diff --git a/policy-20071130.patch b/policy-20071130.patch index 5786485..bd5aa49 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1932,8 +1932,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.3.1/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2007-12-19 05:32:18.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/netutils.te 2008-04-04 12:06:55.000000000 -0400 -@@ -94,6 +94,10 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/netutils.te 2008-04-07 21:56:32.000000000 -0400 +@@ -50,6 +50,7 @@ + files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) + + kernel_search_proc(netutils_t) ++kernel_read_sysctl(netutils_t) + + corenet_all_recvfrom_unlabeled(netutils_t) + corenet_all_recvfrom_netlabel(netutils_t) +@@ -78,6 +79,8 @@ + init_use_fds(netutils_t) + init_use_script_ptys(netutils_t) + ++auth_use_nsswitch(netutils_t) ++ + libs_use_ld_so(netutils_t) + libs_use_shared_libs(netutils_t) + +@@ -85,8 +88,6 @@ + + miscfiles_read_localization(netutils_t) + +-sysnet_read_config(netutils_t) +- + userdom_use_all_users_fds(netutils_t) + + optional_policy(` +@@ -94,6 +95,10 @@ ') optional_policy(` @@ -1944,7 +1970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil xen_append_log(netutils_t) ') -@@ -107,12 +111,14 @@ +@@ -107,12 +112,14 @@ allow ping_t self:tcp_socket create_socket_perms; allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; 
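Review bot: `+kernel_read_sysctl(netutils_t)` grants read on every sysctl tree, which is broader than a denial under /proc/sys/net would justify; if that is what triggered it, `kernel_read_net_sysctls(netutils_t)` is the narrower interface. A why-comment above the call naming the denial it resolves would let a later reviewer confirm the scope. The hunk also replaces `sysnet_read_config(netutils_t)` with `auth_use_nsswitch(netutils_t)`, which I read as intentional since the nsswitch interface is meant to cover resolver configuration reads, but it is worth confirming it also provides the nscd and nis access that the later hunk in this file drops as explicit optional blocks for ping_t and traceroute_t.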
@@ -1959,6 +1985,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil corenet_tcp_sendrecv_all_nodes(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) +@@ -123,6 +130,8 @@ + files_read_etc_files(ping_t) + files_dontaudit_search_var(ping_t) + ++auth_use_nsswitch(ping_t) ++ + libs_use_ld_so(ping_t) + libs_use_shared_libs(ping_t) + +@@ -130,9 +139,6 @@ + + miscfiles_read_localization(ping_t) + +-sysnet_read_config(ping_t) +-sysnet_dns_name_resolve(ping_t) +- + ifdef(`hide_broken_symptoms',` + init_dontaudit_use_fds(ping_t) + ') +@@ -143,14 +149,6 @@ + ') + + optional_policy(` +- nis_use_ypbind(ping_t) +-') +- +-optional_policy(` +- nscd_socket_use(ping_t) +-') +- +-optional_policy(` + pcmcia_use_cardmgr_fds(ping_t) + ') + +@@ -166,7 +164,6 @@ + allow traceroute_t self:capability { net_admin net_raw setuid setgid }; + allow traceroute_t self:rawip_socket create_socket_perms; + allow traceroute_t self:packet_socket create_socket_perms; +-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; + allow traceroute_t self:udp_socket create_socket_perms; + + kernel_read_system_state(traceroute_t) +@@ -200,6 +197,8 @@ + + init_use_fds(traceroute_t) + ++auth_use_nsswitch(traceroute_t) ++ + libs_use_ld_so(traceroute_t) + libs_use_shared_libs(traceroute_t) + +@@ -212,17 +211,7 @@ + dev_read_urand(traceroute_t) + files_read_usr_files(traceroute_t) + +-sysnet_read_config(traceroute_t) +- + tunable_policy(`user_ping',` + term_use_all_user_ttys(traceroute_t) + term_use_all_user_ptys(traceroute_t) + ') +- +-optional_policy(` +- nis_use_ypbind(traceroute_t) +-') +- +-optional_policy(` +- nscd_socket_use(traceroute_t) +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.3.1/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/admin/prelink.te 2008-04-04 
12:06:55.000000000 -0400 @@ -6480,7 +6575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-04-07 14:56:13.000000000 -0400 @@ -7,11 +7,11 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -6494,16 +6589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /dev # -@@ -58,6 +58,8 @@ - - /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) - -+/etc/NetworkManager/dispatcher.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -+ - /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) - /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) - /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) -@@ -67,6 +69,12 @@ +@@ -67,6 +67,12 @@ /etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) @@ -6516,7 +6602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/network-scripts/ifup-.* -l gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -99,11 +107,6 @@ +@@ -99,11 +105,6 @@ /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') 
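Review bot: The traceroute_t part of this hunk drops `allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };` and the only visible replacement is `+auth_use_nsswitch(traceroute_t)`, so the change depends on the nsswitch interface supplying the route socket through its name-resolution rules. That holds in refpolicy as far as I know, but nothing in the hunk says so; a short comment next to the call, `# also covers the netlink_route_socket traceroute uses for resolution`, would record the reasoning. Run traceroute once in enforcing mode to confirm no new netlink denial appears. This hunk starts on the previous line.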
@@ -6528,7 +6614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /sbin # -@@ -127,6 +130,8 @@ +@@ -127,6 +128,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -6537,7 +6623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -144,10 +149,7 @@ +@@ -144,10 +147,7 @@ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6549,7 +6635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -@@ -178,6 +180,8 @@ +@@ -178,6 +178,8 @@ /usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6558,7 +6644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -185,8 +189,12 @@ +@@ -185,8 +187,12 @@ /usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6571,7 +6657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) -@@ -213,9 +221,10 @@ +@@ -213,9 +219,10 @@ /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -6583,7 +6669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -284,3 +293,10 @@ +@@ -284,3 +291,10 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -7294,6 +7380,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.3.1/policy/modules/kernel/files.fc +--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-10-29 18:02:31.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/files.fc 2008-04-07 21:39:29.000000000 -0400 +@@ -31,7 +31,7 @@ + /boot/\.journal <> + /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + /boot/lost\+found/.* <> +-/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) ++/boot(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) + + # + # /emul diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-04-06 06:52:30.000000000 -0400 
@@ -8848,7 +8946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-04-04 16:08:27.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-04-07 14:54:08.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -10895,7 +10993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.3.1/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-04-05 11:51:54.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/consolekit.te 2008-04-07 22:36:44.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -14637,8 +14735,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.3.1/policy/modules/services/gamin.te --- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/gamin.te 2008-04-04 12:06:55.000000000 -0400 -@@ -0,0 +1,39 @@ ++++ serefpolicy-3.3.1/policy/modules/services/gamin.te 2008-04-07 22:37:02.000000000 -0400 +@@ -0,0 +1,40 @@ +policy_module(gamin,1.0.0) + +######################################## 
@@ -14657,6 +14755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami + +# Init script handling +domain_use_interactive_fds(gamin_t) ++allow gamin_t self:capability sys_ptrace; + +# internal communication is often done using fifo and unix sockets. +allow gamin_t self:fifo_file rw_file_perms; @@ -14766,7 +14865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.3.1/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/gnomeclock.te 2008-04-07 22:47:29.000000000 -0400 @@ -0,0 +1,53 @@ +policy_module(gnomeclock,1.0.0) +######################################## @@ -14789,7 +14888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom +allow gnomeclock_t self:fifo_file rw_file_perms; +allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; + -+corecmd_search_bin(gnomeclock_t) ++corecmd_exec_bin(gnomeclock_t) + +files_read_etc_files(gnomeclock_t) +files_read_usr_files(gnomeclock_t) @@ -15344,7 +15443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb +/etc/rc.d/init.d/krb5kdc -- gen_context(system_u:object_r:kerberos_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.3.1/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-16 14:09:46.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/kerberos.if 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/kerberos.if 2008-04-07 20:46:54.000000000 -0400 
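Review bot: `+allow gamin_t self:capability sys_ptrace;` hands a file-alteration monitor CAP_SYS_PTRACE, a capability that also lets the domain attach to and read other processes, and it lands under the `# Init script handling` comment, which does not explain it. On kernels of this era the capability check can also be triggered by merely reading another process's /proc entries, so if the AVC that motivated this was a /proc read of a client process, a dontaudit (the pattern used for xdm_t elsewhere in this series, `domain_dontaudit_ptrace_all_domains`) or a read-state interface would resolve it without the allow. At minimum, record the denial above the rule: `# sys_ptrace: <AVC being resolved - fill in>`.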
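Review bot: Changing `corecmd_search_bin(gnomeclock_t)` to `corecmd_exec_bin(gnomeclock_t)` lets the domain execute every bin_t binary in its own context, a much wider grant than a search permission, and nothing in the hunk says which helper it needs. If gnomeclock runs one specific tool, a comment naming it (`# exec_bin: needed to run <tool - fill in>`) makes a later narrowing possible, and if that tool has its own domain a domtrans interface would be preferable to running it as gnomeclock_t. The gnomeclock.te module is new in this series, so there is no prior policy to compare against.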
@@ -43,7 +43,13 @@ dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; dontaudit $1 krb5kdc_conf_t:file rw_file_perms; @@ -15371,11 +15470,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb optional_policy(` tunable_policy(`allow_kerberos',` pcscd_stream_connect($1) -@@ -172,3 +174,156 @@ - allow $1 krb5kdc_conf_t:file read_file_perms; +@@ -169,6 +171,158 @@ + ') + + files_search_etc($1) +- allow $1 krb5kdc_conf_t:file read_file_perms; ++ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) ++') - ') -+ +######################################## +## +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). @@ -15422,7 +15524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + corenet_udp_sendrecv_kerberos_master_port($1) + corenet_udp_bind_all_nodes($1) + ') -+') + ') + +######################################## +## @@ -17019,8 +17121,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-09-12 10:34:18.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-04-04 12:06:55.000000000 -0400 -@@ -1,7 +1,10 @@ ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc 2008-04-07 14:55:55.000000000 -0400 +@@ -1,7 +1,11 @@ /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) 
@@ -17031,6 +17133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) ++/etc/NetworkManager/dispatcher.d(/.*) gen_context(system_u:object_r:NetworkManager_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.3.1/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/networkmanager.if 2008-04-04 12:06:55.000000000 -0400 @@ -17058,18 +17161,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-04-05 15:04:32.000000000 -0400 -@@ -13,6 +13,9 @@ ++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-04-07 14:54:21.000000000 -0400 +@@ -13,6 +13,13 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) +type NetworkManager_log_t; +logging_log_file(NetworkManager_log_t) + ++type NetworkManager_script_exec_t; ++init_script_type(NetworkManager_script_exec_t) ++init_script_domtrans_spec(NetworkManager_t,httpd_script_exec_t) ++ ######################################## # # Local policy -@@ -20,9 +23,9 @@ +@@ -20,9 +27,9 @@ # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) 
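Review bot: The added file context `/etc/NetworkManager/dispatcher.d(/.*)` is missing the trailing `?` that the corecommands.fc entry it replaces had (`/etc/NetworkManager/dispatcher.d(/.*)?`), so the dispatcher.d directory itself will not be labeled NetworkManager_script_exec_t, only its contents. Change the line to `/etc/NetworkManager/dispatcher.d(/.*)? gen_context(system_u:object_r:NetworkManager_script_exec_t,s0)`. The entry is also appended after the /var/run and /var/log lines; the visible entries run /usr then /var, so an /etc entry would conventionally go first.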
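Review bot: `init_script_domtrans_spec(NetworkManager_t,httpd_script_exec_t)` names the wrong type: the declaration two lines above is `NetworkManager_script_exec_t`, and the fc hunk in this series labels dispatcher.d with that type, so this looks like a copy-paste from the apache policy. As written NetworkManager_t gets a transition on httpd's script type and none on its own, so the dispatcher scripts would not run in the intended domain. Change it to `init_script_domtrans_spec(NetworkManager_t,NetworkManager_script_exec_t)`.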
@@ -17081,7 +17188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw allow NetworkManager_t self:fifo_file rw_fifo_file_perms; allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; -@@ -38,10 +41,14 @@ +@@ -38,10 +45,14 @@ manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) @@ -17096,7 +17203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -67,6 +74,7 @@ +@@ -67,6 +78,7 @@ fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) @@ -17104,7 +17211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw mls_file_read_all_levels(NetworkManager_t) -@@ -84,8 +92,11 @@ +@@ -84,8 +96,11 @@ files_read_usr_files(NetworkManager_t) init_read_utmp(NetworkManager_t) @@ -17116,7 +17223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -129,21 +140,21 @@ +@@ -129,21 +144,21 @@ ') optional_policy(` @@ -17143,7 +17250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -155,19 +166,20 @@ +@@ -155,19 +170,20 @@ ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) 
@@ -20497,7 +20604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-04-07 22:12:28.000000000 -0400 @@ -60,10 +60,14 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) @@ -20566,11 +20673,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) -@@ -157,8 +177,13 @@ +@@ -157,8 +177,14 @@ files_list_tmp(gssd_t) files_read_usr_symlinks(gssd_t) -+auth_read_cache(gssd_t) ++auth_use_nsswitch(gssd_t) ++auth_rw_cache(gssd_t) + miscfiles_read_certs(gssd_t) @@ -25506,7 +25614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-06 06:54:26.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-07 22:44:31.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -25757,7 +25865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds(xdm_t) # Do not audit denied probes of /proc. domain_dontaudit_read_all_domains_state(xdm_t) -+domain_dontaudit_ptrace_all_domains_state(xdm_t) ++domain_dontaudit_ptrace_all_domains(xdm_t) files_read_etc_files(xdm_t) files_read_var_files(xdm_t) 
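Review bot: `+auth_rw_cache(gssd_t)` widens gssd's access to auth_cache_t from read to read/write without a comment saying why a Kerberos GSS daemon needs to write that cache (the authlogin.fc line later in this series labels /var/cache/coolkey with the type). A why-comment above the call, `# rw on auth_cache_t: <reason - fill in>`, is the minimum; if gssd only needs to read, keep the previous `auth_read_cache(gssd_t)`. The `+auth_use_nsswitch(gssd_t)` line above it is the same substitution made throughout this series and looks consistent.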
@@ -26363,7 +26471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-05 07:50:51.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-07 22:13:19.000000000 -0400 @@ -99,7 +99,7 @@ template(`authlogin_per_role_template',` @@ -26517,7 +26625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1491,3 +1563,23 @@ +@@ -1491,3 +1563,41 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -26541,6 +26649,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + read_files_pattern($1, auth_cache_t, auth_cache_t) +') + ++######################################## ++## ++## Read/Write authentication cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`auth_rw_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ rw_files_pattern($1, auth_cache_t, auth_cache_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-19 17:24:26.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-04-04 12:06:56.000000000 -0400 
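Review bot: `auth_rw_cache` grants `rw_files_pattern($1, auth_cache_t, auth_cache_t)` but nothing for reaching the cache directory under /var, so a caller that does not already search var_t will still be denied at the parent directory; refpolicy interfaces of this kind normally add `files_search_var($1)` before the pattern, and the existing `auth_read_cache` just above has the same gap. The pair also grants file read/write only: a caller that creates or removes cache files (the authlogin.fc line visible above labels /var/cache/coolkey as auth_cache_t) would need a manage interface, so a sentence stating that limit in the interface summary would save a later round-trip.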
@@ -30630,7 +30756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-06 07:10:40.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-07 22:54:48.000000000 -0400 @@ -29,9 +29,14 @@ ') @@ -33100,6 +33226,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## +@@ -5559,7 +5933,7 @@ + attribute userdomain; + ') + +- read_files_pattern($1,userdomain,userdomain) ++ ps_process_pattern($1,userdomain) + kernel_search_proc($1) + ') + @@ -5674,7 +6048,7 @@ ######################################## diff --git a/policygentool b/policygentool index 1424cbb..bbdfa97 100644 --- a/policygentool +++ b/policygentool @@ -241,7 +241,7 @@ compile your policy package. Then use the semodule tool to load it. # /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp # make -f /usr/share/selinux/devel/Makefile -# semodule -l myapp.pp +# semodule -i myapp.pp # restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc" Now you can turn on permissive mode, start your application and avc messages diff --git a/selinux-policy.spec b/selinux-policy.spec index 55439d3..2a80307 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
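Review bot: Replacing `read_files_pattern($1,userdomain,userdomain)` with `ps_process_pattern($1,userdomain)` is a widening, not a like-for-like swap: if I recall the macro correctly, the ps pattern also grants directory listing, symlink reading and `process getattr` on every userdomain, which is what ps needs but more than "read files". The interface's declaration and summary are outside this hunk, so check that its documented purpose matches the new scope and adjust the summary if it still describes file reads only. The `kernel_search_proc($1)` line below it is consistent with the new intent.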
@@ -292,11 +292,11 @@ SELinux Reference policy targeted base module.
 %post targeted
 if [ $1 -eq 1 ]; then
 %loadpolicy targeted
-semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
-semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null
-semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null
-semanage user -a -P guest -R guest_r guest_u
-semanage user -a -P xguest -R xguest_r xguest_u
+semanage user -a -S targeted -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
+semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null
+semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null
+semanage user -a -S targeted -R guest_r guest_u
+semanage user -a -S targeted -R xguest_r xguest_u
 restorecon -R /root /var/log /var/run 2> /dev/null
 else
 semodule -s targeted -r moilscanner 2>/dev/null
@@ -388,7 +388,7 @@ exit 0 %changelog * Sat Apr 5 2008 Dan Walsh 3.3.1-29 -- +- Fix initial install * Fri Apr 4 2008 Dan Walsh 3.3.1-28 - Allow radvd to use fifo_file
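Review bot: The three `semanage user`/`semanage login` lines for unconfined_u and root still end in `2> /dev/null`, so if the explicit `-S targeted` store selection this hunk introduces fails on a fresh install, the root login mapping is silently lost and the package install still reports success; the two guest_u/xguest_u lines right below them do not suppress stderr, so the block is inconsistent with itself. Drop the redirection on the login lines, or at least on the root mapping, so a failure shows up in the install log. This is the first-install branch only (`if [ $1 -eq 1 ]`), so upgrades are unaffected.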