diff --git a/booleans-targeted.conf b/booleans-targeted.conf index f2994aa..5bcb6f9 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -274,3 +274,7 @@ allow_nsplugin_execmem=true # Allow unconfined domain to transition to confined domain # allow_unconfined_nsplugin_transition=false + +# Allow unconfined domains mmap low kernel memory +# +allow_unconfined_mmap_low = true diff --git a/policy-20071130.patch b/policy-20071130.patch index 47d05fd..1bc968c 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -8,106 +8,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.3.1/ - Label /proc/kallsyms with system_map_t. - 64-bit capabilities from Stephen Smalley. - Labeled networking peer object class updates. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile ---- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/Makefile 2008-04-21 11:02:47.842805000 -0400 -@@ -235,7 +235,7 @@ - appdir := $(contextpath) - user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) - user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) --appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) -+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) - net_contexts := $(builddir)net_contexts - - all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -@@ -309,20 +309,22 @@ - - # parse-rolemap modulename,outputfile - define parse-rolemap -- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 -+ echo "" >> $2 -+# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ -+# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 - endef - - # perrole-expansion modulename,outputfile - define perrole-expansion -- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -- $(call parse-rolemap,$1,$2) -- $(verbose) echo "')" >> $2 -- -- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -- $(call parse-rolemap-compat,$1,$2) -- $(verbose) echo "')" >> $2 -+ echo "No longer doing perrole-expansion" -+# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 -+# $(call parse-rolemap,$1,$2) -+# $(verbose) echo "')" >> $2 -+ -+# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 -+# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 -+# $(call parse-rolemap-compat,$1,$2) -+# $(verbose) echo "')" >> $2 - endef - - # create-base-per-role-tmpl modulenames,outputfile -@@ -521,6 +523,10 @@ - @mkdir -p $(appdir)/users - $(verbose) $(INSTALL) -m 644 $^ $@ - -+$(appdir)/initrc_context: $(tmpdir)/initrc_context -+ @mkdir -p $(appdir) -+ $(verbose) $(INSTALL) -m 644 $< $@ -+ - $(appdir)/%: $(appconf)/% - @mkdir -p $(appdir) - $(verbose) $(INSTALL) -m 644 $< $@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular ---- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500 -+++ serefpolicy-3.3.1/Rules.modular 2008-04-21 11:02:47.848797000 -0400 -@@ -73,8 +73,8 @@ - $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te - @echo "Compliling $(NAME) $(@F) module" - @test -d $(tmpdir) || mkdir -p $(tmpdir) -- $(call perrole-expansion,$(basename $(@F)),$@.role) -- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) -+# $(call perrole-expansion,$(basename $(@F)),$@.role) -+ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) - $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ - - $(tmpdir)/%.mod.fc: $(m4support) %.fc -@@ -129,7 +129,7 @@ - @test -d $(tmpdir) || mkdir -p $(tmpdir) - # define all available object classes - $(verbose) $(genperm) $(avs) $(secclass) > $@ -- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) -+# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) - $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true - - $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy -@@ -147,7 +147,7 @@ - $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy - $(tmpdir)/rolemap.conf: $(rolemap) - $(verbose) echo "" > $@ -- $(call parse-rolemap,base,$@) -+# $(call parse-rolemap,base,$@) - - $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy - $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic ---- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500 -+++ serefpolicy-3.3.1/Rules.monolithic 2008-04-21 11:02:47.854791000 -0400 -@@ -96,7 +96,7 @@ - # - # Load the binary policy - # --reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) -+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles) - @echo "Loading $(NAME) $(loadpath)" - $(verbose) $(LOADPOLICY) -q $(loadpath) - @touch $(tmpdir)/load diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context 2008-04-21 11:02:47.859787000 -0400 @@ -791,6 +691,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile +--- nsaserefpolicy/Makefile 2008-02-06 10:33:22.000000000 -0500 ++++ serefpolicy-3.3.1/Makefile 2008-04-21 11:02:47.842805000 -0400 +@@ -235,7 +235,7 @@ + appdir := $(contextpath) + user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) + user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) +-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) ++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names) + net_contexts := $(builddir)net_contexts + + all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) +@@ -309,20 +309,22 @@ + + # parse-rolemap modulename,outputfile + define parse-rolemap +- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ +- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 ++ echo "" >> $2 ++# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ ++# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 + endef + + # perrole-expansion modulename,outputfile + define perrole-expansion +- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 +- $(call parse-rolemap,$1,$2) +- $(verbose) echo "')" >> $2 +- +- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 +- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 +- $(call parse-rolemap-compat,$1,$2) +- $(verbose) echo "')" >> $2 ++ echo "No longer doing