From 244b4526c6dcbe447e1c6875a05a7a4808b92c62 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jun 16 2010 18:25:47 +0000
Subject: - Cleanup of aiccu policy - initial mock policy
---
diff --git a/modules-minimum.conf b/modules-minimum.conf
index 4363833..4b4483b 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1081,6 +1081,20 @@
 mysql = module
 nagios = module
 # Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
diff --git a/modules-mls.conf b/modules-mls.conf
index 6caf71e..3fc955a 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1012,6 +1012,13 @@
 mysql = module
 nagios = module
 # Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 4363833..4b4483b 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1081,6 +1081,20 @@
 mysql = module
 nagios = module
 # Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#
+ncftool = module
+
+# Layer: admin
 # Module: netutils
 #
 # Network analysis utilities
diff --git a/policy-F14.patch b/policy-F14.patch
index 8545ce1..4c43c1a 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
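Review bot: The ncftool block is inserted twice in modules-minimum.conf and twice again in modules-targeted.conf — the `+# Layer: admin` / `+# Module: ncftool` / `+ncftool = module` stanza appears back to back, so each of those files ends up with two `ncftool = module` lines, while modules-mls.conf receives the stanza once. Both hunks report 14 added lines against the 7 added to the mls file, which is how the duplication shows up in the headers. Keep a single copy per file so the three module configs stay parallel.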
@@ -486,12 +486,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.8.3/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2010-05-25 16:28:22.000000000 -0400
-+++ serefpolicy-3.8.3/policy/modules/admin/consoletype.te	2010-06-08 11:32:10.000000000 -0400
-@@ -85,6 +85,7 @@
++++ serefpolicy-3.8.3/policy/modules/admin/consoletype.te	2010-06-14 18:54:06.000000000 -0400
+@@ -85,6 +85,8 @@
  	hal_dontaudit_use_fds(consoletype_t)
  	hal_dontaudit_rw_pipes(consoletype_t)
  	hal_dontaudit_rw_dgram_sockets(consoletype_t)
 +	hal_dontaudit_write_log(consoletype_t)
++	hal_dontaudit_read_pid_files(consoletype_t)
  ')
  
  optional_policy(`
@@ -592,6 +593,173 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te netutils_domtrans_ping(mrtg_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.fc serefpolicy-3.8.3/policy/modules/admin/ncftool.fc +--- nsaserefpolicy/policy/modules/admin/ncftool.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.8.3/policy/modules/admin/ncftool.fc 2010-06-15 14:59:28.000000000 -0400 +@@ -0,0 +1,2 @@ ++ ++/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.if serefpolicy-3.8.3/policy/modules/admin/ncftool.if +--- nsaserefpolicy/policy/modules/admin/ncftool.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.8.3/policy/modules/admin/ncftool.if 2010-06-15 15:00:09.000000000 -0400 +@@ -0,0 +1,74 @@ ++ ++## policy for ncftool ++ ++######################################## ++## ++## Execute a domain transition to run ncftool. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ncftool_domtrans',` ++ gen_require(` ++ type ncftool_t, ncftool_exec_t; ++ ') ++ ++ domtrans_pattern($1, ncftool_exec_t, ncftool_t) ++') ++ ++######################################## ++## ++## Execute ncftool in the ncftool domain, and ++## allow the specified role the ncftool domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the ncftool domain. 
++## ++## ++# ++interface(`ncftool_run',` ++ gen_require(` ++ type ncftool_t; ++ ') ++ ++ ncftool_domtrans($1) ++ role $2 types ncftool_t; ++') ++ ++######################################## ++## ++## Role access for ncftool ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`ncftool_role',` ++ gen_require(` ++ type ncftool_t; ++ ') ++ ++ role $1 types ncftool_t; ++ ++ ncftool_domtrans($2) ++ ++ ps_process_pattern($2, ncftool_t) ++ allow $2 ncftool_t:process signal; ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.8.3/policy/modules/admin/ncftool.te +--- nsaserefpolicy/policy/modules/admin/ncftool.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.8.3/policy/modules/admin/ncftool.te 2010-06-15 15:02:33.000000000 -0400 +@@ -0,0 +1,79 @@ ++ ++policy_module(ncftool, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ncftool_t; ++type ncftool_exec_t; ++application_domain(ncftool_t, ncftool_exec_t) ++domain_obj_id_change_exemption(ncftool_t) ++domain_system_change_exemption(ncftool_t) ++role system_r types ncftool_t; ++ ++permissive ncftool_t; ++ ++######################################## ++# ++# ncftool local policy ++# ++ ++allow ncftool_t self:capability { net_admin sys_ptrace }; ++ ++allow ncftool_t self:process signal; ++ ++allow ncftool_t self:fifo_file manage_fifo_file_perms; ++allow ncftool_t self:unix_stream_socket create_stream_socket_perms; ++ ++allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; ++allow ncftool_t self:tcp_socket create_stream_socket_perms; ++ ++kernel_read_kernel_sysctls(ncftool_t) ++kernel_read_modprobe_sysctls(ncftool_t) ++kernel_read_network_state(ncftool_t) ++kernel_read_system_state(ncftool_t) ++kernel_request_load_module(ncftool_t) ++kernel_rw_net_sysctls(ncftool_t) ++ ++corecmd_exec_bin(ncftool_t) ++corecmd_exec_shell(ncftool_t) ++ 
++domain_read_all_domains_state(ncftool_t) ++ ++dev_read_sysfs(ncftool_t) ++ ++files_read_etc_files(ncftool_t) ++files_read_etc_runtime_files(ncftool_t) ++files_read_usr_files(ncftool_t) ++ ++term_use_all_terms(ncftool_t) ++ ++miscfiles_read_localization(ncftool_t) ++ ++modutils_read_module_config(ncftool_t) ++modutils_domtrans_insmod(ncftool_t) ++ ++sysnet_delete_dhcpc_pid(ncftool_t) ++sysnet_domtrans_dhcpc(ncftool_t) ++sysnet_domtrans_ifconfig(ncftool_t) ++sysnet_etc_filetrans_config(ncftool_t) ++sysnet_manage_config(ncftool_t) ++sysnet_read_dhcpc_state(ncftool_t) ++sysnet_relabelfrom_net_conf(ncftool_t) ++sysnet_relabelto_net_conf(ncftool_t) ++ ++userdom_read_user_tmp_files(ncftool_t) ++ ++optional_policy(` ++ brctl_domtrans(ncftool_t) ++') ++ ++optional_policy(` ++ consoletype_exec(ncftool_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(ncftool_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.8.3/policy/modules/admin/netutils.fc --- nsaserefpolicy/policy/modules/admin/netutils.fc 2010-05-25 16:28:22.000000000 -0400 +++ serefpolicy-3.8.3/policy/modules/admin/netutils.fc 2010-06-08 11:32:10.000000000 -0400 
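Review bot: `permissive ncftool_t;` in the declarations of the new ncftool.te makes every rule that follows advisory only — the `net_admin`/`sys_ptrace` capabilities, `domain_read_all_domains_state`, `kernel_request_load_module` and `modutils_domtrans_insmod` are logged rather than enforced, and the `ncftool_run` calls added for sysadm_t and unconfined_t later in this patch transition those roles into that permissive domain. If this is the intended bring-up state, mark it so it is not forgotten, e.g. `# TODO: drop permissive once ncftool has been exercised under enforcing`. A why-comment on `allow ncftool_t self:capability { net_admin sys_ptrace };` saying what ncftool does that needs `sys_ptrace` (presumably reading other processes' state under /proc alongside `domain_read_all_domains_state` — to confirm) would let a later reviewer decide whether it can be narrowed. The interface summaries in ncftool.if lost their XML markup in this rendering, so their wording could not be checked.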
@@ -6640,8 +6808,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.8.3/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-06-08 10:35:48.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/kernel/corecommands.fc 2010-06-08 11:32:10.000000000 -0400 -@@ -145,6 +145,10 @@ ++++ serefpolicy-3.8.3/policy/modules/kernel/corecommands.fc 2010-06-16 11:44:23.000000000 -0400 +@@ -101,6 +101,9 @@ + /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) + /etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/etc/pki/tls/certs/make-dummy-cert -- gen_context(system_u:object_r:bin_t,s0) ++/etc/pki/tls/misc(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++ + /etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + /etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0) + /etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -145,6 +148,10 @@ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6652,7 +6830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ifdef(`distro_gentoo',` /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -228,6 +232,8 @@ +@@ -228,6 +235,8 @@ /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) 
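Review bot: The new corecommands.fc line `/etc/pki/tls/misc(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` combines a recursive pattern with the `--` regular-file qualifier, unlike the neighbouring recursive entries such as `/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)` that carry no qualifier. As written only regular files under misc/ become bin_t and the directory itself keeps whatever label the broader /etc/pki entry assigns it; if that split is intended, a short comment saying so would help, otherwise drop `--` to match the adjacent entries. Labeling these helper scripts bin_t also makes them executable by every domain granted `corecmd_exec_bin`, which appears to be the goal here but is worth stating next to the entries.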
@@ -6661,10 +6839,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -340,3 +346,21 @@ +@@ -340,3 +349,22 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') ++/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) +/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -7238,7 +7417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +dontaudit can_change_object_identity can_change_object_identity:key link; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.8.3/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/kernel/files.fc 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/kernel/files.fc 2010-06-16 13:20:15.000000000 -0400 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -7292,7 +7471,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) HOME_ROOT/lost\+found/.* <> -@@ -170,12 +179,6 @@ +@@ -157,6 +166,10 @@ + /proc -d <> + /proc/.* <> + ++ifdef(`distro_redhat',` ++/rhev -d gen_context(system_u:object_r:mnt_t,s0) ++') ++ + # + # /selinux + # +@@ -170,12 +183,6 @@ /srv/.* gen_context(system_u:object_r:var_t,s0) # 
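Review bot: `/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)` in corecommands.fc labels a tree under /var/lib — a location refpolicy otherwise treats as daemon state — as executable bin_t, and nothing explains the exception. A one-line comment such as `# asterisk AGI scripts are installed executables, not daemon state` would make it self-documenting. If asterisk_t can create files in that directory under its var_lib type, the resulting label of newly created scripts should be checked against the asterisk.te change, whose content is not shown in this chunk.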
@@ -7305,7 +7495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # /tmp # /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -@@ -205,15 +208,19 @@ +@@ -205,15 +212,19 @@ /usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /usr/local/lost\+found/.* <> @@ -7325,7 +7515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /usr/tmp/.* <> -@@ -229,6 +236,8 @@ +@@ -229,6 +240,8 @@ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -7334,7 +7524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -@@ -254,3 +263,5 @@ +@@ -254,3 +267,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') @@ -8231,7 +8421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.3/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-06-08 10:35:48.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/kernel/filesystem.if 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/kernel/filesystem.if 2010-06-16 13:24:53.000000000 -0400 @@ -1207,7 +1207,7 @@ type cifs_t; ') 
@@ -9018,7 +9208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.3/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500 -+++ serefpolicy-3.8.3/policy/modules/roles/sysadm.te 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/roles/sysadm.te 2010-06-14 18:23:23.000000000 -0400 @@ -28,17 +28,29 @@ corecmd_exec_shell(sysadm_t) @@ -9215,7 +9405,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mta_role(sysadm_r, sysadm_t) -@@ -308,8 +353,14 @@ +@@ -275,6 +320,10 @@ + ') + + optional_policy(` ++ ncftool_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + netutils_run(sysadm_t, sysadm_r) + netutils_run_ping(sysadm_t, sysadm_r) + netutils_run_traceroute(sysadm_t, sysadm_r) +@@ -308,8 +357,14 @@ ') optional_policy(` @@ -9230,7 +9431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` quota_run(sysadm_t, sysadm_r) -@@ -319,9 +370,11 @@ +@@ -319,9 +374,11 @@ raid_domtrans_mdadm(sysadm_t) ') @@ -9242,7 +9443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rpc_domtrans_nfsd(sysadm_t) -@@ -331,9 +384,11 @@ +@@ -331,9 +388,11 @@ rpm_run(sysadm_t, sysadm_r) ') @@ -9254,7 +9455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rsync_exec(sysadm_t) -@@ -358,8 +413,14 @@ +@@ -358,8 +417,14 @@ ') optional_policy(` @@ -9269,7 +9470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) -@@ -382,9 +443,11 @@ +@@ -382,9 +447,11 @@ sysnet_run_dhcpc(sysadm_t, sysadm_r) ') 
@@ -9281,7 +9482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) -@@ -393,17 +456,21 @@ +@@ -393,17 +460,21 @@ tripwire_run_twprint(sysadm_t, sysadm_r) ') @@ -9303,7 +9504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` unconfined_domtrans(sysadm_t) -@@ -417,9 +484,11 @@ +@@ -417,9 +488,11 @@ usbmodules_run(sysadm_t, sysadm_r) ') @@ -9315,7 +9516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) -@@ -427,9 +496,15 @@ +@@ -427,9 +500,15 @@ usermanage_run_useradd(sysadm_t, sysadm_r) ') @@ -9331,7 +9532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` vpn_run(sysadm_t, sysadm_r) -@@ -440,13 +515,30 @@ +@@ -440,13 +519,30 @@ ') optional_policy(` @@ -10047,8 +10248,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.3/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.3/policy/modules/roles/unconfineduser.te 2010-06-08 11:32:10.000000000 -0400 -@@ -0,0 +1,439 @@ ++++ serefpolicy-3.8.3/policy/modules/roles/unconfineduser.te 2010-06-14 18:23:51.000000000 -0400 +@@ -0,0 +1,443 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -10365,6 +10566,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') + +optional_policy(` ++ ncftool_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) +') + 
@@ -10773,7 +10978,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.3/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/services/abrt.te 2010-06-09 15:57:41.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/services/abrt.te 2010-06-14 18:29:51.000000000 -0400 +@@ -51,7 +51,7 @@ + + allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; + dontaudit abrt_t self:capability sys_rawio; +-allow abrt_t self:process { signal signull setsched getsched }; ++allow abrt_t self:process { sigkill signal signull setsched getsched }; + + allow abrt_t self:fifo_file rw_fifo_file_perms; + allow abrt_t self:tcp_socket create_stream_socket_perms; @@ -70,16 +70,19 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) @@ -11189,7 +11403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.3/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/services/apache.if 2010-06-09 16:00:04.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/services/apache.if 2010-06-15 16:54:36.000000000 -0400 @@ -13,17 +13,13 @@ # template(`apache_content_template',` 
@@ -12133,7 +12347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw fs_getattr_all_fs(arpwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.8.3/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/services/asterisk.te 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/services/asterisk.te 2010-06-16 13:34:52.000000000 -0400 @@ -100,6 +100,7 @@ corenet_tcp_bind_generic_node(asterisk_t) corenet_udp_bind_generic_node(asterisk_t) @@ -13388,7 +13602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.8.3/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/services/corosync.te 2010-06-11 11:31:01.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/services/corosync.te 2010-06-16 10:50:34.000000000 -0400 @@ -33,8 +33,8 @@ # corosync local policy # @@ -13436,7 +13650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro userdom_rw_user_tmpfs_files(corosync_t) optional_policy(` -@@ -91,12 +97,12 @@ +@@ -91,12 +97,13 @@ ') optional_policy(` @@ -13451,6 +13665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +optional_policy(` + # to communication with RHCS + rhcs_rw_cluster_shm(corosync_t) ++ rhcs_rw_cluster_semaphores(corosync_t) ') optional_policy(` 
@@ -16065,8 +16280,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.8.3/policy/modules/services/mock.te --- nsaserefpolicy/policy/modules/services/mock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.3/policy/modules/services/mock.te 2010-06-09 17:44:30.000000000 -0400 -@@ -0,0 +1,94 @@ ++++ serefpolicy-3.8.3/policy/modules/services/mock.te 2010-06-16 11:45:16.000000000 -0400 +@@ -0,0 +1,93 @@ +policy_module(mock,1.0.0) + +######################################## @@ -16132,7 +16347,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock + +dev_read_urand(mock_t) + -+domain_poly(mock_t) +domain_read_all_domains_state(mock_t) +domain_use_interactive_fds(mock_t) + @@ -16602,7 +16816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.3/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/services/mta.if 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/services/mta.if 2010-06-14 19:03:36.000000000 -0400 @@ -220,6 +220,25 @@ application_executable_file($1) ') 
@@ -16629,15 +16843,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ######################################## ## ## Make the specified type by a system MTA. -@@ -335,6 +354,7 @@ - # apache should set close-on-exec - apache_dontaudit_rw_stream_sockets($1) - apache_dontaudit_rw_sys_script_stream_sockets($1) -+ apache_append_log($1) +@@ -330,12 +349,6 @@ ') + + typeattribute $1 mta_user_agent; +- +- optional_policy(` +- # apache should set close-on-exec +- apache_dontaudit_rw_stream_sockets($1) +- apache_dontaudit_rw_sys_script_stream_sockets($1) +- ') ') -@@ -362,6 +382,10 @@ + ######################################## +@@ -362,6 +375,10 @@ allow mta_user_agent $1:fd use; allow mta_user_agent $1:process sigchld; allow mta_user_agent $1:fifo_file rw_fifo_file_perms; @@ -16648,7 +16867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -474,7 +498,8 @@ +@@ -474,7 +491,8 @@ type etc_mail_t; ') @@ -16658,7 +16877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -698,7 +723,7 @@ +@@ -698,7 +716,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -16669,7 +16888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.3/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/services/mta.te 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/services/mta.te 2010-06-14 19:01:55.000000000 -0400 @@ -71,10 +71,10 @@ dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) 
@@ -16693,15 +16912,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -93,6 +96,7 @@ +@@ -93,6 +96,12 @@ apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) + apache_dontaudit_write_tmp_files(system_mail_t) ++ ++ # apache should set close-on-exec ++ apache_dontaudit_rw_stream_sockets(mta_user_agent) ++ apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent) ++ apache_append_log(mta_user_agent) ') optional_policy(` -@@ -104,6 +108,11 @@ +@@ -104,6 +113,11 @@ ') optional_policy(` @@ -16713,7 +16937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -131,6 +140,7 @@ +@@ -131,6 +145,7 @@ optional_policy(` fail2ban_append_log(system_mail_t) @@ -16721,7 +16945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -147,6 +157,10 @@ +@@ -147,6 +162,10 @@ ') optional_policy(` @@ -16732,7 +16956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. nagios_read_tmp_files(system_mail_t) ') -@@ -190,6 +204,10 @@ +@@ -190,6 +209,10 @@ ') optional_policy(` @@ -16743,7 +16967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') -@@ -221,6 +239,7 @@ +@@ -221,6 +244,7 @@ create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) 
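Review bot: The new lines `apache_dontaudit_rw_stream_sockets(mta_user_agent)`, `apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)` and `apache_append_log(mta_user_agent)` in mta.te apply attribute-wide what the `mta_mailserver_user_agent` interface used to grant per caller (the block removed in the mta.if hunk on the previous line), but nothing in mta.te records that move. A comment above them, e.g. `# apache rules for every MTA user agent; formerly granted per caller in mta_mailserver_user_agent()`, would stop the next reader from re-adding them to the interface. Note that `apache_append_log` is an allow rather than a dontaudit, so every domain tagged mta_user_agent — including postfix_postqueue_t, newly tagged later in this patch — gains append on apache logs; if only some agents need that, it belongs with the caller.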
@@ -18534,7 +18758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.8.3/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/services/postfix.te 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/services/postfix.te 2010-06-14 19:02:47.000000000 -0400 @@ -6,6 +6,15 @@ # Declarations # @@ -18586,7 +18810,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post postfix_server_domain_template(pickup) postfix_server_domain_template(pipe) -@@ -66,13 +87,13 @@ +@@ -50,6 +71,7 @@ + mta_mailserver_user_agent(postfix_postdrop_t) + + postfix_user_domain_template(postqueue) ++mta_mailserver_user_agent(postfix_postqueue_t) + + type postfix_private_t; + files_type(postfix_private_t) +@@ -66,13 +88,13 @@ postfix_server_domain_template(smtpd) @@ -18603,7 +18835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_type(postfix_spool_flush_t) type postfix_public_t; -@@ -151,6 +172,9 @@ +@@ -151,6 +173,9 @@ corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -18613,7 +18845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -168,6 +192,8 @@ +@@ -168,6 +193,8 @@ domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) @@ -18622,7 +18854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post term_dontaudit_search_ptys(postfix_master_t) -@@ -305,6 +331,10 @@ +@@ -305,6 +332,10 @@ ') optional_policy(` 
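Review bot: `mta_mailserver_user_agent(postfix_postqueue_t)` tags postqueue as an MTA user agent without saying why, and with the attribute-wide apache rules this patch adds to mta.te the tag now brings the apache log append and socket dontaudits along with it. A one-line comment above it recording the reason (presumably so user domains can run postqueue the way they run postdrop — to confirm) would document the intent; the comparable `mta_mailserver_user_agent(postfix_postdrop_t)` two lines above is likewise uncommented. The remaining hunks on this line are line-number shifts with no new content shown.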
@@ -18633,7 +18865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_local_t) ') -@@ -421,6 +451,7 @@ +@@ -421,6 +452,7 @@ optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -18641,7 +18873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -589,6 +620,11 @@ +@@ -589,6 +621,11 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -18653,7 +18885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_smtpd_t) optional_policy(` -@@ -631,3 +667,8 @@ +@@ -631,3 +668,8 @@ # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) 
@@ -18743,6 +18975,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc pyzor_domtrans(procmail_t) pyzor_signal(procmail_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.8.3/policy/modules/services/psad.if +--- nsaserefpolicy/policy/modules/services/psad.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/services/psad.if 2010-06-16 13:11:38.000000000 -0400 +@@ -176,6 +176,26 @@ + + ######################################## + ## ++## Allow the specified domain to write to psad's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`psad_write_log',` ++ gen_require(` ++ type psad_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ write_files_pattern($1, psad_var_log_t, psad_var_log_t) ++') ++ ++######################################## ++## + ## Read and write psad fifo files. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.8.3/policy/modules/services/psad.te --- nsaserefpolicy/policy/modules/services/psad.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.8.3/policy/modules/services/psad.te 2010-06-08 11:32:10.000000000 -0400 @@ -19475,7 +19737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.8.3/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/services/rhcs.if 2010-06-11 11:30:32.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/services/rhcs.if 2010-06-16 10:51:03.000000000 -0400 @@ -14,6 +14,7 @@ template(`rhcs_domain_template',` gen_require(` 
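Review bot: `write_files_pattern($1, psad_var_log_t, psad_var_log_t)` in the new `psad_write_log` interface grants full write (overwrite of existing content) on psad's logs, whereas refpolicy normally exposes log access as append-only. Unless the caller in psad.te, whose content is not shown here, really needs to rewrite log files, `append_files_pattern($1, psad_var_log_t, psad_var_log_t)` with the interface named `psad_append_log` is the least-privilege form and matches the other `*_append_log` interfaces this patch uses (`apache_append_log`, `fail2ban_append_log`, `clamav_append_log`). The interface summary lost its XML markup in this rendering, so its wording could not be checked.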
@@ -19493,7 +19755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs files_tmpfs_file($1_tmpfs_t) type $1_var_log_t; -@@ -335,6 +336,28 @@ +@@ -335,6 +336,46 @@ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) ') @@ -19519,10 +19781,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) +') + ++#################################### ++## ++## Read and write access to cluster domains semaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_rw_cluster_semaphores',` ++ gen_require(` ++ type cluster_domain; ++ ') ++ ++ allow $1 cluster_domain:sem { rw_sem_perms destroy }; ++') ++ ###################################### ## ## Execute a domain transition to run qdiskd. -@@ -353,3 +376,21 @@ +@@ -353,3 +394,21 @@ corecmd_search_bin($1) domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) ') @@ -21991,7 +22271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.8.3/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/services/w3c.te 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/services/w3c.te 2010-06-15 16:55:19.000000000 -0400 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) 
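Review bot: `allow $1 cluster_domain:sem { rw_sem_perms destroy };` in the new `rhcs_rw_cluster_semaphores` interface grants `destroy` although the name and summary promise read/write only, so the caller (corosync_t, via the corosync.te hunk earlier in this patch) can tear down semaphores belonging to every cluster domain. Either drop `destroy`, or keep it and record the reason in a comment above the rule and pick a name that reflects it. The summary also speaks of "cluster domains", which reads like an attribute; if `cluster_domain` is declared as one, the require should be `attribute cluster_domain;` rather than `type cluster_domain;`. The parameter docs lost their markup in this rendering.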
@@ -22011,6 +22291,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) +@@ -23,3 +30,5 @@ + miscfiles_read_certs(httpd_w3c_validator_script_t) + + sysnet_dns_name_resolve(httpd_w3c_validator_script_t) ++ ++apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.8.3/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.8.3/policy/modules/services/xserver.fc 2010-06-08 11:32:10.000000000 -0400 @@ -22737,7 +23023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.3/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/services/xserver.te 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/services/xserver.te 2010-06-16 13:35:02.000000000 -0400 @@ -36,6 +36,13 @@ ## @@ -23127,7 +23413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,15 +505,21 @@ +@@ -371,15 +505,22 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
@@ -23146,11 +23432,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_kernel_sysctls(xdm_t) kernel_read_net_sysctls(xdm_t) kernel_read_network_state(xdm_t) ++kernel_request_load_module(xdm_t) +kernel_stream_connect(xdm_t) corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) -@@ -394,11 +534,14 @@ +@@ -394,11 +535,14 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -23165,7 +23452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +549,7 @@ +@@ -406,6 +550,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -23173,7 +23460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +558,22 @@ +@@ -414,18 +559,22 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -23199,7 +23486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +584,17 @@ +@@ -436,9 +585,17 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -23217,7 +23504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,14 +603,19 @@ +@@ -447,14 +604,19 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
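Review bot: `kernel_request_load_module(xdm_t)` is added with no comment saying what the display manager triggers module autoloading for, and this permission lets a domain make the kernel run modprobe for arbitrary aliases (unused socket families, device majors), which is how unneeded and sometimes buggy modules historically ended up loaded. A one-line justification above it, along the lines of `# xdm opens on-demand device nodes; autoload needed for <driver> — see avc`, would let the next reviewer judge whether it should stay; if the denial came from a single device or protocol, a targeted dontaudit may be the safer fix. The xdm_t rule block continues on both sides of this hunk.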
@@ -23237,7 +23524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +626,12 @@ +@@ -465,10 +627,12 @@ logging_read_generic_logs(xdm_t) @@ -23252,7 +23539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +640,11 @@ +@@ -477,6 +641,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23264,7 +23551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -508,11 +676,17 @@ +@@ -508,11 +677,17 @@ ') optional_policy(` @@ -23282,7 +23569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +694,50 @@ +@@ -520,12 +695,50 @@ ') optional_policy(` @@ -23333,7 +23620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,20 +755,59 @@ +@@ -543,20 +756,59 @@ ') optional_policy(` @@ -23395,7 +23682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +816,6 @@ +@@ -565,7 +817,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -23403,7 +23690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +826,10 @@ +@@ -576,6 +827,10 @@ ') optional_policy(` @@ -23414,7 +23701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +854,9 @@ +@@ -600,10 +855,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -23426,7 +23713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +868,18 @@ +@@ -615,6 +869,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23445,7 +23732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +899,19 @@ +@@ -634,12 +900,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -23467,7 +23754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +945,6 @@ +@@ -673,7 +946,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23475,7 +23762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +954,12 @@ +@@ -683,9 +955,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -23489,7 +23776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +974,13 @@ +@@ -700,8 +975,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -23503,7 +23790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +1002,14 @@ +@@ -723,11 +1003,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -23518,7 +23805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1061,28 @@ +@@ -779,12 +1062,28 @@ ') optional_policy(` @@ -23548,7 +23835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -808,10 +1106,10 @@ +@@ -808,10 +1107,10 @@ # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23561,7 +23848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1130,14 @@ +@@ -832,9 +1131,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23576,7 +23863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1152,14 @@ +@@ -849,11 +1153,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -23593,7 +23880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1305,33 @@ +@@ -999,3 +1306,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -24068,7 +24355,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.8.3/policy/modules/system/hotplug.te --- nsaserefpolicy/policy/modules/system/hotplug.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/system/hotplug.te 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/system/hotplug.te 2010-06-16 13:23:05.000000000 -0400 +@@ -24,7 +24,7 @@ + # + + allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; +-dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; ++dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; + # for access("/etc/bashrc", X_OK) on Red Hat + dontaudit hotplug_t self:capability { dac_override dac_read_search }; + allow hotplug_t self:process { setpgid getsession getattr signal_perms }; @@ -46,6 +46,7 @@ kernel_sigchld(hotplug_t) kernel_setpgid(hotplug_t) @@ -24092,7 +24388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.3/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-09 17:42:17.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-14 18:39:46.000000000 -0400 @@ -193,8 +193,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; 
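Review bot: Adding `sys_ptrace` to the hotplug_t self:capability dontaudit hides a capability check that fires for two very different reasons: reading another process's /proc state and an actual ptrace attach. If the silenced denial came from /proc scanning, the narrower `domain_dontaudit_read_all_domains_state(hotplug_t)` (the same call this commit's iscsi.te context uses) would quiet it without also hiding a real ptrace attempt, which is exactly the kind of event you want to keep in the audit trail. A comment naming the trigger, e.g. `# sys_ptrace: hotplug helpers walk /proc — not a real ptrace`, would settle it either way. The rest of the hotplug_t declarations lie outside the hunk.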
@@ -24185,7 +24481,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -682,6 +728,8 @@ +@@ -669,6 +715,8 @@ + type initctl_t; + ') + ++ corecmd_exec_bin($1) ++ + dev_list_all_dev_nodes($1) + allow $1 initctl_t:fifo_file rw_fifo_file_perms; + +@@ -682,6 +730,8 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; allow $1 init_t:unix_dgram_socket sendto; @@ -24194,7 +24499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -754,18 +802,19 @@ +@@ -754,18 +804,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -24218,7 +24523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -781,19 +830,41 @@ +@@ -781,23 +832,45 @@ # interface(`init_domtrans_script',` gen_require(` @@ -24241,11 +24546,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -24258,13 +24563,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## -@@ -849,8 +920,10 @@ ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -849,8 +922,10 @@ interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; 
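Review bot: `corecmd_exec_bin($1)` is inserted into an interface whose only other grants are initctl fifo access and the upstart dgram socket (the `gen_require` for `initctl_t` and the upstart comment suggest this is the telinit interface, but its header is outside the hunk), so every existing caller of that interface silently gains the right to execute every bin_t/sbin_t program. That is a large widening to hide inside a narrow-purpose interface; if one caller needs it to reach telinit through a shell, give that caller `corecmd_exec_bin` directly (this commit already does so for audisp_remote_t) or add `## Also allows executing bin_t programs, needed to run telinit.` to the interface's description so callers know what they are getting.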
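Review bot: The new file context `/usr/libexec/nm-openswan-service -- ipsec_mgmt_exec_t` only takes effect if the domain that spawns the helper (presumably NetworkManager) has a domain transition on `ipsec_mgmt_exec_t`; no such transition appears in this commit and ipsec.if is shown here only as unchanged context, so either it already exists elsewhere or the helper will keep running in its parent's domain. Since ipsec_mgmt_t is presumably the privileged IPsec management domain, this one line is what admits a VPN plugin into it; a comment such as `# NetworkManager VPN plugin; the parent domain needs a transition to ipsec_mgmt_t` next to the entry would make the dependency explicit and easy to verify.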
@@ -24275,7 +24584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1637,7 +1710,7 @@ +@@ -1637,7 +1712,7 @@ type initrc_var_run_t; ') @@ -24284,7 +24593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1712,3 +1785,56 @@ +@@ -1712,3 +1787,56 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -24785,6 +25094,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +optional_policy(` + fail2ban_read_lib_files(daemon) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.8.3/policy/modules/system/ipsec.fc +--- nsaserefpolicy/policy/modules/system/ipsec.fc 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/system/ipsec.fc 2010-06-16 13:06:56.000000000 -0400 +@@ -25,6 +25,7 @@ + /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + + /usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.8.3/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2010-03-18 06:48:09.000000000 -0400 +++ serefpolicy-3.8.3/policy/modules/system/ipsec.if 2010-06-09 16:06:08.000000000 -0400 
@@ -24903,8 +25223,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. +userdom_read_user_tmp_files(setkey_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.8.3/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2010-02-12 16:41:05.000000000 -0500 -+++ serefpolicy-3.8.3/policy/modules/system/iptables.fc 2010-06-08 11:32:10.000000000 -0400 -@@ -1,13 +1,18 @@ ++++ serefpolicy-3.8.3/policy/modules/system/iptables.fc 2010-06-14 18:22:08.000000000 -0400 +@@ -1,12 +1,14 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -24921,10 +25241,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -+ -+/usr/bin/ncftool -- gen_context(system_u:object_r:iptables_exec_t,s0) -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.8.3/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2009-12-04 09:43:33.000000000 -0500 +++ serefpolicy-3.8.3/policy/modules/system/iptables.if 2010-06-08 11:32:10.000000000 -0400 
@@ -24941,7 +25257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.8.3/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/system/iptables.te 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/system/iptables.te 2010-06-16 13:11:44.000000000 -0400 @@ -14,9 +14,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -25017,6 +25333,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') optional_policy(` +@@ -113,6 +122,7 @@ + + optional_policy(` + psad_rw_tmp_files(iptables_t) ++ psad_write_log(iptables_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.8.3/policy/modules/system/iscsi.if --- nsaserefpolicy/policy/modules/system/iscsi.if 2009-11-25 11:47:19.000000000 -0500 +++ serefpolicy-3.8.3/policy/modules/system/iscsi.if 2010-06-08 11:32:10.000000000 -0400 @@ -25056,7 +25380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. domain_dontaudit_read_all_domains_state(iscsid_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.8.3/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-03-23 11:19:40.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/system/libraries.fc 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/system/libraries.fc 2010-06-16 13:32:10.000000000 -0400 @@ -131,13 +131,13 @@ /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -25073,7 +25397,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -208,6 +208,7 @@ +@@ -151,6 +151,7 @@ + /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libzita-convolver\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -208,6 +209,7 @@ /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -25081,7 +25413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -247,6 +248,7 @@ +@@ -247,6 +249,7 @@ /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -25089,7 +25421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame -@@ -302,13 +304,8 @@ +@@ -302,13 +305,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -25105,7 +25437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -319,14 +316,148 @@ +@@ -319,14 +317,148 @@ /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -25516,7 +25848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_system_change_exemption($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.3/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/system/logging.te 2010-06-09 16:35:41.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/system/logging.te 2010-06-16 11:55:48.000000000 -0400 @@ -61,6 +61,7 @@ type syslogd_t; type syslogd_exec_t; @@ -25546,7 +25878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(audisp_t) -@@ -245,6 +252,10 @@ +@@ -245,14 +252,22 @@ optional_policy(` dbus_system_bus_client(audisp_t) 
@@ -25557,28 +25889,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -252,6 +263,7 @@ + # # Audit remote logger local policy # - +- ++allow audisp_remote_t self:capability { setuid setpcap }; +allow audisp_remote_t self:process { getcap setcap }; allow audisp_remote_t self:tcp_socket create_socket_perms; ++allow audisp_remote_t var_log_t:dir search_dir_perms; ++ ++corecmd_exec_bin(audisp_remote_t) corenet_all_recvfrom_unlabeled(audisp_remote_t) -@@ -268,8 +280,12 @@ + corenet_all_recvfrom_netlabel(audisp_remote_t) +@@ -267,9 +282,16 @@ + files_read_etc_files(audisp_remote_t) logging_send_syslog_msg(audisp_remote_t) - -+auth_use_nsswitch(audisp_remote_t) ++logging_send_audit_msgs(audisp_remote_t) + ++auth_use_nsswitch(audisp_remote_t) + miscfiles_read_localization(audisp_remote_t) +init_telinit(audisp_remote_t) ++init_read_utmp(audisp_remote_t) ++init_dontaudit_write_utmp(audisp_remote_t) + sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -373,8 +389,10 @@ +@@ -373,8 +395,10 @@ manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) files_search_var_lib(syslogd_t) @@ -25591,7 +25932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -@@ -492,6 +510,10 @@ +@@ -492,6 +516,10 @@ ') optional_policy(` 
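Review bot: `allow audisp_remote_t self:capability { setuid setpcap };` together with `corecmd_exec_bin(audisp_remote_t)` and `init_telinit(audisp_remote_t)` turns a daemon that talks TCP to a remote collector (`self:tcp_socket create_socket_perms` and `corenet_all_recvfrom_unlabeled` in the context) into one that can change uid, alter its capability set, run any binary and drive init, and nothing in the hunk records why. If these exist for the plugin's configured failure actions (halting or dropping to single user when the remote end is unreachable), say so above the grants, e.g. `# setuid/setpcap: audisp-remote drops privileges after startup — confirm` and `# init_telinit: the plugin's failure actions can halt the system`. Also confirm that `setuid` is really needed: a daemon that only drops privileges usually also needs `setgid`, which is absent, so the trigger may be something else. The audisp_remote_t block continues past this hunk.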
@@ -25724,6 +26065,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.8.3/policy/modules/system/modutils.if +--- nsaserefpolicy/policy/modules/system/modutils.if 2009-12-04 09:43:33.000000000 -0500 ++++ serefpolicy-3.8.3/policy/modules/system/modutils.if 2010-06-14 18:25:54.000000000 -0400 +@@ -39,6 +39,26 @@ + + ######################################## + ## ++## list the configuration options used when ++## loading modules. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`modutils_list_module_config',` ++ gen_require(` ++ type modules_conf_t; ++ ') ++ ++ list_dirs_pattern($1, modules_conf_t, modules_conf_t) ++') ++ ++######################################## ++## + ## Read the configuration options used when + ## loading modules. + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.8.3/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2010-05-25 16:28:22.000000000 -0400 +++ serefpolicy-3.8.3/policy/modules/system/modutils.te 2010-06-08 11:32:10.000000000 -0400 @@ -26025,7 +26396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.3/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/system/mount.te 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/system/mount.te 2010-06-16 13:27:43.000000000 -0400 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; 
@@ -26126,7 +26497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -80,15 +122,18 @@ +@@ -80,15 +122,19 @@ files_read_usr_files(mount_t) files_list_mnt(mount_t) @@ -26145,10 +26516,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. fs_read_tmpfs_symlinks(mount_t) +fs_read_fusefs_files(mount_t) +fs_manage_nfs_dirs(mount_t) ++fs_read_nfs_symlinks(mount_t) mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) -@@ -99,6 +144,7 @@ +@@ -99,6 +145,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -26156,7 +26528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. term_use_all_terms(mount_t) -@@ -107,6 +153,8 @@ +@@ -107,6 +154,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -26165,7 +26537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. logging_send_syslog_msg(mount_t) -@@ -117,6 +165,12 @@ +@@ -117,6 +166,12 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -26178,7 +26550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`distro_redhat',` optional_policy(` -@@ -132,10 +186,17 @@ +@@ -132,10 +187,17 @@ ') ') @@ -26196,7 +26568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -165,6 +226,8 @@ +@@ -165,6 +227,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -26205,7 +26577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -172,6 +235,25 @@ +@@ -172,6 +236,25 @@ ') optional_policy(` 
@@ -26231,7 +26603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +261,11 @@ +@@ -179,6 +262,11 @@ ') ') @@ -26243,7 +26615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +273,19 @@ +@@ -186,6 +274,19 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -26263,7 +26635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -194,6 +294,42 @@ +@@ -194,6 +295,42 @@ # optional_policy(` @@ -27447,7 +27819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.8.3/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/system/sysnetwork.if 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/system/sysnetwork.if 2010-06-15 15:03:31.000000000 -0400 @@ -60,25 +60,24 @@ netutils_run(dhcpc_t, $2) netutils_run_ping(dhcpc_t, $2) 
@@ -27533,7 +27905,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ####################################### ## ## Set the attributes of network config files. -@@ -403,11 +439,8 @@ +@@ -270,6 +306,44 @@ + + ####################################### + ## ++## Allow caller to relabel net_conf files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_relabelfrom_net_conf',` ++ ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ allow $1 net_conf_t:file relabelfrom; ++') ++ ++###################################### ++## ++## Allow caller to relabel net_conf files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_relabelto_net_conf',` ++ ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ allow $1 net_conf_t:file relabelto; ++') ++ ++####################################### ++## + ## Read network config files. + ## + ## +@@ -403,11 +477,8 @@ type net_conf_t; ') @@ -27547,7 +27964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ####################################### -@@ -464,6 +497,10 @@ +@@ -464,6 +535,10 @@ corecmd_search_bin($1) domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) @@ -27558,7 +27975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -534,6 +571,25 @@ +@@ -534,6 +609,25 @@ ######################################## ## @@ -27584,7 +28001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ## Read the DHCP configuration files. ## ## -@@ -677,7 +733,10 @@ +@@ -677,7 +771,10 @@ corenet_tcp_connect_ldap_port($1) corenet_sendrecv_ldap_client_packets($1) @@ -27596,7 +28013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -709,5 +768,52 @@ +@@ -709,5 +806,52 @@ corenet_tcp_connect_portmap_port($1) corenet_sendrecv_portmap_client_packets($1) 
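Review bot: `sysnet_relabelfrom_net_conf` and `sysnet_relabelto_net_conf` carry the identical summary `Allow caller to relabel net_conf files`, which hides the asymmetry that matters for review: relabelfrom lets a caller strip the net_conf_t label off network configuration so other domains lose access to it, while relabelto lets it turn any file it controls into net_conf_t, which every domain that reads network config will then trust. Suggest `## Relabel files away from the net_conf_t type.` and `## Relabel files to the net_conf_t type (the caller can make arbitrary files appear as network configuration).` respectively, and if every consumer needs both directions, a single paired interface would keep the grant from being handed out half at a time.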
@@ -27652,7 +28069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.8.3/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.3/policy/modules/system/sysnetwork.te 2010-06-08 11:32:10.000000000 -0400 ++++ serefpolicy-3.8.3/policy/modules/system/sysnetwork.te 2010-06-14 18:53:49.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -27699,15 +28116,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet init_dbus_chat_script(dhcpc_t) dbus_system_bus_client(dhcpc_t) -@@ -172,6 +183,7 @@ +@@ -172,6 +183,8 @@ optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) ++ hal_dontaudit_read_pid_files(dhcpc_t) + hal_dontaudit_write_log(dhcpc_t) ') optional_policy(` -@@ -193,6 +205,12 @@ +@@ -193,6 +206,12 @@ ') optional_policy(` @@ -27720,7 +28138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet nis_read_ypbind_pid(dhcpc_t) ') -@@ -214,6 +232,7 @@ +@@ -214,6 +233,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -27728,7 +28146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -277,8 +296,11 @@ +@@ -277,8 +297,11 @@ domain_use_interactive_fds(ifconfig_t) @@ -27740,7 +28158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -306,6 +328,8 @@ +@@ -306,6 +329,8 @@ seutil_use_runinit_fds(ifconfig_t) 
@@ -27749,7 +28167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -328,6 +352,8 @@ +@@ -328,6 +353,8 @@ optional_policy(` hal_dontaudit_rw_pipes(ifconfig_t) hal_dontaudit_rw_dgram_sockets(ifconfig_t)