diff --git a/.cvsignore b/.cvsignore index 4c1f1a7..b668565 100644 --- a/.cvsignore +++ b/.cvsignore @@ -127,3 +127,4 @@ serefpolicy-3.0.6.tgz serefpolicy-3.0.7.tgz serefpolicy-3.0.8.tgz serefpolicy-3.1.0.tgz +serefpolicy-3.1.1.tgz diff --git a/booleans-targeted.conf b/booleans-targeted.conf index eb70247..d122def 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -1,6 +1,6 @@ # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. # -allow_execmem = true +allow_execmem = false # Allow making a modified private filemapping executable (text relocation). # @@ -8,7 +8,7 @@ allow_execmod = false # Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = true +allow_execstack = false # Allow ftpd to read cifs directories. # @@ -148,7 +148,7 @@ stunnel_is_daemon = false # Support NFS home directories # -use_nfs_home_dirs = false +use_nfs_home_dirs = true # Support SAMBA home directories # diff --git a/modules-targeted.conf b/modules-targeted.conf index ad634d3..bec5ec0 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -887,6 +887,13 @@ portmap = base # postfix = base +o# Layer: services +# Module: postgrey +# +# email scanner +# +postgrey = base + # Layer: services # Module: ppp # @@ -1500,6 +1507,13 @@ vmware = module guest = module # Layer: users +# Module: xguest +# +# Minimally privs guest account on X Windows logins +# +xguest = module + +# Layer: users # Module: logadm # # Minimally prived root role for managing logging system diff --git a/policy-20071023.patch b/policy-20071023.patch index 3cac7b8..0e8afd2 100644 --- a/policy-20071023.patch +++ b/policy-20071023.patch 
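Review bot: Flipping `use_nfs_home_dirs = true` in the third booleans-targeted.conf hunk opens more than home directories, because NFS filesystems are normally labeled with the single nfs_t type, so every domain gated on this boolean gains access to all NFS-mounted content rather than just $HOME; if that default is intended, say so beside the line, e.g. `# NOTE: grants access to every nfs_t mount, not only home directories`. The `allow_execmem` and `allow_execstack` flips to `false` in the first two hunks are tightening and look right, though anything that generates code at runtime without its own execmem type will now be denied until re-enabled locally, which is worth a line in the release notes.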
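Review bot: The new postgrey entry in modules-targeted.conf begins with a stray character, `o# Layer: services`, so that line is not a comment like every other `# Layer:` line in the file and should read `# Layer: services`. The description `email scanner` also appears inaccurate—postgrey is, as far as I know, a greylisting policy server consulted by Postfix rather than a content scanner—so `# Postfix greylisting policy server` would describe the module better. The xguest entry's wording `Minimally privs guest account` could likewise follow the logadm entry's phrasing, `Minimally privileged guest account for X Windows logins`.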
@@ -1,3 +1,14 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.1.0/Changelog +--- nsaserefpolicy/Changelog 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.1.0/Changelog 2007-11-06 09:28:26.000000000 -0500 +@@ -12,7 +12,6 @@ + of confined and unconfined users. + - Added modules: + exim (Dan Walsh) +- postfixpolicyd (Jan-Frode Myklebust) + + * Fri Sep 28 2007 Chris PeBenito - 20070928 + - Add support for setting the unknown permissions handling. diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.1.0/config/appconfig-mcs/default_contexts --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2007-10-12 08:56:09.000000000 -0400 +++ serefpolicy-3.1.0/config/appconfig-mcs/default_contexts 2007-11-06 09:28:35.000000000 -0500 @@ -283,7 +294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors class key diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.1.0/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.1.0/policy/global_tunables 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/global_tunables 2007-11-07 15:32:58.000000000 -0500 @@ -6,38 +6,35 @@ ## @@ -328,7 +339,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref ##

##
gen_tunable(allow_polyinstantiation,false) -@@ -132,3 +129,12 @@ +@@ -64,23 +61,14 @@ + + ## + ##

+-## Allow email client to various content. +-## nfs, samba, removable devices, user temp +-## and untrusted content files +-##

+-##
+-gen_tunable(mail_read_content,false) +- +-## +-##

+-## Allow nfs to be exported read/write. ++## Allow any files/directories to be exported read/write via NFS. + ##

+ ##
+ gen_tunable(nfs_export_all_rw,false) + + ## + ##

+-## Allow nfs to be exported read only ++## Allow any files/directories to be exported read/only via NFS. + ##

+ ##
+ gen_tunable(nfs_export_all_ro,false) +@@ -132,3 +120,12 @@ ##

## gen_tunable(write_untrusted_content,false) @@ -1462,7 +1499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.1.0/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/admin/su.if 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/admin/su.if 2007-11-08 11:40:26.000000000 -0500 @@ -41,12 +41,11 @@ allow $2 $1_su_t:process signal; @@ -1580,7 +1617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.1.0/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-10-23 07:37:52.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/admin/usermanage.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/admin/usermanage.te 2007-11-08 13:57:59.000000000 -0500 @@ -92,6 +92,7 @@ dev_read_urand(chfn_t) @@ -1589,7 +1626,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman auth_dontaudit_read_shadow(chfn_t) # allow checking if a shell is executable -@@ -297,9 +298,11 @@ +@@ -123,13 +124,7 @@ + # on user home dir + userdom_dontaudit_search_all_users_home_content(chfn_t) + +-optional_policy(` +- nis_use_ypbind(chfn_t) +-') +- +-optional_policy(` +- nscd_socket_use(chfn_t) +-') ++auth_use_nsswitch(chfn_t) + + ######################################## + # +@@ -297,9 +292,11 @@ term_use_all_user_ttys(passwd_t) term_use_all_user_ptys(passwd_t) 
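Review bot: The `gen_tunable(mail_read_content,false)` declaration is removed from global_tunables in this hunk, but the tunable_policy blocks keyed on mail_read_content that consume it are not shown being removed or replaced, so confirm that was done elsewhere in the patch; otherwise the build fails on an undeclared boolean, and if the blocks were simply dropped the mail clients' nfs/samba/removable-media access changed silently. Minor wording in the same hunk: the nfs_export_all_ro description says `read/only`; `Allow any files/directories to be exported read-only via NFS.` matches the read/write line above it.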
@@ -1601,7 +1653,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) -@@ -533,6 +536,12 @@ +@@ -334,12 +331,9 @@ + # on user home dir + userdom_dontaudit_search_all_users_home_content(passwd_t) + +-optional_policy(` +- nis_use_ypbind(passwd_t) +-') ++auth_use_nsswitch(passwd_t) + + optional_policy(` +- nscd_socket_use(passwd_t) + nscd_domtrans(passwd_t) + ') + +@@ -425,12 +419,9 @@ + # on user home dir + userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t) + +-optional_policy(` +- nis_use_ypbind(sysadm_passwd_t) +-') ++auth_use_nsswitch(sysadm_passwd_t) + + optional_policy(` +- nscd_socket_use(sysadm_passwd_t) + nscd_domtrans(sysadm_passwd_t) + ') + +@@ -533,6 +524,12 @@ ') optional_policy(` 
@@ -2847,20 +2927,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) +/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.1.0/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-29 18:02:31.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-08 09:29:27.000000000 -0500 +++ serefpolicy-3.1.0/policy/modules/kernel/corenetwork.te.in 2007-11-07 08:31:44.000000000 -0500 -@@ -132,6 +132,7 @@ +@@ -132,7 +132,7 @@ network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) +-network_port(postfix_policyd, tcp,10031,s0) +network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.1.0/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/kernel/devices.fc 2007-11-06 09:28:35.000000000 -0500 -@@ -20,6 +20,7 @@ ++++ serefpolicy-3.1.0/policy/modules/kernel/devices.fc 2007-11-10 07:48:09.000000000 -0500 +@@ -13,6 +13,7 @@ + /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) + 
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) +@@ -20,6 +21,7 @@ /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0) @@ -2868,7 +2957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) -@@ -30,6 +31,7 @@ +@@ -30,6 +32,7 @@ /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) @@ -2878,7 +2967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.1.0/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/kernel/devices.if 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/kernel/devices.if 2007-11-08 14:28:51.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) 
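Review bot: Dropping `network_port(postfix_policyd, tcp,10031,s0)` from corenetwork.te.in removes the generated corenet_*_postfix_policyd_port interfaces, so any remaining caller in the tree will no longer build; the Changelog hunk suggests the postfixpolicyd module was removed, but the removal of its callers is not visible from this patch, so please confirm. Adding `pgpkeyserver` on 11371 in the same hunk is fine.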
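Review bot: The new `dev_rw_generic_usb_pipes` interface in devices.if allows `$1 device_t:dir search_dir_perms` but its gen_require lists only `usb_device_t`, so a loadable module that calls it without already requiring device_t will fail to build; the require block should be `type device_t, usb_device_t;`. Its summary line, `Read and write generic the USB fifo files.`, is also garbled and should read `Read and write the generic USB fifo files.` to match the sibling interfaces.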
@@ -2888,10 +2977,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device relabelfrom_fifo_files_pattern($1,device_t,device_node) relabelfrom_sock_files_pattern($1,device_t,device_node) relabel_blk_files_pattern($1,device_t,{ device_t device_node }) -@@ -2787,6 +2787,78 @@ +@@ -2787,6 +2787,97 @@ ######################################## ## ++## Read and write generic the USB fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_generic_usb_pipes',` ++ gen_require(` ++ type usb_device_t; ++ ') ++ ++ allow $1 device_t:dir search_dir_perms; ++ allow $1 usb_device_t:fifo_file rw_fifo_file_perms; ++') ++ ++######################################## ++## +## Get the attributes of the kvm devices. +## +## @@ -2967,7 +3075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## -@@ -3322,3 +3394,4 @@ +@@ -3322,3 +3413,4 @@ typeattribute $1 devices_unconfined_type; ') @@ -3008,7 +3116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain selinux_dontaudit_read_fs($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.1.0/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/kernel/domain.te 2007-11-06 10:15:22.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/kernel/domain.te 2007-11-08 13:58:30.000000000 -0500 @@ -145,3 +145,9 @@ # act on all domains keys 
@@ -3017,12 +3125,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +# Allow all domains to use fds past to them +allow domain domain:fd use; +optional_policy(` -+ rpm_dontaudit_rw_pipes(domain) ++ rpm_rw_pipes(domain) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.1.0/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/kernel/files.if 2007-11-06 09:28:35.000000000 -0500 -@@ -4756,3 +4756,54 @@ ++++ serefpolicy-3.1.0/policy/modules/kernel/files.if 2007-11-09 14:39:44.000000000 -0500 +@@ -3054,6 +3054,24 @@ + + ######################################## + ## ++## Remove entries from the tmp directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_tmp_dir_entry',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 tmp_t:dir del_entry_dir_perms; ++') ++ ++######################################## ++## + ## Search the tmp directory (/tmp). + ## + ## +@@ -4756,3 +4774,54 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') 
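Review bot: `files_delete_tmp_dir_entry` in files.if requires `type root_t;` but the only type it uses is `tmp_t`, so the require block is wrong and should be `type tmp_t;`; as written a calling module only compiles if it happens to require tmp_t itself, and it drags root_t into modules that never touch it. In the domain.te part of this hunk, `rpm_dontaudit_rw_pipes(domain)` was changed to `rpm_rw_pipes(domain)`, which turns a log-silencing rule into a real read/write grant on rpm pipes for every domain, on top of the unconditional `allow domain domain:fd use;`; if that breadth is intended, a comment explaining why every confined domain needs it rather than only the rpm scriptlet domains would help the next reviewer.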
@@ -3090,6 +3223,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # # etc_runtime_t is the type of various +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.1.0/policy/modules/kernel/filesystem.te +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-10-29 18:02:31.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/kernel/filesystem.te 2007-11-10 07:39:37.000000000 -0500 +@@ -25,6 +25,8 @@ + fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.1.0/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-06-21 09:32:03.000000000 -0400 +++ serefpolicy-3.1.0/policy/modules/kernel/selinux.if 2007-11-06 09:28:35.000000000 -0500 @@ -3255,7 +3400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.1.0/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/apache.if 2007-11-07 12:47:31.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/apache.if 2007-11-08 09:03:24.000000000 -0500 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; 
@@ -3547,8 +3692,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.1.0/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-10-23 07:37:52.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-11-06 09:28:35.000000000 -0500 -@@ -20,16 +20,25 @@ ++++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-11-07 15:26:15.000000000 -0500 +@@ -20,20 +20,22 @@ # Declarations # @@ -3565,20 +3710,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## ##

+-## Allow Apache to use mod_auth_pam +## Allow Apache to communicate with avahi service via dbus -+##

-+##
-+gen_tunable(allow_httpd_dbus_avahi,false) -+ -+## -+##

- ## Allow Apache to use mod_auth_pam ##

##
-@@ -44,6 +53,13 @@ +-gen_tunable(allow_httpd_mod_auth_pam,false) ++gen_tunable(allow_httpd_dbus_avahi,false) + + ## + ##

+@@ -44,14 +46,21 @@ ## ##

+-## Allow http daemon to tcp connect +## Allow http daemon to send mail +##

+##
@@ -3586,23 +3731,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + +## +##

- ## Allow http daemon to tcp connect ++## Allow HTTPD scripts and modules to connect to the network + ##

+ ##
+ gen_tunable(httpd_can_network_connect,false) + + ## + ##

+-## Allow httpd to connect to mysql/posgresql ++## Allow HTTPD scripts and modules to network connect to databases, mysql/posgresql + ##

+ ##
+ gen_tunable(httpd_can_network_connect_db, false) +@@ -87,25 +96,46 @@ + + ## + ##

+-## Run SSI execs in system CGI script domain. ++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts + ##

+ ##
+ gen_tunable(httpd_ssi_exec,false) + + ## + ##

+-## Allow http daemon to communicate with the TTY ++## Unify HTTPD to communicate with the terminal. Needed for handling certificates ##

##
-@@ -106,6 +122,27 @@ + gen_tunable(httpd_tty_comm,false) + + ## + ##

+-## Run CGI in the main httpd domain ++## Unify HTTPD handling of all content files + ##

##
gen_tunable(httpd_unified,false) +## +##

-+## Allow httpd to read nfs files ++## Allow httpd to access nfs file systems +##

+##
+gen_tunable(httpd_use_nfs,false) + +## +##

-+## Allow httpd to read cifs files ++## Allow httpd to access cifs file systems +##

+##
+gen_tunable(httpd_use_cifs,false) @@ -3617,7 +3793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac attribute httpdcontent; attribute httpd_user_content_type; -@@ -144,6 +181,9 @@ +@@ -144,6 +174,9 @@ type httpd_log_t; logging_log_file(httpd_log_t) @@ -3627,7 +3803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; -@@ -204,7 +244,7 @@ +@@ -204,7 +237,7 @@ # Apache server local policy # @@ -3636,7 +3812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -246,6 +286,7 @@ +@@ -246,6 +279,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) @@ -3644,7 +3820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -286,6 +327,7 @@ +@@ -286,6 +320,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -3652,7 +3828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -332,6 +374,10 @@ +@@ -332,6 +367,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
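Review bot: The rewritten description for `httpd_tty_comm`, `Unify HTTPD to communicate with the terminal. Needed for handling certificates`, no longer says what the boolean grants; `Allow HTTPD to communicate with the terminal. Needed for handling certificates` keeps the original meaning plus the new hint. The same hunk declares `httpd_use_nfs` and `httpd_use_cifs`, but the tunable_policy blocks that act on them are not in view, so confirm they exist and grant only read-style access consistent with the descriptions. `posgresql` in the httpd_can_network_connect_db description is a typo for `postgresql` carried over from the old line.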
@@ -3663,7 +3839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -346,12 +392,8 @@ +@@ -346,12 +385,8 @@ seutil_dontaudit_search_config(httpd_t) @@ -3676,8 +3852,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') -@@ -362,6 +404,7 @@ +@@ -360,8 +395,16 @@ + # + # We need optionals to be able to be within booleans to make this work # ++## ++##
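Review bot: Inside the `allow_httpd_mod_auth_pam` block, the added `auth_domtrans_upd_passwd(httpd_t)` lets the web server transition into the password-update helper domain, which—if that is the pam_unix helper that rewrites the shadow file—is considerably more than the authentication check the boolean's description promises; unless mod_auth_pam genuinely needs to change passwords this line should be dropped, or the description should state `Allow Apache to use mod_auth_pam, including updating passwords`. The same hunk re-declares `gen_tunable(allow_httpd_mod_auth_pam,false)` in the middle of the local-policy section after the earlier hunk removed it from the declarations block; it compiles, but keeping it with the other gen_tunable calls at the top of the file avoids a reader concluding the boolean was deleted.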

++## Allow Apache to use mod_auth_pam ++##

++##
++gen_tunable(allow_httpd_mod_auth_pam,false) ++ tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_upd_passwd(httpd_t) @@ -4111,7 +4296,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.1.0/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/bind.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/bind.te 2007-11-07 15:41:34.000000000 -0500 +@@ -9,7 +9,7 @@ + ## + ##

+ ## Allow BIND to write the master zone files. +-## Generally this is used for dynamic DNS. ++## Generally this is used for dynamic DNS, or zone transfers + ##

+ ##
+ gen_tunable(named_write_master_zones,false) @@ -156,6 +156,12 @@ ') @@ -4186,6 +4380,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +optional_policy(` + mailscanner_manage_spool(clamscan_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/comsat.te serefpolicy-3.1.0/policy/modules/services/comsat.te +--- nsaserefpolicy/policy/modules/services/comsat.te 2007-07-16 14:09:46.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/services/comsat.te 2007-11-08 13:31:46.000000000 -0500 +@@ -57,6 +57,8 @@ + files_search_spool(comsat_t) + files_search_home(comsat_t) + ++auth_use_nsswitch(comsat_t) ++ + init_read_utmp(comsat_t) + init_dontaudit_write_utmp(comsat_t) + +@@ -67,8 +69,6 @@ + + miscfiles_read_localization(comsat_t) + +-sysnet_read_config(comsat_t) +- + userdom_dontaudit_getattr_sysadm_ttys(comsat_t) + + mta_getattr_spool(comsat_t) +@@ -77,10 +77,3 @@ + kerberos_use(comsat_t) + ') + +-optional_policy(` +- nis_use_ypbind(comsat_t) +-') +- +-optional_policy(` +- nscd_socket_use(comsat_t) +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.1.0/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2007-03-20 09:23:13.000000000 -0400 +++ serefpolicy-3.1.0/policy/modules/services/consolekit.if 2007-11-06 09:28:35.000000000 -0500 
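Review bot: The new `named_write_master_zones` description, `Generally this is used for dynamic DNS, or zone transfers`, may push admins into enabling the boolean when they do not need it: incoming zone transfers only require it if the secondary zone files are stored among the master zone files, whereas files kept under the slaves/cache directory are, if labeled named_cache_t as in the reference file contexts, already writable by named. Suggest `Generally this is used for dynamic DNS, or for secondary zones whose files are kept with the master zone files.`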
@@ -4738,7 +4964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.1.0/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/cups.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/cups.te 2007-11-08 13:32:52.000000000 -0500 @@ -48,9 +48,7 @@ type hplip_t; type hplip_exec_t; @@ -4817,7 +5043,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups mls_file_downgrade(cupsd_t) mls_file_write_all_levels(cupsd_t) mls_file_read_all_levels(cupsd_t) -@@ -187,7 +189,7 @@ +@@ -173,6 +175,8 @@ + term_use_unallocated_ttys(cupsd_t) + term_search_ptys(cupsd_t) + ++auth_use_nsswitch(cupsd_t) ++ + auth_domtrans_chk_passwd(cupsd_t) + auth_dontaudit_read_pam_pid(cupsd_t) + +@@ -187,7 +191,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma @@ -4826,7 +5061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -196,12 +198,9 @@ +@@ -196,12 +200,9 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -4840,7 +5075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups init_exec_script_files(cupsd_t) -@@ -221,17 +220,37 @@ +@@ -221,17 +222,37 @@ sysnet_read_config(cupsd_t) @@ -4878,7 +5113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups apm_domtrans_client(cupsd_t) ') -@@ -262,16 +281,16 @@ +@@ -262,16 +283,16 @@ ') optional_policy(` 
@@ -4899,7 +5134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_sigchld_newrole(cupsd_t) ') -@@ -291,7 +310,9 @@ +@@ -291,7 +312,9 @@ allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms; allow cupsd_config_t self:tcp_socket create_stream_socket_perms; @@ -4910,7 +5145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t,cupsd_t) -@@ -330,6 +351,7 @@ +@@ -330,6 +353,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -4918,7 +5153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -354,6 +376,8 @@ +@@ -354,6 +378,8 @@ logging_send_syslog_msg(cupsd_config_t) @@ -4927,7 +5162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups miscfiles_read_localization(cupsd_config_t) seutil_dontaudit_search_config(cupsd_config_t) -@@ -376,6 +400,14 @@ +@@ -376,6 +402,14 @@ ') optional_policy(` @@ -4942,7 +5177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -391,6 +423,7 @@ +@@ -391,6 +425,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -4950,7 +5185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -402,14 +435,6 @@ +@@ -402,14 +437,6 @@ ') optional_policy(` 
@@ -4965,7 +5200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups rpm_read_db(cupsd_config_t) ') -@@ -430,7 +455,6 @@ +@@ -430,7 +457,6 @@ allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms; allow cupsd_lpd_t self:udp_socket create_socket_perms; @@ -4973,7 +5208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # for identd # cjp: this should probably only be inetd_child rules? -@@ -480,6 +504,8 @@ +@@ -480,6 +506,8 @@ files_read_etc_files(cupsd_lpd_t) @@ -4982,7 +5217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups libs_use_ld_so(cupsd_lpd_t) libs_use_shared_libs(cupsd_lpd_t) -@@ -495,14 +521,6 @@ +@@ -495,14 +523,6 @@ inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t) ') @@ -4997,7 +5232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ######################################## # # HPLIP local policy -@@ -523,11 +541,9 @@ +@@ -523,11 +543,9 @@ allow hplip_t cupsd_etc_t:dir search; cups_stream_connect(hplip_t) @@ -5012,7 +5247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -558,7 +574,9 @@ +@@ -558,7 +576,9 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -5023,7 +5258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -585,8 +603,6 @@ +@@ -585,8 +605,6 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) 
@@ -5032,7 +5267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` seutil_sigchld_newrole(hplip_t) ') -@@ -666,3 +682,15 @@ +@@ -666,3 +684,15 @@ optional_policy(` udev_read_db(ptal_t) ') @@ -5050,7 +5285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.1.0/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2007-07-10 13:21:26.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/cvs.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/cvs.te 2007-11-08 11:58:06.000000000 -0500 @@ -16,6 +16,7 @@ type cvs_t; type cvs_exec_t; @@ -5059,15 +5294,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. role system_r types cvs_t; type cvs_data_t; # customizable -@@ -68,6 +69,7 @@ +@@ -67,7 +68,9 @@ + fs_getattr_xattr_fs(cvs_t) ++sysnet_dns_name_resolve(cvs_t) auth_domtrans_chk_passwd(cvs_t) +auth_domtrans_upd_passwd_chk(cvs_t) corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) -@@ -81,6 +83,7 @@ +@@ -81,6 +84,7 @@ libs_use_shared_libs(cvs_t) logging_send_syslog_msg(cvs_t) 
@@ -5075,6 +5312,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. miscfiles_read_localization(cvs_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.1.0/policy/modules/services/cyrus.te +--- nsaserefpolicy/policy/modules/services/cyrus.te 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/services/cyrus.te 2007-11-08 13:33:43.000000000 -0500 +@@ -41,7 +41,6 @@ + allow cyrus_t self:unix_stream_socket connectto; + allow cyrus_t self:tcp_socket create_stream_socket_perms; + allow cyrus_t self:udp_socket create_socket_perms; +-allow cyrus_t self:netlink_route_socket r_netlink_socket_perms; + + manage_dirs_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t) + manage_files_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t) +@@ -95,6 +94,8 @@ + files_read_etc_runtime_files(cyrus_t) + files_read_usr_files(cyrus_t) + ++auth_use_nsswitch(cyrus_t) ++ + libs_use_ld_so(cyrus_t) + libs_use_shared_libs(cyrus_t) + libs_exec_lib_files(cyrus_t) +@@ -122,14 +123,6 @@ + ') + + optional_policy(` +- ldap_stream_connect(cyrus_t) +-') +- +-optional_policy(` +- nis_use_ypbind(cyrus_t) +-') +- +-optional_policy(` + sasl_connect(cyrus_t) + ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbskk.te serefpolicy-3.1.0/policy/modules/services/dbskk.te +--- nsaserefpolicy/policy/modules/services/dbskk.te 2007-07-16 14:09:46.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/services/dbskk.te 2007-11-08 12:00:39.000000000 -0500 +@@ -63,6 +63,8 @@ + + files_read_etc_files(dbskkd_t) + ++auth_use_nsswitch(dbskkd_t) ++ + libs_use_ld_so(dbskkd_t) + libs_use_shared_libs(dbskkd_t) + +@@ -70,12 +72,3 @@ + + miscfiles_read_localization(dbskkd_t) + +-sysnet_read_config(dbskkd_t) +- +-optional_policy(` +- nis_use_ypbind(dbskkd_t) +-') +- +-optional_policy(` +- nscd_socket_use(dbskkd_t) +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if 
serefpolicy-3.1.0/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-29 07:52:49.000000000 -0400 +++ serefpolicy-3.1.0/policy/modules/services/dbus.if 2007-11-06 09:28:35.000000000 -0500 @@ -5683,12 +5980,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.1.0/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/ftp.te 2007-11-06 09:28:35.000000000 -0500 -@@ -9,7 +9,7 @@ ++++ serefpolicy-3.1.0/policy/modules/services/ftp.te 2007-11-07 15:45:09.000000000 -0500 +@@ -8,8 +8,8 @@ + ## ##

- ## Allow ftp servers to modify public files +-## Allow ftp servers to modify public files -## used for public file transfer services. ++## Allow ftp servers to upload files, +## used for public file transfer services. Directories must be labeled public_content_rw_t ##

##
@@ -5764,7 +6063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.1.0/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/hal.fc 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/hal.fc 2007-11-10 08:16:03.000000000 -0500 @@ -8,14 +8,18 @@ /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) @@ -5857,7 +6156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.1.0/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/inetd.te 2007-11-07 10:34:39.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/inetd.te 2007-11-08 13:24:56.000000000 -0500 @@ -84,6 +84,7 @@ corenet_udp_bind_ftp_port(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) 
@@ -6074,6 +6373,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.1.0/policy/modules/services/ldap.te +--- nsaserefpolicy/policy/modules/services/ldap.te 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/services/ldap.te 2007-11-08 13:18:08.000000000 -0500 +@@ -42,7 +42,6 @@ + dontaudit slapd_t self:capability sys_tty_config; + allow slapd_t self:process setsched; + allow slapd_t self:fifo_file { read write }; +-allow slapd_t self:netlink_route_socket r_netlink_socket_perms; + allow slapd_t self:udp_socket create_socket_perms; + #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach) + allow slapd_t self:tcp_socket create_stream_socket_perms; +@@ -104,6 +103,8 @@ + files_read_usr_files(slapd_t) + files_list_var_lib(slapd_t) + ++auth_use_nsswitch(slapd_t) ++ + libs_use_ld_so(slapd_t) + libs_use_shared_libs(slapd_t) + +@@ -112,8 +113,6 @@ + miscfiles_read_certs(slapd_t) + miscfiles_read_localization(slapd_t) + +-sysnet_read_config(slapd_t) +- + userdom_dontaudit_use_unpriv_user_fds(slapd_t) + userdom_dontaudit_search_sysadm_home_dirs(slapd_t) + +@@ -122,10 +121,6 @@ + ') + + optional_policy(` +- nis_use_ypbind(slapd_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(slapd_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.1.0/policy/modules/services/lpd.fc --- nsaserefpolicy/policy/modules/services/lpd.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.1.0/policy/modules/services/lpd.fc 2007-11-06 09:28:35.000000000 -0500 
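Review bot: The ldap.te hunk drops `allow slapd_t self:netlink_route_socket r_netlink_socket_perms;`, `sysnet_read_config(slapd_t)` and the `nis_use_ypbind(slapd_t)` block and replaces them with a single `auth_use_nsswitch(slapd_t)`, with nothing stating that the removed rules are now expected to come from that interface. auth_use_nsswitch bundles every name-service backend that authlogin.if enables (the winbind socket connect visible in the authlogin.if context later in this patch appears to be part of it), so slapd gains ldap/nis/winbind/nscd access whether or not it uses them, and if the interface does not itself grant the netlink route socket, slapd's address lookups will start failing as AVC denials. Add a line such as `# name-service lookups and the netlink route socket now come from auth_use_nsswitch` above the new call, or keep the netlink rule explicitly. The same consolidation is made for postgresql_t, rsync_t, stunnel_t, uucpd_t and initrc_t in the postgresql.te, rsync.te, stunnel.te, uucp.te and init.te hunks of this patch.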
@@ -6387,7 +6726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.1.0/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/mta.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/mta.te 2007-11-08 08:57:27.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -7151,7 +7490,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.1.0/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/openvpn.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/openvpn.te 2007-11-07 15:47:03.000000000 -0500 +@@ -8,7 +8,7 @@ + + ## + ##

+-## Allow openvpn to read home directories ++## Allow openvpn service access to users home directories + ##

+ ##
+ gen_tunable(openvpn_enable_homedirs,false) @@ -110,3 +110,12 @@ networkmanager_dbus_chat(openvpn_t) 
@@ -7275,8 +7623,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.fc +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.fc 1969-12-31 19:00:00.000000000 -0500 +@@ -1,5 +0,0 @@ +-/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0) +- +-/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) +- +-/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.if +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.if 1969-12-31 19:00:00.000000000 -0500 +@@ -1 +0,0 @@ +-## Postfix policy server +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.te +--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2007-11-08 09:29:27.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.te 1969-12-31 19:00:00.000000000 -0500 +@@ -1,54 +0,0 @@ +- +-policy_module(postfixpolicyd, 1.0.0) +- +-######################################## +-# +-# Declarations +-# +- +-type postfix_policyd_t; +-type postfix_policyd_exec_t; +-init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t) +- +-type postfix_policyd_conf_t; +-files_config_file(postfix_policyd_conf_t) +- +-type postfix_policyd_var_run_t; +-files_pid_file(postfix_policyd_var_run_t) +- +-######################################## +-# +-# Local 
Policy +-# +- +-allow postfix_policyd_t self:tcp_socket create_stream_socket_perms; +-allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid }; +-allow postfix_policyd_t self:process setrlimit; +-allow postfix_policyd_t self:unix_dgram_socket { connect create write}; +- +-allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms; +-allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms; +-allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read }; +- +-manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) +-files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) +- +-corenet_all_recvfrom_unlabeled(postfix_policyd_t) +-corenet_tcp_sendrecv_generic_if(postfix_policyd_t) +-corenet_tcp_sendrecv_all_nodes(postfix_policyd_t) +-corenet_tcp_sendrecv_all_ports(postfix_policyd_t) +-corenet_tcp_bind_all_nodes(postfix_policyd_t) +-corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t) +-corenet_tcp_bind_mysqld_port(postfix_policyd_t) +- +-files_read_etc_files(postfix_policyd_t) +-files_read_usr_files(postfix_policyd_t) +- +-libs_use_ld_so(postfix_policyd_t) +-libs_use_shared_libs(postfix_policyd_t) +- +-logging_send_syslog_msg(postfix_policyd_t) +- +-miscfiles_read_localization(postfix_policyd_t) +- +-sysnet_dns_name_resolve(postfix_policyd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.1.0/policy/modules/services/postfix.te ---- nsaserefpolicy/policy/modules/services/postfix.te 2007-10-12 08:56:07.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postfix.te 2007-11-08 09:29:27.000000000 -0500 +++ serefpolicy-3.1.0/policy/modules/services/postfix.te 2007-11-06 09:28:35.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations 
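Review bot: Deleting postfixpolicyd.fc/.if/.te removes the confined postfix_policyd_t domain together with the labels for /etc/policyd.conf, /usr/sbin/policyd and /var/run/policyd.pid, and the hunk gives no reason for the removal. On a host that has the daemon installed it will now run in whatever domain its init script leaves it in rather than postfix_policyd_t, and its config and pid file fall back to the generic labels of their directories, so this is a confinement regression unless the module is shipped elsewhere. The following postfix.te hunk consistently drops `corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)`, but the `postfix_policyd_port` declaration both the removed bind and connect calls depend on is presumably in corenetwork and is not visible in this patch; confirm it is removed too or note why it stays. A one-line rationale in the commit description (for example, that the policy moved to the daemon's own package) would make the intent clear.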
@@ -7404,7 +7824,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix smtp delivery local policy -@@ -569,6 +581,10 @@ +@@ -547,9 +559,6 @@ + # connect to master process + stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) + +-# Connect to policy server +-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) +- + # for prng_exch + allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; + allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; +@@ -572,6 +581,10 @@ sasl_connect(postfix_smtpd_t) ') @@ -7507,7 +7937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.1.0/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/postgresql.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/postgresql.te 2007-11-08 13:36:00.000000000 -0500 @@ -27,6 +27,9 @@ type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) 
@@ -7518,6 +7948,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # postgresql Local policy +@@ -42,7 +45,6 @@ + allow postgresql_t self:udp_socket create_stream_socket_perms; + allow postgresql_t self:unix_dgram_socket create_socket_perms; + allow postgresql_t self:unix_stream_socket create_stream_socket_perms; +-allow postgresql_t self:netlink_route_socket r_netlink_socket_perms; + + manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) + manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) +@@ -118,6 +120,8 @@ + + init_read_utmp(postgresql_t) + ++auth_use_nsswitch(postgresql_t) ++ + libs_use_ld_so(postgresql_t) + libs_use_shared_libs(postgresql_t) + +@@ -127,9 +131,6 @@ + + seutil_dontaudit_search_config(postgresql_t) + +-sysnet_read_config(postgresql_t) +-sysnet_use_ldap(postgresql_t) +- + userdom_dontaudit_search_sysadm_home_dirs(postgresql_t) + userdom_dontaudit_use_sysadm_ttys(postgresql_t) + userdom_dontaudit_use_unpriv_user_fds(postgresql_t) +@@ -158,10 +159,6 @@ + ') + + optional_policy(` +- nis_use_ypbind(postgresql_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(postgresql_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.1.0/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.1.0/policy/modules/services/ppp.fc 2007-11-06 09:28:35.000000000 -0500 
@@ -7914,7 +8382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.1.0/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/rpc.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/rpc.te 2007-11-08 12:02:07.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -7987,18 +8455,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') tunable_policy(`nfs_export_all_ro',` -@@ -143,6 +159,9 @@ +@@ -143,6 +159,7 @@ manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) -+auth_use_nsswitch(gssd_t) -+ +kernel_read_system_state(gssd_t) kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) -@@ -158,6 +177,9 @@ +@@ -156,8 +173,14 @@ + files_list_tmp(gssd_t) + files_read_usr_symlinks(gssd_t) ++auth_read_cache(gssd_t) ++auth_use_nsswitch(gssd_t) ++ miscfiles_read_certs(gssd_t) +userdom_dontaudit_search_users_home_dirs(rpcd_t) @@ -8083,12 +8554,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.1.0/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/rsync.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/rsync.te 2007-11-08 13:36:17.000000000 -0500 @@ -8,8 +8,15 @@ ## ##
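Review bot: `auth_read_cache(gssd_t)` is added to the gssd_t rules without a comment saying what gssd needs from the authentication cache. auth_cache_t labels /var/cache/coolkey in the authlogin.fc context of this patch, so this looks like smartcard credential material, but that is a guess the next reader should not have to repeat; a why-comment such as `# read cached smartcard credentials under auth_cache_t (e.g. /var/cache/coolkey) — confirm which consumer needs this` would settle it. The gssd_t rule set this hunk edits begins before the hunk.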

-+## Allow rsync export files read only ++## Allow rsync to export any files/directories read only +##

+##
+gen_tunable(rsync_export_all_ro,false) @@ -8101,15 +8572,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn ##

##
gen_tunable(allow_rsync_anon_write,false) -@@ -58,6 +65,8 @@ - manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t) - files_pid_filetrans(rsync_t,rsync_var_run_t,file) +@@ -81,6 +88,8 @@ + files_read_etc_files(rsync_t) + files_search_home(rsync_t) +auth_use_nsswitch(rsync_t) + - kernel_read_kernel_sysctls(rsync_t) - kernel_read_system_state(rsync_t) - kernel_read_network_state(rsync_t) + libs_use_ld_so(rsync_t) + libs_use_shared_libs(rsync_t) + @@ -90,8 +99,6 @@ miscfiles_read_localization(rsync_t) miscfiles_read_public_files(rsync_t) @@ -8296,8 +8767,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.1.0/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/samba.te 2007-11-06 09:28:35.000000000 -0500 -@@ -9,7 +9,7 @@ ++++ serefpolicy-3.1.0/policy/modules/services/samba.te 2007-11-07 16:11:34.000000000 -0500 +@@ -9,14 +9,14 @@ ## ##
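Review bot: The reworded summary `## Allow rsync to export any files/directories read only` promises access to everything on the system, but the tunable_policy block that implements rsync_export_all_ro is not in this hunk, so a reader cannot tell whether security-sensitive content (shadow, private keys, the policy store) is excluded as it usually is for read-all tunables. This summary is the text administrators see for the boolean, so state the scope explicitly, e.g. `## Allow rsync to export any files/directories read only (security-sensitive files excluded — confirm against the tunable_policy block)`. The samba.te hunk below rewords samba_export_all_ro and samba_export_all_rw the same way and has the same gap.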

## Allow samba to modify public files @@ -8306,6 +8777,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ##

##
gen_tunable(allow_smbd_anon_write,false) + + ## + ##

+-## Allow samba to run as the domain controller; add machines to passwd file ++## Allow samba to act as the domain controller, add users, groups and change passwords + ## + ##

+ ##
+@@ -24,28 +24,28 @@ + + ## + ##

+-## Allow samba to export user home directories. ++## Allow Samba to share users home directories + ##

+ ##
+ gen_tunable(samba_enable_home_dirs,false) + + ## + ##

+-## Export all files on system read only. ++## Allow Samba to share any file/directory read only + ##

+ ##
+ gen_tunable(samba_export_all_ro,false) + + ## + ##

+-## Export all files on system read-write. ++## Allow Samba to share any file/directory read/write + ##

+ ##
+ gen_tunable(samba_export_all_rw,false) + + ## + ##

+-## Allow samba to run unconfined scripts ++## Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory + ##

+ ##
+ gen_tunable(samba_run_unconfined,false) @@ -137,6 +137,11 @@ type winbind_var_run_t; files_pid_file(winbind_var_run_t) @@ -8710,7 +9222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +allow smbcontrol_t nmbd_var_run_t:file { read lock }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.1.0/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/sasl.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/sasl.te 2007-11-10 07:56:05.000000000 -0500 @@ -64,6 +64,7 @@ selinux_compute_access_vector(saslauthd_t) @@ -8719,6 +9231,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl auth_use_nsswitch(saslauthd_t) domain_use_interactive_fds(saslauthd_t) +@@ -107,6 +108,10 @@ + ') + + optional_policy(` ++ nis_authenticate(saslauthd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(saslauthd_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.1.0/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400 +++ serefpolicy-3.1.0/policy/modules/services/sendmail.if 2007-11-06 09:28:35.000000000 -0500 @@ -8810,7 +9333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.1.0/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/sendmail.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/sendmail.te 2007-11-10 07:37:48.000000000 -0500 
@@ -20,19 +20,22 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -8845,7 +9368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) corenet_tcp_sendrecv_all_if(sendmail_t) -@@ -94,30 +99,28 @@ +@@ -94,30 +99,32 @@ miscfiles_read_certs(sendmail_t) miscfiles_read_localization(sendmail_t) @@ -8864,15 +9387,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send mta_manage_queue(sendmail_t) mta_manage_spool(sendmail_t) +mta_sendmail_exec(sendmail_t) ++ ++optional_policy(` ++ cron_read_pipes(sendmail_t) ++') optional_policy(` -- clamav_search_lib(sendmail_t) -+ cron_read_pipes(sendmail_t) + clamav_search_lib(sendmail_t) ') optional_policy(` - nis_use_ypbind(sendmail_t) -+ clamav_search_lib(sendmail_t) ++ cyrus_stream_connect(sendmail_t) ') optional_policy(` @@ -8881,7 +9407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -131,6 +134,10 @@ +@@ -131,6 +138,10 @@ ') optional_policy(` @@ -8892,7 +9418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send seutil_sigchld_newrole(sendmail_t) ') -@@ -156,3 +163,15 @@ +@@ -156,3 +167,15 @@ dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; ') dnl end TODO 
@@ -9248,6 +9774,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. seutil_sigchld_newrole(ssh_keygen_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.1.0/policy/modules/services/stunnel.te +--- nsaserefpolicy/policy/modules/services/stunnel.te 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/services/stunnel.te 2007-11-08 13:38:03.000000000 -0500 +@@ -68,6 +68,8 @@ + + fs_getattr_all_fs(stunnel_t) + ++auth_use_nsswitch(stunnel_t) ++ + libs_use_ld_so(stunnel_t) + libs_use_shared_libs(stunnel_t) + +@@ -112,14 +114,6 @@ + optional_policy(` + kerberos_use(stunnel_t) + ') +- +- optional_policy(` +- nis_use_ypbind(stunnel_t) +- ') +- +- optional_policy(` +- nscd_socket_use(stunnel_t) +- ') + ') + + # hack since this port has no interfaces since it doesnt diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.1.0/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2007-07-16 14:09:46.000000000 -0400 +++ serefpolicy-3.1.0/policy/modules/services/telnet.te 2007-11-06 09:28:35.000000000 -0500 
@@ -9360,6 +9913,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp sysnet_read_config(tftpd_t) sysnet_use_ldap(tftpd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.1.0/policy/modules/services/uucp.te +--- nsaserefpolicy/policy/modules/services/uucp.te 2007-10-12 08:56:07.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/services/uucp.te 2007-11-08 13:41:35.000000000 -0500 +@@ -88,6 +88,8 @@ + files_search_home(uucpd_t) + files_search_spool(uucpd_t) + ++auth_use_nsswitch(uucpd_t) ++ + libs_use_ld_so(uucpd_t) + libs_use_shared_libs(uucpd_t) + +@@ -95,20 +97,10 @@ + + miscfiles_read_localization(uucpd_t) + +-sysnet_read_config(uucpd_t) +- + optional_policy(` + kerberos_use(uucpd_t) + ') + +-optional_policy(` +- nis_use_ypbind(uucpd_t) +-') +- +-optional_policy(` +- nscd_socket_use(uucpd_t) +-') +- + ######################################## + # + # UUX Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.1.0/policy/modules/services/uwimap.te --- nsaserefpolicy/policy/modules/services/uwimap.te 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.1.0/policy/modules/services/uwimap.te 2007-11-06 09:28:35.000000000 -0500 @@ -9445,7 +10031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.1.0/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/xserver.if 2007-11-07 12:15:33.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/services/xserver.if 2007-11-08 14:26:18.000000000 -0500 
@@ -58,7 +58,6 @@ allow $1_xserver_t self:msg { send receive }; allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -9454,15 +10040,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1_xserver_t self:tcp_socket create_stream_socket_perms; allow $1_xserver_t self:udp_socket create_socket_perms; -@@ -126,6 +125,7 @@ +@@ -126,6 +125,9 @@ # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev($1_xserver_t) dev_rwx_zero($1_xserver_t) + dev_read_urand($1_xserver_t) ++ dev_rw_generic_usb_dev($1_xserver_t) ++ dev_rw_generic_usb_pipes($1_xserver_t) domain_mmap_low($1_xserver_t) -@@ -141,10 +141,14 @@ +@@ -141,10 +143,14 @@ fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) @@ -9478,7 +10066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) -@@ -160,8 +164,6 @@ +@@ -160,8 +166,6 @@ seutil_dontaudit_search_config($1_xserver_t) @@ -9487,7 +10075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow $1_xserver_t self:process { execmem execheap execstack }; ') -@@ -179,14 +181,6 @@ +@@ -179,14 +183,6 @@ ') optional_policy(` @@ -9502,7 +10090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser rhgb_getpgid($1_xserver_t) rhgb_signal($1_xserver_t) ') -@@ -251,7 +245,7 @@ +@@ -251,7 +247,7 @@ userdom_user_home_content($1,$1_fonts_cache_t) type $1_fonts_config_t, fonts_config_type; @@ -9511,7 +10099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type $1_iceauth_t; domain_type($1_iceauth_t) -@@ -282,11 +276,14 @@ +@@ -282,11 +278,14 @@ domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) allow $1_xserver_t $1_xauth_home_t:file { getattr read }; 
@@ -9526,7 +10114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t) manage_files_pattern($2,$1_fonts_t,$1_fonts_t) -@@ -316,6 +313,7 @@ +@@ -316,6 +315,7 @@ userdom_use_user_ttys($1,$1_xserver_t) userdom_setattr_user_ttys($1,$1_xserver_t) userdom_rw_user_tmpfs_files($1,$1_xserver_t) @@ -9534,7 +10122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_user_fonts($1,$1_xserver_t) xserver_rw_xdm_tmp_files($1_xauth_t) -@@ -353,12 +351,6 @@ +@@ -353,12 +353,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) @@ -9547,7 +10135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds($1_xauth_t) files_read_etc_files($1_xauth_t) -@@ -387,6 +379,14 @@ +@@ -387,6 +381,14 @@ ') optional_policy(` @@ -9562,7 +10150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser nis_use_ypbind($1_xauth_t) ') -@@ -536,17 +536,15 @@ +@@ -536,17 +538,15 @@ template(`xserver_user_client_template',` gen_require(` @@ -9586,7 +10174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -555,25 +553,53 @@ +@@ -555,25 +555,53 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -9644,11 +10232,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + ') + + optional_policy(` -+ xserver_rw_session_template($1,$2,$3) ++ xserver_rw_session_template(xdm,$2,$3) ') ') -@@ -626,6 +652,24 @@ +@@ -626,6 +654,24 @@ ######################################## ## @@ -9673,7 +10261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -659,6 +703,73 @@ +@@ -659,6 +705,73 @@ ######################################## ## 
@@ -9747,7 +10335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -927,6 +1038,7 @@ +@@ -927,6 +1040,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -9755,7 +10343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -987,6 +1099,37 @@ +@@ -987,6 +1101,37 @@ ######################################## ## @@ -9793,7 +10381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1136,7 +1279,7 @@ +@@ -1136,7 +1281,7 @@ type xdm_xserver_tmp_t; ') @@ -9802,7 +10390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1468,45 @@ +@@ -1325,3 +1470,45 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -10065,7 +10653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.1.0/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/authlogin.if 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/system/authlogin.if 2007-11-10 07:11:28.000000000 -0500 @@ -169,6 +169,7 @@ interface(`auth_login_pgm_domain',` gen_require(` 
@@ -10095,7 +10683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo # for SSP/ProPolice dev_read_urand($1) # for fingerprint readers -@@ -221,11 +230,17 @@ +@@ -221,11 +230,22 @@ logging_send_audit_msgs($1) logging_send_syslog_msg($1) @@ -10106,6 +10694,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo seutil_read_default_contexts($1) + userdom_set_rlimitnh($1) ++ userdom_unlink_unpriv_users_tmp_files($1) ++ ++ optional_policy(` ++ mount_domtrans($1) ++ ') + + optional_policy(` + nis_authenticate($1) @@ -10114,7 +10707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') -@@ -342,6 +357,8 @@ +@@ -342,6 +362,8 @@ optional_policy(` kerberos_use($1) @@ -10123,7 +10716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -440,6 +457,59 @@ +@@ -440,6 +462,59 @@ ######################################## ## @@ -10183,7 +10776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -1457,6 +1527,7 @@ +@@ -1457,6 +1532,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) 
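Review bot: auth_login_pgm_domain gains `userdom_unlink_unpriv_users_tmp_files($1)` and an `optional_policy(` mount_domtrans($1) ')` block with no comment, and because this interface is applied to every login program, each of them can presumably now transition into the mount domain and delete unprivileged users' tmp files. The first is likely for pam_mount and the second for session cleanup, but neither is stated and both widen every caller at once. Add why-comments: `# pam_mount: login programs may mount user volumes on login — confirm` and `# session cleanup: remove unprivileged users' tmp files — confirm`. The interface body starts and ends outside the hunk.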
@@ -10191,6 +10784,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') +@@ -1491,3 +1567,23 @@ + typeattribute $1 can_write_shadow_passwords; + typeattribute $1 can_relabelto_shadow_passwords; + ') ++ ++######################################## ++## ++## Read authentication cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`auth_read_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ read_files_pattern($1, auth_cache_t, auth_cache_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.1.0/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.1.0/policy/modules/system/authlogin.te 2007-11-06 09:28:35.000000000 -0500 @@ -10671,7 +11288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.1.0/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-10-29 07:52:50.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/init.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/system/init.te 2007-11-08 13:26:15.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -10749,7 +11366,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; -@@ -201,10 +217,9 @@ +@@ -196,15 +212,13 @@ + allow initrc_t self:tcp_socket create_stream_socket_perms; + allow initrc_t self:udp_socket create_socket_perms; + allow initrc_t self:fifo_file rw_file_perms; +-allow initrc_t self:netlink_route_socket r_netlink_socket_perms; + allow initrc_t initrc_devpts_t:chr_file rw_term_perms; term_create_pty(initrc_t,initrc_devpts_t) 
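Review bot: The new auth_read_cache interface is built on `read_files_pattern($1, auth_cache_t, auth_cache_t)`, which in refpolicy's support macros (not part of this patch) grants search on the directory type and read on files but no directory listing, and the summary `Read authentication cache` does not say so; callers that enumerate the cache will still be denied. Make the summary precise, e.g. `## Read files in the authentication cache (search, no listing of the cache directory).`, or add `list_dirs_pattern($1, auth_cache_t, auth_cache_t)` if enumeration is intended. The interface also grants nothing on the parent of the cache directory, so callers are presumed to already have files_search_var; worth stating in the description.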
@@ -10762,7 +11384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t) manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t) -@@ -283,7 +298,6 @@ +@@ -283,7 +297,6 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) @@ -10770,7 +11392,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -497,6 +511,33 @@ +@@ -365,7 +378,7 @@ + + seutil_read_config(initrc_t) + +-sysnet_read_config(initrc_t) ++auth_use_nsswitch(initrc_t) + + userdom_read_all_users_home_content_files(initrc_t) + # Allow access to the sysadm TTYs. Note that this will give access to the +@@ -497,6 +510,33 @@ ') optional_policy(` @@ -10804,7 +11435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) ') -@@ -631,12 +672,6 @@ +@@ -631,12 +671,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -10817,7 +11448,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -702,6 +737,9 @@ +@@ -648,15 +682,10 @@ + ') + + optional_policy(` +- nis_use_ypbind(initrc_t) + nis_list_var_yp(initrc_t) + ') + + optional_policy(` +- nscd_socket_use(initrc_t) +-') +- +-optional_policy(` + openvpn_read_config(initrc_t) + ') + +@@ -702,6 +731,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -10827,7 +11474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -749,6 +787,10 @@ +@@ -749,6 +781,10 @@ ') optional_policy(` 
@@ -10937,8 +11584,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.1.0/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/libraries.fc 2007-11-06 09:28:35.000000000 -0500 -@@ -65,11 +65,12 @@ ++++ serefpolicy-3.1.0/policy/modules/system/libraries.fc 2007-11-08 16:04:38.000000000 -0500 +@@ -65,11 +65,13 @@ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) @@ -10950,10 +11597,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar -/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ifdef(`distro_gentoo',` # despite the extensions, they are actually libs -@@ -135,6 +136,8 @@ +@@ -135,6 +137,8 @@ /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
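Review bot: The new file context `/opt/Adobe(/.*?)/nppdf\.so` uses `(/.*?)` where every other entry in this file uses the optional-subdirectory group `(/.*)?`; with the `?` inside the parentheses the group is mandatory rather than optional, and a `?` directly after `*` is undefined in POSIX ERE and only means "non-greedy" under PCRE, so the result depends on the regex engine setfiles/matchpathcon links against. It reads like a typo; use `/opt/Adobe(/.*)?/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, which matches the plugin at any depth under /opt/Adobe and is consistent with the rest of the file. The entry also grants the text-relocation exception (textrel_shlib_t) to any file named nppdf.so below /opt/Adobe, which is the intent here but worth keeping as narrow as the path allows.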
@@ -10962,7 +11610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -158,6 +161,7 @@ +@@ -158,6 +162,7 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -10970,7 +11618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -216,6 +220,7 @@ +@@ -216,6 +221,7 @@ /usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -10978,7 +11626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -236,7 +241,9 @@ +@@ -236,7 +242,9 @@ /usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -10989,7 +11637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar # vmware /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -284,3 +291,10 @@ +@@ -284,3 +292,10 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -11761,7 +12409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.1.0/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-18 11:12:44.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.if 2007-11-07 11:58:01.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.if 2007-11-10 07:25:19.000000000 -0500 @@ -585,7 +585,7 @@ type selinux_config_t; ') @@ -11893,7 +12541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Full management of the semanage ## module store. ##
-@@ -1058,3 +1134,138 @@ +@@ -1058,3 +1134,140 @@ files_search_etc($1) rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t) ') @@ -12027,6 +12675,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + seutil_get_semanage_trans_lock($1) + seutil_get_semanage_read_lock($1) + ++ userdom_dontaudit_write_unpriv_user_home_content_files($1) ++ + optional_policy(` + rpm_dontaudit_rw_tmp_files($1) + rpm_dontaudit_rw_pipes($1) @@ -12034,7 +12684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.1.0/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-11-06 09:28:35.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-11-09 14:28:06.000000000 -0500 @@ -76,7 +76,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) @@ -12267,7 +12917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -519,7 +499,9 @@ +@@ -519,7 +499,12 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir list_dir_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file read_file_perms; 
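Review bot: The added `userdom_dontaudit_write_unpriv_user_home_content_files($1)` (inner hunk near selinuxutil.if line 1134, inside an interface whose header lies outside this hunk) has no comment saying which write attempt it silences, whereas the rpm dontaudits right below it at least sit in an `optional_policy` block that names their source. A dontaudit keeps the access denied but removes the AVC from the audit log, so if a policy-management tool is genuinely writing into the invoking user's home directory the evidence disappears rather than the problem. Please add a why-comment above the line, e.g. `# tools run from a user's home dir attempt writes there; keep them denied but do not log`, adjusted to the actual trigger.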
@@ -12275,10 +12925,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock}; + +logging_send_audit_msgs(setfiles_t) ++ ++files_list_isid_type_dirs(setfiles_t) ++files_read_isid_type_files(setfiles_t) kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) -@@ -537,6 +519,7 @@ +@@ -537,6 +522,7 @@ fs_getattr_xattr_fs(setfiles_t) fs_list_all(setfiles_t) @@ -12286,7 +12939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_search_auto_mountpoints(setfiles_t) fs_relabelfrom_noxattr_fs(setfiles_t) -@@ -590,8 +573,16 @@ +@@ -590,8 +576,16 @@ fs_relabel_tmpfs_chr_file(setfiles_t) ') @@ -13008,7 +13661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.1.0/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-29 07:52:50.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/userdomain.if 2007-11-07 11:01:16.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/system/userdomain.if 2007-11-09 14:39:07.000000000 -0500 @@ -29,8 +29,9 @@ ') 
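Review bot: `files_list_isid_type_dirs(setfiles_t)` and `files_read_isid_type_files(setfiles_t)` (inner hunk at selinuxutil.te line 499) are added without the why-comment this file otherwise gives unusual grants (`# read secadm tmp files`, `# cjp: need a more general way to handle this`). Reading content that still carries initial SIDs is plausible for a relabeler, but a reader cannot tell from the hunk whether this serves the first-boot relabel path or some other case. Suggest `# setfiles must traverse filesystems whose files still carry initial SIDs in order to relabel them` above the pair, or whatever the triggering case actually was.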
@@ -14049,7 +14702,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3077,7 +3210,7 @@ +@@ -2706,6 +2839,25 @@ + + ######################################## + ## ++## unlink all unprivileged users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_unlink_unpriv_users_tmp_files',` ++ gen_require(` ++ attribute user_tmpfile; ++ ') ++ ++ files_delete_tmp_dir_entry($1) ++ allow $1 user_tmpfile:file unlink; ++') ++ ++######################################## ++## + ## Read and write user temporary files. + ## + ## +@@ -3077,7 +3229,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -14058,7 +14737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -3911,7 +4044,7 @@ +@@ -3911,7 +4063,7 @@ type sysadm_t; ') @@ -14067,7 +14746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow sysadm_t $1:fd use; allow sysadm_t $1:fifo_file rw_file_perms; allow sysadm_t $1:process sigchld; -@@ -4201,11 +4334,11 @@ +@@ -4201,11 +4353,11 @@ ## # interface(`userdom_sigchld_sysadm',` @@ -14083,7 +14762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4571,8 +4704,8 @@ +@@ -4571,8 +4723,8 @@ files_search_home($1) allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; @@ -14094,7 +14773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4592,8 +4725,8 @@ +@@ -4592,8 +4744,8 @@ files_search_tmp($1) allow $1 sysadm_tmp_t:dir list_dir_perms; 
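Review bot: The summary of the new `userdom_unlink_unpriv_users_tmp_files` says it unlinks all unprivileged users' files in /tmp, but the body grants only `user_tmpfile:file unlink` plus `files_delete_tmp_dir_entry($1)`; directories, sockets, fifos and symlinks carrying those types are not covered, and the grant spans every unprivileged user's tmp type at once because it is keyed on the `user_tmpfile` attribute rather than a per-role type. Both facts matter to whoever wires this into a cleanup domain, so the summary should state them, e.g. `## Delete regular files (not dirs, sockets or fifos) that carry any unprivileged user's tmp type in /tmp; this crosses user boundaries.`. The interface is self-contained within this hunk.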
@@ -14105,7 +14784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4608,11 +4741,29 @@ +@@ -4608,11 +4760,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -14136,7 +14815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4632,6 +4783,14 @@ +@@ -4632,6 +4802,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -14151,7 +14830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4950,7 +5109,7 @@ +@@ -4950,7 +5128,7 @@ # interface(`userdom_manage_generic_user_home_content_dirs',` gen_require(` @@ -14160,7 +14839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5068,7 +5227,7 @@ +@@ -5068,7 +5246,7 @@ # interface(`userdom_manage_generic_user_home_content_symlinks',` gen_require(` @@ -14169,7 +14848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5088,7 +5247,7 @@ +@@ -5088,7 +5266,7 @@ # interface(`userdom_manage_generic_user_home_content_pipes',` gen_require(` @@ -14178,7 +14857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5108,7 +5267,7 @@ +@@ -5108,7 +5286,7 @@ # interface(`userdom_manage_generic_user_home_content_sockets',` gen_require(` @@ -14187,7 +14866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5322,7 +5481,7 @@ +@@ -5322,7 +5500,7 @@ attribute user_tmpfile; ') 
@@ -14196,7 +14875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5528,6 +5687,24 @@ +@@ -5528,6 +5706,24 @@ ######################################## ## @@ -14221,7 +14900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5558,3 +5735,379 @@ +@@ -5558,3 +5754,379 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -14603,7 +15282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.1.0/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/userdomain.te 2007-11-06 16:05:43.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/system/userdomain.te 2007-11-07 15:10:02.000000000 -0500 @@ -17,20 +17,13 @@ ## 
@@ -15050,26 +15729,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i +## Policy for guest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.1.0/policy/modules/users/guest.te --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.1.0/policy/modules/users/guest.te 2007-11-06 09:28:35.000000000 -0500 -@@ -0,0 +1,18 @@ ++++ serefpolicy-3.1.0/policy/modules/users/guest.te 2007-11-08 08:58:06.000000000 -0500 +@@ -0,0 +1,4 @@ +policy_module(guest,1.0.0) +userdom_unpriv_login_user(guest) +userdom_unpriv_login_user(gadmin) -+userdom_unpriv_xwindows_login_user(xguest) -+mozilla_per_role_template(xguest, xguest_t, xguest_r) + -+optional_policy(` -+ consolekit_dbus_chat(xguest_t) -+') -+ -+optional_policy(` -+ bluetooth_dbus_chat(xguest_t) -+') -+ -+# Allow mounting of file systems -+optional_policy(` -+ hal_dbus_chat(xguest_t) -+') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.1.0/policy/modules/users/logadm.fc --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.1.0/policy/modules/users/logadm.fc 2007-11-06 09:28:35.000000000 -0500 
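Review bot: Moving the xguest policy out of guest.te drops the `consolekit_dbus_chat(xguest_t)` optional block: the removed lines here carry it, but the new xguest.te created further down (hunk for policy/modules/users/xguest.te) only re-creates the `hal_dbus_chat` and `bluetooth_dbus_chat` blocks. If the ConsoleKit chat is now supplied by `userdom_unpriv_xwindows_login_user`, a one-line comment in xguest.te saying so would stop the next reader from re-adding it; if not, the X guest session presumably loses its ConsoleKit interaction and the block should be restored in xguest.te.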
@@ -15156,9 +15821,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm. +') +allow gadmin_t webadm_t:process transition; +allow webadm_t gadmin_t:dir getattr; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.1.0/policy/modules/users/xguest.fc +--- nsaserefpolicy/policy/modules/users/xguest.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/users/xguest.fc 2007-11-08 08:59:47.000000000 -0500 +@@ -0,0 +1 @@ ++# No xguest file contexts. +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.1.0/policy/modules/users/xguest.if +--- nsaserefpolicy/policy/modules/users/xguest.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/users/xguest.if 2007-11-08 08:59:47.000000000 -0500 +@@ -0,0 +1 @@ ++## Policy for xguest user +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.1.0/policy/modules/users/xguest.te +--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.1.0/policy/modules/users/xguest.te 2007-11-08 08:59:49.000000000 -0500 +@@ -0,0 +1,11 @@ ++policy_module(xguest,1.0.0) ++userdom_unpriv_xwindows_login_user(xguest) ++mozilla_per_role_template(xguest, xguest_t, xguest_r) ++# Allow mounting of file systems ++optional_policy(` ++ hal_dbus_chat(xguest_t) ++') ++ ++optional_policy(` ++ bluetooth_dbus_chat(xguest_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.1.0/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.1.0/policy/support/obj_perm_sets.spt 2007-11-06 09:28:36.000000000 -0500 ++++ serefpolicy-3.1.0/policy/support/obj_perm_sets.spt 2007-11-09 14:33:41.000000000 -0500 
@@ -204,7 +204,7 @@ define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') diff --git a/selinux-policy.spec b/selinux-policy.spec index b92e76c..b6ab7fd 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,7 +16,7 @@ %define CHECKPOLICYVER 2.0.3-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.1.0 +Version: 3.1.1 Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base @@ -179,7 +179,7 @@ Based off of reference policy: Checked out revision 2483. # Build targeted policy %{__rm} -fR %{buildroot} mkdir -p %{buildroot}%{_mandir} -cp -R man %{buildroot}%{_mandir} +cp -R man/* %{buildroot}%{_mandir} mkdir -p %{buildroot}%{_sysconfdir}/selinux mkdir -p %{buildroot}%{_sysconfdir}/sysconfig touch %{buildroot}%{_sysconfdir}/selinux/config @@ -379,6 +379,9 @@ exit 0 %endif %changelog +* Sat Nov 10 2007 Dan Walsh 3.1.1-1 +- Update to upstream + * Mon Oct 22 2007 Dan Walsh 3.1.0-1 - Update to upstream diff --git a/sources b/sources index ef91975..9f90c78 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -31bbdec681a061d2589003b5715f7755 serefpolicy-3.1.0.tgz +68f90a44c27dbe325fa27b88608da3b4 serefpolicy-3.1.1.tgz