perrole-expansion" ++# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 ++# $(call parse-rolemap,$1,$2) ++# $(verbose) echo "')" >> $2 ++ ++# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 ++# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 ++# $(call parse-rolemap-compat,$1,$2) ++# $(verbose) echo "')" >> $2 + endef + + # create-base-per-role-tmpl modulenames,outputfile +@@ -521,6 +523,10 @@ + @mkdir -p $(appdir)/users + $(verbose) $(INSTALL) -m 644 $^ $@ + ++$(appdir)/initrc_context: $(tmpdir)/initrc_context ++ @mkdir -p $(appdir) ++ $(verbose) $(INSTALL) -m 644 $< $@ ++ + $(appdir)/%: $(appconf)/% + @mkdir -p $(appdir) + $(verbose) $(INSTALL) -m 644 $< $@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8 --- nsaserefpolicy/man/man8/httpd_selinux.8 2008-02-18 14:30:19.000000000 -0500 +++ serefpolicy-3.3.1/man/man8/httpd_selinux.8 2008-04-21 11:02:47.931714000 -0400 @@ -1431,25 +1387,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.3.1 # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.3.1/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-01-02 12:57:51.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/anaconda.te 2008-04-21 11:02:47.961686000 -0400 -@@ -31,16 +31,13 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/anaconda.te 2008-04-25 15:25:33.174422000 -0400 +@@ -31,15 +31,14 @@ modutils_domtrans_insmod(anaconda_t) seutil_domtrans_semanage(anaconda_t) +- +-unconfined_domain(anaconda_t) +- +-userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file }) +seutil_domtrans_setsebool(anaconda_t) - unconfined_domain(anaconda_t) - - userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file }) - optional_policy(` - dmesg_domtrans(anaconda_t) --') -- --optional_policy(` - kudzu_domtrans(anaconda_t) ++ unconfined_domain(anaconda_t) ') ++userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file }) ++ + optional_policy(` + kudzu_domtrans(anaconda_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.3.1/policy/modules/admin/bootloader.te --- nsaserefpolicy/policy/modules/admin/bootloader.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/admin/bootloader.te 2008-04-21 11:02:47.966681000 -0400 @@ -1499,8 +1457,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.3.1/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2007-12-19 05:32:18.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/firstboot.te 2008-04-21 11:02:47.984660000 -0400 -@@ -120,6 +120,10 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/firstboot.te 2008-04-25 16:46:46.000277000 -0400 +@@ -35,9 +35,6 @@ + + allow firstboot_t firstboot_etc_t:file { getattr read }; + +-# The big hammer +-unconfined_domain(firstboot_t) +- + kernel_read_system_state(firstboot_t) + kernel_read_kernel_sysctls(firstboot_t) + +@@ -110,6 +107,8 @@ + + optional_policy(` + unconfined_domtrans(firstboot_t) ++ # The big hammer ++ unconfined_domain(firstboot_t) + ') + + optional_policy(` +@@ -120,6 +119,10 @@ usermanage_domtrans_admin_passwd(firstboot_t) ') @@ -1511,7 +1488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo ifdef(`TODO',` allow firstboot_t proc_t:file write; -@@ -132,7 +136,4 @@ +@@ -132,7 +135,4 @@ domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t) ') @@ -2577,6 +2554,109 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te usermanage_domtrans_groupadd(rpm_script_t) usermanage_domtrans_useradd(rpm_script_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if +--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-04-21 11:02:48.070575000 -0400 +@@ -55,7 +55,7 @@ + # + + # Use capabilities. +- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; ++ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; + allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_sudo_t self:process { setexec setrlimit }; + allow $1_sudo_t self:fd use; +@@ -68,33 +68,35 @@ + allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; + allow $1_sudo_t self:unix_dgram_socket sendto; + allow $1_sudo_t self:unix_stream_socket connectto; +- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; ++ allow $1_sudo_t self:key manage_key_perms; ++ allow $1_sudo_t $1_t:key search; + + # Enter this derived domain from the user domain + domtrans_pattern($2, sudo_exec_t, $1_sudo_t) + + # By default, revert to the calling domain when a shell is executed. + corecmd_shell_domtrans($1_sudo_t,$2) ++ corecmd_bin_domtrans($1_sudo_t,$2) + allow $2 $1_sudo_t:fd use; + allow $2 $1_sudo_t:fifo_file rw_file_perms; + allow $2 $1_sudo_t:process sigchld; + + kernel_read_kernel_sysctls($1_sudo_t) + kernel_read_system_state($1_sudo_t) +- kernel_search_key($1_sudo_t) ++ kernel_link_key($1_sudo_t) + + dev_read_urand($1_sudo_t) + + fs_search_auto_mountpoints($1_sudo_t) + fs_getattr_xattr_fs($1_sudo_t) + +- auth_domtrans_chk_passwd($1_sudo_t) ++ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) + # sudo stores a token in the pam_pid directory + auth_manage_pam_pid($1_sudo_t) + auth_use_nsswitch($1_sudo_t) + + corecmd_read_bin_symlinks($1_sudo_t) +- corecmd_getattr_all_executables($1_sudo_t) ++ corecmd_exec_all_executables($1_sudo_t) + + domain_use_interactive_fds($1_sudo_t) + domain_sigchld_interactive_fds($1_sudo_t) +@@ -106,32 +108,42 @@ + files_getattr_usr_files($1_sudo_t) + # for some PAM modules and for cwd + files_dontaudit_search_home($1_sudo_t) ++ files_list_tmp($1_sudo_t) + + init_rw_utmp($1_sudo_t) + + libs_use_ld_so($1_sudo_t) + libs_use_shared_libs($1_sudo_t) + ++ logging_send_audit_msgs($1_sudo_t) + logging_send_syslog_msg($1_sudo_t) + + miscfiles_read_localization($1_sudo_t) + ++ mta_per_role_template($1, $1_sudo_t, $3) ++ + userdom_manage_user_home_content_files($1,$1_sudo_t) + userdom_manage_user_home_content_symlinks($1,$1_sudo_t) + userdom_manage_user_tmp_files($1,$1_sudo_t) + userdom_manage_user_tmp_symlinks($1,$1_sudo_t) ++ userdom_exec_user_home_content_files($1,$1_sudo_t) + userdom_use_user_terminals($1,$1_sudo_t) + userdom_use_unpriv_users_fds($1_sudo_t) + # for some PAM modules and for cwd ++ userdom_search_sysadm_home_content_dirs($1_sudo_t) + userdom_dontaudit_search_all_users_home_content($1_sudo_t) + +- ifdef(`TODO',` +- # for when the network connection is killed +- dontaudit unpriv_userdomain $1_sudo_t:process signal; +- +- ifdef(`mta.te', ` +- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) +- ') ++ domain_role_change_exemption($1_sudo_t) ++ userdom_spec_domtrans_all_users($1_sudo_t) + +- ') dnl end TODO ++ selinux_validate_context($1_sudo_t) ++ selinux_compute_relabel_context($1_sudo_t) ++ selinux_getattr_fs($1_sudo_t) ++ seutil_read_config($1_sudo_t) ++ seutil_search_default_contexts($1_sudo_t) ++ ++ term_use_all_user_ttys($1_sudo_t) ++ term_use_all_user_ptys($1_sudo_t) ++ term_relabel_all_user_ttys($1_sudo_t) ++ term_relabel_all_user_ptys($1_sudo_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.3.1/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/su.if 2008-04-21 11:02:48.064582000 -0400 @@ -2707,109 +2787,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ') ####################################### -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if ---- nsaserefpolicy/policy/modules/admin/sudo.if 2007-12-04 11:02:51.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if 2008-04-21 11:02:48.070575000 -0400 -@@ -55,7 +55,7 @@ - # - - # Use capabilities. -- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource }; -+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; - allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_sudo_t self:process { setexec setrlimit }; - allow $1_sudo_t self:fd use; -@@ -68,33 +68,35 @@ - allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; - allow $1_sudo_t self:unix_dgram_socket sendto; - allow $1_sudo_t self:unix_stream_socket connectto; -- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read }; -+ allow $1_sudo_t self:key manage_key_perms; -+ allow $1_sudo_t $1_t:key search; - - # Enter this derived domain from the user domain - domtrans_pattern($2, sudo_exec_t, $1_sudo_t) - - # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_sudo_t,$2) -+ corecmd_bin_domtrans($1_sudo_t,$2) - allow $2 $1_sudo_t:fd use; - allow $2 $1_sudo_t:fifo_file rw_file_perms; - allow $2 $1_sudo_t:process sigchld; - - kernel_read_kernel_sysctls($1_sudo_t) - kernel_read_system_state($1_sudo_t) -- kernel_search_key($1_sudo_t) -+ kernel_link_key($1_sudo_t) - - dev_read_urand($1_sudo_t) - - fs_search_auto_mountpoints($1_sudo_t) - fs_getattr_xattr_fs($1_sudo_t) - -- auth_domtrans_chk_passwd($1_sudo_t) -+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t }) - # sudo stores a token in the pam_pid directory - auth_manage_pam_pid($1_sudo_t) - auth_use_nsswitch($1_sudo_t) - - corecmd_read_bin_symlinks($1_sudo_t) -- corecmd_getattr_all_executables($1_sudo_t) -+ corecmd_exec_all_executables($1_sudo_t) - - domain_use_interactive_fds($1_sudo_t) - domain_sigchld_interactive_fds($1_sudo_t) -@@ -106,32 +108,42 @@ - files_getattr_usr_files($1_sudo_t) - # for some PAM modules and for cwd - files_dontaudit_search_home($1_sudo_t) -+ files_list_tmp($1_sudo_t) - - init_rw_utmp($1_sudo_t) - - libs_use_ld_so($1_sudo_t) - libs_use_shared_libs($1_sudo_t) - -+ logging_send_audit_msgs($1_sudo_t) - logging_send_syslog_msg($1_sudo_t) - - miscfiles_read_localization($1_sudo_t) - -+ mta_per_role_template($1, $1_sudo_t, $3) -+ - userdom_manage_user_home_content_files($1,$1_sudo_t) - userdom_manage_user_home_content_symlinks($1,$1_sudo_t) - userdom_manage_user_tmp_files($1,$1_sudo_t) - userdom_manage_user_tmp_symlinks($1,$1_sudo_t) -+ userdom_exec_user_home_content_files($1,$1_sudo_t) - userdom_use_user_terminals($1,$1_sudo_t) - userdom_use_unpriv_users_fds($1_sudo_t) - # for some PAM modules and for cwd -+ userdom_search_sysadm_home_content_dirs($1_sudo_t) - userdom_dontaudit_search_all_users_home_content($1_sudo_t) - -- ifdef(`TODO',` -- # for when the network connection is killed -- dontaudit unpriv_userdomain $1_sudo_t:process signal; -- -- ifdef(`mta.te', ` -- domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t) -- ') -+ domain_role_change_exemption($1_sudo_t) -+ userdom_spec_domtrans_all_users($1_sudo_t) - -- ') dnl end TODO -+ selinux_validate_context($1_sudo_t) -+ selinux_compute_relabel_context($1_sudo_t) -+ selinux_getattr_fs($1_sudo_t) -+ seutil_read_config($1_sudo_t) -+ seutil_search_default_contexts($1_sudo_t) -+ -+ term_use_all_user_ttys($1_sudo_t) -+ term_use_all_user_ptys($1_sudo_t) -+ term_relabel_all_user_ttys($1_sudo_t) -+ term_relabel_all_user_ptys($1_sudo_t) - ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-04-21 11:02:48.075572000 -0400 @@ -2913,11 +2890,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.3.1/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2007-12-19 05:32:18.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/vbetool.te 2008-04-21 11:02:48.089558000 -0400 -@@ -23,6 +23,8 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/vbetool.te 2008-04-25 14:02:32.453140000 -0400 +@@ -23,6 +23,9 @@ dev_rwx_zero(vbetool_t) dev_read_sysfs(vbetool_t) ++domain_mmap_low_type(vbetool_t) +domain_mmap_low(vbetool_t) + term_use_unallocated_ttys(vbetool_t) @@ -6666,7 +6644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.3.1/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/wine.te 2008-04-21 11:02:48.426377000 -0400 ++++ serefpolicy-3.3.1/policy/modules/apps/wine.te 2008-04-25 14:01:56.903068000 -0400 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; @@ -6675,10 +6653,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ######################################## # -@@ -17,10 +18,16 @@ +@@ -17,10 +18,17 @@ optional_policy(` allow wine_t self:process { execstack execmem execheap }; ++ domain_mmap_low_type(wine_t) + domain_mmap_low(wine_t) unconfined_domain_noaudit(wine_t) files_execmod_all_files(wine_t) @@ -7441,6 +7420,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device # Type for /dev/mapper/control # type lvm_control_t; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.3.1/policy/modules/kernel/domain.if +--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-11-29 13:29:34.