+##
## Allow rsync to modify public files
## used for public file transfer services.
##
@@ -58,6 +65,8 @@ files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
files_pid_filetrans(rsync_t,rsync_var_run_t,file)
+auth_use_nsswitch(rsync_t)
+
kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
@@ -90,8 +99,6 @@ logging_dontaudit_search_logs(rsync_t)
miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)
-sysnet_read_config(rsync_t)
-
tunable_policy(`allow_rsync_anon_write',`
miscfiles_manage_public_files(rsync_t)
')
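Review bot: Dropping `sysnet_read_config(rsync_t)` is only safe if the `auth_use_nsswitch(rsync_t)` call added in the previous hunk transitively grants the same network-config reads (resolv.conf, nsswitch.conf, hosts); that interface body is not in this diff, so it is presumed rather than shown. If it does not, an rsync daemon doing hostname lookups for `hosts allow`/`hosts deny` would now be denied, which fails closed but silently. A one-line comment next to the `auth_use_nsswitch` call, `# covers nss, nscd, ypbind and sysnet config reads`, would record why the explicit calls were removed.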
@@ -108,10 +115,8 @@ optional_policy(`
inetd_service_domain(rsync_t,rsync_exec_t)
')
-optional_policy(`
- nis_use_ypbind(rsync_t)
-')
-
-optional_policy(`
- nscd_socket_use(rsync_t)
+tunable_policy(`rsync_export_all_ro',`
+ allow rsync_t self:capability dac_override;
+ fs_read_noxattr_fs_files(rsync_t)
+ auth_read_all_files_except_shadow(rsync_t)
')
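Review bot: `allow rsync_t self:capability dac_override;` grants more than a read-only export needs: dac_override bypasses DAC for write and execute as well as read, so an rsyncd compromised through a module with `read only = yes` still gets kernel-level permission to write any file its SELinux rules allow. For the stated purpose of reading every file except shadow, `dac_read_search` is the minimal capability; the line should be `allow rsync_t self:capability dac_read_search;`. The `rsync_export_all_ro` tunable is used here but its `gen_tunable` declaration is not visible in this diff (it may be in the earlier rsync.te hunk); wherever it is declared, its description should state plainly that enabling it lets rsync read all non-shadow files on the system, including private keys and user home directories, so administrators understand the exposure before flipping it.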
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 4edddfb..0a781f8 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,11 +1,19 @@
-policy_module(tftp,1.5.2)
+policy_module(tftp,1.5.3)
########################################
#
# Declarations
#
+##
+##
+## Allow tftp to modify public files
+## used for public file transfer services.
+##
+##
+gen_tunable(tftp_anon_write,false)
+
type tftpd_t;
type tftpd_exec_t;
init_daemon_domain(tftpd_t,tftpd_exec_t)
@@ -16,6 +24,9 @@ files_pid_file(tftpd_var_run_t)
type tftpdir_t;
files_type(tftpdir_t)
+type tftpdir_rw_t;
+files_type(tftpdir_rw_t)
+
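Review bot: The new `tftpdir_rw_t` type is declared without a comment saying what it labels, and no matching file-context entry for tftp.fc appears in this diff, so unless it is added elsewhere nothing on disk will receive the label and the write rules below stay dead. A short comment above the declaration would help, e.g. `# tftpdir_rw_t: directories tftpd is allowed to create, write and delete files in (uploads)`. Whether a tftp.fc change accompanies this commit cannot be confirmed from this view.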
########################################
#
# Local policy
@@ -33,6 +44,10 @@ allow tftpd_t tftpdir_t:dir { getattr read search };
allow tftpd_t tftpdir_t:file { read getattr };
allow tftpd_t tftpdir_t:lnk_file { getattr read };
+manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
+
manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t)
files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
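Review bot: `manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)` lets tftpd create and remove symlinks in the writable tftp directory, which the TFTP protocol has no operation for, while the existing read-only rule for `tftpdir_t` on the line above only grants `lnk_file { getattr read }`. Creating symlinks in a world-writable upload area is a classic way to redirect later reads or writes, so least privilege argues for the narrower form, `read_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)`. If a real use case for symlink creation exists it should be noted in a comment beside the rule.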
@@ -80,6 +95,10 @@ userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
userdom_dontaudit_use_sysadm_ttys(tftpd_t)
userdom_dontaudit_search_sysadm_home_dirs(tftpd_t)
+tunable_policy(`tftp_anon_write',`
+ miscfiles_manage_public_files(tftpd_t)
+')
+
optional_policy(`
inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
')
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index cf640b6..bebb25f 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -48,6 +48,26 @@ interface(`miscfiles_read_fonts',`
########################################
##
+## Do not audit attempts to write fonts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`miscfiles_dontaudit_write_fonts',`
+ gen_require(`
+ type fonts_t;
+ ')
+
+ dontaudit $1 fonts_t:dir write;
+ dontaudit $1 fonts_t:file write;
+')
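Review bot: The new `miscfiles_dontaudit_write_fonts` interface silences only `dir write` and `file write` on `fonts_t`, so if the intent is to quiet attempts to create font cache files, the accompanying `dir add_name` and `file create` denials will still be logged and the interface only half-delivers. Either widen it to `dontaudit $1 fonts_t:dir { write add_name remove_name };` and `dontaudit $1 fonts_t:file { write create };`, or document in the interface summary that it is deliberately limited to bare write attempts. Which of the two is intended cannot be told from this diff.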
+
+########################################
+##
## Create, read, write, and delete fonts.
##
##
@@ -253,6 +273,8 @@ interface(`miscfiles_delete_man_pages',`
files_search_usr($1)
allow $1 man_t:dir setattr;
+ # RH bug #309351
+ allow $1 man_t:dir list_dir_perms;
delete_dirs_pattern($1,man_t,man_t)
delete_files_pattern($1,man_t,man_t)
delete_lnk_files_pattern($1,man_t,man_t)
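Review bot: The comment `# RH bug #309351` above the new `list_dir_perms` rule records only a tracker number, which tells a reader nothing once that tracker is unavailable; the reason is presumably that `delete_*_pattern` does not grant the directory listing needed to find the entries to remove. A self-contained comment such as `# deleting man pages requires listing man_t directories (RH bug #309351)` keeps the rationale with the rule.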
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 48c25c3..2b51b6e 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,5 +1,5 @@
-policy_module(miscfiles,1.4.0)
+policy_module(miscfiles,1.4.1)
########################################
#