diff --git a/policy-F12.patch b/policy-F12.patch index d3f4cea..67bb971 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -45,6 +45,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.13/config/appconfig-mcs/securetty_types +--- nsaserefpolicy/config/appconfig-mcs/securetty_types 2009-06-08 15:22:18.000000000 -0400 ++++ serefpolicy-3.6.13/config/appconfig-mcs/securetty_types 2009-05-21 08:43:34.000000000 -0400 +@@ -1 +1,6 @@ ++auditadm_tty_device_t ++secadm_tty_device_t ++staff_tty_device_t ++sysadm_tty_device_t ++unconfined_tty_device_t + user_tty_device_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.13/config/appconfig-mcs/seusers --- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400 +++ serefpolicy-3.6.13/config/appconfig-mcs/seusers 2009-05-21 09:48:23.000000000 -0400 @@ -164,16 +174,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con # -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/securetty_types serefpolicy-3.6.13/config/appconfig-mls/securetty_types ---- nsaserefpolicy/config/appconfig-mls/securetty_types 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.6.13/config/appconfig-mls/securetty_types 2009-05-21 09:48:23.000000000 -0400 -@@ -1,6 +1 @@ --auditadm_tty_device_t --secadm_tty_device_t --staff_tty_device_t --sysadm_tty_device_t --unconfined_tty_device_t - user_tty_device_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.13/config/appconfig-mls/virtual_domain_context --- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.13/config/appconfig-mls/virtual_domain_context 2009-05-21 09:48:23.000000000 -0400 @@ -250,114 +250,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak $(appdir)/%: $(appconf)/% @mkdir -p $(appdir) $(verbose) $(INSTALL) -m 644 $< $@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.13/man/man8/httpd_selinux.8 ---- nsaserefpolicy/man/man8/httpd_selinux.8 2009-03-05 09:22:34.000000000 -0500 -+++ serefpolicy-3.6.13/man/man8/httpd_selinux.8 2009-05-21 09:48:23.000000000 -0400 -@@ -22,7 +22,7 @@ - .EX - httpd_sys_content_t - .EE --- Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon. -+- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. - .EX - httpd_sys_script_exec_t - .EE -@@ -30,11 +30,11 @@ - .EX - httpd_sys_content_rw_t - .EE --- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. -+- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. - .EX - httpd_sys_content_ra_t - .EE --- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. -+- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. - .EX - httpd_unconfined_script_exec_t - .EE -@@ -57,8 +57,7 @@ - .EE - - .SH BOOLEANS --SELinux policy is customizable based on least access required. So by --default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. -+SELinux policy is customizable based on least access required. SElinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. - .PP - httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this - -@@ -67,7 +66,7 @@ - .EE - - .PP --httpd by default is not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. -+SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. - - .EX - setsebool -P httpd_enable_homedirs 1 -@@ -75,7 +74,7 @@ - .EE - - .PP --httpd by default is not allowed access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. -+SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. - - .EX - setsebool -P httpd_tty_comm 1 -@@ -89,7 +88,7 @@ - .EE - - .PP --httpd can be configured to turn on sending email. By default http is not allowed to send mail. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. -+SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. - - .EX - setsebool -P httpd_can_sendmail 1 -@@ -102,7 +101,7 @@ - .EE - - .PP --httpd scripts by default are not allowed to connect out to the network. -+SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. - This would prevent a hacker from breaking into you httpd server and attacking - other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/kerberos_selinux.8 serefpolicy-3.6.13/man/man8/kerberos_selinux.8 ---- nsaserefpolicy/man/man8/kerberos_selinux.8 2009-03-05 09:22:34.000000000 -0500 -+++ serefpolicy-3.6.13/man/man8/kerberos_selinux.8 2009-05-21 09:48:23.000000000 -0400 -@@ -12,7 +12,7 @@ - .SH "DESCRIPTION" - - Security-Enhanced Linux secures the system via flexible mandatory access --control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and additional access to the network. -+control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network. - .SH BOOLEANS - .PP - You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment. -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.13/man/man8/nfs_selinux.8 ---- nsaserefpolicy/man/man8/nfs_selinux.8 2009-03-05 09:22:34.000000000 -0500 -+++ serefpolicy-3.6.13/man/man8/nfs_selinux.8 2009-05-21 09:48:23.000000000 -0400 -@@ -6,7 +6,7 @@ - Security Enhanced Linux secures the NFS server via flexible mandatory access - control. - .SH BOOLEANS --SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on: -+SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on: - - .TP - setsebool -P nfs_export_all_ro 1 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ypbind_selinux.8 serefpolicy-3.6.13/man/man8/ypbind_selinux.8 ---- nsaserefpolicy/man/man8/ypbind_selinux.8 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.6.13/man/man8/ypbind_selinux.8 2009-05-21 09:48:23.000000000 -0400 -@@ -4,7 +4,7 @@ - .SH "DESCRIPTION" - - Security-Enhanced Linux secures the system via flexible mandatory access --control. By default NIS is not allowed, since it requires daemons to be allowed greater access to the network. -+control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network. - .SH BOOLEANS - .TP - You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.13/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500 +++ serefpolicy-3.6.13/policy/global_tunables 2009-05-21 09:48:23.000000000 -0400 @@ -441,18 +333,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.6.13/policy/modules/admin/brctl.te ---- nsaserefpolicy/policy/modules/admin/brctl.te 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/admin/brctl.te 2009-05-21 09:48:23.000000000 -0400 -@@ -21,6 +21,8 @@ - allow brctl_t self:unix_dgram_socket create_socket_perms; - allow brctl_t self:tcp_socket create_socket_perms; - -+corenet_rw_tun_tap_dev(brctl_t) -+ - kernel_load_module(brctl_t) - kernel_read_network_state(brctl_t) - kernel_read_sysctl(brctl_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.13/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.13/policy/modules/admin/certwatch.te 2009-05-21 09:48:23.000000000 -0400 @@ -736,7 +616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.13/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/admin/prelink.te 2009-05-21 09:48:23.