From 1e86f3f15855f35f12e370f2eef02d9d02eff658 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 04 2010 21:31:54 +0000 Subject: - add usbmon device - Add allow rulse for devicekit_disk --- diff --git a/policy-F13.patch b/policy-F13.patch index 293b678..9cac576 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -231,7 +231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.5/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/admin/logrotate.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/admin/logrotate.te 2010-01-04 11:33:12.000000000 -0500 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -271,12 +271,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota acct_domtrans(logrotate_t) acct_manage_data(logrotate_t) acct_exec_data(logrotate_t) -@@ -149,6 +155,15 @@ +@@ -149,6 +155,16 @@ ') optional_policy(` + asterisk_exec(logrotate_t) + asterisk_stream_connect(logrotate_t) ++ asterisk_manage_lib_files(logrotate_t) +') + +optional_policy(` @@ -287,7 +288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota consoletype_exec(logrotate_t) ') -@@ -157,6 +172,10 @@ +@@ -157,6 +173,10 @@ ') optional_policy(` @@ -298,7 +299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota hostname_exec(logrotate_t) ') -@@ -183,6 +202,10 @@ +@@ -183,6 +203,10 @@ ') optional_policy(` 
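Review bot: `asterisk_manage_lib_files(logrotate_t)` in the logrotate.te hunk gives logrotate create, write, rename and unlink rights over everything labeled asterisk_var_lib_t, which is wider than rotating a log file requires. If the files logrotate touches actually live under /var/log, a read/write grant on asterisk's log type would be the tighter choice; if asterisk genuinely keeps its rotatable logs under /var/lib, that reason belongs next to the rule, e.g. `# asterisk keeps rotatable logs under /var/lib/asterisk, hence lib access`. I cannot tell from this hunk which case applies, so treat this as a question to settle in a comment rather than a defect.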
@@ -2194,7 +2195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.5/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/apps/firewallgui.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/apps/firewallgui.te 2010-01-04 13:22:20.000000000 -0500 @@ -0,0 +1,64 @@ + +policy_module(firewallgui,1.0.0) @@ -2226,8 +2227,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall +manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t) +files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir }) + -+iptables_manage_config(firewallgui_t) -+iptables_etc_filetrans_config(firewallgui_t) ++files_manage_system_conf_files(firewallgui_t) ++files_etc_filetrans_system_conf(firewallgui_t) + +corecmd_exec_shell(firewallgui_t) +corecmd_exec_bin(firewallgui_t) @@ -5772,7 +5773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.5/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/kernel/corecommands.if 2009-12-22 08:22:45.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/corecommands.if 2010-01-04 12:24:32.000000000 -0500 @@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) 
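Review bot: Replacing `iptables_manage_config(firewallgui_t)` with `files_manage_system_conf_files(firewallgui_t)` in firewallgui.te widens what the firewall GUI may write from the iptables configuration to every file labeled system_conf_t, and the files.fc change in this same commit puts /etc/sysctl.conf under that type as well. A GUI that only needs to edit firewall files thereby also gains the ability to rewrite kernel sysctl settings; if that is intended, a comment such as `# system_conf_t also covers /etc/sysctl.conf, so this grants more than firewall config` saves the next reviewer the search, otherwise a separate type for sysctl.conf keeps the grant narrow. The `files_etc_filetrans_system_conf` rule on the next line is unfiltered, so any new file firewallgui_t creates directly in /etc will be labeled system_conf_t; that is probably what is wanted but is worth stating in the same comment.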
@@ -5817,7 +5818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in 2010-01-04 12:10:28.000000000 -0500 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -5871,16 +5872,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) network_port(ircd, tcp,6667,s0) network_port(isakmp, udp,500,s0) -@@ -129,7 +139,7 @@ +@@ -128,8 +138,9 @@ + network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) ++network_port(lirc, tcp,8765,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon -network_port(mail, tcp,2000,s0) +network_port(mail, tcp,2000,s0, tcp,3905,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -@@ -138,21 +148,29 @@ +@@ -138,21 +149,29 @@ network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) @@ -5911,7 +5914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -172,30 +190,38 @@ +@@ -172,30 +191,38 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) 
@@ -5953,7 +5956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -224,6 +250,8 @@ +@@ -224,6 +251,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) @@ -5964,7 +5967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.5/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/kernel/devices.fc 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/devices.fc 2010-01-04 11:56:55.000000000 -0500 @@ -16,13 +16,16 @@ /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) 
@@ -5982,9 +5985,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) +@@ -100,6 +103,7 @@ + /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) + /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) + /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0) + /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) + ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.5/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/kernel/devices.if 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/devices.if 2010-01-04 12:04:02.000000000 -0500 @@ -801,6 +801,24 @@ ######################################## 
@@ -6060,6 +6071,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Read raw memory devices (e.g. /dev/mem). ## ## +@@ -3515,6 +3569,24 @@ + + ######################################## + ## ++## Read USB monitor devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_usbmon_dev',` ++ gen_require(` ++ type device_t, usbmon_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, usbmon_device_t) ++') ++ ++######################################## ++## + ## Mount a usbfs filesystem. + ## + ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.5/policy/modules/kernel/devices.te +--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-12-18 11:38:25.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/devices.te 2010-01-04 12:07:21.000000000 -0500 +@@ -227,6 +227,12 @@ + genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0) + + # ++# usb_device_t is the type for /dev/usbmon ++# ++type usbmon_device_t; ++dev_node(usbmon_device_t) ++ ++# + # usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+ + # + type usb_device_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.5/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.5/policy/modules/kernel/domain.if 2009-12-21 13:07:09.000000000 -0500 
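Review bot: The comment above the new type in devices.te reads `# usb_device_t is the type for /dev/usbmon`, copied from the block below it; it should name the type it introduces, `# usbmon_device_t is the type for /dev/usbmon* (USB bus traffic capture)`. It would also help to say why this got its own type instead of reusing usb_device_t: the usbmon nodes expose the raw traffic of every device on a bus, so `dev_read_usbmon_dev` is effectively a capture-everything grant and should be handed out only to domains that genuinely sniff USB. The interface itself grants read only, which matches that purpose.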
@@ -6294,8 +6346,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.5/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/kernel/domain.te 2009-12-23 07:50:49.000000000 -0500 -@@ -5,6 +5,13 @@ ++++ serefpolicy-3.7.5/policy/modules/kernel/domain.te 2010-01-04 11:15:20.000000000 -0500 +@@ -5,6 +5,21 @@ # # Declarations # @@ -6306,10 +6358,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +## +# +gen_tunable(allow_domain_fd_use, true) ++ ++## ++##

++## Allow all domains to have the kernel load modules ++##

++##
++# ++gen_tunable(domain_kernel_load_modules, false) # Mark process types as domains attribute domain; -@@ -15,6 +22,8 @@ +@@ -15,6 +30,8 @@ # Domains that are unconfined attribute unconfined_domain_type; @@ -6318,7 +6378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Domains that can mmap low memory. attribute mmap_low_domain_type; neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; -@@ -80,6 +89,8 @@ +@@ -80,6 +97,8 @@ allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; kernel_read_proc_symlinks(domain) @@ -6327,17 +6387,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates # a keyring -@@ -97,6 +108,9 @@ +@@ -97,6 +116,13 @@ # list the root directory files_list_root(domain) +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) + ++tunable_policy(`domain_kernel_load_modules',` ++ kernel_request_load_module(domain) ++') ++ tunable_policy(`global_ssp',` # enable reading of urandom for all domains: # this should be enabled when all programs -@@ -106,6 +120,10 @@ +@@ -106,6 +132,10 @@ ') optional_policy(` @@ -6348,7 +6412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain libs_use_ld_so(domain) libs_use_shared_libs(domain) ') -@@ -118,6 +136,7 @@ +@@ -118,6 +148,7 @@ optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -6356,7 +6420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ') ######################################## -@@ -136,6 +155,8 @@ +@@ -136,6 +167,8 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; 
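Review bot: The description of the new `domain_kernel_load_modules` tunable in domain.te says what it allows but not what enabling it costs, and since it gates the `kernel_request_load_module(domain)` rule added in the same file by this commit, the cost is large: every confined domain could then trigger kernel module autoloading on demand (for example by opening a socket of an otherwise unhandled family), pulling unused kernel code into the attack surface. Suggest expanding the text along the lines of `Allow all domains to have the kernel load modules. Enabling this lets any confined process autoload kernel modules; leave it off and grant kernel_request_load_module to the specific domain that needs it.` The default of false is the right choice and should stay.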
@@ -6365,7 +6429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -153,3 +174,73 @@ +@@ -153,3 +186,73 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -6441,7 +6505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.5/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/kernel/files.fc 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/files.fc 2010-01-04 13:22:20.000000000 -0500 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -6464,7 +6528,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -229,6 +232,8 @@ +@@ -62,6 +65,10 @@ + /etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0) + ++/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) ++ + /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) + + /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) +@@ -229,6 +236,8 @@ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) 
@@ -6475,7 +6550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib/nfs/rpc_pipefs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.5/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2009-12-29 18:04:05.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2010-01-04 15:43:02.000000000 -0500 @@ -932,10 +932,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) 
@@ -6585,7 +6660,72 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3496,6 +3555,32 @@ +@@ -3311,6 +3370,64 @@ + allow $1 readable_t:sock_file read_sock_file_perms; + ') + ++####################################### ++## ++## Read manageable system configuration files in /etc ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_read_system_conf_files',` ++ gen_require(` ++ type etc_t, system_conf_t; ++ ') ++ ++ allow $1 etc_t:dir list_dir_perms; ++ read_files_pattern($1, etc_t, system_conf_t) ++ read_lnk_files_pattern($1, etc_t, system_conf_t) ++') ++ ++###################################### ++## ++## Manage manageable system configuration files in /etc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_system_conf_files',` ++ gen_require(` ++ type etc_t, system_conf_t; ++ ') ++ ++ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) ++') ++ ++################################### ++## ++## Create files in /etc with the type used for ++## the manageable system config files. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`files_etc_filetrans_system_conf',` ++ gen_require(` ++ type etc_t, system_conf_t; ++ ') ++ ++ filetrans_pattern($1, etc_t, system_conf_t, file) ++') ++ + ######################################## + ## + ## Allow the specified type to associate +@@ -3496,6 +3613,32 @@ ######################################## ## @@ -6618,7 +6758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3709,6 +3794,8 @@ +@@ -3709,6 +3852,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
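Review bot: The summaries of the three new system_conf_t interfaces in files.if are circular (`Read manageable system configuration files`, `Manage manageable system configuration files`) and do not say what is in the set; `Read the system configuration files in /etc that several domains are allowed to edit (system_conf_t)` tells a caller what it is asking for. `files_manage_system_conf_files` should additionally note that its `{ etc_t system_conf_t }` directory argument gives the caller add_name/remove_name on /etc itself, which the create/delete half of `manage_files_pattern` needs but is more than the name suggests. No code change is needed; this is documentation only.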
@@ -6627,7 +6767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3817,7 +3904,12 @@ +@@ -3817,7 +3962,12 @@ type usr_t; ') @@ -6641,7 +6781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3856,6 +3948,7 @@ +@@ -3856,6 +4006,7 @@ allow $1 usr_t:dir list_dir_perms; read_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t) @@ -6649,7 +6789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3880,6 +3973,24 @@ +@@ -3880,6 +4031,24 @@ ######################################## ## @@ -6674,7 +6814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## dontaudit write of /usr files ## ## -@@ -4500,6 +4611,24 @@ +@@ -4500,6 +4669,24 @@ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -6699,7 +6839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -4772,6 +4901,25 @@ +@@ -4772,6 +4959,25 @@ search_dirs_pattern($1, var_t, var_run_t) ') 
@@ -6725,7 +6865,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -4880,6 +5028,24 @@ +@@ -4831,6 +5037,24 @@ + + ######################################## + ## ++## Write named generic process ID pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_write_generic_pid_pipes',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:fifo_file write; ++') ++ ++######################################## ++## + ## Create an object in the process ID directory, with a private + ## type using a type transition. + ## +@@ -4880,6 +5104,24 @@ ######################################## ## @@ -6750,7 +6915,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Do not audit attempts to write to daemon runtime data files. ## ## -@@ -5001,6 +5167,24 @@ +@@ -4933,6 +5175,7 @@ + + list_dirs_pattern($1, var_t, pidfile) + read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) + ') + + ######################################## +@@ -5001,6 +5244,24 @@ ######################################## ## @@ -6775,7 +6948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5189,12 +5373,15 @@ +@@ -5189,12 +5450,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -6792,7 +6965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5215,3 +5402,192 @@ +@@ -5215,3 +5479,192 @@ typeattribute $1 files_unconfined_type; ') 
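Review bot: `files_write_generic_pid_pipes` grants `allow $1 var_run_t:fifo_file write` but gives the caller no search access to /var/run, unlike callers such as asterisk_stream_connect elsewhere in this patch that pair pid-directory access with `files_search_pids($1)`; either add `files_search_pids($1)` inside the interface or document that callers must supply it themselves. The summary `Write named generic process ID pipes` also reads oddly; `Write to generic (var_run_t) named pipes in /var/run` says what the rule does. Because the rule matches every fifo carrying the generic type, the description should warn that it is a last resort for pipes with no private type, so callers prefer a dedicated type when the peer is known.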
@@ -6987,7 +7160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.5/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/kernel/files.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/kernel/files.te 2010-01-04 13:22:20.000000000 -0500 @@ -12,6 +12,7 @@ attribute mountpoint; attribute pidfile; @@ -7004,7 +7177,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # default_t is the default type for files that do not # match any specification in the file_contexts configuration -@@ -194,6 +196,7 @@ +@@ -59,6 +61,15 @@ + typealias etc_t alias automount_etc_t; + typealias etc_t alias snmpd_etc_t; + ++# system_conf_t is a new type of various ++# files in /etc/ that can be managed and ++# created by several domains. ++# ++type system_conf_t, configfile; ++files_type(system_conf_t) ++# compatibility aliases for removed type: ++typealias system_conf_t alias iptables_conf_t; ++ + # + # etc_runtime_t is the type of various + # files in /etc that are automatically +@@ -194,6 +205,7 @@ fs_associate_noxattr(file_type) fs_associate_tmpfs(file_type) fs_associate_ramfs(file_type) @@ -9777,7 +9966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.5/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-29 19:58:38.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2010-01-04 12:40:17.000000000 -0500 
@@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -9862,7 +10051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt sysnet_read_config(abrt_t) -@@ -96,22 +129,94 @@ +@@ -96,22 +129,97 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -9939,6 +10128,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) + ++read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) ++read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) ++ +files_read_etc_files(abrt_helper_t) +files_dontaudit_all_non_security_leaks(abrt_helper_t) + @@ -11898,8 +12090,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw kernel_read_proc_symlinks(arpwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.5/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/asterisk.if 2009-12-21 13:07:09.000000000 -0500 -@@ -2,27 +2,27 @@ ++++ serefpolicy-3.7.5/policy/modules/services/asterisk.if 2010-01-04 11:33:56.000000000 -0500 +@@ -2,8 +2,28 @@ ##################################### ## 
@@ -11907,28 +12099,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste -## stream socket. +## Connect to asterisk over a unix domain +## stream socket. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # - interface(`asterisk_stream_connect',` -- gen_require(` -- type asterisk_t, asterisk_var_run_t; -- ') ++## ++# ++interface(`asterisk_stream_connect',` + gen_require(` + type asterisk_t, asterisk_var_run_t; + ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## asterisk lib files. + ## + ## + ## +@@ -11,18 +31,18 @@ + ## + ## + # +-interface(`asterisk_stream_connect',` ++interface(`asterisk_manage_lib_files',` + gen_require(` +- type asterisk_t, asterisk_var_run_t; ++ type asterisk_var_lib_t; + ') - files_search_pids($1) - stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) -+ files_search_pids($1) -+ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) ++ manage_files_pattern($1, asterisk_var_lib_t, asterisk_var_lib_t) ++ files_search_var_lib($1) ') ######################################## @@ -11938,7 +12146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste ## an asterisk environment ## ## -@@ -71,3 +71,22 @@ +@@ -71,3 +91,22 @@ files_list_pids($1) admin_pattern($1, asterisk_var_run_t) ') 
@@ -11963,7 +12171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.5/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/asterisk.te 2009-12-30 08:24:30.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/asterisk.te 2010-01-04 15:26:15.000000000 -0500 @@ -34,18 +34,21 @@ type asterisk_var_run_t; files_pid_file(asterisk_var_run_t) @@ -12004,12 +12212,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste corenet_all_recvfrom_unlabeled(asterisk_t) corenet_all_recvfrom_netlabel(asterisk_t) -@@ -104,10 +111,12 @@ +@@ -104,10 +111,13 @@ corenet_udp_bind_generic_port(asterisk_t) corenet_dontaudit_udp_bind_all_ports(asterisk_t) corenet_sendrecv_generic_server_packets(asterisk_t) +corenet_tcp_connect_postgresql_port(asterisk_t) ++dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) dev_read_sound(asterisk_t) dev_write_sound(asterisk_t) @@ -12017,7 +12226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste domain_use_interactive_fds(asterisk_t) -@@ -120,17 +129,29 @@ +@@ -120,17 +130,29 @@ fs_getattr_all_fs(asterisk_t) fs_search_auto_mountpoints(asterisk_t) @@ -12050,7 +12259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste ') optional_policy(` -@@ -138,10 +159,11 @@ +@@ -138,10 +160,11 @@ ') optional_policy(` 
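Review bot: `dev_rw_generic_usb_dev(asterisk_t)` in asterisk.te gives the PBX daemon unconditional read/write on every generic USB device node, which covers any device on the bus rather than just telephony hardware. If this is for a particular USB channel bank or modem, a comment naming it, e.g. `# read/write USB telephony interfaces (channel banks, modems)`, would justify the width; if that hardware is optional, wrapping the rule in a boolean would let installs without it keep asterisk off the USB nodes entirely. The neighbouring sysfs and sound-device rules were already present, so only the new line needs the explanation.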
@@ -12134,7 +12343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.5/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/bind.if 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/bind.if 2010-01-04 16:21:41.000000000 -0500 @@ -235,7 +235,7 @@ ######################################## @@ -12185,10 +12394,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind +# +interface(`bind_initrc_domtrans',` + gen_require(` -+ type bind_initrc_exec_t; ++ type named_initrc_exec_t; + ') + -+ init_labeled_script_domtrans($1, bind_initrc_exec_t) ++ init_labeled_script_domtrans($1, named_initrc_exec_t) +') + +######################################## @@ -12196,6 +12405,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind ## All of the rules required to administrate ## an bind environment ## +@@ -319,7 +357,7 @@ + + bind_run_ndc($1, $2) + +- init_labeled_script_domtrans($1, bind_initrc_exec_t) ++ init_labeled_script_domtrans($1, named_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 named_initrc_exec_t system_r; + allow $2 system_r; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.7.5/policy/modules/services/bluetooth.if --- nsaserefpolicy/policy/modules/services/bluetooth.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.5/policy/modules/services/bluetooth.if 2009-12-21 13:07:09.000000000 -0500 
@@ -13735,7 +13953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.7.5/policy/modules/services/courier.te --- nsaserefpolicy/policy/modules/services/courier.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/courier.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/courier.te 2010-01-04 09:35:48.000000000 -0500 @@ -10,6 +10,7 @@ type courier_etc_t; @@ -14227,7 +14445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.5/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/cups.te 2009-12-30 08:05:46.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/cups.te 2010-01-04 16:23:36.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -14314,7 +14532,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) -@@ -317,6 +331,10 @@ +@@ -285,8 +299,10 @@ + hal_dbus_chat(cupsd_t) + ') + ++ # talk to processes that do not have policy + optional_policy(` + unconfined_dbus_chat(cupsd_t) ++ files_write_generic_pid_pipes(cupsd_t) + ') + ') + +@@ -317,6 +333,10 @@ ') optional_policy(` @@ -14325,7 +14554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups udev_read_db(cupsd_t) ') -@@ -327,7 +345,7 @@ +@@ -327,7 +347,7 @@ allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; 
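Review bot: `files_write_generic_pid_pipes(cupsd_t)` in cups.te sits inside the `optional_policy` block that holds `unconfined_dbus_chat`, so cupsd's write access to every var_run_t fifo appears and disappears with the unconfined module even though the rule has nothing to do with dbus. The added comment `# talk to processes that do not have policy` gives the motive but not the target; naming the pipe or its peer would let someone later give it a private type and retire this generic grant, e.g. `# cupsd writes to a /var/run fifo owned by an unconfined peer; give that pipe its own type once identified`. As written the access is broader than the single pipe it was added for.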
@@ -14334,7 +14563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_config_t self:fifo_file rw_fifo_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms; -@@ -378,6 +396,8 @@ +@@ -378,6 +398,8 @@ dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -14343,7 +14572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -407,6 +427,7 @@ +@@ -407,6 +429,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -14351,7 +14580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cups_stream_connect(cupsd_config_t) -@@ -419,12 +440,15 @@ +@@ -419,12 +442,15 @@ ') optional_policy(` @@ -14369,7 +14598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -446,6 +470,10 @@ +@@ -446,6 +472,10 @@ ') optional_policy(` @@ -14380,7 +14609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups rpm_read_db(cupsd_config_t) ') -@@ -457,6 +485,10 @@ +@@ -457,6 +487,10 @@ udev_read_db(cupsd_config_t) ') @@ -14391,7 +14620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ######################################## # # Cups lpd support -@@ -542,6 +574,8 @@ +@@ -542,6 +576,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) 
@@ -14400,7 +14629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,11 +590,15 @@ +@@ -556,11 +592,15 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -14416,7 +14645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(cups_pdf_t) -@@ -601,6 +639,9 @@ +@@ -601,6 +641,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -14426,7 +14655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +668,7 @@ +@@ -627,6 +670,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) @@ -14923,7 +15152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.5/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/devicekit.if 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/devicekit.if 2010-01-04 12:18:22.000000000 -0500 @@ -139,6 +139,26 @@ ######################################## 
@@ -14953,7 +15182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.5/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/devicekit.te 2009-12-29 19:15:17.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/devicekit.te 2010-01-04 12:47:46.000000000 -0500 @@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) 
@@ -14963,18 +15192,93 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi miscfiles_read_localization(devicekit_t) optional_policy(` -@@ -60,8 +62,9 @@ +@@ -60,8 +62,10 @@ # DeviceKit disk local policy # -allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; -+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_admin sys_ptrace sys_rawio }; ++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio }; ++allow devicekit_disk_t self:process signal_perms; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; +allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -@@ -110,6 +113,7 @@ +@@ -71,29 +75,55 @@ + manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) + files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) + ++allow devicekit_disk_t devicekit_var_run_t:dir mounton; ++manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) ++manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) ++files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir }) ++ ++kernel_getattr_message_if(devicekit_disk_t) ++kernel_read_fs_sysctls(devicekit_disk_t) + kernel_read_software_raid_state(devicekit_disk_t) ++kernel_read_system_state(devicekit_disk_t) ++kernel_request_load_module(devicekit_disk_t) + kernel_setsched(devicekit_disk_t) + + corecmd_exec_bin(devicekit_disk_t) ++corecmd_exec_shell(devicekit_disk_t) ++corecmd_getattr_all_executables(devicekit_disk_t) + + dev_rw_sysfs(devicekit_disk_t) + dev_read_urand(devicekit_disk_t) + dev_getattr_usbfs_dirs(devicekit_disk_t) ++dev_manage_generic_files(devicekit_disk_t) 
++dev_getattr_all_chr_files(devicekit_disk_t) + ++domain_getattr_all_pipes(devicekit_disk_t) ++domain_getattr_all_sockets(devicekit_disk_t) ++domain_getattr_all_stream_sockets(devicekit_disk_t) ++domain_read_all_domains_state(devicekit_disk_t) ++ ++files_getattr_all_sockets(devicekit_disk_t) ++files_getattr_all_mountpoints(devicekit_disk_t) ++files_getattr_all_files(devicekit_disk_t) ++files_manage_isid_type_dirs(devicekit_disk_t) + files_manage_mnt_dirs(devicekit_disk_t) + files_read_etc_files(devicekit_disk_t) + files_read_etc_runtime_files(devicekit_disk_t) + files_read_usr_files(devicekit_disk_t) + ++fs_list_inotifyfs(devicekit_disk_t) ++fs_manage_fusefs_dirs(devicekit_disk_t) + fs_mount_all_fs(devicekit_disk_t) + fs_unmount_all_fs(devicekit_disk_t) +-fs_manage_fusefs_dirs(devicekit_disk_t) ++fs_search_all(devicekit_disk_t) + + storage_raw_read_fixed_disk(devicekit_disk_t) + storage_raw_write_fixed_disk(devicekit_disk_t) + storage_raw_read_removable_device(devicekit_disk_t) + storage_raw_write_removable_device(devicekit_disk_t) + ++term_use_all_terms(devicekit_disk_t) ++ + auth_use_nsswitch(devicekit_disk_t) + + miscfiles_read_localization(devicekit_disk_t) +@@ -102,6 +132,16 @@ + userdom_search_user_home_dirs(devicekit_disk_t) + + optional_policy(` ++ dbus_system_bus_client(devicekit_disk_t) ++ ++ allow devicekit_disk_t devicekit_t:dbus send_msg; ++ ++ optional_policy(` ++ consolekit_dbus_chat(devicekit_disk_t) ++ ') ++') ++ ++optional_policy(` + fstools_domtrans(devicekit_disk_t) + ') + +@@ -110,6 +150,7 @@ ') optional_policy(` 
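Review bot: The devicekit_disk_t rules added here reach for whole-class interfaces — `dev_manage_generic_files`, `files_getattr_all_files`, `domain_read_all_domains_state`, `term_use_all_terms`, `fs_search_all`, `kernel_request_load_module` — and none carries a comment naming the operation that needed it, so a later reader cannot judge whether a narrower interface would do; the same applies to `virt_manage_images(devicekit_disk_t)` in the next hunk of this file (`@@ -14982`). The capability line also changes shape without explanation: `sys_admin` is dropped from the Fedora variant while `setuid setgid` and `net_admin` appear, even though `fs_mount_all_fs` stays in the section, so it is worth confirming that mounts are delegated to a helper domain rather than done in-domain. I would put a one-line comment above each broad call, e.g. `# TODO(review): name the udisks operation / denial this resolves`, and where the access is only probed (the `*_getattr_all_*` calls are the usual case) consider the dontaudit form of the interface where one exists. The devicekit_disk_t section starts before this hunk and continues after it.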
@@ -14982,7 +15286,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) -@@ -139,9 +143,10 @@ +@@ -120,18 +161,12 @@ + ') + + optional_policy(` +- dbus_system_bus_client(devicekit_disk_t) +- +- allow devicekit_disk_t devicekit_t:dbus send_msg; +- +- optional_policy(` +- consolekit_dbus_chat(devicekit_disk_t) +- ') ++ udev_domtrans(devicekit_disk_t) ++ udev_read_db(devicekit_disk_t) + ') + + optional_policy(` +- udev_domtrans(devicekit_disk_t) +- udev_read_db(devicekit_disk_t) ++ virt_manage_images(devicekit_disk_t) + ') + + ######################################## +@@ -139,9 +174,10 @@ # DeviceKit-Power local policy # @@ -14994,7 +15320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +156,7 @@ +@@ -151,6 +187,7 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) @@ -15002,7 +15328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,6 +165,7 @@ +@@ -159,6 +196,7 @@ domain_read_all_domains_state(devicekit_power_t) @@ -15010,7 +15336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +174,17 @@ +@@ -167,12 +205,17 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) 
@@ -15028,7 +15354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,8 +192,13 @@ +@@ -180,6 +223,10 @@ ') optional_policy(` @@ -15038,11 +15364,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +optional_policy(` dbus_system_bus_client(devicekit_power_t) -+ allow devicekit_disk_t devicekit_t:dbus send_msg; allow devicekit_power_t devicekit_t:dbus send_msg; - - optional_policy(` -@@ -203,17 +220,23 @@ +@@ -203,17 +250,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) @@ -16574,7 +16897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.5/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/lircd.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/lircd.te 2010-01-04 12:13:46.000000000 -0500 @@ -16,13 +16,9 @@ type lircd_etc_t; files_type(lircd_etc_t) @@ -16590,7 +16913,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc ######################################## # # lircd local policy -@@ -34,15 +30,27 @@ +@@ -30,19 +26,41 @@ + + allow lircd_t self:process signal; + allow lircd_t self:unix_dgram_socket create_socket_perms; ++allow lircd_t self:fifo_file rw_file_perms; ++allow lircd_t self:tcp_socket create_stream_socket_perms; + # etc file read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) 
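Review bot: `allow lircd_t self:fifo_file rw_file_perms;` uses the generic file permission set on a fifo, while the rest of this patch and the file's own style use the fifo-specific macro (compare `allow lircd_t self:unix_dgram_socket create_socket_perms;` just above and `allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;` earlier in this patch). I would change it to `allow lircd_t self:fifo_file rw_fifo_file_perms;`. The lircd_t section continues in the following hunks.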
@@ -16600,6 +16929,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc +manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) ++corenet_tcp_bind_generic_node(lircd_t) ++corenet_tcp_bind_lirc_port(lircd_t) ++corenet_tcp_connect_lirc_port(lircd_t) ++corenet_tcp_sendrecv_all_ports(lircd_t) ++corenet_tcp_sendrecv_generic_if(lircd_t) ++ # /dev/lircd socket -manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) -dev_filetrans(lircd_t, lircd_sock_t, sock_file ) @@ -16610,17 +16945,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc +dev_rw_lirc(lircd_t) +dev_rw_input_dev(lircd_t) + -+term_use_ptmx(lircd_t) - - logging_send_syslog_msg(lircd_t) - -+files_read_etc_files(lircd_t) +files_list_var(lircd_t) +files_manage_generic_locks(lircd_t) +files_read_all_locks(lircd_t) ++files_read_etc_files(lircd_t) + ++term_use_ptmx(lircd_t) + + logging_send_syslog_msg(lircd_t) + miscfiles_read_localization(lircd_t) + ++sysnet_dns_name_resolve(lircd_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.5/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2009-07-23 14:11:04.000000000 -0400 +++ serefpolicy-3.7.5/policy/modules/services/mailman.fc 2009-12-30 08:22:07.000000000 -0500 @@ -16966,7 +17303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ## Send a generic signal to MySQL. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.5/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/mysql.te 2009-12-29 09:05:51.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/mysql.te 2010-01-04 10:36:36.000000000 -0500 
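Review bot: The new network rules bind and connect only the lirc port (`corenet_tcp_bind_lirc_port`, `corenet_tcp_connect_lirc_port`) yet pair that with `corenet_tcp_sendrecv_all_ports(lircd_t)`, which is wider than the ports the daemon is actually given. Since the port type exists, the matching `corenet_tcp_sendrecv_lirc_port(lircd_t)` would keep the send/receive side in step with the bind/connect side. The lircd_t section starts before this hunk and continues into the next one.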
@@ -1,6 +1,13 @@ policy_module(mysql, 1.11.1) @@ -16993,12 +17330,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ifdef(`distro_redhat',` # because Fedora has the sock_file in the database directory type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t; -@@ -131,20 +143,24 @@ +@@ -131,20 +143,25 @@ # Local mysqld_safe policy # -allow mysqld_safe_t self:capability { dac_override fowner chown }; +allow mysqld_safe_t self:capability { chown dac_override fowner kill }; ++dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) @@ -22661,7 +22999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.5/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/samba.te 2009-12-29 19:05:08.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/samba.te 2010-01-04 16:03:08.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -22824,7 +23162,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # smbmount Local policy -@@ -638,6 +673,10 @@ +@@ -618,7 +653,7 @@ + # SWAT Local policy + # + +-allow swat_t self:capability { setuid setgid sys_resource }; ++allow swat_t self:capability { dac_override setuid setgid sys_resource }; + allow swat_t self:process { setrlimit signal_perms }; + allow swat_t self:fifo_file rw_fifo_file_perms; + allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +@@ -638,11 +673,13 @@ allow swat_t smbd_var_run_t:file { lock unlink }; 
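Review bot: `dac_override` is added to swat_t's capability set with no comment on which file access needs it; since it bypasses every discretionary permission check it deserves a note, and it is hard to tell here whether it is tied to the samba_log_t/samba_secrets_t write rules that the later hunks of this file add or to something else. I would annotate the line, e.g. `# dac_override: TODO(review) record the swat operation that needs it`, or drop it if the log/secrets rules alone resolve the denial. The swat_t section continues beyond this hunk.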
@@ -22835,7 +23182,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) -@@ -657,7 +696,7 @@ +-append_files_pattern(swat_t, samba_log_t, samba_log_t) +- + allow swat_t smbd_exec_t:file mmap_file_perms ; + + allow swat_t smbd_t:process signull; +@@ -657,7 +694,7 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -22844,7 +23196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -700,6 +739,8 @@ +@@ -700,6 +737,8 @@ miscfiles_read_localization(swat_t) @@ -22853,7 +23205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -713,12 +754,23 @@ +@@ -713,12 +752,23 @@ kerberos_use(swat_t) ') @@ -22861,7 +23213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +init_dontaudit_write_utmp(swat_t) + +manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) -+create_files_pattern(swat_t, samba_log_t, samba_log_t) ++manage_files_pattern(swat_t, samba_log_t, samba_log_t) + +manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) + @@ -22878,7 +23230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -866,6 +918,18 @@ +@@ -866,6 +916,18 @@ # optional_policy(` 
@@ -22897,7 +23249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +940,12 @@ +@@ -876,9 +938,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -23701,7 +24053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp dev_read_sysfs(snmpd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.5/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/services/snort.te 2009-12-27 08:04:35.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/snort.te 2010-01-04 12:03:35.000000000 -0500 @@ -37,6 +37,7 @@ allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; @@ -23726,6 +24078,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor corenet_all_recvfrom_unlabeled(snort_t) corenet_all_recvfrom_netlabel(snort_t) +@@ -76,6 +78,7 @@ + dev_read_sysfs(snort_t) + dev_read_rand(snort_t) + dev_read_urand(snort_t) ++dev_read_usbmon_dev(snort_t) + + domain_use_interactive_fds(snort_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.5/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.5/policy/modules/services/spamassassin.fc 2009-12-21 13:07:09.000000000 -0500 
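Review bot: `dev_read_usbmon_dev(snort_t)` refers to an interface that is not defined anywhere in this chunk; the commit title says the usbmon device is being added, so presumably the devices.te type, the devices.fc node entry and this interface land elsewhere in the patch, but this module only builds if all of them are in the same commit. Worth a quick check that the fc entry and the `dev_read_usbmon_dev` interface are present, since the failure would surface as a build error rather than here.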
@@ -25798,7 +26158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.5/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/services/virt.te 2009-12-29 16:41:45.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/services/virt.te 2010-01-04 13:22:20.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -25972,7 +26332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +files_read_usr_src_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall -+iptables_manage_config(virtd_t) ++files_manage_system_conf_files(virtd_t) +files_manage_etc_files(virtd_t) fs_list_auto_mountpoints(virtd_t) @@ -29045,7 +29405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.5/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/system/ipsec.te 2009-12-29 17:01:28.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/system/ipsec.te 2010-01-04 09:23:53.000000000 -0500 @@ -29,9 +29,15 @@ type ipsec_key_file_t; files_type(ipsec_key_file_t) 
@@ -29082,7 +29442,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file }) -@@ -171,8 +181,9 @@ +@@ -99,6 +109,7 @@ + allow ipsec_mgmt_t ipsec_t:fd use; + allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; + allow ipsec_mgmt_t ipsec_t:process sigchld; ++sysnet_domtrans_ifconfig(ipsec_t) + + kernel_read_kernel_sysctls(ipsec_t) + kernel_list_proc(ipsec_t) +@@ -171,8 +182,9 @@ # ipsec_mgmt Local policy # @@ -29094,7 +29462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -182,6 +193,9 @@ +@@ -182,6 +194,9 @@ allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) @@ -29104,7 +29472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) -@@ -259,6 +273,7 @@ +@@ -259,6 +274,7 @@ init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) @@ -29112,7 +29480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. logging_send_syslog_msg(ipsec_mgmt_t) -@@ -323,6 +338,7 @@ +@@ -323,6 +339,7 @@ kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) @@ -29120,7 +29488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) -@@ -362,6 +378,8 @@ +@@ -362,6 +379,8 @@ sysnet_exec_ifconfig(racoon_t) 
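Review bot: `sysnet_domtrans_ifconfig(ipsec_t)` is inserted directly after `allow ipsec_mgmt_t ipsec_t:process sigchld;`, inside the group of ipsec_mgmt_t→ipsec_t rules and with no blank line before it, whereas the file groups interface calls for a domain by module (the `kernel_` calls that follow, `sysnet_exec_ifconfig(racoon_t)` further down). I would move the call down to sit with the other `sysnet_` calls for ipsec_t, or at least separate it from the allow block with a blank line. The ipsec_t section continues outside the hunk.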
@@ -29129,7 +29497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -380,12 +398,15 @@ +@@ -380,12 +399,15 @@ read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) @@ -29145,19 +29513,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -397,3 +418,4 @@ +@@ -397,3 +419,4 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.5/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/system/iptables.fc 2009-12-21 13:07:09.000000000 -0500 -@@ -1,13 +1,17 @@ ++++ serefpolicy-3.7.5/policy/modules/system/iptables.fc 2010-01-04 13:35:59.000000000 -0500 +@@ -1,13 +1,16 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) - /etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) - /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) -- +-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) +-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) + /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) 
@@ -29175,8 +29543,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.5/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.5/policy/modules/system/iptables.te 2009-12-21 13:07:09.000000000 -0500 -@@ -30,6 +30,7 @@ ++++ serefpolicy-3.7.5/policy/modules/system/iptables.te 2010-01-04 13:22:20.000000000 -0500 +@@ -14,9 +14,6 @@ + type iptables_initrc_exec_t; + init_script_file(iptables_initrc_exec_t) + +-type iptables_conf_t; +-files_config_file(iptables_conf_t) +- + type iptables_tmp_t; + files_tmp_file(iptables_tmp_t) + +@@ -30,11 +27,12 @@ allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config; @@ -29184,7 +29562,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:rawip_socket create_socket_perms; -@@ -63,6 +64,7 @@ +-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) +-files_etc_filetrans(iptables_t, iptables_conf_t, file) ++files_manage_system_conf_files(iptables_t) ++files_etc_filetrans_system_conf(iptables_t) + + manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) + files_pid_filetrans(iptables_t, iptables_var_run_t, file) +@@ -63,6 +61,7 @@ mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -29192,7 +29577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl domain_use_interactive_fds(iptables_t) -@@ -89,6 +91,7 @@ +@@ -89,6 +88,7 @@ optional_policy(` fail2ban_append_log(iptables_t) 
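Review bot: `type iptables_conf_t` is removed outright (and the two `/etc/sysconfig` entries go from iptables.fc in the previous hunk) with no `typealias` left behind, so any policy module or on-disk label that still names iptables_conf_t breaks at load or relabel time. Refpolicy's usual way to retire a type is to keep a compatibility alias on the replacement, e.g. `typealias system_conf_t alias iptables_conf_t;` (assuming system_conf_t is the type behind `files_manage_system_conf_files`, which is not visible here), and to make sure files.fc gains entries for `/etc/sysconfig/ip6?tables.*` and `/etc/sysconfig/system-config-firewall.*` in the same patch, otherwise those files presumably fall back to the generic etc label and the new `files_manage_system_conf_files(iptables_t)` call no longer covers them. The callers already switched (virt.te below uses `files_manage_system_conf_files(virtd_t)`), so this is the only piece I could not confirm from this chunk.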
@@ -29200,7 +29585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') optional_policy(` -@@ -122,5 +125,10 @@ +@@ -122,5 +122,10 @@ ') optional_policy(` @@ -29244,7 +29629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump. +permissive kdump_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.5/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-31 08:59:50.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2010-01-04 11:01:42.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -29460,7 +29845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -307,10 +316,127 @@ +@@ -307,10 +316,129 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -29588,6 +29973,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.5/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.5/policy/modules/system/libraries.if 2009-12-21 13:07:09.000000000 -0500 
@@ -30194,7 +30581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.5/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/system/mount.if 2009-12-22 09:40:26.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/system/mount.if 2010-01-04 11:29:01.000000000 -0500 @@ -16,6 +16,7 @@ ') @@ -30203,7 +30590,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -84,9 +85,11 @@ +@@ -44,6 +45,8 @@ + mount_domtrans($1) + role $2 types mount_t; + ++ fstools_run(mount_t, $2) ++ + optional_policy(` + samba_run_smbmount($1, $2) + ') +@@ -84,9 +87,11 @@ interface(`mount_signal',` gen_require(` type mount_t; @@ -30215,7 +30611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -177,3 +180,57 @@ +@@ -177,3 +182,57 @@ mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; ') @@ -30275,7 +30671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.5/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/system/mount.te 2009-12-21 13:07:09.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/system/mount.te 2010-01-04 12:19:08.000000000 -0500 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; 
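Review bot: `fstools_run(mount_t, $2)` is added to `mount_run` at top level while `samba_run_smbmount($1, $2)` right below sits in an `optional_policy` block, so the interface now hard-requires fstools; if fstools is not a base module in this build that is an unconditional dependency the rest of the interface avoids. It also overlaps with the `fstools_domtrans(mount_t)` that the mount.te hunk of this commit adds, presumably because `fstools_run` wraps the same domtrans plus the role statement; declaring the transition once in mount.te and leaving only the role assignment to the interface, or wrapping the call as `optional_policy(` fstools_run(mount_t, $2) `')` for consistency with the samba block, would be cleaner. `mount_run` starts before this hunk.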
@@ -30412,7 +30808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`distro_redhat',` optional_policy(` -@@ -132,6 +171,10 @@ +@@ -132,6 +171,12 @@ ') ') @@ -30420,10 +30816,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + +modutils_domtrans_insmod(mount_t) + ++fstools_domtrans(mount_t) ++ tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_shadow(mount_t) auth_read_all_files_except_shadow(mount_t) -@@ -165,6 +208,8 @@ +@@ -165,6 +210,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -30432,7 +30830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -172,6 +217,25 @@ +@@ -172,6 +219,25 @@ ') optional_policy(` @@ -30458,7 +30856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +243,11 @@ +@@ -179,6 +245,11 @@ ') ') @@ -30470,7 +30868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +255,7 @@ +@@ -186,6 +257,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -30478,7 +30876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -195,5 +265,8 @@ +@@ -195,5 +267,9 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) @@ -30486,6 +30884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + unconfined_domain_noaudit(unconfined_mount_t) + + rpc_domtrans_rpcd(unconfined_mount_t) ++ devicekit_dbus_chat_disk(unconfined_mount_t) ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.5/policy/modules/system/raid.te 
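Review bot: `devicekit_dbus_chat_disk(unconfined_mount_t)` is appended to an `optional_policy` block that already holds calls into other modules (`unconfined_domain_noaudit`, `rpc_domtrans_rpcd`), and an optional block is disabled as a whole when any of its requirements is missing, so a build without devicekit would also lose the rpc and unconfined rules, and vice versa. The convention elsewhere in this file is one `optional_policy` block per module; I would give the new call its own `optional_policy(` devicekit_dbus_chat_disk(unconfined_mount_t) `')` block. The interface itself is presumably defined in the devicekit.if hunk earlier in this patch, which I could not fully see.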
@@ -32561,7 +32960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.5/policy/modules/system/userdomain.if 2009-12-31 08:43:59.000000000 -0500 ++++ serefpolicy-3.7.5/policy/modules/system/userdomain.if 2009-12-31 09:27:43.000000000 -0500 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index cd887d4..26f9afe 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.5 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,10 @@ exit 0 %endif %changelog +* Mon Jan 4 2010 Dan Walsh 3.7.5-6 +- add usbmon device +- Add allow rulse for devicekit_disk + * Wed Dec 30 2009 Dan Walsh 3.7.5-5 - Lots of fixes found in F12, fixes from Tom London