diff --git a/policy-20071130.patch b/policy-20071130.patch
index 1edc290..4e6fa77 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -106,12 +106,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsaf
 +system_r:unconfined_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/guest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/config/appconfig-mcs/guest_u_default_contexts 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,4 @@
++++ serefpolicy-3.3.1/config/appconfig-mcs/guest_u_default_contexts 2008-08-13 13:50:55.000000000 -0400
+@@ -0,0 +1,6 @@
 +system_r:local_login_t:s0 guest_r:guest_t:s0
 +system_r:remote_login_t:s0 guest_r:guest_t:s0
 +system_r:sshd_t:s0 guest_r:guest_t:s0
 +system_r:crond_t:s0 guest_r:guest_crond_t:s0
++system_r:initrc_su_t:s0 guest_r:guest_t:s0
++guest_r:guest_t:s0 guest_r:guest_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/root_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-06-12 23:38:01.000000000 -0400
 +++ serefpolicy-3.3.1/config/appconfig-mcs/root_default_contexts 2008-07-15 14:02:51.000000000 -0400
@@ -128,10 +130,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_de # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/staff_u_default_contexts +--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-06-12 23:38:01.000000000 -0400 ++++ serefpolicy-3.3.1/config/appconfig-mcs/staff_u_default_contexts 2008-08-13 13:50:13.000000000 -0400 +@@ -5,6 +5,8 @@ + system_r:xdm_t:s0 staff_r:staff_t:s0 + staff_r:staff_su_t:s0 staff_r:staff_t:s0 + staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 ++system_r:initrc_su_t:s0 staff_r:staff_t:s0 ++staff_r:staff_t:s0 staff_r:staff_t:s0 + sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 + sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 + diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/unconfined_u_default_contexts --- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/config/appconfig-mcs/unconfined_u_default_contexts 2008-07-15 14:02:51.000000000 -0400 -@@ -0,0 +1,9 @@ ++++ serefpolicy-3.3.1/config/appconfig-mcs/unconfined_u_default_contexts 2008-08-13 13:49:38.000000000 -0400 +@@ -0,0 +1,11 @@ +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 +system_r:initrc_t:s0 unconfined_r:unconfined_t:s0 +system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 
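Review bot: The new self-mapping line `staff_r:staff_t:s0 staff_r:staff_t:s0` in staff_u_default_contexts carries no explanation, even though these files accept `#` comments, as the root_default_contexts lines just above show. It presumably exists so that a caller already running in staff_t that consults default_contexts gets staff_t back instead of no match, perhaps for su/initrc_su_t-started sessions — confirm and record the reason, e.g. `# a staff_t process consulting default_contexts for itself stays staff_t`. The same unexplained pattern is repeated for guest, user, xguest and unconfined in the neighbouring hunks, so one comment per file, or a note in the commit description, would cover all of them.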
@@ -140,7 +154,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfi +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 +system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 +system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 ++system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0 ++unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 +system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/user_u_default_contexts +--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-06-12 23:38:01.000000000 -0400 ++++ serefpolicy-3.3.1/config/appconfig-mcs/user_u_default_contexts 2008-08-13 13:52:58.000000000 -0400 +@@ -5,4 +5,5 @@ + system_r:xdm_t:s0 user_r:user_t:s0 + user_r:user_su_t:s0 user_r:user_t:s0 + user_r:user_sudo_t:s0 user_r:user_t:s0 +- ++system_r:initrc_su_t:s0 user_r:user_t:s0 ++user_r:user_t:s0 user_r:user_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.3.1/config/appconfig-mcs/userhelper_context --- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/config/appconfig-mcs/userhelper_context 2008-07-15 14:02:51.000000000 -0400 
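Review bot: The two unconfined lines are inserted between `system_r:unconfined_t:s0` and `system_r:xdm_t:s0`, which breaks the alphabetical order that unconfined_u_default_contexts otherwise keeps (crond, initrc, local_login, ..., sshd, sysadm_su, unconfined, xdm). Moving `system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0` up beside `system_r:initrc_t:s0` and leaving the `unconfined_r:unconfined_t:s0` self-entry at the end would restore it; matching is by source context, so the order has no functional effect, this is purely readability. The user_u change in the same hunk replaces a trailing blank line, which is fine.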
@@ -341,13 +367,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/x_conte
 +event * system_u:object_r:default_xevent_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.3.1/config/appconfig-mcs/xguest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/config/appconfig-mcs/xguest_u_default_contexts 2008-07-15 14:02:51.000000000 -0400
-@@ -0,0 +1,5 @@
++++ serefpolicy-3.3.1/config/appconfig-mcs/xguest_u_default_contexts 2008-08-13 13:50:37.000000000 -0400
+@@ -0,0 +1,7 @@
 +system_r:local_login_t xguest_r:xguest_t:s0
 +system_r:remote_login_t xguest_r:xguest_t:s0
 +system_r:sshd_t xguest_r:xguest_t:s0
 +system_r:crond_t xguest_r:xguest_crond_t:s0
 +system_r:xdm_t xguest_r:xguest_t:s0
++system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
++xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.3.1/config/appconfig-mls/guest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.3.1/config/appconfig-mls/guest_u_default_contexts 2008-07-15 14:02:51.000000000 -0400
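Review bot: The two new xguest lines write the source context with a level (`system_r:initrc_su_t:s0`), while the five existing lines of the same file omit it (`system_r:local_login_t xguest_r:xguest_t:s0`), unlike every other appconfig-mcs file touched in this series, which uses `:s0` throughout. Whether the level-less form still matches depends on how libselinux compares the source context when reading default_contexts, so a file that mixes both forms is at best confusing and at worst half-working; pick one form, and since the rest of the tree uses the full context, add `:s0` to the five existing source contexts in this file.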
@@ -1718,19 +1746,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo ') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.3.1/policy/modules/admin/kismet.fc --- nsaserefpolicy/policy/modules/admin/kismet.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/kismet.fc 2008-07-15 14:02:51.000000000 -0400 -@@ -0,0 +1,5 @@ -+ -+/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) -+/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0) ++++ serefpolicy-3.3.1/policy/modules/admin/kismet.fc 2008-08-29 16:39:13.000000000 -0400 +@@ -0,0 +1,4 @@ ++/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) +/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) +/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) ++/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.3.1/policy/modules/admin/kismet.if --- nsaserefpolicy/policy/modules/admin/kismet.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2008-07-15 14:02:51.000000000 -0400 -@@ -0,0 +1,275 @@ -+ -+## policy for kismet ++++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2008-08-29 16:38:53.000000000 -0400 +@@ -0,0 +1,252 @@ ++## Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. + +######################################## +## 
@@ -1744,13 +1770,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +# +interface(`kismet_domtrans',` + gen_require(` -+ type kismet_t; -+ type kismet_exec_t; ++ type kismet_t, kismet_exec_t; + ') + -+ domtrans_pattern($1,kismet_exec_t,kismet_t) ++ domtrans_pattern($1, kismet_exec_t, kismet_t) +') + ++######################################## ++## ++## Execute kismet in the kismet domain, and ++## allow the specified role the kismet domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the kismet domain. ++## ++## ++## ++## ++## The type of the role's terminal. ++## ++## ++# ++interface(`kismet_run',` ++ gen_require(` ++ type kismet_t; ++ ') ++ ++ kismet_domtrans($1) ++ role $2 types kismet_t; ++ allow kismet_t $3:chr_file rw_term_perms; ++') + +######################################## +## @@ -1767,8 +1822,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + type kismet_var_run_t; + ') + -+ files_search_pids($1) + allow $1 kismet_var_run_t:file read_file_perms; ++ files_search_pids($1) +') + +######################################## @@ -1781,17 +1836,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +## +## +# -+interface(`kismet_manage_var_run',` ++interface(`kismet_manage_pid_files',` + gen_require(` + type kismet_var_run_t; + ') + -+ manage_dirs_pattern($1,kismet_var_run_t,kismet_var_run_t) -+ manage_files_pattern($1,kismet_var_run_t,kismet_var_run_t) -+ manage_lnk_files_pattern($1,kismet_var_run_t,kismet_var_run_t) ++ allow $1 kismet_var_run_t:file manage_file_perms; ++ files_search_pids($1) +') + -+ +######################################## +## +## Search kismet lib directories. 
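Review bot: The renamed `kismet_manage_pid_files` now grants only `allow $1 kismet_var_run_t:file manage_file_perms`, but kismet.te in this same patch lets kismet_t create directories of that type (`files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })`), so an admin domain that relies on this interface can no longer remove a pid directory kismet created. Either keep a `manage_dirs_pattern($1, kismet_var_run_t, kismet_var_run_t)` next to the file rule, or drop `dir` from the filetrans in kismet.te if kismet only ever writes `/var/run/kismet_server.pid`, which is all kismet.fc labels. Losing the old `manage_lnk_files_pattern` is probably fine unless kismet symlinks its pid file.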
@@ -1847,8 +1900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + type kismet_var_lib_t; + ') + -+ allow $1 kismet_var_lib_t:file manage_file_perms; -+ allow $1 kismet_var_lib_t:dir rw_dir_perms; ++ manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) + files_search_var_lib($1) +') + @@ -1862,17 +1914,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +## +## +# -+interface(`kismet_manage_var_lib',` ++interface(`kismet_manage_lib',` + gen_require(` + type kismet_var_lib_t; + ') + -+ manage_dirs_pattern($1,kismet_var_lib_t,kismet_var_lib_t) -+ manage_files_pattern($1,kismet_var_lib_t,kismet_var_lib_t) -+ manage_lnk_files_pattern($1,kismet_var_lib_t,kismet_var_lib_t) ++ manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t) ++ manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) ++ manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) +') + -+ +######################################## +## +## Allow the specified domain to read kismet's log files. @@ -1899,14 +1950,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +## kismet log files. +## +## -+## ++## +## Domain allowed to transition. -+## ++## +## +# +interface(`kismet_append_log',` + gen_require(` -+ type var_log_t, kismet_log_t; ++ type kismet_log_t; + ') + + logging_search_logs($1) 
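Review bot: The parameter description of `kismet_append_log` still reads `Domain allowed to transition.`, but the interface only grants append access to kismet_log_t (its body continues past the end of this hunk), so nothing transitions; the refpolicy wording for this kind of parameter is `Domain allowed access.`. Dropping `var_log_t` from the gen_require is correct since only `logging_search_logs` touches it, and `kismet_manage_lib` now matches the `manage_*_pattern` shape used elsewhere in the file.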
@@ -1928,64 +1979,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + type kismet_log_t; + ') + -+ logging_search_logs($1) -+ manage_dirs_pattern($1,kismet_log_t,kismet_log_t) -+ manage_files_pattern($1,kismet_log_t,kismet_log_t) -+ manage_lnk_files_pattern($1,kismet_log_t,kismet_log_t) -+') -+ -+######################################## -+## -+## Execute kismet in the kismet domain, and -+## allow the specified role the kismet domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the kismet domain. -+## -+## -+## -+## -+## The type of the role's terminal. -+## -+## -+# -+interface(`kismet_run',` -+ gen_require(` -+ type kismet_t; -+ ') -+ -+ kismet_domtrans($1) -+ role $2 types kismet_t; -+ allow kismet_t $3:chr_file rw_term_perms; ++ manage_dirs_pattern($1, kismet_log_t, kismet_log_t) ++ manage_files_pattern($1, kismet_log_t, kismet_log_t) ++ manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t) ++ logging_search_logs($1) +') + -+ +######################################## +## +## All of the rules required to administrate an kismet environment +## -+## -+## -+## Prefix of the domain. Example, user would be -+## the prefix for the uder_t domain. -+## -+## +## +## +## Domain allowed access. +## +## -+## -+## -+## The role to be allowed to manage the kismet domain. -+## -+## +## +# +interface(`kismet_admin',` 
@@ -1993,23 +2001,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + type kismet_t; + ') + -+ allow $1 kismet_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, kismet_t, kismet_t) -+ -+ -+ kismet_manage_var_run($1) -+ -+ kismet_manage_var_lib($1) ++ ps_process_pattern($1, kismet_t) ++ allow $1 kismet_t:process { ptrace signal_perms }; + ++ kismet_manage_pid_files($1) ++ kismet_manage_lib($1) + kismet_manage_log($1) -+ +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.3.1/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2008-07-24 13:59:46.000000000 -0400 -@@ -0,0 +1,56 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2008-08-29 16:38:30.000000000 -0400 +@@ -0,0 +1,57 @@ + -+policy_module(kismet,1.0.0) ++policy_module(kismet, 1.0.2) + +######################################## +# 
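Review bot: `kismet_admin` keeps `allow $1 kismet_t:process { ptrace signal_perms }` without saying why the admin role needs to ptrace the sniffer; since kismet_t holds `net_admin net_raw setuid setgid` (kismet.te in this patch), ptrace lets the admin domain act with those capabilities and read captured frames out of the process. That is the usual refpolicy admin shape, so if it is wanted a one-line comment such as `# ptrace allows debugging a running kismet; it also exposes its captured traffic` makes the trade-off visible, and if the admin role only starts, stops and reads logs, `signal_perms` alone is enough. The interface's gen_require opens before this hunk.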
@@ -2036,14 +2040,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +# + +allow kismet_t self:capability { net_admin net_raw setuid setgid }; ++allow kismet_t self:fifo_file rw_file_perms; ++allow kismet_t self:packet_socket create_socket_perms; ++allow kismet_t self:unix_dgram_socket create_socket_perms; ++allow kismet_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) ++allow kismet_t kismet_log_t:dir setattr; ++logging_log_filetrans(kismet_t, kismet_log_t, { file dir }) ++ ++allow kismet_t kismet_var_lib_t:file manage_file_perms; ++allow kismet_t kismet_var_lib_t:dir manage_dir_perms; ++files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir }) ++ ++allow kismet_t kismet_var_run_t:file manage_file_perms; ++allow kismet_t kismet_var_run_t:dir manage_dir_perms; ++files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) + +corecmd_exec_bin(kismet_t) + -+auth_use_nsswitch(kismet_t) ++kernel_search_debugfs(kismet_t) + -+allow kismet_t self:fifo_file rw_file_perms; -+allow kismet_t self:unix_stream_socket create_stream_socket_perms; -+allow kismet_t self:packet_socket create_socket_perms; ++auth_use_nsswitch(kismet_t) + +files_read_etc_files(kismet_t) + 
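Review bot: The unchanged `allow kismet_t self:capability { net_admin net_raw setuid setgid }` and the newly added `kernel_search_debugfs(kismet_t)` carry no comment explaining what a sniffer needs them for, which is the kind of line the next reviewer will question. Something like `# net_admin/net_raw: monitor mode and raw 802.11 capture; setuid/setgid: presumably to drop to the configured capture user -- confirm` above the capability line would do. `kernel_search_debugfs` only grants search on the mount point; if kismet reads entries beneath it (as the 802.11 drivers of that era exposed through debugfs) further denials will follow, so it is worth confirming against the AVC messages that motivated the line.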
@@ -2051,19 +2069,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +libs_use_shared_libs(kismet_t) + +miscfiles_read_localization(kismet_t) -+ -+allow kismet_t kismet_var_run_t:file manage_file_perms; -+allow kismet_t kismet_var_run_t:dir manage_dir_perms; -+files_pid_filetrans(kismet_t,kismet_var_run_t, { file dir }) -+ -+allow kismet_t kismet_var_lib_t:file manage_file_perms; -+allow kismet_t kismet_var_lib_t:dir manage_dir_perms; -+files_var_lib_filetrans(kismet_t,kismet_var_lib_t, { file dir }) -+ -+allow kismet_t kismet_log_t:file manage_file_perms; -+allow kismet_t kismet_log_t:dir { rw_dir_perms setattr }; -+logging_log_filetrans(kismet_t,kismet_log_t,{ file dir }) -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.3.1/policy/modules/admin/kudzu.te --- nsaserefpolicy/policy/modules/admin/kudzu.te 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/kudzu.te 2008-07-15 14:02:51.000000000 -0400 @@ -2862,7 +2867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.3.1/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/admin/su.if 2008-08-12 12:08:28.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/admin/su.if 2008-08-12 17:05:02.000000000 -0400 @@ -41,15 +41,13 @@ allow $2 $1_su_t:process signal; @@ -2881,7 +2886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s domtrans_pattern($2, su_exec_t, $1_su_t) # By default, revert to the calling domain when a shell is executed. -@@ -89,28 +87,16 @@ +@@ -89,28 +87,24 @@ libs_use_ld_so($1_su_t) libs_use_shared_libs($1_su_t) 
@@ -2894,17 +2899,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s - domain_role_change_exemption($1_su_t) - domain_subj_id_change_exemption($1_su_t) - domain_obj_id_change_exemption($1_su_t) -- ++ auth_login_pgm_domain($1_su_t) + - selinux_get_fs_mount($1_su_t) - selinux_validate_context($1_su_t) - selinux_compute_access_vector($1_su_t) - selinux_compute_create_context($1_su_t) - selinux_compute_relabel_context($1_su_t) - selinux_compute_user_contexts($1_su_t) -- ++ seutil_read_config($1_su_t) ++ seutil_read_default_contexts($1_su_t) + - seutil_read_config($1_su_t) - seutil_read_default_contexts($1_su_t) -+ auth_login_pgm_domain($1_su_t) ++ # Only allow transitions to unprivileged user domains. ++ userdom_spec_domtrans_unpriv_users($1_su_t) - # Only allow transitions to unprivileged user domains. - userdom_spec_domtrans_unpriv_users($1_su_t) @@ -2912,22 +2921,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s + # Deal with unconfined_terminals. + term_use_all_user_ttys($1_su_t) + term_use_all_user_ptys($1_su_t) ++ term_relabel_all_user_ttys($1_su_t) ++ term_relabel_all_user_ptys($1_su_t) optional_policy(` cron_read_pipes($1_su_t) -@@ -119,11 +105,6 @@ - optional_policy(` +@@ -120,10 +114,17 @@ kerberos_use($1_su_t) ') -- + - ifdef(`TODO',` - # Caused by su - init scripts - dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; - ') dnl end TODO ++ optional_policy(` ++ xserver_domtrans_user_xauth($1, $1_su_t) ++ ') ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_search_nfs($1_su_t) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs($1_su_t) ++ ') ') ####################################### -@@ -172,14 +153,14 @@ +@@ -172,14 +173,14 @@ domain_interactive_fd($1_su_t) role $3 types $1_su_t; 
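Review bot: The hunk restores `seutil_read_config($1_su_t)` and `seutil_read_default_contexts($1_su_t)` directly after `auth_login_pgm_domain($1_su_t)`, which in refpolicy's authlogin.if already includes those two calls for login programs — confirm against the version in this tree; if it does, the restored pair is redundant. The added `term_relabel_all_user_ttys($1_su_t)` / `term_relabel_all_user_ptys($1_su_t)` apply to every instantiated `$1_su_t`, including user_su_t, and let it relabel any user's tty or pty rather than its own; that is what pam_selinux needs when su opens a session, but a comment such as `# pam_selinux relabels the controlling tty to the new user's context` would record it. The template being patched starts and ends outside this hunk.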
@@ -2946,7 +2967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s # Transition from the user domain to this domain. domtrans_pattern($2, su_exec_t, $1_su_t) -@@ -188,7 +169,7 @@ +@@ -188,7 +189,7 @@ corecmd_shell_domtrans($1_su_t,$2) allow $2 $1_su_t:fd use; allow $2 $1_su_t:fifo_file rw_file_perms; @@ -2955,7 +2976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) -@@ -203,15 +184,15 @@ +@@ -203,15 +204,15 @@ # needed for pam_rootok selinux_compute_access_vector($1_su_t) @@ -2974,7 +2995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s files_read_etc_files($1_su_t) files_read_etc_runtime_files($1_su_t) files_search_var_lib($1_su_t) -@@ -226,12 +207,14 @@ +@@ -226,12 +227,14 @@ libs_use_ld_so($1_su_t) libs_use_shared_libs($1_su_t) @@ -2990,7 +3011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) -@@ -295,13 +278,7 @@ +@@ -295,13 +298,7 @@ xserver_domtrans_user_xauth($1, $1_su_t) ') @@ -4559,7 +4580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.3.1/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/java.if 2008-07-15 14:02:51.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/apps/java.if 2008-08-15 14:47:26.000000000 -0400 @@ -32,7 +32,7 @@ ## ## 
@@ -4740,7 +4761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -@@ -219,3 +269,67 @@ +@@ -219,3 +269,84 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') @@ -4808,6 +4829,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + allow java_t $3:chr_file rw_term_perms; +') + ++######################################## ++## ++## Execute the java program in the java domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`java_exec',` ++ gen_require(` ++ type java_exec_t; ++ ') ++ ++ ca_exec($1, java_exec_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.3.1/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2008-06-12 23:38:02.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/apps/java.te 2008-07-15 14:02:51.000000000 -0400 @@ -6212,8 +6250,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-07-29 13:22:00.000000000 -0400 -@@ -0,0 +1,227 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-08-13 13:26:58.000000000 -0400 +@@ -0,0 +1,228 @@ + +policy_module(nsplugin,1.0.0) + @@ -6291,6 +6329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +dev_write_sound(nsplugin_t) +dev_read_video_dev(nsplugin_t) +dev_write_video_dev(nsplugin_t) ++dev_getattr_dri_dev(nsplugin_t) + +kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_system_state(nsplugin_t) 
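Review bot: `ca_exec($1, java_exec_t)` in the new `java_exec` interface is not a refpolicy macro; the helper that grants execute-without-transition is `can_exec`, so m4 will pass `ca_exec(...)` through unexpanded and the policy build breaks the first time any module calls `java_exec`. Change the line to `can_exec($1, java_exec_t)`. The doc also says "Execute the java program in the java domain", which describes `java_domtrans`; for this interface it should read "Execute java in the caller's domain."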
@@ -7357,7 +7396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-08-01 11:18:03.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-08-15 15:31:02.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.2.15) @@ -7381,15 +7420,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dbskkd, tcp,1178,s0) -@@ -91,6 +93,7 @@ +@@ -90,7 +92,9 @@ + network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) ++network_port(dogtag, tcp,9080,s0, tcp,9443,s0) network_port(fingerd, tcp,79,s0) +network_port(flash, tcp,1935,s0, udp,1935,s0) network_port(ftp_data, tcp,20,s0) network_port(ftp, tcp,21,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -109,11 +112,13 @@ +@@ -109,11 +113,13 @@ network_port(ircd, tcp,6667,s0) network_port(isakmp, udp,500,s0) network_port(iscsi, tcp,3260,s0) @@ -7403,7 +7444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon -@@ -122,6 +127,8 @@ +@@ -122,6 +128,8 @@ network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) 
@@ -7412,7 +7453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -133,10 +140,13 @@ +@@ -133,10 +141,13 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(postfix_policyd, tcp,10031,s0) @@ -7426,7 +7467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -148,11 +158,11 @@ +@@ -148,11 +159,11 @@ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -7440,11 +7481,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) network_port(spamd, tcp,783,s0) -@@ -165,12 +175,17 @@ +@@ -165,12 +176,18 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0) ++network_port(tomcat, tcp,1701,s0) +network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0) network_port(transproxy, tcp,8081,s0) 
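Review bot: `network_port(tomcat, tcp,1701,s0)` labels tcp/1701, which is the IANA-assigned L2TP port, not a Tomcat default (8080, 8005, 8009), so the number looks wrong and any later l2tp port definition would collide with this portcon; confirm before it lands. Separately, appending tcp/9051 to `tor_port_t` merges Tor's control port with its SOCKS port (9050) under one type, so every domain allowed to connect to tor_port_t for SOCKS can now also reach the control interface; if that is intended, say so with `# 9051 is the tor control port; it shares tor_port_t with the SOCKS port` beside the line, otherwise give it its own type.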
@@ -9621,7 +9663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-08-11 15:42:35.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-08-29 14:16:36.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -10059,7 +10101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1088,3 +1029,169 @@ +@@ -1088,3 +1029,202 @@ allow httpd_t $1:process signal; ') 
@@ -10229,9 +10271,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + delete_sock_files_pattern($1,httpd_sys_content_rw_t,httpd_sys_content_rw_t) +') + ++######################################## ++## ++## Mark content as being readable by standard apache processes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`apache_ro_content',` ++ gen_require(` ++ attribute httpd_ro_content; ++ ') ++ typeattribute $1 httpd_ro_content; ++') ++ ++######################################## ++## ++## Mark content as being read/write by standard apache processes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`apache_rw_content',` ++ gen_require(` ++ attribute httpd_rw_content; ++ ') ++ typeattribute $1 httpd_rw_content; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-07-29 13:26:28.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-08-29 14:24:41.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -10288,7 +10363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## the terminal. ##
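Review bot: The parameter documentation of the new `apache_ro_content` and `apache_rw_content` says `Domain allowed access.`, but the argument is the file type being marked as content (it is added to an attribute via `typeattribute`), not a domain; suggest `Type to be marked as read-only httpd content.` and the read/write equivalent. Both are declared with `template(` although they derive no per-prefix types; `interface(` is the refpolicy convention for that shape and the documentation generator treats the two differently. Whether `httpd_rw_content` actually grants anything to httpd_t is decided in apache.te, so the summary "read/write by standard apache processes" should be checked against the rules there.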

## -@@ -109,14 +125,33 @@ +@@ -109,14 +125,35 @@ ## gen_tunable(httpd_unified,false) @@ -10313,6 +10388,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +## +gen_tunable(allow_httpd_sys_script_anon_write,false) + ++attribute httpd_ro_content; ++attribute httpd_rw_content; attribute httpdcontent; -attribute httpd_user_content_type; @@ -10324,7 +10401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # user script domains attribute httpd_script_domains; -@@ -147,6 +182,9 @@ +@@ -147,6 +184,9 @@ type httpd_log_t; logging_log_file(httpd_log_t) @@ -10334,17 +10411,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; -@@ -180,6 +218,9 @@ +@@ -180,6 +220,9 @@ # setup the system domain for system CGI scripts apache_content_template(sys) -+typeattribute httpd_sys_content_t httpdcontent; # customizable -+typeattribute httpd_sys_content_rw_t httpdcontent; # customizable ++typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable ++typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable +typeattribute httpd_sys_content_ra_t httpdcontent; # customizable type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -202,12 +243,16 @@ +@@ -202,12 +245,16 @@ prelink_object_file(httpd_modules_t) ') 
@@ -10362,7 +10439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +294,7 @@ +@@ -249,6 +296,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) @@ -10370,7 +10447,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -289,6 +335,7 @@ +@@ -260,9 +308,9 @@ + + allow httpd_t httpd_suexec_exec_t:file { getattr read }; + +-allow httpd_t httpd_sys_content_t:dir list_dir_perms; +-read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t) +-read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t) ++allow httpd_t httpd_ro_content:dir list_dir_perms; ++read_files_pattern(httpd_t,httpd_ro_content,httpd_ro_content) ++read_lnk_files_pattern(httpd_t,httpd_ro_content,httpd_ro_content) + + manage_dirs_pattern(httpd_t,httpd_tmp_t,httpd_tmp_t) + manage_files_pattern(httpd_t,httpd_tmp_t,httpd_tmp_t) +@@ -289,6 +337,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -10378,7 +10468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -315,9 +362,7 @@ +@@ -315,9 +364,7 @@ auth_use_nsswitch(httpd_t) @@ -10389,7 +10479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domain_use_interactive_fds(httpd_t) -@@ -335,6 +380,10 @@ +@@ -335,6 +382,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
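Review bot: Retargeting httpd_t's read rules from `httpd_sys_content_t` to the `httpd_ro_content` attribute means any module calling `apache_ro_content(type)` now enlarges httpd's readable set without touching apache policy; that is evidently the intent, but a comment above the three rules, e.g. `# types other modules mark httpd-readable via apache_ro_content()`, would flag the extension point for later readers. The sibling `httpd_rw_content` attribute is declared and assigned to httpd_sys_content_rw_t earlier in this patch, yet no visible hunk grants httpd_t anything on it, so either the rw rules live in a part of the patch not shown here or the attribute is currently dead; worth confirming before the `apache_rw_content` interface is advertised.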
@@ -10400,7 +10490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,25 +400,50 @@ +@@ -351,25 +402,50 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -10455,7 +10545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) -@@ -382,12 +456,22 @@ +@@ -382,12 +458,22 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -10483,7 +10573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_ftp_server',` -@@ -399,11 +483,21 @@ +@@ -399,11 +485,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -10505,7 +10595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -437,8 +531,13 @@ +@@ -437,8 +533,13 @@ ') optional_policy(` @@ -10521,7 +10611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -450,19 +549,13 @@ +@@ -450,19 +551,13 @@ ') optional_policy(` @@ -10542,7 +10632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -472,13 +565,22 @@ +@@ -472,13 +567,22 @@ openca_kill(httpd_t) ') @@ -10569,7 +10659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -486,6 +588,7 @@ +@@ -486,6 +590,7 @@ ') optional_policy(` @@ -10577,7 +10667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -521,6 +624,22 @@ +@@ -521,6 +626,22 @@ userdom_use_sysadm_terms(httpd_helper_t) ') 
@@ -10600,7 +10690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -550,18 +669,26 @@ +@@ -550,18 +671,26 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -10630,7 +10720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -585,6 +712,8 @@ +@@ -585,6 +714,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -10639,7 +10729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -593,9 +722,7 @@ +@@ -593,9 +724,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -10650,7 +10740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -628,6 +755,7 @@ +@@ -628,6 +757,7 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -10658,7 +10748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -638,6 +766,12 @@ +@@ -638,6 +768,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -10671,7 +10761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +789,6 @@ +@@ -655,10 +791,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -10682,7 +10772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +798,8 @@ +@@ -668,7 +800,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -10692,7 +10782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +813,44 @@ +@@ -682,15 +815,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -10704,15 +10794,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +tunable_policy(`httpd_use_nfs', ` -+ fs_read_nfs_files(httpd_sys_script_t) -+ fs_read_nfs_symlinks(httpd_sys_script_t) -+') -+ -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` ++ fs_read_nfs_files(httpd_sys_script_t) ++ fs_read_nfs_symlinks(httpd_sys_script_t) ++') ++ +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; @@ -10738,7 +10828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -703,6 +863,10 @@ +@@ -703,6 +865,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) 
@@ -10749,7 +10839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +888,60 @@ +@@ -724,3 +890,68 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -10810,6 +10900,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + userdom_search_user_home_dirs(user,httpd_user_script_t) + userdom_search_user_home_dirs(user,httpd_sys_script_t) +') ++ ++manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) ++manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) ++manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) ++ ++manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content) ++manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content) ++manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.3.1/policy/modules/services/apcupsd.fc --- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/apcupsd.fc 2008-07-15 14:02:51.000000000 -0400 @@ -12500,7 +12598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.3.1/policy/modules/services/courier.fc --- nsaserefpolicy/policy/modules/services/courier.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/courier.fc 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/courier.fc 2008-08-26 20:27:44.000000000 -0400 @@ -1,4 +1,5 @@ /etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) +/etc/authlib(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) 
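Review bot: The six manage rules appended at the end of apache.te are unconditional, and because `manage_*_pattern` takes the directory type as its second argument, passing the broad `httpdcontent` attribute grants httpd_t and httpd_sys_script_t `rw_dir_perms` (add_name/remove_name/write) on every httpdcontent directory, including read-only content directories, while only the file-level manage is limited to `httpd_rw_content`. If the intent is "manage rw content inside rw directories", the directory argument should be `httpd_rw_content` as well, i.e. `manage_files_pattern(httpd_t,httpd_rw_content,httpd_rw_content)` and likewise for the dir/lnk_file and httpd_sys_script_t variants; if the wider directory access is deliberate, say so in a comment and consider placing the rules next to the other httpd_t content rules, or under the `httpd_unified`/`httpd_enable_cgi` tunables the file already uses for write access, rather than after the last tunable block. I am reading `httpdcontent` as the attribute over all web content types and `httpd_rw_content` as a narrower one — confirm against the declarations, which are outside this hunk.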
@@ -12527,15 +12625,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour /usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) -@@ -19,3 +28,5 @@ +@@ -19,3 +28,6 @@ /var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) /var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0) + +/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) ++/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.3.1/policy/modules/services/courier.if --- nsaserefpolicy/policy/modules/services/courier.if 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/courier.if 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/courier.if 2008-08-18 06:32:58.000000000 -0400 @@ -123,3 +123,77 @@ domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) @@ -12616,7 +12715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.3.1/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/courier.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/courier.te 2008-08-26 20:28:45.000000000 -0400 @@ -9,7 +9,10 @@ courier_domain_template(authdaemon) 
@@ -12637,6 +12736,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour courier_domain_template(sqwebmail) typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t; +@@ -69,6 +73,9 @@ + + courier_domtrans_pop(courier_authdaemon_t) + ++files_search_spool(courier_authdaemon_t, courier_spool_t, courier_spool_t) ++manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) ++ + ######################################## + # + # Calendar (PCP) local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.3.1/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-06-12 23:38:02.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/cron.fc 2008-07-15 14:02:52.000000000 -0400 @@ -12656,7 +12765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.3.1/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-07-28 08:35:13.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-08-26 20:19:09.000000000 -0400 @@ -35,38 +35,23 @@ # template(`cron_per_role_template',` @@ -12834,7 +12943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron domtrans_pattern($2, crontab_exec_t, $1_crontab_t) + allow $2 $1_crontab_t:fd use; + -+ auth_domtrans_chk_passwd($1_crontab_t) ++ auth_run_chk_passwd($1_crontab_t, $3, { $1_devpts_t $1_tty_device_t }) # crontab shows up in user ps ps_process_pattern($2,$1_crontab_t) 
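Review bot: `files_search_spool` takes a single domain argument, so `files_search_spool(courier_authdaemon_t, courier_spool_t, courier_spool_t)` passes two extras that m4 will silently drop; write it as `files_search_spool(courier_authdaemon_t)`, matching the `files_search_spool($1)` calls elsewhere in this patch. The socket rule also relies on `/var/spool/authdaemon` already being labelled courier_spool_t via the fc entry added in this patch; if the daemon creates that directory itself at runtime, a spool filetrans for `dir` would be needed as well — confirm how the directory comes into existence. The courier_authdaemon_t section begins before the hunk.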
@@ -13500,7 +13609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-08-29 15:20:30.000000000 -0400 @@ -43,14 +43,13 @@ type cupsd_var_run_t; @@ -13724,6 +13833,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) +@@ -281,7 +324,7 @@ + # Cups configuration daemon local policy + # + +-allow cupsd_config_t self:capability { chown sys_tty_config }; ++allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; + dontaudit cupsd_config_t self:capability sys_tty_config; + allow cupsd_config_t self:process signal_perms; + allow cupsd_config_t self:fifo_file rw_fifo_file_perms; @@ -326,6 +369,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) @@ -15730,7 +15848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.3.1/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/exim.if 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/exim.if 2008-08-14 12:48:28.000000000 -0400 @@ -97,6 +97,26 @@ ######################################## 
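Review bot: Adding `dac_override` to cupsd_config_t is the widest capability on that line — it bypasses every DAC permission check for the domain — and the hunk gives no hint which access needs it; please record the triggering access above the line, e.g. `# dac_override: <file/operation from the AVC denial>; narrow if ownership/mode can be fixed instead`, so it can be re-examined later. While here, the unchanged `dontaudit cupsd_config_t self:capability sys_tty_config;` directly below is dead, since the same permission is allowed on the line above it. The cupsd_config_t section continues outside the hunk.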
@@ -15758,9 +15876,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim ## Allow the specified domain to append ## exim log files. ## +@@ -154,3 +174,23 @@ + manage_files_pattern($1, exim_spool_t, exim_spool_t) + files_search_spool($1) + ') ++ ++######################################## ++## ++## Create, read, write, and delete ++## exim spool dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`exim_manage_spool_dirs',` ++ gen_require(` ++ type exim_spool_t; ++ ') ++ ++ manage_dirs_pattern($1, exim_spool_t, exim_spool_t) ++ files_search_spool($1) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.3.1/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/exim.te 2008-08-08 10:12:38.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/exim.te 2008-08-13 13:26:38.000000000 -0400 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files,false) @@ -15845,7 +15987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim files_read_etc_files(exim_t) auth_use_nsswitch(exim_t) -@@ -92,14 +125,14 @@ +@@ -92,14 +125,15 @@ logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) @@ -15856,6 +15998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim -userdom_dontaudit_search_sysadm_home_dirs(exim_t) -userdom_dontaudit_search_generic_user_home_dirs(exim_t) +fs_getattr_xattr_fs(exim_t) ++fs_list_inotifyfs(exim_t) mta_read_aliases(exim_t) -mta_rw_spool(exim_t) 
@@ -15865,7 +16008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim tunable_policy(`exim_read_user_files',` userdom_read_unpriv_users_home_content_files(exim_t) -@@ -111,3 +144,80 @@ +@@ -111,3 +145,80 @@ userdom_read_unpriv_users_tmp_files(exim_t) userdom_write_unpriv_users_tmp_files(exim_t) ') @@ -18064,7 +18207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.3.1/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-08-11 10:57:59.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-08-28 09:25:02.000000000 -0400 @@ -53,10 +53,9 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -18082,7 +18225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail # allow mailman_mail_t self:unix_dgram_socket create_socket_perms; -+allow mailman_mail_t initrc_t:process signal; ++allow mailman_mail_t self:process { signal signull }; +allow mailman_mail_t self:process signal; +allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; + @@ -21068,7 +21211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-08-29 15:46:12.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # 
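Review bot: The new `allow mailman_mail_t self:process { signal signull };` makes the following line, `allow mailman_mail_t self:process signal;`, fully redundant; drop that line so the self:process grant is stated once. The mailman_mail_t block continues past the end of the hunk.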
@@ -21141,7 +21284,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # allow access to deferred queue and allow removing bogus incoming entries manage_dirs_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t) manage_files_pattern(postfix_master_t,postfix_spool_t,postfix_spool_t) -@@ -174,6 +195,7 @@ +@@ -135,6 +156,7 @@ + + delete_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t) + rename_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t) ++setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + + kernel_read_all_sysctls(postfix_master_t) + +@@ -174,6 +196,7 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) @@ -21149,7 +21300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_master_t) -@@ -248,6 +270,10 @@ +@@ -248,6 +271,10 @@ corecmd_exec_bin(postfix_cleanup_t) @@ -21160,7 +21311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix local local policy -@@ -273,18 +299,25 @@ +@@ -273,18 +300,25 @@ files_read_etc_files(postfix_local_t) @@ -21186,7 +21337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -295,8 +328,7 @@ +@@ -295,8 +329,7 @@ # # Postfix map local policy # @@ -21196,7 +21347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -346,8 +378,6 @@ +@@ -346,8 +379,6 @@ miscfiles_read_localization(postfix_map_t) 
@@ -21205,7 +21356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -360,6 +390,11 @@ +@@ -360,6 +391,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -21217,7 +21368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix pickup local policy -@@ -384,6 +419,7 @@ +@@ -384,6 +420,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -21225,7 +21376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) -@@ -391,6 +427,12 @@ +@@ -391,6 +428,12 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) @@ -21238,7 +21389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -400,6 +442,10 @@ +@@ -400,6 +443,10 @@ ') optional_policy(` @@ -21249,7 +21400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -436,8 +482,7 @@ +@@ -436,8 +483,7 @@ ') optional_policy(` @@ -21259,7 +21410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ####################################### -@@ -463,6 +508,15 @@ +@@ -463,6 +509,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -21275,7 +21426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -532,9 +586,6 @@ +@@ -532,9 +587,6 @@ # connect to master process stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) 
@@ -21285,7 +21436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; -@@ -557,6 +608,10 @@ +@@ -557,6 +609,10 @@ sasl_connect(postfix_smtpd_t) ') @@ -21296,7 +21447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix virtual local policy -@@ -572,7 +627,7 @@ +@@ -572,7 +628,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process 
@@ -21401,16 +21552,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # Local Policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-07-15 14:02:52.000000000 -0400 -@@ -31,6 +31,7 @@ ++++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-08-13 13:44:31.000000000 -0400 +@@ -6,8 +6,8 @@ + # + # /usr + # +-/usr/bin/initdb -- gen_context(system_u:object_r:postgresql_exec_t,s0) +-/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) + + /usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) +@@ -30,11 +30,18 @@ + /var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0) ++/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) ++/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) ++ /var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0) +/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) /var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) ++/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0) ifdef(`distro_redhat', ` -@@ -38,3 +39,5 @@ + /var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) ') /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) 
@@ -21418,14 +21585,290 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.3.1/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/postgresql.if 2008-07-15 14:02:52.000000000 -0400 -@@ -120,3 +120,72 @@ ++++ serefpolicy-3.3.1/policy/modules/services/postgresql.if 2008-08-13 13:44:36.000000000 -0400 +@@ -1,5 +1,205 @@ + ## PostgreSQL relational database + ++####################################### ++## ++## The userdomain template for the SE-PostgreSQL. ++## ++## ++## This template creates a delivered types which are used ++## for given userdomains. ++## ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. 
++## ++## ++# ++template(`postgresql_userdom_template',` ++ gen_require(` ++ class db_database all_db_database_perms; ++ class db_table all_db_table_perms; ++ class db_procedure all_db_procedure_perms; ++ class db_column all_db_column_perms; ++ class db_tuple all_db_tuple_perms; ++ class db_blob all_db_blob_perms; ++ ++ attribute sepgsql_client_type, sepgsql_database_type; ++ attribute sepgsql_sysobj_table_type; ++ ++ type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; ++ ') ++ ++ ######################################## ++ # ++ # Declarations ++ # ++ ++ typeattribute $2 sepgsql_client_type; ++ ++ type $1_sepgsql_blob_t; ++ postgresql_blob_object($1_sepgsql_blob_t) ++ ++ type $1_sepgsql_proc_exec_t; ++ postgresql_procedure_object($1_sepgsql_proc_exec_t) ++ ++ type $1_sepgsql_sysobj_t; ++ postgresql_system_table_object($1_sepgsql_sysobj_t) ++ ++ type $1_sepgsql_table_t; ++ postgresql_table_object($1_sepgsql_table_t) ++ ++ role $3 types sepgsql_trusted_proc_t; ++ ++ ############################## ++ # ++ # Client local policy ++ # ++ ++ tunable_policy(`sepgsql_enable_users_ddl',` ++ allow $2 $1_sepgsql_table_t:db_table { create drop }; ++ type_transition $2 sepgsql_database_type:db_table $1_sepgsql_table_t; ++ ++ allow $2 $1_sepgsql_table_t:db_column { create drop }; ++ ++ allow $2 $1_sepgsql_sysobj_t:db_tuple { update insert delete }; ++ type_transition $2 sepgsql_sysobj_table_type:db_tuple $1_sepgsql_sysobj_t; ++ ') ++ ++ allow $2 $1_sepgsql_table_t:db_table { getattr setattr use select update insert delete }; ++ allow $2 $1_sepgsql_table_t:db_column { getattr setattr use select update insert }; ++ allow $2 $1_sepgsql_table_t:db_tuple { use select update insert delete }; ++ allow $2 $1_sepgsql_sysobj_t:db_tuple { use select }; ++ ++ allow $2 $1_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute }; ++ type_transition $2 sepgsql_database_type:db_procedure $1_sepgsql_proc_exec_t; ++ ++ allow $2 $1_sepgsql_blob_t:db_blob { create drop getattr 
setattr read write }; ++ type_transition $2 sepgsql_database_type:db_blob $1_sepgsql_blob_t; ++ ++ allow $2 sepgsql_trusted_proc_t:process transition; ++ type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; ++') ++ ++######################################## ++## ++## Marks as a SE-PostgreSQL loadable shared library module ++## ++## ++## ++## Type marked as a database object type. ++## ++## ++# ++interface(`postgresql_loadable_module',` ++ gen_require(` ++ attribute sepgsql_module_type; ++ ') ++ ++ typeattribute $1 sepgsql_module_type; ++') ++ ++######################################## ++## ++## Marks as a SE-PostgreSQL database object type ++## ++## ++## ++## Type marked as a database object type. ++## ++## ++# ++interface(`postgresql_database_object',` ++ gen_require(` ++ attribute sepgsql_database_type; ++ ') ++ ++ typeattribute $1 sepgsql_database_type; ++') ++ ++######################################## ++## ++## Marks as a SE-PostgreSQL table/column/tuple object type ++## ++## ++## ++## Type marked as a table/column/tuple object type. ++## ++## ++# ++interface(`postgresql_table_object',` ++ gen_require(` ++ attribute sepgsql_table_type; ++ ') ++ ++ typeattribute $1 sepgsql_table_type; ++') ++ ++######################################## ++## ++## Marks as a SE-PostgreSQL system table/column/tuple object type ++## ++## ++## ++## Type marked as a table/column/tuple object type. ++## ++## ++# ++interface(`postgresql_system_table_object',` ++ gen_require(` ++ attribute sepgsql_table_type, sepgsql_sysobj_table_type; ++ ') ++ ++ typeattribute $1 sepgsql_table_type; ++ typeattribute $1 sepgsql_sysobj_table_type; ++') ++ ++######################################## ++## ++## Marks as a SE-PostgreSQL procedure object type ++## ++## ++## ++## Type marked as a database object type. 
++## ++## ++# ++interface(`postgresql_procedure_object',` ++ gen_require(` ++ attribute sepgsql_procedure_type; ++ ') ++ ++ typeattribute $1 sepgsql_procedure_type; ++') ++ ++######################################## ++## ++## Marks as a SE-PostgreSQL binary large object type ++## ++## ++## ++## Type marked as a database binary large object type. ++## ++## ++# ++interface(`postgresql_blob_object',` ++ gen_require(` ++ attribute sepgsql_blob_type; ++ ') ++ ++ typeattribute $1 sepgsql_blob_type; ++') ++ + ######################################## + ## + ## Allow the specified domain to search postgresql's database directory. +@@ -52,7 +252,7 @@ + type postgresql_t, postgresql_exec_t; + ') + +- domtrans_pattern($1,postgresql_exec_t,postgresql_t) ++ domtrans_pattern($1, postgresql_exec_t, postgresql_t) + ') + + ######################################## +@@ -92,7 +292,7 @@ + type postgresql_t; + ') + +- corenet_tcp_recvfrom_labeled($1,postgresql_t) ++ corenet_tcp_recvfrom_labeled($1, postgresql_t) + corenet_tcp_sendrecv_postgresql_port($1) + corenet_tcp_connect_postgresql_port($1) + corenet_sendrecv_postgresql_client_packets($1) +@@ -120,3 +320,122 @@ # Some versions of postgresql put the sock file in /tmp allow $1 postgresql_tmp_t:sock_file write; ') + +######################################## +## ++## Allow the specified domain unprivileged accesses to unifined database objects ++## managed by SE-PostgreSQL, ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`postgresql_unpriv_client',` ++ gen_require(` ++ class db_table all_db_table_perms; ++ class db_procedure all_db_procedure_perms; ++ class db_blob all_db_blob_perms; ++ ++ attribute sepgsql_client_type; ++ ++ type sepgsql_db_t, sepgsql_table_t, sepgsql_proc_t, sepgsql_blob_t; ++ type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; ++ ') ++ ++ typeattribute $1 sepgsql_client_type; ++ ++ type_transition $1 sepgsql_db_t:db_table sepgsql_table_t; ++ type_transition $1 sepgsql_db_t:db_procedure sepgsql_proc_t; ++ type_transition $1 sepgsql_db_t:db_blob sepgsql_blob_t; ++ ++ type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; ++ allow $1 sepgsql_trusted_proc_t:process transition; ++') ++ ++######################################## ++## ++## Allow the specified domain unconfined accesses to any database objects ++## managed by SE-PostgreSQL, ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postgresql_unconfined',` ++ gen_require(` ++ attribute sepgsql_unconfined_type; ++ ') ++ ++ typeattribute $1 sepgsql_unconfined_type; ++') ++ ++######################################## ++## +## Execute postgresql server in the posgresql domain. +## +## @@ -21439,7 +21882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + type postgresql_script_exec_t; + ') + -+ init_script_domtrans_spec($1,postgresql_script_exec_t) ++ init_script_domtrans_spec($1, postgresql_script_exec_t) +') + +######################################## 
@@ -21465,16 +21908,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +# +interface(`postgresql_admin',` + gen_require(` -+ type postgresql_t; -+ type postgresql_var_run_t; -+ type postgresql_tmp_t; -+ type postgresql_db_t; -+ type postgresql_etc_t; -+ type postgresql_log_t; ++ type postgresql_t, postgresql_var_run_t; ++ type postgresql_tmp_t, postgresql_db_t; ++ type postgresql_etc_t, postgresql_log_t; ++ type postgresql_script_exec_t; + ') + -+ allow $1 postgresql_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postgresql_t, postgresql_t) ++ allow $1 postgresql_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postgresql_t) + + # Allow $1 to restart the apache service + postgresql_script_domtrans($1) 
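Review bot: The doc header of `postgresql_userdom_template` does not say that, with `sepgsql_enable_users_ddl` on, the user domain also gets `{ update insert delete }` on `$1_sepgsql_sysobj_t` tuples — direct writes to its slice of the system catalog — and not merely create/drop on its own tables and columns; anyone deciding the tunable's default needs that stated, e.g. `## Enabling sepgsql_enable_users_ddl also lets the domain insert/update/delete its own $1_sepgsql_sysobj_t catalog tuples.` Two wording fixes in the same hunk: `## This template creates a delivered types` should read `derived types`, and the comment `# Allow $1 to restart the apache service` inside `postgresql_admin` should name the postgresql service. The summary of `postgresql_unpriv_client` ("unifined database objects") also needs a real word — presumably "unconfined" or "unlabeled"; confirm which is meant. `postgresql_admin` continues past the end of the hunk.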
@@ -21482,37 +21923,301 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + role_transition $2 postgresql_script_exec_t system_r; + allow $2 system_r; + -+ manage_all_pattern($1,postgresql_var_run_t) ++ admin_pattern($1, postgresql_var_run_t) + -+ manage_all_pattern($1,postgresql_db_t) ++ admin_pattern($1, postgresql_db_t) + -+ manage_all_pattern($1,postgresql_etc_t) ++ admin_pattern($1, postgresql_etc_t) + -+ manage_all_pattern($1,postgresql_log_t) ++ admin_pattern($1, postgresql_log_t) + -+ manage_all_pattern($1,postgresql_tmp_t) ++ admin_pattern($1, postgresql_tmp_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.3.1/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/postgresql.te 2008-07-15 14:02:52.000000000 -0400 -@@ -27,6 +27,9 @@ ++++ serefpolicy-3.3.1/policy/modules/services/postgresql.te 2008-08-18 08:48:30.000000000 -0400 +@@ -1,13 +1,30 @@ + +-policy_module(postgresql,1.5.0) ++policy_module(postgresql, 1.6.0) ++ ++gen_require(` ++ class db_database all_db_database_perms; ++ class db_table all_db_table_perms; ++ class db_procedure all_db_procedure_perms; ++ class db_column all_db_column_perms; ++ class db_tuple all_db_tuple_perms; ++ class db_blob all_db_blob_perms; ++') + + ################################# + # + # Declarations + # ++ ++## ++##

++## Allow unprived users to execute DDL statement ++##

++##
++gen_tunable(sepgsql_enable_users_ddl, true) ++ + type postgresql_t; + type postgresql_exec_t; +-init_daemon_domain(postgresql_t,postgresql_exec_t) ++init_daemon_domain(postgresql_t, postgresql_exec_t) + + type postgresql_db_t; + files_type(postgresql_db_t) +@@ -27,6 +44,61 @@ type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) +type postgresql_script_exec_t; +init_script_type(postgresql_script_exec_t) + ++# database clients attribute ++attribute sepgsql_client_type; ++attribute sepgsql_unconfined_type; ++ ++# database objects attribute ++attribute sepgsql_database_type; ++attribute sepgsql_table_type; ++attribute sepgsql_sysobj_table_type; ++attribute sepgsql_procedure_type; ++attribute sepgsql_blob_type; ++attribute sepgsql_module_type; ++ ++# database object types ++type sepgsql_blob_t; ++postgresql_blob_object(sepgsql_blob_t) ++ ++type sepgsql_db_t; ++postgresql_database_object(sepgsql_db_t) ++ ++type sepgsql_fixed_table_t; ++postgresql_table_object(sepgsql_fixed_table_t) ++ ++type sepgsql_proc_t; ++postgresql_procedure_object(sepgsql_proc_t) ++ ++type sepgsql_ro_blob_t; ++postgresql_blob_object(sepgsql_ro_blob_t) ++ ++type sepgsql_ro_table_t; ++postgresql_table_object(sepgsql_ro_table_t) ++ ++type sepgsql_secret_blob_t; ++postgresql_blob_object(sepgsql_secret_blob_t) ++ ++type sepgsql_secret_table_t; ++postgresql_table_object(sepgsql_secret_table_t) ++ ++type sepgsql_sysobj_t; ++postgresql_system_table_object(sepgsql_sysobj_t) ++ ++type sepgsql_table_t; ++postgresql_table_object(sepgsql_table_t) ++ ++type sepgsql_trusted_proc_exec_t; ++postgresql_procedure_object(sepgsql_trusted_proc_exec_t) ++ ++# Trusted Procedure Domain ++type sepgsql_trusted_proc_t; ++domain_type(sepgsql_trusted_proc_t) ++postgresql_unconfined(sepgsql_trusted_proc_t) ++role system_r types sepgsql_trusted_proc_t; ++ ######################################## # # postgresql Local policy -@@ -100,6 +103,7 @@ +@@ -42,17 +114,34 @@ + allow postgresql_t self:udp_socket 
create_stream_socket_perms; + allow postgresql_t self:unix_dgram_socket create_socket_perms; + allow postgresql_t self:unix_stream_socket create_stream_socket_perms; ++allow postgresql_t self:netlink_selinux_socket create_socket_perms; ++ ++allow postgresql_t sepgsql_database_type:db_database *; ++type_transition postgresql_t postgresql_t:db_database sepgsql_db_t; ++ ++allow postgresql_t sepgsql_module_type:db_database install_module; ++# Database/Loadable module ++allow sepgsql_database_type sepgsql_module_type:db_database load_module; ++ ++allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; ++type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; ++ ++allow postgresql_t sepgsql_procedure_type:db_procedure *; ++type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_t; ++ ++allow postgresql_t sepgsql_blob_type:db_blob *; ++type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t; + +-manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) +-manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) +-manage_lnk_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) +-manage_fifo_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) +-manage_sock_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) ++manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) ++manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) ++manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) ++manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) ++manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) + files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file }) + + allow postgresql_t postgresql_etc_t:dir list_dir_perms; +-read_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t) 
+-read_lnk_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t) ++read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) ++read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) + + allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; + can_exec(postgresql_t, postgresql_exec_t ) +@@ -60,20 +149,20 @@ + allow postgresql_t postgresql_lock_t:file manage_file_perms; + files_lock_filetrans(postgresql_t,postgresql_lock_t,file) + +-manage_files_pattern(postgresql_t,postgresql_log_t,postgresql_log_t) +-logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir }) ++manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) ++logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) + +-manage_dirs_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t) +-manage_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t) +-manage_lnk_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t) +-manage_fifo_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t) +-manage_sock_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t) ++manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) ++manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) ++manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) ++manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) ++manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) + files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) + fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) + +-manage_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t) +-manage_sock_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t) +-files_pid_filetrans(postgresql_t,postgresql_var_run_t,file) ++manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) 
++manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) ++files_pid_filetrans(postgresql_t, postgresql_var_run_t, file) + + kernel_read_kernel_sysctls(postgresql_t) + kernel_read_system_state(postgresql_t) +@@ -100,6 +189,13 @@ fs_getattr_all_fs(postgresql_t) fs_search_auto_mountpoints(postgresql_t) +fs_rw_hugetlbfs_files(postgresql_t) ++ ++selinux_get_enforce_mode(postgresql_t) ++selinux_validate_context(postgresql_t) ++selinux_compute_access_vector(postgresql_t) ++selinux_compute_create_context(postgresql_t) ++selinux_compute_relabel_context(postgresql_t) term_use_controlling_term(postgresql_t) +@@ -126,14 +222,14 @@ + + miscfiles_read_localization(postgresql_t) + +-seutil_dontaudit_search_config(postgresql_t) ++seutil_libselinux_linked(postgresql_t) + +-userdom_dontaudit_search_sysadm_home_dirs(postgresql_t) +-userdom_dontaudit_use_sysadm_ttys(postgresql_t) + userdom_dontaudit_use_unpriv_user_fds(postgresql_t) + + mta_getattr_spool(postgresql_t) + ++userdom_dontaudit_use_sysadm_terms(postgresql_t) ++ + tunable_policy(`allow_execmem',` + allow postgresql_t self:process execmem; + ') +@@ -166,3 +262,81 @@ + optional_policy(` + udev_read_db(postgresql_t) + ') ++ ++######################################## ++# ++# Rules common to all clients ++# ++ ++allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param }; ++type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t; ++ ++allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert }; ++allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert }; ++allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; ++ ++allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete }; ++allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert }; ++allow sepgsql_client_type sepgsql_table_t:db_tuple { use select 
update insert delete }; ++ ++allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select }; ++allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; ++allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; ++ ++allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; ++allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; ++ ++allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select }; ++allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; ++allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; ++ ++allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute }; ++allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint }; ++ ++allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write }; ++allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; ++allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr; ++ ++# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs. ++# If a client tries to SELECT a table including violated tuples, these are filtered from ++# the result set as if not exist, but its access denied longs can be recorded within log files. ++# In generally, the number of tuples are much larger than the number of columns, tables and so on. ++# So, it makes a flood of logs when many tuples are violated. ++# ++# The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type, ++# so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them ++# to access classified tuples and can make a audit record. ++# ++# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL. 
++dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete }; ++ ++tunable_policy(`sepgsql_enable_users_ddl',` ++ allow sepgsql_client_type sepgsql_table_t:db_table { create drop setattr }; ++ allow sepgsql_client_type sepgsql_table_t:db_column { create drop setattr }; ++ allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { update insert delete }; ++') ++ ++######################################## ++# ++# Unconfined access to this module ++# ++ ++allow sepgsql_unconfined_type sepgsql_database_type:db_database *; ++type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; ++ ++type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; ++type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_t; ++type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t; ++ ++allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *; ++ ++# unconfined domain is not allowed to invoke user defined procedure directly. ++# They have to confirm and relabel it at first. ++allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_exec_t }:db_procedure *; ++allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto }; ++ ++allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; ++ ++allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; ++ ++kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.3.1/policy/modules/services/postgrey.fc --- nsaserefpolicy/policy/modules/services/postgrey.fc 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/postgrey.fc 2008-07-15 14:02:52.000000000 -0400 
@@ -21762,7 +22467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.3.1/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/ppp.te 2008-08-11 16:48:05.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/ppp.te 2008-08-14 16:08:24.000000000 -0400 @@ -71,7 +71,7 @@ # PPPD Local policy # @@ -21772,7 +22477,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. dontaudit pppd_t self:capability sys_tty_config; allow pppd_t self:process signal; allow pppd_t self:fifo_file rw_fifo_file_perms; -@@ -196,6 +196,12 @@ +@@ -116,7 +116,7 @@ + + kernel_read_kernel_sysctls(pppd_t) + kernel_read_system_state(pppd_t) +-kernel_read_net_sysctls(pppd_t) ++kernel_rw_net_sysctls(pppd_t) + kernel_read_network_state(pppd_t) + kernel_load_module(pppd_t) + +@@ -176,10 +176,9 @@ + sysnet_etc_filetrans_config(pppd_t) + + userdom_dontaudit_use_unpriv_user_fds(pppd_t) +-userdom_dontaudit_search_sysadm_home_dirs(pppd_t) + # for ~/.ppprc - if it actually exists then you need some policy to read it + #allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search; +-userdom_search_sysadm_home_dirs(pppd_t) ++userdom_dontaudit_search_sysadm_home_dirs(pppd_t) + userdom_search_unpriv_users_home_dirs(pppd_t) + + ppp_exec(pppd_t) +@@ -196,6 +195,12 @@ optional_policy(` mta_send_mail(pppd_t) 
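Review bot: `kernel_rw_net_sysctls(pppd_t)` replaces `kernel_read_net_sysctls(pppd_t)` in the new inner hunk `@@ -116,7 +116,7 @@`, which turns a read grant into write access over the whole net sysctl tree, and nothing in the hunk records which sysctl pppd actually needs to set. A one-line comment above the call naming the sysctl from the denial that motivated it, e.g. `# pppd writes [net sysctl name from the AVC denial]`, would let a later reviewer judge whether a narrower interface exists. The accompanying swap of `userdom_search_sysadm_home_dirs(pppd_t)` for its dontaudit form is consistent with the `~/.ppprc` comment kept above it.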
@@ -21785,19 +22511,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` -@@ -215,9 +221,9 @@ - # PPTP Local policy - # +@@ -217,7 +222,7 @@ --allow pptp_t self:capability net_raw; -+allow pptp_t self:process signal; + allow pptp_t self:capability net_raw; dontaudit pptp_t self:capability sys_tty_config; -allow pptp_t self:process signal; -+allow pptp_t self:capability net_raw; ++allow pptp_t self:process signal; allow pptp_t self:fifo_file { read write }; allow pptp_t self:unix_dgram_socket create_socket_perms; allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; -@@ -287,6 +293,14 @@ +@@ -287,6 +292,14 @@ ') optional_policy(` 
@@ -21814,28 +22537,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.3.1/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-07-15 14:02:52.000000000 -0400 -@@ -0,0 +1,17 @@ -+ -+/sbin/audisp-prelude -- gen_context(system_u:object_r:audisp_prelude_exec_t,s0) ++++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-08-14 10:19:50.000000000 -0400 +@@ -0,0 +1,20 @@ ++/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) + +/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) ++/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) + -+/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0) ++/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) ++ ++/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0) + -+/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) ++/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) + -+/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) +/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) -+/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) -+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) ++/var/spool/prelude(/.*)? 
gen_context(system_u:object_r:prelude_spool_t,s0) ++ +/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) +/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) + +/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0) ++/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.3.1/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-08-29 14:42:11.000000000 -0400 @@ -0,0 +1,191 @@ +## Prelude hybrid intrusion detection system + @@ -21914,7 +22640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + +######################################## +## -+## Read/Write to prelude-manager spool files. ++## Manage to prelude-manager spool files. +## +## +## @@ -21922,14 +22648,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +## +## +# -+interface(`prelude_rw_spool',` ++interface(`prelude_manage_spool',` + gen_require(` + type prelude_spool_t; + ') + + files_search_spool($1) -+ list_dirs_pattern($1, prelude_spool_t, prelude_spool_t) -+ rw_files_pattern($1, prelude_spool_t, prelude_spool_t) ++ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t) ++ manage_files_pattern($1, prelude_spool_t, prelude_spool_t) +') + +######################################## 
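Review bot: The new prelude.fc entry `/var/log/prelude.*` leaves the dot unescaped, so it labels every path beginning with `/var/log/prelude` as prelude_log_t, not only `prelude.<suffix>` names; if that is meant to cover `prelude-manager`-style log names too, a comment saying so would help, otherwise `/var/log/prelude\..*` is the tighter match. The entry for `/sbin/audisp-prelude` is relabelled from `audisp_prelude_exec_t` to `prelude_audisp_exec_t`, but the matching type rename in prelude.te/prelude.if is not visible in this chunk and is worth confirming. The section also ends with an added empty line (`++`), which the other file-contexts files in this tree do not carry.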
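Review bot: The rewritten interface summary `## Manage to prelude-manager spool files.` is ungrammatical; `## Manage prelude-manager spool files.` matches the summary style used elsewhere in prelude.if. The rename in the following hunk `@@ -21922,14 +22648,14 @@` to `prelude_manage_spool` also changes the grant from list/rw to `manage_dirs_pattern`/`manage_files_pattern`, so every caller gains create, delete and rename on prelude_spool_t. The only caller in view, `snort_t` in the snort.te hunk `@@ -25567,7 +26309,7 @@`, is a packet-parsing sensor; if it only needs to write its own spool entries, an interface granting create plus read/write would be tighter than full manage.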
@@ -22030,8 +22756,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-07-15 14:02:52.000000000 -0400 -@@ -0,0 +1,251 @@ ++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-08-14 10:18:48.000000000 -0400 +@@ -0,0 +1,257 @@ + +policy_module(prelude, 1.0.0) + @@ -22047,6 +22773,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +type prelude_spool_t; +files_type(prelude_spool_t) + ++type prelude_log_t; ++logging_log_file(prelude_log_t) ++ +type prelude_var_run_t; +files_pid_file(prelude_var_run_t) + @@ -22102,6 +22831,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +files_pid_filetrans(prelude_t, prelude_var_run_t, file) + ++manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t) ++logging_log_filetrans(prelude_t, prelude_log_t, file) ++ +corecmd_search_bin(prelude_t) + +corenet_all_recvfrom_unlabeled(prelude_t) 
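Review bot: `manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t)` with `logging_log_filetrans(prelude_t, prelude_log_t, file)` gives only prelude_t rules for the new prelude_log_t, while prelude.fc labels every `/var/log/prelude.*` path with it; if prelude-lml (prelude_lml_t, declared elsewhere in this file) also logs under such a name its writes will be denied and the same pair of rules is needed for it — not determinable from this hunk. Full manage additionally lets prelude_t unlink and rename its own logs; if the daemon only appends, `create_files_pattern` plus `append_files_pattern` would be the least-privilege choice, although manage is the convention this tree uses for daemon logs.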
@@ -22202,17 +22934,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +allow prelude_lml_t self:unix_stream_socket connectto; + +files_list_tmp(prelude_lml_t) -+manage_dirs_pattern(prelude_lml_t,prelude_lml_tmp_t,prelude_lml_tmp_t) -+manage_files_pattern(prelude_lml_t,prelude_lml_tmp_t,prelude_lml_tmp_t) ++manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) ++manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) +files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir }) + +files_search_spool(prelude_lml_t) -+manage_dirs_pattern(prelude_lml_t,prelude_spool_t,prelude_spool_t) -+manage_files_pattern(prelude_lml_t,prelude_spool_t,prelude_spool_t) ++manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) ++manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) + +files_search_var_lib(prelude_lml_t) -+manage_dirs_pattern(prelude_lml_t,prelude_var_lib_t,prelude_var_lib_t) -+manage_files_pattern(prelude_lml_t,prelude_var_lib_t,prelude_var_lib_t) ++manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) ++manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) + +manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) +files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) @@ -22270,10 +23002,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + + auth_use_nsswitch(httpd_prewikka_script_t) + -+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) -+ + logging_send_syslog_msg(httpd_prewikka_script_t) + ++ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) ++ + optional_policy(` + mysql_search_db(httpd_prewikka_script_t) + mysql_stream_connect(httpd_prewikka_script_t) 
@@ -24197,7 +24929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-08-04 14:37:13.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-08-13 13:57:39.000000000 -0400 @@ -59,6 +59,13 @@ ## gen_tunable(samba_share_nfs,false) @@ -24518,7 +25250,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -790,3 +867,40 @@ +@@ -784,9 +861,49 @@ + allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; + allow smbd_t samba_unconfined_script_exec_t:file ioctl; + +- unconfined_domain(samba_unconfined_script_t) ++ ++ optional_policy(` ++ unconfined_domain(samba_unconfined_script_t) ++ ') + + tunable_policy(`samba_run_unconfined',` domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ') ') @@ -25525,7 +26267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.3.1/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/snort.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/snort.te 2008-08-29 14:41:05.000000000 -0400 @@ -8,10 +8,13 @@ type snort_t; 
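Review bot: In the samba.te hunk `@@ -784,9 +861,49 @@` the added blank line (`++ `) sits directly after an existing blank context line, leaving two consecutive empty lines before `optional_policy(`. Wrapping `unconfined_domain(samba_unconfined_script_t)` in `optional_policy` is right for builds without the unconfined module, but on such builds the `samba_run_unconfined` domtrans kept as context below still moves scripts into samba_unconfined_script_t, which then appears to have only the few rules declared for it here; a comment such as `# without the unconfined module this domain is deliberately minimal` would record that this is intended rather than an oversight.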
@@ -25567,7 +26309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor userdom_dontaudit_search_sysadm_home_dirs(snort_t) optional_policy(` -+ prelude_rw_spool(snort_t) ++ prelude_manage_spool(snort_t) +') + +optional_policy(` @@ -26341,7 +27083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-08-14 12:48:08.000000000 -0400 @@ -21,8 +21,10 @@ gen_tunable(spamd_enable_home_dirs,true) @@ -26420,7 +27162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -149,11 +172,31 @@ +@@ -149,11 +172,36 @@ userdom_search_unpriv_users_home_dirs(spamd_t) userdom_dontaudit_search_sysadm_home_dirs(spamd_t) @@ -26436,6 +27178,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + evolution_home_filetrans(user,spamd_t,spamd_tmp_t,{ file sock_file }) +') + ++optional_policy(` ++ exim_manage_spool_dirs(spamd_t) ++ exim_manage_spool_files(spamd_t) ++') ++ +tunable_policy(`spamd_enable_home_dirs',` + userdom_manage_user_home_content_dirs(user,spamd_t) + userdom_manage_user_home_content_files(user,spamd_t) @@ -26452,7 +27199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') -@@ -171,6 +214,7 @@ +@@ -171,6 +219,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) 
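Review bot: The new `optional_policy` block in the spamassassin.te hunk `@@ -26436,6 +27178,11 @@` grants spamd_t `exim_manage_spool_dirs` and `exim_manage_spool_files`, i.e. create, delete and rename over exim's entire spool, with no comment saying why. spamd handles untrusted mail content, so a narrower exim spool interface, if exim.if offers one, would be the tighter grant; failing that, a one-line comment naming the exim integration that requires manage access, e.g. `# [exim integration that needs spamd to modify the spool]`, should accompany the block.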
@@ -26460,7 +27207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dcc_stream_connect_dccifd(spamd_t) ') -@@ -198,6 +242,11 @@ +@@ -198,6 +247,11 @@ optional_policy(` razor_domtrans(spamd_t) @@ -26472,7 +27219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -212,3 +261,216 @@ +@@ -212,3 +266,216 @@ optional_policy(` udev_read_db(spamd_t) ') @@ -27641,7 +28388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-07-29 15:14:04.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-08-12 17:02:07.000000000 -0400 @@ -12,9 +12,15 @@ ##
## @@ -31314,12 +32061,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-07-15 14:02:52.000000000 -0400 -@@ -29,7 +29,7 @@ ++++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-08-29 15:31:37.000000000 -0400 +@@ -28,8 +28,8 @@ + # iscsid local policy # - allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource }; +-allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource }; -allow iscsid_t self:process { setrlimit setsched }; ++allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_nice sys_resource }; +allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file { read write }; allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -31602,7 +32351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-08-29 16:21:41.000000000 -0400 @@ -213,12 +213,7 @@ ## # 
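Review bot: `net_raw` is added to `allow iscsid_t self:capability { ... }` in the iscsi.te hunk `@@ -28,8 +28,8 @@` without a comment; raw-socket capability on the iSCSI initiator daemon is a notable widening and the hunk gives no hint which operation needed it. A comment on the preceding line, e.g. `# net_raw: [raw-socket use from the AVC denial]`, would let the grant be revisited later. The `signal` added to the self:process set in the same hunk is unremarkable.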
@@ -31698,7 +32447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -804,3 +838,129 @@ +@@ -804,3 +838,128 @@ logging_admin_audit($1, $2, $3) logging_admin_syslog($1, $2, $3) ') @@ -31804,8 +32553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + role system_r types $1; + + domtrans_pattern(audisp_t,$2,$1) -+ allow $1 audisp_t:process signal; -+ ++ allow audisp_t $1:process { sigkill sigstop signull signal } + allow audisp_t $2:file getattr; + allow $1 audisp_t:unix_stream_socket rw_socket_perms; +') @@ -34821,7 +35569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-07-29 16:49:30.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-08-12 17:31:13.000000000 -0400 @@ -6,35 +6,72 @@ # Declarations # @@ -35116,7 +35864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +281,36 @@ +@@ -219,14 +281,38 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -35140,11 +35888,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +optional_policy(` + hal_dbus_chat(unconfined_execmem_t) - ') ++') + +optional_policy(` + xserver_xdm_rw_shm(unconfined_execmem_t) -+') + ') + +######################################## +# 
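Review bot: The added line `allow audisp_t $1:process { sigkill sigstop signull signal }` in the logging.if hunk `@@ -31804,8 +32553,7 @@` has no terminating semicolon, so the interface will not compile once the patch is applied; it should read `allow audisp_t $1:process { sigkill sigstop signull signal };`. The rule also reverses the direction of the line it replaces (`allow $1 audisp_t:process signal;`): audisp_t may now signal the plugin domain while the plugin can no longer signal audisp_t. That fits audisp spawning the plugin via `domtrans_pattern(audisp_t,$2,$1)`, but it is worth stating in the interface description, which lies outside the hunk.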
@@ -35158,6 +35906,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +rpm_transition_script(unconfined_notrans_t) +domain_ptrace_all_domains(unconfined_notrans_t) + ++allow unconfined_t self:process transition; ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.3.1/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/userdomain.fc 2008-07-15 14:02:52.000000000 -0400 @@ -39820,7 +40570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.3.1/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt 2008-08-29 16:21:06.000000000 -0400 @@ -315,3 +315,13 @@ # define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
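Review bot: `allow unconfined_t self:process transition;` is appended after `domain_ptrace_all_domains(unconfined_notrans_t)`, i.e. inside the unconfined_notrans_t local-policy section rather than with the unconfined_t rules earlier in the file, and carries no comment. Moving it to unconfined_t's own section (outside this hunk) and prefixing it with a comment naming the caller that needs a same-domain transition would keep the file's sectioning meaningful; why a domain needs `transition` to itself is not evident from the hunk.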