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/domain.if 2008-04-25 13:52:39.743424000 -0400 +@@ -1242,18 +1242,34 @@ + ## + ## + # +-interface(`domain_mmap_low',` ++interface(`domain_mmap_low_type',` + gen_require(` + attribute mmap_low_domain_type; + ') + +- allow $1 self:memprotect mmap_zero; +- + typeattribute $1 mmap_low_domain_type; + ') + + ######################################## + ## ++## Ability to mmap a low area of the address space, ++## as configured by /proc/sys/kernel/mmap_min_addr. ++## Preventing such mappings helps protect against ++## exploiting null deref bugs in the kernel. ++## ++## ++## ++## Domain allowed to mmap low memory. ++## ++## ++# ++interface(`domain_mmap_low',` ++ ++ allow $1 self:memprotect mmap_zero; ++') ++ ++######################################## ++## + ## Allow specified type to receive labeled + ## networking packets from all domains, over + ## all protocols (TCP, UDP, etc) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-12-19 05:32:07.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-04-21 11:02:48.491312000 -0400 @@ -15395,8 +15415,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-21 11:02:49.165637000 -0400 -@@ -0,0 +1,53 @@ ++++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-25 09:00:31.943716000 -0400 +@@ -0,0 +1,55 @@ +policy_module(gnomeclock,1.0.0) +######################################## +# @@ -15420,6 +15440,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom + +corecmd_exec_bin(gnomeclock_t) + ++userdom_ptrace_all_users(gnomeclock_t) ++ +files_read_etc_files(gnomeclock_t) +files_read_usr_files(gnomeclock_t) + @@ -18950,8 +18972,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-04-21 11:02:49.565394000 -0400 -@@ -0,0 +1,157 @@ ++++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-04-25 08:52:28.305342000 -0400 +@@ -0,0 +1,158 @@ +policy_module(polkit_auth,1.0.0) + +######################################## @@ -18989,7 +19011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +allow polkit_t self:unix_stream_socket create_stream_socket_perms; + +can_exec(polkit_t, polkit_exec_t) -+corecmd_search_bin(polkit_t) ++corecmd_exec_bin(polkit_t) + +domain_use_interactive_fds(polkit_t) + @@ -19099,6 +19121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +polkit_domtrans_auth(polkit_grant_t) + +manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) ++userdom_read_all_users_state(polkit_grant_t) + +optional_policy(` + dbus_system_bus_client_template(polkit_grant, polkit_grant_t) @@ -19214,6 +19237,100 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute postfix user mail programs ## in their respective domains. ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc 2008-04-21 11:02:49.588372000 -0400 +@@ -3,3 +3,5 @@ + /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) + + /var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0) ++ ++/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if 2008-04-21 11:02:49.593367000 -0400 +@@ -1 +1,68 @@ + ## Postfix policy server ++ ++######################################## ++## ++## Execute postfixpolicyd server in the postfixpolicyd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`postfixpolicyd_script_domtrans',` ++ gen_require(` ++ type postfix_policyd_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,postfix_policyd_script_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an postfixpolicyd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the postfixpolicyd domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`postfixpolicyd_admin',` ++ gen_require(` ++ type postfix_policyd_t; ++ type postfix_policyd_script_exec_t; ++ type postfix_policyd_conf_t; ++ type postfix_policyd_var_run_t; ++ ') ++ ++ allow $1 postfix_policyd_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, postfix_policyd_t, postfix_policyd_t) ++ ++ # Allow postfix_policyd_t to restart the apache service ++ postfixpolicyd_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 postfix_policyd_script_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_etc($1) ++ manage_all_pattern($1,postfix_policyd_conf_t) ++ ++ files_list_pids($1) ++ manage_all_pattern($1,postfix_policyd_var_run_t) ++') ++ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te 2008-04-21 11:02:49.598362000 -0400 +@@ -16,6 +16,9 @@ + type postfix_policyd_var_run_t; + files_pid_file(postfix_policyd_var_run_t) + ++type postfix_policyd_script_exec_t; ++init_script_type(postfix_policyd_script_exec_t) ++ + ######################################## + # + # Local Policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-04-23 15:05:37.257075000 -0400 @@ -19406,100 +19523,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc ---- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2007-11-08 09:29:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc 2008-04-21 11:02:49.588372000 -0400 -@@ -3,3 +3,5 @@ - /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) - - /var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0) -+ -+/etc/rc.d/init.d/postfixpolicyd -- gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if ---- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2007-11-08 09:29:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if 2008-04-21 11:02:49.593367000 -0400 -@@ -1 +1,68 @@ - ## Postfix policy server -+ -+######################################## -+## -+## Execute postfixpolicyd server in the