From 6c91189762d1e1db1377afecceca119eeb567200 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Nov 15 2007 16:54:18 +0000
Subject: trunk: 8 patches from dan.
---
diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index 8a83908..6fdd7ae 100644
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -1,5 +1,5 @@
-policy_module(vbetool,1.2.0)
+policy_module(vbetool,1.2.1)
 ########################################
 #
@@ -33,4 +33,5 @@ miscfiles_read_localization(vbetool_t)
 optional_policy(`
 hal_rw_pid_files(vbetool_t)
 hal_write_log(vbetool_t)
+ hal_dontaudit_append_lib_files(vbetool_t)
 ')
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 888d0c5..9709025 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -1,5 +1,5 @@
-policy_module(asterisk,1.3.1)
+policy_module(asterisk,1.3.2)
 ########################################
 #
@@ -98,6 +98,7 @@ corenet_sendrecv_asterisk_server_packets(asterisk_t)
 # for VOIP voice channels.
 corenet_tcp_bind_generic_port(asterisk_t)
 corenet_udp_bind_generic_port(asterisk_t)
+corenet_dontaudit_udp_bind_all_ports(asterisk_t)
 corenet_sendrecv_generic_server_packets(asterisk_t)
 dev_read_sysfs(asterisk_t)
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
index d9762bf..5387955 100644
--- a/policy/modules/services/cpucontrol.te
+++ b/policy/modules/services/cpucontrol.te
@@ -1,5 +1,5 @@
-policy_module(cpucontrol,1.2.1)
+policy_module(cpucontrol,1.2.2)
 ########################################
 #
@@ -63,6 +63,10 @@ optional_policy(`
 ')
 optional_policy(`
+ rhgb_use_ptys(cpucontrol_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(cpucontrol_t)
 ')
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 099c435..9405d17 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
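Review bot: `corenet_dontaudit_udp_bind_all_ports(asterisk_t)` in the asterisk.te hunk silences, as its name suggests, the denial for a UDP bind to any port type, including the reserved and service-specific types that the two `*_bind_generic_port` lines above it deliberately leave ungranted, so a bind that should fail will now fail without leaving an audit record. The only nearby explanation is `# for VOIP voice channels.`, which covers the generic-port grants but not why the dontaudit has to be this wide; if RTP choosing ports at random is the reason, say so: `# RTP picks UDP ports at random; silence bind denials for port types not granted above`. The portmap.te hunk later in this commit adds the same interface and would benefit from the same comment.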
@@ -1,5 +1,5 @@
-policy_module(cvs,1.5.0)
+policy_module(cvs,1.5.1)
 ########################################
 #
@@ -16,6 +16,7 @@ gen_tunable(allow_cvs_read_shadow,false)
 type cvs_t;
 type cvs_exec_t;
 inetd_tcp_service_domain(cvs_t,cvs_exec_t)
+application_executable_file(cvs_exec_t)
 role system_r types cvs_t;
 type cvs_data_t; # customizable
@@ -81,6 +82,7 @@ libs_use_ld_so(cvs_t)
 libs_use_shared_libs(cvs_t)
 logging_send_syslog_msg(cvs_t)
+logging_send_audit_msgs(cvs_t)
 miscfiles_read_localization(cvs_t)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index e56328d..c85f4ef 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
-policy_module(fetchmail,1.4.1)
+policy_module(fetchmail,1.4.2)
 ########################################
 #
@@ -86,6 +86,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
 userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
 optional_policy(`
+ procmail_domtrans(fetchmail_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(fetchmail_t)
 ')
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 80e2098..19848bb 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -61,3 +61,22 @@ interface(`munin_search_lib',`
 allow $1 munin_var_lib_t:dir search_dir_perms;
 files_search_var_lib($1)
 ')
+ ####################################### ## ## Do not audit attempts to search ## munin library directories. ## ## ## ## Domain allowed access. ## ## # interface(`munin_dontaudit_search_lib',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ dontaudit $1 munin_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index c6bb997..713e9df 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
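Review bot: `logging_send_audit_msgs(cvs_t)` in the cvs.te hunk at line 82 lets an inetd-facing network service write its own records into the audit trail, and nothing in the hunk says why a CVS server needs that. If the records come from PAM during pserver authentication, which the `allow_cvs_read_shadow` tunable in the earlier hunk makes plausible, a comment on the new line would make the grant reviewable: `# PAM emits audit records during pserver authentication`. If no audit record is actually expected from cvs_t, the matching dontaudit interface would keep audit write access out of a network-exposed domain while still quieting the denial.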
@@ -1,5 +1,5 @@
-policy_module(munin,1.3.1)
+policy_module(munin,1.3.2)
 ########################################
 #
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index 01c76d5..6f0d50a 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -1,5 +1,5 @@
-policy_module(portmap,1.5.1)
+policy_module(portmap,1.5.2)
 ########################################
 #
@@ -66,7 +66,7 @@ corenet_udp_bind_generic_port(portmap_t)
 corenet_tcp_bind_reserved_port(portmap_t)
 corenet_udp_bind_reserved_port(portmap_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)
+corenet_dontaudit_udp_bind_all_ports(portmap_t)
 dev_read_sysfs(portmap_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index afe1f3a..b4cb86d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev,1.8.1)
+policy_module(udev,1.8.2)
 ########################################
 #
@@ -132,6 +132,7 @@ auth_use_nsswitch(udev_t)
 init_read_utmp(udev_t)
 init_dontaudit_write_utmp(udev_t)
+init_getattr_initctl(udev_t)
 libs_use_ld_so(udev_t)
 libs_use_shared_libs(udev_t)
@@ -184,6 +185,11 @@ ifdef(`distro_redhat',`
 ')
 optional_policy(`
+ alsa_domtrans(udev_t)
+ alsa_read_rw_config(udev_t)
+')
+
+optional_policy(`
 brctl_domtrans(udev_t)
 ')
@@ -220,6 +226,10 @@ optional_policy(`
 ')
 optional_policy(`
+ raid_domtrans_mdadm(udev_t)
+')
+
+optional_policy(`
 kernel_write_xen_state(udev_t)
 kernel_read_xen_state(udev_t)
 xen_manage_log(udev_t)
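Review bot: The portmap.te hunk widens only the UDP side, replacing `corenet_dontaudit_udp_bind_all_reserved_ports(portmap_t)` with `corenet_dontaudit_udp_bind_all_ports(portmap_t)` while the TCP line just above keeps the reserved-only form, and nothing records why the two sockets now differ. The denials this hides are the ones that would reveal portmap binding a port type it was never granted, so a comment naming the trigger, e.g. `# portmap also tries UDP ports outside the reserved range; keep the TCP rule narrow`, is worth the line. If the behaviour is in fact symmetric, the TCP line probably wants the same change in this commit rather than a later one.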