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/admin/prelink.te 2009-05-29 11:07:55.000000000 -0400 @@ -21,12 +21,15 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -778,16 +658,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_manage_all_executables(prelink_t) corecmd_relabel_all_executables(prelink_t) -@@ -65,6 +71,8 @@ +@@ -65,6 +71,9 @@ files_read_etc_files(prelink_t) files_read_etc_runtime_files(prelink_t) files_dontaudit_read_all_symlinks(prelink_t) +files_manage_usr_files(prelink_t) ++files_manage_var_files(prelink_t) +files_relabelfrom_usr_files(prelink_t) fs_getattr_xattr_fs(prelink_t) -@@ -81,6 +89,10 @@ +@@ -81,6 +90,10 @@ userdom_use_user_terminals(prelink_t) @@ -798,12 +679,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amanda_manage_lib(prelink_t) ') -@@ -88,3 +100,7 @@ +@@ -88,3 +101,11 @@ optional_policy(` cron_system_entry(prelink_t, prelink_exec_t) ') + +optional_policy(` ++ rpm_manage_tmp_files(prelink_t) ++') ++ ++optional_policy(` + unconfined_domain(prelink_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.fc serefpolicy-3.6.13/policy/modules/admin/readahead.fc @@ -819,7 +704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.13/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/admin/readahead.te 2009-05-21 09:48:23.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/admin/readahead.te 2009-06-06 06:41:50.000000000 -0400 @@ -11,8 +11,8 @@ init_daemon_domain(readahead_t, readahead_exec_t) application_domain(readahead_t, readahead_exec_t) @@ -853,7 +738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(readahead_t) kernel_dontaudit_getattr_core_if(readahead_t) -@@ -46,10 +48,13 @@ +@@ -46,10 +48,14 @@ storage_raw_read_fixed_disk(readahead_t) domain_use_interactive_fds(readahead_t) @@ -864,10 +749,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_non_security_files(readahead_t) +files_dontaudit_read_security_files(readahead_t) +files_dontaudit_getattr_non_security_blk_files(readahead_t) ++files_create_boot_flag(readahead_t) fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) -@@ -58,6 +63,7 @@ +@@ -58,6 +64,7 @@ fs_dontaudit_search_ramfs(readahead_t) fs_dontaudit_read_ramfs_pipes(readahead_t) fs_dontaudit_read_ramfs_files(readahead_t) @@ -875,7 +761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) -@@ -72,6 +78,7 @@ +@@ -72,6 +79,7 @@ init_getattr_initctl(readahead_t) logging_send_syslog_msg(readahead_t) @@ -928,7 +814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse', ` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.13/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/admin/rpm.if 2009-05-21 09:48:23.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/admin/rpm.if 2009-05-29 11:02:40.000000000 -0400 @@ -66,6 +66,11 @@ rpm_domtrans($1) role $2 types rpm_t; @@ -1120,7 +1006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete the RPM package database. ## ## -@@ -283,3 +424,148 @@ +@@ -283,3 +424,166 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1189,6 +1075,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Manage RPM tmp files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`rpm_manage_tmp_files',` ++ gen_require(` ++ type rpm_tmp_t; ++ ') ++ ++ manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) ++') ++ ++######################################## ++## +## Do not audit attempts to read, +## write RPM shm +## @@ -1738,8 +1642,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.13/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-03-20 12:39:40.000000000 -0400 -+++ serefpolicy-3.6.13/policy/modules/admin/usermanage.te 2009-05-21 09:48:23.000000000 -0400 -@@ -326,6 +326,7 @@ ++++ serefpolicy-3.6.13/policy/modules/admin/usermanage.te 2009-05-26 13:03:03.000000000 -0400 +@@ -209,6 +209,7 @@ + files_manage_etc_files(groupadd_t) + files_relabel_etc_files(groupadd_t) + files_read_etc_runtime_files(groupadd_t) ++files_read_usr_symlinks(groupadd_t) + + # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. + corecmd_exec_bin(groupadd_t) +@@ -326,6 +327,7 @@ # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -1747,7 +1659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` nscd_domtrans(passwd_t) -@@ -515,6 +516,12 @@ +@@ -515,6 +517,12 @@ ') optional_policy(` @@ -1781,16 +1693,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_write_pid(vbetool_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.te serefpolicy-3.6.13/policy/modules/apps/ada.te ---- nsaserefpolicy/policy/modules/apps/ada.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/apps/ada.te 2009-05-21 09:48:23.000000000 -0400 -@@ -21,5 +21,5 @@ - userdom_use_user_terminals(ada_t) - - optional_policy(` -- unconfined_domain_noaudit(ada_t) -+ unconfined_domain(ada_t) - ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.13/policy/modules/apps/awstats.te --- nsaserefpolicy/policy/modules/apps/awstats.te 2009-02-16 08:44:12.000000000 -0500 +++ serefpolicy-3.6.13/policy/modules/apps/awstats.te 2009-05-21 09:48:23.000000000 -0400 @@ -1803,15 +1705,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(awstats_t) sysnet_dns_name_resolve(awstats_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.13/policy/modules/apps/cdrecord.fc ---- nsaserefpolicy/policy/modules/apps/cdrecord.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.6.13/policy/modules/apps/cdrecord.fc 2009-05-21 09:48:23.000000000 -0400 -@@ -2,4 +2,5 @@ - # /usr - # - /usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0) -+/usr/bin/growisoifs -- gen_context(system_u:object_r:cdrecord_exec_t,s0) - diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.fc serefpolicy-3.6.13/policy/modules/apps/cpufreqselector.fc --- nsaserefpolicy/policy/modules/apps/cpufreqselector.