postfixpolicyd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`postfixpolicyd_script_domtrans',` -+ gen_require(` -+ type postfix_policyd_script_exec_t; -+ ') -+ -+ init_script_domtrans_spec($1,postfix_policyd_script_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an postfixpolicyd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the postfixpolicyd domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## -+## -+## -+# -+interface(`postfixpolicyd_admin',` -+ gen_require(` -+ type postfix_policyd_t; -+ type postfix_policyd_script_exec_t; -+ type postfix_policyd_conf_t; -+ type postfix_policyd_var_run_t; -+ ') -+ -+ allow $1 postfix_policyd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_policyd_t, postfix_policyd_t) -+ -+ # Allow postfix_policyd_t to restart the apache service -+ postfixpolicyd_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 postfix_policyd_script_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ manage_all_pattern($1,postfix_policyd_conf_t) -+ -+ files_list_pids($1) -+ manage_all_pattern($1,postfix_policyd_var_run_t) -+') -+ -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te ---- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2007-11-08 09:29:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te 2008-04-21 11:02:49.598362000 -0400 -@@ -16,6 +16,9 @@ - type postfix_policyd_var_run_t; - files_pid_file(postfix_policyd_var_run_t) - -+type postfix_policyd_script_exec_t; -+init_script_type(postfix_policyd_script_exec_t) -+ - ######################################## - # - # Local Policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc 2008-04-21 11:02:49.603357000 -0400 @@ -21187,6 +21210,123 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roun ######################################## # # Local policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc +--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc 2008-04-21 11:02:49.886076000 -0400 +@@ -5,3 +5,5 @@ + /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) + /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) + /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) ++ ++/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if +--- nsaserefpolicy/policy/modules/services/rpcbind.if 2007-07-16 14:09:46.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if 2008-04-21 11:02:49.891070000 -0400 +@@ -95,3 +95,70 @@ + manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t) + files_search_var_lib($1) + ') ++ ++######################################## ++## ++## Execute rpcbind server in the rpcbind domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`rpcbind_script_domtrans',` ++ gen_require(` ++ type rpcbind_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,rpcbind_script_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rpcbind environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the rpcbind domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`rpcbind_admin',` ++ gen_require(` ++ type rpcbind_t; ++ type rpcbind_script_exec_t; ++ type rpcbind_var_lib_t; ++ type rpcbind_var_run_t; ++ ') ++ ++ allow $1 rpcbind_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, rpcbind_t, rpcbind_t) ++ ++ # Allow rpcbind_t to restart the apache service ++ rpcbind_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 rpcbind_script_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_var_lib($1) ++ manage_all_pattern($1,rpcbind_var_lib_t) ++ ++ files_list_pids($1) ++ manage_all_pattern($1,rpcbind_var_run_t) ++') ++ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te +--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te 2008-04-21 11:02:49.897064000 -0400 +@@ -16,16 +16,21 @@ + type rpcbind_var_lib_t; + files_type(rpcbind_var_lib_t) + ++type rpcbind_script_exec_t; ++init_script_type(rpcbind_script_exec_t) ++ + ######################################## + # + # rpcbind local policy + # + +-allow rpcbind_t self:capability setuid; ++allow rpcbind_t self:capability { dac_override setuid sys_tty_config }; + allow rpcbind_t self:fifo_file rw_file_perms; + allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; + allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; + allow rpcbind_t self:udp_socket create_socket_perms; ++# BROKEN ... ++dontaudit rpcbind_t self:udp_socket listen; + allow rpcbind_t self:tcp_socket create_stream_socket_perms; + + manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) +@@ -37,6 +42,7 @@ + manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) + files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) + ++kernel_read_system_state(rpcbind_t) + kernel_read_network_state(rpcbind_t) + + corenet_all_recvfrom_unlabeled(rpcbind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.3.1/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2007-12-04 11:02:50.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/rpc.if 2008-04-21 11:02:49.875087000 -0400 @@ -21323,123 +21463,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_users_tmp(gssd_t) userdom_read_unpriv_users_tmp_files(gssd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc ---- nsaserefpolicy/policy/modules/services/rpcbind.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc 2008-04-21 11:02:49.886076000 -0400 -@@ -5,3 +5,5 @@ - /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) - /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) - /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) -+ -+/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if ---- nsaserefpolicy/policy/modules/services/rpcbind.