diff --git a/policy-20080710.patch b/policy-20080710.patch index 80f7a4f..ce3e305 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -475,14 +475,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(consoletype_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.13/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2008-12-02 11:02:32.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2008-12-12 09:38:05.000000000 -0500 @@ -25,11 +25,13 @@ # kismet local policy # -allow kismet_t self:capability { net_admin net_raw setuid setgid }; -+allow kismet_t self:capability { kill net_admin net_raw setuid setgid }; -+allow kismet_t self:process signal; ++allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid }; ++allow kismet_t self:process signal_perms; allow kismet_t self:fifo_file rw_file_perms; allow kismet_t self:packet_socket create_socket_perms; -allow kismet_t self:unix_dgram_socket create_socket_perms; @@ -492,7 +492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) allow kismet_t kismet_log_t:dir setattr; -@@ -43,9 +45,19 @@ +@@ -43,9 +45,20 @@ allow kismet_t kismet_var_run_t:dir manage_dir_perms; files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) 
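Review bot: In the kismet.te hunk, the new `allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };` adds `dac_override` without any comment naming the file access that needs it. kismet_t already holds `net_admin`/`net_raw` and packet sockets and handles untrusted wireless traffic, so a capability that bypasses all DAC checks deserves an inline justification, or a fix to the ownership or mode of the path that triggers the denial. If the denial is harmless, `dontaudit kismet_t self:capability dac_override;` is the narrower rule. The companion change from `signal` to `signal_perms` also grants sigkill, sigstop, sigchld and signull on self, so a short why-comment would help there too.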
@@ -508,13 +508,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corenet_tcp_sendrecv_all_ports(kismet_t) +corenet_tcp_bind_all_nodes(kismet_t) +corenet_tcp_bind_kismet_port(kismet_t) ++corenet_tcp_connect_kismet_port(kismet_t) + +kernel_search_debugfs(kismet_t) +kernel_read_system_state(kismet_t) auth_use_nsswitch(kismet_t) -@@ -55,3 +67,11 @@ +@@ -55,3 +68,11 @@ libs_use_shared_libs(kismet_t) miscfiles_read_localization(kismet_t) @@ -2233,7 +2234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.5.13/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gpg.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/gpg.if 2008-12-18 10:34:23.000000000 -0500 @@ -37,6 +37,9 @@ template(`gpg_per_role_template',` gen_require(` @@ -2244,7 +2245,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -44,290 +47,60 @@ +@@ -44,290 +47,61 @@ # Declarations # @@ -2560,6 +2561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - dontaudit $1_gpg_pinentry_t cifs_t:dir write; - dontaudit $1_gpg_pinentry_t cifs_t:file write; - ') ++ userdom_use_user_terminals($1, gpg_helper_t) + unprivuser_manage_home_content_files(gpg_helper_t) - dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; 
@@ -2835,13 +2837,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.5.13/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/java.fc 2008-11-24 10:49:49.000000000 -0500 -@@ -3,14 +3,15 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/java.fc 2008-12-17 09:15:53.000000000 -0500 +@@ -2,15 +2,16 @@ + # /opt # /opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) - /opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) +-/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) -/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) ++/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -4496,7 +4500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-12-10 08:53:06.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-12-15 12:10:17.000000000 -0500 @@ -0,0 +1,279 @@ + +policy_module(nsplugin, 1.0.0) 
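Review bot: The new java.fc patterns use a bare `.*`, which also matches `/`, so `/opt/ibm/java.*/(bin|javaws)(/.*)?` and `/opt/matlab.*/bin.*/MATLAB.*` reach well beyond one install directory. Any regular file under an `/opt/ibm/java…` prefix with a `bin` or `javaws` component anywhere in its path would be labeled `java_exec_t`, which is presumably an entrypoint type for the java domain. Bounding each wildcard to one path component keeps the labeling on the intended trees, for example `/opt/ibm/java[^/]*/(jre/)?(bin|javaws)(/.*)? --` and `/opt/matlab[^/]*/bin(/[^/]+)*/MATLAB[^/]* --`, adjusted to the layouts that actually need covering.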
@@ -4695,7 +4699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; -+allow nsplugin_config_t self:process { setsched sigkill getsched execmem }; ++allow nsplugin_config_t self:process { setsched signal_perms getsched execmem }; +#execing pulseaudio +dontaudit nsplugin_t self:process { getcap setcap }; + @@ -6441,7 +6445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +wm_domain_template(user,xdm) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-12-05 08:46:59.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-12-18 09:14:19.000000000 -0500 @@ -129,6 +129,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -6465,7 +6469,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -222,8 +223,8 @@ +@@ -222,14 +223,15 @@ /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) 
@@ -6476,7 +6480,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -292,3 +293,14 @@ + /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) +@@ -292,3 +294,14 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -6819,7 +6830,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.13/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2008-12-17 09:31:56.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1, device_t, device_node) 
@@ -8416,7 +8427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-11-25 09:48:18.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-12-12 10:10:49.000000000 -0500 @@ -21,7 +21,7 @@ # Use xattrs for the following filesystem types. @@ -8447,11 +8458,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type vxfs_t; fs_noxattr_type(vxfs_t) -@@ -241,6 +248,7 @@ +@@ -241,6 +248,8 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) +genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) ++genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0) ######################################## # 
@@ -13277,17 +13289,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Calendar (PCP) local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.13/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cron.fc 2008-11-24 10:49:49.000000000 -0500 -@@ -17,6 +17,8 @@ ++++ serefpolicy-3.5.13/policy/modules/services/cron.fc 2008-12-10 10:09:03.000000000 -0500 +@@ -17,9 +17,9 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +-/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0) +-/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0) +-/var/spool/at/[^/]* -- <> +/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) + - /var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0) - /var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0) - /var/spool/at/[^/]* -- <> -@@ -45,3 +47,8 @@ ++/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) + + /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) + #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) +@@ -45,3 +45,8 @@ /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) 
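Review bot: The single `/var/spool/at(/.*)?` entry in cron.fc replaces three specs, one of which (`/var/spool/at/[^/]* --` with the no-label marker, rendered `<>` here) kept individual at job files out of relabeling. With the new pattern, a full relabel assigns `user_cron_spool_t` to every job file and to the `spool` subdirectory regardless of which role queued the job, while the cron.if template in this same patch still uses per-role `$1_cron_spool_t` types. It is worth confirming that this is intended. If only the directories need the new type, keeping the exclusion entry alongside the new line lets job files retain the label they were created with.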
@@ -13298,8 +13314,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-11-24 10:49:49.000000000 -0500 -@@ -35,39 +35,24 @@ ++++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-12-10 10:11:34.000000000 -0500 +@@ -35,39 +35,25 @@ # template(`cron_per_role_template',` gen_require(` @@ -13307,6 +13323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol attribute cron_spool_type; type crond_t, cron_spool_t, crontab_exec_t; - class dbus send_msg; ++ type crond_var_run_t; ') + typealias $1_t alias $1_crond_t; @@ -13344,7 +13361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -75,116 +60,23 @@ +@@ -75,116 +61,23 @@ # for the domain of the user cron job. It # performs an entrypoint permission check # for this purpose. 
@@ -13468,11 +13485,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # $1_crontab_t local policy -@@ -193,10 +85,13 @@ +@@ -192,23 +85,27 @@ + # dac_override is to create the file in the directory under /tmp allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override }; - allow $1_crontab_t self:process signal_perms; +- allow $1_crontab_t self:process signal_perms; ++ allow $1_cronjob_t self:process { signal_perms setsched }; + allow $1_crontab_t self:fifo_file rw_fifo_file_perms; ++ allow $1_crontab_t crond_t:process signal; # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, $1_crontab_t) @@ -13482,7 +13502,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # crontab shows up in user ps ps_process_pattern($2, $1_crontab_t) -@@ -206,9 +101,6 @@ ++ init_dontaudit_write_utmp($1_crontab_t) ++ init_read_utmp($1_crontab_t) ++ + # for ^Z + allow $2 $1_crontab_t:process signal; + # Allow crond to read those crontabs in cron spool. allow crond_t $1_cron_spool_t:file manage_file_perms; @@ -13492,7 +13517,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # create files in /var/spool/cron manage_files_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t) filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t,file) -@@ -227,27 +119,32 @@ +@@ -216,6 +113,7 @@ + + # crontab signals crond by updating the mtime on the spooldir + allow $1_crontab_t cron_spool_t:dir setattr; ++ read_files_pattern($1_crontab_t, crond_var_run_t,crond_var_run_t) + + kernel_read_system_state($1_crontab_t) + +@@ -227,27 +125,33 @@ # Run helper programs as the user domain corecmd_bin_domtrans($1_crontab_t, $2) corecmd_shell_domtrans($1_crontab_t, $2) 
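Review bot: In the `$1_crontab_t local policy` block, the removed `allow $1_crontab_t self:process signal_perms;` is replaced by a rule whose source is `$1_cronjob_t`, so `$1_crontab_t` loses its self-signal permissions and a different type gains them. No declaration of `$1_cronjob_t` is visible in these hunks (the template starts outside them), so this looks like a typo for `allow $1_crontab_t self:process { signal_perms setsched };` and may also break the build if that type is not declared. Separately, the added `allow $1_crontab_t crond_t:process signal;` lets every per-role crontab domain signal the cron daemon, while a comment further down says crontab notifies crond by updating the spool directory mtime. Please add a one-line comment stating which crontab implementation needs the signal, or scope the rule to it.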
@@ -13510,6 +13543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg($1_crontab_t) + logging_send_audit_msgs($1_crontab_t) ++ logging_set_loginuid($1_crontab_t) miscfiles_read_localization($1_crontab_t) @@ -13527,7 +13561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -286,14 +183,12 @@ +@@ -286,14 +190,12 @@ template(`cron_admin_template',` gen_require(` attribute cron_spool_type; @@ -13543,7 +13577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Manipulate other users crontab. selinux_get_fs_mount($1_crontab_t) selinux_validate_context($1_crontab_t) -@@ -421,6 +316,24 @@ +@@ -421,6 +323,24 @@ ######################################## ## @@ -13568,7 +13602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write a cron daemon unnamed pipe. ## ## -@@ -439,7 +352,7 @@ +@@ -439,7 +359,7 @@ ######################################## ## @@ -13577,7 +13611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -447,7 +360,7 @@ +@@ -447,7 +367,7 @@ ## ## # @@ -13586,7 +13620,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gen_require(` type crond_t; ') -@@ -559,11 +472,14 @@ +@@ -559,11 +479,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -13602,7 +13636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -584,3 +500,64 @@ +@@ -584,3 +507,64 @@ dontaudit $1 system_crond_tmp_t:file append; ') 
@@ -13943,9 +13977,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.13/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.fc 2008-11-24 10:49:49.000000000 -0500 -@@ -8,24 +8,35 @@ - /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++++ serefpolicy-3.5.13/policy/modules/services/cups.fc 2008-12-18 10:07:31.000000000 -0500 +@@ -5,27 +5,38 @@ + /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -14141,7 +14179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.13/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-12-05 08:56:59.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-12-15 11:14:05.000000000 -0500 @@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) 
@@ -14198,7 +14236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:process { setsched signal_perms }; -allow cupsd_t self:fifo_file rw_file_perms; -+allow cupsd_t self:process { setpgid setsched signal_perms }; ++allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; +allow cupsd_t self:fifo_file rw_fifo_file_perms; allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow cupsd_t self:unix_dgram_socket create_socket_perms; @@ -14453,17 +14491,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -500,7 +564,8 @@ +@@ -500,7 +564,11 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; -allow hplip_t cupsd_etc_t:dir search; +allow hplip_t cupsd_etc_t:dir search_dir_perms; -+allow hplip_t cupsd_tmp_t:file rw_file_perms; ++manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) ++manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) ++files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir }) ++ cups_stream_connect(hplip_t) -@@ -509,6 +574,8 @@ +@@ -509,6 +577,8 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -14472,7 +14513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -538,7 +605,8 @@ +@@ -538,7 +608,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -14482,7 +14523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -552,6 +620,8 @@ +@@ -552,6 +623,8 @@ files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) 
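Review bot: The hplip_t change in the `@@ -500,7 +564,11 @@` hunk points `files_tmp_filetrans` at `cupsd_tmp_t`, so everything hplip_t creates in /tmp is labeled as cupsd's temp data. The two `manage_*_pattern` lines also let hplip_t create, delete and replace cupsd's own temp files and directories, where the previous rule allowed only read/write on existing files. If hplip only needs scratch space plus access to files cupsd hands over, a dedicated temp type keeps the two daemons separated, as sketched below; the declaration belongs in the declarations section, and only if the module does not already define such a type.

```selinux
# declarations section (only if no hplip temp type exists yet)
type hplip_tmp_t;
files_tmp_file(hplip_tmp_t)

# … unchanged: allow hplip_t cupsd_etc_t:dir search_dir_perms; …
allow hplip_t cupsd_tmp_t:file rw_file_perms;
manage_dirs_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
manage_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, { file dir })
```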
@@ -14491,7 +14532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(hplip_t) libs_use_shared_libs(hplip_t) -@@ -564,12 +634,14 @@ +@@ -564,12 +637,14 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -14507,7 +14548,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -651,3 +723,44 @@ +@@ -651,3 +726,44 @@ optional_policy(` udev_read_db(ptal_t) ') @@ -16623,7 +16664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-12-10 09:04:13.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-12-12 09:32:28.000000000 -0500 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -16642,7 +16683,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hald_t) fs_search_all(hald_t) -@@ -280,6 +284,12 @@ +@@ -197,6 +201,7 @@ + seutil_read_file_contexts(hald_t) + + sysnet_read_config(hald_t) ++sysnet_domtrans_dhcpc(hald_t) + + userdom_dontaudit_use_unpriv_user_fds(hald_t) + +@@ -280,6 +285,12 @@ ') optional_policy(` @@ -16655,7 +16704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_search_nfs_state_data(hald_t) ') -@@ -300,12 +310,20 @@ +@@ -300,12 +311,20 @@ vbetool_domtrans(hald_t) ') 
@@ -16677,7 +16726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file rw_fifo_file_perms; -@@ -344,13 +362,22 @@ +@@ -344,13 +363,22 @@ libs_use_ld_so(hald_acl_t) libs_use_shared_libs(hald_acl_t) @@ -16700,7 +16749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; allow hald_mac_t hald_t:unix_stream_socket connectto; -@@ -359,6 +386,8 @@ +@@ -359,6 +387,8 @@ manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_mac_t) @@ -16709,7 +16758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(hald_mac_t) dev_read_raw_memory(hald_mac_t) -@@ -366,6 +395,9 @@ +@@ -366,6 +396,9 @@ dev_read_sysfs(hald_mac_t) files_read_usr_files(hald_mac_t) @@ -16719,7 +16768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(hald_mac_t) libs_use_shared_libs(hald_mac_t) -@@ -388,6 +420,8 @@ +@@ -388,6 +421,8 @@ manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_sonypic_t) @@ -16728,7 +16777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_usr_files(hald_sonypic_t) libs_use_ld_so(hald_sonypic_t) -@@ -408,6 +442,8 @@ +@@ -408,6 +443,8 @@ manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_keymap_t) @@ -16737,7 +16786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_input_dev(hald_keymap_t) files_read_usr_files(hald_keymap_t) -@@ -419,4 +455,4 @@ +@@ -419,4 +456,4 @@ # This is caused by a bug in hald and PolicyKit. # Should be removed when this is fixed 
@@ -17103,14 +17152,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_type(mailscanner_spool_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.13/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mta.fc 2008-11-25 08:45:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/mta.fc 2008-12-15 09:22:33.000000000 -0500 @@ -1,4 +1,4 @@ -/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -@@ -22,7 +22,3 @@ +@@ -9,11 +9,14 @@ + /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) + ') + ++/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++ + /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + +@@ -22,7 +25,3 @@ /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) 
@@ -17443,7 +17507,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-12-04 16:13:54.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-12-18 11:33:10.000000000 -0500 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) @@ -17496,7 +17560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(munin_t) corenet_all_recvfrom_netlabel(munin_t) -@@ -73,30 +82,40 @@ +@@ -73,30 +82,41 @@ corenet_udp_sendrecv_all_nodes(munin_t) corenet_tcp_sendrecv_all_ports(munin_t) corenet_udp_sendrecv_all_ports(munin_t) @@ -17526,6 +17590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_shared_libs(munin_t) logging_send_syslog_msg(munin_t) ++logging_read_all_logs(munin_t) +miscfiles_read_fonts(munin_t) miscfiles_read_localization(munin_t) @@ -17539,7 +17604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysadm_dontaudit_search_home_dirs(munin_t) optional_policy(` -@@ -109,7 +128,30 @@ +@@ -109,7 +129,30 @@ ') optional_policy(` @@ -17571,7 +17636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -119,3 +161,9 @@ +@@ -119,3 +162,9 @@ optional_policy(` udev_read_db(munin_t) ') 
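Review bot: `logging_read_all_logs(munin_t)` in the `@@ -73,30 +82,41 @@` hunk gives the munin domain read access to every file carrying the log-file attribute, which likely includes authentication and other sensitive logs. That is much wider than a monitoring plugin usually needs. munin_t also has network access through the `corenet_*` rules in the same hunk, so a compromise of the daemon or one of its plugins would expose all of that log content. Prefer granting read on the specific log types the plugins parse, or wrap the call in a `tunable_policy` block whose boolean defaults to off. At minimum, add a comment naming the plugin that requires it.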
@@ -20837,7 +20902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#domain_use_interactive_fds(portreserve_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.13/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.fc 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/postfix.fc 2008-12-18 11:29:44.000000000 -0500 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -20853,7 +20918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.13/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2008-12-18 11:31:38.000000000 -0500 @@ -211,9 +211,8 @@ type postfix_etc_t; ') 
@@ -20901,10 +20966,46 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute the master postfix program in the ## postfix_master domain. ## -@@ -508,6 +526,25 @@ +@@ -461,10 +479,10 @@ + # + interface(`postfix_search_spool',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; + ') - ######################################## - ## +- allow $1 postfix_spool_t:dir search_dir_perms; ++ allow $1 postfix_spool_type:dir search_dir_perms; + files_search_spool($1) + ') + +@@ -480,10 +498,10 @@ + # + interface(`postfix_list_spool',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; + ') + +- allow $1 postfix_spool_t:dir list_dir_perms; ++ allow $1 postfix_spool_type:dir list_dir_perms; + files_search_spool($1) + ') + +@@ -499,11 +517,30 @@ + # + interface(`postfix_read_spool_files',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1, postfix_spool_type, postfix_spool_type) ++') ++ ++######################################## ++## +## Manage postfix mail spool files. +## +## @@ -20915,18 +21016,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`postfix_manage_spool_files',` + gen_require(` -+ type postfix_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_files_pattern($1, postfix_spool_t, postfix_spool_t) -+') -+ -+######################################## -+## - ## Execute postfix user mail programs - ## in their respective domains. - ## ++ attribute postfix_spool_type; + ') + + files_search_spool($1) +- read_files_pattern($1, postfix_spool_t, postfix_spool_t) ++ manage_files_pattern($1, postfix_spool_type, postfix_spool_type) + ') + + ######################################## @@ -524,3 +561,23 @@ typeattribute $1 postfix_user_domtrans; 
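Review bot: Switching `postfix_search_spool`, `postfix_list_spool` and `postfix_read_spool_files` from the `postfix_spool_t` type to the `postfix_spool_type` attribute silently widens every existing caller. Per the postfix.te hunks in this patch, the attribute also covers `postfix_spool_bounce_t`, `postfix_spool_maildrop_t` and `postfix_spool_flush_t`. The new `postfix_manage_spool_files` likewise grants create, write and unlink on all of those queues, although its summary still reads "Manage postfix mail spool files". Either update the interface summaries to say they apply to all postfix spool types, or keep the original interfaces on `postfix_spool_t` and add separate all-spool variants for the callers that need the wider set.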
@@ -20953,8 +21051,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-11-25 08:33:46.000000000 -0500 -@@ -6,6 +6,14 @@ ++++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-12-18 11:30:38.000000000 -0500 +@@ -6,6 +6,15 @@ # Declarations # @@ -20966,10 +21064,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_postfix_local_write_mail_spool, false) + ++attribute postfix_spool_type; attribute postfix_user_domains; # domains that transition to the # postfix user domains -@@ -19,7 +27,7 @@ +@@ -13,13 +22,13 @@ + + postfix_server_domain_template(bounce) + +-type postfix_spool_bounce_t; ++type postfix_spool_bounce_t, postfix_spool_type; + files_type(postfix_spool_bounce_t) + postfix_server_domain_template(cleanup) type postfix_etc_t; @@ -20978,7 +21084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type postfix_exec_t; application_executable_file(postfix_exec_t) -@@ -27,6 +35,12 @@ +@@ -27,6 +36,12 @@ postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) @@ -20991,7 +21097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type postfix_local_tmp_t; files_tmp_file(postfix_local_tmp_t) -@@ -34,6 +48,7 @@ +@@ -34,6 +49,7 @@ type postfix_map_t; type postfix_map_exec_t; application_domain(postfix_map_t, postfix_map_exec_t) 
@@ -20999,7 +21105,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) -@@ -103,6 +118,7 @@ +@@ -68,13 +84,13 @@ + + postfix_server_domain_template(smtpd) + +-type postfix_spool_t; ++type postfix_spool_t, postfix_spool_type; + files_type(postfix_spool_t) + +-type postfix_spool_maildrop_t; ++type postfix_spool_maildrop_t, postfix_spool_type; + files_type(postfix_spool_maildrop_t) + +-type postfix_spool_flush_t; ++type postfix_spool_flush_t, postfix_spool_type; + files_type(postfix_spool_flush_t) + + type postfix_public_t; +@@ -103,6 +119,7 @@ allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; @@ -21007,7 +21130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_master_t postfix_etc_t:file rw_file_perms; -@@ -142,6 +158,7 @@ +@@ -142,6 +159,7 @@ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -21015,7 +21138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_all_sysctls(postfix_master_t) -@@ -170,6 +187,8 @@ +@@ -170,6 +188,8 @@ domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) @@ -21024,7 +21147,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_dontaudit_search_ptys(postfix_master_t) -@@ -181,15 +200,14 @@ +@@ -181,15 +201,14 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) @@ -21044,7 +21167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -202,9 +220,29 @@ +@@ -202,9 +221,29 @@ ') optional_policy(` 
@@ -21074,7 +21197,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix bounce local policy -@@ -245,6 +283,10 @@ +@@ -245,6 +284,10 @@ corecmd_exec_bin(postfix_cleanup_t) @@ -21085,7 +21208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix local local policy -@@ -270,18 +312,25 @@ +@@ -270,18 +313,25 @@ files_read_etc_files(postfix_local_t) @@ -21111,7 +21234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -292,8 +341,7 @@ +@@ -292,8 +342,7 @@ # # Postfix map local policy # @@ -21121,7 +21244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -343,8 +391,6 @@ +@@ -343,8 +392,6 @@ miscfiles_read_localization(postfix_map_t) @@ -21130,7 +21253,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -357,6 +403,11 @@ +@@ -357,6 +404,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -21142,7 +21265,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix pickup local policy -@@ -381,6 +432,7 @@ +@@ -381,6 +433,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -21150,7 +21273,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -388,6 +440,12 @@ +@@ -388,6 +441,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) 
@@ -21163,7 +21286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -397,6 +455,15 @@ +@@ -397,6 +456,15 @@ ') optional_policy(` @@ -21179,7 +21302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol uucp_domtrans_uux(postfix_pipe_t) ') -@@ -433,8 +500,11 @@ +@@ -433,8 +501,11 @@ ') optional_policy(` @@ -21193,7 +21316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -460,6 +530,15 @@ +@@ -460,6 +531,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -21209,7 +21332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -540,9 +619,18 @@ +@@ -540,9 +620,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -21228,7 +21351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_read_data_files(postfix_smtpd_t) ') -@@ -569,7 +657,7 @@ +@@ -569,7 +658,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process @@ -23672,7 +23795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-12-08 15:15:16.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-12-15 12:24:35.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
@@ -23725,7 +23848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Samba net local policy # - -+allow samba_net_t self:capability { dac_read_search dac_override }; ++allow samba_net_t self:capability { sys_nice dac_read_search dac_override }; +allow samba_net_t self:process { getsched setsched }; allow samba_net_t self:unix_dgram_socket create_socket_perms; allow samba_net_t self:unix_stream_socket create_stream_socket_perms; @@ -23744,15 +23867,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(samba_net_t) corenet_all_recvfrom_netlabel(samba_net_t) -@@ -190,6 +205,7 @@ +@@ -190,8 +205,10 @@ domain_use_interactive_fds(samba_net_t) files_read_etc_files(samba_net_t) +files_read_usr_symlinks(samba_net_t) auth_use_nsswitch(samba_net_t) ++auth_read_cache(samba_net_t) -@@ -200,7 +216,14 @@ + libs_use_ld_so(samba_net_t) + libs_use_shared_libs(samba_net_t) +@@ -200,7 +217,14 @@ miscfiles_read_localization(samba_net_t) @@ -23767,7 +23893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` kerberos_use(samba_net_t) -@@ -210,7 +233,7 @@ +@@ -210,7 +234,7 @@ # # smbd Local policy # @@ -23776,7 +23902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; -@@ -228,10 +251,8 @@ +@@ -228,10 +252,8 @@ allow smbd_t samba_etc_t:file { rw_file_perms setattr }; 
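Review bot: `sys_nice` is added to `allow samba_net_t self:capability { ... }` with no comment saying which operation produced the denial, and the winbind hunk further down this samba.te section does the same for `winbind_t` together with `setsched`. The capability covers raising priority and changing the scheduling of other processes, which is more than the `getsched setsched` on `self:process` already granted next to it. If the tools work without it and the AVC only comes from a library probing the scheduler, `dontaudit samba_net_t self:capability sys_nice;` is the narrower rule. Otherwise record the reason in a one-line comment above each allow rule.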
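Review bot: `auth_read_cache(samba_net_t)` is granted unconditionally and nothing in the hunk says which cache file `net` has to read; the winbind hunk later in this section goes further with `auth_rw_cache(winbind_t)`. The authlogin.fc lines visible elsewhere in this patch label `/var/cache/coolkey(/.*)?` as `auth_cache_t`, so these calls presumably expose smart-card cache content to the Samba domains as well as whatever cache Samba itself uses. A dedicated type for the Samba-related cache, or at least a comment naming the path that triggered the denial, would keep the grant reviewable.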
@@ -23788,7 +23914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow smbd_t samba_net_tmp_t:file getattr; -@@ -241,6 +262,7 @@ +@@ -241,6 +263,7 @@ manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) @@ -23796,7 +23922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) manage_files_pattern(smbd_t, samba_var_t, samba_var_t) -@@ -258,7 +280,7 @@ +@@ -258,7 +281,7 @@ manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) files_pid_filetrans(smbd_t, smbd_var_run_t, file) @@ -23805,7 +23931,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -314,20 +336,24 @@ +@@ -300,6 +323,7 @@ + + auth_use_nsswitch(smbd_t) + auth_domtrans_chk_passwd(smbd_t) ++auth_domtrans_upd_passwd(smbd_t) + + domain_use_interactive_fds(smbd_t) + domain_dontaudit_list_all_domains_state(smbd_t) +@@ -314,20 +338,24 @@ init_rw_utmp(smbd_t) @@ -23833,7 +23967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -348,6 +374,25 @@ +@@ -348,6 +376,25 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) @@ -23859,7 +23993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -360,6 +405,11 @@ +@@ -360,6 +407,11 @@ ') optional_policy(` @@ -23871,7 +24005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_search_nfs_state_data(smbd_t) ') -@@ -379,8 +429,10 @@ +@@ -379,8 +431,10 @@ tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) 
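Review bot: `auth_domtrans_upd_passwd(smbd_t)` lets the network-facing `smbd_t` domain transition into the password-update helper on every system, not only on hosts that enable password synchronisation. The rule sits directly after `auth_domtrans_chk_passwd(smbd_t)` with no comment and no conditional, while other optional smbd behaviour in this file (`samba_share_nfs`, `samba_export_all_ro`) is gated by a tunable. Consider wrapping it in a `tunable_policy` block that defaults to off, or add a comment stating which smbd feature requires it (presumably unix password sync; confirm against the AVC that prompted the change).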
@@ -23882,7 +24016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_read_all_files_except_shadow(nmbd_t) ') -@@ -452,6 +504,7 @@ +@@ -452,6 +506,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -23890,7 +24024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -536,6 +589,7 @@ +@@ -536,6 +591,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) @@ -23898,7 +24032,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_list_bin(smbmount_t) -@@ -547,32 +601,46 @@ +@@ -547,32 +603,46 @@ auth_use_nsswitch(smbmount_t) @@ -23951,7 +24085,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) -@@ -592,6 +660,9 @@ +@@ -592,6 +662,9 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -23961,7 +24095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -616,10 +687,12 @@ +@@ -616,10 +689,12 @@ dev_read_urand(swat_t) @@ -23974,7 +24108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -628,6 +701,7 @@ +@@ -628,6 +703,7 @@ libs_use_shared_libs(swat_t) logging_send_syslog_msg(swat_t) @@ -23982,7 +24116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -645,6 +719,17 @@ +@@ -645,15 +721,26 @@ kerberos_use(swat_t) ') 
@@ -24000,16 +24134,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Winbind local policy -@@ -653,7 +738,7 @@ + # + - allow winbind_t self:capability { dac_override ipc_lock setuid }; +-allow winbind_t self:capability { dac_override ipc_lock setuid }; ++allow winbind_t self:capability { sys_nice dac_override ipc_lock setuid }; dontaudit winbind_t self:capability sys_tty_config; -allow winbind_t self:process signal_perms; -+allow winbind_t self:process { signal_perms getsched }; ++allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; -@@ -694,9 +779,10 @@ +@@ -694,9 +781,10 @@ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) files_pid_filetrans(winbind_t, winbind_var_run_t, file) @@ -24022,7 +24158,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(winbind_t) corenet_all_recvfrom_netlabel(winbind_t) -@@ -724,6 +810,7 @@ +@@ -720,10 +808,12 @@ + + auth_domtrans_chk_passwd(winbind_t) + auth_use_nsswitch(winbind_t) ++auth_rw_cache(winbind_t) + domain_use_interactive_fds(winbind_t) files_read_etc_files(winbind_t) @@ -24030,7 +24171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(winbind_t) libs_use_shared_libs(winbind_t) -@@ -780,8 +867,13 @@ +@@ -780,8 +870,13 @@ miscfiles_read_localization(winbind_helper_t) optional_policy(` @@ -24044,7 +24185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -790,6 +882,16 @@ +@@ -790,6 +885,16 @@ # optional_policy(` 
@@ -24061,7 +24202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -800,9 +902,46 @@ +@@ -800,9 +905,46 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -24629,7 +24770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.13/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/snmp.fc 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/snmp.fc 2008-12-18 09:13:48.000000000 -0500 @@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmp_initrc_exec_t,s0) +/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmp_initrc_exec_t,s0) 
@@ -24645,6 +24786,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) +@@ -15,5 +19,5 @@ + + /var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) + +-/var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) ++/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) + /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.5.13/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2008-10-17 08:49:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/snmp.if 2008-11-24 10:49:49.000000000 -0500 @@ -25769,7 +25917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-12-05 11:39:29.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-12-18 10:02:59.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; 
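Review bot: Replacing `/var/run/snmpd -d` with `/var/run/snmpd(/.*)?` drops the file-class specifier, so every object class created under that directory is now labelled `snmpd_var_run_t`, not just the directory. Whether `snmpd_t` has matching manage rules for files and sockets of that type is not visible in this hunk and should be checked in snmp.te, otherwise the relabel only moves the denial. While this block is being edited, the neighbouring context entry `/var/net-snmp(/.*)` lacks the trailing `?` that the other entries use, so the directory itself is not matched by it; `/var/net-snmp(/.*)?` would be consistent.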
@@ -25895,16 +26043,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t) -@@ -254,6 +249,8 @@ +@@ -254,6 +249,9 @@ userdom_use_unpriv_users_fds($1_ssh_t) userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t) userdom_search_user_home_dirs($1,$1_ssh_t) + userdom_write_user_tmp_sockets(user,$1_ssh_t) ++ userdom_read_user_home_content_symlinks($1_ssh_t) + # Write to the user domain tty. userdom_use_user_terminals($1,$1_ssh_t) # needs to read krb tgt -@@ -279,24 +276,14 @@ +@@ -279,24 +277,15 @@ # for port forwarding tunable_policy(`user_tcp_server',` corenet_tcp_bind_ssh_port($1_ssh_t) @@ -25915,6 +26064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t) +# xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t) xserver_domtrans_user_xauth($1, $1_ssh_t) ++ xserver_stream_connect_xdm_xserver($1_ssh_t) ') - ifdef(`TODO',` @@ -25931,7 +26081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # $1_ssh_agent_t local policy -@@ -381,12 +368,9 @@ +@@ -381,12 +370,9 @@ optional_policy(` xserver_use_xdm_fds($1_ssh_agent_t) xserver_rw_xdm_pipes($1_ssh_agent_t) @@ -25945,7 +26095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # $1_ssh_keysign_t local policy -@@ -413,6 +397,25 @@ +@@ -413,6 +399,25 @@ ') ') @@ -25971,7 +26121,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### ## ## The template to define a ssh server. -@@ -443,13 +446,14 @@ +@@ -443,13 +448,14 @@ type $1_var_run_t; files_pid_file($1_var_run_t) 
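Review bot: The added `userdom_read_user_home_content_symlinks($1_ssh_t)` passes a single argument, while the neighbouring calls in the same block pass the role prefix first (`userdom_search_user_home_dirs($1,$1_ssh_t)`, `userdom_use_user_terminals($1,$1_ssh_t)`). If this interface is the per-role form like its neighbours, the domain argument expands empty and the rule will not grant what is intended; the call would then need to be `userdom_read_user_home_content_symlinks($1, $1_ssh_t)`. The line above it also hard-codes `user` instead of `$1` in `userdom_write_user_tmp_sockets(user,$1_ssh_t)`, which is worth confirming as deliberate. The enclosing ssh per-role template starts and ends outside this hunk.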
@@ -25987,7 +26137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -478,7 +482,12 @@ +@@ -478,7 +484,12 @@ corenet_udp_bind_all_nodes($1_t) corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) @@ -26000,7 +26150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_getattr_all_fs($1_t) -@@ -506,9 +515,14 @@ +@@ -506,9 +517,14 @@ userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) userdom_search_all_users_home_dirs($1_t) @@ -26015,7 +26165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -517,11 +531,7 @@ +@@ -517,11 +533,7 @@ optional_policy(` kerberos_use($1_t) @@ -26028,7 +26178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -710,3 +720,22 @@ +@@ -710,3 +722,22 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -26820,7 +26970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-12-02 15:46:34.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-12-15 12:15:34.000000000 -0500 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; 
@@ -28848,7 +28998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.5.13/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/authlogin.if 2008-12-08 15:05:47.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/authlogin.if 2008-12-15 12:01:46.000000000 -0500 @@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) @@ -30023,7 +30173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-09 10:22:43.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-15 11:28:03.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -30147,7 +30297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -310,3 +332,21 @@ +@@ -310,3 +332,20 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) 
@@ -30164,9 +30314,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 447fadc..db606b3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 34%{?dist} +Release: 35%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -459,6 +459,9 @@ exit 0 %endif %changelog +* Tue Dec 9 2008 Dan Walsh 3.5.13-35 +- Allow staff_t to execute at jobs + * Tue Dec 9 2008 Dan Walsh 3.5.13-34 - Allow semanage to send signals to itself
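Review bot: The new `/usr/lib(64)?/i686/.*\.so.*` entry labels every shared object under that directory as `textrel_shlib_t`, alongside the existing blanket `/usr/lib(64)?/sse2/.*\.so.*`. That type marks libraries that need text relocations, so a directory-wide wildcard extends the relaxed execmod handling to libraries that do not need it and to anything later installed there. The same hunk removes the two `libav.*` entries, which leaves copies of those libraries directly under `/usr/lib(64)?` without the label if they still require it. Listing the specific libraries that produced denials, as the `libmpeg2` line above does, keeps the exemption narrow.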