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.13/policy/modules/apps/cpufreqselector.fc 2009-05-21 09:48:23.000000000 -0400 @@ -4055,11 +3948,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.13/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.13/policy/modules/apps/qemu.fc 2009-05-21 09:48:23.000000000 -0400 -@@ -1,2 +1,2 @@ ++++ serefpolicy-3.6.13/policy/modules/apps/qemu.fc 2009-06-08 13:48:58.000000000 -0400 +@@ -1,2 +1,3 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.13/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500 @@ -4696,16 +4590,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +kernel_dontaudit_read_system_state(sandbox_t) +corecmd_exec_all_executables(sandbox_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.13/policy/modules/apps/screen.fc ---- nsaserefpolicy/policy/modules/apps/screen.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/apps/screen.fc 2009-05-21 09:48:23.000000000 -0400 -@@ -11,5 +11,5 @@ - # - # /var - # --/var/run/screens?/S-[^/]+ -d gen_context(system_u:object_r:screen_dir_t,s0) - /var/run/screens?/S-[^/]+/.* <> -+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.13/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.13/policy/modules/apps/screen.if 2009-05-21 09:48:23.000000000 -0400 @@ -4734,28 +4618,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t) + manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.6.13/policy/modules/apps/screen.te ---- nsaserefpolicy/policy/modules/apps/screen.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/apps/screen.te 2009-05-21 09:48:23.000000000 -0400 -@@ -6,9 +6,6 @@ - # Declarations - # - --type screen_dir_t; --files_pid_file(screen_dir_t) -- - type screen_exec_t; - application_executable_file(screen_exec_t) - -@@ -24,7 +21,7 @@ - ubac_constrained(screen_tmp_t) - - type screen_var_run_t; --typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; -+typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t screen_dir_t }; - typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t }; - files_pid_file(screen_var_run_t) - ubac_constrained(screen_var_run_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.13/policy/modules/apps/uml.te --- nsaserefpolicy/policy/modules/apps/uml.te 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.13/policy/modules/apps/uml.te 2009-05-21 09:48:23.000000000 -0400 @@ -5140,8 +5002,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.13/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/kernel/corecommands.fc 2009-05-21 09:48:23.000000000 -0400 -@@ -32,6 +32,8 @@ ++++ serefpolicy-3.6.13/policy/modules/kernel/corecommands.fc 2009-06-08 08:49:12.000000000 -0400 +@@ -7,6 +7,7 @@ + /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) ++/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) + /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -32,6 +33,8 @@ # # /etc # @@ -5150,7 +5020,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0) -@@ -134,6 +136,9 @@ +@@ -67,6 +70,8 @@ + /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) + /etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0) + ++/etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ + /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + + /etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) +@@ -134,12 +139,16 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -5160,18 +5039,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -209,7 +214,10 @@ + /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) + + /usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -209,7 +218,15 @@ /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) -@@ -299,3 +307,20 @@ +@@ -299,3 +316,20 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -5194,7 +5085,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.13/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/kernel/corecommands.if 2009-05-22 08:45:16.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/kernel/corecommands.if 2009-06-04 16:18:26.000000000 -0400 @@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) @@ -5257,7 +5148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.13/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-05-21 08:43:07.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-06-08 15:22:17.000000000 -0400 +++ serefpolicy-3.6.13/policy/modules/kernel/corenetwork.te.in 2009-05-21 09:48:23.000000000 -0400 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -5267,7 +5158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) -@@ -86,21 +87,28 @@ +@@ -86,22 +87,28 @@ network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) network_port(comsat, udp,512,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) @@ -5291,13 +5182,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(giftd, tcp,1213,s0) network_port(gopher, tcp,70,s0, udp,70,s0) -+network_port(gpsd,tcp,2947,s0) + network_port(gpsd, tcp,2947,s0) network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy +portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) -@@ -120,6 +128,7 @@ +@@ -121,6 +128,7 @@ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) @@ -5305,7 +5196,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) -@@ -130,6 +139,7 @@ +@@ -131,6 +139,7 @@ network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) @@ -5313,7 +5204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -141,7 +151,14 @@ +@@ -142,7 +151,14 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pingd, tcp,9125,s0) @@ -5328,7 +5219,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) -@@ -164,11 +181,14 @@ +@@ -165,11 +181,14 @@ network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) @@ -5344,7 +5235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -177,14 +197,18 @@ +@@ -178,14 +197,18 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5365,7 +5256,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -213,6 +237,8 @@ +@@ -214,6 +237,8 @@ type node_t, node_type; sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) @@ -5375,30 +5266,182 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255) #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.13/policy/modules/kernel/devices.fc ---- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-03-05 14:09:51.