diff --git a/policy-20070703.patch b/policy-20070703.patch index 35be2e3..4ffab80 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -710,7 +710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.4/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/admin/rpm.if 2007-07-25 13:27:51.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/admin/rpm.if 2007-07-31 14:04:42.000000000 -0400 @@ -210,6 +210,24 @@ ######################################## @@ -767,7 +767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -289,3 +328,65 @@ +@@ -289,3 +328,84 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -833,6 +833,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + + dontaudit $1 rpm_tmp_t:file rw_file_perms; +') ++ ++######################################## ++## ++## Do not audit attempts to read, ++## write RPM shm ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`rpm_dontaudit_rw_shm',` ++ gen_require(` ++ type rpm_t; ++ ') ++ ++ dontaudit $1 rpm_t:shm rw_shm_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.4/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-07-25 10:37:43.000000000 -0400 +++ serefpolicy-3.0.4/policy/modules/admin/rpm.te 2007-07-25 13:27:51.000000000 -0400 
@@ -2697,7 +2716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # etc_runtime_t is the type of various diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.4/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-07-03 07:05:38.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if 2007-07-30 10:20:15.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if 2007-07-31 16:40:44.000000000 -0400 @@ -1192,6 +1192,24 @@ ######################################## 
@@ -2723,9 +2742,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Search inotifyfs filesystem. ## ## +@@ -2219,7 +2237,7 @@ + ## Domain allowed access. + ## + ## +-# ++ + interface(`fs_dontaudit_read_ramfs_files',` + gen_require(` + type ramfs_t; +@@ -3476,3 +3494,42 @@ + relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) + relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) + ') ++ ++######################################## ++## ++## Read files of anon_inodefs file system files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_anon_inodefs_files',` ++ gen_require(` ++ type anon_inodefs_t; ++ ++ ') ++ ++ read_files_pattern($1,anon_inodefs_t,anon_inodefs_t) ++') ++ ++######################################## ++## ++## Read/wrie files of anon_inodefs file system files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_anon_inodefs_files',` ++ gen_require(` ++ type anon_inodefs_t; ++ ++ ') ++ ++ rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.4/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-07-25 10:37:36.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.te 2007-07-25 13:27:51.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.te 2007-07-31 16:40:53.000000000 -0400 @@ -43,6 +43,12 @@ # # Non-persistent/pseudo filesystems 
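Review bot: The summary of the new `fs_rw_anon_inodefs_files` interface misspells its description (`## Read/wrie files of anon_inodefs file system files.`), and both new interfaces leave a stray blank line inside `gen_require(` after `type anon_inodefs_t;`, which the existing interfaces in this hunk do not have. Suggested summary line: `## Read and write files of anon_inodefs file system files.` In the same hunk the `fs_dontaudit_read_ramfs_files` change replaces the `#` line that closes its doc comment with an empty line (`+-#` followed by `++`), which looks accidental rather than intended; if the doc-comment convention relies on that `#` separator it should be restored. Both new interfaces are consumed by the cups.te and postfix.if hunks later in this diff, so the wording is what users of those calls will read.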
@@ -2749,7 +2820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # filesystem SID to label inodes in the following filesystem types, diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.4/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-07-03 07:05:38.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/kernel/kernel.if 2007-07-25 14:26:57.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/kernel/kernel.if 2007-07-31 16:22:36.000000000 -0400 @@ -108,6 +108,24 @@ ######################################## @@ -3354,7 +3425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.4/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/services/apache.te 2007-07-26 13:46:18.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/services/apache.te 2007-07-31 16:48:18.000000000 -0400 @@ -30,6 +30,13 @@ ## @@ -3470,22 +3541,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -348,7 +396,13 @@ +@@ -348,7 +396,9 @@ userdom_use_unpriv_users_fds(httpd_t) -mta_send_mail(httpd_t) -+optional_policy(` -+ nscd_socket_use(httpd_t) -+') -+ +tunable_policy(`httpd_enable_homedirs',` + userdom_search_generic_user_home_dirs(httpd_t) +') tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) -@@ -360,6 +414,7 @@ +@@ -360,6 +410,7 @@ # tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) @@ -3493,7 +3560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -367,6 +422,16 @@ +@@ -367,6 +418,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') 
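Review bot: The `@@ -3470` apache.te hunk drops the `optional_policy(` / `nscd_socket_use(httpd_t)` block that the patch previously added, but no replacement for httpd_t's name-service access is visible anywhere in this diff. For httpd_suexec_t (hunks at `@@ -3581` and `@@ -3620`) and setroubleshootd_t (hunks at `@@ -7135` and `@@ -7146`) the same removal of `nscd_socket_use`/`nis_use_ypbind` is paired with a new `auth_use_nsswitch()` call, and in those two domains the explicit `self:netlink_route_socket r_netlink_socket_perms` rule is removed as well, which assumes `auth_use_nsswitch` grants it — that interface's body is not in this diff, so that assumption should be confirmed before the explicit rules are dropped. If httpd_t is meant to follow the same pattern, an `auth_use_nsswitch(httpd_t)` line belongs in one of the apache.te hunks; if it already has one outside this diff, saying so in the patch description would settle the question.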
@@ -3510,7 +3577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -387,6 +452,17 @@ +@@ -387,6 +448,17 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -3528,7 +3595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -404,11 +480,21 @@ +@@ -404,11 +476,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -3550,7 +3617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -430,6 +516,12 @@ +@@ -430,6 +512,12 @@ ') optional_policy(` @@ -3563,7 +3630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac calamaris_read_www_files(httpd_t) ') -@@ -512,10 +604,16 @@ +@@ -512,10 +600,16 @@ tunable_policy(`httpd_tty_comm',` # cjp: this is redundant: term_use_controlling_term(httpd_helper_t) 
@@ -3581,7 +3648,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -606,6 +704,10 @@ +@@ -567,7 +661,6 @@ + allow httpd_suexec_t self:capability { setuid setgid }; + allow httpd_suexec_t self:process signal_perms; + allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; +-allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms; + + domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) + +@@ -581,6 +674,8 @@ + manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) + files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) + ++auth_use_nsswitch(httpd_suexec_t) ++ + kernel_read_kernel_sysctls(httpd_suexec_t) + kernel_list_proc(httpd_suexec_t) + kernel_read_proc_symlinks(httpd_suexec_t) +@@ -606,6 +701,10 @@ miscfiles_read_localization(httpd_suexec_t) @@ -3592,7 +3676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; allow httpd_suexec_t self:udp_socket create_socket_perms; -@@ -620,10 +722,13 @@ +@@ -620,10 +719,13 @@ corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) @@ -3607,7 +3691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -634,6 +739,12 @@ +@@ -634,6 +736,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') 
@@ -3620,7 +3704,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -672,7 +783,8 @@ +@@ -655,14 +763,6 @@ + nagios_domtrans_cgi(httpd_suexec_t) + ') + +-optional_policy(` +- nis_use_ypbind(httpd_suexec_t) +-') +- +-optional_policy(` +- nscd_socket_use(httpd_suexec_t) +-') +- + ######################################## + # + # Apache system script local policy +@@ -672,7 +772,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -3630,7 +3729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -686,15 +798,66 @@ +@@ -686,15 +787,66 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -3646,15 +3745,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') + +tunable_policy(`httpd_use_nfs', ` -+ fs_read_nfs_files(httpd_sys_script_t) -+ fs_read_nfs_symlinks(httpd_sys_script_t) -+') -+ -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` ++ fs_read_nfs_files(httpd_sys_script_t) ++ fs_read_nfs_symlinks(httpd_sys_script_t) ++') ++ +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; 
@@ -3698,7 +3797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -711,6 +874,19 @@ +@@ -711,6 +863,19 @@ ######################################## # @@ -3718,7 +3817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_rotatelogs local policy # -@@ -728,3 +904,26 @@ +@@ -728,3 +893,26 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -3795,7 +3894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.4/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.te 2007-07-30 11:42:36.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/services/apcupsd.te 2007-07-31 14:08:18.000000000 -0400 @@ -16,6 +16,9 @@ type apcupsd_log_t; logging_log_file(apcupsd_log_t) @@ -3844,7 +3943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu files_search_locks(apcupsd_t) +# Creates /etc/nologin +files_manage_etc_runtime_files(apcupsd_t) -+files_etc_filetrans_etc_runtime(apcuspd_t,file) ++files_etc_filetrans_etc_runtime(apcupsd_t,file) + +#apcupsd runs shutdown, probably need a shutdown domain +init_rw_utmp(apcupsd_t) 
@@ -4572,7 +4671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.4/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/services/cups.te 2007-07-31 12:58:26.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/services/cups.te 2007-07-31 16:41:22.000000000 -0400 @@ -81,12 +81,11 @@ # /usr/lib/cups/backend/serial needs sys_admin(?!) allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; @@ -4596,7 +4695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t cupsd_exec_t:lnk_file read; manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t) -@@ -150,14 +149,17 @@ +@@ -150,20 +149,24 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -4615,7 +4714,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_getattr_printer_dev(cupsd_t) domain_read_all_domains_state(cupsd_t) -@@ -176,6 +178,7 @@ + + fs_getattr_all_fs(cupsd_t) + fs_search_auto_mountpoints(cupsd_t) ++fs_read_anon_inodefs_files(cupsd_t) + + mls_fd_use_all_levels(cupsd_t) + mls_file_downgrade(cupsd_t) +@@ -176,6 +179,7 @@ term_search_ptys(cupsd_t) auth_domtrans_chk_passwd(cupsd_t) @@ -4623,7 +4729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_dontaudit_read_pam_pid(cupsd_t) # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp -@@ -189,7 +192,7 @@ +@@ -189,7 +193,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma 
@@ -4632,7 +4738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -223,21 +226,45 @@ +@@ -223,21 +227,45 @@ sysnet_read_config(cupsd_t) @@ -4678,7 +4784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_t, cupsd_exec_t) ') -@@ -250,6 +277,10 @@ +@@ -250,6 +278,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -4689,7 +4795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -265,16 +296,16 @@ +@@ -265,16 +297,16 @@ ') optional_policy(` @@ -4710,7 +4816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_sigchld_newrole(cupsd_t) ') -@@ -379,6 +410,14 @@ +@@ -379,6 +411,14 @@ ') optional_policy(` @@ -4725,7 +4831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -562,7 +601,7 @@ +@@ -562,7 +602,7 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -4734,7 +4840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -589,8 +628,6 @@ +@@ -589,8 +629,6 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) 
@@ -6225,7 +6331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.4/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/services/postfix.if 2007-07-25 13:27:51.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/services/postfix.if 2007-07-31 15:40:47.000000000 -0400 @@ -41,6 +41,8 @@ allow postfix_$1_t self:unix_stream_socket connectto; @@ -6235,7 +6341,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_$1_t postfix_etc_t:dir list_dir_perms; read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t) -@@ -132,10 +134,8 @@ +@@ -66,6 +68,7 @@ + + fs_search_auto_mountpoints(postfix_$1_t) + fs_getattr_xattr_fs(postfix_$1_t) ++ fs_rw_anon_inodefs_files(postfix_$1_t) + + term_dontaudit_use_console(postfix_$1_t) + +@@ -132,10 +135,8 @@ corenet_tcp_connect_all_ports(postfix_$1_t) corenet_sendrecv_all_client_packets(postfix_$1_t) @@ -6247,7 +6361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ') -@@ -269,6 +269,42 @@ +@@ -269,6 +270,42 @@ ######################################## ## @@ -6290,7 +6404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Do not audit attempts to use ## postfix master process file ## file descriptors. -@@ -434,6 +470,25 @@ +@@ -434,6 +471,25 @@ ######################################## ## @@ -6316,7 +6430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute postfix user mail programs ## in their respective domains. ## -@@ -450,3 +505,22 @@ +@@ -450,3 +506,22 @@ typeattribute $1 postfix_user_domtrans; ') 
@@ -6677,7 +6791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_search_auto_mountpoints($1_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.4/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/services/rpc.te 2007-07-30 09:46:58.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/services/rpc.te 2007-07-31 14:16:40.000000000 -0400 @@ -59,10 +59,13 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) 
@@ -7135,8 +7249,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.4/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/services/setroubleshoot.te 2007-07-25 13:27:51.000000000 -0400 -@@ -76,6 +76,9 @@ ++++ serefpolicy-3.0.4/policy/modules/services/setroubleshoot.te 2007-07-31 16:16:14.000000000 -0400 +@@ -33,7 +33,6 @@ + allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; + allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; +-allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms; + + # database files + allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; +@@ -51,6 +50,8 @@ + manage_sock_files_pattern(setroubleshootd_t,setroubleshoot_var_run_t,setroubleshoot_var_run_t) + files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file }) + ++auth_use_nsswitch(setroubleshootd_t) ++ + kernel_read_kernel_sysctls(setroubleshootd_t) + kernel_read_system_state(setroubleshootd_t) + kernel_read_network_state(setroubleshootd_t) +@@ -76,6 +77,9 @@ files_getattr_all_dirs(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) 
@@ -7146,6 +7277,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) +@@ -108,6 +112,3 @@ + rpm_use_script_fds(setroubleshootd_t) + ') + +-optional_policy(` +- nis_use_ypbind(setroubleshootd_t) +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.0.4/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2007-07-25 10:37:42.000000000 -0400 +++ serefpolicy-3.0.4/policy/modules/services/smartmon.te 2007-07-25 13:27:51.000000000 -0400 @@ -10115,7 +10253,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.4/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/system/sysnetwork.te 2007-07-25 13:27:51.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/system/sysnetwork.te 2007-07-31 16:04:09.000000000 -0400 +@@ -45,7 +45,7 @@ + dontaudit dhcpc_t self:capability sys_tty_config; + # for access("/etc/bashrc", X_OK) on Red Hat + dontaudit dhcpc_t self:capability { dac_read_search sys_module }; +-allow dhcpc_t self:process signal_perms; ++allow dhcpc_t self:process { ptrace signal_perms }; + allow dhcpc_t self:fifo_file rw_file_perms; + allow dhcpc_t self:tcp_socket create_stream_socket_perms; + allow dhcpc_t self:udp_socket create_socket_perms; @@ -159,6 +159,10 @@ dbus_connect_system_bus(dhcpc_t) dbus_send_system_bus(dhcpc_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 235858a..644c05f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
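Review bot: The sysnetwork.te hunk widens `allow dhcpc_t self:process signal_perms;` to `allow dhcpc_t self:process { ptrace signal_perms };` without a comment saying which dhclient operation needs self ptrace, whereas the neighbouring dontaudit rule in the same hunk documents its reason (`# for access("/etc/bashrc", X_OK) on Red Hat`). Self ptrace is narrower than ptrace on other domains, but it is still an added permission, and a one-line why-comment above the rule (e.g. `# <operation that triggered the ptrace denial, to be filled in from the AVC>`) would let a later reviewer judge whether it is still required. The inner hunk's surrounding rules continue outside the lines shown here.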
@@ -12,7 +12,7 @@
 %endif
 %define POLICYVER 21
 %define libsepolver 2.0.3-2
-%define POLICYCOREUTILSVER 2.0.21-1
+%define POLICYCOREUTILSVER 2.0.22-11
 %define CHECKPOLICYVER 2.0.3-1
 Summary: SELinux policy configuration
 Name: selinux-policy