diff --git a/policy-20071130.patch b/policy-20071130.patch index c0fb315..a1d2cee 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -957,7 +957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.5/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-18 11:12:44.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if 2008-01-03 11:32:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/admin/rpm.if 2008-01-08 08:11:14.000000000 -0500 @@ -152,6 +152,24 @@ ######################################## @@ -983,7 +983,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ## Send and receive messages from ## rpm over dbus. ## -@@ -210,6 +228,24 @@ +@@ -173,6 +191,27 @@ + + ######################################## + ## ++## Send and receive messages from ++## rpm_script over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_script_dbus_chat',` ++ gen_require(` ++ type rpm_script_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 rpm_script_t:dbus send_msg; ++ allow rpm_script_t $1:dbus send_msg; ++') ++ ++######################################## ++## + ## Create, read, write, and delete the RPM log. + ## + ## +@@ -210,6 +249,24 @@ ######################################## ## @@ -1008,7 +1036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ## Create, read, write, and delete RPM ## script temporary files. ## -@@ -225,7 +261,29 @@ +@@ -225,7 +282,29 @@ ') files_search_tmp($1) 
@@ -1038,7 +1066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -289,3 +347,137 @@ +@@ -289,3 +368,137 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1304,7 +1332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.5/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/admin/su.if 2008-01-03 13:47:22.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/admin/su.if 2008-01-08 05:34:26.000000000 -0500 @@ -41,15 +41,13 @@ allow $2 $1_su_t:process signal; @@ -1330,7 +1358,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s logging_send_syslog_msg($1_su_t) miscfiles_read_localization($1_su_t) -@@ -172,13 +171,12 @@ +@@ -119,11 +118,6 @@ + optional_policy(` + kerberos_use($1_su_t) + ') +- +- ifdef(`TODO',` +- # Caused by su - init scripts +- dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; +- ') dnl end TODO + ') + + ####################################### +@@ -172,13 +166,12 @@ domain_interactive_fd($1_su_t) role $3 types $1_su_t; @@ -1347,7 +1387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s allow $1_su_t self:key { search write }; # Transition from the user domain to this domain. -@@ -188,7 +186,7 @@ +@@ -188,7 +181,7 @@ corecmd_shell_domtrans($1_su_t,$2) allow $2 $1_su_t:fd use; allow $2 $1_su_t:fifo_file rw_file_perms; @@ -1356,7 +1396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) -@@ -203,15 +201,15 @@ +@@ -203,15 +196,15 @@ # needed for pam_rootok selinux_compute_access_vector($1_su_t) 
@@ -1375,7 +1415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s files_read_etc_files($1_su_t) files_read_etc_runtime_files($1_su_t) files_search_var_lib($1_su_t) -@@ -226,12 +224,14 @@ +@@ -226,12 +219,14 @@ libs_use_ld_so($1_su_t) libs_use_shared_libs($1_su_t) @@ -1391,7 +1431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) -@@ -295,13 +295,7 @@ +@@ -295,13 +290,7 @@ xserver_domtrans_user_xauth($1, $1_su_t) ') @@ -2327,8 +2367,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.5/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/gpg.te 2008-01-03 17:11:59.000000000 -0500 -@@ -7,15 +7,223 @@ ++++ serefpolicy-3.2.5/policy/modules/apps/gpg.te 2008-01-08 05:15:21.000000000 -0500 +@@ -7,15 +7,225 @@ # # Type for gpg or pgp executables. @@ -2378,6 +2418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +allow gpg_t user_gpg_secret_t:dir create_dir_perms; +userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir) +userdom_manage_user_home_content_files(user,gpg_t) ++userdom_manage_user_tmp_files(user,gpg_t) + +# transition from the gpg domain to the helper domain +domtrans_pattern(gpg_t,gpg_helper_exec_t,gpg_helper_t) @@ -2397,6 +2438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +dev_read_urand(gpg_t) + +fs_getattr_xattr_fs(gpg_t) ++fs_list_inotifyfs(gpg_t) + +domain_use_interactive_fds(gpg_t) + 
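Review bot: `userdom_manage_user_tmp_files(user,gpg_t)` grants gpg_t create, write and delete rights over every file of the user's tmp type, not just the scratch files gpg creates for itself. If gpg only needs its own temporaries, a private tmp type with a transition, the pattern already used elsewhere in this policy as `files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })`, keeps the rest of the user's tmp content out of reach; either way a one-line comment above the rule naming the gpg operation that needs it would help the next reader. The gpg_t block continues outside the hunk.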
@@ -4364,8 +4406,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2008-01-03 14:26:07.000000000 -0500 -@@ -7,6 +7,7 @@ ++++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2008-01-07 11:08:14.000000000 -0500 +@@ -7,11 +7,11 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -4373,7 +4415,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -58,6 +59,8 @@ + /bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) +- + # + # /dev + # +@@ -58,6 +58,8 @@ /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -4382,7 +4429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) -@@ -127,6 +130,8 @@ +@@ -127,6 +129,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -4391,7 +4438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -147,7 +152,7 @@ +@@ -147,7 +151,7 @@ /usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -4400,15 +4447,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -@@ -186,6 +191,8 @@ +@@ -186,7 +190,10 @@ /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) @@ -284,3 +291,6 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) 
@@ -5003,6 +5052,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0) /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.2.5/policy/modules/kernel/storage.if +--- nsaserefpolicy/policy/modules/kernel/storage.if 2007-10-29 18:02:31.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/kernel/storage.if 2008-01-08 06:26:10.000000000 -0500 +@@ -81,6 +81,26 @@ + + ######################################## + ## ++## dontaudit the caller attempts to read from a fixed disk. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`storage_dontaudit_raw_read_fixed_disk',` ++ gen_require(` ++ attribute fixed_disk_raw_read; ++ type fixed_disk_device_t; ++ ') ++ ++ dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms; ++ dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms; ++') ++ ++######################################## ++## + ## Allow the caller to directly read from a fixed disk. + ## This is extremly dangerous as it can bypass the + ## SELinux protections for filesystem objects, and diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.2.5/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2007-09-12 10:34:17.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/kernel/terminal.if 2007-12-19 05:38:09.000000000 -0500 
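Review bot: The `gen_require` of the new `storage_dontaudit_raw_read_fixed_disk` pulls in `attribute fixed_disk_raw_read;`, but the body only writes dontaudit rules on fixed_disk_device_t and never references the attribute, so that require line is dead and should be dropped. The summary line also reads awkwardly; `## Do not audit attempts by the caller to read from a fixed disk.` matches the wording of the neighbouring interface. Because this silences raw block-device reads, each caller (nfsd_t picks it up later in this patch) loses the AVC record that would otherwise flag a confined daemon touching disk devices, so a comment at the call site saying which benign access is being hidden is worth adding.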
@@ -7012,7 +7091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2007-12-30 09:53:47.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-08 10:52:45.000000000 -0500 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -7063,7 +7142,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ifdef(`hide_broken_symptoms', ` dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write }; -@@ -214,7 +221,7 @@ +@@ -182,6 +189,7 @@ + optional_policy(` + xserver_use_xdm_fds($1_dbusd_t) + xserver_rw_xdm_pipes($1_dbusd_t) ++ xserver_dontaudit_xdm_lib_search($1_dbusd_t) + ') + ') + +@@ -214,7 +222,7 @@ # SE-DBus specific permissions # allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; @@ -7072,7 +7159,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($2) -@@ -251,6 +258,7 @@ +@@ -223,6 +231,10 @@ + files_search_pids($2) + stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t) + dbus_read_config($2) ++ ++ optional_policy(` ++ rpm_script_dbus_chat($2) ++ ') + ') + + ####################################### +@@ -251,6 +263,7 @@ template(`dbus_user_bus_client_template',` gen_require(` type $1_dbusd_t; @@ -7080,7 +7178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus class dbus send_msg; ') -@@ -263,6 +271,7 @@ +@@ -263,6 +276,7 @@ # For connecting to the bus allow $3 $1_dbusd_t:unix_stream_socket connectto; 
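Review bot: `rpm_script_dbus_chat($2)` appears to be added inside `dbus_system_bus_client_template` (the template header is outside the hunk), so every domain that becomes a system bus client also gets two-way dbus send_msg with rpm_script_t, presumably the domain rpm scriptlets run in. That is a much wider grant than the interface's own summary in rpm.if suggests, and it lands unconditionally in a template called from many services (setroubleshootd in this same patch, for instance). If only a few clients really exchange messages with rpm scriptlets, call `rpm_script_dbus_chat` from those domains' .te files instead; if the template is the intended place, a comment above the optional_policy block explaining which clients need it would document the decision.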
@@ -7088,7 +7186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ######################################## -@@ -292,6 +301,59 @@ +@@ -292,6 +306,59 @@ ######################################## ## @@ -7148,7 +7246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## Read dbus configuration. ## ## -@@ -366,3 +428,53 @@ +@@ -366,3 +433,53 @@ allow $1 system_dbusd_t:dbus *; ') @@ -7243,7 +7341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.2.5/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/dcc.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/dcc.te 2008-01-04 09:52:10.000000000 -0500 @@ -124,7 +124,7 @@ # dcc procmail interface local policy # 
@@ -7253,15 +7351,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. allow dcc_client_t self:unix_dgram_socket create_socket_perms; allow dcc_client_t self:udp_socket create_socket_perms; -@@ -148,6 +148,8 @@ +@@ -148,6 +148,10 @@ files_read_etc_files(dcc_client_t) files_read_etc_runtime_files(dcc_client_t) +kernel_read_system_state(dcc_client_t) + ++auth_use_nsswitch(dcc_client_t) ++ libs_use_ld_so(dcc_client_t) libs_use_shared_libs(dcc_client_t) +@@ -155,11 +159,8 @@ + + miscfiles_read_localization(dcc_client_t) + +-sysnet_read_config(dcc_client_t) +-sysnet_dns_name_resolve(dcc_client_t) +- + optional_policy(` +- nscd_socket_use(dcc_client_t) ++ spamassassin_read_spamd_tmp_files(dcc_client_t) + ') + + ######################################## +@@ -275,9 +276,7 @@ + userdom_dontaudit_use_unpriv_user_fds(dccd_t) + userdom_dontaudit_search_sysadm_home_dirs(dccd_t) + +-optional_policy(` +- nscd_socket_use(dccd_t) +-') ++auth_use_nsswitch(dccd_t) + + optional_policy(` + seutil_sigchld_newrole(dccd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.2.5/policy/modules/services/dictd.fc --- nsaserefpolicy/policy/modules/services/dictd.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/dictd.fc 2007-12-19 05:38:09.000000000 -0500 @@ -7730,7 +7854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.5/policy/modules/services/fail2ban.fc --- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc 2008-01-08 13:32:00.000000000 -0500 
@@ -1,3 +1,4 @@ /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) +/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) @@ -7887,7 +8011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.5/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/hal.te 2007-12-20 14:02:58.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/hal.te 2008-01-08 09:48:17.000000000 -0500 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -7940,7 +8064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. # allow hald_acl_t self:capability { dac_override fowner }; -+allow hald_acl_t self:process signal; ++allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file read_fifo_file_perms; domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) @@ -8376,7 +8500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2007-12-27 11:44:00.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-04 10:12:33.000000000 -0500 @@ -133,6 +133,12 @@ sendmail_create_log($1_mail_t) ') 
@@ -9437,6 +9561,60 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. logrotate_exec(ntpd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te +--- nsaserefpolicy/policy/modules/services/oddjob.te 2007-12-19 05:32:17.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/oddjob.te 2008-01-04 12:24:30.000000000 -0500 +@@ -15,6 +15,7 @@ + type oddjob_mkhomedir_t; + type oddjob_mkhomedir_exec_t; + domain_type(oddjob_mkhomedir_t) ++domain_obj_id_change_exemption(oddjob_mkhomedir_t) + init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + +@@ -68,20 +69,38 @@ + # oddjob_mkhomedir local policy + # + ++allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; ++allow oddjob_mkhomedir_t self:process setfscreate; + allow oddjob_mkhomedir_t self:fifo_file { read write }; + allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; + + files_read_etc_files(oddjob_mkhomedir_t) + ++kernel_read_system_state(oddjob_mkhomedir_t) ++ ++auth_use_nsswitch(oddjob_mkhomedir_t) ++ + libs_use_ld_so(oddjob_mkhomedir_t) + libs_use_shared_libs(oddjob_mkhomedir_t) + ++logging_send_syslog_msg(oddjob_mkhomedir_t) ++ + miscfiles_read_localization(oddjob_mkhomedir_t) + ++selinux_get_fs_mount(oddjob_mkhomedir_t) ++selinux_validate_context(oddjob_mkhomedir_t) ++selinux_compute_access_vector(oddjob_mkhomedir_t) ++selinux_compute_create_context(oddjob_mkhomedir_t) ++selinux_compute_relabel_context(oddjob_mkhomedir_t) ++selinux_compute_user_contexts(oddjob_mkhomedir_t) ++ ++seutil_read_config(oddjob_mkhomedir_t) ++seutil_read_file_contexts(oddjob_mkhomedir_t) ++seutil_read_default_contexts(oddjob_mkhomedir_t) ++ + # Add/remove user home directories ++userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t) + 
userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t) +-userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t) +-userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t) +-userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t) +-userdom_manage_staff_home_dirs(oddjob_mkhomedir_t) ++userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t) ++userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t) + userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.5/policy/modules/services/openct.te --- nsaserefpolicy/policy/modules/services/openct.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/openct.te 2007-12-19 05:38:09.000000000 -0500 @@ -9460,7 +9638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.5/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/openvpn.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/openvpn.te 2008-01-08 13:31:47.000000000 -0500 @@ -8,7 +8,7 @@ ## 
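Review bot: `userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)` and `userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)` are both added in the same hunk; if the all-users interface already covers unprivileged users' home content, the first line is redundant and one of the two should go. Combined with `domain_obj_id_change_exemption`, `setfscreate` and the `{ chown fowner fsetid dac_override }` capabilities, the domain can now create, relabel and re-own content in any user's home, so a short comment stating why each capability is required (dac_override in particular) would let a later reviewer tell deliberate grants from leftovers of denial-chasing. The oddjob_mkhomedir block continues outside the hunk.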
@@ -9479,7 +9657,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open allow openvpn_t self:process { signal getsched }; allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -110,3 +110,12 @@ +@@ -47,6 +47,7 @@ + allow openvpn_t openvpn_etc_t:dir list_dir_perms; + read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t) + read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t) ++can_exec(openvpn_t,openvpn_etc_t) + + allow openvpn_t openvpn_var_log_t:file manage_file_perms; + logging_log_filetrans(openvpn_t,openvpn_var_log_t,file) +@@ -77,6 +78,7 @@ + corenet_sendrecv_openvpn_server_packets(openvpn_t) + corenet_rw_tun_tap_dev(openvpn_t) + corenet_tcp_connect_openvpn_port(openvpn_t) ++corenet_tcp_connect_http_port(openvpn_t) + + dev_search_sysfs(openvpn_t) + dev_read_rand(openvpn_t) +@@ -110,3 +112,12 @@ networkmanager_dbus_chat(openvpn_t) ') @@ -10077,8 +10271,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-03 10:56:43.000000000 -0500 -@@ -129,7 +129,9 @@ ++++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-08 11:05:41.000000000 -0500 +@@ -102,6 +102,10 @@ + ') + + optional_policy(` ++ cron_read_pipes(procmail_t) ++') ++ ++optional_policy(` + munin_dontaudit_search_lib(procmail_t) + ') + +@@ -129,7 +133,9 @@ corenet_udp_bind_generic_port(procmail_t) corenet_dontaudit_udp_bind_all_ports(procmail_t) 
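Review bot: `can_exec(openvpn_t,openvpn_etc_t)` makes every file carrying the configuration label executable by openvpn_t, since openvpn_etc_t is the type the same block reads its configuration from (`read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)`). If this is for up/down scripts kept under the config directory, a dedicated type for those scripts keeps a mislabelled or edited config file from being runnable as code; at minimum a comment naming the scripts that need it should sit above the rule. `corenet_tcp_connect_http_port(openvpn_t)` is likewise unconditional; if it exists for proxy support, a tunable or a comment would say so. The openvpn_t block continues outside the hunk.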
@@ -10167,6 +10372,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.2.5/policy/modules/services/qmail.te +--- nsaserefpolicy/policy/modules/services/qmail.te 2007-10-02 09:54:52.000000000 -0400 ++++ serefpolicy-3.2.5/policy/modules/services/qmail.te 2008-01-07 16:36:33.000000000 -0500 +@@ -85,6 +85,8 @@ + libs_use_ld_so(qmail_inject_t) + libs_use_shared_libs(qmail_inject_t) + ++miscfiles_read_localization(qmail_inject_t) ++ + qmail_read_config(qmail_inject_t) + + ######################################## +@@ -106,15 +108,25 @@ + + kernel_read_system_state(qmail_local_t) + ++corecmd_exec_bin(qmail_local_t) + corecmd_exec_shell(qmail_local_t) ++can_exec(qmail_local_t, qmail_local_exec_t) + + files_read_etc_files(qmail_local_t) + files_read_etc_runtime_files(qmail_local_t) + ++auth_use_nsswitch(qmail_local_t) ++ ++logging_send_syslog(qmail_local_t) ++ + mta_append_spool(qmail_local_t) + + qmail_domtrans_queue(qmail_local_t) + ++optional_policy(` ++ spamassassin_domtrans_spamc(qmail_local_t) ++') ++ + ######################################## + # + # qmail-lspawn local policy +@@ -155,6 +167,10 @@ + manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t) + rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t) + ++corecmd_exec_bin(qmail_queue_t) ++ ++logging_send_syslog(qmail_queue_t) ++ + optional_policy(` + daemontools_ipc_domain(qmail_queue_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500 
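Review bot: `logging_send_syslog(qmail_local_t)` and `logging_send_syslog(qmail_queue_t)` use an interface name that appears nowhere else in this patch; every other module here calls `logging_send_syslog_msg(...)` (su.if, oddjob.te, samba.te). An unknown interface name is left unexpanded by m4 and the resulting policy most likely fails to build, so both lines should read `logging_send_syslog_msg(qmail_local_t)` and `logging_send_syslog_msg(qmail_queue_t)`. `can_exec(qmail_local_t, qmail_local_exec_t)` also deserves a one-line comment on why the domain re-executes its own entrypoint binary.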
@@ -10364,7 +10618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.5/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/rpc.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/rpc.te 2008-01-08 06:24:04.000000000 -0500 @@ -60,10 +60,14 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) @@ -10399,13 +10653,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ######################################## # # NFSD local policy -@@ -92,9 +102,13 @@ +@@ -92,9 +102,16 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; +dev_dontaudit_getattr_all_blk_files(nfsd_t) +dev_dontaudit_getattr_all_chr_files(nfsd_t) + ++dev_read_lvm_control(nfsd_t) ++storage_dontaudit_raw_read_fixed_disk(nfsd_t) ++ # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) @@ -10413,7 +10670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -124,6 +138,7 @@ +@@ -124,6 +141,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) @@ -10421,7 +10678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') tunable_policy(`nfs_export_all_ro',` -@@ -144,6 +159,7 @@ +@@ -144,6 +162,7 @@ manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) 
@@ -10429,7 +10686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) -@@ -157,8 +173,13 @@ +@@ -157,8 +176,13 @@ files_list_tmp(gssd_t) files_read_usr_symlinks(gssd_t) @@ -10584,7 +10841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.5/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/samba.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/samba.if 2008-01-08 13:39:02.000000000 -0500 @@ -331,6 +331,25 @@ ######################################## @@ -10619,7 +10876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -492,3 +512,102 @@ +@@ -492,3 +512,103 @@ allow $1 samba_var_t:dir search_dir_perms; stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t) ') @@ -10669,6 +10926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + type samba_share_t; + ') + ++ allow $1 samba_share_t:filesystem getattr; + read_files_pattern($1, samba_share_t, samba_share_t) +') + 
@@ -10724,7 +10982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/samba.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/samba.te 2008-01-08 13:40:20.000000000 -0500 @@ -26,28 +26,28 @@ ## @@ -10801,7 +11059,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbd_t samba_net_tmp_t:file getattr; -@@ -251,7 +256,7 @@ +@@ -234,6 +239,7 @@ + manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t) + manage_files_pattern(smbd_t,samba_share_t,samba_share_t) + manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t) ++allow smbd_t samba_share_t:filesystem getattr; + + manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t) + manage_files_pattern(smbd_t,samba_var_t,samba_var_t) +@@ -251,7 +257,7 @@ manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t) files_pid_filetrans(smbd_t,smbd_var_run_t,file) @@ -10810,7 +11076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -340,6 +345,17 @@ +@@ -340,6 +346,17 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) @@ -10828,7 +11094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') optional_policy(` -@@ -391,7 +407,7 @@ +@@ -391,7 +408,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; 
@@ -10837,7 +11103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -403,8 +419,7 @@ +@@ -403,8 +420,7 @@ read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) @@ -10847,7 +11113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) -@@ -439,6 +454,7 @@ +@@ -439,6 +455,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -10855,7 +11121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -522,6 +538,7 @@ +@@ -522,6 +539,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) @@ -10863,7 +11129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_list_bin(smbmount_t) -@@ -546,28 +563,37 @@ +@@ -546,28 +564,37 @@ userdom_use_all_users_fds(smbmount_t) @@ -10908,7 +11174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_var_run_t:file read; manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) -@@ -577,7 +603,9 @@ +@@ -577,7 +604,9 @@ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) @@ -10919,7 +11185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -602,6 +630,7 @@ +@@ -602,6 +631,7 @@ dev_read_urand(swat_t) 
@@ -10927,7 +11193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb files_read_etc_files(swat_t) files_search_home(swat_t) files_read_usr_files(swat_t) -@@ -614,6 +643,7 @@ +@@ -614,6 +644,7 @@ libs_use_shared_libs(swat_t) logging_send_syslog_msg(swat_t) @@ -10935,7 +11201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -631,6 +661,17 @@ +@@ -631,6 +662,17 @@ kerberos_use(swat_t) ') @@ -10953,7 +11219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # Winbind local policy -@@ -679,6 +720,8 @@ +@@ -679,6 +721,8 @@ manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) files_pid_filetrans(winbind_t,winbind_var_run_t,file) @@ -10962,7 +11228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -766,6 +809,7 @@ +@@ -766,6 +810,7 @@ optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) @@ -10970,7 +11236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -790,3 +834,37 @@ +@@ -790,3 +835,37 @@ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ') ') 
@@ -11223,7 +11489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2008-01-08 06:17:24.000000000 -0500 @@ -27,8 +27,8 @@ # setroubleshootd local policy # @@ -11245,16 +11511,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -73,7 +75,7 @@ +@@ -68,13 +70,17 @@ + + dev_read_urand(setroubleshootd_t) + dev_read_sysfs(setroubleshootd_t) ++dev_getattr_all_blk_files(setroubleshootd_t) ++dev_getattr_all_chr_files(setroubleshootd_t) + + domain_dontaudit_search_all_domains_state(setroubleshootd_t) files_read_usr_files(setroubleshootd_t) files_read_etc_files(setroubleshootd_t) -files_getattr_all_dirs(setroubleshootd_t) +files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) ++files_getattr_all_pipes(setroubleshootd_t) ++files_getattr_all_sockets(setroubleshootd_t) fs_getattr_all_dirs(setroubleshootd_t) -@@ -110,6 +112,7 @@ + fs_getattr_all_files(setroubleshootd_t) +@@ -110,6 +116,7 @@ optional_policy(` dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t) dbus_connect_system_bus(setroubleshootd_t) 
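Review bot: Replacing `files_getattr_all_dirs(setroubleshootd_t)` with `files_list_all(setroubleshootd_t)` in the setroubleshoot.te hunk widens the daemon from stat-ing directories to listing every directory type on the system, and nothing in the hunk records which denial motivated that step up. The four new rules (`dev_getattr_all_blk_files`, `dev_getattr_all_chr_files`, `files_getattr_all_pipes`, `files_getattr_all_sockets`) are plausible for a tool that reports on arbitrary denied paths, but getattr on every device node, pipe and socket for a system daemon still deserves a one-line justification. I would add `# setroubleshootd stats/lists the objects named in AVC denials to build its reports` above the block, and if the directory listing is only needed to stop audit noise rather than to function, a dontaudit rule is the narrower choice.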
@@ -12584,7 +12860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-03 16:24:11.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-08 11:18:17.000000000 -0500 @@ -15,6 +15,7 @@ template(`xserver_common_domain_template',` gen_require(` @@ -13158,7 +13434,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -974,6 +1041,37 @@ +@@ -937,7 +1004,7 @@ + + ######################################## + ## +-## Read XDM var lib files. ++## dontaudit search of XDM var lib directories. + ## + ## + ## +@@ -945,12 +1012,12 @@ + ## + ## + # +-interface(`xserver_read_xdm_lib_files',` ++interface(`xserver_dontaudit_xdm_lib_search',` + gen_require(` + type xdm_var_lib_t; + ') + +- allow $1 xdm_var_lib_t:file { getattr read }; ++ dontaudit $1 xdm_var_lib_t:dir search_dir_perms; + ') + + ######################################## +@@ -965,15 +1032,47 @@ + # + interface(`xserver_domtrans_xdm_xserver',` + gen_require(` +- type xdm_xserver_t, xserver_exec_t; ++ type xdm_xserver_t, xserver_exec_t, xdm_t; + ') + + allow $1 xdm_xserver_t:process siginh; ++ allow xdm_t $1:process sigchld; + domtrans_pattern($1,xserver_exec_t,xdm_xserver_t) + ') ######################################## ## @@ -13196,7 +13507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1221,7 @@ +@@ -1123,7 +1222,7 @@ type xdm_xserver_tmp_t; ') 
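Review bot: The new `allow xdm_t $1:process sigchld;` inside `xserver_domtrans_xdm_xserver` hard-codes xdm_t into an interface whose documented effect is a transition from the caller to xdm_xserver_t, so every domain that calls this interface now also lets xdm_t deliver SIGCHLD to it, which is unrelated to the transition being granted. If the intent is the X server's exit notification, `domtrans_pattern` conventionally already covers sigchld from the new domain back to the caller; if xdm_t itself genuinely must signal the caller, that belongs in its own interface or at least behind a comment naming the denial that motivated it, e.g. `# xdm_t forks callers of this interface and must reap them (AVC: …)`. Separately, the same hunk renames `xserver_read_xdm_lib_files` to `xserver_dontaudit_xdm_lib_search` with different semantics rather than adding a new interface, so any remaining caller of the old name (none visible here) will fail to build.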
@@ -13205,7 +13516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1410,45 @@ +@@ -1312,3 +1411,45 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -14276,7 +14587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.5/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/init.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/init.te 2008-01-08 13:52:56.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -14430,7 +14741,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -729,6 +765,11 @@ +@@ -708,9 +744,11 @@ + squid_manage_logs(initrc_t) + ') + +-optional_policy(` +- # allow init scripts to su +- su_restricted_domain_template(initrc,initrc_t,system_r) ++ifndef(`targeted_policy',` ++ optional_policy(` ++ # allow init scripts to su ++ su_restricted_domain_template(initrc,initrc_t,system_r) ++ ') + ') + + optional_policy(` +@@ -729,6 +767,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -14442,7 +14768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` unconfined_domain(initrc_t) -@@ -743,6 +784,10 @@ +@@ -743,6 +786,10 @@ ') optional_policy(` 
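Review bot: Wrapping `su_restricted_domain_template(initrc,initrc_t,system_r)` in `ifndef(`targeted_policy',…)` silently changes what happens when an init script runs su under the targeted policy, and the hunk records no reason for it. The likely rationale is that initrc_t is made unconfined under targeted (the `unconfined_domain(initrc_t)` optional block a few lines further down), which would make an initrc_su_t transition pointless, but that is inferred; a comment such as `# targeted: initrc_t is unconfined, so no su transition domain is needed` above the `ifndef` would make the intent explicit. Note also that `targeted_policy` is a build-time m4 symbol, so the rule disappears regardless of whether the unconfined module is actually loaded; if that module can be absent on a targeted system, su from init scripts would presumably then run with no transition at all.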
@@ -16552,7 +16878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-03 16:34:20.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-08 05:05:58.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -19565,8 +19891,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i +## Policy for staff user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te --- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-03 17:06:13.000000000 -0500 -@@ -0,0 +1,31 @@ ++++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-08 05:06:18.000000000 -0500 +@@ -0,0 +1,34 @@ +policy_module(staff,1.0.1) +userdom_unpriv_user_template(staff) + @@ -19574,6 +19900,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t +userdom_role_change_template(staff, sysadm) +userdom_dontaudit_use_sysadm_terms(staff_t) + ++domain_read_all_domains_state(staff_t) ++domain_getattr_all_domains(staff_t) ++ +optional_policy(` + xserver_per_role_template(staff, staff_t, staff_r) +') diff --git a/selinux-policy.spec b/selinux-policy.spec index a870114..fb26e1d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.5 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
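Review bot: `domain_read_all_domains_state(staff_t)` gives the staff user domain read access to the /proc state of every domain on the system rather than just its own processes, and nothing in the staff.te hunk says why staff needs more than `domain_getattr_all_domains(staff_t)`, which by itself should cover ps-style listing if the interface does what its name says. Process state of confined daemons (command lines, maps, status) is exactly the kind of information a less-trusted role should not see by default, so I would either keep only the getattr rule or put the read rule behind a boolean. Whichever is chosen, add a comment above the two lines recording the motivation, e.g. `# staff may read /proc/<pid> state of all domains (for ps/top); DAC still applies`.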
@@ -306,19 +306,20 @@ fi exit 0 -%triggerpostun targeted -- selinux-policy-targeted < 3.2.4-3.fc9 +%triggerpostun targeted -- selinux-policy-targeted < 3.2.5-9.fc9 setsebool -P use_nfs_home_dirs=1 semanage user -l | grep -s unconfined_u if [ $? == 0 ]; then - semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null + semanage user -m -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null else - semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null + semanage user -a -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null fi seuser=`semanage login -l | grep __default__ | awk '{ print $2 }'` [ $seuser == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__ seuser=`semanage login -l | grep root | awk '{ print $2 }'` [ $seuser == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root restorecon -R /root /etc/selinux/targeted 2> /dev/null +semodule -r qmail 2> /dev/null exit 0 %files targeted @@ -386,6 +387,9 @@ exit 0 %endif %changelog +* Mon Jan 7 2008 Dan Walsh 3.2.5-9 +- Update gpg to allow reading of inotify + * Wed Jan 2 2008 Dan Walsh 3.2.5-8 - Change user and staff roles to work correctly with varied perms
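Review bot: The new `semodule -r qmail 2> /dev/null` in the targeted `%triggerpostun` removes the qmail policy module unconditionally on every upgrade from a release older than 3.2.5-9, and with stderr discarded a site that built and loaded its own qmail module would lose it without any trace. If the intent is to retire the qmail module shipped by earlier selinux-policy releases, say so in a comment next to the line and leave stderr visible so a missing or locally modified module is noticed. Raising the trigger condition to `< 3.2.5-9.fc9` also re-runs the whole block, including `setsebool -P use_nfs_home_dirs=1` and the `semanage user -m` rewrite of unconfined_u, so administrator changes to that boolean or SELinux user are reset again on this upgrade. Finally, the `-P unconfined` prefix is dropped from both `semanage user` calls and the qmail removal is added, but the changelog entry only mentions gpg/inotify; both scriptlet changes should be recorded there.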