From bae2e9888eee9eb2a8a81cefe53798454da75ca6 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Dec 22 2008 19:35:46 +0000
Subject: - Add missing alias for home directory content
---
diff --git a/policy-20081111.patch b/policy-20081111.patch
index 90f3b13..f52dfd7 100644
--- a/policy-20081111.patch
+++ b/policy-20081111.patch
@@ -240,6 +240,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak $(appdir)/%: $(appconf)/% @mkdir -p $(appdir) $(verbose) $(INSTALL) -m 644 $< $@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.1/man/man8/httpd_selinux.8 +--- nsaserefpolicy/man/man8/httpd_selinux.8 2008-08-25 09:12:31.000000000 -0400 ++++ serefpolicy-3.6.1/man/man8/httpd_selinux.8 2008-12-22 11:16:09.000000000 -0500 +@@ -41,7 +41,7 @@ + - Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. + + .SH NOTE +-With certain policies you can define addional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. ++With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. + + .SH SHARING FILES + If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: +@@ -75,7 +75,7 @@ + .EE + + .PP +-httpd by default is not allowed access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. 
Set the httpd_tty_comm boolean to allow terminal access. ++httpd by default is not allowed access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. + + .EX + setsebool -P httpd_tty_comm 1 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/kerberos_selinux.8 serefpolicy-3.6.1/man/man8/kerberos_selinux.8 +--- nsaserefpolicy/man/man8/kerberos_selinux.8 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.6.1/man/man8/kerberos_selinux.8 2008-12-22 11:16:22.000000000 -0500 +@@ -12,7 +12,7 @@ + .SH "DESCRIPTION" + + Security-Enhanced Linux secures the system via flexible mandatory access +-control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and addtional access to the network. ++control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and additional access to the network. + .SH BOOLEANS + .PP + You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment. +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.1/man/man8/nfs_selinux.8 +--- nsaserefpolicy/man/man8/nfs_selinux.8 2008-08-07 11:15:14.000000000 -0400 ++++ serefpolicy-3.6.1/man/man8/nfs_selinux.8 2008-12-22 11:17:18.000000000 -0500 +@@ -26,5 +26,5 @@ + .SH AUTHOR + This manual page was written by Dan Walsh . 
+ +-.SH "SEE ALSpppO" ++.SH "SEE ALSO" + selinux(8), chcon(1), setsebool(8) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.1/man/man8/samba_selinux.8 --- nsaserefpolicy/man/man8/samba_selinux.8 2008-08-07 11:15:14.000000000 -0400 +++ serefpolicy-3.6.1/man/man8/samba_selinux.8 2008-11-25 09:45:43.000000000 -0500 @@ -1690,7 +1733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.1/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/apps/gpg.te 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/apps/gpg.te 2008-12-18 10:33:48.000000000 -0500 @@ -60,7 +60,7 @@ allow gpg_t self:capability { ipc_lock setuid }; @@ -1749,7 +1792,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for helper programs (which automatically fetch keys) # Note: this is only tested with the hkp interface. If you use eg the # mail interface you will likely need additional permissions. -@@ -136,13 +141,11 @@ +@@ -136,13 +141,13 @@ corenet_udp_bind_all_nodes(gpg_helper_t) corenet_tcp_connect_all_ports(gpg_helper_t) @@ -1763,10 +1806,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_list_inotifyfs(gpg_helper_t) + +auth_use_nsswitch(gpg_helper_t) ++ ++userdom_use_user_terminals(gpg_helper_t) tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -157,6 +160,17 @@ +@@ -157,6 +162,17 @@ xserver_rw_xdm_pipes(gpg_t) ') 
@@ -3879,7 +3924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +xserver_user_x_domain_template(user, wm_t, wm_tmpfs_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc 2008-12-05 08:55:39.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.fc 2008-12-18 09:12:40.000000000 -0500 @@ -128,6 +128,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3902,7 +3947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -221,8 +221,8 @@ +@@ -221,14 +221,15 @@ /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3913,7 +3958,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -291,3 +291,12 @@ + /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) +@@ -291,3 +292,12 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -3928,7 +3980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.1/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.if 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/kernel/corecommands.if 2008-12-19 15:12:15.000000000 -0500 @@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) 
@@ -3995,7 +4047,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-11-12 09:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in 2008-12-08 15:25:19.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/kernel/corenetwork.te.in 2008-12-19 17:15:49.000000000 -0500 @@ -65,10 +65,12 @@ type server_packet_t, packet_type, server_packet_type; @@ -4009,7 +4061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) -@@ -79,11 +81,13 @@ +@@ -79,26 +81,33 @@ network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict @@ -4022,8 +4074,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) ++network_port(dccm, tcp,5679,s0, udp,5679,s0) network_port(dbskkd, tcp,1178,s0) -@@ -92,13 +96,16 @@ +-network_port(dhcpc, udp,68,s0) ++network_port(dhcpc, udp,68,s0, tcp,68,s0) + network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) 
@@ -4032,6 +4087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) network_port(ftp_data, tcp,20,s0) network_port(ftp, tcp,21,s0) ++network_port(ftps, tcp,990,s0, udp,990,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(giftd, tcp,1213,s0) network_port(gopher, tcp,70,s0, udp,70,s0) @@ -4040,7 +4096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) -@@ -118,6 +125,8 @@ +@@ -118,6 +127,8 @@ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) @@ -4049,7 +4105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon -@@ -127,6 +136,7 @@ +@@ -127,6 +138,7 @@ network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) 
@@ -4057,7 +4113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -137,12 +147,21 @@ +@@ -137,12 +149,21 @@ network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) @@ -4079,7 +4135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -160,9 +179,11 @@ +@@ -160,9 +181,11 @@ network_port(rwho, udp,513,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) @@ -4092,7 +4148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -171,14 +192,17 @@ +@@ -171,14 +194,17 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -7816,7 +7872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.1/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/apache.if 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/apache.if 2008-12-19 10:59:07.000000000 -0500 @@ -13,21 +13,16 @@ # template(`apache_content_template',` 
@@ -8048,7 +8104,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -579,7 +517,7 @@ +@@ -504,6 +442,47 @@ + ######################################## + ## + ## Allow the specified domain to read ++## apache tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_read_tmp',` ++ gen_require(` ++ type httpd_config_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ++') ++ ++######################################## ++## ++## Dontaudit attempts ti write ++## apache tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_dontaudit_write_tmp',` ++ gen_require(` ++ type httpd_config_t; ++ ') ++ ++ dontaudit $1 httpd_tmp_t:file write; ++') ++ ++######################################## ++## ++## Allow the specified domain to read + ## apache configuration files. + ## + ## +@@ -579,7 +558,7 @@ ## ## ## @@ -8057,7 +8161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -715,6 +653,7 @@ +@@ -715,6 +694,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -8065,7 +8169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -782,6 +721,32 @@ +@@ -782,6 +762,32 @@ ######################################## ## @@ -8098,7 +8202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute all web scripts in the system ## script domain. ## -@@ -791,16 +756,18 @@ +@@ -791,16 +797,18 @@ ## ## # @@ -8121,7 +8225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -859,6 +826,8 @@ +@@ -859,6 +867,8 @@ ## ## # 
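Review bot: Both new interfaces in this hunk, `apache_read_tmp` and `apache_dontaudit_write_tmp`, list `type httpd_config_t;` in their gen_require block but never use it, while the type they do use, `httpd_tmp_t`, is not required; a module built against either interface that does not otherwise bring httpd_tmp_t into scope will fail to build. Change the require block in each to `type httpd_tmp_t;`. The XML summary of the second interface also reads `Dontaudit attempts ti write`; it should be `Dontaudit attempts to write`.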
@@ -8130,7 +8234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol interface(`apache_run_all_scripts',` gen_require(` attribute httpd_exec_scripts, httpd_script_domains; -@@ -884,7 +853,7 @@ +@@ -884,7 +894,7 @@ type httpd_squirrelmail_t; ') @@ -8139,7 +8243,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1040,3 +1009,160 @@ +@@ -1040,3 +1050,160 @@ allow httpd_t $1:process signal; ') @@ -10365,9 +10469,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cronjob_t self:unix_stream_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.1/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.1/policy/modules/services/cups.fc 2008-11-25 09:45:43.000000000 -0500 -@@ -8,24 +8,35 @@ - /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++++ serefpolicy-3.6.1/policy/modules/services/cups.fc 2008-12-19 11:42:21.000000000 -0500 +@@ -5,27 +5,38 @@ + /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
@@ -10414,13 +10522,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -43,10 +54,18 @@ +@@ -43,10 +54,19 @@ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0) +/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) ++/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) @@ -11162,7 +11271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.1/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/dbus.te 2008-12-03 14:17:27.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/dbus.te 2008-12-17 16:46:31.000000000 -0500 @@ -9,14 +9,15 @@ # # Delcarations 
@@ -11233,15 +11342,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_fs_mount(system_dbusd_t) selinux_validate_context(system_dbusd_t) -@@ -91,7 +108,6 @@ +@@ -91,9 +108,9 @@ corecmd_list_bin(system_dbusd_t) corecmd_read_bin_pipes(system_dbusd_t) corecmd_read_bin_sockets(system_dbusd_t) -corecmd_exec_bin(system_dbusd_t) domain_use_interactive_fds(system_dbusd_t) ++domain_read_all_domains_state(system_dbusd_t) -@@ -101,6 +117,8 @@ + files_read_etc_files(system_dbusd_t) + files_list_home(system_dbusd_t) +@@ -101,6 +118,8 @@ init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) @@ -11250,7 +11362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -128,9 +146,34 @@ +@@ -128,9 +147,34 @@ ') optional_policy(` 
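Review bot: `domain_read_all_domains_state(system_dbusd_t)` grants the system bus read access to the /proc state of every domain on the system, which is far broader than the per-target rules around it, and nothing in the hunk records why the bus needs it. Add a comment above the line naming the consumer, e.g. `# bus inspects /proc/<pid> of connecting clients — confirm which information is needed`, or if only specific client domains are involved, narrow the grant to those. The system_dbusd_t section this belongs to starts and ends outside the hunk.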
@@ -12177,6 +12289,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + polkit_read_lib(gnomeclock_t) +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.1/policy/modules/services/hal.fc +--- nsaserefpolicy/policy/modules/services/hal.fc 2008-11-19 11:51:44.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/hal.fc 2008-12-19 17:06:38.000000000 -0500 +@@ -5,6 +5,7 @@ + /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) + + /usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) ++/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0) + /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) + /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) + /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.1/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/hal.if 2008-11-25 09:45:43.000000000 -0500 
@@ -12194,18 +12317,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.1/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/hal.te 2008-12-12 09:32:41.000000000 -0500 -@@ -49,6 +49,9 @@ ++++ serefpolicy-3.6.1/policy/modules/services/hal.te 2008-12-19 17:16:25.000000000 -0500 +@@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) +typealias hald_log_t alias pmtools_log_t; +typealias hald_var_run_t alias pmtools_var_run_t; + ++type hald_dccm_t; ++type hald_dccm_exec_t; ++domain_type(hald_dccm_t) ++domain_entry_file(hald_dccm_t, hald_dccm_exec_t) ++role system_r types hald_dccm_t; ++ ######################################## # # Local policy -@@ -143,6 +146,7 @@ +@@ -143,6 +152,7 @@ files_getattr_all_dirs(hald_t) files_read_kernel_img(hald_t) files_rw_lock_dirs(hald_t) @@ -12213,7 +12342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hald_t) fs_search_all(hald_t) -@@ -195,6 +199,7 @@ +@@ -195,6 +205,7 @@ seutil_read_file_contexts(hald_t) sysnet_read_config(hald_t) @@ -12221,7 +12350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -277,6 +282,12 @@ +@@ -277,6 +288,12 @@ ') optional_policy(` @@ -12234,7 +12363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_search_nfs_state_data(hald_t) ') -@@ -301,12 +312,16 @@ +@@ -301,12 +318,16 @@ virt_manage_images(hald_t) ') 
@@ -12252,7 +12381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file rw_fifo_file_perms; -@@ -346,12 +361,17 @@ +@@ -346,12 +367,17 @@ miscfiles_read_localization(hald_acl_t) @@ -12271,7 +12400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; -@@ -418,3 +438,7 @@ +@@ -418,3 +444,49 @@ files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) 
@@ -12279,6 +12408,48 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# This is caused by a bug in hald and PolicyKit. +# Should be removed when this is fixed +cron_read_system_job_lib_files(hald_t) ++ ++######################################## ++# ++# Local hald dccm policy ++# ++allow hald_dccm_t self:capability { net_bind_service }; ++allow hald_dccm_t self:process getsched; ++allow hald_dccm_t self:tcp_socket create_stream_socket_perms; ++allow hald_dccm_t self:udp_socket create_socket_perms; ++allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; ++ ++domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) ++allow hald_t hald_dccm_t:process signal; ++allow hald_dccm_t hald_t:unix_stream_socket connectto; ++ ++corenet_all_recvfrom_unlabeled(hald_dccm_t) ++corenet_all_recvfrom_netlabel(hald_dccm_t) ++corenet_tcp_sendrecv_all_if(hald_dccm_t) ++corenet_udp_sendrecv_all_if(hald_dccm_t) ++corenet_tcp_sendrecv_all_nodes(hald_dccm_t) ++corenet_udp_sendrecv_all_nodes(hald_dccm_t) ++corenet_tcp_sendrecv_all_ports(hald_dccm_t) ++corenet_udp_sendrecv_all_ports(hald_dccm_t) ++corenet_tcp_bind_all_nodes(hald_dccm_t) ++corenet_udp_bind_all_nodes(hald_dccm_t) ++corenet_udp_bind_dhcpc_port(hald_dccm_t) ++corenet_tcp_bind_ftps_port(hald_dccm_t) ++corenet_tcp_bind_dccm_port(hald_dccm_t) ++ ++kernel_search_network_sysctl(hald_dccm_t) ++ ++manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) ++manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) ++files_search_var_lib(hald_dccm_t) ++ ++write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) ++ ++files_read_usr_files(hald_dccm_t) ++ ++miscfiles_read_localization(hald_dccm_t) ++ ++permissive hald_dccm_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.fc serefpolicy-3.6.1/policy/modules/services/ifplugd.fc --- nsaserefpolicy/policy/modules/services/ifplugd.fc 1969-12-31 19:00:00.000000000 -0500 
+++ serefpolicy-3.6.1/policy/modules/services/ifplugd.fc 2008-11-25 09:45:43.000000000 -0500 @@ -13299,7 +13470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.1/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-12-04 16:14:16.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/munin.te 2008-12-18 11:36:14.000000000 -0500 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) @@ -16469,7 +16640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.1/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/postfix.if 2008-12-02 15:09:03.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/postfix.if 2008-12-18 11:31:37.000000000 -0500 @@ -174,9 +174,8 @@ type postfix_etc_t; ') 
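Review bot: The new `hald_dccm_t` domain ends with `permissive hald_dccm_t;`, so every rule in the block above it is only advisory and denials are logged rather than enforced, yet nothing marks this as temporary. Add `# TODO: drop permissive once hald_dccm denials have been collected and the rules above are complete` directly above it so it does not ship as the permanent state. The domain is also granted `corenet_tcp_sendrecv_all_ports` / `corenet_udp_sendrecv_all_ports` alongside the specific dhcpc, ftps and dccm binds and `net_bind_service`; a one-line comment naming the protocol these serve (presumably the device-sync listener the dccm port was added for in corenetwork.te.in — confirm) would let a later reviewer judge whether the all-ports grants can be narrowed. The hald.te section this hunk extends starts outside the hunk.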
@@ -16517,10 +16688,46 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute the master postfix program in the ## postfix_master domain. ## -@@ -465,6 +483,25 @@ +@@ -418,10 +436,10 @@ + # + interface(`postfix_search_spool',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; + ') - ######################################## - ## +- allow $1 postfix_spool_t:dir search_dir_perms; ++ allow $1 postfix_spool_type:dir search_dir_perms; + files_search_spool($1) + ') + +@@ -437,10 +455,10 @@ + # + interface(`postfix_list_spool',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; + ') + +- allow $1 postfix_spool_t:dir list_dir_perms; ++ allow $1 postfix_spool_type:dir list_dir_perms; + files_search_spool($1) + ') + +@@ -456,11 +474,30 @@ + # + interface(`postfix_read_spool_files',` + gen_require(` +- type postfix_spool_t; ++ attribute postfix_spool_type; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1, postfix_spool_type, postfix_spool_type) ++') ++ ++######################################## ++## +## Manage postfix mail spool files. +## +## @@ -16531,18 +16738,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +interface(`postfix_manage_spool_files',` + gen_require(` -+ type postfix_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_files_pattern($1, postfix_spool_t, postfix_spool_t) -+') -+ -+######################################## -+## - ## Execute postfix user mail programs - ## in their respective domains. - ## ++ attribute postfix_spool_type; + ') + + files_search_spool($1) +- read_files_pattern($1, postfix_spool_t, postfix_spool_t) ++ manage_files_pattern($1, postfix_spool_type, postfix_spool_type) + ') + + ######################################## @@ -481,3 +518,23 @@ typeattribute $1 postfix_user_domtrans; 
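Review bot: Switching `postfix_search_spool`, `postfix_list_spool` and `postfix_read_spool_files` from `type postfix_spool_t;` to `attribute postfix_spool_type;` widens every existing caller's access from the main spool to every type carrying the attribute — per the postfix.te part of this commit that is postfix_spool_t, postfix_spool_maildrop_t, postfix_spool_flush_t and postfix_spool_bounce_t — without any caller being re-audited. The only summary visible here, `## Manage postfix mail spool files.`, still describes a single spool; update it, and the summaries of the three interfaces above it that lie outside the hunk, to something like `## Read all postfix spool types (postfix_spool_type attribute), including maildrop and bounce.` so callers know what they are granting. The same widening applies to `postfix_manage_spool_files` in the next hunk on this line, where the interface body is rewritten to use the attribute.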
@@ -16569,8 +16773,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.1/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/postfix.te 2008-11-25 09:45:43.000000000 -0500 -@@ -1,11 +1,19 @@ ++++ serefpolicy-3.6.1/policy/modules/services/postfix.te 2008-12-22 10:48:45.000000000 -0500 +@@ -1,11 +1,20 @@ -policy_module(postfix, 1.9.2) +policy_module(postfix, 1.9.1) @@ -16588,10 +16792,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_postfix_local_write_mail_spool, false) + ++attribute postfix_spool_type; attribute postfix_user_domains; # domains that transition to the # postfix user domains -@@ -19,7 +27,7 @@ +@@ -13,13 +22,13 @@ + + postfix_server_domain_template(bounce) + +-type postfix_spool_bounce_t; ++type postfix_spool_bounce_t, postfix_spool_type; + files_type(postfix_spool_bounce_t) + postfix_server_domain_template(cleanup) type postfix_etc_t; @@ -16600,7 +16812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type postfix_exec_t; application_executable_file(postfix_exec_t) -@@ -27,6 +35,12 @@ +@@ -27,6 +36,12 @@ postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) @@ -16613,7 +16825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type postfix_local_tmp_t; files_tmp_file(postfix_local_tmp_t) -@@ -34,6 +48,7 @@ +@@ -34,6 +49,7 @@ type postfix_map_t; type postfix_map_exec_t; application_domain(postfix_map_t, postfix_map_exec_t) 
@@ -16621,7 +16833,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) -@@ -103,6 +118,7 @@ +@@ -68,13 +84,13 @@ + + postfix_server_domain_template(smtpd) + +-type postfix_spool_t; ++type postfix_spool_t, postfix_spool_type; + files_type(postfix_spool_t) + +-type postfix_spool_maildrop_t; ++type postfix_spool_maildrop_t, postfix_spool_type; + files_type(postfix_spool_maildrop_t) + +-type postfix_spool_flush_t; ++type postfix_spool_flush_t, postfix_spool_type; + files_type(postfix_spool_flush_t) + + type postfix_public_t; +@@ -103,6 +119,7 @@ allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; @@ -16629,7 +16858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_master_t postfix_etc_t:file rw_file_perms; -@@ -142,6 +158,7 @@ +@@ -142,6 +159,7 @@ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -16637,7 +16866,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_all_sysctls(postfix_master_t) -@@ -170,6 +187,8 @@ +@@ -153,6 +171,9 @@ + corenet_udp_sendrecv_all_nodes(postfix_master_t) + corenet_tcp_sendrecv_all_ports(postfix_master_t) + corenet_udp_sendrecv_all_ports(postfix_master_t) ++corenet_udp_bind_all_nodes(postfix_master_t) ++corenet_udp_bind_all_unreserved_ports(postfix_master_t) ++corenet_dontaudit_udp_bind_all_ports(postfix_master_t) + corenet_tcp_bind_all_nodes(postfix_master_t) + corenet_tcp_bind_amavisd_send_port(postfix_master_t) + corenet_tcp_bind_smtp_port(postfix_master_t) +@@ -170,6 +191,8 @@ domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) 
@@ -16646,7 +16885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_dontaudit_search_ptys(postfix_master_t) -@@ -181,15 +200,14 @@ +@@ -181,15 +204,14 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) @@ -16666,7 +16905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -202,9 +220,29 @@ +@@ -202,9 +224,29 @@ ') optional_policy(` @@ -16696,7 +16935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix bounce local policy -@@ -245,6 +283,10 @@ +@@ -245,6 +287,10 @@ corecmd_exec_bin(postfix_cleanup_t) @@ -16707,7 +16946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix local local policy -@@ -270,18 +312,29 @@ +@@ -270,18 +316,29 @@ files_read_etc_files(postfix_local_t) @@ -16737,7 +16976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -292,8 +345,7 @@ +@@ -292,8 +349,7 @@ # # Postfix map local policy # @@ -16747,7 +16986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -340,10 +392,6 @@ +@@ -340,10 +396,6 @@ miscfiles_read_localization(postfix_map_t) @@ -16758,7 +16997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -356,6 +404,11 @@ +@@ -356,6 +408,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') 
@@ -16770,7 +17009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix pickup local policy -@@ -380,6 +433,7 @@ +@@ -380,6 +437,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -16778,7 +17017,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -387,6 +441,12 @@ +@@ -387,6 +445,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -16791,7 +17030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -396,6 +456,15 @@ +@@ -396,6 +460,15 @@ ') optional_policy(` @@ -16807,7 +17046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol uucp_domtrans_uux(postfix_pipe_t) ') -@@ -432,8 +501,11 @@ +@@ -432,8 +505,11 @@ ') optional_policy(` @@ -16821,7 +17060,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -459,6 +531,15 @@ +@@ -459,6 +535,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -16837,7 +17076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -543,9 +624,18 @@ +@@ -543,9 +628,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -16856,7 +17095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_read_data_files(postfix_smtpd_t) ') -@@ -572,7 +662,7 @@ +@@ -572,7 +666,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process 
@@ -18606,7 +18845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.1/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/samba.te 2008-12-15 12:23:46.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/samba.te 2008-12-22 10:23:30.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -18708,7 +18947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # smbd Local policy # -allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search }; -+allow smbd_t self:capability { chown fowner setgid setuid sys_resource lease dac_override dac_read_search }; ++allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; @@ -19520,7 +19759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.6.1/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.1/policy/modules/services/snmp.fc 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/snmp.fc 2008-12-18 09:13:35.000000000 -0500 @@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmp_initrc_exec_t,s0) +/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmp_initrc_exec_t,s0) 
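Review bot: The smbd_t capability line gains `sys_nice` with no comment saying which smbd operation needs it, and CAP_SYS_NICE allows, among other things, raising the priority and changing the scheduling policy of processes, which is more than a file server ordinarily needs. If this was added to clear a specific AVC denial, record the trigger beside the rule, e.g. `# sys_nice: smbd adjusts its own scheduling priority; see bug report`, so a later reviewer can judge whether the allow is still required or whether a dontaudit would do. The rest of the smbd_t local policy is outside the hunk.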
@@ -19536,6 +19775,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) +@@ -15,5 +19,5 @@ + + /var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) + +-/var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) ++/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) + /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.6.1/policy/modules/services/snmp.if --- nsaserefpolicy/policy/modules/services/snmp.if 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/snmp.if 2008-11-25 09:45:43.000000000 -0500 @@ -20356,13 +20602,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.1/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-09 14:28:14.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/ssh.te 2008-12-18 10:03:59.000000000 -0500 @@ -75,7 +75,7 @@ ubac_constrained(ssh_tmpfs_t) type home_ssh_t; -typealias home_ssh_t alias { user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; -+typealias home_ssh_t alias { ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; ++typealias home_ssh_t alias { ssh_home_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; files_type(home_ssh_t) userdom_user_home_content(home_ssh_t) 
@@ -20392,7 +20638,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(ssh_t) -@@ -202,6 +205,7 @@ +@@ -173,6 +176,7 @@ + userdom_use_user_terminals(ssh_t) + # needs to read krb tgt + userdom_read_user_tmp_files(ssh_t) ++userdom_read_user_home_content_symlinks(ssh_t) + + tunable_policy(`allow_ssh_keysign',` + domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) +@@ -202,6 +206,7 @@ # for port forwarding tunable_policy(`user_tcp_server',` corenet_tcp_bind_ssh_port(ssh_t) @@ -20400,7 +20654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -318,6 +322,10 @@ +@@ -318,6 +323,10 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) @@ -20411,7 +20665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -331,6 +339,14 @@ +@@ -331,6 +340,14 @@ ') optional_policy(` @@ -20426,7 +20680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -349,7 +365,11 @@ +@@ -349,7 +366,11 @@ ') optional_policy(` @@ -20439,7 +20693,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') -@@ -408,6 +428,8 @@ +@@ -408,6 +429,8 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) 
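Review bot: The new `userdom_read_user_home_content_symlinks(ssh_t)` line sits directly under the existing `# needs to read krb tgt` comment, so a reader will attribute it to the Kerberos ticket case, which the interface name does not support: it lets the ssh client follow symlinks of every user-home-content type, not just the tmp files the comment describes. Give it a comment of its own stating the real trigger, e.g. `# follow symlinks under the home directory (e.g. ~/.ssh linked elsewhere); confirm against the motivating AVC`, since the hunk does not show the denial that prompted it. Following the symlink still needs a separate allow on the target's type, so the grant is modest, but the misleading placement is worth fixing; the ssh_t policy continues outside the hunk.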
@@ -21473,7 +21727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## display. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-12-11 14:53:37.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/xserver.te 2008-12-17 16:39:38.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -21510,8 +21764,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type user_fonts_t; -typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; +-typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; +typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xguest_fonts_t unconfined_fonts_t }; - typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; ++typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t user_fonts_home_t }; userdom_user_home_content(user_fonts_t) type user_fonts_cache_t; @@ -23581,7 +23836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.1/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2008-11-18 18:57:21.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/logging.if 2008-12-09 14:23:42.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/logging.if 2008-12-18 11:32:40.000000000 -0500 @@ -707,6 +707,8 @@ files_search_var($1) manage_files_pattern($1,logfile,logfile) 
@@ -26131,7 +26386,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-11 15:08:45.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-18 10:02:36.000000000 -0500 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 00f4307..0c8fc80 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.1 -Release: 11%{?dist} +Release: 12%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,9 @@ exit 0 %endif %changelog +* Thu Dec 18 2008 Dan Walsh 3.6.1-12 +- Add missing alias for home directory content + * Wed Dec 17 2008 Dan Walsh 3.6.1-11 - Fixes for IBM java location