diff --git a/modules-minimum.conf b/modules-minimum.conf index 3c06644..28611ef 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -527,6 +527,13 @@ hal = module # polkit = module +# Layer: services +# Module: psad +# +# Analyze iptables log for hostile traffic +# +psad = module + # Layer: system # Module: hostname # diff --git a/modules-mls.conf b/modules-mls.conf index eea74cd..3577d01 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -527,6 +527,13 @@ hal = module # polkit = module +# Layer: services +# Module: psad +# +# Analyze iptables log for hostile traffic +# +psad = module + # Layer: system # Module: hostname # @@ -1329,13 +1336,6 @@ ulogd = module # wine = module -# Layer: apps -# Module: wm -# -# X windows window manager -# -#wm = module - # Layer: admin # Module: tzdata # @@ -1767,3 +1767,11 @@ pingd = module # # milter = module + +# Layer: apps +# Module: wm +# +# X windows window manager +# +wm = module + diff --git a/modules-targeted.conf b/modules-targeted.conf index 3c06644..28611ef 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -527,6 +527,13 @@ hal = module # polkit = module +# Layer: services +# Module: psad +# +# Analyze iptables log for hostile traffic +# +psad = module + # Layer: system # Module: hostname # diff --git a/policy-20090105.patch b/policy-20090105.patch index 19d0b5c..df9c30f 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -2194,7 +2194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +seutil_domtrans_setfiles_mac(livecd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.3/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.3/policy/modules/apps/mono.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/apps/mono.if 2009-01-21 12:26:56.000000000 -0500 
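Review bot: `psad = module` is switched on here and in the matching hunks of modules-mls.conf and modules-targeted.conf, but the psad.te added later in this same diff ends with `permissive psad_t;`, so in all three configurations the new daemon's denials are only logged, never enforced. Loading a permissive domain into the mls build in particular works against what that configuration is for. Either keep the entry disabled (`#psad = module`) until the permissive line is dropped, or record the state in the module header, e.g. `# NOTE: psad_t is currently declared permissive in psad.te`.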
@@ -21,6 +21,103 @@ ######################################## @@ -3933,8 +3933,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.3/policy/modules/apps/wm.if --- nsaserefpolicy/policy/modules/apps/wm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/apps/wm.if 2009-01-19 13:10:02.000000000 -0500 -@@ -0,0 +1,19 @@ ++++ serefpolicy-3.6.3/policy/modules/apps/wm.if 2009-01-21 14:33:42.000000000 -0500 +@@ -0,0 +1,108 @@ +## Window Manager. + +######################################## @@ -3954,114 +3954,108 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + can_exec($1, wm_exec_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.3/policy/modules/apps/wm.te ---- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/apps/wm.te 2009-01-19 13:10:02.000000000 -0500 -@@ -0,0 +1,104 @@ -+policy_module(wm,0.0.4) + -+######################################## -+# -+# Declarations ++####################################### ++## ++## The role template for the wm module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for wm applications. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++## ++## ++## The type of the user domain. ++## ++## +# ++template(`wm_role_template',` ++ gen_require(` ++ type wm_exec_t; ++ ') + -+type wm_t; -+type wm_exec_t; -+domain_type(wm_t) -+domain_entry_file(wm_t,wm_exec_t) -+role user_r types wm_t; -+ -+type wm_tmpfs_t; -+ -+files_read_etc_files(wm_t) -+ -+nscd_dontaudit_search_pid(wm_t) -+ -+miscfiles_read_localization(wm_t) -+ -+dev_read_urand(wm_t) -+ -+files_list_tmp(wm_t) ++ type $1_wm_t; ++ domain_type($1_wm_t) ++ domain_entry_file($1_wm_t, wm_exec_t) ++ role $2 types $1_wm_t; + -+allow wm_t proc_t:file { read getattr }; ++ domtrans_pattern($3, wm_exec_t, $1_wm_t) + -+allow wm_t info_xproperty_t:x_property { write create }; ++ corecmd_bin_domtrans($1_wm_t, $1_t) ++ corecmd_shell_domtrans($1_wm_t, $1_t) + -+allow wm_t self:process getsched; -+allow wm_t self:x_drawable blend; ++ ifdef(`enable_mls',` ++ mls_file_read_all_levels($1_wm_t) ++ mls_file_write_all_levels($1_wm_t) ++ mls_xwin_read_all_levels($1_wm_t) ++ mls_xwin_write_all_levels($1_wm_t) ++ mls_fd_use_all_levels($1_wm_t) ++ ') + -+allow wm_t tmpfs_t:file { read write }; ++ files_read_etc_files($1_wm_t) ++ files_read_usr_files($1_wm_t) + -+allow wm_t usr_t:file { read getattr }; -+allow wm_t usr_t:lnk_file read; ++ miscfiles_read_fonts($1_wm_t) ++ miscfiles_read_localization($1_wm_t) + -+allow wm_t user_tmp_t:dir { write search setattr remove_name getattr add_name }; -+allow wm_t user_tmp_t:sock_file { write create unlink }; ++ optional_policy(` ++ gnome_read_config($1_wm_t) ++ gnome_read_gconf_config($1_wm_t) ++ ') + -+allow wm_t user_t:unix_stream_socket connectto; -+allow wm_t self:fifo_file { write read }; ++ auth_use_nsswitch($1_wm_t) + ++ kernel_read_system_state($1_wm_t) + -+allow wm_t client_xevent_t:x_synthetic_event send; -+allow wm_t focus_xevent_t:x_event receive; -+allow wm_t 
input_xevent_t:x_event receive; -+allow wm_t manage_xevent_t:x_event receive; -+allow wm_t manage_xevent_t:x_synthetic_event { receive send }; -+allow wm_t property_xevent_t:x_event receive; -+allow wm_t xproperty_t:x_property { read write destroy }; -+allow wm_t rootwindow_t:x_colormap { install uninstall use add_color remove_color read }; -+allow wm_t rootwindow_t:x_drawable { read write manage setattr get_property hide show receive set_property create send add_child remove_child getattr list_property blend list_child destroy override }; -+allow wm_t xproperty_t:x_property { write read }; -+allow wm_t xserver_t:x_device { force_cursor setfocus use setattr grab manage getattr freeze write }; -+allow wm_t xserver_t:x_resource { read write }; -+allow wm_t xserver_t:x_screen setattr; -+allow wm_t xselection_t:x_selection setattr; ++ allow $1_wm_t self:fifo_file rw_fifo_file_perms; ++ allow $1_wm_t self:process getsched; ++ allow $1_wm_t self:shm create_shm_perms; + -+allow wm_t :x_drawable { get_property setattr show receive manage send read getattr list_child set_property }; -+allow wm_t $2_t:x_resource { read write }; ++ allow $1_wm_t $1_t:unix_stream_socket connectto; + -+ifdef(`enable_mls',` -+ mls_file_read_all_levels(wm_t) -+ mls_file_write_all_levels(wm_t) -+ mls_xwin_read_all_levels(wm_t) -+ mls_xwin_write_all_levels(wm_t) -+ mls_fd_use_all_levels(wm_t) -+') ++ optional_policy(` ++ dbus_system_bus_client($1_wm_t) ++ ') + -+corecmd_exec_bin(wm_t) -+can_exec(wm_t, { shell_exec_t }) -+domtrans_pattern(wm_t,bin_t,user_t) ++ userdom_unpriv_usertype($1, $1_wm_t) + -+allow user_t wm_t:unix_stream_socket connectto; -+allow user_t wm_t:x_drawable { receive get_property getattr list_child }; ++ userdom_manage_home_role($1_r, $1_wm_t) ++ userdom_manage_tmpfs_role($1_r, $1_wm_t) ++ userdom_manage_tmp_role($1_r, $1_wm_t) + -+allow user_t wm_t:process signal; ++ dev_read_urand($1_wm_t) + -+optional_policy(` -+ dbus_system_bus_client(wm_t) -+ dbus_user_bus_client(user,wm_t) 
++ optional_policy(` ++ xserver_role($1_r, $1_wm_t) ++ xserver_use_xdm($1_wm_t) ++ ') +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.3/policy/modules/apps/wm.te +--- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/apps/wm.te 2009-01-21 12:37:15.000000000 -0500 +@@ -0,0 +1,9 @@ ++policy_module(wm,0.0.4) + -+allow wm_t user_home_t:dir { search getattr }; -+allow wm_t user_xproperty_t:x_property { read write destroy }; -+allow wm_t default_t:dir search; -+allow wm_t home_root_t:dir search; -+allow wm_t user_home_dir_t:dir search; -+allow wm_t xserver_tmp_t:dir search; -+allow wm_t xserver_tmp_t:lnk_file read; -+allow wm_t user_home_dir_t:dir search_dir_perms; -+manage_files_pattern(wm_t,user_tmp_t,user_tmp_t) -+allow wm_t user_home_t:file { write read getattr }; -+allow wm_t xserver_t:unix_stream_socket connectto; -+allow wm_t xserver_tmp_t:sock_file write; -+manage_lnk_files_pattern(wm_t, xserver_tmp_t, xserver_tmp_t) -+ -+allow wm_t security_xext_t:x_extension { query use }; -+ -+userdom_use_user_terminals(wm_t) -+ ++######################################## ++# ++# Declarations ++# + -+xserver_user_x_domain_template(user, wm_t, wm_tmpfs_t) ++type wm_exec_t; ++corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc 2009-01-20 14:46:23.000000000 -0500 
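Review bot: The `ifdef(`enable_mls',` block inside `wm_role_template` grants `mls_file_read_all_levels`/`mls_file_write_all_levels` plus the xwin and fd all-level overrides to every `$1_wm_t` the template instantiates, while the same domain is registered as unprivileged through `userdom_unpriv_usertype($1, $1_wm_t)`. The old single `wm_t` carried the same overrides, but the template now hands them to any user prefix and role that calls it. The xwin overrides are plausibly what a window manager needs to manage client windows at other levels; the two file overrides look broader than that, so either drop them or add a comment above the block such as `# MLS: WM must read/write files at all levels because … (TODO justify)`. The `gen_require` listing only `wm_exec_t` while the body uses `$1_t` and `$1_r` is conventional for a template, so nothing to change there.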
@@ -4962,7 +4956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type power_device_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.3/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/domain.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/domain.if 2009-01-21 13:16:11.000000000 -0500 @@ -1247,18 +1247,34 @@ ## ## @@ -5452,7 +5446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.3/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if 2009-01-20 14:57:41.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if 2009-01-21 13:00:37.000000000 -0500 @@ -534,6 +534,24 @@ ######################################## @@ -9208,7 +9202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.6.3/policy/modules/services/avahi.if --- nsaserefpolicy/policy/modules/services/avahi.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/avahi.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/avahi.if 2009-01-21 15:37:35.000000000 -0500 @@ -21,6 +21,25 @@ ######################################## 
@@ -10129,7 +10123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.3/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/cron.if 2009-01-20 15:16:32.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/cron.if 2009-01-21 15:20:50.000000000 -0500 @@ -12,6 +12,10 @@ ## # @@ -10141,7 +10135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # # Declarations -@@ -31,7 +35,11 @@ +@@ -31,13 +35,18 @@ # dac_override is to create the file in the directory under /tmp allow $1_t self:capability { fowner setuid setgid chown dac_override }; @@ -10154,7 +10148,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_t $1_tmp_t:file manage_file_perms; files_tmp_filetrans($1_t,$1_tmp_t,file) -@@ -58,6 +66,12 @@ + + # create files in /var/spool/cron + # cjp: change this to a role transition ++ manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t) + manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t) + filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) + files_search_spool($1_t) +@@ -58,6 +67,12 @@ files_dontaudit_search_pids($1_t) logging_send_syslog_msg($1_t) @@ -10167,7 +10168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization($1_t) -@@ -261,6 +275,7 @@ +@@ -261,6 +276,7 @@ allow $1 system_cronjob_t:fifo_file rw_file_perms; allow $1 system_cronjob_t:process sigchld; 
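Review bot: The added `manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t)` only grants something beyond the existing `manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t)` on the next line if directories themselves are labelled `user_cron_spool_t`, and nothing in the hunk shows where such a directory comes from. A one-line comment naming that path, e.g. `# rw_dir_perms on user_cron_spool_t dirs: <TODO: which directory carries this label>`, would stop the next reader from treating the line as a duplicate. Since `user_cron_spool_t` appears to be a single type shared by every user's crontab, the rule leaves per-user separation to DAC alone; that is worth stating in the same comment. The enclosing template starts and ends outside the hunk.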
@@ -10175,7 +10176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 crond_t:fifo_file rw_file_perms; allow $1 crond_t:fd use; allow $1 crond_t:process sigchld; -@@ -343,6 +358,24 @@ +@@ -343,6 +359,24 @@ ######################################## ## @@ -10200,7 +10201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write a cron daemon unnamed pipe. ## ## -@@ -361,7 +394,7 @@ +@@ -361,7 +395,7 @@ ######################################## ## @@ -10209,7 +10210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -369,7 +402,7 @@ +@@ -369,7 +403,7 @@ ## ## # @@ -10218,7 +10219,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gen_require(` type crond_t; ') -@@ -481,11 +514,14 @@ +@@ -481,11 +515,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -10234,7 +10235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -506,3 +542,82 @@ +@@ -506,3 +543,82 @@ dontaudit $1 system_cronjob_tmp_t:file append; ') @@ -10319,7 +10320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.3/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/cron.te 2009-01-20 16:52:23.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/cron.te 2009-01-21 15:19:17.000000000 -0500 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) 
@@ -11417,7 +11418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.3/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/dbus.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/dbus.te 2009-01-21 14:05:46.000000000 -0500 @@ -9,14 +9,15 @@ # # Delcarations @@ -11436,7 +11437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type session_dbusd_tmp_t; typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; -@@ -31,11 +32,23 @@ +@@ -31,11 +32,24 @@ files_tmp_file(system_dbusd_tmp_t) type system_dbusd_var_lib_t; @@ -11456,12 +11457,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mls_rangetrans_target(system_dbusd_t) + mls_file_read_all_levels(system_dbusd_t) + mls_socket_write_all_levels(system_dbusd_t) ++ mls_socket_read_to_clearance(system_dbusd_t) +') + ############################## # # System bus local policy -@@ -45,7 +58,7 @@ +@@ -45,7 +59,7 @@ # cjp: dac_override should probably go in a distro_debian allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; dontaudit system_dbusd_t self:capability sys_tty_config; @@ -11470,7 +11472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow system_dbusd_t self:fifo_file rw_fifo_file_perms; allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -@@ -53,6 +66,8 @@ +@@ -53,6 +67,8 @@ # Receive notifications of policy reloads and enforcing status changes. allow system_dbusd_t self:netlink_selinux_socket { create bind read }; 
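Review bot: `mls_socket_read_to_clearance(system_dbusd_t)` is the fourth MLS override added to the system bus without any comment saying why the bus has to cross levels, and the `ifdef(`enable_mls',` opener itself sits outside the hunk. A short comment above the block, along the lines of `# MLS: the system bus is a range-transition target and must accept client sockets up to its clearance` (wording to be confirmed against the denial this actually fixes), would make the block reviewable later. Without it the next person will not know which of the four calls can be removed when the underlying need changes.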
@@ -11479,7 +11481,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) -@@ -75,6 +90,8 @@ +@@ -75,6 +91,8 @@ fs_getattr_all_fs(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t) @@ -11488,7 +11490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_fs_mount(system_dbusd_t) selinux_validate_context(system_dbusd_t) -@@ -91,9 +108,9 @@ +@@ -91,9 +109,9 @@ corecmd_list_bin(system_dbusd_t) corecmd_read_bin_pipes(system_dbusd_t) corecmd_read_bin_sockets(system_dbusd_t) @@ -11499,7 +11501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(system_dbusd_t) files_list_home(system_dbusd_t) -@@ -101,6 +118,8 @@ +@@ -101,6 +119,8 @@ init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) @@ -11508,7 +11510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -128,9 +147,34 @@ +@@ -128,9 +148,34 @@ ') optional_policy(` 
@@ -14220,9 +14222,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.3/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.6.3/policy/modules/services/networkmanager.fc 2009-01-19 13:10:02.000000000 -0500 -@@ -1,8 +1,12 @@ ++++ serefpolicy-3.6.3/policy/modules/services/networkmanager.fc 2009-01-21 12:55:52.000000000 -0500 +@@ -1,8 +1,13 @@ +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) @@ -14234,7 +14237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) -@@ -10,3 +14,4 @@ +@@ -10,3 +15,4 @@ /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) 
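Review bot: The new `/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)` labels a libexec helper with the init-script exec type, which presumably makes it run in the initrc domain rather than in NetworkManager_t; given that its job is to run the scripts under /etc/NetworkManager/dispatcher.d, that is a very broad domain for a helper, and a dedicated dispatcher domain would be the tighter fix. At minimum a comment such as `# dispatcher helper runs as initrc so dispatcher.d scripts get init-style access` should record the intent. The neighbouring pre-existing pattern `/etc/NetworkManager/dispatcher\.d(/.*)` lacks the trailing `?`, so the directory itself is not matched by that line; worth fixing while here.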
@@ -18369,202 +18372,642 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + mailscanner_read_spool(procmail_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.3/policy/modules/services/pyzor.fc ---- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/pyzor.fc 2009-01-19 13:10:02.000000000 -0500 -@@ -1,6 +1,8 @@ - /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) -+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) - - HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) -+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) - - /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) - /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.3/policy/modules/services/pyzor.if ---- nsaserefpolicy/policy/modules/services/pyzor.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/pyzor.if 2009-01-19 13:10:02.000000000 -0500 -@@ -88,3 +88,50 @@ - corecmd_search_bin($1) - can_exec($1, pyzor_exec_t) - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.3/policy/modules/services/psad.fc +--- nsaserefpolicy/policy/modules/services/psad.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/psad.fc 2009-01-21 14:22:29.000000000 -0500 +@@ -0,0 +1,17 @@ + -+######################################## -+## -+## All of the rules required to administrate -+## an pyzor environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the pyzor domain. 
-+## -+## -+## -+# -+interface(`pyzor_admin',` -+ gen_require(` -+ type pyzord_t, pyzor_tmp_t, pyzord_log_t; -+ type pyzor_etc_t, pyzor_var_lib_t; -+ type pyzord_initrc_exec_t; -+ ') + -+ allow $1 pyzord_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, pyzord_t) -+ -+ init_labeled_script_domtrans($1, pyzord_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 pyzord_initrc_exec_t system_r; -+ allow $2 system_r; ++/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0) + -+ files_list_tmp($1) -+ admin_pattern($1, pyzor_tmp_t) ++/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0) + -+ logging_list_logs($1) -+ admin_pattern($1, pyzord_log_t) ++/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0) + -+ files_list_etc($1) -+ admin_pattern($1, pyzor_etc_t) ++#/usr/sbin/psadwatchd -- gen_context(system_u:object_r:psadwatchd_exec_t,s0) + -+ files_list_var_lib($1) -+ admin_pattern($1, pyzor_var_lib_t) -+') ++#/usr/sbin/kmsgsd -- gen_context(system_u:object_r:kmsgsd_exec_t,s0) + ++/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.3/policy/modules/services/pyzor.te ---- nsaserefpolicy/policy/modules/services/pyzor.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/pyzor.te 2009-01-19 13:10:02.000000000 -0500 -@@ -6,6 +6,38 @@ - # Declarations - # - ++/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0) + -+ifdef(`distro_redhat',` ++/var/log/psad(/.*)? 
gen_context(system_u:object_r:psad_var_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.6.3/policy/modules/services/psad.if +--- nsaserefpolicy/policy/modules/services/psad.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/psad.if 2009-01-21 14:22:29.000000000 -0500 +@@ -0,0 +1,304 @@ ++## Psad SELinux policy + ++######################################## ++## ++## Execute a domain transition to run psad. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`psad_domtrans',` + gen_require(` -+ type spamc_t; -+ type spamc_exec_t; -+ type spamd_t; -+ type spamd_initrc_exec_t; -+ type spamd_exec_t; -+ type spamc_tmp_t; -+ type spamd_log_t; -+ type spamd_var_lib_t; -+ type spamd_etc_t; -+ type spamc_tmp_t; -+ type spamc_home_t; ++ type psad_t, psad_exec_t; + ') + -+ typealias spamc_t alias pyzor_t; -+ typealias spamc_exec_t alias pyzor_exec_t; -+ typealias spamd_t alias pyzord_t; -+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; -+ typealias spamd_exec_t alias pyzord_exec_t; -+ typealias spamc_tmp_t alias pyzor_tmp_t; -+ typealias spamd_log_t alias pyzor_log_t; -+ typealias spamd_log_t alias pyzord_log_t; -+ typealias spamd_var_lib_t alias pyzor_var_lib_t; -+ typealias spamd_etc_t alias pyzor_etc_t; -+ typealias spamc_home_t alias pyzor_home_t; -+ typealias spamc_home_t alias user_pyzor_home_t; ++ domtrans_pattern($1, psad_exec_t, psad_t) ++') + -+',` ++######################################## ++## ++## Read and write psad UDP sockets. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`psad_rw_udp_sockets',` ++ gen_require(` ++ type psad_t; ++ ') + - type pyzor_t; - type pyzor_exec_t; - typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; -@@ -40,6 +72,7 @@ - - type pyzord_log_t; - logging_log_file(pyzord_log_t) ++ allow $1 psad_t:udp_socket { read write }; +') - - ######################################## - # -@@ -83,6 +116,8 @@ - - miscfiles_read_localization(pyzor_t) - -+mta_read_queue(pyzor_t) -+ - userdom_dontaudit_search_user_home_dirs(pyzor_t) - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.3/policy/modules/services/radvd.te ---- nsaserefpolicy/policy/modules/services/radvd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/radvd.te 2009-01-19 13:10:02.000000000 -0500 -@@ -22,7 +22,7 @@ - # - # Local policy - # --allow radvd_t self:capability { setgid setuid net_raw }; -+allow radvd_t self:capability { setgid setuid net_raw net_admin }; - dontaudit radvd_t self:capability sys_tty_config; - allow radvd_t self:process signal_perms; - allow radvd_t self:unix_dgram_socket create_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.3/policy/modules/services/razor.if ---- nsaserefpolicy/policy/modules/services/razor.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/razor.if 2009-01-19 13:10:02.000000000 -0500 -@@ -157,3 +157,45 @@ - - domtrans_pattern($1, razor_exec_t, razor_t) - ') + +######################################## +## -+## Create, read, write, and delete razor files -+## in a user home subdirectory. ++## Read and write psad packet sockets. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+template(`razor_manage_user_home_files',` -+ gen_require(` -+ type razor_home_t; -+ ') ++interface(`psad_rw_packet_sockets',` ++ gen_require(` ++ type psad_t; ++ ') + -+ files_search_home($1) -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, razor_home_t, razor_home_t) -+ read_lnk_files_pattern($1, razor_home_t, razor_home_t) ++ allow $1 psad_t:packet_socket { read write }; +') + +######################################## +## -+## read razor lib files. ++## Send a generic signal to psad +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`razor_read_lib_files',` -+ gen_require(` -+ type razor_var_lib_t; -+ ') ++interface(`psad_signal',` ++ gen_require(` ++ type psad_t; ++ ') + -+ files_search_var_lib($1) -+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) ++ allow $1 psad_t:process signal; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.3/policy/modules/services/razor.te ---- nsaserefpolicy/policy/modules/services/razor.te 2009-01-19 11:07:32.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/razor.te 2009-01-19 13:10:02.000000000 -0500 -@@ -6,6 +6,32 @@ - # Declarations - # - -+ifdef(`distro_redhat',` -+ -+ gen_require(` ++####################################### ++## ++## Send a null signal to psad. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_signull',` ++ gen_require(` ++ type psad_t; ++ ') ++ ++ allow $1 psad_t:process signull; ++') ++ ++######################################## ++## ++## Read psad etc configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`psad_read_etc',` ++ gen_require(` ++ type psad_etc_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, psad_etc_t, psad_etc_t) ++') ++ ++######################################## ++## ++## Manage psad etc configuration files. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`psad_manage_etc',` ++ gen_require(` ++ type psad_etc_t; ++ ') ++ ++ files_search_etc($1) ++ manage_dirs_pattern($1, psad_etc_t, psad_etc_t) ++ manage_files_pattern($1, psad_etc_t, psad_etc_t) ++ ++') ++ ++######################################## ++## ++## Read psad PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`psad_read_pid_files',` ++ gen_require(` ++ type psad_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, psad_var_run_t, psad_var_run_t) ++') ++ ++######################################## ++## ++## Read psad PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`psad_rw_pid_files',` ++ gen_require(` ++ type psad_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ rw_files_pattern($1, psad_var_run_t, psad_var_run_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to read psad's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++# ++interface(`psad_read_log',` ++ gen_require(` ++ type psad_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) ++ read_files_pattern($1, psad_var_log_t, psad_var_log_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to append to psad's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++# ++interface(`psad_append_log',` ++ gen_require(` ++ type psad_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) ++ append_files_pattern($1, psad_var_log_t, psad_var_log_t) ++') ++ ++######################################## ++## ++## Read and write psad fifo files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`psad_rw_fifo_file',` ++ gen_require(` ++ type psad_t; ++ ') ++ ++ files_search_var_lib($1) ++ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) ++ rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t) ++') ++ ++####################################### ++## ++## Read and write psad tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_rw_tmp_files',` ++ gen_require(` ++ type psad_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ rw_files_pattern($1, psad_tmp_t, psad_tmp_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an psad environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++# ++interface(`psad_admin',` ++ gen_require(` ++ type psad_t, psad_var_run_t, psad_var_log_t; ++ type psad_initrc_exec_t, psad_var_lib_t; ++ type psad_tmp_t; ++ ') ++ ++ allow $1 psad_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, psad_t) ++ ++ init_labeled_script_domtrans($1, psad_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 psad_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_etc($1) ++ admin_pattern($1, psad_etc_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, psad_var_run_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, psad_var_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, psad_var_lib_t) ++ ++ files_search_tmp($1) ++ admin_pattern($1, psad_tmp_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.6.3/policy/modules/services/psad.te +--- nsaserefpolicy/policy/modules/services/psad.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/psad.te 2009-01-21 14:22:29.000000000 -0500 +@@ -0,0 +1,107 @@ ++policy_module(psad,1.0.0) ++ ++######################################## ++# ++# 
Declarations ++# ++type psad_t; ++type psad_exec_t; ++init_daemon_domain(psad_t, psad_exec_t) ++ ++type psad_initrc_exec_t; ++init_script_file(psad_initrc_exec_t) ++ ++# config files ++type psad_etc_t; ++files_config_file(psad_etc_t) ++ ++# var/lib files ++type psad_var_lib_t; ++files_type(psad_var_lib_t) ++ ++# log files ++type psad_var_log_t; ++logging_log_file(psad_var_log_t) ++ ++# pid files ++type psad_var_run_t; ++files_pid_file(psad_var_run_t) ++ ++# tmp files ++type psad_tmp_t; ++files_tmp_file(psad_tmp_t) ++ ++######################################## ++# ++# psad local policy ++# ++ ++allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; ++dontaudit psad_t self:capability { sys_tty_config }; ++allow psad_t self:process signull; ++ ++allow psad_t self:fifo_file rw_fifo_file_perms; ++allow psad_t self:rawip_socket create_socket_perms; ++ ++# config files ++read_files_pattern(psad_t,psad_etc_t,psad_etc_t) ++list_dirs_pattern(psad_t,psad_etc_t,psad_etc_t) ++ ++# pid file ++manage_files_pattern(psad_t, psad_var_run_t,psad_var_run_t) ++manage_sock_files_pattern(psad_t, psad_var_run_t,psad_var_run_t) ++files_pid_filetrans(psad_t,psad_var_run_t, { file sock_file }) ++ ++# log files ++manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t) ++manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) ++logging_log_filetrans(psad_t,psad_var_log_t, { file dir }) ++ ++# tmp files ++manage_dirs_pattern(psad_t,psad_tmp_t,psad_tmp_t) ++manage_files_pattern(psad_t,psad_tmp_t,psad_tmp_t) ++files_tmp_filetrans(psad_t, psad_tmp_t, { file dir }) ++ ++# /var/lib files ++search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) ++manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) ++ ++kernel_read_system_state(psad_t) ++kernel_read_network_state(psad_t) ++#kernel_read_kernel_sysctls(psad_t) ++kernel_read_net_sysctls(psad_t) ++ ++corecmd_exec_shell(psad_t) ++corecmd_exec_bin(psad_t) ++ ++auth_use_nsswitch(psad_t) ++ 
++corenet_tcp_connect_whois_port(psad_t) ++ ++dev_read_urand(psad_t) ++ ++files_read_etc_runtime_files(psad_t) ++ ++fs_getattr_all_fs(psad_t) ++ ++libs_use_ld_so(psad_t) ++libs_use_shared_libs(psad_t) ++ ++miscfiles_read_localization(psad_t) ++ ++logging_read_generic_logs(psad_t) ++logging_read_syslog_config(psad_t) ++logging_send_syslog_msg(psad_t) ++ ++#sysnet_domtrans_ifconfig(psad_t) ++sysnet_exec_ifconfig(psad_t) ++iptables_domtrans(psad_t) ++ ++optional_policy(` ++ mta_send_mail(psad_t) ++ mta_read_queue(psad_t) ++') ++ ++permissive psad_t; ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.3/policy/modules/services/pyzor.fc +--- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/pyzor.fc 2009-01-19 13:10:02.000000000 -0500 +@@ -1,6 +1,8 @@ + /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) ++/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) + + HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) ++HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) + + /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) + /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.3/policy/modules/services/pyzor.if +--- nsaserefpolicy/policy/modules/services/pyzor.if 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/pyzor.if 2009-01-19 13:10:02.000000000 -0500 +@@ -88,3 +88,50 @@ + corecmd_search_bin($1) + can_exec($1, pyzor_exec_t) + ') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pyzor environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++## ++## The role to be allowed to manage the pyzor domain. ++## ++## ++## ++# ++interface(`pyzor_admin',` ++ gen_require(` ++ type pyzord_t, pyzor_tmp_t, pyzord_log_t; ++ type pyzor_etc_t, pyzor_var_lib_t; ++ type pyzord_initrc_exec_t; ++ ') ++ ++ allow $1 pyzord_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, pyzord_t) ++ ++ init_labeled_script_domtrans($1, pyzord_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 pyzord_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_tmp($1) ++ admin_pattern($1, pyzor_tmp_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, pyzord_log_t) ++ ++ files_list_etc($1) ++ admin_pattern($1, pyzor_etc_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, pyzor_var_lib_t) ++') ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.3/policy/modules/services/pyzor.te +--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/pyzor.te 2009-01-19 13:10:02.000000000 -0500 +@@ -6,6 +6,38 @@ + # Declarations + # + ++ ++ifdef(`distro_redhat',` ++ ++ gen_require(` ++ type spamc_t; ++ type spamc_exec_t; ++ type spamd_t; ++ type spamd_initrc_exec_t; ++ type spamd_exec_t; ++ type spamc_tmp_t; ++ type spamd_log_t; ++ type spamd_var_lib_t; ++ type spamd_etc_t; ++ type spamc_tmp_t; ++ type spamc_home_t; ++ ') ++ ++ typealias spamc_t alias pyzor_t; ++ typealias spamc_exec_t alias pyzor_exec_t; ++ typealias spamd_t alias pyzord_t; ++ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; ++ typealias spamd_exec_t alias pyzord_exec_t; ++ typealias spamc_tmp_t alias pyzor_tmp_t; ++ typealias spamd_log_t alias pyzor_log_t; ++ typealias spamd_log_t alias pyzord_log_t; ++ typealias spamd_var_lib_t alias pyzor_var_lib_t; ++ typealias spamd_etc_t alias pyzor_etc_t; ++ typealias spamc_home_t alias pyzor_home_t; ++ typealias spamc_home_t alias 
user_pyzor_home_t; ++ ++',` ++ + type pyzor_t; + type pyzor_exec_t; + typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; +@@ -40,6 +72,7 @@ + + type pyzord_log_t; + logging_log_file(pyzord_log_t) ++') + + ######################################## + # +@@ -83,6 +116,8 @@ + + miscfiles_read_localization(pyzor_t) + ++mta_read_queue(pyzor_t) ++ + userdom_dontaudit_search_user_home_dirs(pyzor_t) + + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.3/policy/modules/services/radvd.te +--- nsaserefpolicy/policy/modules/services/radvd.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/radvd.te 2009-01-19 13:10:02.000000000 -0500 +@@ -22,7 +22,7 @@ + # + # Local policy + # +-allow radvd_t self:capability { setgid setuid net_raw }; ++allow radvd_t self:capability { setgid setuid net_raw net_admin }; + dontaudit radvd_t self:capability sys_tty_config; + allow radvd_t self:process signal_perms; + allow radvd_t self:unix_dgram_socket create_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.3/policy/modules/services/razor.if +--- nsaserefpolicy/policy/modules/services/razor.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/razor.if 2009-01-19 13:10:02.000000000 -0500 +@@ -157,3 +157,45 @@ + + domtrans_pattern($1, razor_exec_t, razor_t) + ') ++ ++######################################## ++## ++## Create, read, write, and delete razor files ++## in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++template(`razor_manage_user_home_files',` ++ gen_require(` ++ type razor_home_t; ++ ') ++ ++ files_search_home($1) ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, razor_home_t, razor_home_t) ++ read_lnk_files_pattern($1, razor_home_t, razor_home_t) ++') ++ ++######################################## ++## ++## read razor lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`razor_read_lib_files',` ++ gen_require(` ++ type razor_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.3/policy/modules/services/razor.te +--- nsaserefpolicy/policy/modules/services/razor.te 2009-01-19 11:07:32.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/razor.te 2009-01-19 13:10:02.000000000 -0500 +@@ -6,6 +6,32 @@ + # Declarations + # + ++ifdef(`distro_redhat',` ++ ++ gen_require(` + type spamc_t; + type spamc_exec_t; + type spamd_log_t; @@ -21365,7 +21808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.3/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/virt.te 2009-01-20 14:57:03.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/virt.te 2009-01-21 13:00:55.000000000 -0500 @@ -53,7 +53,7 @@ # virtd local policy # 
@@ -21384,7 +21827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t) -@@ -110,6 +110,7 @@ +@@ -110,11 +110,13 @@ files_read_usr_files(virtd_t) files_read_etc_files(virtd_t) @@ -21392,16 +21835,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_runtime_files(virtd_t) files_search_all(virtd_t) files_list_kernel_modules(virtd_t) -@@ -129,6 +130,8 @@ + + fs_list_auto_mountpoints(virtd_t) ++fs_getattr_xattr_fs(virtd_t) + + storage_raw_write_removable_device(virtd_t) + storage_raw_read_removable_device(virtd_t) +@@ -129,7 +131,10 @@ logging_send_syslog_msg(virtd_t) +sysnet_domtrans_ifconfig(virtd_t) + userdom_read_all_users_state(virtd_t) ++userdom_dontaudit_list_admin_dir(virtd_t) tunable_policy(`virt_use_nfs',` -@@ -173,16 +176,17 @@ + fs_manage_nfs_dirs(virtd_t) +@@ -173,16 +178,17 @@ iptables_domtrans(virtd_t) ') @@ -21447,8 +21898,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.3/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/xserver.fc 2009-01-19 13:10:02.000000000 -0500 -@@ -3,11 +3,14 @@ ++++ serefpolicy-3.6.3/policy/modules/services/xserver.fc 2009-01-21 12:59:03.000000000 -0500 +@@ -3,12 +3,16 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) 
@@ -21461,9 +21912,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.dmrc -- gen_context(system_u:object_r:xdm_home_t,s0) ++/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) # # /dev -@@ -32,11 +35,6 @@ + # +@@ -32,11 +36,6 @@ /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -21475,7 +21928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /opt # -@@ -61,6 +59,7 @@ +@@ -61,6 +60,7 @@ /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) @@ -21483,7 +21936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -89,16 +88,26 @@ +@@ -89,16 +89,26 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) 
@@ -21514,8 +21967,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.3/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/xserver.if 2009-01-21 11:14:55.000000000 -0500 -@@ -116,6 +116,7 @@ ++++ serefpolicy-3.6.3/policy/modules/services/xserver.if 2009-01-21 15:37:51.000000000 -0500 +@@ -90,7 +90,8 @@ + allow $2 xauth_home_t:file manage_file_perms; + allow $2 xauth_home_t:file { relabelfrom relabelto }; + +- xserver_common_x_domain_template(user, $2) ++ xserver_common_app($2) ++ xserver_use_xdm($2) + + ############################## + # +@@ -116,6 +117,7 @@ # setattr: gnome-settings-daemon X11:GrabKey # manage: metacity X11:ChangeWindowAttributes allow $2 rootwindow_t:x_drawable { read write manage setattr }; @@ -21523,7 +21986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # setattr: metacity X11:InstallColormap allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr }; -@@ -156,7 +157,7 @@ +@@ -156,7 +158,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -21532,7 +21995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Client read xserver shm allow $1 xserver_t:fd use; -@@ -219,12 +220,12 @@ +@@ -219,12 +221,12 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file 
@@ -21548,7 +22011,57 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -397,11 +398,12 @@ +@@ -278,7 +280,6 @@ + type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; + type xevent_t, client_xevent_t; + +- attribute x_domain; + attribute xproperty_type; + attribute xevent_type; + attribute input_xevent_type; +@@ -287,6 +288,8 @@ + class x_property all_x_property_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; ++ class x_selection all_x_selection_perms; ++ type xselection_t; + ') + + ############################## +@@ -294,20 +297,11 @@ + # Local Policy + # + +- # Type attributes +- typeattribute $2 x_domain; +- + # X Properties + # can read and write client properties + allow $2 $1_xproperty_t:x_property { create destroy read write append }; + type_transition $2 xproperty_t:x_property $1_xproperty_t; + +- # X Windows +- # new windows have the domain type +- type_transition $2 rootwindow_t:x_drawable $2; +- +- # X Input +- # can receive own events + allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; + allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive; + allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive; +@@ -320,8 +315,10 @@ + type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t; + type_transition $2 client_xevent_t:x_event $1_client_xevent_t; + type_transition $2 xevent_t:x_event $1_default_xevent_t; +- # can send ICCCM events to myself ++ + allow $2 $1_manage_xevent_t:x_synthetic_event send; ++ ++ xserver_common_app($2) + ') + + ####################################### +@@ -397,11 +394,12 @@ gen_require(` type xdm_t, xdm_tmp_t; type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; 
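Review bot: The gen_require of xserver_common_x_domain_template gains `class x_selection all_x_selection_perms;` and `type xselection_t;`, yet no rule remaining in the template body references either; the only x_selection rule in this change lives in xserver_common_app, which carries its own gen_require. Unless the short context stretch between the two inner hunks (not shown here) uses them, the two added lines should be dropped so the require list matches what the template actually uses. The removal of `attribute x_domain;` in the same hunk is consistent with moving the `typeattribute` into xserver_common_app, so only the two additions are in question.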
@@ -21564,7 +22077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Read .Xauthority file allow $2 xauth_home_t:file read_file_perms; -@@ -409,7 +411,7 @@ +@@ -409,7 +407,7 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; @@ -21573,7 +22086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $2 xdm_tmp_t:dir search_dir_perms; allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; -@@ -437,6 +439,10 @@ +@@ -437,6 +435,10 @@ allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') @@ -21584,7 +22097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -639,7 +645,7 @@ +@@ -639,7 +641,7 @@ type xdm_t; ') @@ -21593,7 +22106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -738,6 +744,7 @@ +@@ -738,6 +740,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -21601,7 +22114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -756,7 +763,26 @@ +@@ -756,7 +759,26 @@ ') files_search_pids($1) @@ -21629,7 +22142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -779,6 +805,31 @@ +@@ -779,6 +801,31 @@ ######################################## ## @@ -21661,7 +22174,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1018,10 +1069,11 @@ +@@ -1018,10 +1065,11 @@ # interface(`xserver_domtrans',` gen_require(` 
@@ -21674,7 +22187,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1159,6 +1211,272 @@ +@@ -1159,6 +1207,275 @@ ######################################## ## @@ -21829,6 +22342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`xserver_use_xdm',` + gen_require(` + type xdm_t, xdm_tmp_t; ++ type xdm_xproperty_t; + class x_client all_x_client_perms; + class x_drawable all_x_drawable_perms; + class x_property all_x_property_perms; @@ -21846,6 +22360,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 xdm_t:x_client { getattr destroy }; + allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child }; ++ allow $1 xdm_xproperty_t:x_property { write read }; ++ +') + +######################################## 
@@ -21947,9 +22463,109 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. +@@ -1172,7 +1489,99 @@ + interface(`xserver_unconfined',` + gen_require(` + attribute xserver_unconfined_type; ++ attribute x_domain; + ') + + typeattribute $1 xserver_unconfined_type; ++ typeattribute $1 x_domain; ++') ++ ++######################################## ++## ++## Rules required for using the X Windows server ++## and environment. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_communicate',` ++ gen_require(` ++ type xdm_t, xdm_tmp_t; ++ class x_client all_x_client_perms; ++ class x_drawable all_x_drawable_perms; ++ class x_property all_x_property_perms; ++ class x_resource all_x_resource_perms; + ') ++ ++ allow $1 $2:x_drawable all_x_drawable_perms; ++ allow $1 $2:x_resource all_x_resource_perms; ++') ++ ++####################################### ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Provides the minimal set required by a basic ++## X client application. ++## ++## ++## ++## Client domain allowed access. 
++## ++## ++# ++interface(`xserver_common_app',` ++ ++ gen_require(` ++ attribute x_domain; ++ attribute xevent_type; ++ type xselection_t, rootwindow_t; ++ type user_xproperty_t, xproperty_t; ++ class x_property all_x_property_perms; ++ ') ++ ++ # Type attributes ++ typeattribute $1 x_domain; ++ ++ allow $1 xselection_t:x_selection setattr; ++ allow $1 user_xproperty_t:x_property { write read }; ++ allow $1 xproperty_t:x_property all_x_property_perms; ++ ++ # X Windows ++ # new windows have the domain type ++ type_transition $1 rootwindow_t:x_drawable $1; ++ ++ # X Input ++ # can receive own events ++ allow $1 xevent_type:{ x_event x_synthetic_event } { receive send }; ++ xserver_communicate($1, $1) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## xdm over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_xdm_dbus_chat',` ++ gen_require(` ++ type xdm_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 xdm_t:dbus send_msg; ++ allow xdm_t $1:dbus send_msg; ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-21 11:00:16.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-21 14:02:11.000000000 -0500 @@ -34,6 +34,13 @@ ## 
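Review bot: `xserver_common_app` grants `allow $1 xevent_type:{ x_event x_synthetic_event } { receive send };`, which lets every domain given this interface send synthetic events of any type — input events included, since input_xevent_type is part of xevent_type — to any client, whereas the rules visible in the xserver_common_x_domain_template hunks only allow `receive` on the domain's own `$1_input_xevent_t`/`$1_property_xevent_t`/... types and `send` on its own `$1_manage_xevent_t`. Together with `allow $1 xproperty_t:x_property all_x_property_perms;` this undoes the per-domain X client separation the derived types exist for; if the widening is deliberate, a comment naming the application that needs it belongs above the rule, otherwise `send` should stay restricted to the domain's own event types. Separately, `xserver_communicate` requires `xdm_t`, `xdm_tmp_t`, `class x_client` and `class x_property` but its body only touches x_drawable and x_resource, and its second `<param>` description repeats "Domain allowed access." where it should describe the target X client domain.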
@@ -22084,13 +22700,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -256,13 +275,13 @@ +@@ -250,19 +269,21 @@ + # Xauth local policy + # + ++allow xauth_t self:capability dac_override; + allow xauth_t self:process signal; + allow xauth_t self:unix_stream_socket create_stream_socket_perms; + allow xauth_t xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) - ++userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file) ++ +manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) +manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) -+ + manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) @@ -22101,7 +22725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(xauth_t) files_read_etc_files(xauth_t) -@@ -300,13 +319,14 @@ +@@ -300,13 +321,14 @@ # XDM Local policy # @@ -22119,7 +22743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t self:tcp_socket create_stream_socket_perms; allow xdm_t self:udp_socket create_socket_perms; allow xdm_t self:socket create_socket_perms; -@@ -314,6 +334,11 @@ +@@ -314,6 +336,11 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; @@ -22131,7 +22755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -329,6 +354,8 @@ +@@ -329,6 +356,8 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) 
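Review bot: `allow xauth_t self:capability dac_override;` is added without a comment saying which operation needs it; dac_override lets xauth_t bypass the permission bits on every file its type rules already permit, so a later reader cannot tell whether the intended case is, presumably, xauth writing `xauth_home_t` under the admin home via the new `userdom_admin_home_dir_filetrans` line, or something else. A one-line why-comment such as `# dac_override: <operation that fails without it> — TODO confirm` (placeholder, the consumer is not visible in this hunk) would make the grant reviewable. If the denial is merely noise from a probe that succeeds anyway, `dontaudit xauth_t self:capability dac_override;` is the lower-privilege alternative and worth checking first.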
@@ -22140,7 +22764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -@@ -336,15 +363,30 @@ +@@ -336,15 +365,30 @@ manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -22173,7 +22797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +400,7 @@ +@@ -358,6 +402,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -22181,7 +22805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t) -@@ -389,11 +432,13 @@ +@@ -389,11 +434,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -22195,7 +22819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +446,7 @@ +@@ -401,6 +448,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -22203,7 +22827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +459,17 @@ +@@ -413,14 +461,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) 
@@ -22223,7 +22847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +480,13 @@ +@@ -431,9 +482,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -22237,7 +22861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +495,7 @@ +@@ -442,6 +497,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -22245,7 +22869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +504,7 @@ +@@ -450,6 +506,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -22253,7 +22877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +515,10 @@ +@@ -460,10 +517,10 @@ logging_read_generic_logs(xdm_t) @@ -22266,7 +22890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -504,10 +559,12 @@ +@@ -504,10 +561,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -22279,7 +22903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +572,41 @@ +@@ -515,12 +574,41 @@ ') optional_policy(` @@ -22321,7 +22945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +628,19 @@ +@@ -542,6 +630,19 @@ ') optional_policy(` 
@@ -22341,7 +22965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +649,8 @@ +@@ -550,8 +651,8 @@ ') optional_policy(` @@ -22351,7 +22975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -571,6 +670,10 @@ +@@ -571,6 +672,10 @@ ') optional_policy(` @@ -22362,7 +22986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,7 +690,7 @@ +@@ -587,7 +692,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -22371,7 +22995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:memprotect mmap_zero; -@@ -602,6 +705,7 @@ +@@ -602,6 +707,7 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -22379,7 +23003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Device rules allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; -@@ -635,6 +739,15 @@ +@@ -635,6 +741,15 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -22395,7 +23019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t,file) -@@ -680,9 +793,13 @@ +@@ -680,9 +795,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -22406,18 +23030,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +domain_mmap_low_type(xserver_t) domain_mmap_low(xserver_t) +domain_dontaudit_read_all_domains_state(xserver_t) ++domain_signal_all_domains(xserver_t) files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,6 +814,7 @@ +@@ -697,8 +817,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) +fs_list_inotifyfs(xdm_t) ++fs_rw_tmpfs_files(xserver_t) mls_xwin_read_to_clearance(xserver_t) ++mls_process_write_to_clearance(xserver_t) ++mls_file_write_to_clearance(xserver_t) -@@ -720,6 +838,7 @@ + selinux_validate_context(xserver_t) + selinux_compute_access_vector(xserver_t) +@@ -720,6 +844,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -22425,7 +23055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -774,6 +893,10 @@ +@@ -774,6 +899,10 @@ ') optional_policy(` @@ -22436,7 +23066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) ') -@@ -806,7 +929,7 @@ +@@ -806,7 +935,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; 
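Review bot: `domain_signal_all_domains(xserver_t)` lets the X server signal every domain on the system, and it lands together with `mls_process_write_to_clearance(xserver_t)` and `mls_file_write_to_clearance(xserver_t)` with no comment on which client, driver or MLS flow requires them; a why-comment on each, e.g. `# <consumer> expects SIGUSR1 from Xorg — TODO confirm` (placeholder, the consumer is not visible here), would let the grants be re-checked later. If the signal is only needed toward a known set of domains, a targeted allow on those domains is preferable to the all-domains interface. Unrelated to this change but visible in the context: `fs_list_inotifyfs(xdm_t)` sits among xserver_t rules, so the intended domain is worth confirming.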
@@ -22445,7 +23075,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -830,6 +953,10 @@ +@@ -830,6 +959,10 @@ xserver_use_user_fonts(xserver_t) @@ -22456,7 +23086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +971,14 @@ +@@ -844,11 +977,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -22472,7 +23102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +986,11 @@ +@@ -856,6 +992,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -22484,7 +23114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -972,6 +1107,37 @@ +@@ -972,6 +1113,37 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -22522,7 +23152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` tunable_policy(`allow_polyinstantiation',` # xdm needs access for linking .X11-unix to poly /tmp -@@ -986,3 +1152,13 @@ +@@ -986,3 +1158,13 @@ # allow xdm_t user_home_type:file unlink; ') dnl end TODO 
@@ -24415,7 +25045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.3/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.3/policy/modules/system/miscfiles.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/miscfiles.if 2009-01-21 13:05:22.000000000 -0500 @@ -23,6 +23,45 @@ ######################################## @@ -26720,7 +27350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-20 16:18:13.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-21 15:37:07.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -27049,7 +27679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -420,34 +432,39 @@ +@@ -420,34 +432,41 @@ ## is the prefix for user_t). ## ## @@ -27103,11 +27733,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_manage_xdm_tmp_files($1_t) + xserver_manage_xdm_tmp_files($1) + xserver_stream_connect($1) ++ xserver_xdm_dbus_chat($1) + ') ++ ') ####################################### -@@ -497,11 +514,7 @@ +@@ -497,11 +516,7 @@ attribute unpriv_userdomain; ') 
@@ -27120,7 +27752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -512,189 +525,198 @@ +@@ -512,189 +527,198 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -27361,16 +27993,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) + postgresql_stream_connect($1_usertype) -+ ') ') -+ -+ optional_policy(` -+ # to allow monitoring of pcmcia status -+ pcmcia_read_pid($1_usertype) ') optional_policy(` - resmgr_stream_connect($1_t) ++ # to allow monitoring of pcmcia status ++ pcmcia_read_pid($1_usertype) ++ ') ++ ++ optional_policy(` + pcscd_read_pub_files($1_usertype) + pcscd_stream_connect($1_usertype) ') @@ -27400,22 +28032,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -722,15 +744,29 @@ +@@ -722,15 +746,29 @@ userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_change_password_template($1) ++ ++ userdom_manage_home_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ userdom_manage_home_role($1_r, $1_usertype) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) -+ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + 
@@ -27436,7 +28068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -746,70 +782,72 @@ +@@ -746,70 +784,72 @@ allow $1_t self:context contains; @@ -27542,7 +28174,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +884,28 @@ +@@ -846,6 +886,28 @@ # Local policy # @@ -27571,7 +28203,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -876,7 +936,7 @@ +@@ -876,7 +938,7 @@ userdom_restricted_user_template($1) @@ -27580,17 +28212,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -884,14 +944,18 @@ +@@ -884,14 +946,19 @@ # auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) ++ ++ xserver_role($1_r, $1_t) ++ xserver_communicate($1_usertype, $1_usertype) - dev_read_sound($1_t) - dev_write_sound($1_t) -+ xserver_role($1_r, $1_t) -+ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -27604,7 +28237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +963,24 @@ +@@ -899,28 +966,28 @@ selinux_get_enforce_mode($1_t) optional_policy(` 
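Review bot: `xserver_communicate($1_usertype, $1_usertype)`, added in the inner hunk `@@ -884,14 +946,19 @@` to the template that calls `userdom_restricted_user_template($1)`, carries no comment explaining what it is for. Because `$1_usertype` is an attribute rather than a single type, this presumably lets every domain carrying that attribute talk to every other through the X server, which is broader than the `xserver_role($1_r, $1_t)` line it sits next to. A why-comment such as `# all of this user's X clients may share the X session` (or a narrower pair of arguments if only specific domains need it) would document the intent. The template name and the rest of its body lie outside the hunk.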
@@ -27615,31 +28248,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) -- -- optional_policy(` -- consolekit_dbus_chat($1_t) + apache_role($1_r, $1_usertype) ++ ') + + optional_policy(` +- consolekit_dbus_chat($1_t) ++ gnome_manage_config($1_usertype) ++ gnome_manage_gconf_home_files($1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) - ') -+ gnome_manage_config($1_usertype) -+ gnome_manage_gconf_home_files($1_usertype) ++ openoffice_role_template($1, $1_r, $1_usertype) ') optional_policy(` - java_role($1_r, $1_t) -+ openoffice_role_template($1, $1_r, $1_usertype) ++ polkit_role($1_r, $1_usertype) ') optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) -+ polkit_role($1_r, $1_usertype) ++ wm_role_template($1, $1_r, $1_usertype) ') ') -@@ -931,8 +991,7 @@ +@@ -931,8 +998,7 @@ ## ## ##

@@ -27649,7 +28284,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -954,8 +1013,8 @@ +@@ -954,8 +1020,8 @@ # Declarations # @@ -27659,7 +28294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1023,10 @@ +@@ -964,11 +1030,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -27669,10 +28304,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_xserver_port($1_t) - files_exec_usr_files($1_t) ++ storage_rw_fuse($1_t) ++ # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1044,47 @@ +@@ -986,37 +1053,47 @@ ') ') @@ -27723,17 +28360,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + mount_run($1_t, $1_r) - ') ++ ') + + # Run pppd in pppd_t by default for user + optional_policy(` + ppp_run_cond($1_t, $1_r) -+ ') + ') + ') ####################################### -@@ -1050,7 +1118,7 @@ +@@ -1050,7 +1127,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -27742,7 +28379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1127,7 @@ +@@ -1059,8 +1136,7 @@ # # Inherit rules for ordinary users. @@ -27752,7 +28389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1150,8 @@ +@@ -1083,7 +1159,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -27762,7 +28399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1099,6 +1167,7 @@ +@@ -1099,6 +1176,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
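Review bot: `storage_rw_fuse($1_t)`, added in the inner hunk `@@ -964,11 +1030,12 @@` right after `userdom_common_user_template($1)`, has no comment, and it lands a couple of lines above the pre-existing `# cjp: why?` that already marks an unexplained grant in the same block. If the intent is to let unprivileged users use FUSE filesystems, say so: `# users may use FUSE filesystems (e.g. sshfs, gvfs)`; if a tunable is expected for this (the nearby `gen_tunable(allow_$1_exec_content, true)` shows the pattern), gating it the same way would keep the default user domain narrow. The enclosing template's body continues outside the hunk.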
@@ -27770,7 +28407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,8 +1175,6 @@ +@@ -1106,8 +1184,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -27779,7 +28416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1229,6 @@ +@@ -1162,20 +1238,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -27800,7 +28437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1274,7 @@ +@@ -1221,6 +1283,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -27808,7 +28445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1340,15 @@ +@@ -1286,11 +1349,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -27824,7 +28461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1445,7 @@ +@@ -1387,7 +1454,7 @@ ######################################## ##

@@ -27833,7 +28470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1478,14 @@ +@@ -1420,6 +1487,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -27848,7 +28485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1501,11 @@ +@@ -1435,9 +1510,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -27860,7 +28497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1562,25 @@ +@@ -1494,6 +1571,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -27886,7 +28523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1547,9 +1634,9 @@ +@@ -1547,9 +1643,9 @@ type user_home_dir_t, user_home_t; ') @@ -27898,7 +28535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1568,6 +1655,8 @@ +@@ -1568,6 +1664,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -27907,7 +28544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1732,7 @@ +@@ -1643,6 +1741,7 @@ type user_home_dir_t, user_home_t; ') @@ -27915,7 +28552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,6 +1831,62 @@ +@@ -1741,6 +1840,62 @@ ######################################## ## 
@@ -27978,7 +28615,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute user home files. ## ## -@@ -1757,14 +1903,6 @@ +@@ -1757,14 +1912,6 @@ files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) @@ -27993,7 +28630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1925,46 @@ +@@ -1787,6 +1934,46 @@ ######################################## ## @@ -28040,7 +28677,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -2819,6 +2997,24 @@ +@@ -1921,6 +2108,36 @@ + + ######################################## + ## ++## Create objects in the /root directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`userdom_admin_home_dir_filetrans',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ filetrans_pattern($1, admin_home_t, $2, $3) ++') ++ ++######################################## ++## + ## Create objects in a user home directory + ## with an automatic type transition to + ## a specified private type. +@@ -2819,6 +3036,24 @@ ######################################## ## @@ -28065,7 +28739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to use user ttys. ## ## -@@ -2851,6 +3047,7 @@ +@@ -2851,6 +3086,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -28073,7 +28747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2965,6 +3162,24 @@ +@@ -2965,6 +3201,24 @@ ######################################## ## 
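Review bot: The new `userdom_admin_home_dir_filetrans` interface in the inner hunk `@@ -1921,6 +2108,36 @@` documents itself as acting on "the /root directory" while the type it requires is `admin_home_t`; naming the type in the summary, `## Create objects in the admin home directory (admin_home_t, normally /root)`, keeps the doc accurate if the path labelling changes. Its body appears to mirror the user-home filetrans interface whose summary follows it, and like that one it grants only the `filetrans_pattern` itself, so callers presumably still need search access to the parent directories; one sentence in the description saying whether the caller must add that would save a denial-chase. The rest of this hunk only renumbers the following `@@ -2819` inner hunk.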
@@ -28098,7 +28772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -2981,3 +3196,264 @@ +@@ -2981,3 +3235,264 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index ad3b6a3..b9945c5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.3 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -445,6 +445,9 @@ exit 0 %endif %changelog +* Wed Jan 21 2009 Dan Walsh 3.6.3-4 +- Add wm policy + * Tue Jan 20 2009 Dan Walsh 3.6.3-3 - Fixed for DeviceKit