diff --git a/modules-minimum.conf b/modules-minimum.conf index 59f04a0..d1bb917 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -968,6 +968,13 @@ mls = base # mock = module +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + # Layer: system # Module: modutils # diff --git a/modules-mls.conf b/modules-mls.conf index 27eefa3..b99b28a 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -920,6 +920,13 @@ modemmanager = module # modutils = base +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + # Layer: apps # Module: mono # diff --git a/modules-targeted.conf b/modules-targeted.conf index 59f04a0..d1bb917 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -968,6 +968,13 @@ mls = base # mock = module +# Layer: services +# Module: mojomojo +# +# Wiki server +# +mojomojo = module + # Layer: system # Module: modutils # diff --git a/policy-F14.patch b/policy-F14.patch index 70695c6..9eb8862 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -339,8 +339,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.8.8/policy/modules/admin/accountsd.te --- nsaserefpolicy/policy/modules/admin/accountsd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.te 2010-07-20 10:46:10.000000000 -0400 -@@ -0,0 +1,62 @@ ++++ serefpolicy-3.8.8/policy/modules/admin/accountsd.te 2010-07-26 13:19:45.000000000 -0400 +@@ -0,0 +1,64 @@ +policy_module(accountsd,1.0.0) + +######################################## 
@@ -351,6 +351,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account +type accountsd_t; +type accountsd_exec_t; +dbus_system_domain(accountsd_t, accountsd_exec_t) ++init_daemon_domain(accountsd_t, accountsd_exec_t) ++role system_r types accountsd_t; + +type accountsd_var_lib_t; +files_type(accountsd_var_lib_t) @@ -6230,7 +6232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se dbus_session_bus_client($1_wm_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-06-08 10:35:48.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc 2010-07-20 11:36:00.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc 2010-07-26 07:56:45.000000000 -0400 @@ -9,8 +9,10 @@ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -6252,7 +6254,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0) /etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -145,6 +150,10 @@ +@@ -126,6 +131,7 @@ + /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0) + /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) + ') ++/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) + + # + # /sbin +@@ -145,6 +151,10 @@ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) 
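Review bot: The added `role system_r types accountsd_t;` in accountsd.te looks redundant: the `init_daemon_domain(accountsd_t, accountsd_exec_t)` added on the line above it (via `init_domain`) and the pre-existing `dbus_system_domain(accountsd_t, accountsd_exec_t)` both already carry `role system_r types $1;` in refpolicy of this vintage, as far as I recall. A duplicate role statement builds fine, but it obscures which interface actually owns the authorization, so I would keep only the `init_daemon_domain` call. If the explicit line is meant to survive a later removal of one of those interfaces, a one-line comment such as `# system_r authorization kept explicit on purpose` would make that intent visible. The accountsd.te declaration block continues past the end of this hunk.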
@@ -6263,7 +6273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ifdef(`distro_gentoo',` /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -169,6 +178,7 @@ +@@ -169,6 +179,7 @@ /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6271,7 +6281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -228,6 +238,8 @@ +@@ -228,6 +239,8 @@ /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6280,7 +6290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,6 +326,7 @@ +@@ -314,6 +327,7 @@ /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0) 
@@ -6288,7 +6298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') ifdef(`distro_suse', ` -@@ -340,3 +353,24 @@ +@@ -340,3 +354,24 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -6509,7 +6519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-06-08 10:35:48.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-07-20 11:30:38.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-07-26 14:00:19.000000000 -0400 @@ -606,6 +606,24 @@ ######################################## @@ -6662,7 +6672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device allow devices_unconfined_type mtrr_device_t:file *; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.8.8/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2010-03-18 06:48:09.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/domain.if 2010-07-20 10:46:10.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/domain.if 2010-07-23 08:55:47.000000000 -0400 @@ -611,7 +611,7 @@ ######################################## 
@@ -7014,7 +7024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/files.if 2010-07-20 13:55:05.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/files.if 2010-07-26 13:59:34.000000000 -0400 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -7265,7 +7275,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -5522,6 +5687,7 @@ +@@ -5505,6 +5670,26 @@ + + ######################################## + ## ++## manage all pidfile directories ++## in the /var/run directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_all_pids_dirs',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ manage_dirs_pattern($1,pidfile,pidfile) ++') ++ ++ ++######################################## ++## + ## Read all process ID files. + ## + ## +@@ -5522,6 +5707,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -7273,7 +7310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5807,3 +5973,229 @@ +@@ -5807,3 +5993,229 @@ typeattribute $1 files_unconfined_type; ') 
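Review bot: The new `files_manage_all_pids_dirs` interface grants create/delete/rename/setattr on every directory carrying the `pidfile` attribute, wherever it is labeled, so the summary "in the /var/run directory" understates the grant; I would word it as "Create, read, write, and delete all directories of pidfile types (normally under /var/run)". The body also omits a `var_t` search, which the sibling pid interfaces in this file appear to provide, so callers only reach those directories if they already have it; worth either adding `files_search_var($1)` or noting the precondition in the description. Stylistically, `manage_dirs_pattern($1,pidfile,pidfile)` should follow the spacing used two lines below (`read_files_pattern($1, pidfile, pidfile)`), i.e. `manage_dirs_pattern($1, pidfile, pidfile)`, and the doubled blank line before the next `####` header breaks the file's one-blank-line rhythm.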
@@ -7537,6 +7574,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc +--- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2010-06-08 10:35:48.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc 2010-07-26 14:44:11.000000000 -0400 +@@ -1,3 +1,3 @@ + /dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) + +-/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) ++/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-07-14 11:21:53.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-07-21 11:43:41.000000000 -0400 @@ -7941,7 +7986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel # Unlabeled process local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.8.8/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if 2010-07-20 10:46:10.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if 2010-07-26 13:20:35.000000000 -0400 @@ -40,7 +40,7 @@ # because of this statement, any module which 
@@ -8001,7 +8046,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.8.8/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2010-06-04 17:11:28.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc 2010-07-21 10:39:42.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc 2010-07-23 09:57:06.000000000 -0400 +@@ -5,7 +5,7 @@ + /dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0) + /dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0) + /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0) +-/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/[shmvx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) @@ -77,3 +77,6 @@ /dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) 
@@ -10478,13 +10532,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.8/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2010-04-06 15:15:38.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/apache.fc 2010-07-22 11:54:47.000000000 -0400 -@@ -20,11 +20,11 @@ - /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - - /usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) -+/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - /usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) ++++ serefpolicy-3.8.8/policy/modules/services/apache.fc 2010-07-23 06:10:20.000000000 -0400 +@@ -24,7 +24,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -10492,7 +10541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -43,10 +43,10 @@ +@@ -43,7 +42,6 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') 
@@ -10500,11 +10549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - /usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -@@ -74,6 +74,7 @@ +@@ -74,6 +72,7 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -10512,7 +10557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -@@ -86,7 +87,6 @@ +@@ -86,7 +85,6 @@ /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -10520,7 +10565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -109,3 +109,17 @@ +@@ -109,3 +107,16 @@ /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) 
@@ -10532,7 +10577,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) @@ -10540,7 +10584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.8/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/apache.if 2010-07-21 11:17:41.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/apache.if 2010-07-23 08:55:49.000000000 -0400 @@ -13,17 +13,13 @@ # template(`apache_content_template',` @@ -12025,8 +12069,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.if serefpolicy-3.8.8/policy/modules/services/bugzilla.if --- nsaserefpolicy/policy/modules/services/bugzilla.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if 2010-07-20 10:46:10.000000000 -0400 -@@ -0,0 +1,39 @@ ++++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if 2010-07-23 06:11:39.000000000 -0400 +@@ -0,0 +1,81 @@ +## Bugzilla server + +######################################## 
@@ -12066,6 +12110,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz + + dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; +') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an bugzilla environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the bugzilla domain. ++## ++## ++## ++# ++interface(`bugzilla_admin',` ++ gen_require(` ++ type httpd_bugzilla_script_t; ++ type httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; ++ type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t; ++ type httpd_bugzilla_script_exec_t, httpd_bugzilla_htaccess_t; ++ ') ++ ++ allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, httpd_bugzilla_script_t) ++ ++ files_list_tmps($1) ++ admin_pattern($1, httpd_bugzilla_tmp_t) ++ ++ files_search_var_lib(httpd_bugzilla_script_t) ++ ++ apache_search_sys_content($1) ++ admin_pattern($1, httpd_bugzilla_script_exec_t) ++ admin_pattern($1, httpd_bugzilla_script_t) ++ admin_pattern($1, httpd_bugzilla_content_t) ++ admin_pattern($1, httpd_bugzilla_htaccess_t) ++ admin_pattern($1, httpd_bugzilla_rw_content_t) ++ admin_pattern($1, httpd_bugzilla_ra_content_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.te serefpolicy-3.8.8/policy/modules/services/bugzilla.te --- nsaserefpolicy/policy/modules/services/bugzilla.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/bugzilla.te 2010-07-20 10:46:10.000000000 -0400 
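Review bot: `files_list_tmps($1)` in the new `bugzilla_admin` interface does not appear to be a refpolicy interface; the parallel `mojomojo_admin` added by this same patch calls `files_list_tmp($1)`, and an undefined m4 macro is left unexpanded and fails the policy build, so this should read `files_list_tmp($1)`. Two lines further down, `files_search_var_lib(httpd_bugzilla_script_t)` grants the permission to the managed script domain rather than to the administrator, which is a side effect on the service from inside an admin interface; the admin needs it to reach `/var/lib/bugzilla`, so it should be `files_search_var_lib($1)`. The `$2` role parameter is documented but never used in the body; either drop it from the docs or note that this module has no init script or daemon domain to authorize the role for.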
@@ -13130,7 +13216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.8.8/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cobbler.te 2010-07-20 10:46:10.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/cobbler.te 2010-07-22 16:37:05.000000000 -0400 @@ -1,3 +1,4 @@ + policy_module(cobbler, 1.1.0) @@ -13225,7 +13311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -@@ -52,39 +92,92 @@ +@@ -52,39 +92,93 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) @@ -13268,6 +13354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +files_read_etc_runtime_files(cobblerd_t) files_read_usr_files(cobblerd_t) files_list_boot(cobblerd_t) ++files_read_boot_files(cobblerd_t) files_list_tmp(cobblerd_t) -# read /etc/nsswitch.conf -files_read_etc_files(cobblerd_t) @@ -13322,7 +13409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb optional_policy(` bind_read_config(cobblerd_t) bind_write_config(cobblerd_t) -@@ -95,6 +188,10 @@ +@@ -95,6 +189,10 @@ ') optional_policy(` @@ -13333,7 +13420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb dhcpd_domtrans(cobblerd_t) dhcpd_initrc_domtrans(cobblerd_t) ') -@@ -110,12 +207,20 @@ +@@ -110,12 +208,20 @@ ') optional_policy(` 
@@ -13357,7 +13444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ') ######################################## -@@ -123,6 +228,18 @@ +@@ -123,6 +229,18 @@ # Cobbler web local policy. # @@ -13594,7 +13681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.8.8/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cron.if 2010-07-21 08:55:04.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/cron.if 2010-07-23 08:29:53.000000000 -0400 @@ -12,6 +12,10 @@ ## # @@ -13637,7 +13724,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -154,27 +164,14 @@ +@@ -106,6 +116,8 @@ + interface(`cron_role',` + gen_require(` + type cronjob_t, crontab_t, crontab_exec_t; ++ type user_cron_spool_t; ++ type crond_t; + ') + + role $1 types { cronjob_t crontab_t }; +@@ -116,6 +128,12 @@ + # Transition from the user domain to the derived domain. + domtrans_pattern($2, crontab_exec_t, crontab_t) + ++ allow crond_t $2:process transition; ++ allow $2 crond_t:process sigchld; ++ ++ # needs to be authorized SELinux context for cron ++ allow $2 user_cron_spool_t:file entrypoint; ++ + # crontab shows up in user ps + ps_process_pattern($2, crontab_t) + allow $2 crontab_t:process signal; +@@ -154,27 +172,14 @@ # interface(`cron_unconfined_role',` gen_require(` @@ -13667,7 +13776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron optional_policy(` gen_require(` class dbus send_msg; -@@ -408,7 +405,43 @@ +@@ -408,7 +413,43 @@ type crond_t; ') 
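Review bot: The three rules added to `cron_role` (`allow crond_t $2:process transition;`, `allow $2 crond_t:process sigchld;`, `allow $2 user_cron_spool_t:file entrypoint;`) let crond_t transition straight into the caller's login domain `$2` with any `user_cron_spool_t` file as the entrypoint, so a user's cron jobs now run with the user's full domain rather than the narrower `cronjob_t` this interface still sets up; the comment "needs to be authorized SELinux context for cron" does not say that, and a reader will not see the privilege implication. I would replace it with `# Run this user's cron jobs directly in $2 instead of cronjob_t: crond_t transitions to $2 using the user's crontab (user_cron_spool_t) as the entrypoint file`. If this is meant to be optional, it is worth saying why it is not behind a tunable. The `gen_require` additions also list `type user_cron_spool_t;` and `type crond_t;` on separate lines where the file groups requires on one comma-separated line. `cron_role` starts and ends outside this hunk.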
@@ -13712,7 +13821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -554,7 +587,7 @@ +@@ -554,7 +595,7 @@ type system_cronjob_t; ') @@ -13721,7 +13830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -587,11 +620,14 @@ +@@ -587,11 +628,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -13737,7 +13846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -627,7 +663,48 @@ +@@ -627,7 +671,48 @@ interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; 
@@ -15958,6 +16067,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. mta_send_mail(innd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.8.8/policy/modules/services/kerberos.fc +--- nsaserefpolicy/policy/modules/services/kerberos.fc 2009-07-23 14:11:04.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/kerberos.fc 2010-07-23 06:51:35.000000000 -0400 +@@ -8,7 +8,7 @@ + /etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) + /etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + +-/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/kadmin -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.8.8/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2010-06-18 13:07:19.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/kerberos.te 2010-07-20 10:46:10.000000000 -0400 
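Review bot: Replacing the kerberos.fc pattern `/etc/rc\.d/init\.d/kadmind` with `/etc/rc\.d/init\.d/kadmin` drops the old name entirely, so on a system that still ships an init script called `kadmind` that file falls back to the generic `initrc_exec_t` and can no longer be run through the kerberos initrc domtrans used by the admin interface. Since both spellings have existed, a pattern covering both is safer: `/etc/rc\.d/init\.d/kadmind? -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)`. Whether any supported release still installs the `kadmind` name is something to confirm against the krb5 packaging.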
@@ -16702,6 +16823,111 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode +optional_policy(` udev_read_db(modemmanager_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.fc serefpolicy-3.8.8/policy/modules/services/mojomojo.fc +--- nsaserefpolicy/policy/modules/services/mojomojo.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.8.8/policy/modules/services/mojomojo.fc 2010-07-23 06:06:40.000000000 -0400 +@@ -0,0 +1,5 @@ ++/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0) ++ ++/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0) ++ ++/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.if serefpolicy-3.8.8/policy/modules/services/mojomojo.if +--- nsaserefpolicy/policy/modules/services/mojomojo.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.8.8/policy/modules/services/mojomojo.if 2010-07-23 06:39:20.000000000 -0400 +@@ -0,0 +1,43 @@ ++## Mojomojo server ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mojomojo environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the mojomojo domain. 
++## ++## ++## ++# ++interface(`mojomojo_admin',` ++ gen_require(` ++ type httpd_mojomojo_script_t; ++ type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; ++ type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t; ++ type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t; ++ ') ++ ++ allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, httpd_mojomojo_script_t) ++ ++ files_list_tmp($1) ++ admin_pattern($1, httpd_mojomojo_tmp_t) ++ ++ files_search_var_lib(httpd_mojomojo_script_t) ++ ++ apache_search_sys_content($1) ++ admin_pattern($1, httpd_mojomojo_script_exec_t) ++ admin_pattern($1, httpd_mojomojo_script_t) ++ admin_pattern($1, httpd_mojomojo_content_t) ++ admin_pattern($1, httpd_mojomojo_htaccess_t) ++ admin_pattern($1, httpd_mojomojo_rw_content_t) ++ admin_pattern($1, httpd_mojomojo_ra_content_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.te serefpolicy-3.8.8/policy/modules/services/mojomojo.te +--- nsaserefpolicy/policy/modules/services/mojomojo.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.8.8/policy/modules/services/mojomojo.te 2010-07-23 06:08:31.000000000 -0400 +@@ -0,0 +1,45 @@ ++policy_module(mojomojo, 1.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++apache_content_template(mojomojo) ++ ++type httpd_mojomojo_tmp_t; ++files_tmp_file(httpd_mojomojo_tmp_t) ++ ++######################################## ++# ++# mojomojo local policy ++# ++ ++allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; ++ ++manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) ++manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) ++files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir }) ++ ++corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) ++corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t) 
++ ++corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) ++corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t) ++ ++corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) ++corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) ++ ++files_search_var_lib(httpd_mojomojo_script_t) ++ ++mta_send_mail(httpd_mojomojo_script_t) ++ ++sysnet_dns_name_resolve(httpd_mojomojo_script_t) ++ ++optional_policy(` ++ mysql_stream_connect(httpd_mojomojo_script_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(httpd_mojomojo_script_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.fc serefpolicy-3.8.8/policy/modules/services/mpd.fc --- nsaserefpolicy/policy/modules/services/mpd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/mpd.fc 2010-07-20 10:46:10.000000000 -0400 @@ -17749,7 +17975,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.8.8/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nis.fc 2010-07-20 10:46:10.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/nis.fc 2010-07-23 09:52:27.000000000 -0400 +@@ -1,5 +1,5 @@ + /etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/yppasswdd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) + /etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) + /etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) + /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) 
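Review bot: In the new `mojomojo_admin` interface, `files_search_var_lib(httpd_mojomojo_script_t)` grants the permission to the managed script domain instead of to the administrator `$1`, which is the domain that needs it to reach `/var/lib/mojomojo`; the script domain already gets the same permission in mojomojo.te, so this line is both misplaced and redundant and should read `files_search_var_lib($1)`. The `$2` role parameter is documented but unused in the body, so either note that there is no daemon or init script to authorize the role for, or drop it from the description. In mojomojo.te, `policy_module(mojomojo, 1.0)` uses a two-component version where refpolicy modules conventionally carry three (`1.0.0`); and the unconditional `corenet_tcp_connect_postgresql_port`, `mysqld_port` and `smtp_port` grants deserve a one-line comment stating that the FastCGI wiki talks to its database and mail relay over TCP, so they are not mistaken for leftovers later.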
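Review bot: The nis.fc change from `/etc/rc\.d/init\.d/yppasswd` to `/etc/rc\.d/init\.d/yppasswdd` removes the old spelling outright, so an init script still installed under the old name would be labeled `initrc_exec_t` and lose the `nis_initrc_exec_t` handling. A pattern that matches both, `/etc/rc\.d/init\.d/yppasswdd? -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)`, avoids the regression if both names are in circulation, which is worth checking against the ypserv package before choosing.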
@@ -11,6 +11,7 @@ /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) @@ -22976,6 +23209,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn ####################################### ## ## Read varnish logs. +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.8.8/policy/modules/services/varnishd.te +--- nsaserefpolicy/policy/modules/services/varnishd.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/varnishd.te 2010-07-26 07:45:50.000000000 -0400 +@@ -50,7 +50,7 @@ + # varnishd local policy + # + +-allow varnishd_t self:capability { dac_override ipc_lock setuid setgid }; ++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; + allow varnishd_t self:process signal; + allow varnishd_t self:fifo_file rw_fifo_file_perms; + allow varnishd_t self:tcp_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.8.8/policy/modules/services/vhostmd.if --- nsaserefpolicy/policy/modules/services/vhostmd.if 2010-03-29 15:04:22.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/vhostmd.if 2010-07-21 11:07:39.000000000 -0400 @@ -26448,7 +26693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-07-22 12:34:15.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-07-26 14:00:27.000000000 -0400 @@ -16,6 +16,27 @@ ## gen_tunable(init_upstart, false) 
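Review bot: Adding `kill` to varnishd_t's self capability set in varnishd.te comes with no explanation, and a capability grant that looks unused is the first thing a later cleanup removes. Given that `setuid`/`setgid` are already granted and the domain only has `self:process signal`, this presumably lets the root management process signal its worker child after it has dropped to the varnish uid; a comment above the rule such as `# management process signals its worker child, which runs under a different uid` would record that, with the caller verified against the actual AVC denial that prompted the change.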
@@ -26560,7 +26805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -185,15 +216,61 @@ +@@ -185,15 +216,64 @@ sysadm_shell_domtrans(init_t) ') @@ -26580,10 +26825,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + + dev_write_kmsg(init_t) + dev_rw_autofs(init_t) -+ dev_rw_generic_chr_files(init_t) -+ dev_create_generic_dirs(init_t) ++ dev_manage_generic_dirs(init_t) + + files_mounton_all_mountpoints(init_t) ++ files_manage_all_pids_dirs(init_t) + + fs_manage_cgroup_dirs(init_t) + fs_manage_tmpfs_dirs(init_t) @@ -26593,8 +26838,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + fs_write_cgroup_files(init_t) + + selinux_compute_create_context(init_t) ++ selinux_validate_context(init_t) + + init_read_script_state(init_t) ++ ++ seutil_read_file_contexts(init_t) +') + optional_policy(` @@ -26622,7 +26870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t nscd_socket_use(init_t) ') -@@ -211,7 +288,7 @@ +@@ -211,7 +291,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -26631,7 +26879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -240,6 +317,7 @@ +@@ -240,6 +320,7 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
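Review bot: The init.te hunk replaces `dev_rw_generic_chr_files(init_t)` and `dev_create_generic_dirs(init_t)` with the single `dev_manage_generic_dirs(init_t)`, but these are not equivalent: the new call covers directories only, so read/write on generic character devices is silently dropped, and the change does not say whether that access was found to be unnecessary. Alongside it, `files_manage_all_pids_dirs(init_t)` lets init create, delete and rename every pidfile-typed directory on the system (judging from the indentation and the earlier `init_upstart` tunable, this sits inside the upstart-conditional block, whose start and end lie outside the hunk); it deserves a why-comment along the lines of `# upstart creates and removes per-job directories under /var/run -- TODO confirm which jobs require this` so the breadth of the grant is visible. If the chr-file access is still required, keep `dev_rw_generic_chr_files(init_t)` next to the new `dev_manage_generic_dirs(init_t)` call.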
@@ -26639,7 +26887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -257,11 +335,22 @@ +@@ -257,11 +338,22 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -26662,7 +26910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_exec_all_executables(initrc_t) -@@ -297,11 +386,13 @@ +@@ -297,11 +389,13 @@ dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -26676,7 +26924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -320,8 +411,10 @@ +@@ -320,8 +414,10 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -26688,7 +26936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -337,6 +430,8 @@ +@@ -337,6 +433,8 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -26697,7 +26945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_delete_cgroup_dirs(initrc_t) fs_list_cgroup_dirs(initrc_t) -@@ -350,6 +445,8 @@ +@@ -350,6 +448,8 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -26706,7 +26954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -362,6 +459,7 @@ +@@ -362,6 +462,7 @@ mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -26714,7 +26962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -393,13 +491,14 @@ +@@ -393,13 +494,14 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -26730,7 +26978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -472,7 +571,7 @@ +@@ -472,7 +574,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -26739,7 +26987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -518,6 +617,19 @@ +@@ -518,6 +620,19 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -26759,7 +27007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -525,10 +637,17 @@ +@@ -525,10 +640,17 @@ rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -26777,7 +27025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -543,6 +662,35 @@ +@@ -543,6 +665,35 @@ ') ') @@ -26813,7 +27061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -555,6 +703,8 @@ +@@ -555,6 +706,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -26822,7 +27070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -571,6 +721,7 @@ +@@ -571,6 +724,7 @@ optional_policy(` cgroup_stream_connect(initrc_t) 
@@ -26830,7 +27078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -583,6 +734,11 @@ +@@ -583,6 +737,11 @@ ') optional_policy(` @@ -26842,7 +27090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -599,6 +755,7 @@ +@@ -599,6 +758,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -26850,7 +27098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -700,7 +857,12 @@ +@@ -700,7 +860,12 @@ ') optional_policy(` @@ -26863,7 +27111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -723,6 +885,10 @@ +@@ -723,6 +888,10 @@ ') optional_policy(` @@ -26874,7 +27122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -765,8 +931,6 @@ +@@ -765,8 +934,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -26883,7 +27131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -779,10 +943,12 @@ +@@ -779,10 +946,12 @@ squid_manage_logs(initrc_t) ') @@ -26896,7 +27144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -804,11 +970,19 @@ +@@ -804,11 +973,19 @@ ') optional_policy(` @@ -26917,7 +27165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -818,6 +992,25 @@ +@@ -818,6 +995,25 @@ optional_policy(` mono_domtrans(initrc_t) ') 
@@ -26943,7 +27191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -843,3 +1036,55 @@ +@@ -843,3 +1039,55 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -27900,7 +28148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_system_change_exemption($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.8/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/logging.te 2010-07-20 10:46:11.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/logging.te 2010-07-26 07:54:12.000000000 -0400 @@ -60,6 +60,7 @@ type syslogd_t; type syslogd_exec_t; @@ -27971,7 +28219,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -372,6 +394,11 @@ +@@ -369,9 +391,15 @@ + manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) + files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) + ++manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) files_search_var_lib(syslogd_t) @@ -27983,7 +28235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -412,6 +439,7 @@ +@@ -412,6 +440,7 @@ dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) @@ -27991,7 +28243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_use_interactive_fds(syslogd_t) -@@ -488,6 +516,10 @@ +@@ -488,6 +517,10 @@ ') optional_policy(` 
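Review bot: The added `manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)` in the logging.te hunk at `@@ -27971,7 +28219,11 @@` carries no comment and the changelog only says "New permissions for syslog", so a reader cannot tell which socket syslogd now creates under its var_lib directory; a line such as `# rsyslog creates unix sockets under its /var/lib directory (additional socket listeners; confirm)` would document it, with the purpose hedged because the hunk does not show it. Because the rule is `manage` rather than `create_sock_files_pattern`, syslogd_t can also unlink and rename those sockets; if only creation and use are needed, the narrower pattern keeps the rule minimal. The syslogd_t rule block continues outside the hunk.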
@@ -28480,7 +28732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.8/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/mount.te 2010-07-20 10:46:11.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/mount.te 2010-07-22 16:44:21.000000000 -0400
@@ -17,8 +17,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -28521,7 +28773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
-+allow mount_t self:process { getcap getsched ptrace setcap signal };
++allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_t self:unix_dgram_socket create_socket_perms;
@@ -28830,7 +29082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.8.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.if 2010-07-20 10:46:11.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.if 2010-07-26 13:21:09.000000000 -0400
@@ -361,6 +361,27 @@
########################################
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4cd1bc8..d533ce5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.8
-Release: 3%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,13 @@ exit 0
%endif
%changelog
+* Mon Jul 26 2010 Dan Walsh 3.8.8-5
+- New permissions for syslog
+- New labels for /lib/upstart
+
+* Fri Jul 23 2010 Dan Walsh 3.8.8-4
+- Add mojomojo policy
+
+* Thu Jul 22 2010 Dan Walsh 3.8.8-3
- Allow systemd to setsockcon on sockets to immitate other services