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/kernel/devices.fc 2009-05-21 09:48:23.000000000 -0400 -@@ -91,6 +91,7 @@ - /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) -+/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) - /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) - /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) -@@ -113,7 +114,9 @@ - - /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) - -+/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -+/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - - /dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) - /dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0) +--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-06-08 15:22:17.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/kernel/devices.fc 2009-06-08 09:15:51.000000000 -0400 +@@ -47,8 +46,10 @@ + /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) + /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) + /dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) ++/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0) + /dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) + /dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) ++/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) + /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.13/policy/modules/kernel/devices.if ---- nsaserefpolicy/policy/modules/kernel/devices.if 2009-03-05 12:28:56.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/kernel/devices.if 2009-05-21 09:48:23.000000000 -0400 -@@ -2268,6 +2268,25 @@ +--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-06-08 15:22:17.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/kernel/devices.if 2009-06-08 09:15:34.000000000 -0400 +@@ -1655,6 +1655,96 @@ + + ######################################## + ## ++## Read and write to kvm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_kvm',` ++ gen_require(` ++ type device_t, kvm_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, kvm_device_t) ++') ++ ++######################################## ++## ++## Get the attributes of the ksm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_ksm_dev',` ++ gen_require(` ++ type device_t, ksm_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, ksm_device_t) ++') ++ ++######################################## ++## ++## Set the attributes of the ksm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_ksm_dev',` ++ gen_require(` ++ type device_t, ksm_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, ksm_device_t) ++') ++ ++######################################## ++## ++## Read the ksm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_ksm',` ++ gen_require(` ++ type device_t, ksm_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, ksm_device_t) ++') ++ ++######################################## ++## ++## Read and write to ksm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_ksm',` ++ gen_require(` ++ type device_t, ksm_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, ksm_device_t) ++') ++ ++######################################## ++## + ## Get the attributes of the kvm devices. + ## + ## +@@ -1725,6 +1815,61 @@ + rw_chr_files_pattern($1, device_t, kvm_device_t) + ') + ++###################################### ++## ++## Read the lirc device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_lirc',` ++ gen_require(` ++ type device_t, lirc_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, lirc_device_t) ++') ++ ++###################################### ++## ++## Read and write the lirc device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_lirc',` ++ gen_require(` ++ type device_t, lirc_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, lirc_device_t) ++') ++ ++###################################### ++## ++## Automatic type transition to the type ++## for lirc device nodes when created in /dev. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_filetrans_lirc',` ++ gen_require(` ++ type device_t, lirc_device_t; ++ ') ++ ++ filetrans_pattern($1, device_t, lirc_device_t, chr_file) ++') ++ + ######################################## + ## + ## Read the lvm comtrol device. +@@ -2268,6 +2413,25 @@ ######################################## ## @@ -5424,34 +5467,50 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write to the null device (/dev/null). ## ## -@@ -3217,6 +3236,7 @@ - # - interface(`dev_rw_generic_usb_dev',` - gen_require(` -+ type device_t; - type usb_device_t; - ') - diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.13/policy/modules/kernel/devices.te ---- nsaserefpolicy/policy/modules/kernel/devices.te 2009-03-05 12:28:57.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/kernel/devices.te 2009-05-21 09:48:23.000000000 -0400 -@@ -188,6 +188,12 @@ - genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) +--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-06-08 15:22:17.