diff --git a/policy-20070525.patch b/policy-20070525.patch index 205f655..213e104 100644 --- a/policy-20070525.patch +++ b/policy-20070525.patch @@ -129,7 +129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere .TP diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.1/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2007-06-19 16:23:34.000000000 -0400 -+++ serefpolicy-3.0.1/policy/flask/access_vectors 2007-06-22 14:07:33.000000000 -0400 ++++ serefpolicy-3.0.1/policy/flask/access_vectors 2007-06-26 16:20:20.000000000 -0400 @@ -598,6 +598,8 @@ shmempwd shmemgrp @@ -2350,7 +2350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.1/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if 2007-06-27 10:04:58.000000000 -0400 @@ -1096,6 +1096,24 @@ ######################################## @@ -2660,7 +2660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te attribute privrangetrans; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.1/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/kernel/selinux.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/kernel/selinux.if 2007-06-27 10:07:44.000000000 -0400 @@ -51,6 +51,44 @@ ######################################## @@ -2706,6 +2706,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu ## Search selinuxfs. ## ## +@@ -101,6 +139,7 @@ + type security_t; + ') + ++ selinux_dontaudit_getattr_fs($1) + dontaudit $1 security_t:dir search_dir_perms; + dontaudit $1 security_t:file { getattr read }; + ') +@@ -122,6 +161,7 @@ + type security_t; + ') + ++ selinux_get_fs_mount($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file { getattr read }; + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.1/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2007-06-15 14:54:30.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/kernel/storage.if 2007-06-19 17:06:27.000000000 -0400 @@ -3467,7 +3483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.1/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/apcupsd.te 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/services/apcupsd.te 2007-06-27 08:33:56.000000000 -0400 @@ -16,6 +16,9 @@ type apcupsd_log_t; logging_log_file(apcupsd_log_t) @@ -3603,6 +3619,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto dev_read_urand(automount_t) domain_use_interactive_fds(automount_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.1/policy/modules/services/avahi.te +--- nsaserefpolicy/policy/modules/services/avahi.te 2007-06-15 14:54:33.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/services/avahi.te 2007-06-27 10:05:15.000000000 -0400 +@@ -56,6 +56,7 @@ + + fs_getattr_all_fs(avahi_t) + fs_search_auto_mountpoints(avahi_t) ++fs_list_inotifyfs(avahi_t) + + domain_use_interactive_fds(avahi_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.0.1/policy/modules/services/bind.fc --- nsaserefpolicy/policy/modules/services/bind.fc 2007-05-29 14:10:57.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/services/bind.fc 2007-06-19 17:06:27.000000000 -0400 @@ -6337,8 +6364,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_search_auto_mountpoints($1_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.1/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/rpc.te 2007-06-20 06:34:45.000000000 -0400 -@@ -79,6 +79,7 @@ ++++ serefpolicy-3.0.1/policy/modules/services/rpc.te 2007-06-27 10:08:39.000000000 -0400 +@@ -76,9 +76,11 @@ + miscfiles_read_certs(rpcd_t) + + seutil_dontaudit_search_config(rpcd_t) ++selinux_dontaudit_read_fs(rpcd_t) optional_policy(` nis_read_ypserv_config(rpcd_t) @@ -6346,7 +6377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') ######################################## -@@ -91,6 +92,9 @@ +@@ -91,6 +93,9 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; @@ -6356,7 +6387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) -@@ -123,6 +127,7 @@ +@@ -123,6 +128,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) @@ -6364,7 +6395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') tunable_policy(`nfs_export_all_ro',` -@@ -158,6 +163,11 @@ +@@ -158,6 +164,11 @@ miscfiles_read_certs(gssd_t) @@ -7740,7 +7771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.0.1/policy/modules/system/fstools.if --- nsaserefpolicy/policy/modules/system/fstools.if 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/fstools.if 2007-06-19 17:06:27.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/system/fstools.if 2007-06-27 08:13:43.000000000 -0400 @@ -124,3 +124,22 @@ allow $1 swapfile_t:file getattr; @@ -9262,7 +9293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.1/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/udev.te 2007-06-22 11:39:51.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/system/udev.te 2007-06-27 08:08:02.000000000 -0400 @@ -68,8 +68,9 @@ allow udev_t udev_tbl_t:file manage_file_perms; dev_filetrans(udev_t,udev_tbl_t,file) @@ -9314,7 +9345,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t userdom_dontaudit_search_all_users_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -188,5 +202,24 @@ +@@ -178,6 +192,10 @@ + ') + + optional_policy(` ++ fstools_domtrans(udev_t) ++') ++ ++optional_policy(` + hal_dgram_send(udev_t) + ') + +@@ -188,5 +206,24 @@ ') optional_policy(`