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if 2008-04-21 11:02:49.891070000 -0400 -@@ -95,3 +95,70 @@ - manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t) - files_search_var_lib($1) - ') -+ -+######################################## -+## -+## Execute rpcbind server in the rpcbind domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`rpcbind_script_domtrans',` -+ gen_require(` -+ type rpcbind_script_exec_t; -+ ') -+ -+ init_script_domtrans_spec($1,rpcbind_script_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an rpcbind environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the rpcbind domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## -+## -+## -+# -+interface(`rpcbind_admin',` -+ gen_require(` -+ type rpcbind_t; -+ type rpcbind_script_exec_t; -+ type rpcbind_var_lib_t; -+ type rpcbind_var_run_t; -+ ') -+ -+ allow $1 rpcbind_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, rpcbind_t, rpcbind_t) -+ -+ # Allow rpcbind_t to restart the apache service -+ rpcbind_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 rpcbind_script_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_var_lib($1) -+ manage_all_pattern($1,rpcbind_var_lib_t) -+ -+ files_list_pids($1) -+ manage_all_pattern($1,rpcbind_var_run_t) -+') -+ -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te ---- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te 2008-04-21 11:02:49.897064000 -0400 -@@ -16,16 +16,21 @@ - type rpcbind_var_lib_t; - files_type(rpcbind_var_lib_t) - -+type rpcbind_script_exec_t; -+init_script_type(rpcbind_script_exec_t) -+ - ######################################## - # - # rpcbind local policy - # - --allow rpcbind_t self:capability setuid; -+allow rpcbind_t self:capability { dac_override setuid sys_tty_config }; - allow rpcbind_t self:fifo_file rw_file_perms; - allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; - allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; - allow rpcbind_t self:udp_socket create_socket_perms; -+# BROKEN ... -+dontaudit rpcbind_t self:udp_socket listen; - allow rpcbind_t self:tcp_socket create_stream_socket_perms; - - manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) -@@ -37,6 +42,7 @@ - manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) - files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) - -+kernel_read_system_state(rpcbind_t) - kernel_read_network_state(rpcbind_t) - - corenet_all_recvfrom_unlabeled(rpcbind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.3.1/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/rshd.te 2008-04-21 11:02:49.902059000 -0400 @@ -24873,8 +24896,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.3.1/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/tor.te 2008-04-21 11:02:50.163796000 -0400 -@@ -26,6 +26,9 @@ ++++ serefpolicy-3.3.1/policy/modules/services/tor.te 2008-04-25 15:19:54.047888000 -0400 +@@ -26,11 +26,15 @@ type tor_var_run_t; files_pid_file(tor_var_run_t) @@ -24884,6 +24907,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. ######################################## # # tor local policy + # + ++allow tor_t self:capability { setgid setuid }; + allow tor_t self:fifo_file { read write }; + allow tor_t self:unix_stream_socket create_stream_socket_perms; + allow tor_t self:netlink_route_socket r_netlink_socket_perms; +@@ -86,13 +90,13 @@ + files_read_etc_files(tor_t) + files_read_etc_runtime_files(tor_t) + ++auth_use_nsswitch(tor_t) ++ + libs_use_ld_so(tor_t) + libs_use_shared_libs(tor_t) + + miscfiles_read_localization(tor_t) + +-sysnet_dns_name_resolve(tor_t) +- + optional_policy(` + seutil_sigchld_newrole(tor_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.3.1/policy/modules/services/uucp.if --- nsaserefpolicy/policy/modules/services/uucp.if 2008-02-15 09:52:56.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/uucp.if 2008-04-21 11:02:50.168791000 -0400 @@ -25044,7 +25089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-21 11:02:50.208767000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-25 13:53:23.721317000 -0400 @@ -12,9 +12,15 @@ ## ## @@ -25103,7 +25148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state($1_xserver_t) kernel_read_device_sysctls($1_xserver_t) kernel_read_modprobe_sysctls($1_xserver_t) -@@ -115,18 +129,23 @@ +@@ -115,18 +129,24 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) dev_manage_dri_dev($1_xserver_t) @@ -25123,13 +25168,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + dev_rw_generic_usb_dev($1_xserver_t) + dev_rw_generic_usb_pipes($1_xserver_t) ++ domain_mmap_low_type($1_xserver_t) domain_mmap_low($1_xserver_t) + domain_read_all_domains_state($1_xserver_t) + domain_dontaudit_ptrace_all_domains($1_xserver_t) files_read_etc_files($1_xserver_t) files_read_etc_runtime_files($1_xserver_t) -@@ -140,26 +159,37 @@ +@@ -140,26 +160,37 @@ fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) @@ -25169,7 +25215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow $1_xserver_t self:process { execmem execheap execstack }; -@@ -169,6 +199,46 @@ +@@ -169,6 +200,46 @@ allow $1_xserver_t self:process { execmem execheap execstack }; ') @@ -25216,7 +25262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` apm_stream_connect($1_xserver_t) ') -@@ -223,8 +293,10 @@ +@@ -223,8 +294,10 @@ template(`xserver_per_role_template',` gen_require(` @@ -25229,7 +25275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ############################## -@@ -232,189 +304,119 @@ +@@ -232,189 +305,119 @@ # Declarations # @@ -25483,7 +25529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ####################################### -@@ -521,19 +523,18 @@ +@@ -521,19 +524,18 @@ ## # template(`xserver_user_client_template',` @@ -25511,7 +25557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -542,26 +543,535 @@ +@@ -542,26 +544,535 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -26053,7 +26099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -593,26 +1103,44 @@ +@@ -593,26 +1104,44 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -26105,7 +26151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -638,10 +1166,77 @@ +@@ -638,10 +1167,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` @@ -26185,7 +26231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -671,10 +1266,10 @@ +@@ -671,10 +1267,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -26198,7 +26244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -760,7 +1355,7 @@ +@@ -760,7 +1356,7 @@ type xconsole_device_t; ') @@ -26207,7 +26253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -860,6 +1455,25 @@ +@@ -860,6 +1456,25 @@ ######################################## ## @@ -26233,7 +26279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -914,6 +1528,7 @@ +@@ -914,6 +1529,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -26241,7 +26287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -932,7 +1547,7 @@ +@@ -932,7 +1548,7 @@ ') files_search_pids($1) @@ -26250,7 +26296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -955,6 +1570,24 @@ +@@ -955,6 +1571,24 @@ ######################################## ## @@ -26275,7 +26321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -965,15 +1598,47 @@ +@@ -965,15 +1599,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -26324,7 +26370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1788,7 @@ +@@ -1123,7 +1789,7 @@ type xdm_xserver_tmp_t; ') @@ -26333,7 +26379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1977,83 @@ +@@ -1312,3 +1978,83 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -31003,7 +31049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-04-21 11:02:50.553564000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-04-25 13:52:57.017888000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -31038,15 +31084,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf kernel_unconfined($1) corenet_unconfined($1) -@@ -40,6 +40,7 @@ +@@ -40,10 +40,16 @@ domain_unconfined($1) domain_dontaudit_read_all_domains_state($1) domain_dontaudit_ptrace_all_domains($1) -+ domain_mmap_low($1) ++ files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) -@@ -70,6 +71,7 @@ + ++ domain_mmap_low_type($1) ++ tunable_policy(`allow_unconfined_mmap_low',` ++ domain_mmap_low($1) ++ ') ++ + tunable_policy(`allow_execheap',` + # Allow making the stack executable via mprotect. + allow $1 self:process execheap; +@@ -70,6 +76,7 @@ optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -31054,7 +31109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -95,6 +97,10 @@ +@@ -95,6 +102,10 @@ optional_policy(` storage_unconfined($1) ') @@ -31065,7 +31120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -372,6 +378,24 @@ +@@ -372,6 +383,24 @@ ######################################## ## @@ -31090,7 +31145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ## Send generic signals to the unconfined domain. ## ## -@@ -581,7 +605,6 @@ +@@ -581,7 +610,6 @@ interface(`unconfined_dbus_connect',` gen_require(` type unconfined_t; @@ -31098,19 +31153,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') allow $1 unconfined_t:dbus acquire_svc; -@@ -589,49 +612,209 @@ +@@ -589,7 +617,7 @@ ######################################## ## -## Read files in unconfined users home directories. +## Allow ptrace of unconfined domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -597,20 +625,53 @@ + ## + ## + # +-interface(`unconfined_read_home_content_files',` +interface(`unconfined_ptrace',` + gen_require(` + type unconfined_t; @@ -31148,34 +31204,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +## +# +interface(`unconfined_execmem_rw_shm',` -+ gen_require(` + gen_require(` +- type unconfined_home_dir_t, unconfined_home_t; + type unconfined_execmem_t; -+ ') -+ + ') + +- files_search_home($1) +- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms; +- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) +- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) + allow $1 unconfined_execmem_t:shm rw_shm_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read unconfined users temporary files. +## Transition to the unconfined_execmem domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -618,20 +679,58 @@ + ## + ## + # +-interface(`unconfined_read_tmp_files',` +interface(`unconfined_execmem_domtrans',` + -+ gen_require(` + gen_require(` +- type unconfined_tmp_t; + type unconfined_execmem_t, unconfined_execmem_exec_t; -+ ') -+ + ') + +- files_search_tmp($1) +- allow $1 unconfined_tmp_t:dir list_dir_perms; +- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) +- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) + domtrans_pattern($1,unconfined_execmem_exec_t,unconfined_execmem_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Write unconfined users temporary files. +## allow attempts to use unconfined ttys and ptys. +## +## @@ -31217,15 +31286,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +######################################## +## +## Allow apps to set rlimits on userdomain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -639,10 +738,99 @@ + ## + ## + # +-interface(`unconfined_write_tmp_files',` +interface(`unconfined_set_rlimitnh',` -+ gen_require(` + gen_require(` +- type unconfined_tmp_t; + type unconfined_t; + ') + @@ -31254,83 +31325,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +######################################## +## +## Read/write unconfined tmpfs files. - ## ++## +## +##

+## Read/write unconfined tmpfs files. +##

+## - ## - ## - ## Domain allowed access. - ## - ## - # --interface(`unconfined_read_home_content_files',` ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`unconfined_rw_tmpfs_files',` - gen_require(` -- type unconfined_home_dir_t, unconfined_home_t; ++ gen_require(` + type unconfined_tmpfs_t; - ') - -- files_search_home($1) -- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms; -- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) -- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) ++ ') ++ + fs_search_tmpfs($1) + allow $1 unconfined_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) + read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) - ') - - ######################################## - ## --## Read unconfined users temporary files. ++') ++ ++######################################## ++## +## Delete unconfined tmpfs files. - ## ++## +## +##