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/kernel/devices.te 2009-06-08 09:11:39.000000000 -0400 +@@ -84,6 +84,13 @@ + dev_node(kmsg_device_t) + + # ++# ksm_device_t is the type of ++# /dev/ksm ++# ++type ksm_device_t; ++dev_node(ksm_device_t) ++ ++# + # kvm_device_t is the type of + # /dev/kvm + # +@@ -91,6 +98,12 @@ + dev_node(kvm_device_t) # -+# Type for /dev/tpm ++# Type for /dev/lirc +# -+type tpm_device_t; -+dev_node(tpm_device_t) ++type lirc_device_t; ++dev_node(lirc_device_t) + +# - # urandom_device_t is the type of /dev/urandom + # Type for /dev/mapper/control # - type urandom_device_t; + type lvm_control_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.13/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/kernel/domain.if 2009-05-21 09:48:23.000000000 -0400 -@@ -525,7 +525,7 @@ ++++ serefpolicy-3.6.13/policy/modules/kernel/domain.if 2009-06-02 11:47:39.000000000 -0400 +@@ -65,7 +65,8 @@ + ') + + optional_policy(` +- selinux_dontaudit_getattr_fs($1) ++ selinux_getattr_fs($1) ++ selinux_search_fs($1) + selinux_dontaudit_read_fs($1) + ') + +@@ -525,7 +526,7 @@ ') kernel_search_proc($1) @@ -5460,7 +5519,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -629,6 +629,7 @@ +@@ -629,6 +630,7 @@ dontaudit $1 unconfined_domain_type:dir search_dir_perms; dontaudit $1 unconfined_domain_type:file read_file_perms; @@ -5468,7 +5527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1247,18 +1248,34 @@ +@@ -1247,18 +1249,34 @@ ## ## # @@ -5506,7 +5565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow specified type to receive labeled ## networking packets from all domains, over ## all protocols (TCP, UDP, etc) -@@ -1279,6 +1296,24 @@ +@@ -1279,6 +1297,24 @@ ######################################## ## @@ -5533,7 +5592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.13/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/kernel/domain.te 2009-05-21 09:48:23.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/kernel/domain.te 2009-06-04 16:19:19.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -5566,7 +5625,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates # a keyring -@@ -106,6 +117,10 @@ +@@ -97,6 +108,9 @@ + # list the root directory + files_list_root(domain) + ++# All executables should be able to search the directory they are in ++corecmd_search_bin(domain) ++ + tunable_policy(`global_ssp',` + # enable reading of urandom for all domains: + # this should be enabled when all programs +@@ -106,6 +120,10 @@ ') optional_policy(` @@ -5577,7 +5646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(domain) libs_use_shared_libs(domain) ') -@@ -118,6 +133,7 @@ +@@ -118,6 +136,7 @@ optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -5585,7 +5654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -136,6 +152,9 @@ +@@ -136,6 +155,9 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; @@ -5595,7 +5664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -145,7 +164,7 @@ +@@ -145,7 +167,7 @@ # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; @@ -5604,7 +5673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -153,3 +172,50 @@ +@@ -153,3 +175,50 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -5686,7 +5755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.13/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/kernel/files.if 2009-05-21 09:48:23.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/kernel/files.if 2009-06-06 06:41:00.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -6175,50 +6244,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# This module currently does not have any file contexts. +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.13/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500 +--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-06-08 15:22:17.000000000 -0400 +++ serefpolicy-3.6.13/policy/modules/kernel/filesystem.if 2009-05-21 09:48:23.000000000 -0400 -@@ -723,6 +723,24 @@ - - ######################################## - ## -+## Dont audit attempts to write to all noxattrfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_dontaudit_write_noxattr_fs_files',` -+ gen_require(` -+ attribute noxattrfs; -+ ') -+ -+ dontaudit $1 noxattrfs:file write; -+') -+ -+######################################## -+## - ## Create, read, write, and delete all noxattrfs directories. - ## - ## -@@ -754,6 +772,7 @@ - attribute noxattrfs; - ') - -+ list_dirs_pattern($1, noxattrfs, noxattrfs) - read_files_pattern($1, noxattrfs, noxattrfs) - ') - -@@ -2173,6 +2192,7 @@ - type removable_t; - ') - -+ allow $1 removable_t:dir list_dir_perms; - rw_blk_files_pattern($1, removable_t, removable_t) - ') - -@@ -3322,6 +3342,7 @@ +@@ -3341,6 +3342,7 @@ type tmpfs_t; ') @@ -6226,43 +6254,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit $1 tmpfs_t:file rw_file_perms; ') -@@ -3643,6 +3664,7 @@ - ') - - allow $1 filesystem_type:filesystem getattr; -+ files_getattr_all_file_type_fs($1) - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.13/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-03-04 15:43:10.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/kernel/filesystem.te 2009-05-21 09:48:23.000000000 -0400 -@@ -206,6 +206,10 @@ - genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0) - genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) - genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) -+# Labeling dosfs_t since these are removable file systems with the i -+# same security properties as dosfs_t -+genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) -+genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0) - - type fusefs_t; - fs_noxattr_type(fusefs_t) -@@ -244,12 +248,12 @@ - genfscon afs / gen_context(system_u:object_r:nfs_t,s0) - genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0) - genfscon coda / gen_context(system_u:object_r:nfs_t,s0) --genfscon hfs / gen_context(system_u:object_r:nfs_t,s0) --genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0) - genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) - genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) - genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) - genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) -+genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0) -+genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) - - ######################################## - # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.13/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.13/policy/modules/kernel/kernel.if 2009-05-22 08:52:10.000000000 -0400 @@ -6521,9 +6512,237 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_boot(kernel_t) + +permissive kernel_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/rwhod.fc serefpolicy-3.6.13/policy/modules/kernel/rwhod.fc +--- nsaserefpolicy/policy/modules/kernel/rwhod.