From d83b1b789a0dc41868089c510d836ddba8d9f1c1 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 18 2009 18:41:01 +0000 Subject: - Add varnishd policy --- diff --git a/policy-20090105.patch b/policy-20090105.patch index f6664c8..5e7f536 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -603,7 +603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_read_user_tmpfs_files(kismet_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.12/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-04-07 15:53:36.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/admin/logrotate.te 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/logrotate.te 2009-05-18 08:21:37.000000000 -0400 @@ -116,8 +116,9 @@ seutil_dontaudit_read_config(logrotate_t) @@ -626,6 +626,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(logrotate_t) ') +@@ -189,3 +194,7 @@ + optional_policy(` + squid_domtrans(logrotate_t) + ') ++ ++optional_policy(` ++ varnishlog_manage_log(logrotate_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.12/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-03-20 12:39:40.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/admin/logwatch.te 2009-05-12 15:30:13.000000000 -0400 
@@ -5068,7 +5076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in 2009-05-12 16:34:51.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in 2009-05-18 09:34:14.000000000 -0400 @@ -1612,6 +1612,24 @@ ######################################## @@ -5121,7 +5129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-03-23 13:47:10.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2009-05-18 08:21:37.000000000 -0400 @@ -65,10 +65,12 @@ type server_packet_t, packet_type, server_packet_type; @@ -5225,7 +5233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -173,14 +197,17 @@ +@@ -173,14 +197,18 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) 
@@ -5235,6 +5243,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) ++network_port(varnishd, tcp,6081,s0, tcp,6082,s0) +network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(vnc, tcp,5900,s0) network_port(wccp, udp,2048,s0) @@ -5245,7 +5254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -209,6 +236,8 @@ +@@ -209,6 +237,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) @@ -5277,7 +5286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-03-05 12:28:56.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-05-18 09:09:23.000000000 -0400 @@ -2268,6 +2268,25 @@ ######################################## 
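Review bot: `network_port(varnishd, tcp,6081,s0, tcp,6082,s0)` places Varnish's client-facing listener (6081) and its management CLI port (6082) under one port type, so any domain later granted connect access to varnishd_port_t — a front-end web server, for instance — is also permitted to reach the administrative interface. Consider giving the CLI port its own type, or, if the grouping is intentional, record it in place so a later connect grant is made knowingly: `network_port(varnishd, tcp,6081,s0, tcp,6082,s0) # 6082 is the management (varnishadm) port`. The surrounding corenetwork.te.in port table continues on both sides of the hunk.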
@@ -9152,7 +9161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.12/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/apache.te 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/apache.te 2009-05-18 09:16:47.000000000 -0400 @@ -19,6 +19,8 @@ # Declarations # @@ -11721,7 +11730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-05-18 14:39:34.000000000 -0400 @@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) @@ -11925,8 +11934,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_audit_msgs(cupsd_t) logging_send_syslog_msg(cupsd_t) -@@ -217,17 +264,21 @@ +@@ -215,19 +262,24 @@ + miscfiles_read_localization(cupsd_t) + # invoking ghostscript needs to read fonts miscfiles_read_fonts(cupsd_t) ++miscfiles_setattr_fonts(cupsd_t) seutil_read_config(cupsd_t) +sysnet_exec_ifconfig(cupsd_t) @@ -11950,7 +11962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -244,8 +295,16 @@ +@@ -244,8 +296,16 @@ userdom_dbus_send_all_users(cupsd_t) optional_policy(` 
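Review bot: `miscfiles_setattr_fonts(cupsd_t)` is added immediately under the comment `# invoking ghostscript needs to read fonts`, but that comment justifies read access only; setattr lets the print daemon change mode, ownership and timestamps of system-wide font files, a write-class permission on a shared resource. Add a comment naming the component that needs it, e.g. `# <filter or helper> needs setattr on fonts — TODO confirm`, or, if the access only silences an audit message, prefer a dontaudit rule over the grant. The cupsd_t local-policy block continues outside the hunk.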
@@ -11967,7 +11979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -261,6 +320,10 @@ +@@ -261,6 +321,10 @@ ') optional_policy(` @@ -11978,7 +11990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -279,7 +342,7 @@ +@@ -279,7 +343,7 @@ # Cups configuration daemon local policy # @@ -11987,7 +11999,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process signal_perms; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -302,8 +365,10 @@ +@@ -302,8 +366,10 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms; @@ -12000,7 +12012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_config_t cupsd_var_run_t:file read_file_perms; -@@ -311,7 +376,7 @@ +@@ -311,7 +377,7 @@ files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) kernel_read_system_state(cupsd_config_t) @@ -12009,7 +12021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(cupsd_config_t) corenet_all_recvfrom_netlabel(cupsd_config_t) -@@ -324,6 +389,7 @@ +@@ -324,6 +390,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -12017,7 +12029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -341,13 +407,14 @@ +@@ -341,13 +408,14 @@ files_read_var_symlinks(cupsd_config_t) # Alternatives asks for this 
@@ -12033,7 +12045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_dontaudit_search_config(cupsd_config_t) -@@ -359,14 +426,16 @@ +@@ -359,14 +427,16 @@ lpd_read_config(cupsd_config_t) ifdef(`distro_redhat',` @@ -12052,7 +12064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -382,6 +451,7 @@ +@@ -382,6 +452,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -12060,7 +12072,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -491,7 +561,10 @@ +@@ -491,7 +562,10 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -12072,7 +12084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(hplip_t) -@@ -500,6 +573,13 @@ +@@ -500,6 +574,13 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -12086,7 +12098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -529,7 +609,8 @@ +@@ -529,7 +610,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -12096,7 +12108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -553,7 +634,9 @@ +@@ -553,7 +635,9 @@ userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -12107,7 +12119,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` dbus_system_bus_client(hplip_t) -@@ -635,3 +718,49 @@ +@@ -635,3 +719,49 @@ optional_policy(` udev_read_db(ptal_t) ') 
@@ -13663,7 +13675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.12/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/fail2ban.if 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/fail2ban.if 2009-05-18 08:59:04.000000000 -0400 @@ -20,6 +20,25 @@ ######################################## @@ -13690,6 +13702,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow the specified domain to read fail2ban's log files. ## ## +@@ -105,7 +124,7 @@ + allow $1 fail2ban_t:process { ptrace signal_perms }; + ps_process_pattern($1, fail2ban_t) + +- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) ++ init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fail2ban_initrc_exec_t system_r; + allow $2 system_r; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.6.12/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/fail2ban.te 2009-05-12 15:30:13.000000000 -0400 
@@ -14417,7 +14438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-05-18 13:42:49.000000000 -0400 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -14434,8 +14455,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local policy -@@ -143,11 +152,16 @@ +@@ -141,13 +150,19 @@ + # hal is now execing pm-suspend + files_create_boot_flag(hald_t) files_getattr_all_dirs(hald_t) ++files_getattr_all_files(hald_t) files_read_kernel_img(hald_t) files_rw_lock_dirs(hald_t) +files_read_generic_pids(hald_t) @@ -14451,7 +14475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_getattr_all_mountpoints(hald_t) mls_file_read_all_levels(hald_t) -@@ -195,6 +209,7 @@ +@@ -195,6 +210,7 @@ seutil_read_file_contexts(hald_t) sysnet_read_config(hald_t) @@ -14459,7 +14483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -277,6 +292,17 @@ +@@ -277,6 +293,17 @@ ') optional_policy(` @@ -14477,7 +14501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_search_nfs_state_data(hald_t) ') -@@ -298,7 +324,11 @@ +@@ -298,7 +325,11 @@ ') optional_policy(` @@ -14490,7 +14514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -306,7 +336,7 @@ +@@ -306,7 +337,7 @@ # Hal acl local policy # 
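Review bot: `files_getattr_all_files(hald_t)` grants getattr on every file type in the system with no comment saying which hald operation requires it, whereas the neighbouring lines are either narrower (`files_read_generic_pids(hald_t)`) or explained (`# hal is now execing pm-suspend`). Because that attribute also covers sensitive types, add a comment naming the trigger, e.g. `# hald stats arbitrary files when <operation> — TODO confirm; dontaudit if it is only audit noise`, or narrow the rule to the types actually touched. The hald_t local-policy block continues outside the hunk.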
@@ -14499,7 +14523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file rw_fifo_file_perms; -@@ -321,6 +351,7 @@ +@@ -321,6 +352,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -14507,7 +14531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(hald_acl_t) -@@ -339,6 +370,8 @@ +@@ -339,6 +371,8 @@ storage_getattr_removable_dev(hald_acl_t) storage_setattr_removable_dev(hald_acl_t) @@ -14516,7 +14540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(hald_acl_t) -@@ -346,12 +379,18 @@ +@@ -346,12 +380,18 @@ miscfiles_read_localization(hald_acl_t) @@ -14536,7 +14560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; -@@ -374,6 +413,8 @@ +@@ -374,6 +414,8 @@ auth_use_nsswitch(hald_mac_t) @@ -14545,7 +14569,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(hald_mac_t) ######################################## -@@ -415,6 +456,55 @@ +@@ -415,6 +457,55 @@ dev_rw_input_dev(hald_keymap_t) 
@@ -14920,8 +14944,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.6.12/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/kerberos.fc 2009-05-14 13:29:16.000000000 -0400 -@@ -6,13 +6,14 @@ ++++ serefpolicy-3.6.12/policy/modules/services/kerberos.fc 2009-05-18 13:00:35.000000000 -0400 +@@ -1,3 +1,6 @@ ++HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) ++/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) ++ + /etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) + /etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0) + +@@ -6,13 +9,14 @@ /etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) /etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) @@ -14937,7 +14968,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -@@ -21,7 +22,7 @@ +@@ -21,7 +25,7 @@ /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) /var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) 
@@ -14946,9 +14977,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.12/policy/modules/services/kerberos.if +--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/kerberos.if 2009-05-18 13:00:14.000000000 -0400 +@@ -128,6 +128,7 @@ + + files_search_etc($1) + allow $1 krb5_conf_t:file read_file_perms; ++ allow $1 krb5_home_t:file read_file_perms; + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/kerberos.te 2009-05-14 13:28:31.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/kerberos.te 2009-05-18 12:59:46.000000000 -0400 @@ -33,6 +33,7 @@ type kpropd_t; type kpropd_exec_t; @@ -14957,7 +14999,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type krb5_conf_t; files_type(krb5_conf_t) -@@ -281,6 +282,7 @@ +@@ -69,6 +70,9 @@ + type krb5kdc_var_run_t; + files_pid_file(krb5kdc_var_run_t) + ++type krb5_home_t; ++userdom_user_home_content(krb5_home_t) ++ + ######################################## + # + # kadmind local policy +@@ -281,6 +285,7 @@ allow kpropd_t krb5_keytab_t:file read_file_perms; 
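Review bot: The added `allow $1 krb5_home_t:file read_file_perms;` grants read on the new krb5_home_t type, but the files this commit labels with it (`HOME_DIR/\.k5login` and `/root/\.k5login` in kerberos.fc) live in home directories, and the interface only does `files_search_etc($1)`; a caller without other home-directory search access is still denied at the directory lookup. The rlogin_read_config template added in the same commit pairs its read rule with `userdom_search_user_home_dirs($1)`; add the same here next to `files_search_etc($1)` (plus whatever search access /root needs), or document that callers must obtain it themselves. The interface being edited starts outside the hunk, so its name and summary are not visible; the summary should say that it now reads per-user .k5login files as well as /etc/krb5.conf.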
@@ -17602,8 +17654,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.12/policy/modules/services/pads.if --- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/pads.if 2009-05-12 15:30:13.000000000 -0400 -@@ -0,0 +1,10 @@ ++++ serefpolicy-3.6.12/policy/modules/services/pads.if 2009-05-18 08:59:32.000000000 -0400 +@@ -0,0 +1,44 @@ +## SELinux policy for PADS daemon. +## +##

@@ -17614,6 +17666,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +##

+##
+ ++######################################## ++## ++## All of the rules required to administrate ++## an pads environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the pads domain. ++## ++## ++## ++# ++interface(`pads_admin', ` ++ gen_require(` ++ type pads_t, pads_config_t; ++ type pads_var_run_t, pads_initrc_exec_t; ++ ') ++ ++ allow $1 pads_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, pads_t) ++ ++ init_labeled_script_domtrans($1, pads_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 pads_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ admin_pattern($1, pads_var_run_t) ++ admin_pattern($1, pads_config_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.12/policy/modules/services/pads.te --- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/pads.te 2009-05-12 15:30:13.000000000 -0400 
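Review bot: The summary of the new `pads_admin` interface reads `an pads environment`; change it to `a PADS environment` to match the module header's `PADS daemon`. The rest of the interface follows the usual admin pattern (ptrace/signal on pads_t, init-script transition, admin_pattern on the run and config types), so no further change is proposed.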
@@ -20863,6 +20949,90 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ccs_stream_connect(ricci_modstorage_t) ccs_read_config(ricci_modstorage_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.fc serefpolicy-3.6.12/policy/modules/services/rlogin.fc +--- nsaserefpolicy/policy/modules/services/rlogin.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/rlogin.fc 2009-05-18 12:57:27.000000000 -0400 +@@ -4,3 +4,5 @@ + /usr/lib(64)?/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0) + + /usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) ++ ++HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.if serefpolicy-3.6.12/policy/modules/services/rlogin.if +--- nsaserefpolicy/policy/modules/services/rlogin.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/rlogin.if 2009-05-18 12:51:14.000000000 -0400 +@@ -18,3 +18,49 @@ + corecmd_search_bin($1) + domtrans_pattern($1, rlogind_exec_t, rlogind_t) + ') ++ ++######################################## ++## ++## Execute rlogind in the rlogin domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`rlogin_domtrans',` ++ gen_require(` ++ type rlogind_t, rlogind_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, rlogind_exec_t, rlogind_t) ++') ++ ++######################################## ++## ++## read rlogin homedir content (.config) ++## ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. 
++## ++## ++# ++template(`rlogin_read_config',` ++ gen_require(` ++ type rlogind_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ list_dirs_pattern($1, rlogind_home_t, rlogind_home_t) ++ read_files_pattern($1, rlogind_home_t, rlogind_home_t) ++ read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.6.12/policy/modules/services/rlogin.te +--- nsaserefpolicy/policy/modules/services/rlogin.te 2009-03-23 13:47:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/rlogin.te 2009-05-18 12:59:52.000000000 -0400 +@@ -20,6 +20,9 @@ + type rlogind_var_run_t; + files_pid_file(rlogind_var_run_t) + ++type rlogind_home_t; ++userdom_user_home_content(rlogind_home_t) ++ + ######################################## + # + # Local policy +@@ -79,6 +82,8 @@ + + logging_send_syslog_msg(rlogind_t) + ++rlogin_read_config(rlogind_t) ++ + miscfiles_read_localization(rlogind_t) + + seutil_read_config(rlogind_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.6.12/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/rpcbind.te 2009-05-12 15:30:13.000000000 -0400 @@ -20978,7 +21148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_user_tmp_files(gssd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.12/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/rshd.te 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/rshd.te 2009-05-18 12:52:41.000000000 -0400 
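Review bot: The doc block of the new `rlogin_read_config` template describes two parameters (a user-domain prefix and a user-domain type), but the body uses only `$1`, and as a domain type; the summary `read rlogin homedir content (.config)` also names a file that the .fc hunk does not label. Replace the two param entries with one reading `Domain allowed access.` and the summary with `Read rlogin home directory content (~/.rlogin).`. The interface whose tail forms the hunk's leading context ends with the same `corecmd_search_bin($1)` / `domtrans_pattern($1, rlogind_exec_t, rlogind_t)` pair, so the added `rlogin_domtrans` looks like a duplicate of an interface that already exists in rlogin.if — worth checking against the unpatched file. Note also that rlogind's host-based trust check reads `~/.rhosts`, and sshd's reads `~/.rhosts` and `~/.shosts`, none of which this .fc hunk labels, so the template called here and in the ssh.if server-template hunk (`@@ -265,15 +268,11 @@`) covers only `~/.rlogin` while those files stay generic home content.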
@@ -51,7 +51,7 @@ files_list_home(rshd_t) @@ -20988,6 +21158,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_login_pgm_domain(rshd_t) auth_write_login_records(rshd_t) +@@ -84,6 +84,10 @@ + ') + + optional_policy(` ++ rlogin_read_config(rlogind_t) ++') ++ ++optional_policy(` + tcpd_wrapped_domain(rshd_t, rshd_exec_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-03-23 13:47:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/rsync.te 2009-05-12 15:30:13.000000000 -0400 @@ -22799,6 +22980,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(snmpd_t) dev_read_sysfs(snmpd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.6.12/policy/modules/services/snort.if +--- nsaserefpolicy/policy/modules/services/snort.if 2008-10-10 15:53:03.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/snort.if 2009-05-18 08:57:28.000000000 -0400 +@@ -38,6 +38,7 @@ + interface(`snort_admin',` + gen_require(` + type snort_t, snort_var_run_t, snort_log_t; ++ type snort_etc_t; + type snort_initrc_exec_t; + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.12/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/snort.te 2009-05-12 15:30:13.000000000 -0400 
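Review bot: The `rlogin_read_config(rlogind_t)` added to rshd.te names the wrong domain: this file's domain is `rshd_t` (see `auth_login_pgm_domain(rshd_t)` and `tcpd_wrapped_domain(rshd_t, rshd_exec_t)` in the surrounding context), and rlogind_t is not declared in this module, so the call grants rshd nothing and is likely to break a modular build with an undeclared type. Change it to `rlogin_read_config(rshd_t)`. rlogin.te already carries `rlogin_read_config(rlogind_t)` in this commit, so no call for rlogind_t is needed here.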
@@ -23318,7 +23510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.12/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ssh.fc 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/ssh.fc 2009-05-16 08:22:41.000000000 -0400 @@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) @@ -23327,7 +23519,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-05-14 14:05:37.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-05-18 12:55:03.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -23466,7 +23658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_getattr_all_fs($1_t) -@@ -245,6 +243,8 @@ +@@ -245,18 +243,23 @@ files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) @@ -23475,8 +23667,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_search_logs($1_t) -@@ -254,9 +254,14 @@ + miscfiles_read_localization($1_t) +- sysnet_read_config($1_t) +- userdom_dontaudit_relabelfrom_user_ptys($1_t) userdom_search_user_home_dirs($1_t) + userdom_read_user_home_content_files($1_t) 
@@ -23490,20 +23684,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -265,11 +270,7 @@ +@@ -265,15 +268,11 @@ optional_policy(` kerberos_use($1_t) ++ kerberos_manage_host_rcache($1_t) + ') + + optional_policy(` +- # Allow checking users mail at login +- mta_getattr_spool($1_t) - ') - - optional_policy(` -- # Allow checking users mail at login -- mta_getattr_spool($1_t) -+ kerberos_manage_host_rcache($1_t) +- nscd_socket_use($1_t) ++ rlogin_read_config($1_t) ') optional_policy(` -@@ -345,6 +346,7 @@ +@@ -345,6 +344,7 @@ allow ssh_t $3:unix_stream_socket connectto; # user can manage the keys and config @@ -23511,7 +23710,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($3, home_ssh_t, home_ssh_t) manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t) manage_sock_files_pattern($3, home_ssh_t, home_ssh_t) -@@ -454,6 +456,24 @@ +@@ -454,6 +454,24 @@ ######################################## ## @@ -23536,7 +23735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read a ssh server unnamed pipe. ## ## -@@ -469,6 +489,23 @@ +@@ -469,6 +487,23 @@ allow $1 sshd_t:fifo_file { getattr read }; ') @@ -23560,7 +23759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## -@@ -611,3 +648,42 @@ +@@ -611,3 +646,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') 
@@ -23605,7 +23804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.12/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-05-18 12:53:20.000000000 -0400 @@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) @@ -23764,7 +23963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') -@@ -408,6 +424,8 @@ +@@ -408,15 +424,13 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) @@ -23773,6 +23972,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) + + optional_policy(` +- nscd_socket_use(ssh_keygen_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(ssh_keygen_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.12/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/sssd.fc 2009-05-12 15:30:13.000000000 -0400 
@@ -24384,6 +24592,377 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.fc serefpolicy-3.6.12/policy/modules/services/varnishd.fc +--- nsaserefpolicy/policy/modules/services/varnishd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/varnishd.fc 2009-05-18 08:21:37.000000000 -0400 +@@ -0,0 +1,20 @@ ++ ++/etc/rc\.d/init\.d/varnish -- gen_context(system_u:object_r:varnishd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/varnishlog -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/varnishncsa -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0) ++ ++/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0) ++ ++/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0) ++/usr/bin/varnisncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0) ++ ++/usr/sbin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0) ++ ++/var/lib/varnish(/.*)? gen_context(system_u:object_r:varnishd_var_lib_t,s0) ++ ++/var/log/varnish(/.*)? 
gen_context(system_u:object_r:varnishlog_log_t,s0) ++ ++/var/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0) ++/var/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0) ++/var/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.6.12/policy/modules/services/varnishd.if +--- nsaserefpolicy/policy/modules/services/varnishd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/varnishd.if 2009-05-18 08:21:37.000000000 -0400 +@@ -0,0 +1,202 @@ ++## Varnishd http accelerator daemon ++ ++####################################### ++## ++## Execute varnishd in the varnishd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`varnishd_domtrans',` ++ gen_require(` ++ type varnishd_t, varnishd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, varnishd_exec_t, varnishd_t) ++') ++ ++####################################### ++## ++## Execute varnishd ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`varnishd_exec',` ++ gen_require(` ++ type varnishd_exec_t; ++ ') ++ ++ can_exec($1, varnishd_exec_t) ++') ++ ++###################################### ++## ++## Read varnishd configuration file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`varnishd_read_config',` ++ gen_require(` ++ type varnishd_etc_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) ++') ++ ++####################################### ++## ++## Read varnish logs. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`varnish_read_log',` ++ gen_require(` ++ type varnishlog_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, varnishlog_log_t, varnishlog_log_t) ++') ++ ++###################################### ++## ++## Append varnish logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`varnishlog_append_log',` ++ gen_require(` ++ type varnishlog_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, varnishlog_log_t, varnishlog_log_t) ++') ++ ++##################################### ++## ++## Manage varnish logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`varnishlog_manage_log',` ++ gen_require(` ++ type varnishlog_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t) ++') ++ ++####################################### ++## ++## All of the rules required to administrate ++## an varnishd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the varnishd domain. 
++## ++## ++## ++# ++interface(`varnishd_admin',` ++ gen_require(` ++ type varnishd_t, varnishd_var_lib_t, varnishd_etc_t; ++ type varnishd_var_run_t, varnishd_tmp_t; ++ type varnishd_initrc_exec_t; ++ ') ++ ++ allow $1 varnishd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, varnishd_t) ++ ++ init_labeled_script_domtrans($1, varnishd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 varnishd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_var_lib($1) ++ admin_pattern($1, varnishd_var_lib_t) ++ ++ files_search_etc($1) ++ admin_pattern($1, varnishd_etc_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, varnishd_var_run_t) ++ ++ files_search_tmp($1) ++ admin_pattern($1, varnishd_tmp_t) ++ ++') ++ ++###################################### ++## ++## All of the rules required to administrate ++## an varnishlog environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the varnishlog domain. 
++## ++## ++## ++# ++interface(`varnishlog_admin',` ++ gen_require(` ++ type varnishlog_t; ++ type varnishlog_var_run_t, varnishlog_log_t; ++ type varnishlog_initrc_exec_t; ++ ') ++ ++ allow $1 varnishlog_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, varnishlog_t) ++ ++ init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 varnishlog_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_pids($1) ++ admin_pattern($1, varnishlog_var_run_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, varnishlog_log_t) ++ ++') ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.6.12/policy/modules/services/varnishd.te +--- nsaserefpolicy/policy/modules/services/varnishd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/varnishd.te 2009-05-18 08:21:37.000000000 -0400 +@@ -0,0 +1,137 @@ ++policy_module(varnishd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

++## Allow varnishd to connect to all ports, ++## not just HTTP. ++##

++##
++gen_tunable(varnishd_connect_any, false) ++ ++ ++type varnishd_t; ++type varnishd_exec_t; ++init_daemon_domain(varnishd_t, varnishd_exec_t) ++ ++type varnishd_initrc_exec_t; ++init_script_file(varnishd_initrc_exec_t) ++ ++# etc files ++type varnishd_etc_t; ++files_type(varnishd_etc_t) ++ ++# tmp files ++type varnishd_tmp_t; ++files_tmp_file(varnishd_tmp_t) ++ ++# var/lib files ++type varnishd_var_lib_t; ++files_type(varnishd_var_lib_t) ++ ++# pid files ++type varnishd_var_run_t; ++files_pid_file(varnishd_var_run_t) ++ ++ ++type varnishlog_t; ++type varnishlog_exec_t; ++init_daemon_domain(varnishlog_t, varnishlog_exec_t) ++ ++type varnishlog_initrc_exec_t; ++init_script_file(varnishlog_initrc_exec_t) ++ ++# pid files ++type varnishlog_var_run_t; ++files_pid_file(varnishlog_var_run_t) ++ ++# log files ++type varnishlog_log_t; ++files_type(varnishlog_log_t) ++ ++######################################## ++# ++# varnishd local policy ++# ++ ++allow varnishd_t self:capability { dac_override ipc_lock setuid setgid }; ++allow varnishd_t self:process signal; ++allow varnishd_t self:fifo_file rw_fifo_file_perms; ++allow varnishd_t self:tcp_socket create_stream_socket_perms; ++allow varnishd_t self:udp_socket create_socket_perms; ++ ++# etc file ++read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t) ++list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t) ++ ++# var/lib files for varnishd ++exec_files_pattern(varnishd_t,varnishd_var_lib_t,varnishd_var_lib_t) ++manage_dirs_pattern(varnishd_t,varnishd_var_lib_t,varnishd_var_lib_t) ++manage_files_pattern(varnishd_t,varnishd_var_lib_t,varnishd_var_lib_t) ++files_var_lib_filetrans(varnishd_t,varnishd_var_lib_t, { dir file }) ++ ++# tmp files for varnishd ++manage_dirs_pattern(varnishd_t,varnishd_tmp_t,varnishd_tmp_t) ++manage_files_pattern(varnishd_t,varnishd_tmp_t,varnishd_tmp_t) ++files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir }) ++ ++# pid files ++manage_files_pattern(varnishd_t, 
varnishd_var_run_t, varnishd_var_run_t) ++files_pid_filetrans(varnishd_t,varnishd_var_run_t,{ file }) ++ ++kernel_read_system_state(varnishd_t) ++ ++corenet_tcp_bind_all_nodes(varnishd_t) ++corenet_tcp_bind_http_port(varnishd_t) ++corenet_tcp_bind_http_cache_port(varnishd_t) ++corenet_tcp_bind_varnishd_port(varnishd_t) ++corenet_tcp_connect_http_cache_port(varnishd_t) ++corenet_tcp_connect_http_port(varnishd_t) ++ ++sysnet_read_config(varnishd_t) ++ ++auth_use_nsswitch(varnishd_t) ++ ++corecmd_exec_bin(varnishd_t) ++corecmd_exec_shell(varnishd_t) ++ ++dev_read_urand(varnishd_t) ++ ++fs_getattr_all_fs(varnishd_t) ++ ++libs_use_ld_so(varnishd_t) ++libs_use_shared_libs(varnishd_t) ++ ++logging_send_syslog_msg(varnishd_t) ++ ++miscfiles_read_localization(varnishd_t) ++ ++tunable_policy(`varnishd_connect_any',` ++ corenet_tcp_connect_all_ports(varnishd_t) ++ corenet_tcp_bind_all_ports(varnishd_t) ++') ++ ++permissive varnishd_t; ++ ++####################################### ++# ++# varnishlog local policy ++# ++ ++# pid files ++manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t) ++files_pid_filetrans(varnishlog_t,varnishlog_var_run_t,{ file }) ++ ++# log files ++manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) ++manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) ++logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir }) ++ ++files_search_var_lib(varnishlog_t) ++read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t) ++ ++permissive varnishlog_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.12/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/virt.fc 2009-05-12 15:30:13.000000000 -0400 
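Review bot: The varnishd.fc entry `++/usr/bin/varnisncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)` misspells the binary, so the real `/usr/bin/varnishncsa` gets no file context and will not transition into `varnishlog_t` when its (correctly labelled) init script starts it; the line should read `/usr/bin/varnishncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)`. In varnishd.te the `varnishd_connect_any` tunable is described as letting varnishd connect to all ports, yet its block also grants `corenet_tcp_bind_all_ports(varnishd_t)`, a wider privilege than the name or description conveys — either drop the bind rule or state it in the tunable's description. The varnishlog local policy has none of the `libs_use_ld_so`, `libs_use_shared_libs`, `miscfiles_read_localization` or `logging_send_syslog_msg` rules that the varnishd block carries, which will presumably surface as denials once `varnishlog_t` runs unless something outside this hunk supplies them. Both domains are declared `permissive`, so nothing is enforced yet; those two lines deserve a marker such as `# TODO: remove once the policy has been exercised in enforcing mode` so they are not left behind. The interface `varnish_read_log` also breaks the `varnishd_`/`varnishlog_` prefix convention the other interfaces in varnishd.if follow.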
@@ -28105,7 +28684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.12/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/logging.if 2009-05-12 15:30:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/logging.if 2009-05-18 09:09:12.000000000 -0400 @@ -623,7 +623,7 @@ ') @@ -28458,6 +29037,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.12/policy/modules/system/miscfiles.if +--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-03-20 12:39:40.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/miscfiles.if 2009-05-18 14:39:11.000000000 -0400 +@@ -87,6 +87,25 @@ + + ######################################## + ## ++## Allow domaint ot setattr on fonts dir ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`miscfiles_setattr_fonts',` ++ gen_require(` ++ type fonts_t; ++ ') ++ ++ allow $1 fonts_t:dir setattr; ++') ++ ++######################################## ++## + ## Do not audit attempts to write fonts. + ## + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.12/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/modutils.te 2009-05-12 15:30:13.000000000 -0400
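Review bot: The summary of the new `miscfiles_setattr_fonts` interface reads `## Allow domaint ot setattr on fonts dir`; suggest `## Allow the specified domain to set attributes on the fonts directory`. Since the interface grants only `setattr` on `fonts_t:dir`, a name carrying the object class, `miscfiles_setattr_fonts_dirs`, would follow the `files_setattr_etc_dirs` pattern used elsewhere in refpolicy and make the scope visible to callers; the rename would also have to be applied at the call site, which is outside this hunk. The logging.if hunk above it is a timestamp-only change and needs nothing.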