+## Read/write unconfined tmpfs files. +##

+## - ## - ## - ## Domain allowed access. - ## - ## - # --interface(`unconfined_read_tmp_files',` ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`unconfined_delete_tmpfs_files',` - gen_require(` -- type unconfined_tmp_t; ++ gen_require(` + type unconfined_tmpfs_t; - ') - -- files_search_tmp($1) -- allow $1 unconfined_tmp_t:dir list_dir_perms; -- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) -- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) ++ ') ++ + fs_search_tmpfs($1) + allow $1 unconfined_tmpfs_t:dir list_dir_perms; + delete_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) + read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) - ') - - ######################################## - ## --## Write unconfined users temporary files. ++') ++ ++######################################## ++## +## Get the process group of unconfined. - ## - ## - ## -@@ -639,10 +822,10 @@ - ## - ## - # --interface(`unconfined_write_tmp_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`unconfined_getpgid',` - gen_require(` -- type unconfined_tmp_t; ++ gen_require(` + type unconfined_t; ') @@ -31339,8 +31394,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-24 16:57:46.339086000 -0400 -@@ -6,35 +6,67 @@ ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-25 14:52:17.887753000 -0400 +@@ -6,35 +6,74 @@ # Declarations # @@ -31353,6 +31408,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +## +##

++## Allow unconfined domain to map low memory in the kernel ++##

++## ++gen_tunable(allow_unconfined_mmap_low,false) ++ ++## ++##

+## Transition to confined qemu domains from unconfined user +##

+## @@ -31412,7 +31474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,37 +74,44 @@ +@@ -42,37 +81,44 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -31467,7 +31529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -101,12 +140,24 @@ +@@ -101,12 +147,24 @@ ') optional_policy(` @@ -31492,7 +31554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +169,7 @@ +@@ -118,11 +176,7 @@ ') optional_policy(` @@ -31505,7 +31567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,82 +181,97 @@ +@@ -134,82 +188,97 @@ ') optional_policy(` @@ -31628,7 +31690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +281,35 @@ +@@ -219,14 +288,35 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -31684,7 +31746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-24 15:08:40.156331000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-25 08:59:40.282820000 -0400 @@ -29,9 +29,14 @@ ') @@ -35308,8 +35370,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-23 10:09:03.411358000 -0400 -@@ -0,0 +1,174 @@ ++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-25 08:55:03.831022000 -0400 +@@ -0,0 +1,176 @@ + +policy_module(virt,1.0.0) + @@ -35383,6 +35445,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +manage_files_pattern(virtd_t, virt_log_t, virt_log_t) +logging_log_filetrans(virtd_t, virt_log_t, { file dir } ) + ++read_files_pattern(virtd_t, virt_image_t, virt_image_t) ++ +read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) +read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) + @@ -36159,3 +36223,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3 - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular +--- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500 ++++ serefpolicy-3.3.1/Rules.modular 2008-04-21 11:02:47.848797000 -0400 +@@ -73,8 +73,8 @@ + $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te + @echo "Compliling $(NAME) $(@F) module" + @test -d $(tmpdir) || mkdir -p $(tmpdir) +- $(call perrole-expansion,$(basename $(@F)),$@.role) +- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) ++# $(call perrole-expansion,$(basename $(@F)),$@.role) ++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + + $(tmpdir)/%.mod.fc: $(m4support) %.fc +@@ -129,7 +129,7 @@ + @test -d $(tmpdir) || mkdir -p $(tmpdir) + # define all available object classes + $(verbose) $(genperm) $(avs) $(secclass) > $@ +- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) ++# $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) + $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true + + $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy +@@ -147,7 +147,7 @@ + $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/rolemap.conf: $(rolemap) + $(verbose) echo "" > $@ +- $(call parse-rolemap,base,$@) ++# $(call parse-rolemap,base,$@) + + $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy + $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic +--- nsaserefpolicy/Rules.monolithic 2007-11-20 06:55:20.000000000 -0500 ++++ serefpolicy-3.3.1/Rules.monolithic 2008-04-21 11:02:47.854791000 -0400 +@@ -96,7 +96,7 @@ + # + # Load the binary policy + # +-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) ++reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles) + @echo "Loading $(NAME) $(loadpath)" + $(verbose) $(LOADPOLICY) -q $(loadpath) + @touch $(tmpdir)/load diff --git a/selinux-policy.spec b/selinux-policy.spec index ed2863c..9e5a016 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 41%{?dist} +Release: 42%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -385,6 +385,11 @@ exit 0 %endif %changelog +* Fri Apr 25 2008 Dan Walsh 3.3.1-42 +- Add boolean to mmap_zero +- allow tor setgid +- Allow gnomeclock to set clock + * Thu Apr 24 2008 Dan Walsh 3.3.1-41 - Don't run crontab from unconfined_t