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.13/policy/modules/kernel/rwhod.fc 2009-05-27 10:46:22.000000000 -0400 +@@ -0,0 +1,5 @@ ++ ++/usr/sbin/rwhod -- gen_context(system_u:object_r:rwhod_exec_t,s0) ++ ++/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwhod_initrc_exec_t,s0) ++/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwhod_spool_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/rwhod.if serefpolicy-3.6.13/policy/modules/kernel/rwhod.if +--- nsaserefpolicy/policy/modules/kernel/rwhod.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.13/policy/modules/kernel/rwhod.if 2009-05-27 10:46:22.000000000 -0400 +@@ -0,0 +1,164 @@ ++ ++## policy for rwhod ++ ++######################################## ++## ++## Execute a domain transition to run rwhod. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rwhod_domtrans',` ++ gen_require(` ++ type rwhod_t; ++ type rwhod_exec_t; ++ ') ++ ++ domtrans_pattern($1,rwhod_exec_t,rwhod_t) ++') ++ ++ ++######################################## ++## ++## Execute rwhod server in the rwhod domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`rwhod_initrc_domtrans',` ++ gen_require(` ++ type rwhod_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1,rwhod_initrc_exec_t) ++') ++ ++######################################## ++## ++## Search rwhod spool directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rwhod_search_spool',` ++ gen_require(` ++ type rwhod_spool_t; ++ ') ++ ++ allow $1 rwhod_spool_t:dir search_dir_perms; ++ files_search_spool($1) ++') ++ ++######################################## ++## ++## Read rwhod spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rwhod_read_spool_files',` ++ gen_require(` ++ type rwhod_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1, rwhod_spool_t rwhod_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## rwhod spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rwhod_manage_spool_files',` ++ gen_require(` ++ type rwhod_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_files_pattern($1,rwhod_spool_t,rwhod_spool_t) ++') ++ ++######################################## ++## ++## Allow domain to manage rwhod spool files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`rwhod_manage_spool',` ++ gen_require(` ++ type rwhod_spool_t; ++ ') ++ ++ manage_dirs_pattern($1,rwhod_spool_t,rwhod_spool_t) ++ manage_files_pattern($1,rwhod_spool_t,rwhod_spool_t) ++ manage_lnk_files_pattern($1,rwhod_spool_t,rwhod_spool_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rwhod environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the rwhod domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`rwhod_admin',` ++ gen_require(` ++ type rwhod_t; ++ ') ++ ++ allow $1 rwhod_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, rwhod_t, rwhod_t) ++ ++ ++ gen_require(` ++ type rwhod_initrc_exec_t; ++ ') ++ ++ # Allow rwhod_t to restart the apache service ++ rwhod_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 rwhod_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ rwhod_manage_spool($1) ++ ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/rwhod.te serefpolicy-3.6.13/policy/modules/kernel/rwhod.te +--- nsaserefpolicy/policy/modules/kernel/rwhod.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.13/policy/modules/kernel/rwhod.te 2009-05-27 10:46:22.000000000 -0400 +@@ -0,0 +1,47 @@ ++policy_module(rwhod,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type rwhod_t; ++type rwhod_exec_t; ++init_daemon_domain(rwhod_t, rwhod_exec_t) ++ ++permissive rwhod_t; ++ ++type rwhod_initrc_exec_t; ++init_script_file(rwhod_initrc_exec_t) ++ ++type rwhod_spool_t; ++files_type(rwhod_spool_t) ++ ++######################################## ++# ++# rwhod local policy ++# ++ ++allow rwhod self:capability { kill setgid setuid }; ++allow rwhod self:process { fork signal }; ++ ++# Init script handling ++domain_use_interactive_fds(rwhod_t) ++ ++# internal communication is often done using fifo and unix sockets. ++allow rwhod_t self:fifo_file rw_file_perms; ++allow rwhod_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_read_etc_files(rwhod_t) ++ ++miscfiles_read_localization(rwhod_t) ++ ++ ++allow rwhod_t rwhod_spool_t:dir manage_dir_perms; ++allow rwhod_t rwhod_spool_t:file manage_file_perms; ++allow rwhod_t rwhod_spool_t:sock_file manage_sock_file_perms; ++files_spool_filetrans(rwhod_t,rwhod_spool_t, { file dir sock_file }) ++ ++auth_use_nsswitch(rwhod_t) ++ ++logging_send_syslog_msg(rwhod_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.13/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/kernel/selinux.if 2009-05-21 09:48:23.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/kernel/selinux.if 2009-05-28 21:05:47.000000000 -0400 @@ -40,7 +40,7 @@ # because of this statement, any module which @@ -6680,29 +6899,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(guest_u, user, guest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.13/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/roles/staff.te 2009-05-21 15:10:09.000000000 -0400 -@@ -15,156 +15,95 @@ ++++ serefpolicy-3.6.13/policy/modules/roles/staff.te 2009-06-01 08:42:09.000000000 -0400 +@@ -15,156 +15,99 @@ # Local policy # -optional_policy(` - apache_role(staff_r, staff_t) -') -+kernel_read_ring_buffer(staff_t) -+kernel_getattr_core_if(staff_t) -+kernel_getattr_message_if(staff_t) -+kernel_read_software_raid_state(staff_t) - +- -optional_policy(` - auth_role(staff_r, staff_t) -') -+auth_domtrans_pam_console(staff_t) - +- -optional_policy(` - auditadm_role_change(staff_r) --') -+libs_manage_shared_libs(staff_t) - +-') +- -optional_policy(` - bluetooth_role(staff_r, staff_t) -') @@ -6734,46 +6947,53 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - gift_role(staff_r, staff_t) -') -- ++kernel_read_ring_buffer(staff_t) ++kernel_getattr_core_if(staff_t) ++kernel_getattr_message_if(staff_t) ++kernel_read_software_raid_state(staff_t) + -optional_policy(` - gnome_role(staff_r, staff_t) -') -+seutil_run_newrole(staff_t, staff_r) -+netutils_run_ping(staff_t, staff_r) ++auth_domtrans_pam_console(staff_t) - optional_policy(` +-optional_policy(` - gpg_role(staff_r, staff_t) -') -- ++libs_manage_shared_libs(staff_t) + -optional_policy(` - irc_role(staff_r, staff_t) -') -- --optional_policy(` ++seutil_run_newrole(staff_t, staff_r) ++netutils_run_ping(staff_t, staff_r) + + optional_policy(` - java_role(staff_r, staff_t) --') -- --optional_policy(` -- lockdev_role(staff_r, staff_t) + sudo_role_template(staff, staff_r, staff_t) ') optional_policy(` -- lpd_role(staff_r, staff_t) +- lockdev_role(staff_r, staff_t) + auditadm_role_change(staff_r) ') optional_policy(` -- mozilla_role(staff_r, staff_t) +- lpd_role(staff_r, staff_t) + kerneloops_manage_tmp_files(staff_t) ') optional_policy(` -- mplayer_role(staff_r, staff_t) +- mozilla_role(staff_r, staff_t) + logadm_role_change(staff_r) ') optional_policy(` +- mplayer_role(staff_r, staff_t) ++ postgresql_role(staff_r, staff_t) + ') + + optional_policy(` - mta_role(staff_r, staff_t) + secadm_role_change(staff_r) ') @@ -8694,7 +8914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive afs_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.13/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/apache.fc 2009-05-26 09:24:36.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/services/apache.fc 2009-05-26 15:12:54.000000000 -0400 @@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -8786,7 +9006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) -+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.13/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500 @@ -10078,6 +10298,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(entropyd_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.13/policy/modules/services/automount.if +--- nsaserefpolicy/policy/modules/services/automount.if 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/services/automount.if 2009-06-08 08:39:40.000000000 -0400 +@@ -109,6 +109,25 @@ + + ######################################## + ## ++## Send automount a signal ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`automount_signal',` ++ gen_require(` ++ type automount_t; ++ ') ++ ++ allow $1 automount_t:process signal; ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an automount environment + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.13/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.13/policy/modules/services/automount.te 2009-05-21 09:48:23.000000000 -0400 @@ -10583,8 +10832,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.13/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-05-21 08:43:08.000000000 -0400 -+++ serefpolicy-3.6.13/policy/modules/services/consolekit.te 2009-05-21 09:48:23.000000000 -0400 -@@ -61,12 +61,17 @@ ++++ serefpolicy-3.6.13/policy/modules/services/consolekit.te 2009-06-01 06:48:30.000000000 -0400 +@@ -11,7 +11,7 @@ + init_daemon_domain(consolekit_t, consolekit_exec_t) + + type consolekit_log_t; +-files_pid_file(consolekit_log_t) ++logging_log_file(consolekit_log_t) + + type consolekit_var_run_t; + files_pid_file(consolekit_var_run_t) +@@ -50,6 +50,7 @@ + files_read_usr_files(consolekit_t) + # needs to read /var/lib/dbus/machine-id + files_read_var_lib_files(consolekit_t) ++files_search_all_mountpoints(consolekit_t) + + fs_list_inotifyfs(consolekit_t) + +@@ -61,12 +62,17 @@ init_telinit(consolekit_t) init_rw_utmp(consolekit_t) @@ -10602,7 +10868,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hal_ptrace(consolekit_t) -@@ -81,9 +86,12 @@ +@@ -81,9 +87,12 @@ ') optional_policy(` @@ -10616,7 +10882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hal_dbus_chat(consolekit_t) ') -@@ -97,11 +105,23 @@ +@@ -97,11 +106,23 @@ ') optional_policy(` @@ -12628,8 +12894,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.13/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/devicekit.te 2009-05-21 09:48:24.000000000 -0400 -@@ -0,0 +1,237 @@ ++++ serefpolicy-3.6.13/policy/modules/services/devicekit.te 2009-05-27 07:00:39.000000000 -0400 +@@ -0,0 +1,238 @@ +policy_module(devicekit,1.0.0) + +######################################## @@ -12807,6 +13073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_list_inotifyfs(devicekit_disk_t) +fs_mount_all_fs(devicekit_disk_t) +fs_unmount_all_fs(devicekit_disk_t) ++fs_manage_fusefs_dirs(devicekit_disk_t) + +storage_raw_read_fixed_disk(devicekit_disk_t) +storage_raw_write_fixed_disk(devicekit_disk_t) @@ -12856,17 +13123,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -+ifdef(`TESTING',` ++#ifdef(`TESTING',` + permissive devicekit_t; + permissive devicekit_power_t; + permissive devicekit_disk_t; -+',` -+optional_policy(` -+ unconfined_domain(devicekit_t) -+ unconfined_domain(devicekit_power_t) -+ unconfined_domain(devicekit_disk_t) -+') -+') ++#',` ++#optional_policy(` ++# unconfined_domain(devicekit_t) ++# unconfined_domain(devicekit_power_t) ++# unconfined_domain(devicekit_disk_t) ++#') ++#') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.13/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 +++ serefpolicy-3.6.13/policy/modules/services/dhcp.if 2009-05-21 09:48:24.000000000 -0400 @@ -13437,8 +13704,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.13/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/fprintd.te 2009-05-21 09:48:24.000000000 -0400 -@@ -0,0 +1,49 @@ ++++ serefpolicy-3.6.13/policy/modules/services/fprintd.te 2009-06-04 13:22:27.000000000 -0400 +@@ -0,0 +1,52 @@ +policy_module(fprintd,1.0.0) + +######################################## @@ -13463,12 +13730,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +corecmd_search_bin(fprintd_t) + ++dev_list_usbfs(fprintd_t) +dev_rw_generic_usb_dev(fprintd_t) +dev_read_sysfs(fprintd_t) + +files_read_etc_files(fprintd_t) +files_read_usr_files(fprintd_t) + ++kernel_read_system_state(fprintd_t) ++ +auth_use_nsswitch(fprintd_t) + +miscfiles_read_localization(fprintd_t) @@ -13773,156 +14043,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(gpm_t) fs_search_auto_mountpoints(gpm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.13/policy/modules/services/gpsd.fc ---- nsaserefpolicy/policy/modules/services/gpsd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/gpsd.fc 2009-05-21 09:48:24.000000000 -0400 -@@ -0,0 +1,3 @@ -+ -+/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.13/policy/modules/services/gpsd.if ---- nsaserefpolicy/policy/modules/services/gpsd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/gpsd.if 2009-05-21 09:48:24.000000000 -0400 -@@ -0,0 +1,83 @@ -+## gpsd monitor daemon -+ -+######################################## -+## -+## Execute a domain transition to run gpsd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`gpsd_domtrans',` -+ gen_require(` -+ type gpsd_t, gpsd_exec_t; -+ ') -+ -+ domtrans_pattern($1, gpsd_exec_t, gpsd_t) -+') -+ -+######################################## -+## -+## Execute gpsd in the gpsd domain, and -+## allow the specified role the gpsd domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the gpsd domain. -+## -+## -+# -+interface(`gpsd_run',` -+ gen_require(` -+ type gpsd_t; -+ ') -+ -+ gpsd_domtrans($1) -+ role $2 types gpsd_t; -+') -+ -+######################################## -+## -+## Read and write to gpsd shared memory. