @@ +@@ -1020,9 +1019,6 @@ domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; @@ -34517,7 +34614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typeattribute $1_tty_device_t user_ttynode; ############################## -@@ -1031,16 +1031,29 @@ +@@ -1031,16 +1027,29 @@ # # privileged home directory writers 
@@ -34554,7 +34651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1068,6 +1081,13 @@ +@@ -1068,6 +1077,13 @@ userdom_restricted_user_template($1) @@ -34568,7 +34665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_xwindows_client_template($1) ############################## -@@ -1076,14 +1096,16 @@ +@@ -1076,14 +1092,16 @@ # authlogin_per_role_template($1, $1_t, $1_r) @@ -34590,7 +34687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1091,32 +1113,29 @@ +@@ -1091,32 +1109,29 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -34634,7 +34731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1127,10 +1146,10 @@ +@@ -1127,10 +1142,10 @@ ## ## ##

@@ -34649,7 +34746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1164,7 +1183,6 @@ +@@ -1164,7 +1179,6 @@ # Need the following rule to allow users to run vpnc corenet_tcp_bind_xserver_port($1_t) @@ -34657,7 +34754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1182,32 +1200,45 @@ +@@ -1182,32 +1196,45 @@ ') ') @@ -34715,7 +34812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1315,6 @@ +@@ -1284,8 +1311,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -34724,7 +34821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1307,8 +1336,6 @@ +@@ -1307,8 +1332,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -34733,7 +34830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1363,13 +1390,6 @@ +@@ -1363,13 +1386,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -34747,7 +34844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1442,7 @@ +@@ -1422,6 +1438,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -34755,7 +34852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1808,14 @@ +@@ -1787,10 +1804,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; 
@@ -34771,7 +34868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1911,11 @@ +@@ -1886,11 +1907,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -34785,7 +34882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1945,11 @@ +@@ -1920,11 +1941,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -34799,7 +34896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1993,12 @@ +@@ -1968,12 +1989,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -34815,7 +34912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2028,11 @@ +@@ -2003,10 +2024,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -34829,7 +34926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2064,48 @@ +@@ -2038,11 +2060,48 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -34880,7 +34977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2137,10 @@ +@@ -2074,10 +2133,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -34893,7 +34990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2170,11 @@ +@@ -2107,11 +2166,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` 
@@ -34907,7 +35004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2204,11 @@ +@@ -2141,11 +2200,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -34922,7 +35019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2238,14 @@ +@@ -2175,10 +2234,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -34939,7 +35036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2275,11 @@ +@@ -2208,11 +2271,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -34953,7 +35050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2309,11 @@ +@@ -2242,11 +2305,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -34967,7 +35064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2343,10 @@ +@@ -2276,10 +2339,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -34980,7 +35077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2378,12 @@ +@@ -2311,12 +2374,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -34996,7 +35093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2415,10 @@ +@@ -2348,10 +2411,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` 
@@ -35009,7 +35106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2450,12 @@ +@@ -2383,12 +2446,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -35025,7 +35122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2487,12 @@ +@@ -2420,12 +2483,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -35041,7 +35138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2524,12 @@ +@@ -2457,12 +2520,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -35057,7 +35154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2574,11 @@ +@@ -2507,11 +2570,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -35071,7 +35168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2623,11 @@ +@@ -2556,11 +2619,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -35085,7 +35182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2667,11 @@ +@@ -2600,11 +2663,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -35099,7 +35196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2701,11 @@ +@@ -2634,11 +2697,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` 
@@ -35113,7 +35210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2735,11 @@ +@@ -2668,11 +2731,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -35127,7 +35224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2771,10 @@ +@@ -2704,10 +2767,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -35140,7 +35237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2806,10 @@ +@@ -2739,10 +2802,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -35153,7 +35250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2839,12 @@ +@@ -2772,12 +2835,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -35169,7 +35266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2876,10 @@ +@@ -2809,10 +2872,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -35182,7 +35279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2911,48 @@ +@@ -2844,10 +2907,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -35233,7 +35330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2982,12 @@ +@@ -2877,12 +2978,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` 
@@ -35249,7 +35346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3019,10 @@ +@@ -2914,10 +3015,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -35262,7 +35359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3054,12 @@ +@@ -2949,12 +3050,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -35278,7 +35375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3091,11 @@ +@@ -2986,11 +3087,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -35292,7 +35389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3127,11 @@ +@@ -3022,11 +3123,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -35306,7 +35403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3163,11 @@ +@@ -3058,11 +3159,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -35320,7 +35417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3199,11 @@ +@@ -3094,11 +3195,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -35334,7 +35431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3235,11 @@ +@@ -3130,11 +3231,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` 
@@ -35348,7 +35445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3284,10 @@ +@@ -3179,10 +3280,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -35361,7 +35458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3328,10 @@ +@@ -3223,10 +3324,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -35374,7 +35471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,24 +3359,24 @@ +@@ -3254,24 +3355,24 @@ ## ## # @@ -35403,7 +35500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3290,17 +3395,89 @@ +@@ -3290,12 +3391,84 @@ ## ## # @@ -35419,11 +35516,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + allow $2 $1_tmpfs_t:dir list_dir_perms; + rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) + read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) - ') - - ######################################## - ##

--## Do not audit attempts to list user ++') ++ ++######################################## ++## +## Unlink user tmpfs files. +## +## @@ -35489,15 +35585,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + allow $2 $1_untrusted_content_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to list user - ## untrusted directories. - ## - ## -@@ -3962,6 +4139,24 @@ + ') + + ######################################## +@@ -3962,6 +4135,24 @@ ######################################## ## @@ -35522,7 +35613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Manage unpriviledged user SysV shared ## memory segments. ## -@@ -4231,11 +4426,11 @@ +@@ -4231,11 +4422,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -35536,7 +35627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4446,10 @@ +@@ -4251,10 +4442,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -35549,7 +35640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4465,11 @@ +@@ -4270,11 +4461,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -35563,7 +35654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4484,16 @@ +@@ -4289,16 +4480,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -35583,7 +35674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4502,35 @@ +@@ -4307,12 +4498,35 @@ ## ## # 
@@ -35622,7 +35713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4545,13 @@ +@@ -4327,13 +4541,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -35640,7 +35731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4749,10 @@ +@@ -4531,10 +4745,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -35653,7 +35744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4769,10 @@ +@@ -4551,10 +4765,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -35666,7 +35757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4787,10 @@ +@@ -4569,10 +4783,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -35679,7 +35770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4806,10 @@ +@@ -4588,10 +4802,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -35692,7 +35783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4824,10 @@ +@@ -4606,10 +4820,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -35705,7 +35796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4843,10 @@ +@@ -4625,10 +4839,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` 
@@ -35718,7 +35809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4862,11 @@ +@@ -4644,12 +4858,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -35734,7 +35825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4893,10 @@ +@@ -4676,10 +4889,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -35747,7 +35838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4911,10 @@ +@@ -4694,10 +4907,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -35760,7 +35851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4929,13 @@ +@@ -4712,13 +4925,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -35778,7 +35869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4971,49 @@ +@@ -4754,11 +4967,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -35829,7 +35920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +5033,14 @@ +@@ -4778,6 +5029,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -35844,7 +35935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5102,26 @@ +@@ -4839,6 +5098,26 @@ ######################################## ## 
@@ -35871,7 +35962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5142,25 @@ +@@ -4859,6 +5138,25 @@ ######################################## ## @@ -35897,7 +35988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5181,26 @@ +@@ -4879,6 +5177,26 @@ ######################################## ## @@ -35924,7 +36015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5437,7 @@ +@@ -5115,7 +5433,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -35933,7 +36024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5626,63 @@ +@@ -5304,6 +5622,63 @@ ######################################## ## @@ -35997,7 +36088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,7 +5888,7 @@ +@@ -5509,7 +5884,7 @@ ######################################## ## @@ -36006,7 +36097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5517,18 +5896,17 @@ +@@ -5517,18 +5892,17 @@ ## ## # @@ -36029,13 +36120,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -5536,7 +5914,44 @@ +@@ -5536,9 +5910,46 @@ ## ## # -interface(`userdom_dontaudit_use_unpriv_users_ttys',` +interface(`userdom_manage_unpriv_users_tmp_symlinks',` -+ gen_require(` + gen_require(` +- attribute user_ttynode; + type user_tmp_t; + ') + 
@@ -36072,10 +36164,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +# +interface(`userdom_dontaudit_use_unpriv_users_ttys',` - gen_require(` - attribute user_ttynode; ++ gen_require(` ++ attribute user_ttynode; ') -@@ -5559,7 +5974,7 @@ + + dontaudit $1 user_ttynode:chr_file rw_file_perms; +@@ -5559,7 +5970,7 @@ attribute userdomain; ') @@ -36084,7 +36178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -5674,6 +6089,42 @@ +@@ -5674,6 +6085,42 @@ ######################################## ## @@ -36127,7 +36221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6155,408 @@ +@@ -5704,3 +6151,408 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -37451,7 +37545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.3.1/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2008-02-26 08:23:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/xen.te 2008-06-02 13:05:29.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/xen.te 2008-06-10 14:35:09.018062000 -0400 @@ -6,6 +6,13 @@ # Declarations # @@ -37562,7 +37656,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; -@@ -257,7 +264,7 @@ +@@ -245,6 +252,8 @@ + + files_read_usr_files(xenconsoled_t) + ++fs_list_tmpfs(xenconsoled_t) ++ + term_create_pty(xenconsoled_t,xen_devpts_t); + term_use_generic_ptys(xenconsoled_t) + term_use_console(xenconsoled_t) +@@ -257,7 +266,7 @@ miscfiles_read_localization(xenconsoled_t) 
@@ -37571,7 +37674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te xen_stream_connect_xenstore(xenconsoled_t) ######################################## -@@ -265,7 +272,7 @@ +@@ -265,7 +274,7 @@ # Xen store local policy # @@ -37580,7 +37683,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te allow xenstored_t self:unix_stream_socket create_stream_socket_perms; allow xenstored_t self:unix_dgram_socket create_socket_perms; -@@ -318,12 +325,13 @@ +@@ -310,6 +319,10 @@ + + xen_append_log(xenstored_t) + ++optional_policy(` ++ unconfined_domain(xenstored_t) ++') ++ + ######################################## + # + # xm local policy +@@ -318,12 +331,13 @@ allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; # internal communication is often done using fifo and unix sockets. @@ -37595,7 +37709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te files_search_var_lib(xm_t) allow xm_t xen_image_t:dir rw_dir_perms; -@@ -336,6 +344,7 @@ +@@ -336,6 +350,7 @@ kernel_write_xen_state(xm_t) corecmd_exec_bin(xm_t) @@ -37603,7 +37717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te corenet_tcp_sendrecv_generic_if(xm_t) corenet_tcp_sendrecv_all_nodes(xm_t) -@@ -351,8 +360,11 @@ +@@ -351,8 +366,11 @@ storage_raw_read_fixed_disk(xm_t) @@ -37615,7 +37729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te init_rw_script_stream_sockets(xm_t) init_use_fds(xm_t) -@@ -363,6 +375,23 @@ +@@ -363,6 +381,23 @@ sysnet_read_config(xm_t) 
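Review bot: The added `optional_policy(` / `unconfined_domain(xenstored_t)` / `')` block in the xen.te hunk effectively removes MAC confinement from the xenstored daemon, which is a far larger grant than every other change in this hunk (the xm and xenconsoled additions are single interface calls), and nothing in the hunk records why it is needed. If the motivating denials are known, the specific allow rules or interface calls would be the safer fix; if unconfined really is required, the block deserves a comment above it giving the reason and a bug reference so a later reviewer can tell whether it can be tightened. Note also that because it sits in `optional_policy` the grant only takes effect when the unconfined module is loaded, so xenstored behaves differently between builds with and without that module. The xenstored local-policy body this belongs to starts outside the hunk.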
@@ -37808,8 +37922,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i +## Policy for staff user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.3.1/policy/modules/users/staff.te --- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-06-02 13:05:29.000000000 -0400 -@@ -0,0 +1,25 @@ ++++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-06-05 15:29:01.000000000 -0400 +@@ -0,0 +1,29 @@ +policy_module(staff,1.0.1) +userdom_admin_login_user_template(staff) + @@ -37829,6 +37943,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t + cron_per_role_template(staff, staff_t, staff_r) +') + ++optional_policy(` ++ usernetctl_run(staff_t,staff_r,{ staff_devpts_t staff_tty_device_t }) ++') ++ +ifndef(`enable_mls',` +optional_policy(` +userdom_role_change_template(staff, unconfined) diff --git a/selinux-policy.spec b/selinux-policy.spec index feeb362..b064423 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 66%{?dist} +Release: 67%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz
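Review bot: The new `usernetctl_run(staff_t,staff_r,{ staff_devpts_t staff_tty_device_t })` call in the staff.te hunk gives the staff domain a domain transition into the usernetctl domain (presumably so staff users can bring network interfaces up and down; confirm against the usernetctl module), yet the surrounding `policy_module(staff,1.0.1)` line is not bumped and the block carries no comment saying what it is for. Refpolicy convention is to bump the module version when the policy changes, so `policy_module(staff,1.0.2)`, and a one-line comment above the new block such as `# let staff run usernetctl from their tty/pts` would record the intent. Unlike the `userdom_role_change_template(staff, unconfined)` block below it, this grant is not guarded by `ifndef(`enable_mls'`, so it applies on MLS builds too; worth confirming that is intended.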