diff --git a/policy-F14.patch b/policy-F14.patch index 1035747..40bbee7 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -1005,7 +1005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.9.7/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-10-12 20:42:51.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/admin/logwatch.te 2011-02-25 17:40:38.964548895 +0000 ++++ serefpolicy-3.9.7/policy/modules/admin/logwatch.te 2011-04-11 08:13:10.417000002 +0000 @@ -19,6 +19,9 @@ type logwatch_tmp_t; files_tmp_file(logwatch_tmp_t) @@ -1026,7 +1026,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) -@@ -73,6 +79,8 @@ +@@ -58,6 +64,7 @@ + files_read_var_symlinks(logwatch_t) + files_read_etc_files(logwatch_t) + files_read_etc_runtime_files(logwatch_t) ++files_read_system_conf_files(logwatch_t) + files_read_usr_files(logwatch_t) + files_search_spool(logwatch_t) + files_search_mnt(logwatch_t) +@@ -73,6 +80,8 @@ term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) @@ -1035,7 +1043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc auth_use_nsswitch(logwatch_t) auth_dontaudit_read_shadow(logwatch_t) -@@ -92,11 +100,20 @@ +@@ -92,11 +101,20 @@ sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) 
@@ -2720,8 +2728,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.9.7/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/apps/execmem.fc 2011-02-25 17:40:39.071546259 +0000 -@@ -0,0 +1,50 @@ ++++ serefpolicy-3.9.7/policy/modules/apps/execmem.fc 2011-04-04 18:45:16.701000002 +0000 +@@ -0,0 +1,51 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -2772,6 +2780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib(64)?/gimp/2\.0/plug-ins/help-browser -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.9.7/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1970-01-01 00:00:00.000000000 +0000 +++ serefpolicy-3.9.7/policy/modules/apps/execmem.if 2011-03-20 21:09:28.797630001 +0000 
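Review bot: The new file context `/usr/local/Wolfram/Mathematica(/.*)?MathKernel` has no `/` between the optional directory group and the basename and, unlike every other entry visible in this file, no `--` file-type qualifier, so it labels any path component that merely ends in `MathKernel` (directories and symlinks included) under that tree as execmem_exec_t rather than just the kernel binary. Since that type presumably selects the domain allowed executable memory (execmem.if is not shown here), the pattern should be as tight as its neighbours: `/usr/local/Wolfram/Mathematica(/.*)?/MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)`.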
@@ -8812,16 +8821,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.9.7/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/kernel/devices.fc 2011-02-25 17:40:39.340539639 +0000 -@@ -17,6 +17,7 @@ ++++ serefpolicy-3.9.7/policy/modules/kernel/devices.fc 2011-04-04 18:47:26.703000001 +0000 +@@ -17,8 +17,10 @@ /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) +/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh) /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -159,6 +160,7 @@ + /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -159,6 +161,7 @@ /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) @@ -8829,7 +8841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/pts(/.*)? <> /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -176,13 +178,12 @@ +@@ -176,13 +179,12 @@ /etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) 
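Review bot: The added `/dev/dlm.*` context names `dlm_control_device_t`, but this page shows no `type dlm_control_device_t; dev_node(dlm_control_device_t)` declaration in devices.te and no interface exposing it, and a file context that references an undeclared type makes the whole fc fail when the policy is built or relabelled. If the declaration lives in a part of the patch not shown here this is fine; otherwise it needs to land together with this entry, ideally with a `dev_rw_dlm_control()`-style interface so consuming domains do not write raw allow rules against the type.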
@@ -8845,7 +8857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ifdef(`distro_redhat',` # originally from named.fc -@@ -191,3 +192,8 @@ +@@ -191,3 +193,8 @@ /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') @@ -27172,7 +27184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.9.7/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-10-12 20:42:48.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/mta.if 2011-02-25 17:40:40.186518814 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/mta.if 2011-04-05 17:25:27.561000001 +0000 @@ -37,9 +37,9 @@ ## is the prefix for user_t). ## @@ -27184,7 +27196,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. gen_require(` attribute user_mail_domain; type sendmail_exec_t; -@@ -158,6 +158,7 @@ +@@ -104,6 +104,7 @@ + + optional_policy(` + postfix_domtrans_user_mail_handler($1_mail_t) ++ postfix_rw_master_pipes($1_mail_t) + ') + + optional_policy(` +@@ -158,6 +159,7 @@ ## User domain for the role ## ## @@ -27192,7 +27212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. # interface(`mta_role',` gen_require(` -@@ -169,7 +170,7 @@ +@@ -169,7 +171,7 @@ # Transition from the user domain to the derived domain. domtrans_pattern($2, sendmail_exec_t, user_mail_t) @@ -27201,7 +27221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. allow mta_user_agent $2:fd use; allow mta_user_agent $2:process sigchld; -@@ -220,6 +221,25 @@ +@@ -220,6 +222,25 @@ application_executable_file($1) ') 
@@ -27227,7 +27247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ######################################## ## ## Make the specified type by a system MTA. -@@ -306,7 +326,6 @@ +@@ -306,7 +327,6 @@ interface(`mta_mailserver_delivery',` gen_require(` attribute mailserver_delivery; @@ -27235,7 +27255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') typeattribute $1 mailserver_delivery; -@@ -330,12 +349,6 @@ +@@ -330,12 +350,6 @@ ') typeattribute $1 mta_user_agent; @@ -27248,7 +27268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -350,9 +363,8 @@ +@@ -350,9 +364,8 @@ # interface(`mta_send_mail',` gen_require(` @@ -27259,7 +27279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; -@@ -362,6 +374,10 @@ +@@ -362,6 +375,10 @@ allow mta_user_agent $1:fd use; allow mta_user_agent $1:process sigchld; allow mta_user_agent $1:fifo_file rw_fifo_file_perms; @@ -27270,7 +27290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -391,12 +407,15 @@ +@@ -391,12 +408,15 @@ # interface(`mta_sendmail_domtrans',` gen_require(` @@ -27288,7 +27308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -409,7 +428,6 @@ +@@ -409,7 +429,6 @@ ## ## # @@ -27296,7 +27316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -420,6 +438,24 @@ +@@ -420,6 +439,24 @@ ######################################## ## 
@@ -27321,7 +27341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Execute sendmail in the caller domain. ## ## -@@ -474,7 +510,8 @@ +@@ -474,7 +511,8 @@ type etc_mail_t; ') @@ -27331,7 +27351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -552,7 +589,7 @@ +@@ -552,7 +590,7 @@ ') files_search_etc($1) @@ -27340,7 +27360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ####################################### -@@ -646,8 +683,8 @@ +@@ -646,8 +684,8 @@ files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; @@ -27351,7 +27371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ####################################### -@@ -697,8 +734,8 @@ +@@ -697,8 +735,8 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -27362,7 +27382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +875,7 @@ +@@ -838,7 +876,7 @@ ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -27371,7 +27391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -899,3 +936,50 @@ +@@ -899,3 +937,50 @@ allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') 
@@ -28490,7 +28510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.9.7/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/networkmanager.te 2011-03-04 12:16:25.177413008 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/networkmanager.te 2011-04-11 08:30:43.735000002 +0000 @@ -12,6 +12,12 @@ type NetworkManager_initrc_exec_t; init_script_file(NetworkManager_initrc_exec_t) @@ -28504,16 +28524,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -35,7 +41,7 @@ +@@ -35,8 +41,10 @@ # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; +allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; ++#bug in kernel ++dontaudit NetworkManager_t self:capability sys_module; allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; -@@ -44,7 +50,7 @@ + allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; +@@ -44,7 +52,7 @@ allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; allow NetworkManager_t self:tcp_socket create_stream_socket_perms; 
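Review bot: The rewritten capability line grants NetworkManager_t `sys_admin` with no comment recording which operation needs it, and the new `dontaudit NetworkManager_t self:capability sys_module;` is justified only by `#bug in kernel`. Both are broad: sys_admin covers mount, namespace and many privileged ioctl paths, and a dontaudit on sys_module also hides genuine module-load attempts by a compromised daemon, so neither can be pruned later without a reference. Follow the style of the existing `# networkmanager will ptrace itself ... (rh bug #204161)` comment, e.g. `# sys_module: spurious kernel denial, see rh bug #NNNNNN; drop once fixed` with the real id, and add a similar one-liner naming what needs sys_admin. Minor: sys_ptrace now appears both in the allow set and in the dontaudit set on the following line, so that dontaudit entry is dead.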
@@ -28522,7 +28545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; -@@ -52,9 +58,19 @@ +@@ -52,9 +60,19 @@ can_exec(NetworkManager_t, NetworkManager_exec_t) @@ -28542,7 +28565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -140,23 +156,34 @@ +@@ -140,23 +158,34 @@ sysnet_domtrans_ifconfig(NetworkManager_t) sysnet_domtrans_dhcpc(NetworkManager_t) sysnet_signal_dhcpc(NetworkManager_t) @@ -28577,7 +28600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -172,12 +199,14 @@ +@@ -172,12 +201,14 @@ ') optional_policy(` @@ -28593,7 +28616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw optional_policy(` consolekit_dbus_chat(NetworkManager_t) ') -@@ -194,6 +223,10 @@ +@@ -194,6 +225,10 @@ ') optional_policy(` @@ -28604,7 +28627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw hal_write_log(NetworkManager_t) ') -@@ -202,6 +235,13 @@ +@@ -202,6 +237,13 @@ ') optional_policy(` @@ -28618,7 +28641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw iptables_domtrans(NetworkManager_t) ') -@@ -219,6 +259,7 @@ +@@ -219,6 +261,7 @@ ') optional_policy(` 
@@ -28626,7 +28649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -263,6 +304,7 @@ +@@ -263,6 +306,7 @@ vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -28940,6 +28963,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslc + files_list_pids($1) + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.9.7/policy/modules/services/nslcd.te +--- nsaserefpolicy/policy/modules/services/nslcd.te 2010-10-12 20:42:49.000000000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/nslcd.te 2011-04-05 17:31:41.086000002 +0000 +@@ -16,7 +16,7 @@ + files_pid_file(nslcd_var_run_t) + + type nslcd_conf_t; +-files_type(nslcd_conf_t) ++files_config_file(nslcd_conf_t) + + ######################################## + # +@@ -24,7 +24,7 @@ + # + + allow nslcd_t self:capability { setgid setuid dac_override }; +-allow nslcd_t self:process signal; ++allow nslcd_t self:process { setsched signal }; + allow nslcd_t self:unix_stream_socket create_stream_socket_perms; + + allow nslcd_t nslcd_conf_t:file read_file_perms; +@@ -37,9 +37,13 @@ + kernel_read_system_state(nslcd_t) + + files_read_etc_files(nslcd_t) ++files_read_usr_symlinks(nslcd_t) ++files_list_tmp(nslcd_t) + + auth_use_nsswitch(nslcd_t) + + logging_send_syslog_msg(nslcd_t) + + miscfiles_read_localization(nslcd_t) ++ ++userdom_read_user_tmp_files(nslcd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.9.7/policy/modules/services/ntop.te --- nsaserefpolicy/policy/modules/services/ntop.te 2010-10-12 20:42:49.000000000 +0000 +++ serefpolicy-3.9.7/policy/modules/services/ntop.te 2011-02-25 17:40:40.212518174 +0000 
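Review bot: Switching nslcd_conf_t from `files_type` to `files_config_file` puts /etc/nslcd.conf into the generic configfile class, which by my reading of the files module (not shown here) makes it reachable by every domain that uses the config-file-wide read or manage interfaces; nslcd.conf typically carries the LDAP `bindpw`, so this is a credential-exposure widening rather than a cosmetic relabel. Keep `files_type(nslcd_conf_t)` unless the widening is intended, and if it is, say why in a comment. The same hunk also adds `files_list_tmp(nslcd_t)` and `userdom_read_user_tmp_files(nslcd_t)` with no rationale; a name-service daemon reading users' temp files is an unusual information flow, so either narrow it or record the triggering denial, e.g. `# nslcd reads <what> from user tmp, rhbz#NNNN`.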
@@ -31069,7 +31127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.9.7/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/postfix.if 2011-03-25 10:18:09.630630001 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/postfix.if 2011-04-05 17:25:41.674000001 +0000 @@ -35,7 +35,7 @@ role system_r types postfix_$1_t; @@ -31169,7 +31227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + type postfix_master_t; + ') + -+ allow $1 postfix_master_t:fifo_file rw_fifo_file_perms; ++ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;; +') + ######################################## @@ -32747,7 +32805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.9.7/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/procmail.te 2011-02-25 17:40:40.400513547 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/procmail.te 2011-04-05 17:26:37.834000001 +0000 @@ -10,6 +10,9 @@ application_domain(procmail_t, procmail_exec_t) role system_r types procmail_t; 
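Review bot: The new postfix_rw_master_pipes body ends in a doubled semicolon, `allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;;`, which is at best noise and may be rejected when the interface is expanded into a module; change it to `allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;`. Narrowing from rw_fifo_file_perms to the inherited variant is the right direction, since callers only use the descriptor handed down by master and should not be able to open its pipes themselves, and a one-line comment saying so would keep someone from "fixing" it back. The interface header and gen_require open outside this hunk.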
@@ -32794,17 +32852,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc mta_manage_spool(procmail_t) mta_read_queue(procmail_t) -@@ -128,6 +137,10 @@ - ') - - optional_policy(` -+ nagios_search_spool(procmail_t) +@@ -125,6 +134,11 @@ + postfix_read_spool_files(procmail_t) + postfix_read_local_state(procmail_t) + postfix_read_master_state(procmail_t) ++ postfix_rw_master_pipes(procmail_t) +') + +optional_policy(` - pyzor_domtrans(procmail_t) - pyzor_signal(procmail_t) ++ nagios_search_spool(procmail_t) ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.9.7/policy/modules/services/psad.if --- nsaserefpolicy/policy/modules/services/psad.if 2010-10-12 20:42:49.000000000 +0000 +++ serefpolicy-3.9.7/policy/modules/services/psad.if 2011-02-25 17:40:40.401513522 +0000 @@ -34575,7 +34634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.9.7/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/rhcs.te 2011-03-18 14:41:41.637630000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/rhcs.te 2011-04-11 08:55:38.770000002 +0000 @@ -6,13 +6,15 @@ # @@ -34665,7 +34724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs ') optional_policy(` -@@ -116,11 +129,23 @@ +@@ -116,11 +129,30 @@ ###################################### # 
@@ -34673,13 +34732,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +# + +allow foghorn_t self:process { signal }; ++allow foghorn_t self:udp_socket create_socket_perms; + +files_read_etc_files(foghorn_t) ++files_read_usr_files(foghorn_t) + +optional_policy(` + dbus_connect_system_bus(foghorn_t) +') + ++optional_policy(` ++ snmp_read_snmp_var_lib_files(foghorn_t) ++ snmp_stream_connect(foghorn_t) ++') ++ +###################################### +# # gfs_controld local policy @@ -34690,7 +34756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs allow gfs_controld_t self:shm create_shm_perms; allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -139,10 +164,6 @@ +@@ -139,10 +171,6 @@ init_rw_script_tmp_files(gfs_controld_t) optional_policy(` @@ -34701,7 +34767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) ') -@@ -154,9 +175,10 @@ +@@ -154,9 +182,10 @@ allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched; @@ -34713,7 +34779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs dev_list_sysfs(groupd_t) files_read_etc_files(groupd_t) -@@ -168,8 +190,7 @@ +@@ -168,8 +197,7 @@ # qdiskd local policy # @@ -34723,7 +34789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -@@ -199,6 +220,8 @@ +@@ -199,6 +227,8 @@ files_dontaudit_getattr_all_pipes(qdiskd_t) files_read_etc_files(qdiskd_t) 
@@ -34732,7 +34798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs storage_raw_read_removable_device(qdiskd_t) storage_raw_write_removable_device(qdiskd_t) storage_raw_read_fixed_disk(qdiskd_t) -@@ -207,10 +230,6 @@ +@@ -207,10 +237,6 @@ auth_use_nsswitch(qdiskd_t) optional_policy(` @@ -34743,7 +34809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs netutils_domtrans_ping(qdiskd_t) ') -@@ -223,18 +242,28 @@ +@@ -223,18 +249,28 @@ # rhcs domains common policy # @@ -35959,7 +36025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.9.7/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/samba.te 2011-02-25 17:40:40.507510913 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/samba.te 2011-04-04 12:20:36.217000002 +0000 @@ -152,9 +152,6 @@ type winbind_log_t; logging_log_file(winbind_log_t) @@ -35982,7 +36048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb # smbd Local policy # -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; -+allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search }; ++allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; 
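Review bot: The smbd_t capability set grows again in this revision — `sys_chroot` is new, on top of the `kill` and `sys_admin` already added by the earlier version of the line — and none of them carries a comment naming the Samba feature that needs it, which makes the list impossible to prune later. With dac_override, sys_admin and now sys_chroot, smbd_t holds most of what a root process needs to sidestep the underlying DAC, so each grant should be justified inline, e.g. `# sys_chroot: smbd chroots when 'root directory' is set in smb.conf` if that is indeed the trigger, plus the bug id. If it is only needed for that option, gating sys_chroot behind a boolean would be preferable to granting it unconditionally.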
@@ -37591,7 +37657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.9.7/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-10-12 20:42:48.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/ssh.if 2011-03-18 14:48:21.552630000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/ssh.if 2011-04-04 15:42:53.154000001 +0000 @@ -32,10 +32,10 @@ ## # @@ -37801,7 +37867,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) -@@ -477,8 +489,9 @@ +@@ -421,6 +433,10 @@ + ') + + optional_policy(` ++ ssh_run_keygen($3,$2) ++ ') ++ ++ optional_policy(` + xserver_use_xdm_fds($1_ssh_agent_t) + xserver_rw_xdm_pipes($1_ssh_agent_t) + ') +@@ -477,8 +493,9 @@ type sshd_t; ') @@ -37812,7 +37889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -494,7 +507,7 @@ +@@ -494,7 +511,7 @@ type sshd_t; ') @@ -37821,7 +37898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## -@@ -586,6 +599,24 @@ +@@ -586,6 +603,24 @@ ######################################## ## @@ -37846,7 +37923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ## Execute the ssh client in the caller domain. ## ## -@@ -618,7 +649,7 @@ +@@ -618,7 +653,7 @@ type sshd_key_t; ') @@ -37855,7 +37932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. files_search_pids($1) ') -@@ -680,6 +711,32 @@ +@@ -680,6 +715,32 @@ domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) ') 
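Review bot: Adding `ssh_run_keygen($3,$2)` to ssh_role_template lets every templated user role transition into ssh_keygen_t, a domain that historically exists for install-time host-key generation and that, elsewhere in this patch, gains manage rights on ssh_home_t with filetrans into both admin and user home directories. If ssh_keygen_t still has write access to sshd_key_t (not visible in this hunk), this hands any logged-in user a route to overwrite the host keys; confirm that before merging, or give user-invoked ssh-keygen a separate domain carrying only the home-directory rules. Style: the rest of the file puts a space after commas in interface calls, so `ssh_run_keygen($3, $2)`. The template body continues outside the hunk.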
@@ -37888,7 +37965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ######################################## ## ## Read ssh server keys -@@ -695,7 +752,7 @@ +@@ -695,7 +756,7 @@ type sshd_key_t; ') @@ -37897,7 +37974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ###################################### -@@ -735,3 +792,21 @@ +@@ -735,3 +796,21 @@ files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -37921,7 +37998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.9.7/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/ssh.te 2011-03-18 14:47:55.862630000 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/ssh.te 2011-04-11 09:27:44.859000002 +0000 @@ -6,26 +6,32 @@ # @@ -38050,7 +38127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dev_read_urand(ssh_t) -@@ -169,14 +175,18 @@ +@@ -169,14 +175,21 @@ userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) @@ -38059,6 +38136,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. userdom_read_user_tmp_files(ssh_t) +userdom_write_user_tmp_files(ssh_t) +userdom_read_user_home_content_symlinks(ssh_t) ++# 692457 ++userdom_search_admin_dir(sshd_t) ++userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) tunable_policy(`allow_ssh_keysign',` - domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) 
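Review bot: The new `userdom_search_admin_dir(sshd_t)` sits in the ssh_t client section (every neighbouring rule is for ssh_t) and is paired with `userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })`, so the subject is almost certainly a typo for `ssh_t`: as written, ssh_t likely still lacks search on the admin home and cannot create its ssh_home_t dir or control socket there, while sshd_t receives a permission with no stated use. Change it to `userdom_search_admin_dir(ssh_t)`. The bare `# 692457` should also name the tracker (presumably `# rhbz#692457`) so the reference still means something outside Fedora's context.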
@@ -38074,7 +38154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') tunable_policy(`use_nfs_home_dirs',` -@@ -209,7 +219,7 @@ +@@ -209,7 +222,7 @@ allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -38083,7 +38163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dev_read_urand(ssh_keysign_t) -@@ -232,33 +242,44 @@ +@@ -232,33 +245,44 @@ # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -38137,7 +38217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -266,11 +287,24 @@ +@@ -266,11 +290,24 @@ ') optional_policy(` @@ -38163,7 +38243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -284,6 +318,11 @@ +@@ -284,6 +321,11 @@ ') optional_policy(` @@ -38175,7 +38255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +331,26 @@ +@@ -292,26 +334,26 @@ ') ifdef(`TODO',` @@ -38221,7 +38301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') dnl endif TODO ######################################## -@@ -322,14 +361,18 @@ +@@ -322,14 +364,19 @@ # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t 
@@ -38237,11 +38317,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) +manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) ++userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) + kernel_read_kernel_sysctls(ssh_keygen_t) fs_search_auto_mountpoints(ssh_keygen_t) -@@ -353,7 +396,7 @@ +@@ -350,10 +397,12 @@ + + logging_send_syslog_msg(ssh_keygen_t) + ++userdom_search_admin_dir(ssh_keygen_t) ++userdom_search_user_home_dirs(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -39840,7 +39926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.9.7/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-10-12 20:42:49.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/services/virt.te 2011-03-04 12:27:33.713412996 +0000 ++++ serefpolicy-3.9.7/policy/modules/services/virt.te 2011-04-11 08:31:17.362000002 +0000 @@ -5,80 +5,97 @@ # Declarations # @@ -40038,11 +40124,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt xen_rw_image_files(svirt_t) ') -@@ -174,22 +210,31 @@ +@@ -174,22 +210,33 @@ # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched }; ++#kernel bug ++dontaudit virtd_t self:capability sys_module; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom 
@@ -40073,7 +40161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +245,14 @@ +@@ -200,8 +247,14 @@ manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -40090,7 +40178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -220,6 +271,7 @@ +@@ -220,6 +273,7 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -40098,7 +40186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -243,18 +295,27 @@ +@@ -243,18 +297,27 @@ dev_rw_kvm(virtd_t) dev_getattr_all_chr_files(virtd_t) dev_rw_mtrr(virtd_t) @@ -40127,7 +40215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +323,18 @@ +@@ -262,6 +325,18 @@ fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -40146,7 +40234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt mcs_process_set_categories(virtd_t) -@@ -285,16 +358,31 @@ +@@ -285,16 +360,31 @@ modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -40178,7 +40266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +401,10 @@ +@@ -313,6 +403,10 @@ ') optional_policy(` 
@@ -40189,7 +40277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dbus_system_bus_client(virtd_t) optional_policy(` -@@ -365,6 +457,8 @@ +@@ -365,6 +459,8 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -40198,7 +40286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -394,14 +488,26 @@ +@@ -394,14 +490,26 @@ # virtual domains common policy # @@ -40227,7 +40315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +528,7 @@ +@@ -422,6 +530,7 @@ corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -40235,7 +40323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +536,12 @@ +@@ -429,10 +538,12 @@ dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -40248,7 +40336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +549,11 @@ +@@ -440,6 +551,11 @@ fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -40260,7 +40348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +571,117 @@ +@@ -457,8 +573,117 @@ ') optional_policy(` 
@@ -43392,7 +43480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.9.7/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/system/authlogin.if 2011-02-25 17:40:40.786504046 +0000 ++++ serefpolicy-3.9.7/policy/modules/system/authlogin.if 2011-04-05 18:00:16.036000001 +0000 @@ -57,6 +57,8 @@ auth_exec_pam($1) auth_use_nsswitch($1) @@ -43548,10 +43636,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -736,6 +795,25 @@ - allow $1 faillog_t:file rw_file_perms; - ') +@@ -733,7 +792,26 @@ + ') + logging_search_logs($1) +- allow $1 faillog_t:file rw_file_perms; ++ rw_files_pattern($1, faillog_t, faillog_t) ++') ++ +######################################## +## +## Manage the login failure log. @@ -43569,11 +43661,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + + logging_search_logs($1) + allow $1 faillog_t:file manage_file_perms; -+') -+ + ') + ####################################### - ## - ## Read the last logins log. @@ -874,6 +952,26 @@ ######################################## @@ -46335,7 +46425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_system_change_exemption($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.9.7/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/system/logging.te 2011-03-25 09:51:10.512630001 +0000 ++++ serefpolicy-3.9.7/policy/modules/system/logging.te 2011-04-04 17:55:37.936000002 +0000 
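Review bot: The new `auth_manage_faillog` body at `+ allow $1 faillog_t:file manage_file_perms;` (hunk -43569) keeps a raw allow rule while `auth_rw_faillog`, changed in the hunk just above it, now uses `rw_files_pattern($1, faillog_t, faillog_t)`; the two sibling interfaces should take the same form, so `manage_files_pattern($1, faillog_t, faillog_t)` here. Both interfaces already call `logging_search_logs($1)` for the directory walk, so the `:dir search_dir_perms` half of the pattern macros is, if faillog_t labels only the regular file as I believe it does, a no-op; harmless, but worth a one-line comment if the pattern form is kept. The rest of authlogin.if is outside these hunks.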
@@ -19,6 +19,11 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) @@ -46356,7 +46446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -179,6 +185,8 @@ +@@ -179,10 +185,13 @@ logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -46365,7 +46455,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) -@@ -234,7 +242,12 @@ + mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory ++mls_socket_write_all_levels(auditd_t) + + seutil_dontaudit_read_config(auditd_t) + +@@ -234,7 +243,12 @@ files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) @@ -46378,7 +46473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(audisp_t) -@@ -244,14 +257,26 @@ +@@ -244,14 +258,26 @@ optional_policy(` dbus_system_bus_client(audisp_t) @@ -46406,9 +46501,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) -@@ -266,9 +291,16 @@ +@@ -265,10 +291,19 @@ + files_read_etc_files(audisp_remote_t) ++mls_socket_write_all_levels(audisp_remote_t) ++ logging_send_syslog_msg(audisp_remote_t) +logging_send_audit_msgs(audisp_remote_t) + @@ -46423,7 +46521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -338,7 +370,7 @@ +@@ -338,7 +373,7 @@ # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! 
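Review bot: `++mls_socket_write_all_levels(auditd_t)` in hunk -46365 is a new MLS constraint override added without a justification comment or a matching 3.9.7-39 changelog entry, whereas the adjacent `mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory` says why it exists. MLS overrides are hard to revisit later without that context; I would add something like `# MLS: auditd writes to a socket at another sensitivity level -- TODO record the denial that motivated this` so the rule can be tightened or dropped once the cause is known. The same applies to `++mls_socket_write_all_levels(audisp_remote_t)` in hunk -46406. The auditd_t and audisp_remote_t policy sections continue outside these hunks.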
@@ -46432,7 +46530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin dontaudit syslogd_t self:capability sys_tty_config; # setpgid for metalog # setrlimit for syslog-ng -@@ -369,9 +401,15 @@ +@@ -369,9 +404,15 @@ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -46448,7 +46546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -412,6 +450,7 @@ +@@ -412,6 +453,7 @@ dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) @@ -46456,7 +46554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_use_interactive_fds(syslogd_t) -@@ -422,6 +461,7 @@ +@@ -422,6 +464,7 @@ # /initrd is not umounted before minilog starts files_dontaudit_search_isid_type_dirs(syslogd_t) files_read_kernel_symbol_table(syslogd_t) @@ -46464,7 +46562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) -@@ -488,6 +528,10 @@ +@@ -488,6 +531,10 @@ ') optional_policy(` @@ -48003,7 +48101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.9.7/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/system/selinuxutil.te 2011-02-25 17:40:40.927500574 +0000 ++++ serefpolicy-3.9.7/policy/modules/system/selinuxutil.te 2011-04-04 18:44:52.443000002 +0000 @@ -1,4 +1,4 @@ -policy_module(selinuxutil, 1.14.0) +policy_module(selinuxutil, 1.14.1) 
@@ -48087,7 +48185,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu miscfiles_read_localization(load_policy_t) -@@ -204,7 +218,7 @@ +@@ -183,6 +197,7 @@ + + userdom_use_user_terminals(load_policy_t) + userdom_use_all_users_fds(load_policy_t) ++userdom_dontaudit_read_user_tmp_files(load_policy_t) + + ifdef(`distro_ubuntu',` + optional_policy(` +@@ -204,7 +219,7 @@ # Newrole local policy # @@ -48096,7 +48202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; -@@ -216,7 +230,7 @@ +@@ -216,7 +231,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -48105,7 +48211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -234,6 +248,7 @@ +@@ -234,6 +249,7 @@ domain_sigchld_interactive_fds(newrole_t) files_read_etc_files(newrole_t) @@ -48113,7 +48219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -260,25 +275,30 @@ +@@ -260,25 +276,30 @@ term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -48150,7 +48256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -312,6 +332,8 @@ +@@ -312,6 +333,8 @@ kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) 
@@ -48159,7 +48265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) -@@ -335,6 +357,8 @@ +@@ -335,6 +358,8 @@ seutil_libselinux_linked(restorecond_t) @@ -48168,7 +48274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -353,7 +377,7 @@ +@@ -353,7 +378,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -48177,7 +48283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -380,6 +404,8 @@ +@@ -380,6 +405,8 @@ selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) @@ -48186,7 +48292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) auth_domtrans_upd_passwd(run_init_t) -@@ -405,6 +431,15 @@ +@@ -405,6 +432,15 @@ ') ') @@ -48202,7 +48308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -420,190 +455,92 @@ +@@ -420,190 +456,92 @@ # semodule local policy # 
@@ -49299,8 +49405,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.9.7/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/system/udev.te 2011-02-25 17:40:40.949500032 +0000 -@@ -52,6 +52,7 @@ ++++ serefpolicy-3.9.7/policy/modules/system/udev.te 2011-04-11 08:34:05.273000002 +0000 +@@ -37,6 +37,8 @@ + # + + allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; ++#kernel bug ++dontaudit udev_t self:capability sys_module; + dontaudit udev_t self:capability sys_tty_config; + allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow udev_t self:process { execmem setfscreate }; +@@ -52,6 +54,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; @@ -49308,7 +49423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -72,7 +73,8 @@ +@@ -72,7 +75,8 @@ manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) @@ -49318,7 +49433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) -@@ -111,15 +113,20 @@ +@@ -111,15 +115,20 @@ files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) 
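Review bot: `++dontaudit udev_t self:capability sys_module;` is justified only by `++#kernel bug`, which gives a later maintainer no way to tell whether the bug is fixed or which udev operation trips the check. A dontaudit on sys_module silences exactly the denial that would reveal a udev helper attempting a module load, so the comment should name the trigger and the removal condition, e.g. `# kernel bug <BUG-ID placeholder>: <udev operation that triggers the sys_module check>; remove this dontaudit once fixed`. The preceding context line also lists `sys_nice` twice in the udev_t capability set; that is upstream text rather than this change, but a cleanup candidate. The udev_t section continues outside this hunk.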
@@ -49340,7 +49455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t mcs_ptrace_all(udev_t) -@@ -186,6 +193,7 @@ +@@ -186,6 +195,7 @@ fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -49348,7 +49463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t term_search_ptys(udev_t) -@@ -216,11 +224,16 @@ +@@ -216,11 +226,16 @@ ') optional_policy(` @@ -49365,7 +49480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') optional_policy(` -@@ -233,6 +246,10 @@ +@@ -233,6 +248,10 @@ ') optional_policy(` @@ -49376,7 +49491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t lvm_domtrans(udev_t) ') -@@ -259,6 +276,10 @@ +@@ -259,6 +278,10 @@ ') optional_policy(` @@ -49387,7 +49502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +294,11 @@ +@@ -273,6 +296,11 @@ ') optional_policy(` @@ -50166,7 +50281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.debug(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.9.7/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-10-12 20:42:50.000000000 +0000 -+++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2011-03-20 21:07:58.120630001 +0000 ++++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2011-04-04 18:03:36.285000001 +0000 @@ -30,8 +30,9 @@ ') @@ -51799,7 +51914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3135,3 +3493,855 @@ +@@ -3135,3 +3493,873 @@ allow $1 userdomain:dbus send_msg; ') 
@@ -52655,6 +52770,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + domain_transition_pattern($1, user_tmp_t, $2) + type_transition $1 user_tmp_t:process $2; +') ++ ++####################################### ++## ++## Send kill signals to all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_kill_all_users',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:process sigkill; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.9.7/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-10-12 20:42:50.000000000 +0000 +++ serefpolicy-3.9.7/policy/modules/system/userdomain.te 2011-02-25 17:40:40.957499835 +0000 diff --git a/selinux-policy.spec b/selinux-policy.spec index 3077b1c..30efe56 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.7 -Release: 38%{?dist} +Release: 39%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,21 @@ exit 0 %endif %changelog +* Mon Apr 11 2011 Miroslav Grepl 3.9.7-39 +- Allow foghor to read snmp lib files +- Other fixes for foghorn policy +- Make sysadm security admin +- Fix ssh_sysadm_login boolean +- Fix seunshare interface +- Add allow_sysadm_manage_security boolean +- Add label for /dev/dlm.* +- Allow auditadm_screen_t and secadm_screen_t dac_override capability +- SSH_USE_STRONG_RNG is 1 which requires /dev/random +- Fix auth_rw_faillog definition +- Allow procmail and system_mail_t to user fifo_file passed into it from postfix_master +- Fixes for nslcd policy +- Allow rgmanager to send the kill signal to all users + * Fri Mar 25 2011 Miroslav Grepl 3.9.7-38 - Add support for a new cluster service - foghorn - Add /var/spool/audit support for new version of audit
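Review bot: `userdom_kill_all_users` grants `allow $1 userdomain:process sigkill;`, i.e. only SIGKILL but over every domain carrying the `userdomain` attribute, which as I read refpolicy includes the administrative user domains; the summary `## Send kill signals to all user domains.` understates the scope and overstates the signal set. I would make the summary `## Send SIGKILL to all user domains, including administrative user domains.` and add `## Only the sigkill permission is granted; no other process signal is included.` to the description. The changelog names rgmanager as the intended caller; none of that caller's policy is in these hunks.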