From cbedd06c12ecd77739155c940d3d558128dd3986 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Aug 12 2009 20:09:21 +0000 Subject: - Add kdump policy for Miroslav Grepl - Turn off execstack boolean --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index df05051..e42b66c 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -8,7 +8,7 @@ allow_execmod = false # Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = false +allow_execstack = true # Allow ftpd to read cifs directories. # diff --git a/modules-minimum.conf b/modules-minimum.conf index 806f614..25c7f3e 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -557,12 +557,27 @@ gnomeclock = module hal = module # Layer: services +# Module: hddtemp +# +# hddtemp hard disk temperature tool running as a daemon +# +hddtemp = module + +# Layer: services # Module: policykit # # Hardware abstraction layer # policykit = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + # Layer: services # Module: psad # diff --git a/modules-targeted.conf b/modules-targeted.conf index 806f614..25c7f3e 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -557,12 +557,27 @@ gnomeclock = module hal = module # Layer: services +# Module: hddtemp +# +# hddtemp hard disk temperature tool running as a daemon +# +hddtemp = module + +# Layer: services # Module: policykit # # Hardware abstraction layer # policykit = module + +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + # Layer: services # Module: psad # diff --git a/policy-F12.patch b/policy-F12.patch index bc49842..02c5d8d 100644 --- a/policy-F12.patch +++ b/policy-F12.patch 
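Review bot: The booleans-targeted.conf hunk sets `allow_execstack = true`, but the commit subject says "Turn off execstack boolean", so either the subject or the value is wrong. As written the line enables executable stacks by default for every targeted domain, which weakens the NX/W^X mitigation system-wide rather than tightening it. If the intent is to disable it the line should remain `allow_execstack = false`; if enabling is deliberate, the subject and the comment above the line should say why, e.g. `# Enabled by default because ... — revisit`. This needs resolving before the build consumes the file.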
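Review bot: The new ptchown description in modules-minimum.conf reads `# helper function for grantpt(3), changes ownship and permissions of pseudotty`; "ownship" should be "ownership". The same line is added to modules-targeted.conf in the next hunk and reused as the module summary in ptchown.if inside policy-F12.patch, so all three copies should be corrected together.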
@@ -460,7 +460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.26/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/admin/mrtg.te 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/admin/mrtg.te 2009-08-11 14:24:37.000000000 -0400 @@ -116,6 +116,9 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) @@ -471,6 +471,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mls',` corenet_udp_sendrecv_lo_if(mrtg_t) +@@ -139,6 +142,10 @@ + ') + + optional_policy(` ++ hddtemp_domtrans(mrtg_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(mrtg_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.26/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2009-07-23 14:11:04.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/admin/prelink.if 2009-07-30 15:33:08.000000000 -0400 @@ -783,7 +794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.26/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/admin/rpm.te 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/admin/rpm.te 2009-08-12 15:12:20.000000000 -0400 @@ -31,11 +31,15 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; 
@@ -986,7 +997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -326,13 +370,18 @@ +@@ -326,13 +370,22 @@ ') optional_policy(` @@ -1000,6 +1011,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - unconfined_domain(rpm_script_t) ++ udev_domtrans(rpm_script_t) ++') ++ ++optional_policy(` + unconfined_domain_noaudit(rpm_script_t) unconfined_domtrans(rpm_script_t) + unconfined_execmem_domtrans(rpm_script_t) 
@@ -3088,6 +3103,77 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.6.26/policy/modules/apps/ptchown.fc +--- nsaserefpolicy/policy/modules/apps/ptchown.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.26/policy/modules/apps/ptchown.fc 2009-08-12 14:48:50.000000000 -0400 +@@ -0,0 +1,2 @@ ++ ++/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.26/policy/modules/apps/ptchown.if +--- nsaserefpolicy/policy/modules/apps/ptchown.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.26/policy/modules/apps/ptchown.if 2009-08-12 14:51:46.000000000 -0400 +@@ -0,0 +1,22 @@ ++ ++## helper function for grantpt(3), changes ownship and permissions of pseudotty ++ ++######################################## ++## ++## Execute a domain transition to run ptchown. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`ptchown_domtrans',` ++ gen_require(` ++ type ptchown_t; ++ type ptchown_exec_t; ++ ') ++ ++ domtrans_pattern($1,ptchown_exec_t,ptchown_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.26/policy/modules/apps/ptchown.te +--- nsaserefpolicy/policy/modules/apps/ptchown.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.26/policy/modules/apps/ptchown.te 2009-08-12 14:55:11.000000000 -0400 +@@ -0,0 +1,35 @@ ++policy_module(ptchown,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ptchown_t; ++type ptchown_exec_t; ++application_domain(ptchown_t, ptchown_exec_t) ++role system_r types ptchown_t; ++ ++permissive ptchown_t; ++ ++######################################## ++# ++# ptchown local policy ++# ++ ++allow ptchown_t self:capability { chown setuid }; ++allow ptchown_t self:process { getcap setcap }; ++ ++# Init script handling ++domain_use_interactive_fds(ptchown_t) ++ ++# internal communication is often done using fifo and unix sockets. ++allow ptchown_t self:fifo_file rw_file_perms; ++allow ptchown_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_read_etc_files(ptchown_t) ++ ++term_setattr_generic_ptys(ptchown_t) ++term_setattr_all_user_ptys(ptchown_t) ++ ++miscfiles_read_localization(ptchown_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.26/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-07-23 14:11:04.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/apps/pulseaudio.te 2009-08-04 05:32:34.000000000 -0400 
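Review bot: ptchown.te declares `permissive ptchown_t;` for a domain that wraps the setuid-root pt_chown helper and is granted `allow ptchown_t self:capability { chown setuid };` plus `term_setattr_all_user_ptys(ptchown_t)`; while the domain is permissive none of those rules constrain the helper, and a later hunk in this patch makes the domain reachable from guest domains via `ptchown_domtrans(virt_domain)`, so the permissive line should at least carry `# TODO: remove once the domain is verified in enforcing mode`. `role system_r types ptchown_t;` covers only system_r, so a caller in another role would fail the transition — verify that is intended given grantpt(3) is called from ordinary user processes. For consistency with `hddtemp_domtrans` in hddtemp.if, `ptchown_domtrans` could also call `corecmd_search_bin($1)` before `domtrans_pattern($1,ptchown_exec_t,ptchown_t)`, since /usr/libexec is presumably labeled bin_t. The ptchown.if summary also repeats the "ownship" typo.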
@@ -4266,8 +4352,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.26/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/corecommands.fc 2009-07-30 15:33:08.000000000 -0400 -@@ -142,6 +142,9 @@ ++++ serefpolicy-3.6.26/policy/modules/kernel/corecommands.fc 2009-08-11 14:58:11.000000000 -0400 +@@ -125,6 +125,7 @@ + /sbin/.* gen_context(system_u:object_r:bin_t,s0) + /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) + /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) ++/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) + + # + # /opt +@@ -142,6 +143,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -4277,7 +4371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -315,3 +318,21 @@ +@@ -315,3 +319,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -4312,7 +4406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.26/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/corenetwork.te.in 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/corenetwork.te.in 2009-08-11 14:24:37.000000000 -0400 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; 
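Review bot: `/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)` moves nologin out of the `/sbin/.*` bin_t default shown just above it, which changes who may execute it: domains relying on `corecmd_exec_bin` lose exec on it, domains with `corecmd_exec_shell` gain it, and any type_transition keyed on shell_exec_t now fires for nologin as well. A comment on the new line recording the reason — presumably so login programs treat the disabled-account shell like any other login shell — would keep a later reader from reverting it, e.g. `# nologin is used as a login shell; label it like the other shells — confirm`.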
@@ -4321,7 +4415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) -@@ -87,17 +88,21 @@ +@@ -87,25 +88,31 @@ network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) @@ -4344,7 +4438,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(giftd, tcp,1213,s0) network_port(gopher, tcp,70,s0, udp,70,s0) -@@ -106,6 +111,7 @@ + network_port(gpsd, tcp,2947,s0) ++network_port(hddtemp, tcp,7634,s0) + network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy @@ -4352,7 +4448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -128,7 +134,7 @@ +@@ -128,7 +135,7 @@ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon 
@@ -4361,7 +4457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -@@ -146,6 +152,12 @@ +@@ -146,6 +153,12 @@ network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) @@ -4374,7 +4470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) -@@ -172,27 +184,31 @@ +@@ -172,27 +185,31 @@ network_port(sap, tcp,9875,s0, udp,9875,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) @@ -4409,7 +4505,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -221,6 +237,8 @@ +@@ -221,6 +238,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) @@ -4442,7 +4538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.26/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-08-10 10:05:44.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-08-11 18:56:44.000000000 -0400 @@ -1655,6 +1655,78 @@ ######################################## 
@@ -4584,11 +4680,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Read the lvm comtrol device. -@@ -2232,6 +2359,24 @@ +@@ -2268,6 +2395,25 @@ ######################################## ## -+## Read and write the the wireless device. ++## Delete the null device (/dev/null). +## +## +## @@ -4596,24 +4692,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_rw_wireless',` ++interface(`dev_delete_null',` + gen_require(` -+ type device_t, wireless_device_t; ++ type device_t, null_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, wireless_device_t) ++ allow $1 device_t:dir del_entry_dir_perms; ++ allow $1 null_device_t:chr_file unlink; +') + +######################################## +## - ## Get the attributes of the null device nodes. + ## Read and write to the null device (/dev/null). ## ## -@@ -2268,6 +2413,25 @@ +@@ -3562,6 +3708,24 @@ ######################################## ## -+## Delete the null device (/dev/null). ++## Read and write the the wireless device. +## +## +## @@ -4621,18 +4718,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_delete_null',` ++interface(`dev_rw_wireless',` + gen_require(` -+ type device_t, null_device_t; ++ type device_t, wireless_device_t; + ') + -+ allow $1 device_t:dir del_entry_dir_perms; -+ allow $1 null_device_t:chr_file unlink; ++ rw_chr_files_pattern($1, device_t, wireless_device_t) +') + +######################################## +## - ## Read and write to the null device (/dev/null). + ## Read and write Xen devices. ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.26/policy/modules/kernel/devices.te 
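Review bot: The new-side documentation for `dev_rw_wireless`, now placed after `dev_delete_null`, still reads `## Read and write the the wireless device.` — drop the duplicated "the". `dev_delete_null` grants `allow $1 device_t:dir del_entry_dir_perms;` and `allow $1 null_device_t:chr_file unlink;`, i.e. removal of /dev/null itself, so its summary should state which callers need that rather than only "Delete the null device (/dev/null)", e.g. `## Delete the null device (/dev/null). Only for domains that recreate the node — TODO name callers`, so the permission is not copied into other domains by habit.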
@@ -5399,7 +5495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.26/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/files.te 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/files.te 2009-08-12 14:53:21.000000000 -0400 @@ -42,6 +42,7 @@ # type boot_t; @@ -5419,6 +5515,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_type(etc_t) # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; +@@ -193,6 +196,7 @@ + fs_associate_noxattr(file_type) + fs_associate_tmpfs(file_type) + fs_associate_ramfs(file_type) ++fs_associate_hugetlbfs(file_type) + + ######################################## + # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.26/policy/modules/kernel/filesystem.fc --- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/kernel/filesystem.fc 2009-07-30 15:33:08.000000000 -0400 
@@ -5427,8 +5531,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.26/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/filesystem.if 2009-07-30 15:33:08.000000000 -0400 -@@ -3971,3 +3971,23 @@ ++++ serefpolicy-3.6.26/policy/modules/kernel/filesystem.if 2009-08-11 16:06:07.000000000 -0400 +@@ -1537,6 +1537,24 @@ + + ######################################## + ## ++## Allow the type to associate to hugetlbfs filesystems. ++## ++## ++## ++## The type of the object to be associated. ++## ++## ++# ++interface(`fs_associate_hugetlbfs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $1 hugetlbfs_t:filesystem associate; ++') ++ ++######################################## ++## + ## Search inotifyfs filesystem. + ## + ## +@@ -3971,3 +3989,23 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') 
@@ -5452,6 +5581,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 cifs_t:dir list_dir_perms; +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.26/policy/modules/kernel/filesystem.te +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/filesystem.te 2009-08-12 11:10:36.000000000 -0400 +@@ -93,7 +93,7 @@ + type hugetlbfs_t; + fs_type(hugetlbfs_t) + files_mountpoint(hugetlbfs_t) +-genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0) ++fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); + + type ibmasmfs_t; + fs_type(ibmasmfs_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.26/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/kernel/kernel.if 2009-08-10 11:43:18.000000000 -0400 @@ -5671,7 +5812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.26/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/terminal.if 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/terminal.if 2009-08-12 14:54:39.000000000 -0400 @@ -173,7 +173,7 @@ dev_list_all_dev_nodes($1) 
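Review bot: Replacing `genfscon hugetlbfs / ...` with `fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);` changes how objects on hugetlbfs are labeled: they now take the creating process's type-transition result instead of the fixed hugetlbfs_t, so every file type a domain may create there must be allowed to associate. The `fs_associate_hugetlbfs(file_type)` added to files.te in an earlier hunk of this patch covers that, but the reason belongs next to the rule itself, e.g. `# fs_use_trans so creating domains label their own hugepage files; see fs_associate_hugetlbfs — confirm`, since the coupling is otherwise invisible from filesystem.te.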
@@ -5743,6 +5884,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Read and write the controlling +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.6.26/policy/modules/kernel/terminal.te +--- nsaserefpolicy/policy/modules/kernel/terminal.te 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/terminal.te 2009-08-11 14:33:58.000000000 -0400 +@@ -44,6 +44,7 @@ + type ptmx_t; + dev_node(ptmx_t) + mls_trusted_object(ptmx_t) ++allow ptmx_t devpts_t:filesystem associate; + + # + # tty_device_t is the type of /dev/*tty* diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.26/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/roles/guest.te 2009-07-30 15:33:08.000000000 -0400 @@ -8947,7 +9099,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.26/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/bind.if 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/bind.if 2009-08-12 15:14:43.000000000 -0400 @@ -287,6 +287,25 @@ ######################################## 
@@ -9997,7 +10149,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.26/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/dbus.if 2009-08-06 08:01:02.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/dbus.if 2009-08-12 16:08:16.000000000 -0400 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -10027,16 +10179,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_dbusd_t $3:process sigkill; allow $3 $1_dbusd_t:fd use; allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -146,6 +148,8 @@ +@@ -146,6 +148,9 @@ seutil_read_config($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t) + term_use_all_terms($1_dbusd_t) + ++ userdom_dontaudit_search_admin_dir($1_dbusd_t) userdom_read_user_home_content_files($1_dbusd_t) ifdef(`hide_broken_symptoms', ` -@@ -153,12 +157,15 @@ +@@ -153,12 +158,15 @@ ') optional_policy(` @@ -10054,7 +10207,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -178,10 +185,12 @@ +@@ -178,10 +186,12 @@ type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -10068,7 +10221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -190,6 +199,10 @@ +@@ -190,6 +200,10 @@ files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($1) 
@@ -10079,7 +10232,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -256,7 +269,7 @@ +@@ -256,7 +270,7 @@ ######################################## ## @@ -10257,7 +10410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 devicekit_t:process { ptrace signal_perms getattr }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.26/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/devicekit.te 2009-08-10 11:51:36.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/devicekit.te 2009-08-11 13:59:10.000000000 -0400 @@ -36,12 +36,15 @@ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) @@ -10302,9 +10455,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(devicekit_disk_t) dev_getattr_usbfs_dirs(devicekit_disk_t) +dev_manage_generic_files(devicekit_disk_t) - -+domain_read_all_domains_state(devicekit_disk_t) + ++domain_read_all_domains_state(devicekit_disk_t) + +files_getattr_all_mountpoints(devicekit_disk_t) +files_getattr_all_files(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) @@ -10383,7 +10536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,6 +201,8 @@ +@@ -167,12 +201,16 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) 
@@ -10392,7 +10545,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms(devicekit_power_t) auth_use_nsswitch(devicekit_power_t) -@@ -180,8 +216,11 @@ + + miscfiles_read_localization(devicekit_power_t) + ++sysnet_read_dhcp_config(devicekit_power_t) ++ + userdom_read_all_users_state(devicekit_power_t) + + optional_policy(` +@@ -180,8 +218,11 @@ ') optional_policy(` @@ -10405,7 +10566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow devicekit_power_t devicekit_t:dbus send_msg; optional_policy(` -@@ -203,17 +242,23 @@ +@@ -203,17 +244,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) 
@@ -11017,6 +11178,100 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +permissive hald_dccm_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.6.26/policy/modules/services/hddtemp.fc +--- nsaserefpolicy/policy/modules/services/hddtemp.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.26/policy/modules/services/hddtemp.fc 2009-08-11 14:24:37.000000000 -0400 +@@ -0,0 +1,4 @@ ++ ++/etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0) ++ ++/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.if serefpolicy-3.6.26/policy/modules/services/hddtemp.if +--- nsaserefpolicy/policy/modules/services/hddtemp.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.26/policy/modules/services/hddtemp.if 2009-08-11 14:26:32.000000000 -0400 +@@ -0,0 +1,38 @@ ++## hddtemp hard disk temperature tool running as a daemon ++ ++####################################### ++## ++## Execute hddtemp in the hddtemp domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`hddtemp_domtrans',` ++ gen_require(` ++ type hddtemp_t, hddtemp_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, hddtemp_exec_t, hddtemp_t) ++') ++ ++###################################### ++## ++## Execute hddtemp ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`hddtemp_exec',` ++ gen_require(` ++ type hddtemp_exec_t; ++ ') ++ ++ can_exec($1, hddtemp_exec_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.6.26/policy/modules/services/hddtemp.te +--- nsaserefpolicy/policy/modules/services/hddtemp.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.26/policy/modules/services/hddtemp.te 2009-08-11 14:24:37.000000000 -0400 +@@ -0,0 +1,40 @@ ++policy_module(hddtemp,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type hddtemp_t; ++type hddtemp_exec_t; ++init_daemon_domain(hddtemp_t,hddtemp_exec_t) ++ ++type hddtemp_initrc_exec_t; ++init_script_file(hddtemp_initrc_exec_t) ++ ++######################################## ++# ++# hddtemp local policy ++# ++ ++allow hddtemp_t self:capability sys_rawio; ++dontaudit hddtemp_t self:capability sys_admin; ++ ++allow hddtemp_t self:netlink_route_socket r_netlink_socket_perms; ++allow hddtemp_t self:tcp_socket create_stream_socket_perms; ++allow hddtemp_t self:udp_socket create_socket_perms; ++ ++corenet_tcp_bind_all_nodes(hddtemp_t) ++corenet_tcp_bind_hddtemp_port(hddtemp_t) ++ ++storage_raw_read_fixed_disk(hddtemp_t) ++ ++# read hddtemp db file ++files_read_usr_files(hddtemp_t) ++ ++logging_send_syslog_msg(hddtemp_t) ++ ++miscfiles_read_localization(hddtemp_t) ++ ++permissive hddtemp_t; ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.26/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-07-23 14:11:04.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/services/kerberos.te 2009-07-30 15:33:08.000000000 -0400 
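Review bot: hddtemp.te lets hddtemp_t bind a TCP listener via `corenet_tcp_bind_all_nodes(hddtemp_t)` and `corenet_tcp_bind_hddtemp_port(hddtemp_t)` but grants no packet-level send/receive rules, so in this policy version the daemon presumably still needs `corenet_tcp_sendrecv_generic_if(hddtemp_t)`, `corenet_tcp_sendrecv_generic_node(hddtemp_t)` and `corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)` (plus `corenet_all_recvfrom_unlabeled`) — confirm, since the trailing `permissive hddtemp_t;` currently masks such denials. The combination of a network listener with `allow hddtemp_t self:capability sys_rawio;` and `storage_raw_read_fixed_disk(hddtemp_t)` deserves a why-comment next to those rules (`# disk temperature queries need raw access to the disk devices — TODO confirm`), and the permissive line should be marked `# TODO: drop once the domain is verified in enforcing mode`. The .te is complete in this hunk (40 lines), so the missing rules are not simply out of view.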
@@ -12812,7 +13067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.26/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-10 10:24:17.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-11 14:14:45.000000000 -0400 @@ -38,9 +38,10 @@ allow policykit_t self:capability { setgid setuid }; @@ -12852,11 +13107,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -77,12 +90,15 @@ +@@ -76,13 +89,16 @@ + # allow policykit_auth_t self:capability setgid; - allow policykit_auth_t self:process getattr; +-allow policykit_auth_t self:process getattr; -allow policykit_auth_t self:fifo_file rw_file_perms; ++allow policykit_auth_t self:process { getattr getsched }; +allow policykit_auth_t self:fifo_file rw_fifo_file_perms; + allow policykit_auth_t self:unix_dgram_socket create_socket_perms; @@ -12889,7 +13146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -116,6 +136,13 @@ +@@ -116,6 +136,14 @@ hal_read_state(policykit_auth_t) ') @@ -12898,12 +13155,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_xdm_append_log(policykit_auth_t) + xserver_read_xdm_pid(policykit_auth_t) + xserver_search_xdm_lib(policykit_auth_t) ++ xserver_create_xdm_tmp_sockets(policykit_auth_t) +') + ######################################## # # polkit_grant local policy -@@ -123,7 +150,8 @@ +@@ -123,7 +151,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; 
@@ -12913,7 +13171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -153,9 +181,12 @@ +@@ -153,9 +182,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -12927,7 +13185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,7 +198,8 @@ +@@ -167,7 +199,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -14184,7 +14442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_manage_cache(gssd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.26/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/rsync.te 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/rsync.te 2009-08-12 07:48:31.000000000 -0400 @@ -8,6 +8,13 @@ ## @@ -14199,7 +14457,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow rsync to export any files/directories read only. ##

##
-@@ -126,4 +133,19 @@ +@@ -24,7 +31,6 @@ + + type rsync_t; + type rsync_exec_t; +-init_daemon_domain(rsync_t, rsync_exec_t) + application_executable_file(rsync_exec_t) + role system_r types rsync_t; + +@@ -126,4 +132,19 @@ auth_read_all_symlinks_except_shadow(rsync_t) auth_tunable_read_shadow(rsync_t) ') @@ -16746,7 +17012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.26/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/virt.if 2009-08-05 16:59:48.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/virt.if 2009-08-12 16:06:07.000000000 -0400 @@ -103,7 +103,7 @@ ######################################## @@ -16844,7 +17110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an virt environment ##
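Review bot: Removing `init_daemon_domain(rsync_t, rsync_exec_t)` from rsync.te also removes the domain_type and domain_entry_file declarations that interface supplied; the surviving `application_executable_file(rsync_exec_t)` and `role system_r types rsync_t;` in the hunk do not make rsync_t a domain on their own. Unless another declaration in the rest of rsync.te, outside this hunk — for example an `inetd_tcp_service_domain(rsync_t, rsync_exec_t)` that is not wrapped in `optional_policy` — still calls domain_type, rsync_t is left without domain permissions when that module is absent, and init-started rsync no longer transitions at all. A comment recording the intent, e.g. `# rsync_t is entered only through inetd; init no longer starts it directly`, would make the dependency explicit.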
-@@ -327,3 +364,56 @@ +@@ -327,3 +364,76 @@ virt_manage_log($1) ') @@ -16901,9 +17167,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') + ++######################################## ++## ++## Create, read, write, and delete ++## svirt cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_manage_svirt_cache',` ++ gen_require(` ++ type svirt_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, svirt_cache_t, svirt_cache_t) ++ manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.26/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/virt.te 2009-08-05 15:13:13.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/virt.te 2009-08-12 16:05:46.000000000 -0400 @@ -20,6 +20,28 @@ ## gen_tunable(virt_use_samba, false) @@ -16989,7 +17275,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -68,6 +115,12 @@ +@@ -68,6 +115,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) 
@@ -16997,12 +17283,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow virtd_t virt_image_type:file { relabelfrom relabelto }; +allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; + ++mcs_process_set_categories(virtd_t) ++ +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -86,6 +139,7 @@ +@@ -86,6 +141,7 @@ kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) kernel_load_module(virtd_t) @@ -17010,7 +17298,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -96,30 +150,51 @@ +@@ -96,30 +152,51 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -17065,7 +17353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) -@@ -129,7 +204,14 @@ +@@ -129,7 +206,14 @@ logging_send_syslog_msg(virtd_t) @@ -17080,7 +17368,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -167,22 +249,35 @@ +@@ -167,22 +251,35 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) @@ -17121,7 +17409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -195,8 +290,155 @@ +@@ -195,8 +292,161 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) 
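Review bot: `mcs_process_set_categories(virtd_t)` lets libvirtd assign MCS categories to the processes it spawns, which is presumably what gives each guest its own category pair under sVirt, yet the hunk adds it without a comment and places it between the image relabel rules and the content rules with no grouping. Because a guest launched without a unique pair would silently lose its separation from other guests, a short statement of intent, `# sVirt: libvirtd labels each guest process with its own MCS category pair`, would help the next reviewer judge the grant. The surrounding virtd_t section starts outside the hunk.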
@@ -17232,6 +17520,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; + ++stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) ++ +kernel_read_system_state(virt_domain) + +corenet_all_recvfrom_unlabeled(virt_domain) @@ -17272,6 +17562,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(virt_domain) + +optional_policy(` ++ ptchown_domtrans(virt_domain) ++') ++ ++optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) @@ -17374,7 +17668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.26/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-08-05 07:48:30.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-08-11 14:14:49.000000000 -0400 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; 
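Review bot: `stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)` has virtd_t as its subject but is inserted among the `virt_domain` self rules, so a reader scanning the virtd_t section earlier in the file will not find it. Either move it beside the other virtd_t rules or add `# libvirtd connects to the per-guest sockets its guests create under svirt_var_run_t` above it, so the per-domain grouping the file otherwise follows is kept. The pattern allows connecting to any virt_domain-owned socket in that directory, which looks intended for the guest control socket; if that is the only use, a comment saying so is enough.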
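Review bot: `ptchown_domtrans(virt_domain)` lets every confined guest process execute the grantpt helper in its own domain, and the hunk does not say which guest operation needs it; presumably qemu opening a pty for a serial console, which glibc's grantpt(3) may satisfy by exec'ing the helper. Since the helper's own privileges are defined outside this patch, a comment such as `# qemu: grantpt(3) on serial-console ptys may exec the pt_chown helper (TODO: confirm)` would record the reason and let a later reviewer decide whether the transition is still needed once devpts ownership is handled by the mount. The enclosing virt_domain block continues outside the hunk.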
@@ -19549,7 +19843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.26/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-07-30 09:44:08.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-08-10 13:12:20.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/init.te 2009-08-12 16:06:54.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -19907,19 +20201,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +837,11 @@ - uml_setattr_util_sockets(initrc_t) +@@ -755,6 +838,15 @@ ') + optional_policy(` ++ virt_manage_svirt_cache(initrc_t) ++') ++ +# Cron jobs used to start and stop services +optional_policy(` + cron_rw_pipes(daemon) +') + - optional_policy(` ++optional_policy(` unconfined_domain(initrc_t) -@@ -765,6 +853,13 @@ + ifdef(`distro_redhat',` +@@ -765,6 +857,13 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -19933,7 +20231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -790,3 +885,31 @@ +@@ -790,3 +889,31 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -20860,7 +21158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.26/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/logging.if 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/logging.if 2009-08-12 15:17:48.000000000 -0400 @@ -623,7 +623,7 @@ ') 
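Review bot: `virt_manage_svirt_cache(initrc_t)` gives init scripts create, write and delete access on the svirt cache, which is broader than a boot-time cleanup would need, and the hunk does not say which script uses it; if the purpose is only to clear stale entries, a delete-only interface would bound what a misbehaving init script can do there. A one-line comment above the call, `# libvirtd init script clears the svirt cache at start (TODO: confirm the user)`, would make the grant reviewable. The same hunk also moves the cron_rw_pipes(daemon) block and re-marks the existing optional_policy opener around unconfined_domain, which inflates the diff without changing those rules; the enclosing initrc_t section starts and ends outside the hunk.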
@@ -22206,7 +22504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.26/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/sysnetwork.if 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/sysnetwork.if 2009-08-11 13:58:43.000000000 -0400 @@ -43,6 +43,39 @@ sysnet_domtrans_dhcpc($1) @@ -22591,7 +22889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.26/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/system/udev.te 2009-08-10 10:36:14.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/system/udev.te 2009-08-11 14:30:39.000000000 -0400 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -22697,7 +22995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -242,6 +270,10 @@ +@@ -242,6 +270,14 @@ ') optional_policy(` @@ -22705,6 +23003,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ vbetool_domtrans(udev_t) ++') ++ ++optional_policy(` kernel_write_xen_state(udev_t) kernel_read_xen_state(udev_t) xen_manage_log(udev_t)
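Review bot: `vbetool_domtrans(udev_t)` lets udev launch vbetool in its own domain, and since vbetool typically runs with low-memory mapping and raw hardware access, udev gains a path to those privileges through whatever rule triggers it; the hunk does not record the trigger. A comment naming it, `# udev rule runs vbetool on video resume/hotplug (TODO: confirm which rule)`, would let a reviewer check that the transition is reached only by the intended device event rather than by any event udev handles. The enclosing udev_t section continues outside the hunk.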