From 6f934680a8c1bcfe14cf96a9e4557dffd1951c39 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Oct 07 2010 18:55:49 +0000 Subject: - Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr - Update to upstream --- diff --git a/policy-F14.patch b/policy-F14.patch index 7ac41af..a01e1ac 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -1,8 +1,8 @@ diff --git a/Makefile b/Makefile -index f802d3b..b8804f7 100644 +index 376acee..c5bb5f8 100644 --- a/Makefile +++ b/Makefile -@@ -244,7 +244,7 @@ seusers := $(appconf)/seusers +@@ -248,7 +248,7 @@ seusers := $(appconf)/seusers appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) @@ -246,7 +246,7 @@ index af90ef2..9fef0f8 100644 # MCS policy for SELinux-enabled databases # diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if -index 69aa742..20d51d0 100644 +index 90d5203..1392679 100644 --- a/policy/modules/admin/alsa.if +++ b/policy/modules/admin/alsa.if @@ -21,6 +21,32 @@ interface(`alsa_domtrans',` @@ -304,11 +304,11 @@ index f76ed8a..9a9526a 100644 optional_policy(` diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if -index 5b43db5..fdb453c 100644 +index 2c2cdb6..b95a47f 100644 --- a/policy/modules/admin/brctl.if +++ b/policy/modules/admin/brctl.if -@@ -17,3 +17,22 @@ interface(`brctl_domtrans',` - +@@ -18,3 +18,22 @@ interface(`brctl_domtrans',` + corecmd_search_bin($1) domtrans_pattern($1, brctl_exec_t, brctl_t) ') + @@ -344,10 +344,10 @@ index a2e9cb5..cec5c56 100644 optional_policy(` apache_exec_modules(certwatch_t) diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te -index 2b12a37..a370656 100644 +index a768511..c07eff8 100644 --- a/policy/modules/admin/consoletype.te 
+++ b/policy/modules/admin/consoletype.te -@@ -81,10 +81,7 @@ optional_policy(` +@@ -82,10 +82,7 @@ optional_policy(` ') optional_policy(` @@ -400,7 +400,7 @@ index 66e486e..bfda8e9 100644 ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 0b6123e..d64682f 100644 +index 7390b15..a46b249 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -119,14 +119,20 @@ seutil_dontaudit_read_config(logrotate_t) @@ -687,10 +687,10 @@ index 0000000..eef0c87 + netutils_domtrans(ncftool_t) +') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index b687b5d..4f38995 100644 +index 6a53a18..202c770 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te -@@ -51,6 +51,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) +@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) kernel_search_proc(netutils_t) kernel_read_all_sysctls(netutils_t) @@ -699,7 +699,7 @@ index b687b5d..4f38995 100644 corenet_all_recvfrom_unlabeled(netutils_t) corenet_all_recvfrom_netlabel(netutils_t) -@@ -67,6 +69,9 @@ corenet_sendrecv_all_client_packets(netutils_t) +@@ -64,6 +66,9 @@ corenet_sendrecv_all_client_packets(netutils_t) corenet_udp_bind_generic_node(netutils_t) dev_read_sysfs(netutils_t) @@ -709,7 +709,7 @@ index b687b5d..4f38995 100644 fs_getattr_xattr_fs(netutils_t) -@@ -137,8 +142,6 @@ logging_send_syslog_msg(ping_t) +@@ -134,8 +139,6 @@ logging_send_syslog_msg(ping_t) miscfiles_read_localization(ping_t) @@ -718,7 +718,7 @@ index b687b5d..4f38995 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -148,11 +151,25 @@ ifdef(`hide_broken_symptoms',` +@@ -145,11 +148,25 @@ ifdef(`hide_broken_symptoms',` ') ') 
@@ -744,7 +744,7 @@ index b687b5d..4f38995 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -197,6 +214,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -194,6 +211,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -752,7 +752,7 @@ index b687b5d..4f38995 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -207,9 +225,16 @@ logging_send_syslog_msg(traceroute_t) +@@ -204,9 +222,16 @@ logging_send_syslog_msg(traceroute_t) miscfiles_read_localization(traceroute_t) @@ -910,17 +910,16 @@ index b206bf6..48922c9 100644 /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if -index 86463e3..ddbb3af 100644 +index d33daa8..cad488d 100644 --- a/policy/modules/admin/rpm.if +++ b/policy/modules/admin/rpm.if -@@ -13,11 +13,14 @@ +@@ -13,10 +13,13 @@ interface(`rpm_domtrans',` gen_require(` type rpm_t, rpm_exec_t; + attribute rpm_transition_domain; ') - files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, rpm_exec_t, rpm_t) + typeattribute $1 rpm_transition_domain; @@ -928,10 +927,10 @@ index 86463e3..ddbb3af 100644 ') ######################################## -@@ -87,6 +90,11 @@ interface(`rpm_run',` +@@ -83,6 +86,11 @@ interface(`rpm_run',` + rpm_domtrans($1) - role $2 types rpm_t; - role $2 types rpm_script_t; + role $2 types { rpm_t rpm_script_t }; + + domain_system_change_exemption($1) + role_transition $2 rpm_exec_t system_r; @@ -940,7 +939,7 @@ index 86463e3..ddbb3af 100644 seutil_run_loadpolicy(rpm_script_t, $2) seutil_run_semanage(rpm_script_t, $2) seutil_run_setfiles(rpm_script_t, $2) -@@ -185,6 +193,41 @@ interface(`rpm_rw_pipes',` +@@ -181,6 +189,41 @@ interface(`rpm_rw_pipes',` ######################################## ## 
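Review bot: The rebased `rpm_run` hunk in rpm.if still adds `domain_system_change_exemption($1)` and `role_transition $2 rpm_exec_t system_r;` without any comment explaining why the calling role must switch to system_r when it executes rpm. Those two lines widen what every caller of the interface can do, so the interface documentation should state the intent. I would add a line above them such as `# Caller's role transitions to system_r when executing rpm; restrict rpm_run to administrative roles.` The only caller visible on this page is `rpm_run(sysadm_t, sysadm_r)` in sysadm.te; other callers may exist outside this view, and the body of `rpm_run` continues beyond the hunk.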
@@ -982,7 +981,7 @@ index 86463e3..ddbb3af 100644 ## Send and receive messages from ## rpm over dbus. ## -@@ -338,7 +381,9 @@ interface(`rpm_manage_script_tmp_files',` +@@ -335,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -992,7 +991,7 @@ index 86463e3..ddbb3af 100644 ') ##################################### -@@ -378,7 +423,9 @@ interface(`rpm_manage_tmp_files',` +@@ -375,7 +420,9 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -1002,7 +1001,7 @@ index 86463e3..ddbb3af 100644 ') ######################################## -@@ -461,6 +508,7 @@ interface(`rpm_read_db',` +@@ -459,6 +506,7 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -1010,7 +1009,7 @@ index 86463e3..ddbb3af 100644 ') ######################################## -@@ -577,3 +625,66 @@ interface(`rpm_pid_filetrans',` +@@ -576,3 +624,66 @@ interface(`rpm_pid_filetrans',` files_pid_filetrans($1, rpm_var_run_t, file) ') @@ -1078,11 +1077,11 @@ index 86463e3..ddbb3af 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te -index 95dbcf3..bdba9c5 100644 +index 542b820..a91d384 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,10 +1,11 @@ - policy_module(rpm, 1.11.1) + policy_module(rpm, 1.11.2) +attribute rpm_transition_domain; + 
@@ -1094,15 +1093,7 @@ index 95dbcf3..bdba9c5 100644 type debuginfo_exec_t; domain_entry_file(rpm_t, debuginfo_exec_t) -@@ -44,6 +45,7 @@ type rpm_script_exec_t; - domain_obj_id_change_exemption(rpm_script_t) - domain_system_change_exemption(rpm_script_t) - corecmd_shell_entry_type(rpm_script_t) -+corecmd_bin_entry_type(rpm_script_t) - domain_type(rpm_script_t) - domain_entry_file(rpm_t, rpm_script_exec_t) - domain_interactive_fd(rpm_script_t) -@@ -77,6 +79,8 @@ allow rpm_t self:shm create_shm_perms; +@@ -76,6 +77,8 @@ allow rpm_t self:shm create_shm_perms; allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; allow rpm_t self:msg { send receive }; @@ -1111,23 +1102,7 @@ index 95dbcf3..bdba9c5 100644 allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -84,6 +88,7 @@ logging_log_filetrans(rpm_t, rpm_log_t, file) - manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) - manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) - files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) -+can_exec(rpm_t, rpm_tmp_t) - - manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) - manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -@@ -91,6 +96,7 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) - manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) - manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) - fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+can_exec(rpm_t, rpm_tmpfs_t) - - manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) - manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) -@@ -100,12 +106,14 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir) +@@ -101,13 +104,15 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir) manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) 
@@ -1136,6 +1111,7 @@ index 95dbcf3..bdba9c5 100644 -files_pid_filetrans(rpm_t, rpm_var_run_t, file) +files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir }) + kernel_read_crypto_sysctls(rpm_t) kernel_read_network_state(rpm_t) kernel_read_system_state(rpm_t) kernel_read_kernel_sysctls(rpm_t) @@ -1143,7 +1119,7 @@ index 95dbcf3..bdba9c5 100644 corecmd_exec_all_executables(rpm_t) -@@ -125,6 +133,8 @@ corenet_sendrecv_all_client_packets(rpm_t) +@@ -127,6 +132,8 @@ corenet_sendrecv_all_client_packets(rpm_t) dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) @@ -1152,7 +1128,7 @@ index 95dbcf3..bdba9c5 100644 fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) -@@ -205,6 +215,7 @@ optional_policy(` +@@ -207,6 +214,7 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -1160,7 +1136,7 @@ index 95dbcf3..bdba9c5 100644 ') optional_policy(` -@@ -212,7 +223,7 @@ optional_policy(` +@@ -214,7 +222,7 @@ optional_policy(` ') optional_policy(` @@ -1169,16 +1145,7 @@ index 95dbcf3..bdba9c5 100644 # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) -@@ -242,6 +253,8 @@ allow rpm_script_t rpm_tmp_t:file read_file_perms; - allow rpm_script_t rpm_script_tmp_t:dir mounton; - manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) - manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) -+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) - files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) - - manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -254,6 +267,7 @@ fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_fi +@@ -261,6 +269,7 @@ kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) kernel_read_network_state(rpm_script_t) 
@@ -1186,7 +1153,7 @@ index 95dbcf3..bdba9c5 100644 kernel_read_software_raid_state(rpm_script_t) dev_list_sysfs(rpm_script_t) -@@ -301,6 +315,8 @@ auth_manage_all_files_except_shadow(rpm_script_t) +@@ -308,6 +317,8 @@ auth_manage_all_files_except_shadow(rpm_script_t) auth_relabel_shadow(rpm_script_t) corecmd_exec_all_executables(rpm_script_t) @@ -1195,7 +1162,7 @@ index 95dbcf3..bdba9c5 100644 domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -331,12 +347,15 @@ modutils_domtrans_insmod(rpm_script_t) +@@ -338,12 +349,15 @@ modutils_domtrans_insmod(rpm_script_t) seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1211,7 +1178,7 @@ index 95dbcf3..bdba9c5 100644 ') ') -@@ -366,8 +385,9 @@ optional_policy(` +@@ -377,8 +391,9 @@ optional_policy(` ') optional_policy(` @@ -1350,21 +1317,11 @@ index a22e546..ffc0571 100644 optional_policy(` hostname_exec(shorewall_t) -diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc -index 9174268..09c3771 100644 ---- a/policy/modules/admin/shutdown.fc -+++ b/policy/modules/admin/shutdown.fc -@@ -3,3 +3,5 @@ - /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - - /var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) -+ -+/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if -index d2c068d..914e1ac 100644 +index d0604cf..679d61c 100644 --- a/policy/modules/admin/shutdown.if +++ b/policy/modules/admin/shutdown.if -@@ -19,10 +19,11 @@ interface(`shutdown_domtrans',` +@@ -20,7 +20,7 @@ interface(`shutdown_domtrans',` ifdef(`hide_broken_symptoms', ` dontaudit shutdown_t $1:socket_class_set { read write }; 
@@ -1373,11 +1330,7 @@ index d2c068d..914e1ac 100644 ') ') -+ - ######################################## - ## - ## Execute shutdown in the shutdown domain, and -@@ -50,6 +51,73 @@ interface(`shutdown_run',` +@@ -51,6 +51,73 @@ interface(`shutdown_run',` ######################################## ## @@ -1452,10 +1405,10 @@ index d2c068d..914e1ac 100644 ## ## diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te -index 51f7c3a..eb63a79 100644 +index 3863241..5280124 100644 --- a/policy/modules/admin/shutdown.te +++ b/policy/modules/admin/shutdown.te -@@ -36,15 +36,17 @@ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) +@@ -38,13 +38,14 @@ domain_use_interactive_fds(shutdown_t) files_read_etc_files(shutdown_t) files_read_generic_pids(shutdown_t) @@ -1469,13 +1422,10 @@ index 51f7c3a..eb63a79 100644 -init_dontaudit_write_utmp(shutdown_t) -init_read_utmp(shutdown_t) +init_rw_utmp(shutdown_t) + init_stream_connect(shutdown_t) init_telinit(shutdown_t) -+logging_search_logs(shutdown_t) - logging_send_audit_msgs(shutdown_t) - - miscfiles_read_localization(shutdown_t) -@@ -55,5 +57,10 @@ optional_policy(` +@@ -59,5 +60,10 @@ optional_policy(` ') optional_policy(` @@ -1637,7 +1587,7 @@ index 6a5004b..50cd538 100644 ') diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te -index aa9636d..7851643 100644 +index 332ba93..e6d3bd9 100644 --- a/policy/modules/admin/tzdata.te +++ b/policy/modules/admin/tzdata.te @@ -15,7 +15,7 @@ application_domain(tzdata_t, tzdata_exec_t) @@ -1650,10 +1600,10 @@ index aa9636d..7851643 100644 fs_getattr_xattr_fs(tzdata_t) diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index aecbf1c..0b5e634 100644 +index 81fb26f..cd18ca8 100644 --- a/policy/modules/admin/usermanage.if 
+++ b/policy/modules/admin/usermanage.if -@@ -290,6 +290,9 @@ interface(`usermanage_run_useradd',` +@@ -285,6 +285,9 @@ interface(`usermanage_run_useradd',` usermanage_domtrans_useradd($1) role $2 types useradd_t; @@ -1664,10 +1614,10 @@ index aecbf1c..0b5e634 100644 optional_policy(` diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index c35d801..b1a841a 100644 +index 65f8143..16a8510 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te -@@ -90,9 +90,7 @@ fs_search_auto_mountpoints(chfn_t) +@@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t) # for SSP dev_read_urand(chfn_t) @@ -1678,7 +1628,7 @@ index c35d801..b1a841a 100644 # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) -@@ -293,17 +291,18 @@ selinux_compute_create_context(passwd_t) +@@ -291,17 +289,18 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -1701,7 +1651,7 @@ index c35d801..b1a841a 100644 domain_use_interactive_fds(passwd_t) -@@ -334,6 +333,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -332,6 +331,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -1709,7 +1659,7 @@ index c35d801..b1a841a 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -428,7 +428,7 @@ optional_policy(` +@@ -426,7 +426,7 @@ optional_policy(` # Useradd local policy # @@ -1718,7 +1668,7 @@ index c35d801..b1a841a 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -500,12 +500,8 @@ seutil_domtrans_setfiles(useradd_t) +@@ -498,12 +498,8 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories 
@@ -2314,7 +2264,7 @@ index 00a19e3..46db5ff 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..91737d4 100644 +index f5afe78..8978675 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -37,8 +37,7 @@ interface(`gnome_role',` @@ -2327,7 +2277,7 @@ index f5afe78..91737d4 100644 ## ## ## -@@ -46,37 +45,313 @@ interface(`gnome_role',` +@@ -46,25 +45,282 @@ interface(`gnome_role',` ## ## # @@ -2494,11 +2444,12 @@ index f5afe78..91737d4 100644 +## append to generic cache home files (.cache) +## +## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## Domain allowed access. + ## + ## + # +-template(`gnome_read_gconf_config',` +interface(`gnome_append_generic_cache_files',` + gen_require(` + type cache_home_t; @@ -2606,21 +2557,16 @@ index f5afe78..91737d4 100644 +## read gconf config files +## +## - ## - ## Domain allowed access. - ## - ## - # --template(`gnome_read_gconf_config',` ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_read_gconf_config',` gen_require(` type gconf_etc_t; ') - - allow $1 gconf_etc_t:dir list_dir_perms; - read_files_pattern($1, gconf_etc_t, gconf_etc_t) -- files_search_etc($1) - ') +@@ -76,7 +332,27 @@ template(`gnome_read_gconf_config',` ####################################### ## @@ -2649,7 +2595,7 @@ index f5afe78..91737d4 100644 ## ## ## -@@ -84,37 +359,40 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +360,40 @@ template(`gnome_read_gconf_config',` ## ## # @@ -2701,7 +2647,7 @@ index f5afe78..91737d4 100644 ## ## ## -@@ -122,12 +400,13 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,12 +401,13 @@ interface(`gnome_stream_connect_gconf',` ## ## # 
@@ -2718,7 +2664,7 @@ index f5afe78..91737d4 100644 ') ######################################## -@@ -151,40 +430,173 @@ interface(`gnome_setattr_config_dirs',` +@@ -151,40 +431,173 @@ interface(`gnome_setattr_config_dirs',` ######################################## ## @@ -7442,7 +7388,7 @@ index 9e5c83e..953e0e8 100644 +/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 2ecdde8..f15e5ba 100644 +index 36ba519..ba41f1f 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -24,6 +24,7 @@ dev_node(ppp_device_t) @@ -7497,7 +7443,7 @@ index 2ecdde8..f15e5ba 100644 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -109,7 +118,7 @@ network_port(hddtemp, tcp,7634,s0) +@@ -111,7 +120,7 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port 
@@ -7506,7 +7452,7 @@ index 2ecdde8..f15e5ba 100644 network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -123,30 +132,34 @@ network_port(iscsi, tcp,3260,s0) +@@ -125,30 +134,34 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -7545,7 +7491,7 @@ index 2ecdde8..f15e5ba 100644 network_port(ntp, udp,123,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) -@@ -154,12 +167,20 @@ network_port(pegasus_http, tcp,5988,s0) +@@ -156,12 +169,20 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) @@ -7566,7 +7512,7 @@ index 2ecdde8..f15e5ba 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -174,24 +195,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -176,24 +197,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -7599,7 +7545,7 @@ index 2ecdde8..f15e5ba 100644 network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -201,16 +226,17 @@ network_port(transproxy, tcp,8081,s0) +@@ -203,16 +228,17 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) 
@@ -7617,9 +7563,9 @@ index 2ecdde8..f15e5ba 100644 -network_port(xserver, tcp,6000-6020,s0) +network_port(xserver, tcp,6000-6150,s0) +network_port(zarafa, tcp,236,s0) - network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) - network_port(zope, tcp,8021,s0) - + network_port(zookeeper_client, tcp,2181,s0) + network_port(zookeeper_election, tcp,3888,s0) + network_port(zookeeper_leader, tcp,2888,s0) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 3b2da10..7c29e17 100644 --- a/policy/modules/kernel/devices.fc @@ -8313,7 +8259,7 @@ index 3517db2..bd4c23d 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 5302dac..a738502 100644 +index 5302dac..2bf2d69 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -8666,10 +8612,9 @@ index 5302dac..a738502 100644 # interface(`files_delete_generic_locks',` - gen_require(` -- type var_t, var_lock_t; -- ') + gen_require(` -+ type var_t, var_lock_t; + type var_t, var_lock_t; +- ') + ') - allow $1 var_t:dir search_dir_perms; @@ -10045,10 +9990,10 @@ index ebe6a9c..e3a1987 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 1854002..571c76e 100644 +index e0e2550..3653516 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,46 @@ policy_module(staff, 2.1.2) +@@ -8,12 +8,46 @@ policy_module(staff, 2.1.3) role staff_r; userdom_unpriv_user_template(staff) @@ -10095,7 +10040,7 @@ index 1854002..571c76e 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,6 +61,35 @@ optional_policy(` +@@ -27,25 +61,104 @@ optional_policy(` ') optional_policy(` 
@@ -10128,10 +10073,12 @@ index 1854002..571c76e 100644 +') + +optional_policy(` - oident_manage_user_content(staff_t) - oident_relabel_user_content(staff_t) - ') -@@ -36,21 +99,66 @@ optional_policy(` ++ oident_manage_user_content(staff_t) ++ oident_relabel_user_content(staff_t) ++') ++ ++optional_policy(` + postgresql_role(staff_r, staff_t) ') optional_policy(` @@ -10200,7 +10147,7 @@ index 1854002..571c76e 100644 optional_policy(` xserver_role(staff_r, staff_t) -@@ -138,10 +246,6 @@ ifndef(`distro_redhat',` +@@ -133,10 +246,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -10212,7 +10159,7 @@ index 1854002..571c76e 100644 ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2a19751..1a95085 100644 +index 6b54416..bbbc6d0 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,41 @@ ifndef(`enable_mls',` @@ -10293,7 +10240,7 @@ index 2a19751..1a95085 100644 ') optional_policy(` -@@ -159,6 +184,13 @@ optional_policy(` +@@ -163,6 +188,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -10307,7 +10254,7 @@ index 2a19751..1a95085 100644 ') optional_policy(` -@@ -166,15 +198,15 @@ optional_policy(` +@@ -170,15 +202,15 @@ optional_policy(` ') optional_policy(` @@ -10326,7 +10273,7 @@ index 2a19751..1a95085 100644 ') optional_policy(` -@@ -198,14 +230,7 @@ optional_policy(` +@@ -202,14 +234,7 @@ optional_policy(` optional_policy(` mount_run(sysadm_t, sysadm_r) @@ -10342,7 +10289,7 @@ index 2a19751..1a95085 100644 ') optional_policy(` -@@ -221,6 +246,10 @@ optional_policy(` +@@ -225,6 +250,10 @@ optional_policy(` ') optional_policy(` @@ -10353,7 +10300,7 @@ index 2a19751..1a95085 100644 netutils_run(sysadm_t, sysadm_r) netutils_run_ping(sysadm_t, sysadm_r) netutils_run_traceroute(sysadm_t, sysadm_r) -@@ -254,7 +283,7 @@ optional_policy(` +@@ -253,7 +282,7 @@ optional_policy(` ') optional_policy(` 
@@ -10362,7 +10309,7 @@ index 2a19751..1a95085 100644 ') optional_policy(` -@@ -266,10 +295,6 @@ optional_policy(` +@@ -265,10 +294,6 @@ optional_policy(` ') optional_policy(` @@ -10373,7 +10320,7 @@ index 2a19751..1a95085 100644 rpc_domtrans_nfsd(sysadm_t) ') -@@ -277,9 +302,6 @@ optional_policy(` +@@ -276,9 +301,6 @@ optional_policy(` rpm_run(sysadm_t, sysadm_r) ') @@ -10383,7 +10330,7 @@ index 2a19751..1a95085 100644 optional_policy(` rsync_exec(sysadm_t) -@@ -304,9 +326,10 @@ optional_policy(` +@@ -303,9 +325,10 @@ optional_policy(` ') optional_policy(` @@ -10395,7 +10342,7 @@ index 2a19751..1a95085 100644 optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -329,10 +352,6 @@ optional_policy(` +@@ -328,10 +351,6 @@ optional_policy(` ') optional_policy(` @@ -10406,7 +10353,7 @@ index 2a19751..1a95085 100644 tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -340,18 +359,10 @@ optional_policy(` +@@ -339,18 +358,10 @@ optional_policy(` ') optional_policy(` @@ -10425,7 +10372,7 @@ index 2a19751..1a95085 100644 unconfined_domtrans(sysadm_t) ') -@@ -364,17 +375,14 @@ optional_policy(` +@@ -363,17 +374,14 @@ optional_policy(` ') optional_policy(` @@ -10445,7 +10392,7 @@ index 2a19751..1a95085 100644 ') optional_policy(` -@@ -386,19 +394,22 @@ optional_policy(` +@@ -385,19 +393,22 @@ optional_policy(` ') optional_policy(` @@ -10471,7 +10418,7 @@ index 2a19751..1a95085 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -445,5 +456,60 @@ ifndef(`distro_redhat',` +@@ -444,5 +455,60 @@ ifndef(`distro_redhat',` optional_policy(` java_role(sysadm_r, sysadm_t) ') @@ -11736,10 +11683,10 @@ index 0000000..31bbe95 + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 9b55b00..2932c13 100644 +index 183ea8e..91b4504 100644 --- a/policy/modules/roles/unprivuser.te 
+++ b/policy/modules/roles/unprivuser.te -@@ -12,6 +12,8 @@ role user_r; +@@ -12,15 +12,46 @@ role user_r; userdom_unpriv_user_template(user) @@ -11748,10 +11695,13 @@ index 9b55b00..2932c13 100644 optional_policy(` apache_role(user_r, user_t) ') -@@ -22,10 +24,34 @@ optional_policy(` - ') optional_policy(` ++ oident_manage_user_content(user_t) ++ oident_relabel_user_content(user_t) ++') ++ ++optional_policy(` + mozilla_run_plugin(user_t, user_r) +') + @@ -11783,7 +11733,7 @@ index 9b55b00..2932c13 100644 xserver_role(user_r, user_t) ') -@@ -115,7 +141,7 @@ ifndef(`distro_redhat',` +@@ -110,7 +141,7 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18119,22 +18069,6 @@ index 9d44538..7e9057e 100644 ## # interface(`cyphesis_domtrans',` -diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te -index 346f926..1f789f8 100644 ---- a/policy/modules/services/cyphesis.te -+++ b/policy/modules/services/cyphesis.te -@@ -36,9 +36,10 @@ logging_log_filetrans(cyphesis_t, cyphesis_log_t, file) - allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms; - files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file) - -+manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) - manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) - manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) --files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { file sock_file }) -+files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir file sock_file }) - - kernel_read_system_state(cyphesis_t) - kernel_read_kernel_sysctls(cyphesis_t) diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te index e182bf4..f80e725 100644 --- a/policy/modules/services/cyrus.te 
@@ -19324,164 +19258,33 @@ index 69dcd2a..a9a9116 100644 /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) +/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) -diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if -index bc27421..26cc64b 100644 ---- a/policy/modules/services/ftp.if -+++ b/policy/modules/services/ftp.if -@@ -53,25 +53,6 @@ interface(`ftp_read_config',` - - ######################################## - ## --## Execute FTP daemon entry point programs. --## --## --## --## Domain allowed access. --## --## --# --interface(`ftp_check_exec',` -- gen_require(` -- type ftpd_exec_t; -- ') -- -- corecmd_search_bin($1) -- allow $1 ftpd_exec_t:file { getattr execute }; --') -- --######################################## --## - ## Read FTP transfer logs - ## - ## -@@ -171,9 +152,8 @@ interface(`ftp_dyntrans_sftpd',` - interface(`ftp_admin',` - gen_require(` - type ftpd_t, ftpdctl_t, ftpd_tmp_t; -- type ftpd_etc_t, ftpd_lock_t; -+ type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t; - type ftpd_var_run_t, xferlog_t; -- type ftpd_initrc_exec_t; - ') - - allow $1 ftpd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 8a74a83..2284f4e 100644 +index 8a74a83..ce4f73b 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te -@@ -6,70 +6,85 @@ policy_module(ftp, 1.12.0) - # - - ## --##

--## Allow ftp servers to upload files, used for public file --## transfer services. Directories must be labeled --## public_content_rw_t. --##

-+##

-+## Allow ftp servers to upload files, used for public file -+## transfer services. Directories must be labeled -+## public_content_rw_t. -+##

- ##
- gen_tunable(allow_ftpd_anon_write, false) - - ## --##

--## Allow ftp servers to login to local users and --## read/write all files on the system, governed by DAC. --##

-+##

-+## Allow ftp servers to login to local users and -+## read/write all files on the system, governed by DAC. -+##

- ##
- gen_tunable(allow_ftpd_full_access, false) +@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false) ## --##

--## Allow ftp servers to use cifs --## used for public file transfer services. --##

-+##

-+## Allow ftp servers to use cifs -+## used for public file transfer services. -+##

- ##
- gen_tunable(allow_ftpd_use_cifs, false) - - ## --##

--## Allow ftp servers to use nfs --## used for public file transfer services. --##

-+##

-+## Allow ftp servers to use nfs -+## used for public file transfer services. -+##

- ##
- gen_tunable(allow_ftpd_use_nfs, false) - - ## --##

--## Allow ftp to read and write files in the user home directories --##

-+##

-+## Allow ftp servers to use connect to mysql database -+##

+ ##

++## Allow ftp servers to use connect to mysql database ++##

+##
+gen_tunable(ftpd_connect_db, false) + +## -+##

-+## Allow ftp to read and write files in the user home directories -+##

- ##
- gen_tunable(ftp_home_dir, false) - - ## --##

--## Allow anon internal-sftp to upload files, used for --## public file transfer services. Directories must be labeled --## public_content_rw_t. --##

-+##

-+## Allow anon internal-sftp to upload files, used for -+## public file transfer services. Directories must be labeled -+## public_content_rw_t. -+##

- ##
- gen_tunable(sftpd_anon_write, false) - - ## --##

--## Allow sftp-internal to read and write files --## in the user home directories --##

-+##

-+## Allow sftp-internal to read and write files -+## in the user home directories -+##

++##

+ ## Allow ftp to read and write files in the user home directories + ##

##
- gen_tunable(sftpd_enable_homedirs, false) - - ## --##

--## Allow sftp-internal to login to local users and --## read/write all files on the system, governed by DAC. --##

-+##

-+## Allow sftp-internal to login to local users and -+## read/write all files on the system, governed by DAC. -+##

+@@ -70,6 +77,14 @@ gen_tunable(sftpd_enable_homedirs, false) ##
gen_tunable(sftpd_full_access, false) +## -+##

-+## Allow interlnal-sftp to read and write files -+## in the user ssh home directories. -+##

++##

++## Allow interlnal-sftp to read and write files ++## in the user ssh home directories. ++##

+##
+gen_tunable(sftpd_write_ssh_home, false) + @@ -20387,21 +20190,9 @@ index 462de63..a8ce02e 100644 +/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if -index 671d8fd..b1f8f93 100644 +index 671d8fd..25c7ab8 100644 --- a/policy/modules/services/gnomeclock.if +++ b/policy/modules/services/gnomeclock.if -@@ -5,9 +5,9 @@ - ## Execute a domain transition to run gnomeclock. - ##
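Review bot: The descriptions of the two tunables carried on the new side of the ftp.te hunk still have typos and do not tell an administrator what enabling them exposes. For `ftpd_connect_db` the text "Allow ftp servers to use connect to mysql database" should read `## Allow ftp servers to connect to a mysql database`; the name says "db" while the text says mysql, so the wording should match whatever the rules actually grant. For `sftpd_write_ssh_home`, "interlnal-sftp" should be `## Allow internal-sftp to read and write files`, and the description would benefit from one more sentence saying that the ssh home directory presumably holds the user's authorized keys, so turning the boolean on lets an sftp session change who can log in to the account. Both default to `false`, which is the right default. The rules that consume these booleans are outside this hunk, so the scope of each grant should be confirmed there.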
- ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`gnomeclock_domtrans',` @@ -63,3 +63,24 @@ interface(`gnomeclock_dbus_chat',` allow $1 gnomeclock_t:dbus send_msg; allow gnomeclock_t $1:dbus send_msg; @@ -20483,35 +20274,10 @@ index 03742d8..7b9c543 100644 ') diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if -index 7cf6763..26de57a 100644 +index 7cf6763..ce32fe5 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if -@@ -20,24 +20,6 @@ interface(`hal_domtrans',` - - ######################################## - ## --## Get the attributes of a hal process. --## --## --## --## Domain allowed access. --## --## --# --interface(`hal_getattr',` -- gen_require(` -- type hald_t; -- ') -- -- allow $1 hald_t:process getattr; --') -- --######################################## --## - ## Read hal system state - ## - ## -@@ -51,6 +33,7 @@ interface(`hal_read_state',` +@@ -51,6 +51,7 @@ interface(`hal_read_state',` type hald_t; ') @@ -20519,7 +20285,7 @@ index 7cf6763..26de57a 100644 ps_process_pattern($1, hald_t) ') -@@ -87,7 +70,7 @@ interface(`hal_use_fds',` +@@ -87,7 +88,7 @@ interface(`hal_use_fds',` type hald_t; ') @@ -20528,7 +20294,7 @@ index 7cf6763..26de57a 100644 ') ######################################## -@@ -105,7 +88,7 @@ interface(`hal_dontaudit_use_fds',` +@@ -105,7 +106,7 @@ interface(`hal_dontaudit_use_fds',` type hald_t; ') @@ -20537,7 +20303,7 @@ index 7cf6763..26de57a 100644 ') ######################################## -@@ -124,7 +107,7 @@ interface(`hal_rw_pipes',` +@@ -124,7 +125,7 @@ interface(`hal_rw_pipes',` type hald_t; ') @@ -20546,7 +20312,7 @@ index 7cf6763..26de57a 100644 ') ######################################## -@@ -143,7 +126,7 @@ interface(`hal_dontaudit_rw_pipes',` +@@ -143,7 +144,7 @@ interface(`hal_dontaudit_rw_pipes',` type hald_t; ') 
@@ -20555,7 +20321,7 @@ index 7cf6763..26de57a 100644 ') ######################################## -@@ -377,6 +360,25 @@ interface(`hal_read_pid_files',` +@@ -377,6 +378,25 @@ interface(`hal_read_pid_files',` ######################################## ## @@ -20581,7 +20347,7 @@ index 7cf6763..26de57a 100644 ## Read/Write hald PID files. ## ## -@@ -431,3 +433,25 @@ interface(`hal_manage_pid_files',` +@@ -431,3 +451,25 @@ interface(`hal_manage_pid_files',` files_search_pids($1) manage_files_pattern($1, hald_var_run_t, hald_var_run_t) ') @@ -38467,7 +38233,7 @@ index 9775375..b338481 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index f6aafe7..666a58f 100644 +index 8419a01..5865dba 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -105,7 +105,11 @@ interface(`init_domain',` @@ -38591,7 +38357,7 @@ index f6aafe7..666a58f 100644 ') ######################################## -@@ -669,19 +733,24 @@ interface(`init_telinit',` +@@ -687,19 +751,24 @@ interface(`init_telinit',` type initctl_t; ') @@ -38617,7 +38383,7 @@ index f6aafe7..666a58f 100644 ') ') -@@ -754,18 +823,19 @@ interface(`init_script_file_entry_type',` +@@ -772,18 +841,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -38641,7 +38407,7 @@ index f6aafe7..666a58f 100644 ') ') -@@ -781,23 +851,45 @@ interface(`init_spec_domtrans_script',` +@@ -799,23 +869,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -38691,7 +38457,7 @@ index f6aafe7..666a58f 100644 ## Execute a init script in a specified domain. ## ## -@@ -849,8 +941,12 @@ interface(`init_script_file_domtrans',` +@@ -867,8 +959,12 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; 
@@ -38704,7 +38470,7 @@ index f6aafe7..666a58f 100644 domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1111,12 +1207,7 @@ interface(`init_read_script_state',` +@@ -1129,12 +1225,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -38718,7 +38484,7 @@ index f6aafe7..666a58f 100644 ') ######################################## -@@ -1338,6 +1429,27 @@ interface(`init_dbus_send_script',` +@@ -1356,6 +1447,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -38746,7 +38512,7 @@ index f6aafe7..666a58f 100644 ## init scripts over dbus. ## ## -@@ -1424,6 +1536,25 @@ interface(`init_getattr_script_status_files',` +@@ -1442,6 +1554,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -38772,7 +38538,7 @@ index f6aafe7..666a58f 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1637,7 +1768,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1655,7 +1786,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -38781,7 +38547,7 @@ index f6aafe7..666a58f 100644 ') ######################################## -@@ -1712,3 +1843,94 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1730,3 +1861,74 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -38838,26 +38604,6 @@ index f6aafe7..666a58f 100644 + init_dontaudit_use_script_fds($1) +') + -+ -+######################################## -+## -+## Allow the specified domain to connect to -+## the init process with a unix socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_stream_connect',` -+ gen_require(` -+ type init_t; -+ ') -+ -+ allow $1 init_t:unix_stream_socket connectto; -+') -+ +######################################## +## +## Allow the specified domain to read/write to @@ -43863,15 +43609,14 @@ index 416e668..c6e8ffe 100644 - allow $1 unconfined_t:dbus acquire_svc; -') 
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index f976344..4474379 100644 +index 8a4ee77..f0dca4c 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te -@@ -4,227 +4,5 @@ policy_module(unconfined, 3.2.0) +@@ -4,231 +4,4 @@ policy_module(unconfined, 3.2.1) # # Declarations # -+attribute unconfined_services; - +- -# usage in this module of types created by these -# calls is not correct, however we dont currently -# have another method to add access to these types @@ -43985,6 +43730,10 @@ index f976344..4474379 100644 -') - -optional_policy(` +- hadoop_role(unconfined_r, unconfined_t) +-') +- +-optional_policy(` - inn_domtrans(unconfined_t) -') - @@ -44095,6 +43844,7 @@ index f976344..4474379 100644 - hal_dbus_chat(unconfined_execmem_t) - ') -') ++attribute unconfined_services; diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index db75976..392d1ee 100644 --- a/policy/modules/system/userdomain.fc @@ -44119,7 +43869,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 2aa8928..54365f8 100644 +index 35f1476..8d157ff 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -44685,12 +44435,14 @@ index 2aa8928..54365f8 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,65 +645,108 @@ template(`userdom_common_user_template',` +@@ -574,67 +645,110 @@ template(`userdom_common_user_template',` ') optional_policy(` -- alsa_read_rw_config($1_t) + alsa_read_rw_config($1_usertype) + alsa_manage_home_files($1_t) +- alsa_read_rw_config($1_t) + alsa_relabel_home_files($1_t) ') optional_policy(` 
@@ -44812,7 +44564,7 @@ index 2aa8928..54365f8 100644 ') optional_policy(` -@@ -643,41 +757,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +764,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -44874,7 +44626,7 @@ index 2aa8928..54365f8 100644 ') ####################################### -@@ -705,13 +828,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +835,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) @@ -44906,7 +44658,7 @@ index 2aa8928..54365f8 100644 userdom_change_password_template($1) -@@ -729,72 +865,71 @@ template(`userdom_login_user_template', ` +@@ -736,72 +872,71 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -45015,7 +44767,7 @@ index 2aa8928..54365f8 100644 ') ') -@@ -826,6 +961,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +968,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -45025,7 +44777,7 @@ index 2aa8928..54365f8 100644 ############################## # # Local policy -@@ -867,45 +1005,105 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1012,105 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -45142,7 +44894,7 @@ index 2aa8928..54365f8 100644 ') ') -@@ -940,7 +1138,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1145,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -45151,7 +44903,7 @@ index 2aa8928..54365f8 100644 userdom_common_user_template($1) ############################## -@@ -949,54 +1147,77 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1154,77 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here 
@@ -45259,7 +45011,7 @@ index 2aa8928..54365f8 100644 ') ') -@@ -1032,7 +1253,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1260,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -45268,7 +45020,7 @@ index 2aa8928..54365f8 100644 ') ############################## -@@ -1067,6 +1288,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1295,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -45278,7 +45030,7 @@ index 2aa8928..54365f8 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1081,6 +1305,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1312,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -45286,7 +45038,7 @@ index 2aa8928..54365f8 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1112,10 +1337,13 @@ template(`userdom_admin_user_template',` +@@ -1119,10 +1344,13 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -45300,7 +45052,7 @@ index 2aa8928..54365f8 100644 fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1135,6 +1363,7 @@ template(`userdom_admin_user_template',` +@@ -1142,6 +1370,7 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -45308,7 +45060,7 @@ index 2aa8928..54365f8 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1203,6 +1432,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1439,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -45317,7 +45069,7 @@ index 2aa8928..54365f8 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1230,6 +1461,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1468,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -45325,7 +45077,7 @@ index 2aa8928..54365f8 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1268,12 +1500,15 @@ template(`userdom_security_admin_template',` +@@ -1275,12 +1507,15 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -45342,7 +45094,7 @@ index 2aa8928..54365f8 100644 ') ######################################## -@@ -1384,6 +1619,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1391,6 +1626,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -45350,7 +45102,7 @@ index 2aa8928..54365f8 100644 files_search_home($1) ') -@@ -1430,6 +1666,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1437,6 +1673,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -45365,7 +45117,7 @@ index 2aa8928..54365f8 100644 ') ######################################## -@@ -1445,9 +1689,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1452,9 +1696,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -45377,7 +45129,7 @@ index 2aa8928..54365f8 100644 ') ######################################## -@@ -1504,6 +1750,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1511,6 +1757,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') 
@@ -45420,7 +45172,7 @@ index 2aa8928..54365f8 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1578,6 +1860,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1585,6 +1867,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -45429,7 +45181,7 @@ index 2aa8928..54365f8 100644 ') ######################################## -@@ -1592,10 +1876,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1599,10 +1883,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -45444,7 +45196,7 @@ index 2aa8928..54365f8 100644 ') ######################################## -@@ -1638,34 +1924,53 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1645,34 +1931,53 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -45506,7 +45258,7 @@ index 2aa8928..54365f8 100644 gen_require(` type user_home_dir_t, user_home_t; ') -@@ -1689,12 +1994,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1696,12 +2001,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -45539,7 +45291,7 @@ index 2aa8928..54365f8 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1705,11 +2030,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1712,11 +2037,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -45557,7 +45309,7 @@ index 2aa8928..54365f8 100644 ') ######################################## -@@ -1799,8 +2127,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1806,8 +2134,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') 
@@ -45567,7 +45319,7 @@ index 2aa8928..54365f8 100644 ') ######################################## -@@ -1816,20 +2143,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1823,20 +2150,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -45592,7 +45344,7 @@ index 2aa8928..54365f8 100644 ######################################## ## -@@ -2171,7 +2492,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2178,7 +2499,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -45601,7 +45353,7 @@ index 2aa8928..54365f8 100644 ') ######################################## -@@ -2424,13 +2745,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2431,13 +2752,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -45617,7 +45369,7 @@ index 2aa8928..54365f8 100644 ## ## ## -@@ -2451,26 +2773,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2458,26 +2780,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -45644,7 +45396,7 @@ index 2aa8928..54365f8 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2804,7 +3106,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2811,7 +3113,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -45653,7 +45405,7 @@ index 2aa8928..54365f8 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2820,11 +3122,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2827,11 +3129,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -45669,7 +45421,7 @@ index 2aa8928..54365f8 100644 ') ######################################## -@@ -2906,7 +3210,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2913,7 +3217,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -45678,7 +45430,7 @@ index 2aa8928..54365f8 100644 ') ######################################## -@@ -2961,7 +3265,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2968,7 +3272,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -45725,7 +45477,7 @@ index 2aa8928..54365f8 100644 ') ######################################## -@@ -2998,6 +3340,7 @@ interface(`userdom_read_all_users_state',` +@@ -3005,6 +3347,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -45733,7 +45485,7 @@ index 2aa8928..54365f8 100644 kernel_search_proc($1) ') -@@ -3128,3 +3471,854 @@ interface(`userdom_dbus_send_all_users',` +@@ -3135,3 +3478,854 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -46589,7 +46341,7 @@ index 2aa8928..54365f8 100644 + type_transition $1 user_tmp_t:process $2; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 60937f0..0aa5ce3 100644 +index a7088c6..5119d1e 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -43,6 +43,13 @@ gen_tunable(user_rw_noexattrfile, false) diff --git a/selinux-policy.spec b/selinux-policy.spec index de35d49..ba856b0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,8 +20,8 @@ %define CHECKPOLICYVER 2.0.21-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.9.5 -Release: 12%{?dist} +Version: 3.9.6 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -470,9 +470,10 @@ exit 0 %endif %changelog -* Thu Oct 7 2010 Dan Walsh 3.9.5-12 +* Thu Oct 7 2010 Dan Walsh 3.9.6-1 - Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr +- Update to upstream * Wed Oct 6 2010 Dan Walsh 3.9.5-11 - Fix fusefs handling diff --git a/sources b/sources index 1e6d985..d834e79 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -92b67fbf7e35e89cd46d04881966d2ae serefpolicy-3.9.5.tgz +21e517616738920ab9db791eec691b00 serefpolicy-3.9.6.tgz