diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
index 3bd8c13..5dd72f7 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -1,5 +1,5 @@
-policy_module(apm, 1.9.1)
+policy_module(apm, 1.9.2)
 ########################################
 #
@@ -123,6 +123,7 @@ libs_exec_ld_so(apmd_t)
 libs_exec_lib_files(apmd_t)
 logging_send_syslog_msg(apmd_t)
+logging_send_audit_msgs(apmd_t)
 miscfiles_read_localization(apmd_t)
 miscfiles_read_hwdata(apmd_t)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index e8a50c0..46e4cd8 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -1,5 +1,5 @@
-policy_module(audioentropy, 1.5.0)
+policy_module(audioentropy, 1.5.1)
 ########################################
 #
@@ -40,6 +40,9 @@ dev_read_sound(entropyd_t)
 # and sample rate.
 dev_write_sound(entropyd_t)
+files_read_etc_files(entropyd_t)
+files_read_usr_files(entropyd_t)
+
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
@@ -53,6 +56,11 @@ userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
 userdom_dontaudit_search_user_home_dirs(entropyd_t)
 optional_policy(`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(entropyd_t)
 ')
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
index 95e1cd4..10611a0 100644
--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
@@ -1,5 +1,5 @@
-policy_module(bitlbee, 1.1.1)
+policy_module(bitlbee, 1.1.2)
 ########################################
 #
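Review bot: In apm.te (hunk at line 123), `logging_send_audit_msgs(apmd_t)` is added with no comment naming what in apmd_t writes audit records. Generating audit messages is a privileged operation that most daemons never need, so the justification belongs next to the rule, for example `# <program run in apmd_t> logs to the audit subsystem` with the actual program filled in. If the messages come from a helper that apmd executes rather than from apmd itself (the hunk does not show which), running that helper in its own domain would keep the audit-write permission out of apmd_t.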
@@ -46,6 +46,8 @@ files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
 manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
 files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+kernel_read_system_state(bitlbee_t)
+
 corenet_all_recvfrom_unlabeled(bitlbee_t)
 corenet_udp_sendrecv_generic_if(bitlbee_t)
 corenet_udp_sendrecv_generic_node(bitlbee_t)
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index 9c1c7cf..c358cd7 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -134,6 +134,7 @@ interface(`lpd_manage_spool',`
 files_search_spool($1)
 manage_dirs_pattern($1, print_spool_t, print_spool_t)
 manage_files_pattern($1, print_spool_t, print_spool_t)
+ manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
 ')
 ########################################
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 8604239..9c6b9ce 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
-policy_module(lpd, 1.11.2)
+policy_module(lpd, 1.11.3)
 ########################################
 #
diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te
index 347387b..7e1cf86 100644
--- a/policy/modules/services/portreserve.te
+++ b/policy/modules/services/portreserve.te
@@ -1,5 +1,5 @@
-policy_module(portreserve, 1.0.0)
+policy_module(portreserve, 1.0.1)
 ########################################
 #
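Review bot: In lpd.if, the new `manage_lnk_files_pattern($1, print_spool_t, print_spool_t)` line widens `lpd_manage_spool` for every domain that calls the interface, not only the one that prompted the change. Symbolic links in a spool directory written by several domains deserve care, because a more privileged reader that follows a link created by another caller can end up operating on a file it never meant to touch. The interface header and its `##` documentation start outside this hunk; the summary there should be updated to say that symlinks are now covered. If only one caller needs link management, a dedicated interface or a rule in that caller's .te file would keep the grant narrower.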
@@ -37,9 +37,11 @@ manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t
 manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
 files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file })
+corenet_all_recvfrom_unlabeled(portreserve_t)
+corenet_all_recvfrom_netlabel(portreserve_t)
 corenet_tcp_bind_generic_node(portreserve_t)
 corenet_udp_bind_generic_node(portreserve_t)
-corenet_tcp_bind_all_reserved_ports(portreserve_t)
-corenet_udp_bind_all_reserved_ports(portreserve_t)
+corenet_tcp_bind_all_ports(portreserve_t)
+corenet_udp_bind_all_ports(portreserve_t)
 files_read_etc_files(portreserve_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 9660faa..d95879a 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -1,11 +1,19 @@
-policy_module(privoxy, 1.8.2)
+policy_module(privoxy, 1.8.3)
 ########################################
 #
 # Declarations
 #
+##
+##
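Review bot: In portreserve.te (hunk at line 37), swapping `corenet_tcp_bind_all_reserved_ports` and `corenet_udp_bind_all_reserved_ports` for the `_all_ports` variants removes the port-range limit on what portreserve_t may bind, and the hunk gives no reason. After this change the policy no longer stops a misbehaving or compromised portreserve from occupying the port of any other service. If the widening is needed because the configuration may list ports outside the reserved range (an assumption; nothing visible here confirms it), record that above the two rules, e.g. `# portreserve holds whatever ports its config names, not only reserved ones`.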

+## Allow privoxy to connect to all ports, not just
+## HTTP, FTP, and Gopher ports.
+##

+##
+gen_tunable(privoxy_connect_any, false)
+
 type privoxy_t; # web_client_domain
 type privoxy_exec_t;
 init_daemon_domain(privoxy_t, privoxy_exec_t)
@@ -70,23 +78,20 @@ domain_use_interactive_fds(privoxy_t)
 files_read_etc_files(privoxy_t)
+auth_use_nsswitch(privoxy_t)
+
 logging_send_syslog_msg(privoxy_t)
 miscfiles_read_localization(privoxy_t)
-sysnet_dns_name_resolve(privoxy_t)
-
 userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
 userdom_dontaudit_search_user_home_dirs(privoxy_t)
 # cjp: this should really not be needed
 userdom_use_user_terminals(privoxy_t)
-optional_policy(`
- nis_use_ypbind(privoxy_t)
-')
-
-optional_policy(`
- nscd_socket_use(privoxy_t)
+tunable_policy(`privoxy_connect_any',`
+ corenet_tcp_connect_all_ports(privoxy_t)
+ corenet_sendrecv_all_client_packets(privoxy_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 4d47b0a..703c8d9 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
-policy_module(sasl, 1.11.2)
+policy_module(sasl, 1.11.3)
 ########################################
 #
@@ -99,6 +99,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
 optional_policy(`
 kerberos_keytab_template(saslauthd, saslauthd_t)
+ kerberos_manage_host_rcache(saslauthd_t)
 ')
 optional_policy(`
@@ -107,6 +108,10 @@ optional_policy(`
 ')
 optional_policy(`
+ nis_authenticate(saslauthd_t)
+')
+
+optional_policy(`
 seutil_sigchld_newrole(saslauthd_t)
 ')
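Review bot: In privoxy.te (hunk at line 70), `auth_use_nsswitch(privoxy_t)` replaces `sysnet_dns_name_resolve`, `nis_use_ypbind` and `nscd_socket_use` unconditionally, with no comment saying which lookups privoxy needs beyond DNS. As far as I know the interface covers every name-service backend that nsswitch can be configured with, so it is probably a superset of the three removed rules. If privoxy only resolves host names, keeping `sysnet_dns_name_resolve(privoxy_t)` is the narrower grant; otherwise add a line such as `# privoxy resolves users/groups as well as hosts via nsswitch` above the rule. The same hunk's `tunable_policy` block is off by default, so it is the lesser concern here.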