diff --git a/policy-F14.patch b/policy-F14.patch index e7984de..1357638 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -10,6 +10,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.8.8/M net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.8.8/man/man8/ftpd_selinux.8 +--- nsaserefpolicy/man/man8/ftpd_selinux.8 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.8.8/man/man8/ftpd_selinux.8 2010-08-23 13:38:00.000000000 -0400 +@@ -15,7 +15,7 @@ + semanage fcontext -a -t public_content_t "/var/ftp(/.*)?" + .TP + .B +-restorecon -R -v /var/ftp ++restorecon -F -R -v /var/ftp + .TP + Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. + .PP +@@ -23,7 +23,7 @@ + semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?" + .TP + .B +-restorecon -R -v /var/ftp/incoming ++restorecon -F -R -v /var/ftp/incoming + + .SH BOOLEANS + .PP diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/git_selinux.8 serefpolicy-3.8.8/man/man8/git_selinux.8 --- nsaserefpolicy/man/man8/git_selinux.8 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/man/man8/git_selinux.8 2010-07-30 14:06:53.000000000 -0400 
@@ -3364,8 +3385,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.8.8/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/gnome.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -1,8 +1,28 @@ ++++ serefpolicy-3.8.8/policy/modules/apps/gnome.fc 2010-08-23 10:35:05.000000000 -0400 +@@ -1,8 +1,30 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) @@ -3375,8 +3396,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) +/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) ++/HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) + +/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) ++/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) +/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) @@ -3398,7 +3421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.8.8/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/gnome.if 2010-08-05 09:43:28.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/apps/gnome.if 2010-08-23 14:05:52.000000000 -0400 
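Review bot: The new `/HOME_DIR/\.xine(/.*)?` entry in the gnome.fc hunk (`@@ -3375,8 +3396,10 @@`) starts with a slash before `HOME_DIR`, while every other home entry in the same hunk (`HOME_DIR/\.cache`, `HOME_DIR/\.config`, `HOME_DIR/\.local`) uses the bare macro; it copies the pre-existing `/HOME_DIR/\.Xdefaults` line rather than the file's convention. If the home-directory template substitution only recognises entries that begin with `HOME_DIR`, neither line will ever label anything and `~/.xine` keeps its parent's label — that is inferred from the surrounding entries, not verified here. Suggest `HOME_DIR/\.xine(/.*)?  gen_context(system_u:object_r:config_home_t,s0)` and the same correction for the `.Xdefaults` line while the hunk is open. The `/root/\.xine(/.*)?` entry is written correctly.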
@@ -74,6 +74,24 @@ ######################################## @@ -4064,7 +4087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ## Send generic signals to user gpg processes. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.8.8/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/gpg.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/apps/gpg.te 2010-08-23 14:06:23.000000000 -0400 @@ -4,6 +4,7 @@ # # Declarations @@ -4127,7 +4150,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s mta_write_config(gpg_t) -@@ -151,10 +167,10 @@ +@@ -142,6 +158,10 @@ + ') + + optional_policy(` ++ gnome_read_config(gpg_t) ++') ++ ++optional_policy(` + mozilla_read_user_home_files(gpg_t) + mozilla_write_user_home_files(gpg_t) + ') +@@ -151,10 +171,10 @@ xserver_rw_xdm_pipes(gpg_t) ') @@ -4142,7 +4176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s ######################################## # -@@ -205,6 +221,7 @@ +@@ -205,6 +225,7 @@ # # GPG agent local policy # @@ -4150,7 +4184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s # rlimit: gpg-agent wants to prevent coredumps allow gpg_agent_t self:process setrlimit; -@@ -245,6 +262,7 @@ +@@ -245,6 +266,7 @@ ifdef(`hide_broken_symptoms',` userdom_dontaudit_read_user_tmp_files(gpg_agent_t) @@ -4158,7 +4192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s ') tunable_policy(`gpg_agent_env_file',` -@@ -332,6 +350,9 @@ +@@ -332,6 +354,9 @@ # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) userdom_read_user_tmpfs_files(gpg_pinentry_t) 
@@ -4168,7 +4202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) -@@ -347,6 +368,12 @@ +@@ -347,6 +372,12 @@ ') optional_policy(` @@ -4181,7 +4215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -356,4 +383,25 @@ +@@ -356,4 +387,28 @@ optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) @@ -4195,6 +4229,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s + +allow gpg_web_t self:process setrlimit; + ++dev_read_rand(gpg_web_t) ++dev_read_urand(gpg_web_t) ++ +can_exec(gpg_web_t, gpg_exec_t) + +files_read_usr_files(gpg_web_t) @@ -4798,7 +4835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.8.8/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te 2010-08-19 06:47:05.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te 2010-08-23 17:17:34.000000000 -0400 @@ -25,6 +25,7 @@ type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; 
@@ -4821,15 +4858,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ######################################## # # Local policy -@@ -89,6 +97,7 @@ +@@ -89,16 +97,20 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) corenet_tcp_sendrecv_http_cache_port(mozilla_t) ++corenet_tcp_sendrecv_squid_port(mozilla_t) +corenet_tcp_connect_flash_port(mozilla_t) corenet_tcp_sendrecv_ftp_port(mozilla_t) corenet_tcp_sendrecv_ipp_port(mozilla_t) corenet_tcp_connect_http_port(mozilla_t) -@@ -238,6 +247,7 @@ + corenet_tcp_connect_http_cache_port(mozilla_t) ++corenet_tcp_connect_squid_port(mozilla_t) + corenet_tcp_connect_ftp_port(mozilla_t) + corenet_tcp_connect_ipp_port(mozilla_t) + corenet_tcp_connect_generic_port(mozilla_t) + corenet_tcp_connect_soundd_port(mozilla_t) + corenet_sendrecv_http_client_packets(mozilla_t) + corenet_sendrecv_http_cache_client_packets(mozilla_t) ++corenet_sendrecv_squid_client_packets(mozilla_t) + corenet_sendrecv_ftp_client_packets(mozilla_t) + corenet_sendrecv_ipp_client_packets(mozilla_t) + corenet_sendrecv_generic_client_packets(mozilla_t) +@@ -238,6 +250,7 @@ optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) @@ -4837,7 +4887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -258,6 +268,11 @@ +@@ -258,6 +271,11 @@ ') optional_policy(` @@ -4849,7 +4899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +281,17 @@ +@@ -266,3 +284,17 @@ optional_policy(` thunderbird_domtrans(mozilla_t) ') 
@@ -5360,8 +5410,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-13 15:48:58.000000000 -0400 -@@ -0,0 +1,301 @@ ++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-23 17:18:54.000000000 -0400 +@@ -0,0 +1,306 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -5460,6 +5510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +corenet_tcp_connect_pulseaudio_port(nsplugin_t) +corenet_tcp_connect_http_port(nsplugin_t) +corenet_tcp_connect_http_cache_port(nsplugin_t) ++corenet_tcp_connect_squid_port(nsplugin_t) +corenet_tcp_sendrecv_generic_if(nsplugin_t) +corenet_tcp_sendrecv_generic_node(nsplugin_t) +corenet_tcp_connect_ipp_port(nsplugin_t) @@ -5554,6 +5605,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') + +optional_policy(` ++ sandbox_read_tmpfs_files(nsplugin_t) ++') ++ ++optional_policy(` + gen_require(` + type user_tmpfs_t; + ') @@ -6116,8 +6171,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.8.8/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if 2010-08-18 06:43:23.000000000 -0400 -@@ -0,0 +1,314 @@ ++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if 2010-08-23 08:34:27.000000000 -0400 +@@ -0,0 +1,333 @@ + +## policy for sandbox + 
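Review bot: `sandbox_read_tmpfs_files(nsplugin_t)` in the nsplugin.te hunk (`@@ -5554,6 +5605,10 @@`) grants read access over the whole `sandbox_tmpfs_type` attribute, because the interface added in sandbox.if on the next line (`@@ -6325,6 +6380,25 @@`) is written as `allow $1 sandbox_tmpfs_type:file read_file_perms;`. Since nsplugin_t is one shared domain, a plugin process can read the tmpfs files of every sandbox instance, not only the one that launched it; whether that crosses a boundary the sandbox design intends to hold cannot be confirmed from this hunk, so it should at least be stated in the interface's description, e.g. `## Read tmpfs files of all sandbox domains (attribute-wide grant).`. If per-instance isolation is intended, the grant should be scoped to the caller's own sandbox tmpfs type rather than the attribute. The optional_policy block enclosing the call is fully inside the hunk.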
@@ -6325,6 +6380,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +######################################## +## ++## allow domain to read ++## sandbox tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_read_tmpfs_files',` ++ gen_require(` ++ attribute sandbox_tmpfs_type; ++ ') ++ ++ allow $1 sandbox_tmpfs_type:file read_file_perms; ++') ++ ++######################################## ++## +## allow domain to manage +## sandbox tmpfs files +## @@ -6434,8 +6508,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-19 07:46:41.000000000 -0400 -@@ -0,0 +1,397 @@ ++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-23 17:16:41.000000000 -0400 +@@ -0,0 +1,400 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -6730,10 +6804,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +corenet_raw_sendrecv_all_nodes(sandbox_web_type) +corenet_tcp_sendrecv_http_port(sandbox_web_type) +corenet_tcp_sendrecv_http_cache_port(sandbox_web_type) ++corenet_tcp_sendrecv_squid_port(sandbox_web_type) +corenet_tcp_sendrecv_ftp_port(sandbox_web_type) +corenet_tcp_sendrecv_ipp_port(sandbox_web_type) +corenet_tcp_connect_http_port(sandbox_web_type) +corenet_tcp_connect_http_cache_port(sandbox_web_type) ++corenet_tcp_connect_squid_port(sandbox_web_type) +corenet_tcp_connect_flash_port(sandbox_web_type) +corenet_tcp_connect_ftp_port(sandbox_web_type) +corenet_tcp_connect_ipp_port(sandbox_web_type) 
@@ -6745,6 +6821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +corenet_tcp_connect_speech_port(sandbox_web_type) +corenet_sendrecv_http_client_packets(sandbox_web_type) +corenet_sendrecv_http_cache_client_packets(sandbox_web_type) ++corenet_sendrecv_squid_client_packets(sandbox_web_type) +corenet_sendrecv_ftp_client_packets(sandbox_web_type) +corenet_sendrecv_ipp_client_packets(sandbox_web_type) +corenet_sendrecv_generic_client_packets(sandbox_web_type) @@ -7567,8 +7644,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.8.8/policy/modules/apps/userhelper.te --- nsaserefpolicy/policy/modules/apps/userhelper.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/userhelper.te 2010-07-30 14:06:53.000000000 -0400 -@@ -6,9 +6,51 @@ ++++ serefpolicy-3.8.8/policy/modules/apps/userhelper.te 2010-08-23 08:31:37.000000000 -0400 +@@ -6,9 +6,54 @@ # attribute userhelper_type; @@ -7604,9 +7681,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp + +corecmd_exec_bin(consolehelper_domain) + -+files_read_etc_files(consolehelper_domain) ++files_read_config_files(consolehelper_domain) ++files_read_usr_files(consolehelper_domain) + +auth_search_pam_console_data(consolehelper_domain) ++auth_read_pam_pid(consolehelper_domain) + +init_read_utmp(consolehelper_domain) + @@ -7616,6 +7695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp + +userdom_use_user_ptys(consolehelper_domain) +userdom_use_user_ttys(consolehelper_domain) ++userdom_search_user_home_content(consolehelper_domain) + +optional_policy(` + xserver_stream_connect(consolehelper_domain) 
@@ -7943,7 +8023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in 2010-08-04 13:10:54.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in 2010-08-23 17:15:30.000000000 -0400 @@ -24,6 +24,7 @@ # type tun_tap_device_t; @@ -7994,6 +8074,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) +@@ -109,7 +117,7 @@ + network_port(howl, tcp,5335,s0, udp,5353,s0) + network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) + network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port +-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy ++network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy + network_port(i18n_input, tcp,9010,s0) + network_port(imaze, tcp,5323,s0, udp,5323,s0) + network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) 
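Review bot: Removing `tcp,3128` from `http_cache` in the corenetwork.te.in hunk (`@@ -7994,6 +8074,15 @@`) and re-declaring it under `squid` (`@@ -8074,7 +8163,8 @@` on the next line) relabels an existing port, so any domain that today reaches 3128 only through `corenet_tcp_connect_http_cache_port` is denied after this update. The commit adds the matching `corenet_*_squid_*` calls for mozilla_t, nsplugin_t, sandbox_web_type, xguest_usertype and httpd_t, but nothing in the patch shows the remaining callers of the http_cache interfaces being audited, so a comment on the squid line, `# 3128 moved here from http_cache; domains needing it must call the *_squid_port interfaces`, would record the migration for later readers. The trailing `# snmp and htcp` comment on that line is now incomplete, since the line also carries the proxy port.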
@@ -124,29 +132,32 @@ network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -8074,7 +8163,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) network_port(spamd, tcp,783,s0) network_port(speech, tcp,8036,s0) - network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp +-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp ++network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp network_port(ssh, tcp,22,s0) +network_port(streaming, tcp, 1755, s0, udp, 1755, s0) type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict @@ -8134,7 +8224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-08-16 07:06:37.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-08-21 06:37:45.000000000 -0400 @@ -461,6 +461,24 @@ ######################################## 
@@ -8185,7 +8275,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Read and write generic character device files. ## ## -@@ -606,6 +642,24 @@ +@@ -515,6 +551,24 @@ + + ######################################## + ## ++## Read and write generic block device files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_generic_blk_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ allow $1 device_t:blk_file rw_chr_file_perms; ++') ++ ++######################################## ++## + ## Create generic character device files. + ## + ## +@@ -606,6 +660,24 @@ ######################################## ## @@ -8210,7 +8325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Create, delete, read, and write symbolic links in device directories. ## ## -@@ -1015,6 +1069,42 @@ +@@ -1015,6 +1087,42 @@ ######################################## ## @@ -8253,7 +8368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Delete all block device files. ## ## -@@ -1277,6 +1367,24 @@ +@@ -1277,6 +1385,24 @@ ######################################## ## @@ -8278,7 +8393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Do not audit attempts to get the attributes of ## the autofs device node. ## -@@ -3540,6 +3648,24 @@ +@@ -3540,6 +3666,24 @@ ######################################## ## @@ -8303,7 +8418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of sysfs directories. ## ## -@@ -3851,6 +3977,24 @@ +@@ -3851,6 +3995,24 @@ ######################################## ## @@ -8328,7 +8443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## -@@ -4161,11 +4305,10 @@ +@@ -4161,11 +4323,10 @@ # interface(`dev_rw_vhost',` gen_require(` 
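Review bot: The new `dev_rw_generic_blk_files` interface in the devices.if hunk (`@@ -8185,7 +8275,32 @@`) allows `device_t:blk_file rw_chr_file_perms` — a block-file class paired with the character-file permission set, where the neighbouring interfaces use the class-matching macro. Even if both macros currently expand to the same permissions, the mismatch reads as a copy of the `dev_rw_generic_chr_files` rule and will silently diverge if either set is ever changed; use `allow $1 device_t:blk_file rw_blk_file_perms;`. Because `device_t` is the label block devices keep when no more specific type applies, the description should also make the breadth explicit, e.g. `## Read and write block device files that carry only the generic device_t label.`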
@@ -9583,8 +9698,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.8.8/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/kernel.if 2010-07-30 14:06:53.000000000 -0400 -@@ -1977,7 +1977,7 @@ ++++ serefpolicy-3.8.8/policy/modules/kernel/kernel.if 2010-08-23 17:02:01.000000000 -0400 +@@ -698,6 +698,26 @@ + + ######################################## + ## ++## Read/Write information from the debugging filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_rw_debugfs',` ++ gen_require(` ++ type debugfs_t; ++ ') ++ ++ rw_files_pattern($1, debugfs_t, debugfs_t) ++ read_lnk_files_pattern($1, debugfs_t, debugfs_t) ++ list_dirs_pattern($1, debugfs_t, debugfs_t) ++') ++ ++######################################## ++## + ## Mount a kernel VM filesystem. + ## + ## +@@ -1977,7 +1997,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -9593,7 +9735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') ######################################## -@@ -2845,6 +2845,24 @@ +@@ -2845,6 +2865,24 @@ ######################################## ## @@ -9618,7 +9760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Unconfined access to kernel module resources. ## ## -@@ -2860,3 +2878,23 @@ +@@ -2860,3 +2898,23 @@ typeattribute $1 kern_unconfined; ') 
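Review bot: `kernel_rw_debugfs` in the kernel.if hunk (`@@ -9583,8 +9698,35 @@`) is documented as `Read/Write information from the debugging filesystem`, but `rw_files_pattern($1, debugfs_t, debugfs_t)` grants write access to every debugfs entry, and on common kernels debugfs carries control knobs (tracing, driver debug switches) rather than just information. The description should say what the caller actually receives, e.g. `## Read and write all files in the kernel debugging filesystem (debugfs); writes can alter kernel debug and tracing state.`, so that a caller needing only reads reaches for a read-only interface instead. Whether a read-only sibling exists is not visible in this hunk.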
@@ -9706,7 +9848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel # Unlabeled process local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.8.8/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if 2010-08-23 17:02:47.000000000 -0400 @@ -40,7 +40,7 @@ # because of this statement, any module which @@ -9716,7 +9858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu ') ######################################## -@@ -202,6 +202,7 @@ +@@ -202,10 +202,31 @@ type security_t; ') @@ -9724,7 +9866,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') -@@ -223,6 +224,7 @@ + ++ ++######################################## ++## ++## Do not audit attempts to write ++## generic selinuxfs entries ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`selinux_dontaudit_write_fs',` ++ gen_require(` ++ type security_t; ++ ') ++ ++ dontaudit $1 security_t:dir write; ++') ++ + ######################################## + ## + ## Allows the caller to get the mode of policy enforcement +@@ -223,6 +244,7 @@ type security_t; ') @@ -9732,7 +9898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; ') -@@ -404,6 +406,7 @@ +@@ -404,6 +426,7 @@ ') allow $1 security_t:dir list_dir_perms; 
@@ -9740,7 +9906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu allow $1 boolean_type:file rw_file_perms; if(!secure_mode_policyload) { -@@ -622,3 +625,23 @@ +@@ -622,3 +645,42 @@ typeattribute $1 selinux_unconfined_type; ') @@ -9764,6 +9930,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu + fs_type($1) + mls_trusted_object($1) +') ++ ++######################################## ++## ++## Unmount a security filesystem. ++## ++## ++## ++## The type of the domain unmounting the filesystem. ++## ++## ++# ++interface(`selinux_unmount_fs',` ++ gen_require(` ++ type security_t; ++ ') ++ ++ allow $1 security_t:filesystem unmount; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.8.8/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc 2010-07-30 14:06:53.000000000 -0400 @@ -11699,7 +11884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.8.8/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/roles/xguest.te 2010-08-19 07:42:55.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/roles/xguest.te 2010-08-23 17:20:22.000000000 -0400 @@ -14,7 +14,7 @@ ## @@ -11758,7 +11943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. ') ') -@@ -76,23 +84,87 @@ +@@ -76,23 +84,90 @@ ') optional_policy(` 
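Review bot: `selinux_unmount_fs` in the selinux.if hunk (`@@ -9764,6 +9930,25 @@`) grants `security_t:filesystem unmount`, which detaches the selinuxfs instance that userspace relies on to query policy, so the description `Unmount a security filesystem.` undersells it; suggest `## Unmount selinuxfs (security_t). Userspace SELinux tooling depends on it being mounted; grant only to domains that manage the mount itself.` The hunk also appends a second empty `+` line after the closing `')`, leaving the file with a trailing blank line, unlike the other interfaces in the file which end at `')`.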
@@ -11813,10 +11998,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. + corenet_raw_sendrecv_generic_node(xguest_usertype) + corenet_tcp_sendrecv_http_port(xguest_usertype) + corenet_tcp_sendrecv_http_cache_port(xguest_usertype) ++ corenet_tcp_sendrecv_squid_port(xguest_usertype) + corenet_tcp_sendrecv_ftp_port(xguest_usertype) + corenet_tcp_sendrecv_ipp_port(xguest_usertype) + corenet_tcp_connect_http_port(xguest_usertype) + corenet_tcp_connect_http_cache_port(xguest_usertype) ++ corenet_tcp_connect_squid_port(xguest_usertype) + corenet_tcp_connect_flash_port(xguest_usertype) + corenet_tcp_connect_ftp_port(xguest_usertype) + corenet_tcp_connect_ipp_port(xguest_usertype) @@ -11824,6 +12011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. + corenet_tcp_connect_soundd_port(xguest_usertype) + corenet_sendrecv_http_client_packets(xguest_usertype) + corenet_sendrecv_http_cache_client_packets(xguest_usertype) ++ corenet_sendrecv_squid_client_packets(xguest_usertype) + corenet_sendrecv_ftp_client_packets(xguest_usertype) + corenet_sendrecv_ipp_client_packets(xguest_usertype) + corenet_sendrecv_generic_client_packets(xguest_usertype) @@ -11958,7 +12146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.8/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/abrt.te 2010-08-03 09:01:25.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/abrt.te 2010-08-23 09:53:21.000000000 -0400 @@ -5,6 +5,14 @@ # Declarations # 
@@ -12445,7 +12633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.8/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/apache.if 2010-08-03 09:01:04.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/apache.if 2010-08-21 06:54:45.000000000 -0400 @@ -13,17 +13,13 @@ # template(`apache_content_template',` @@ -12696,7 +12884,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_search_var($1) ') -@@ -841,6 +895,74 @@ +@@ -836,11 +890,80 @@ + ') + + files_search_var($1) ++ apache_search_sys_content($1) + manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -12737,7 +12931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + type httpd_sys_rw_content_t; + ') + -+ files_search_var($1) ++ files_search_var($1) + manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) @@ -12771,7 +12965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Execute all web scripts in the system -@@ -858,6 +980,11 @@ +@@ -858,6 +981,11 @@ gen_require(` attribute httpdcontent; type httpd_sys_script_t; 
@@ -12783,7 +12977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -945,7 +1072,7 @@ +@@ -945,7 +1073,7 @@ type httpd_squirrelmail_t; ') @@ -12792,7 +12986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1086,6 +1213,25 @@ +@@ -1086,6 +1214,25 @@ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -12818,7 +13012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Dontaudit attempts to write -@@ -1102,7 +1248,7 @@ +@@ -1102,7 +1249,7 @@ type httpd_tmp_t; ') @@ -12827,7 +13021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1172,7 +1318,7 @@ +@@ -1172,7 +1319,7 @@ type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; @@ -12836,7 +13030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') allow $1 httpd_t:process { getattr ptrace signal_perms }; -@@ -1202,12 +1348,43 @@ +@@ -1202,12 +1349,43 @@ kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; @@ -12883,7 +13077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.8.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/apache.te 2010-08-10 11:21:49.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/apache.te 2010-08-23 17:21:05.000000000 -0400 @@ -18,6 +18,8 @@ # Declarations # 
@@ -12928,7 +13122,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow HTTPD scripts and modules to connect to databases over the network. ##

## -@@ -100,6 +123,13 @@ +@@ -71,6 +94,13 @@ + + ## + ##

++## Allow http daemon to check spam ++##

++##
++gen_tunable(httpd_can_check_spam, false) ++ ++## ++##

+ ## Allow Apache to communicate with avahi service via dbus + ##

+ ##
+@@ -100,6 +130,13 @@ ## ##
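Review bot: `gen_tunable(httpd_can_check_spam, false)` in the apache.te hunk (`@@ -12928,7 +13122,21 @@`) declares a new boolean, but no `tunable_policy(`httpd_can_check_spam', …')` block that consumes it appears anywhere in this view; if the consumer lives in a hunk outside what is shown that is fine, otherwise the boolean is a toggle that controls nothing while still being advertised to administrators. Its description `Allow http daemon to check spam` also departs from the neighbouring entries, which name the subject as HTTPD and state what is reached, e.g. `## Allow HTTPD to connect to the spamd port to check mail for spam` — word it to match whatever the consuming rule actually grants. The surrounding description markup appears stripped in this rendering, so only the wording is under review here.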

@@ -12942,7 +13150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ##

##
-@@ -107,6 +137,13 @@ +@@ -107,6 +144,13 @@ ## ##

@@ -12956,7 +13164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. -@@ -130,7 +167,7 @@ +@@ -130,7 +174,7 @@ ## ##

@@ -12965,7 +13173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ##

##
gen_tunable(httpd_use_gpg, false) -@@ -142,6 +179,13 @@ +@@ -142,6 +186,13 @@ ## gen_tunable(httpd_use_nfs, false) @@ -12979,7 +13187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac attribute httpdcontent; attribute httpd_user_content_type; -@@ -216,7 +260,10 @@ +@@ -216,7 +267,10 @@ # setup the system domain for system CGI scripts apache_content_template(sys) @@ -12991,7 +13199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +273,10 @@ +@@ -226,6 +280,10 @@ apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -13002,7 +13210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +284,7 @@ +@@ -233,6 +291,7 @@ userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; @@ -13010,7 +13218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -286,6 +338,7 @@ +@@ -286,6 +345,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) 
@@ -13018,7 +13226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -355,6 +408,7 @@ +@@ -355,6 +415,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -13026,7 +13234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,8 +419,10 @@ +@@ -365,8 +426,10 @@ corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -13037,7 +13245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -378,12 +434,12 @@ +@@ -378,12 +441,12 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -13053,7 +13261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domain_use_interactive_fds(httpd_t) -@@ -402,6 +458,10 @@ +@@ -402,6 +465,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -13064,7 +13272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_read_lib_files(httpd_t) -@@ -416,16 +476,31 @@ +@@ -416,16 +483,31 @@ userdom_use_unpriv_users_fds(httpd_t) 
@@ -13098,16 +13306,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -446,6 +521,16 @@ +@@ -439,13 +521,25 @@ + corenet_tcp_connect_ftp_port(httpd_t) + corenet_tcp_connect_http_port(httpd_t) + corenet_tcp_connect_http_cache_port(httpd_t) ++ corenet_tcp_connect_squid_port(httpd_t) + corenet_tcp_connect_memcache_port(httpd_t) + corenet_sendrecv_gopher_client_packets(httpd_t) + corenet_sendrecv_ftp_client_packets(httpd_t) + corenet_sendrecv_http_client_packets(httpd_t) corenet_sendrecv_http_cache_client_packets(httpd_t) - ') - ++ corenet_sendrecv_squid_client_packets(httpd_t) ++') ++ +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; + filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) -+') -+ + ') + +tunable_policy(`allow_httpd_sys_script_anon_write',` + miscfiles_manage_public_files(httpd_sys_script_t) +') @@ -13115,7 +13332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` fs_nfs_domtrans(httpd_t, httpd_sys_script_t) ') -@@ -456,6 +541,10 @@ +@@ -456,6 +550,10 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -13126,7 +13343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -470,11 +559,25 @@ +@@ -470,11 +568,25 @@ userdom_read_user_home_content_files(httpd_t) ') 
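Review bot: The new `corenet_tcp_connect_squid_port(httpd_t)` and `corenet_sendrecv_squid_client_packets(httpd_t)` sit inside a tunable_policy block whose opening line lies outside this hunk, so the boolean that gates them cannot be confirmed from here; the neighbouring ftp/http/http_cache/memcache rules suggest it is the relay tunable, and the pair must stay under that boolean rather than drift into the unconditional section when the closing `')` lines are reshuffled as they are here. Since squid_port_t (3128) is a separate type from http_cache_port_t, the boolean's `## <desc>` text at the top of apache.te should say that relaying to squid is now covered, otherwise an administrator reading `semanage boolean -l` will not expect it. A one-line comment above the pair, `# squid (3128) is labeled squid_port_t, not http_cache_port_t, so it needs its own rules`, would explain why both rules are needed.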
@@ -13152,7 +13369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +587,16 @@ +@@ -484,7 +596,16 @@ # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -13169,7 +13386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_ssi_exec',` -@@ -500,8 +612,10 @@ +@@ -500,8 +621,10 @@ # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) @@ -13180,7 +13397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -513,7 +627,13 @@ +@@ -513,7 +636,13 @@ ') optional_policy(` @@ -13195,7 +13412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -528,7 +648,7 @@ +@@ -528,7 +657,7 @@ daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -13204,7 +13421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +657,12 @@ +@@ -537,8 +666,12 @@ ') optional_policy(` @@ -13218,7 +13435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -557,6 +681,7 @@ +@@ -557,6 +690,7 @@ optional_policy(` # Allow httpd to work with mysql @@ -13226,7 +13443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +692,7 @@ +@@ -567,6 +701,7 @@ optional_policy(` nagios_read_config(httpd_t) @@ -13234,7 +13451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -577,12 +703,23 @@ +@@ -577,12 +712,23 @@ ') optional_policy(` 
@@ -13258,7 +13475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -591,6 +728,11 @@ +@@ -591,6 +737,11 @@ ') optional_policy(` @@ -13270,7 +13487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +745,10 @@ +@@ -603,6 +754,10 @@ yam_read_content(httpd_t) ') @@ -13281,7 +13498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache helper local policy -@@ -618,6 +764,10 @@ +@@ -618,6 +773,10 @@ userdom_use_user_terminals(httpd_helper_t) @@ -13292,7 +13509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -699,17 +849,18 @@ +@@ -699,17 +858,18 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -13314,7 +13531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +891,21 @@ +@@ -740,10 +900,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -13337,7 +13554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +931,12 @@ +@@ -769,6 +940,12 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -13350,7 +13567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -792,9 +960,13 @@ +@@ -792,9 +969,13 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) 
@@ -13364,10 +13581,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +975,22 @@ +@@ -803,6 +984,28 @@ mta_send_mail(httpd_sys_script_t) ') ++optional_policy(` ++ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` ++ spamassassin_domtrans_client(httpd_t) ++ ') ++') ++ +fs_cifs_entry_type(httpd_sys_script_t) +fs_read_iso9660_files(httpd_sys_script_t) +fs_nfs_entry_type(httpd_sys_script_t) @@ -13387,7 +13610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1018,16 @@ +@@ -830,6 +1033,16 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -13404,7 +13627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1040,7 @@ +@@ -842,6 +1055,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -13412,7 +13635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -891,11 +1090,33 @@ +@@ -891,11 +1105,33 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; 
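Review bot: The added `spamassassin_domtrans_client(httpd_t)` grants the transition to the httpd_t daemon domain, yet the block is inserted under the heading "Apache system script local policy" next to `mta_send_mail(httpd_sys_script_t)`, so anyone auditing httpd_t's mail rules in the `httpd_can_sendmail` block (the one containing `corenet_tcp_connect_smtp_port(httpd_t)`) will not find it. Either move the block up beside that tunable, or, if CGI scripts are the intended callers of spamc, change the subject to `httpd_sys_script_t`; which is meant cannot be told from the hunk. I also cannot see a `gen_tunable(httpd_can_check_spam, false)` declaration with its `## <desc>` entry in the visible hunks — the seven lines added to the declarations section earlier in this patch are collapsed — so confirm it exists, because a tunable_policy on an undeclared boolean should fail the module build.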
@@ -13964,8 +14187,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-08-20 07:29:39.000000000 -0400 -@@ -0,0 +1,146 @@ ++++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-08-23 09:55:03.000000000 -0400 +@@ -0,0 +1,152 @@ +policy_module(boinc,1.0.0) + +######################################## @@ -14004,7 +14227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +# + +allow boinc_t self:capability { kill }; -+allow boinc_t self:process { setsched }; ++allow boinc_t self:process { setsched sigkill }; + +allow boinc_t self:fifo_file rw_fifo_file_perms; +allow boinc_t self:unix_stream_socket create_stream_socket_perms; @@ -14099,6 +14322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +allow boinc_project_t boinc_t:shm rw_shm_perms; +allow boinc_project_t boinc_tmpfs_t:file { read write }; + ++list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) +rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) + +kernel_read_system_state(boinc_project_t) @@ -14106,10 +14330,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +kernel_search_vm_sysctl(boinc_project_t) +kernel_read_network_state(boinc_project_t) + ++corecmd_exec_bin(boinc_project_t) ++corecmd_exec_shell(boinc_project_t) ++ +corenet_tcp_connect_boinc_port(boinc_project_t) + +dev_rw_xserver_misc(boinc_project_t) + ++files_read_etc_files(boinc_project_t) ++ +miscfiles_read_localization(boinc_project_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.8.8/policy/modules/services/bugzilla.fc 
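Review bot: `corecmd_exec_bin(boinc_project_t)` and `corecmd_exec_shell(boinc_project_t)` are granted unconditionally in the boinc_project_t local policy; judging by the name this is the domain in which downloaded project applications run, so they can now spawn any system binary or a shell while keeping the `dev_rw_xserver_misc` and `rw_files_pattern(... boinc_var_lib_t ...)` access visible in the same section. If only some projects ship wrapper scripts, gating the pair behind a tunable with a `## <desc>` entry would keep the default tight; if it must be unconditional, record why with `# project wrapper scripts exec the shell and system binaries -- confirm which project triggered this`. The `sigkill` addition to boinc_t's own process permissions looks fine for a client that kills its project children.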
@@ -14768,7 +14997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro corenet_udp_bind_chronyd_port(chronyd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-18 19:16:59.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-23 11:36:59.000000000 -0400 @@ -80,6 +80,7 @@ files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) @@ -14827,6 +15056,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam optional_policy(` cron_system_entry(freshclam_t, freshclam_exec_t) ') +@@ -251,6 +261,7 @@ + corenet_tcp_connect_clamd_port(clamscan_t) + + kernel_read_kernel_sysctls(clamscan_t) ++kernel_read_system_state(clamscan_t) + + files_read_etc_files(clamscan_t) + files_read_etc_runtime_files(clamscan_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.fc serefpolicy-3.8.8/policy/modules/services/cmirrord.fc --- nsaserefpolicy/policy/modules/services/cmirrord.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.8.8/policy/modules/services/cmirrord.fc 2010-07-30 14:06:53.000000000 -0400 
@@ -16525,7 +16762,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph kernel_read_kernel_sysctls(cyphesis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.8.8/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cyrus.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/cyrus.te 2010-08-23 13:57:07.000000000 -0400 +@@ -26,7 +26,7 @@ + # Local policy + # + +-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; ++allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource }; + dontaudit cyrus_t self:capability sys_tty_config; + allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow cyrus_t self:process setrlimit; @@ -135,6 +135,7 @@ ') @@ -19801,7 +20047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-08-17 07:17:58.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-08-23 10:08:13.000000000 -0400 @@ -20,8 +20,8 @@ type etc_mail_t; files_config_file(etc_mail_t) @@ -19945,7 +20191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -249,6 +245,10 @@ +@@ -249,11 +245,16 @@ mailman_read_data_symlinks(mailserver_delivery) ') 
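Review bot: `fsetid` has been added to cyrus_t's allowed capabilities with no comment, but as far as I recall the kernel consults CAP_FSETID on any chmod of a file whose group the process is not in, merely to decide whether to clear the setgid bit, so the AVC that prompted this is frequently harmless and the usual refpolicy treatment is `dontaudit cyrus_t self:capability fsetid;` rather than an allow. Keep the allow only if Cyrus genuinely needs to preserve setuid/setgid bits on its files, and in that case add `# fsetid: cyrus preserves setgid on spool files when chmod-ing -- confirm against the triggering AVC` above the line so the next maintainer does not quietly drop it. The rest of the hunk is a header/date change only.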
@@ -19956,7 +20202,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ######################################## # # User send mail local policy -@@ -292,3 +292,42 @@ + # + ++ + domain_use_interactive_fds(user_mail_t) + + userdom_use_user_terminals(user_mail_t) +@@ -292,3 +293,44 @@ postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -19969,6 +20221,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. +allow user_mail_domain self:fifo_file rw_fifo_file_perms; +allow user_mail_domain mta_exec_type:file entrypoint; + ++read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t) ++ +can_exec(user_mail_domain, mta_exec_type) + +allow system_mail_t user_mail_domain:file read_file_perms; @@ -21697,7 +21951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-11 09:09:19.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-23 13:23:59.000000000 -0400 @@ -24,6 +24,9 @@ type policykit_reload_t alias polkit_reload_t; files_type(policykit_reload_t) @@ -21725,7 +21979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli policykit_domtrans_auth(policykit_t) -@@ -56,56 +60,107 @@ +@@ -56,10 +60,16 @@ manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) 
@@ -21741,9 +21995,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli +fs_list_inotifyfs(policykit_t) auth_use_nsswitch(policykit_t) -+auth_read_var_auth(policykit_t) - logging_send_syslog_msg(policykit_t) +@@ -67,45 +77,90 @@ miscfiles_read_localization(policykit_t) @@ -21821,6 +22074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli +fs_search_tmpfs(polkit_auth_t) auth_use_nsswitch(policykit_auth_t) ++auth_read_var_auth(policykit_auth_t) +auth_domtrans_chk_passwd(policykit_auth_t) logging_send_syslog_msg(policykit_auth_t) @@ -22251,7 +22505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.8.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/postfix.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/postfix.te 2010-08-23 14:01:01.000000000 -0400 @@ -5,6 +5,15 @@ # Declarations # @@ -22382,7 +22636,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix map local policy -@@ -420,6 +457,7 @@ +@@ -401,6 +438,8 @@ + + domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) + ++corecmd_exec_bin(postfix_pipe_t) ++ + optional_policy(` + dovecot_domtrans_deliver(postfix_pipe_t) + ') +@@ -420,6 +459,7 @@ optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -22390,7 +22653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -588,6 +626,11 @@ +@@ -588,6 +628,11 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) 
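Review bot: `corecmd_exec_bin(postfix_pipe_t)` lets the pipe delivery agent execute any bin_t program without a domain transition, so whatever command a transport is configured to pipe into (in master.cf, as I understand pipe(8)) now runs with postfix_pipe_t's own access, whereas the surrounding rules deliberately transition to postdrop, dovecot deliver, spamc and procmail. If one specific helper produced the denial, a targeted domtrans or a dedicated exec type would be far narrower; if the broad grant is intended, say so with `# pipe(8) transports run admin-configured commands; without a domtrans they stay in postfix_pipe_t`. The postfix_pipe_t section begins outside this hunk, so I cannot see whether a tunable already scopes it.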
@@ -22402,7 +22665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_smtpd_t) optional_policy(` -@@ -630,3 +673,8 @@ +@@ -630,3 +675,8 @@ # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -22524,6 +22787,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel kernel_read_system_state(prelude_t) kernel_read_sysctl(prelude_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.8.8/policy/modules/services/privoxy.te +--- nsaserefpolicy/policy/modules/services/privoxy.te 2010-07-27 16:06:06.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/privoxy.te 2010-08-23 17:21:38.000000000 -0400 +@@ -58,10 +58,12 @@ + corenet_tcp_bind_http_cache_port(privoxy_t) + corenet_tcp_connect_http_port(privoxy_t) + corenet_tcp_connect_http_cache_port(privoxy_t) ++corenet_tcp_connect_squid_port(privoxy_t) + corenet_tcp_connect_ftp_port(privoxy_t) + corenet_tcp_connect_pgpkeyserver_port(privoxy_t) + corenet_tcp_connect_tor_port(privoxy_t) + corenet_sendrecv_http_cache_client_packets(privoxy_t) ++corenet_sendrecv_squid_client_packets(privoxy_t) + corenet_sendrecv_http_cache_server_packets(privoxy_t) + corenet_sendrecv_http_client_packets(privoxy_t) + corenet_sendrecv_ftp_client_packets(privoxy_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.8.8/policy/modules/services/procmail.fc --- nsaserefpolicy/policy/modules/services/procmail.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/procmail.fc 2010-07-30 14:06:53.000000000 -0400 
@@ -26480,16 +26759,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.8.8/policy/modules/services/ulogd.te --- nsaserefpolicy/policy/modules/services/ulogd.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ulogd.te 2010-08-17 06:53:12.000000000 -0400 -@@ -31,6 +31,7 @@ ++++ serefpolicy-3.8.8/policy/modules/services/ulogd.te 2010-08-23 09:53:33.000000000 -0400 +@@ -31,6 +31,9 @@ allow ulogd_t self:capability net_admin; allow ulogd_t self:netlink_nflog_socket create_socket_perms; +allow ulogd_t self:netlink_route_socket r_netlink_socket_perms; ++allow ulogd_t self:tcp_socket { create_stream_socket_perms connect }; ++allow ulogd_t self:udp_socket create_socket_perms; # config files read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) -@@ -43,6 +44,15 @@ +@@ -43,6 +46,18 @@ manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) @@ -26499,12 +26780,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulog miscfiles_read_localization(ulogd_t) + ++sysnet_dns_name_resolve(ulogd_t) ++ +optional_policy(` + mysql_stream_connect(ulogd_t) +') + +optional_policy(` + postgresql_stream_connect(ulogd_t) ++ postgresql_tcp_connect(ulogd_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc --- nsaserefpolicy/policy/modules/services/usbmuxd.fc 2010-07-27 16:06:06.000000000 -0400 
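Review bot: The postgresql branch now gets `postgresql_tcp_connect(ulogd_t)` next to the stream connect, but the mysql branch keeps only `mysql_stream_connect(ulogd_t)`, even though the new `self:tcp_socket { create_stream_socket_perms connect }` and `sysnet_dns_name_resolve(ulogd_t)` rules read as if remote database output is being enabled in general. If ulogd's MySQL plugin is also expected to reach a remote server, add `mysql_tcp_connect(ulogd_t)` to that optional_policy block; otherwise a comment such as `# only the PostgreSQL output may use TCP; MySQL is unix-socket only` would make the asymmetry deliberate. As I understand it the socket rule alone does not permit connecting to any port — name_connect still comes from the per-service interfaces — so this is not a blanket network grant, but the mismatch is worth settling.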
@@ -29335,7 +29619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.8.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/authlogin.if 2010-08-13 13:17:18.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/authlogin.if 2010-08-23 08:32:56.000000000 -0400 @@ -91,9 +91,12 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -29788,8 +30072,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.8.8/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/fstools.te 2010-07-30 14:06:53.000000000 -0400 -@@ -117,6 +117,8 @@ ++++ serefpolicy-3.8.8/policy/modules/system/fstools.te 2010-08-23 08:25:15.000000000 -0400 +@@ -55,6 +55,7 @@ + + kernel_read_system_state(fsadm_t) + kernel_read_kernel_sysctls(fsadm_t) ++kernel_request_load_module(fsadm_t) + # Allow console log change (updfstab) + kernel_change_ring_buffer_level(fsadm_t) + # mkreiserfs needs this +@@ -117,6 +118,8 @@ fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -29798,7 +30090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -147,7 +149,7 @@ +@@ -147,7 +150,7 @@ seutil_read_config(fsadm_t) @@ -29807,7 +30099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool ifdef(`distro_redhat',` optional_policy(` -@@ -166,6 +168,14 @@ +@@ -166,6 +169,14 @@ ') optional_policy(` 
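Review bot: `kernel_request_load_module(fsadm_t)` is the only line in its block without a why-comment, unlike the adjacent `# Allow console log change (updfstab)` and `# mkreiserfs needs this`, so the reason fsadm must trigger kernel module autoloading is not recorded. Presumably mkfs/fsck or blkid asks the kernel to load a filesystem module when probing a device — confirm which tool produced the AVC — and add `# mkfs/fsck probing triggers autoload of filesystem modules` above it. As I recall the permission is `module_request` on kernel_t, which only asks the kernel to load a module by name and does not grant loading arbitrary module files, so the exposure is limited but still worth stating.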
@@ -30301,7 +30593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-17 09:55:08.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-23 17:03:04.000000000 -0400 @@ -16,6 +16,27 @@ ## gen_tunable(init_upstart, false) @@ -30413,7 +30705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -185,15 +216,68 @@ +@@ -185,15 +216,70 @@ sysadm_shell_domtrans(init_t) ') @@ -30430,6 +30722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + + kernel_list_unlabeled(init_t) + kernel_read_network_state(init_t) ++ kernel_unmount_debugfs(init_t) + + dev_write_kmsg(init_t) + dev_rw_autofs(init_t) @@ -30451,6 +30744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + + selinux_compute_create_context(init_t) + selinux_validate_context(init_t) ++ selinux_unmount_fs(init_t) + + init_read_script_state(init_t) + @@ -30482,7 +30776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t nscd_socket_use(init_t) ') -@@ -202,6 +286,10 @@ +@@ -202,6 +288,10 @@ ') optional_policy(` @@ -30493,7 +30787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t unconfined_domain(init_t) ') -@@ -211,7 +299,7 @@ +@@ -211,7 +301,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
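Review bot: `selinux_unmount_fs(init_t)` (and `kernel_unmount_debugfs(init_t)` in the preceding hunk) is added inside an indented conditional block whose opening line lies outside the hunk, so I cannot tell whether it applies to every init_t or only under the `init_upstart` path declared earlier in the file. Letting init unmount selinuxfs is sensitive — once it is gone, libselinux status queries and policy loads from userspace cannot work — so a why-comment is needed, e.g. `# early-boot hand-off: tear down the initramfs-provided selinuxfs/debugfs mounts before the real ones -- confirm`. If only the hand-off needs it, consider whether the narrower conditional branch is already where it lands.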
@@ -30502,7 +30796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -240,6 +328,7 @@ +@@ -240,6 +330,7 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -30510,7 +30804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -257,11 +346,22 @@ +@@ -257,11 +348,22 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -30533,7 +30827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_exec_all_executables(initrc_t) -@@ -297,11 +397,13 @@ +@@ -297,11 +399,13 @@ dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -30547,7 +30841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -320,8 +422,10 @@ +@@ -320,8 +424,10 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -30559,7 +30853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -337,6 +441,8 @@ +@@ -337,6 +443,8 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -30568,7 +30862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_delete_cgroup_dirs(initrc_t) fs_list_cgroup_dirs(initrc_t) -@@ -350,6 +456,8 @@ +@@ -350,6 +458,8 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -30577,7 +30871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -362,6 +470,7 @@ +@@ -362,6 +472,7 @@ mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -30585,7 +30879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -393,13 +502,14 @@ +@@ -393,13 +504,14 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -30601,7 +30895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -472,7 +582,7 @@ +@@ -472,7 +584,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -30610,7 +30904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -518,6 +628,19 @@ +@@ -518,6 +630,19 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -30630,7 +30924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -525,10 +648,17 @@ +@@ -525,10 +650,17 @@ rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') 
@@ -30648,7 +30942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -543,6 +673,35 @@ +@@ -543,6 +675,35 @@ ') ') @@ -30684,7 +30978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -555,6 +714,8 @@ +@@ -555,6 +716,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -30693,7 +30987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -571,6 +732,7 @@ +@@ -571,6 +734,7 @@ optional_policy(` cgroup_stream_connect(initrc_t) @@ -30701,7 +30995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -583,6 +745,11 @@ +@@ -583,6 +747,11 @@ ') optional_policy(` @@ -30713,7 +31007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -599,6 +766,7 @@ +@@ -599,6 +768,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30721,7 +31015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -700,7 +868,12 @@ +@@ -700,7 +870,12 @@ ') optional_policy(` @@ -30734,7 +31028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -723,6 +896,10 @@ +@@ -723,6 +898,10 @@ ') optional_policy(` @@ -30745,7 +31039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -744,6 +921,10 @@ +@@ -744,6 +923,10 @@ ') optional_policy(` 
@@ -30756,7 +31050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -765,8 +946,6 @@ +@@ -765,8 +948,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -30765,7 +31059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -775,14 +954,21 @@ +@@ -775,14 +956,21 @@ ') optional_policy(` @@ -30787,7 +31081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -804,11 +990,19 @@ +@@ -804,11 +992,19 @@ ') optional_policy(` @@ -30808,7 +31102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -818,6 +1012,25 @@ +@@ -818,6 +1014,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -30834,7 +31128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -843,3 +1056,55 @@ +@@ -843,3 +1058,55 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -32739,7 +33033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.8/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/mount.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/mount.te 2010-08-23 16:56:51.000000000 -0400 @@ -17,8 +17,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; 
@@ -32787,7 +33081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_loopback_t:file read_file_perms; -@@ -46,30 +68,51 @@ +@@ -46,30 +68,54 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -32805,7 +33099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +kernel_read_network_state(mount_t) kernel_read_kernel_sysctls(mount_t) -kernel_dontaudit_getattr_core_if(mount_t) -+kernel_search_debugfs(mount_t) ++kernel_rw_debugfs(mount_t) +kernel_setsched(mount_t) +kernel_use_fds(mount_t) +kernel_request_load_module(mount_t) @@ -32823,6 +33117,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) dev_getattr_sound_dev(mount_t) ++ifdef(`hide_broken_symptoms',` ++ dev_rw_generic_blk_files(mount_t) ++') domain_use_interactive_fds(mount_t) +domain_dontaudit_search_all_domains_state(mount_t) @@ -32841,7 +33138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -79,15 +122,20 @@ +@@ -79,25 +125,32 @@ files_read_usr_files(mount_t) files_list_mnt(mount_t) @@ -32865,7 +33162,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) -@@ -98,6 +146,7 @@ + + selinux_get_enforce_mode(mount_t) ++selinux_dontaudit_write_fs(mount_t) + + storage_raw_read_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) 
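Review bot: Replacing `kernel_search_debugfs(mount_t)` with `kernel_rw_debugfs(mount_t)` grants more than the changelog entry ("Allow mount_t to write to debufs_t dir" — note the typo) describes: if I read refpolicy's interface correctly, kernel_rw_debugfs gives read/write on debugfs_t files, not just directory access, and debugfs exposes kernel debugging controls. mount_t is already a highly privileged domain (it gets storage_raw_write_fixed_disk a few lines below), so the practical exposure is limited, but the narrowest interface that clears the observed AVC would be preferable — if the need is only to mount onto /sys/kernel/debug, a dir-level interface would do. At minimum the line deserves a comment naming the trigger, e.g. `# rw on debugfs_t: needed to mount debugfs on /sys/kernel/debug (confirm against the AVC)`. The mount_t rule set continues outside this hunk.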
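Review bot: The new `ifdef(`hide_broken_symptoms',` block around `dev_rw_generic_blk_files(mount_t)` has no comment saying which broken symptom it works around, unlike the existing hide_broken_symptoms block further down in mount.te (`# for a bug in the X server` before `rhgb_dontaudit_rw_stream_sockets`). This one is also an allow rather than a dontaudit: it grants read/write on block devices that still carry the generic device label, which is a real privilege rather than a silenced denial, so a reader needs to know whether it is a labeling bug (devices not yet relabeled by udev, presumably) and whether it should go away once that is fixed. I would add `# block devices left with the generic device_t label — workaround until the labeling bug is fixed` above the rule, adjusted to whatever the actual AVC showed.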
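Review bot: `selinux_dontaudit_write_fs(mount_t)` silences all denied writes to selinuxfs (security_t) from mount_t, and the changelog only says mount "tries" to write there without saying why. Writes to selinuxfs are how enforcing mode and policy loads are driven, so a denial from this domain is one a security operator might actually want to see; the denial itself still applies, but the audit trail for this class of attempt is gone. A comment naming the trigger would let a later reviewer judge whether the dontaudit is appropriate, e.g. `# remounting selinuxfs makes mount attempt a write to security_t; quietly deny it` — hedge or correct that to match the observed AVC. The surrounding mount_t rules extend beyond this hunk.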
@@ -32873,7 +33174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. term_use_all_terms(mount_t) -@@ -106,6 +155,8 @@ +@@ -106,6 +159,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -32882,7 +33183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. logging_send_syslog_msg(mount_t) -@@ -116,6 +167,12 @@ +@@ -116,6 +171,12 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -32895,7 +33196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`distro_redhat',` optional_policy(` -@@ -131,10 +188,17 @@ +@@ -131,10 +192,17 @@ ') ') @@ -32913,7 +33214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -164,6 +228,8 @@ +@@ -164,6 +232,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -32922,7 +33223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -171,6 +237,25 @@ +@@ -171,6 +241,25 @@ ') optional_policy(` @@ -32948,7 +33249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -178,6 +263,11 @@ +@@ -178,6 +267,11 @@ ') ') @@ -32960,7 +33261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -185,6 +275,19 @@ +@@ -185,6 +279,19 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -32980,7 +33281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -193,6 +296,42 @@ +@@ -193,6 +300,42 @@ # optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index c8087f0..b22ba70 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.8.8 -Release: 17%{?dist} +Release: 18%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,11 @@ exit 0 %endif %changelog +* Mon Aug 23 2010 Dan Walsh 3.8.8-18 +- Allow clamscan to read proc_t +- Allow mount_t to write to debufs_t dir +- Dontaudit mount_t trying to write to security_t dir + * Thu Aug 18 2010 Dan Walsh 3.8.8-17 - Allow clamscan_t execmem if clamd_use_jit set - Add policy for firefox plugin-container