From 89ad5ea38f18efb6e5e70bfbbfb5ac5488426703 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 14 2010 21:49:18 +0000 Subject: - Turn on puppet policy - Update to dgrift git policy --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 1c43a96..ed1af2d 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -140,7 +140,11 @@ samba_enable_home_dirs = false # Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. # -squid_connect_any = false +squid_connect_any = true + +# Allow privoxy to connect to all ports, not justHTTP, FTP, and Gopher ports. +# +privoxy_connect_any = true # Support NFS home directories # diff --git a/modules-minimum.conf b/modules-minimum.conf index 99288a5..35181dc 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -633,6 +633,12 @@ hddtemp = module # policykit = module +# Layer: services +# Module: puppet +# +# A network tool for managing many disparate systems +# +puppet = module # Layer: apps # Module: ptchown diff --git a/modules-targeted.conf b/modules-targeted.conf index 99288a5..35181dc 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -633,6 +633,12 @@ hddtemp = module # policykit = module +# Layer: services +# Module: puppet +# +# A network tool for managing many disparate systems +# +puppet = module # Layer: apps # Module: ptchown diff --git a/policy-F13.patch b/policy-F13.patch index 3c569cd..b3a36ce 100644 --- a/policy-F13.patch +++ b/policy-F13.patch 
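Review bot: In the booleans-targeted.conf hunk, `squid_connect_any` flips from `false` to `true` and the newly added `privoxy_connect_any` also defaults to `true`, so both proxies ship with their "connect to all ports" restriction switched off by default; the commit message only mentions puppet and the git policy, so this default change should either be justified there or go back to `false` and be left to the administrator. The copied comment also drops a space: `# Allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports.` (the squid line above it has the same typo).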
@@ -7601,7 +7601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.7/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.7/policy/modules/kernel/filesystem.te 2010-01-11 09:53:58.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/kernel/filesystem.te 2010-01-14 15:44:55.000000000 -0500 @@ -29,6 +29,7 @@ fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); @@ -9798,7 +9798,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.7/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/roles/xguest.te 2010-01-11 09:53:58.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/roles/xguest.te 2010-01-14 13:49:32.000000000 -0500 +@@ -15,7 +15,7 @@ + + ## + ##

+-## Allow xguest to configure Network Manager ++## Allow xguest to configure Network Manager and connect to apache ports + ##

+ ##
+ gen_tunable(xguest_connect_network, true) @@ -30,11 +30,29 @@ role xguest_r; @@ -10092,7 +10101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.7/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/services/abrt.te 2010-01-11 09:53:58.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/services/abrt.te 2010-01-14 16:10:21.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -14895,7 +14904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.7/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/services/cups.fc 2010-01-11 09:53:58.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/services/cups.fc 2010-01-14 09:44:37.000000000 -0500 @@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) @@ -14944,7 +14953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.7/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/services/cups.te 2010-01-11 09:53:58.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/services/cups.te 2010-01-14 09:43:53.000000000 -0500 
@@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -16180,10 +16189,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri + policykit_dbus_chat_auth(fprintd_t) ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.7/policy/modules/services/ftp.if +--- nsaserefpolicy/policy/modules/services/ftp.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.7/policy/modules/services/ftp.if 2010-01-14 14:06:25.000000000 -0500 +@@ -115,6 +115,44 @@ + role $2 types ftpdctl_t; + ') + ++####################################### ++## ++## Allow domain dyntransition to sftpd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ftp_dyntransition_sftpd',` ++ gen_require(` ++ type sftpd_t; ++ ') ++ ++ allow $1 sftpd_t:process dyntransition; ++ allow sftpd_t $1:process sigchld; ++') ++ ++####################################### ++## ++## Allow domain dyntransition to sftpd_anon domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ftp_dyntransition_sftpd_anon',` ++ gen_require(` ++ type sftpd_anon_t; ++ ') ++ ++ allow $1 sftpd_anon_t:process dyntransition; ++ allow sftpd_anon_t $1:process sigchld; ++') ++ + ######################################## + ## + ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.7/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/services/ftp.te 2010-01-11 09:53:58.000000000 -0500 -@@ -41,6 +41,13 @@ ++++ serefpolicy-3.7.7/policy/modules/services/ftp.te 2010-01-14 16:27:16.000000000 -0500 +@@ -41,11 +41,51 @@ ## ##

@@ -16197,7 +16254,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ## Allow ftp to read and write files in the user home directories ##

##
-@@ -78,12 +85,20 @@ + gen_tunable(ftp_home_dir, false) + ++## ++##

++## Allow anon internal-sftp to upload files, used for ++## public file transfer services. Directories must be labeled ++## public_content_rw_t. ++##

++##
++gen_tunable(sftpd_anon_write, false) ++ ++## ++##

++## Allow sftp-internal to login to local users and ++## read/write all files on the system, governed by DAC. ++##

++##
++gen_tunable(sftpd_full_access, false) ++ ++## ++##

++## Allow interlnal-sftp to read and write files ++## in the user ssh home directories. ++##

++##
++gen_tunable(sftpd_write_ssh_home, false) ++ ++## ++##

++## Allow sftp-internal to read and write files ++## in the user home directories ++##

++##
++gen_tunable(sftpd_enable_homedirs, false) ++ + type ftpd_t; + type ftpd_exec_t; + init_daemon_domain(ftpd_t, ftpd_exec_t) +@@ -78,12 +118,28 @@ type xferlog_t; logging_log_file(xferlog_t) @@ -16209,6 +16304,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. + init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh) +') + ++type sftpd_t; ++domain_type(sftpd_t) ++role system_r types sftpd_t; ++ ++type sftpd_anon_t; ++domain_type(sftpd_anon_t) ++role system_r types sftpd_anon_t; ++ ######################################## # # ftpd local policy @@ -16219,7 +16322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process signal_perms; allow ftpd_t self:process { getcap setcap setsched setrlimit }; -@@ -92,6 +107,8 @@ +@@ -92,6 +148,8 @@ allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms; allow ftpd_t self:udp_socket create_socket_perms; @@ -16228,7 +16331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. allow ftpd_t ftpd_etc_t:file read_file_perms; -@@ -121,8 +138,7 @@ +@@ -121,8 +179,7 @@ allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; # Create and modify /var/log/xferlog. @@ -16238,7 +16341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. logging_log_filetrans(ftpd_t, xferlog_t, file) kernel_read_kernel_sysctls(ftpd_t) -@@ -160,6 +176,7 @@ +@@ -160,6 +217,7 @@ fs_search_auto_mountpoints(ftpd_t) fs_getattr_all_fs(ftpd_t) @@ -16246,7 +16349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. auth_use_nsswitch(ftpd_t) auth_domtrans_chk_passwd(ftpd_t) -@@ -219,10 +236,14 @@ +@@ -219,10 +277,14 @@ # allow access to /home files_list_home(ftpd_t) userdom_read_user_home_content_files(ftpd_t) 
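Review bot: The `sftpd_write_ssh_home` tunable description in this hunk misspells the program name as `interlnal-sftp`, and the four new sftpd descriptions name the same program three different ways (`anon internal-sftp`, `sftp-internal`, `interlnal-sftp`); these strings are the administrator-facing documentation for the booleans, so one spelling should be used, e.g. `## Allow internal-sftp to read and write files`. The `sftpd_full_access` description should also mention that enabling it grants the `dac_override` and `dac_read_search` capabilities (as the policy block later in ftp.te does), so the risk is visible where the boolean is documented.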
@@ -16265,7 +16368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -258,7 +279,26 @@ +@@ -258,7 +320,26 @@ ') optional_policy(` @@ -16293,7 +16396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') optional_policy(` -@@ -270,6 +310,14 @@ +@@ -270,6 +351,14 @@ ') optional_policy(` 
@@ -16308,26 +16411,106 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. seutil_sigchld_newrole(ftpd_t) ') +@@ -294,3 +383,74 @@ + files_read_etc_files(ftpdctl_t) + + userdom_use_user_terminals(ftpdctl_t) ++ ++######################################## ++# ++# sftpd-anon local policy ++# ++files_read_etc_files(sftpd_anon_t) ++ ++miscfiles_read_public_files(sftpd_anon_t) ++ ++tunable_policy(`sftpd_anon_write',` ++ miscfiles_manage_public_files(sftpd_anon_t) ++') ++ ++######################################## ++# ++# sftpd local policy ++# ++files_read_etc_files(sftpd_t) ++ ++# allow read access to /home by default ++userdom_read_user_home_content_files(sftpd_t) ++userdom_read_user_home_content_symlinks(sftpd_t) ++userdom_dontaudit_list_admin_dir(sftpd_t) ++ ++tunable_policy(`sftpd_full_access',` ++ allow sftpd_t self:capability { dac_override dac_read_search }; ++ fs_read_noxattr_fs_files(sftpd_t) ++ auth_manage_all_files_except_shadow(sftpd_t) ++') ++ ++tunable_policy(`sftpd_write_ssh_home',` ++ ssh_manage_user_home_files(sftpd_t) ++') ++ ++tunable_policy(`sftpd_enable_homedirs',` ++ allow sftpd_t self:capability { dac_override dac_read_search }; ++ ++ # allow access to /home ++ files_list_home(sftpd_t) ++ userdom_read_user_home_content_files(sftpd_t) ++ userdom_manage_user_home_content(sftpd_t) ++ ++ auth_read_all_dirs_except_shadow(sftpd_t) ++ auth_read_all_files_except_shadow(sftpd_t) ++ auth_read_all_symlinks_except_shadow(sftpd_t) ++', ` ++ # Needed for permissive mode, to make sure everything gets labeled correctly ++ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) ++') ++ ++tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(sftpd_t) ++ fs_manage_nfs_files(sftpd_t) ++ fs_manage_nfs_symlinks(sftpd_t) ++') ++ ++tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` ++ fs_manage_cifs_dirs(sftpd_t) ++ fs_manage_cifs_files(sftpd_t) ++ fs_manage_cifs_symlinks(sftpd_t) 
++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(sftpd_t) ++ fs_read_cifs_symlinks(sftpd_t) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(sftpd_t) ++ fs_read_nfs_symlinks(ftpd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.7/policy/modules/services/git.fc --- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/services/git.fc 2010-01-11 09:53:58.000000000 -0500 -@@ -1,3 +1,9 @@ - /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) ++++ serefpolicy-3.7.7/policy/modules/services/git.fc 2010-01-14 15:37:45.000000000 -0500 +@@ -1,3 +1,12 @@ +-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) - /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +-/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:gitd_session_content_t, s0) ++HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:gitd_session_content_t, s0) + -+/srv/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) ++/srv/git(/.*)? gen_context(system_u:object_r:gitd_system_content_t, s0) + +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t, s0) + -+# Conflict with Fedora cgit fc spec. -+/var/lib/git(/.*)? gen_context(system_u:object_r:git_data_t, s0) ++/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) ++/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++ ++/var/lib/git(/.*)? 
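Review bot: In the new sftpd local policy, the `use_nfs_home_dirs` block for sftpd_t calls `fs_read_nfs_symlinks(ftpd_t)`, which grants the permission to the wrong domain and leaves sftpd_t unable to follow NFS symlinks; it should read `fs_read_nfs_symlinks(sftpd_t)`. The `sftpd_enable_homedirs` block also grants `dac_override dac_read_search` and `auth_read_all_{dirs,files,symlinks}_except_shadow`, i.e. read access to nearly the whole filesystem, which is considerably more than the tunable's "read and write files in the user home directories" description promises; either trim the block to home content or document the wider grant in the tunable description. In the same hunk git.fc relabels `/var/lib/git(/.*)?` from `httpd_git_content_t` to `gitd_system_content_t`; whether cgit's script domain can still read that path under the new type is not visible here and should be confirmed.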
gen_context(system_u:object_r:gitd_system_content_t, s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.7/policy/modules/services/git.if --- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/services/git.if 2010-01-11 09:53:58.000000000 -0500 -@@ -1 +1,285 @@ ++++ serefpolicy-3.7.7/policy/modules/services/git.if 2010-01-14 16:07:07.000000000 -0500 +@@ -1 +1,535 @@ -## GIT revision control system -+## Git daemon is a really simple server for Git repositories. ++## Git - Fast Version Control System. +## +##

+## A really simple TCP git daemon that normally listens on @@ -16335,27 +16518,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## connection asking for a service, and will serve that +## service if it is enabled. +##

-+##

-+## It verifies that the directory has the magic file -+## git-daemon-export-ok, and it will refuse to export any -+## git directory that has not explicitly been marked for -+## export this way (unless the --export-all parameter is -+## specified). If you pass some directory paths as -+## git-daemon arguments, you can further restrict the -+## offers to a whitelist comprising of those. -+##

-+##

-+## By default, only upload-pack service is enabled, which -+## serves git-fetch-pack and git-ls-remote clients, which -+## are invoked from git-fetch, git-pull, and git-clone. -+##

-+##

-+## This is ideally suited for read-only updates, i.e., -+## pulling from git repositories. -+##

-+##

-+## An upload-archive also exists to serve git-archive. -+##

+##
+ +####################################### @@ -16373,73 +16535,174 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +##
+## +# -+interface(`git_session_role', ` ++interface(`git_session_role',` + gen_require(` -+ type gitd_session_t, gitd_exec_t, git_home_t; ++ type gitd_session_t, gitd_exec_t; + ') + + ######################################## + # -+ # Git daemon session data declarations. ++ # Git daemon session shared declarations. + # + -+ ## -+ ##

-+ ## Allow transitions to the Git daemon -+ ## session domain. -+ ##

-+ ##
-+ gen_tunable(gitd_session_transition, false) -+ + role $1 types gitd_session_t; + + ######################################## + # -+ # Git daemon session data policy. ++ # Git daemon session shared policy. + # + -+ tunable_policy(`gitd_session_transition', ` -+ domtrans_pattern($2, gitd_exec_t, gitd_session_t) -+ ', ` -+ can_exec($2, gitd_exec_t) -+ ') ++ domtrans_pattern($2, gitd_exec_t, gitd_session_t) + + allow $2 gitd_session_t:process { ptrace signal_perms }; + ps_process_pattern($2, gitd_session_t) ++') + -+ exec_files_pattern($2, git_home_t, git_home_t) -+ manage_dirs_pattern($2, git_home_t, git_home_t) -+ manage_files_pattern($2, git_home_t, git_home_t) ++######################################## ++## ++## Create a set of derived types for Git ++## daemon shared repository content. ++## ++## ++## ++## The prefix to be used for deriving type names. ++## ++## ++# ++template(`git_content_template',` + -+ relabel_dirs_pattern($2, git_home_t, git_home_t) -+ relabel_files_pattern($2, git_home_t, git_home_t) ++ gen_require(` ++ attribute gitd_system_content; ++ attribute gitd_content; ++ ') ++ ++ ######################################## ++ # ++ # Git daemon content shared declarations. ++ # ++ ++ type gitd_$1_content_t, gitd_system_content, gitd_content; ++ files_type(gitd_$1_content_t) +') + +######################################## +## -+## Allow the specified domain to execute -+## Git daemon data files. ++## Create a set of derived types for Git ++## daemon shared repository roles. ++## ++## ++## ++## The prefix to be used for deriving type names. ++## ++## ++# ++template(`git_role_template',` ++ ++ gen_require(` ++ class context contains; ++ role system_r; ++ ') ++ ++ ######################################## ++ # ++ # Git daemon role shared declarations. 
++ # ++ ++ attribute $1_usertype; ++ ++ type $1_t; ++ userdom_unpriv_usertype($1, $1_t) ++ domain_type($1_t) ++ ++ role $1_r types $1_t; ++ allow system_r $1_r; ++ ++ ######################################## ++ # ++ # Git daemon role shared policy. ++ # ++ ++ allow $1_t self:context contains; ++ allow $1_t self:fifo_file rw_fifo_file_perms; ++ ++ corecmd_exec_bin($1_t) ++ corecmd_bin_entry_type($1_t) ++ corecmd_shell_entry_type($1_t) ++ ++ domain_interactive_fd($1_t) ++ domain_user_exemption_target($1_t) ++ ++ kernel_read_system_state($1_t) ++ ++ files_read_etc_files($1_t) ++ files_dontaudit_search_home($1_t) ++ ++ miscfiles_read_localization($1_t) ++ ++ git_rwx_generic_system_content($1_t) ++ ++ ssh_rw_stream_sockets($1_t) ++ ++ tunable_policy(`gitd_system_use_cifs',` ++ fs_exec_cifs_files($1_t) ++ fs_manage_cifs_dirs($1_t) ++ fs_manage_cifs_files($1_t) ++ ') ++ ++ tunable_policy(`gitd_system_use_nfs',` ++ fs_exec_nfs_files($1_t) ++ fs_manage_nfs_dirs($1_t) ++ fs_manage_nfs_files($1_t) ++ ') ++ ++ optional_policy(` ++ nscd_read_pid($1_t) ++ ') ++') ++ ++####################################### ++## ++## Allow specified domain access to the ++## specified Git daemon content. +## +## +## +## Domain allowed access. +## +## -+## ++## ++## ++## Type of the object that access is allowed to. 
++## ++## +# -+interface(`git_execute_data_files', ` ++interface(`git_content_delegation',` + gen_require(` -+ type git_data_t; ++ type $1, $2; + ') + -+ exec_files_pattern($1, git_data_t, git_data_t) ++ exec_files_pattern($1, $2, $2) ++ manage_dirs_pattern($1, $2, $2) ++ manage_files_pattern($1, $2, $2) + files_search_var($1) ++ ++ tunable_policy(`gitd_system_use_cifs',` ++ fs_exec_cifs_files($1) ++ fs_manage_cifs_dirs($1) ++ fs_manage_cifs_files($1) ++ ') ++ ++ tunable_policy(`gitd_system_use_nfs',` ++ fs_exec_nfs_files($1) ++ fs_manage_nfs_dirs($1) ++ fs_manage_nfs_files($1) ++ ') +') + +######################################## +## +## Allow the specified domain to manage -+## Git daemon data content. ++## and execute all Git daemon content. +## +## +## 
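Review bot: `git_content_delegation` in this hunk grants manage and execute rights on whatever type is passed as `$2`, plus NFS/CIFS manage rights under the gitd_system_use_* tunables, but its `gen_require` only asserts that `$1` and `$2` exist, so nothing ties `$2` to the `gitd_content` attribute and a caller can delegate any file type through it. The policy language cannot enforce that here, so the contract should at least be spelled out in the interface summary: `## Type of the Git daemon content (created by git_content_template) that access is allowed to.` The identical cifs/nfs `tunable_policy` blocks repeated in this and the following interfaces could also be collapsed into one shared interface so the grants stay consistent when one of them changes.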
@@ -16448,20 +16711,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## +## +# -+interface(`git_manage_data_content', ` ++interface(`git_rwx_all_content',` + gen_require(` -+ type git_data_t; ++ attribute gitd_content; + ') + -+ manage_dirs_pattern($1, git_data_t, git_data_t) -+ manage_files_pattern($1, git_data_t, git_data_t) ++ exec_files_pattern($1, gitd_content, gitd_content) ++ manage_dirs_pattern($1, gitd_content, gitd_content) ++ manage_files_pattern($1, gitd_content, gitd_content) ++ userdom_search_user_home_dirs($1) + files_search_var($1) ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_exec_nfs_files($1) ++ fs_manage_nfs_dirs($1) ++ fs_manage_nfs_files($1) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_exec_cifs_files($1) ++ fs_manage_cifs_dirs($1) ++ fs_manage_cifs_files($1) ++ ') ++ ++ tunable_policy(`gitd_system_use_cifs',` ++ fs_exec_cifs_files($1) ++ fs_manage_cifs_dirs($1) ++ fs_manage_cifs_files($1) ++ ') ++ ++ tunable_policy(`gitd_system_use_nfs',` ++ fs_exec_nfs_files($1) ++ fs_manage_nfs_dirs($1) ++ fs_manage_nfs_files($1) ++ ') +') + +######################################## +## +## Allow the specified domain to manage -+## Git daemon home content. ++## and execute all Git daemon system content. +## +## +## 
@@ -16470,20 +16759,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## +## +# -+interface(`git_manage_home_content', ` ++interface(`git_rwx_all_system_content',` + gen_require(` -+ type git_home_t; ++ attribute gitd_system_content; + ') + -+ manage_dirs_pattern($1, git_home_t, git_home_t) -+ manage_files_pattern($1, git_home_t, git_home_t) -+ files_search_home($1) ++ exec_files_pattern($1, gitd_system_content, gitd_system_content) ++ manage_dirs_pattern($1, gitd_system_content, gitd_system_content) ++ manage_files_pattern($1, gitd_system_content, gitd_system_content) ++ files_search_var($1) ++ ++ tunable_policy(`gitd_system_use_cifs',` ++ fs_exec_cifs_files($1) ++ fs_manage_cifs_dirs($1) ++ fs_manage_cifs_files($1) ++ ') ++ ++ tunable_policy(`gitd_system_use_nfs',` ++ fs_exec_nfs_files($1) ++ fs_manage_nfs_dirs($1) ++ fs_manage_nfs_files($1) ++ ') +') + +######################################## +## -+## Allow the specified domain to read -+## Git daemon home content. ++## Allow the specified domain to manage ++## and execute Git daemon generic system content. +## +## +## 
@@ -16492,20 +16794,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## +## +# -+interface(`git_read_home_content', ` ++interface(`git_rwx_generic_system_content',` + gen_require(` -+ type git_home_t; ++ type gitd_system_content_t; + ') + -+ list_dirs_pattern($1, git_home_t, git_home_t) -+ read_files_pattern($1, git_home_t, git_home_t) -+ files_search_home($1) ++ exec_files_pattern($1, gitd_system_content_t, gitd_system_content_t) ++ manage_dirs_pattern($1, gitd_system_content_t, gitd_system_content_t) ++ manage_files_pattern($1, gitd_system_content_t, gitd_system_content_t) ++ files_search_var($1) ++ ++ tunable_policy(`gitd_system_use_cifs',` ++ fs_exec_cifs_files($1) ++ fs_manage_cifs_dirs($1) ++ fs_manage_cifs_files($1) ++ ') ++ ++ tunable_policy(`gitd_system_use_nfs',` ++ fs_exec_nfs_files($1) ++ fs_manage_nfs_dirs($1) ++ fs_manage_nfs_files($1) ++ ') +') + +######################################## +## +## Allow the specified domain to read -+## Git daemon data content. ++## all Git daemon content files. +## +## +## 
@@ -16514,20 +16829,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## +## +# -+interface(`git_read_data_content', ` ++interface(`git_read_all_content_files',` + gen_require(` -+ type git_data_t; ++ attribute gitd_content; + ') + -+ list_dirs_pattern($1, git_data_t, git_data_t) -+ read_files_pattern($1, git_data_t, git_data_t) ++ list_dirs_pattern($1, gitd_content, gitd_content) ++ read_files_pattern($1, gitd_content, gitd_content) ++ userdom_search_user_home_dirs($1) + files_search_var($1) ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ ') ++ ++ tunable_policy(`gitd_system_use_cifs',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ ') ++ ++ tunable_policy(`gitd_system_use_nfs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ ') +') + +######################################## +## -+## Allow the specified domain to relabel -+## Git daemon data content. ++## Allow the specified domain to read ++## Git daemon session content files. +## +## +## 
@@ -16536,20 +16872,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## +## +# -+interface(`git_relabel_data_content', ` ++interface(`git_read_session_content_files',` + gen_require(` -+ type git_data_t; ++ type gitd_session_content_t; + ') + -+ relabel_dirs_pattern($1, git_data_t, git_data_t) -+ relabel_files_pattern($1, git_data_t, git_data_t) -+ files_search_var($1) ++ list_dirs_pattern($1, gitd_session_content_t, gitd_session_content_t) ++ read_files_pattern($1, gitd_session_content_t, gitd_session_content_t) ++ userdom_search_user_home_dirs($1) ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ ') +') + +######################################## +## -+## Allow the specified domain to relabel -+## Git daemon home content. ++## Allow the specified domain to read ++## all Git daemon system content files. +## +## +## 
@@ -16558,114 +16904,203 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## +## +# -+interface(`git_relabel_home_content', ` ++interface(`git_read_all_system_content_files',` + gen_require(` -+ type git_home_t; ++ attribute gitd_system_content; + ') + -+ relabel_dirs_pattern($1, git_home_t, git_home_t) -+ relabel_files_pattern($1, git_home_t, git_home_t) -+ files_search_home($1) ++ list_dirs_pattern($1, gitd_system_content, gitd_system_content) ++ read_files_pattern($1, gitd_system_content, gitd_system_content) ++ files_search_var($1) ++ ++ tunable_policy(`gitd_system_use_cifs',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ ') ++ ++ tunable_policy(`gitd_system_use_nfs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ ') +') + +######################################## +## -+## All of the rules required to administrate an -+## Git daemon system environment ++## Allow the specified domain to read ++## Git daemon generic system content files. +## -+## ++## +## -+## Prefix of the domain. Example, user would be -+## the prefix for the user_t domain. ++## Domain allowed access. +## +## ++## ++# ++interface(`git_read_generic_system_content_files',` ++ gen_require(` ++ type gitd_system_content_t; ++ ') ++ ++ list_dirs_pattern($1, gitd_system_content_t, gitd_system_content_t) ++ read_files_pattern($1, gitd_system_content_t, gitd_system_content_t) ++ files_search_var($1) ++ ++ tunable_policy(`gitd_system_use_cifs',` ++ fs_list_cifs($1) ++ fs_read_cifs_files($1) ++ ') ++ ++ tunable_policy(`gitd_system_use_nfs',` ++ fs_list_nfs($1) ++ fs_read_nfs_files($1) ++ ') ++') ++ ++######################################## ++## ++## Allow the specified domain to relabel ++## all Git daemon content. ++## +## +## +## Domain allowed access. 
+## +## -+## ++## ++# ++interface(`git_relabel_all_content',` ++ gen_require(` ++ attribute gitd_content; ++ ') ++ ++ relabel_dirs_pattern($1, gitd_content, gitd_content) ++ relabel_files_pattern($1, gitd_content, gitd_content) ++ userdom_search_user_home_dirs($1) ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Allow the specified domain to relabel ++## all Git daemon system content. ++## ++## +## -+## The role to be allowed to manage the Git daemon domain. ++## Domain allowed access. +## +## +## +# -+interface(`git_system_admin', ` ++interface(`git_relabel_all_system_content',` + gen_require(` -+ type gitd_t, gitd_exec_t; ++ attribute gitd_system_content; + ') + -+ allow $1 gitd_t:process { getattr ptrace signal_perms }; -+ ps_process_pattern($1, gitd_t) -+ -+ kernel_search_proc($1) ++ relabel_dirs_pattern($1, gitd_system_content, gitd_system_content) ++ relabel_files_pattern($1, gitd_system_content, gitd_system_content) ++ files_search_var($1) ++') + -+ manage_files_pattern($1, gitd_exec_t, gitd_exec_t) ++######################################## ++## ++## Allow the specified domain to relabel ++## Git daemon generic system content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`git_relabel_generic_system_content',` ++ gen_require(` ++ type gitd_system_content_t; ++ ') + -+ # This will not work since git-shell needs to execute gitd content thus public content files. -+ # There is currently no clean way to execute public content files. -+ # miscfiles_manage_public_files($1) ++ relabel_dirs_pattern($1, gitd_system_content_t, gitd_system_content_t) ++ relabel_files_pattern($1, gitd_system_content_t, gitd_system_content_t) ++ files_search_var($1) ++') + -+ git_manage_data_content($1) -+ git_relabel_data_content($1) ++######################################## ++## ++## Allow the specified domain to relabel ++## Git daemon session content. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`git_relabel_session_content',` ++ gen_require(` ++ type gitd_session_content_t; ++ ') + -+ seutil_domtrans_setfiles($1) ++ relabel_dirs_pattern($1, gitd_session_content_t, gitd_session_content_t) ++ relabel_files_pattern($1, gitd_session_content_t, gitd_session_content_t) ++ userdom_search_user_home_dirs($1) +') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.7/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/services/git.te 2010-01-11 09:53:58.000000000 -0500 -@@ -1,9 +1,173 @@ ++++ serefpolicy-3.7.7/policy/modules/services/git.te 2010-01-14 16:12:14.000000000 -0500 +@@ -1,9 +1,181 @@ - policy_module(git, 1.0) - -+attribute gitd_type; -+attribute git_content_type; -+ -+######################################## -+# -+# Git daemon system private declarations. -+# +-policy_module(git, 1.0) ++policy_module(gitd, 1.0.3) + +## +##
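Review bot: `policy_module(gitd, 1.0.3)` in the git.te header names the module `gitd` while the file stays git.te and the modules-*.conf entries are not touched by this commit; the reference policy build derives module names from file names, and it is not clear from this hunk that the mismatch is tolerated — confirm, or keep `policy_module(git, 1.0.3)`. This hunk also removes the `git_system_admin` interface without a replacement anywhere in the new git.if, so there is no longer a single interface an admin role can call to manage the daemon and its content; if that is intended, it deserves a line in the commit message.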

+## Allow Git daemon system to search home directories. +##

+##
-+gen_tunable(git_system_enable_homedirs, false) ++gen_tunable(gitd_system_enable_homedirs, false) + +## +##

+## Allow Git daemon system to access cifs file systems. +##

+##
-+gen_tunable(git_system_use_cifs, false) ++gen_tunable(gitd_system_use_cifs, false) + +## +##

+## Allow Git daemon system to access nfs file systems. +##

+##
-+gen_tunable(git_system_use_nfs, false) ++gen_tunable(gitd_system_use_nfs, false) + +######################################## +# +# Git daemon global private declarations. +# ++ ++attribute gitd_domains; ++attribute gitd_system_content; ++attribute gitd_content; ++ +type gitd_exec_t; + -+type gitd_t, gitd_type; -+inetd_service_domain(gitd_t, gitd_exec_t) -+role system_r types gitd_t; ++######################################## ++# ++# Git daemon system private declarations. ++# + -+type git_data_t, git_content_type; -+files_type(git_data_t) ++type gitd_system_t, gitd_domains; ++inetd_service_domain(gitd_system_t, gitd_exec_t) ++role system_r types gitd_system_t; + -+permissive gitd_t; ++type gitd_system_content_t, gitd_system_content, gitd_content; ++files_type(gitd_system_content_t) ++typealias gitd_system_content_t alias git_data_t; + +######################################## +# -+# Git daemon session session private declarations. ++# Git daemon session private declarations. +# + +## @@ -16674,87 +17109,84 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## tcp sockets to all unreserved ports. +##

+##
-+gen_tunable(git_session_bind_all_unreserved_ports, false) ++gen_tunable(gitd_session_bind_all_unreserved_ports, false) + -+type gitd_session_t, gitd_type; ++type gitd_session_t, gitd_domains; +application_domain(gitd_session_t, gitd_exec_t) +ubac_constrained(gitd_session_t) + -+type git_home_t, git_content_type; -+userdom_user_home_content(git_home_t) -+ -+permissive gitd_session_t; ++type gitd_session_content_t, gitd_content; ++userdom_user_home_content(gitd_session_content_t) + +######################################## +# +# Git daemon global private policy. +# + -+allow gitd_type self:fifo_file rw_fifo_file_perms; -+allow gitd_type self:tcp_socket create_socket_perms; -+allow gitd_type self:udp_socket create_socket_perms; -+allow gitd_type self:unix_dgram_socket create_socket_perms; ++allow gitd_domains self:fifo_file rw_fifo_file_perms; ++allow gitd_domains self:netlink_route_socket create_netlink_socket_perms; ++allow gitd_domains self:tcp_socket { create_socket_perms listen }; ++allow gitd_domains self:udp_socket create_socket_perms; ++allow gitd_domains self:unix_dgram_socket create_socket_perms; ++ ++corenet_all_recvfrom_netlabel(gitd_domains) ++corenet_all_recvfrom_unlabeled(gitd_domains) + -+corenet_all_recvfrom_netlabel(gitd_type) -+corenet_all_recvfrom_unlabeled(gitd_type) ++corenet_tcp_bind_generic_node(gitd_domains) + -+corenet_tcp_sendrecv_all_if(gitd_type) -+corenet_tcp_sendrecv_all_nodes(gitd_type) -+corenet_tcp_sendrecv_all_ports(gitd_type) ++corenet_tcp_sendrecv_generic_if(gitd_domains) ++corenet_tcp_sendrecv_generic_node(gitd_domains) ++corenet_tcp_sendrecv_generic_port(gitd_domains) + -+corenet_tcp_bind_all_nodes(gitd_type) -+corenet_tcp_bind_git_port(gitd_type) ++corenet_tcp_bind_git_port(gitd_domains) ++corenet_sendrecv_git_server_packets(gitd_domains) + -+corecmd_exec_bin(gitd_type) ++corecmd_exec_bin(gitd_domains) + -+files_read_etc_files(gitd_type) -+files_read_usr_files(gitd_type) ++files_read_etc_files(gitd_domains) 
++files_read_usr_files(gitd_domains) + -+fs_search_auto_mountpoints(gitd_type) ++fs_search_auto_mountpoints(gitd_domains) + -+kernel_read_system_state(gitd_type) ++kernel_read_system_state(gitd_domains) + -+logging_send_syslog_msg(gitd_type) ++auth_use_nsswitch(gitd_domains) + -+auth_use_nsswitch(gitd_type) ++logging_send_syslog_msg(gitd_domains) + -+miscfiles_read_localization(gitd_type) ++miscfiles_read_localization(gitd_domains) + +######################################## +# +# Git daemon system repository private policy. +# + -+list_dirs_pattern(gitd_t, git_content_type, git_content_type) -+read_files_pattern(gitd_t, git_content_type, git_content_type) -+files_search_var(gitd_t) ++list_dirs_pattern(gitd_system_t, gitd_content, gitd_content) ++read_files_pattern(gitd_system_t, gitd_content, gitd_content) ++files_search_var(gitd_system_t) + -+# This will not work since git-shell needs to execute gitd content thus public content files. -+# There is currently no clean way to execute public content files. 
-+# miscfiles_read_public_files(gitd_t) -+ -+tunable_policy(`git_system_enable_homedirs', ` -+ userdom_search_user_home_dirs(gitd_t) ++tunable_policy(`gitd_system_enable_homedirs', ` ++ userdom_search_user_home_dirs(gitd_system_t) +') + -+tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', ` -+ fs_list_nfs(gitd_t) -+ fs_read_nfs_files(gitd_t) ++tunable_policy(`gitd_system_enable_homedirs && use_nfs_home_dirs', ` ++ fs_list_nfs(gitd_system_t) ++ fs_read_nfs_files(gitd_system_t) +') + -+tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', ` -+ fs_list_cifs(gitd_t) -+ fs_read_cifs_files(gitd_t) ++tunable_policy(`gitd_system_enable_homedirs && use_samba_home_dirs', ` ++ fs_list_cifs(gitd_system_t) ++ fs_read_cifs_files(gitd_system_t) +') + -+tunable_policy(`git_system_use_cifs', ` -+ fs_list_cifs(gitd_t) -+ fs_read_cifs_files(gitd_t) ++tunable_policy(`gitd_system_use_cifs', ` ++ fs_list_cifs(gitd_system_t) ++ fs_read_cifs_files(gitd_system_t) +') + -+tunable_policy(`git_system_use_nfs', ` -+ fs_list_nfs(gitd_t) -+ fs_read_nfs_files(gitd_t) ++tunable_policy(`gitd_system_use_nfs', ` ++ fs_list_nfs(gitd_system_t) ++ fs_read_nfs_files(gitd_system_t) +') + +######################################## @@ -16762,13 +17194,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +# Git daemon session repository private policy. +# + -+list_dirs_pattern(gitd_session_t, git_home_t, git_home_t) -+read_files_pattern(gitd_session_t, git_home_t, git_home_t) ++list_dirs_pattern(gitd_session_t, gitd_session_content_t, gitd_session_content_t) ++read_files_pattern(gitd_session_t, gitd_session_content_t, gitd_session_content_t) +userdom_search_user_home_dirs(gitd_session_t) + +userdom_use_user_terminals(gitd_session_t) + -+tunable_policy(`git_session_bind_all_unreserved_ports', ` ++tunable_policy(`gitd_session_bind_all_unreserved_ports', ` + corenet_tcp_bind_all_unreserved_ports(gitd_session_t) +') + 
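Review bot: The session content type `git_home_t` is replaced by `gitd_session_content_t` without a `typealias`, so files in user home directories that are already labelled `git_home_t` are left with an invalid context once the new policy loads, until someone relabels them; the system-side rename keeps an alias, and the session side should too: `typealias gitd_session_content_t alias git_home_t;` next to the `userdom_user_home_content(gitd_session_content_t)` call. The booleans renamed in this hunk (`git_session_bind_all_unreserved_ports`, `git_system_enable_homedirs`, `git_system_use_cifs`, `git_system_use_nfs`) have the same upgrade problem: persistent settings made under the old names are silently lost rather than migrated, which is worth a line in the package changelog so administrators can re-apply them. Dropping `permissive gitd_session_t` and narrowing the corenet calls from `_all_` to `_generic_` are good; the git.te module continues outside this hunk.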
@@ -16782,14 +17214,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + fs_read_cifs_files(gitd_session_t) +') + ++######################################## ++# ++# cgi git Declarations ++# ++ ++optional_policy(` ++ apache_content_template(git) ++ git_read_session_content_files(httpd_git_script_t) ++') + ######################################## # -# Declarations -+# cgi git Declarations ++# Git-shell private policy. # - apache_content_template(git) -+git_read_data_content(httpd_git_script_t) +-apache_content_template(git) ++git_role_template(git_shell) ++gen_user(git_shell_u, user, git_shell_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.7/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500 +++ serefpolicy-3.7.7/policy/modules/services/gpsd.te 2010-01-11 09:53:58.000000000 -0500 
@@ -21251,6 +21694,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.7/policy/modules/services/puppet.te +--- nsaserefpolicy/policy/modules/services/puppet.te 2009-11-12 12:51:51.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/services/puppet.te 2010-01-14 10:36:57.000000000 -0500 +@@ -17,6 +17,7 @@ + type puppet_t; + type puppet_exec_t; + init_daemon_domain(puppet_t, puppet_exec_t) ++permissive puppet_t; + + type puppet_etc_t; + files_config_file(puppet_etc_t) +@@ -39,6 +40,7 @@ + type puppetmaster_t; + type puppetmaster_exec_t; + init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) ++permissive puppetmaster_t; + + type puppetmaster_initrc_exec_t; + init_script_file(puppetmaster_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.7/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.7/policy/modules/services/pyzor.fc 2010-01-11 09:53:58.000000000 -0500 @@ -24969,54 +25431,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.7/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/services/ssh.te 2010-01-11 09:53:58.000000000 -0500 -@@ -8,6 +8,31 @@ - - ## - ##
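Review bot: The apache block now grants `git_read_session_content_files(httpd_git_script_t)` where the replaced line granted `git_read_data_content`, which moves the CGI domain's read access from the system repository type to the per-user session content type; if the CGI is also expected to serve repositories under /var, that read needs to stay. Neither interface is defined in this hunk, so this is already covered if `git_read_session_content_files` grants the whole `gitd_content` attribute — worth confirming against git.if. `gen_user(git_shell_u, user, git_shell_r, s0, s0)` introduces a new SELinux user with no comment; a one-liner such as `# git_shell_u: SELinux user for accounts whose login shell is git-shell` would tell the next reader who is meant to be mapped to it. The git.te module ends here, but its earlier declarations are outside this hunk.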
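Review bot: `permissive puppet_t;` and `permissive puppetmaster_t;` are added to both declaration blocks, so although the module is now built, neither daemon is actually confined: denials are logged but not enforced, and the policy's only effect until these lines go is the audit trail. Both domains run as root and puppetmaster pushes configuration to every managed host, so the permissive state deserves an explicit marker rather than a bare statement, e.g. `# TODO: permissive while the policy is exercised; remove before relying on enforcement` above each line, and an issue to track its removal. Only the declaration fragments of puppet.te are visible here; the rest of the module is outside this hunk.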

-+## Allow sftp to upload files, used for public file -+## transfer services. Directories must be labeled -+## public_content_rw_t. -+##

-+##
-+gen_tunable(allow_sftpd_anon_write, false) -+ -+## -+##

-+## Allow sftp to login to local users and -+## read/write all files on the system, governed by DAC. -+##

-+##
-+gen_tunable(allow_sftpd_full_access, false) -+ -+## -+##

-+## Allow interlnal-sftp to read and write files -+## in the user ssh home directories. -+##

-+##
-+gen_tunable(sftpd_ssh_home_dir, false) -+ -+## -+##

- ## allow host key based authentication - ##

- ##
-@@ -41,6 +66,13 @@ ++++ serefpolicy-3.7.7/policy/modules/services/ssh.te 2010-01-14 14:12:19.000000000 -0500 +@@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) +type sshd_tmpfs_t; +files_tmpfs_file(sshd_tmpfs_t) + -+type sftpd_t; -+domain_type(sftpd_t) -+role system_r types sftpd_t; -+ ifdef(`enable_mcs',` init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) ') -@@ -75,7 +107,7 @@ +@@ -75,7 +78,7 @@ ubac_constrained(ssh_tmpfs_t) type home_ssh_t; @@ -25025,7 +25451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; files_type(home_ssh_t) userdom_user_home_content(home_ssh_t) -@@ -95,8 +127,7 @@ +@@ -95,8 +98,7 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; @@ -25035,7 +25461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # Read the ssh key file. allow ssh_t sshd_key_t:file read_file_perms; -@@ -115,6 +146,7 @@ +@@ -115,6 +117,7 @@ manage_dirs_pattern(ssh_t, home_ssh_t, home_ssh_t) manage_sock_files_pattern(ssh_t, home_ssh_t, home_ssh_t) userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file }) @@ -25043,7 +25469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -126,11 +158,13 @@ +@@ -126,11 +129,13 @@ read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t) # ssh servers can read the user keys and config 
@@ -25060,7 +25486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. corenet_all_recvfrom_unlabeled(ssh_t) corenet_all_recvfrom_netlabel(ssh_t) -@@ -139,6 +173,8 @@ +@@ -139,6 +144,8 @@ corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -25069,7 +25495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dev_read_urand(ssh_t) -@@ -160,19 +196,19 @@ +@@ -160,19 +167,19 @@ logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) @@ -25092,7 +25518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -194,18 +230,7 @@ +@@ -194,18 +201,7 @@ # for port forwarding tunable_policy(`user_tcp_server',` corenet_tcp_bind_ssh_port(ssh_t) @@ -25112,7 +25538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -294,6 +319,8 @@ +@@ -294,6 +290,8 @@ allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -25121,7 +25547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -@@ -310,16 +337,30 @@ +@@ -310,27 +308,50 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) 
@@ -25140,21 +25566,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. - userdom_spec_domtrans_all_users(sshd_t) userdom_signal_all_users(sshd_t) -',` -+') +- userdom_spec_domtrans_unpriv_users(sshd_t) +- userdom_signal_unpriv_users(sshd_t) + ') + ++userdom_spec_domtrans_unpriv_users(sshd_t) ++userdom_signal_unpriv_users(sshd_t) + - userdom_spec_domtrans_unpriv_users(sshd_t) - userdom_signal_unpriv_users(sshd_t) + optional_policy(` + daemontools_service_domain(sshd_t, sshd_exec_t) + ') + + optional_policy(` ++ kerberos_keytab_template(sshd, sshd_t) ++') + +optional_policy(` -+ kerberos_keytab_template(sshd, sshd_t) ++ ftp_dyntransition_sftpd(sshd_t) ++ ftp_dyntransition_sftpd_anon(sshd_t) +') + +optional_policy(` + gitosis_manage_var_lib(sshd_t) - ') - - optional_policy(` -@@ -331,6 +372,10 @@ ++') ++ ++optional_policy(` + inetd_tcp_service_domain(sshd_t, sshd_exec_t) ') optional_policy(` @@ -25165,7 +25602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. rpm_use_script_fds(sshd_t) ') -@@ -341,10 +386,18 @@ +@@ -341,10 +362,18 @@ ') optional_policy(` @@ -25185,7 +25622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd -@@ -400,18 +453,63 @@ +@@ -400,15 +429,13 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) 
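Review bot: `ftp_dyntransition_sftpd(sshd_t)` and `ftp_dyntransition_sftpd_anon(sshd_t)` let sshd enter the sftpd domains by `dyntransition`, which is a `setcon()` issued by the running process rather than an exec boundary: the sshd process's open descriptors and memory carry over into the new domain, and the confinement only holds if sshd makes the call at the right point. A short comment would stop the next reader from assuming an exec-based transition, e.g. `# internal-sftp: sshd switches to sftpd_t itself via setcon(); no exec, so no entrypoint check applies`. `userdom_spec_domtrans_unpriv_users(sshd_t)` and `userdom_signal_unpriv_users(sshd_t)` are also lifted out of the `ssh_sysadm_login` else branch and become unconditional; that looks intended, since the true branch already covers all users, but it is worth saying so in the commit text. The sshd_t policy extends beyond this hunk on both sides.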
@@ -25203,56 +25640,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. seutil_sigchld_newrole(ssh_keygen_t) ') - optional_policy(` - udev_read_db(ssh_keygen_t) - ') -+ -+####################################### -+# -+# sftp Local policy -+# -+ -+allow ssh_server sftpd_t:process dyntransition; -+ -+ssh_sigchld(sftpd_t) -+ -+files_read_all_files(sftpd_t) -+files_read_all_symlinks(sftpd_t) -+ -+fs_read_noxattr_fs_files(sftpd_t) -+fs_read_nfs_files(sftpd_t) -+fs_read_cifs_files(sftpd_t) -+ -+# allow access to /home by default -+userdom_manage_user_home_content_dirs(sftpd_t) -+userdom_manage_user_home_content_files(sftpd_t) -+userdom_manage_user_home_content_symlinks(sftpd_t) -+ -+userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) -+ -+tunable_policy(`allow_sftpd_anon_write',` -+ miscfiles_manage_public_files(sftpd_t) -+') -+ -+tunable_policy(`allow_sftpd_full_access',` -+ allow sftpd_t self:capability { dac_override dac_read_search }; -+ fs_read_noxattr_fs_files(sftpd_t) -+ auth_manage_all_files_except_shadow(sftpd_t) -+') -+ -+tunable_policy(`sftpd_ssh_home_dir',` -+ ssh_manage_user_home_files(sftpd_t) -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(sftpd_t) -+ fs_manage_nfs_files(sftpd_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(sftpd_t) -+ fs_manage_cifs_files(sftpd_t) -+') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.7/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-07 14:53:53.000000000 -0500 +++ serefpolicy-3.7.7/policy/modules/services/sssd.if 2010-01-11 09:53:58.000000000 -0500 
@@ -25849,8 +26236,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.7/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/services/virt.fc 2010-01-11 09:53:58.000000000 -0500 -@@ -8,5 +8,18 @@ ++++ serefpolicy-3.7.7/policy/modules/services/virt.fc 2010-01-12 10:28:03.000000000 -0500 +@@ -4,9 +4,26 @@ + /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) + /etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) + ++/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) ++/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) ++/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) ++/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) + /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) @@ -26574,7 +26969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.7/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/services/xserver.fc 2010-01-11 09:53:58.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/services/xserver.fc 2010-01-14 09:21:39.000000000 -0500 @@ -3,12 +3,21 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) 
@@ -26609,16 +27004,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # # /opt # -@@ -47,8 +51,6 @@ +@@ -47,21 +51,22 @@ # /tmp # -/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.ICE-unix/.* -s <> /tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) - /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) - /tmp/\.X11-unix/.* -s <> -@@ -58,10 +60,14 @@ +-/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) +-/tmp/\.X11-unix/.* -s <> ++/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) + + # + # /usr # /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) @@ -26633,7 +27031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,17 +95,37 @@ +@@ -89,17 +94,37 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -26676,7 +27074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.7/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.7/policy/modules/services/xserver.if 2010-01-11 09:53:58.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/services/xserver.if 2010-01-14 14:21:14.000000000 -0500 @@ -19,7 +19,7 @@ interface(`xserver_restricted_role',` gen_require(` 
@@ -26686,7 +27084,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type iceauth_t, iceauth_exec_t, iceauth_home_t; type xauth_t, xauth_exec_t, xauth_home_t; ') -@@ -56,6 +56,13 @@ +@@ -45,6 +45,7 @@ + manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + + stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) ++ allow $2 xserver_tmp_t:sock_file unlink; + files_search_tmp($2) + + # Communicate via System V shared memory. +@@ -56,6 +57,13 @@ domtrans_pattern($2, iceauth_exec_t, iceauth_t) @@ -26700,7 +27106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $2 iceauth_home_t:file read_file_perms; domtrans_pattern($2, xauth_exec_t, xauth_t) -@@ -71,9 +78,10 @@ +@@ -71,9 +79,10 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; @@ -26713,7 +27119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $2 xserver_t:fd use; -@@ -96,7 +104,6 @@ +@@ -96,7 +105,6 @@ miscfiles_read_fonts($2) xserver_common_x_domain_template(user, $2) @@ -26721,7 +27127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -104,6 +111,7 @@ +@@ -104,6 +112,7 @@ xserver_read_xdm_pid($2) # gnome-session creates socket under /tmp/.ICE-unix/ xserver_create_xdm_tmp_sockets($2) @@ -26729,7 +27135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) -@@ -162,7 +170,6 @@ +@@ -162,7 +171,6 @@ manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) 
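Review bot: `allow $2 xserver_tmp_t:sock_file unlink;` is added without a comment to an interface that the preceding context suggests is `xserver_restricted_role`, so every user domain given the restricted role may remove the X server's listening socket in /tmp, not merely connect to it as the `stream_connect_pattern` on the line above allows. If the line only silences a denial from a session cleanup path, a `dontaudit` would be the safer choice; if the unlink is genuinely needed, a why-comment naming the program that removes the socket (`# <program>: removes stale /tmp/.X11-unix sockets on startup -- TODO confirm`) would document the decision. The interface body continues outside this hunk.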
@@ -26737,7 +27143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ####################################### -@@ -197,7 +204,7 @@ +@@ -197,7 +205,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -26746,7 +27152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $1 xserver_t:fd use; -@@ -260,12 +267,12 @@ +@@ -260,12 +268,12 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -26762,7 +27168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -445,6 +452,7 @@ +@@ -445,6 +453,7 @@ xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) @@ -26770,7 +27176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X object manager xserver_object_types_template($1) -@@ -514,6 +522,12 @@ +@@ -514,6 +523,12 @@ ') domtrans_pattern($1, xauth_exec_t, xauth_t) @@ -26783,7 +27189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -567,6 +581,7 @@ +@@ -567,6 +582,7 @@ allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -26791,7 +27197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -774,7 +789,7 @@ +@@ -774,7 +790,7 @@ ') files_search_pids($1) @@ -26800,7 +27206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1219,3 +1234,329 @@ +@@ -1219,3 +1235,329 @@ typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') 
@@ -28404,6 +28810,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty. dev_read_sysfs(getty_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.7/policy/modules/system/hotplug.te +--- nsaserefpolicy/policy/modules/system/hotplug.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.7/policy/modules/system/hotplug.te 2010-01-14 09:14:35.000000000 -0500 +@@ -125,6 +125,10 @@ + ') + + optional_policy(` ++ brctl_domtrans(hotplug_t) ++') ++ ++optional_policy(` + consoletype_exec(hotplug_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.7/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.7/policy/modules/system/init.fc 2010-01-11 09:53:58.000000000 -0500 @@ -28432,7 +28852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.7/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.7/policy/modules/system/init.if 2010-01-11 10:12:28.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/system/init.if 2010-01-14 10:25:44.000000000 -0500 @@ -162,6 +162,7 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -28690,7 +29110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.7/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.7/policy/modules/system/init.te 2010-01-11 10:27:23.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/system/init.te 2010-01-14 15:15:41.000000000 -0500 
@@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -28756,7 +29176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -189,6 +208,18 @@ +@@ -189,6 +208,22 @@ ') optional_policy(` @@ -28764,6 +29184,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +') + +optional_policy(` ++ dbus_system_bus_client(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. @@ -28775,7 +29199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t nscd_socket_use(init_t) ') -@@ -202,9 +233,10 @@ +@@ -202,9 +237,10 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -28787,7 +29211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # Allow IPC with self allow initrc_t self:unix_dgram_socket create_socket_perms; -@@ -217,7 +249,8 @@ +@@ -217,7 +253,8 @@ term_create_pty(initrc_t, initrc_devpts_t) # Going to single user mode @@ -28797,7 +29221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t, init_script_file_type) -@@ -230,10 +263,16 @@ +@@ -230,10 +267,16 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -28816,7 +29240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) init_write_initctl(initrc_t) -@@ -246,13 +285,19 @@ +@@ -246,13 +289,19 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -28838,7 +29262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -@@ -272,16 +317,66 @@ +@@ -272,16 +321,66 @@ dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) @@ -28906,7 +29330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -291,7 +386,7 @@ +@@ -291,7 +390,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -28915,7 +29339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -306,14 +401,15 @@ +@@ -306,14 +405,15 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28933,7 +29357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -324,48 +420,16 @@ +@@ -324,48 +424,16 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28986,7 +29410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -374,19 +438,22 @@ +@@ -374,19 +442,22 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -29010,7 +29434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -422,16 +489,12 @@ +@@ -422,16 +493,12 @@ # init scripts touch this clock_dontaudit_write_adjtime(initrc_t) 
@@ -29028,7 +29452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` arpwatch_manage_data_files(initrc_t) -@@ -450,11 +513,9 @@ +@@ -450,11 +517,9 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -29041,7 +29465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # These seem to be from the initrd # during device initialization: dev_create_generic_dirs(initrc_t) -@@ -464,6 +525,7 @@ +@@ -464,6 +529,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) @@ -29049,7 +29473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -492,15 +554,26 @@ +@@ -492,15 +558,26 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -29076,7 +29500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -515,6 +588,33 @@ +@@ -515,6 +592,33 @@ ') ') @@ -29110,7 +29534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -567,10 +667,19 @@ +@@ -567,10 +671,19 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -29130,7 +29554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -590,6 +699,10 @@ +@@ -590,6 +703,10 @@ ') optional_policy(` @@ -29141,7 +29565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -646,20 +759,20 @@ +@@ -646,20 +763,20 @@ ') optional_policy(` 
@@ -29168,7 +29592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -668,6 +781,7 @@ +@@ -668,6 +785,7 @@ mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) @@ -29176,7 +29600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -700,7 +814,6 @@ +@@ -700,7 +818,6 @@ ') optional_policy(` @@ -29184,7 +29608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -722,8 +835,6 @@ +@@ -722,8 +839,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -29193,7 +29617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -736,13 +847,16 @@ +@@ -736,13 +851,16 @@ squid_manage_logs(initrc_t) ') @@ -29210,7 +29634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -751,6 +865,7 @@ +@@ -751,6 +869,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -29218,7 +29642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -758,7 +873,17 @@ +@@ -758,7 +877,17 @@ ') optional_policy(` @@ -29236,7 +29660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -768,6 +893,21 @@ +@@ -768,6 +897,21 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -29258,7 +29682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -793,3 +933,31 @@ +@@ -793,3 +937,31 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -31384,7 +31808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.7/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/system/selinuxutil.te 2010-01-11 09:53:58.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/system/selinuxutil.te 2010-01-14 10:26:10.000000000 -0500 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -31442,7 +31866,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Checkpolicy local policy -@@ -191,15 +204,6 @@ +@@ -177,6 +190,7 @@ + + init_use_script_fds(load_policy_t) + init_use_script_ptys(load_policy_t) ++init_write_script_pipes(load_policy_t) + + miscfiles_read_localization(load_policy_t) + +@@ -191,15 +205,6 @@ ') ') @@ -31458,7 +31890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Newrole local policy -@@ -217,7 +221,7 @@ +@@ -217,7 +222,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -31467,7 +31899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -270,12 +274,14 @@ +@@ -270,12 +275,14 @@ init_rw_utmp(newrole_t) init_use_fds(newrole_t) 
@@ -31482,7 +31914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content(newrole_t) userdom_search_user_home_dirs(newrole_t) -@@ -313,6 +319,8 @@ +@@ -313,6 +320,8 @@ kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -31491,7 +31923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) -@@ -336,6 +344,8 @@ +@@ -336,6 +345,8 @@ seutil_libselinux_linked(restorecond_t) @@ -31500,7 +31932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -354,7 +364,7 @@ +@@ -354,7 +365,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -31509,7 +31941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -383,7 +393,6 @@ +@@ -383,7 +394,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) @@ -31517,7 +31949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -406,6 +415,10 @@ +@@ -406,6 +416,10 @@ ') ') @@ -31528,7 +31960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -421,61 +434,22 @@ +@@ -421,61 +435,22 @@ # semodule local policy # 
@@ -31598,7 +32030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -484,12 +458,23 @@ +@@ -484,12 +459,23 @@ files_read_var_lib_symlinks(semanage_t) ') @@ -31622,7 +32054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -499,111 +484,43 @@ +@@ -499,111 +485,43 @@ userdom_read_user_tmp_files(semanage_t) ') @@ -32288,7 +32720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.7/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/system/unconfined.if 2010-01-11 09:53:58.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/system/unconfined.if 2010-01-13 14:39:35.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -32360,7 +32792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -111,16 +123,16 @@ +@@ -111,16 +123,15 @@ ## # interface(`unconfined_domain',` @@ -32373,7 +32805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf tunable_policy(`allow_execheap',` auditallow $1 self:process execheap; ') - +- -# Turn off this audit for FC5 -# tunable_policy(`allow_execmem',` -# auditallow $1 self:process execmem; @@ -32381,7 +32813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -173,411 +185,3 @@ +@@ -173,411 +184,3 @@ refpolicywarn(`$0($1) has been deprecated.') ') 
@@ -33027,12 +33459,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.7/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.7/policy/modules/system/userdomain.fc 2010-01-11 09:53:58.000000000 -0500 -@@ -1,4 +1,10 @@ ++++ serefpolicy-3.7.7/policy/modules/system/userdomain.fc 2010-01-14 09:22:34.000000000 -0500 +@@ -1,4 +1,11 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) - ++/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) @@ -35549,7 +35982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.7/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.7/policy/modules/system/xen.te 2010-01-11 09:53:58.000000000 -0500 ++++ serefpolicy-3.7.7/policy/modules/system/xen.te 2010-01-12 10:27:16.000000000 -0500 @@ -85,6 +85,7 @@ type xenconsoled_t; type xenconsoled_exec_t; @@ -35602,7 +36035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te storage_raw_read_fixed_disk(xenstored_t) storage_raw_write_fixed_disk(xenstored_t) storage_raw_read_removable_device(xenstored_t) -@@ -421,6 +431,12 @@ +@@ -421,7 +431,14 @@ xen_stream_connect_xenstore(xm_t) optional_policy(` 
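Review bot: The new file context `/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)` in the userdomain.fc hunk labels a directory that every logged-in X session shares, so keeping one user's ICE sockets away from another's then rests on DAC (and MCS categories where they are assigned) rather than on type separation; that matches how the neighbouring /tmp entries are labelled, but it deserves a one-line comment in the .fc, e.g. `# shared by all X sessions; per-user separation is DAC/MCS only`. Separately, the text immediately before the new entry reads ` - ++/tmp/\.ICE-unix…`, which I cannot resolve with certainty in this rendering: if the inner patch now drops the blank context line, the retained old count in `+@@ -1,4 +1,11 @@` no longer matches and patch will reject the hunk at build time, so please confirm the blank context line is still present. The remainder of this hunk is the usual timestamp and header renumbering.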
@@ -35613,9 +36046,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te + +optional_policy(` virt_manage_images(xm_t) ++ virt_manage_config(xm_t) virt_stream_connect(xm_t) ') -@@ -438,6 +454,8 @@ + +@@ -438,6 +455,8 @@ fs_manage_xenfs_dirs(xm_ssh_t) fs_manage_xenfs_files(xm_ssh_t) @@ -35626,7 +36061,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te files_search_mnt(xend_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.7/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.7/policy/support/obj_perm_sets.spt 2010-01-11 09:53:58.000000000 -0500 ++++ serefpolicy-3.7.7/policy/support/obj_perm_sets.spt 2010-01-14 09:16:41.000000000 -0500 +@@ -28,7 +28,7 @@ + # + # All socket classes. + # +-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }') ++define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') + + + # @@ -199,12 +199,14 @@ # define(`getattr_file_perms',`{ getattr }') diff --git a/selinux-policy.spec b/selinux-policy.spec index 91386ed..0b0225e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
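Review bot: `virt_manage_config(xm_t)` in the xen.te hunk gives the xm management tool create/write/delete access to libvirt's configuration files, which is more than a tool that merely consumes that configuration needs; if xm only reads it, the read-only variant of that interface (virt_read_config, if this policy's virt.if provides it) is the least-privilege choice. If xm genuinely rewrites the files, the hunk should say why, e.g. `# xm needs write access to virt config because <reason — TODO>` above the new line, since nothing in the commit message covers the xen/virt change. The inner header change to `-421,7 +431,14` is consistent with the added blank line and the new rule. The optional_policy block is fully visible here, but the surrounding xen.te hunk continues outside this outer hunk.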
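Review bot: Adding `tun_socket` to `socket_class_set` in the new obj_perm_sets.spt hunk silently widens every rule that expands the set — including the `self:socket_class_set` grants handed to unconfined and other broad domains — to the TUN/TAP socket class, rather than granting it to the specific domains that showed denials. That is presumably acceptable for unconfined domains, but a per-domain `allow foo_t self:tun_socket create_socket_perms;` would be far easier to audit, and the build only succeeds if the class is declared in policy/flask for this refpolicy version (checkpolicy rejects an unknown class). Either way, a one-line comment beside the define, e.g. `# tun_socket: added for domains that manage TUN/TAP devices`, would record why the generic set grew, and this change too is absent from the commit message.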
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.7 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -455,6 +455,10 @@ exit 0 %endif %changelog +* Thu Jan 7 2010 Dan Walsh 3.7.7-2 +- Turn on puppet policy +- Update to dgrift git policy + * Mon Jan 7 2010 Dan Walsh 3.7.7-1 - Move users file to selection by spec file. - Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t