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`gpsd_rw_shm',` -+ gen_require(` -+ type gpsd_t; -+ ') -+ -+ allow $1 gpsd_t:shm rw_shm_perms; -+') -+ -+######################################## -+## -+## Read/write gpsd tmpfs files. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`gpsd_rw_tmpfs_files',` -+ gen_require(` -+ type gpsd_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ allow $1 gpsd_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) -+ read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.13/policy/modules/services/gpsd.te ---- nsaserefpolicy/policy/modules/services/gpsd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/gpsd.te 2009-05-21 09:48:24.000000000 -0400 -@@ -0,0 +1,52 @@ -+policy_module(gpsd,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type gpsd_t; -+type gpsd_exec_t; -+application_domain(gpsd_t, gpsd_exec_t) -+role system_r types gpsd_t; -+ -+type gpsd_tmpfs_t; -+files_tmpfs_file(gpsd_tmpfs_t) -+ -+######################################## -+# -+# gpsd local policy -+# -+ -+allow gpsd_t self:capability { setuid sys_nice setgid fowner }; -+allow gpsd_t self:process setsched; -+allow gpsd_t self:shm create_shm_perms; -+allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow gpsd_t self:tcp_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) -+manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) -+fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) -+ -+corenet_tcp_bind_all_nodes(gpsd_t) -+corenet_tcp_bind_gpsd_port(gpsd_t) -+ -+term_use_unallocated_ttys(gpsd_t) -+term_setattr_unallocated_ttys(gpsd_t) -+ -+auth_use_nsswitch(gpsd_t) -+ -+logging_send_syslog_msg(gpsd_t) -+ -+miscfiles_read_localization(gpsd_t) -+ -+optional_policy(` -+ ntpd_rw_shm(gpsd_t) -+ ntpd_rw_tmpfs_files(gpsd_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(gpsd_t) -+') -+ -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.13/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2008-11-19 11:51:44.000000000 -0500 +++ serefpolicy-3.6.13/policy/modules/services/hal.fc 2009-05-21 09:48:24.000000000 -0400 @@ -14064,7 +14184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.13/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/hal.te 2009-05-21 09:48:24.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/services/hal.te 2009-05-27 06:59:21.000000000 -0400 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -14081,7 +14201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local policy -@@ -141,13 +150,19 @@ +@@ -141,13 +150,20 @@ # hal is now execing pm-suspend files_create_boot_flag(hald_t) files_getattr_all_dirs(hald_t) @@ -14097,11 +14217,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_mount_dos_fs(hald_t) +fs_unmount_dos_fs(hald_t) +fs_manage_dos_files(hald_t) ++fs_manage_fusefs_dirs(hald_t) + files_getattr_all_mountpoints(hald_t) mls_file_read_all_levels(hald_t) -@@ -195,6 +210,7 @@ +@@ -195,6 +211,7 @@ seutil_read_file_contexts(hald_t) sysnet_read_config(hald_t) @@ -14109,7 +14230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -277,6 +293,17 @@ +@@ -277,6 +294,17 @@ ') optional_policy(` @@ -14127,7 +14248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_search_nfs_state_data(hald_t) ') -@@ -298,7 +325,11 @@ +@@ -298,7 +326,11 @@ ') optional_policy(` @@ -14140,7 +14261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -306,7 +337,7 @@ +@@ -306,7 +338,7 @@ # Hal acl local policy # @@ -14149,7 +14270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file rw_fifo_file_perms; -@@ -321,6 +352,7 @@ +@@ -321,6 +353,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -14157,7 +14278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(hald_acl_t) -@@ -339,6 +371,8 @@ +@@ -339,6 +372,8 @@ storage_getattr_removable_dev(hald_acl_t) storage_setattr_removable_dev(hald_acl_t) @@ -14166,7 +14287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(hald_acl_t) -@@ -346,12 +380,18 @@ +@@ -346,12 +381,18 @@ miscfiles_read_localization(hald_acl_t) @@ -14186,7 +14307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; -@@ -374,6 +414,8 @@ +@@ -374,6 +415,8 @@ auth_use_nsswitch(hald_mac_t) @@ -14195,7 +14316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(hald_mac_t) ######################################## -@@ -415,6 +457,55 @@ +@@ -415,6 +458,55 @@ dev_rw_input_dev(hald_keymap_t) @@ -14301,8 +14422,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.6.13/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/kerberos.if 2009-05-21 09:48:24.000000000 -0400 -@@ -124,10 +124,12 @@ ++++ serefpolicy-3.6.13/policy/modules/services/kerberos.if 2009-06-01 13:12:28.000000000 -0400 +@@ -70,6 +70,7 @@ + interface(`kerberos_use',` + gen_require(` + type krb5_conf_t, krb5kdc_conf_t; ++ type krb5_host_rcache_t; + ') + + files_search_etc($1) +@@ -101,6 +102,7 @@ + corenet_tcp_connect_ocsp_port($1) + corenet_sendrecv_kerberos_client_packets($1) + corenet_sendrecv_ocsp_client_packets($1) ++ allow $1 krb5_host_rcache_t:file getattr; + ') + + optional_policy(` +@@ -124,10 +126,12 @@ interface(`kerberos_read_config',` gen_require(` type krb5_conf_t; @@ -14449,12 +14586,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.13/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-05-21 08:43:08.000000000 -0400 -+++ serefpolicy-3.6.13/policy/modules/services/lircd.te 2009-05-21 09:48:24.000000000 -0400 -@@ -42,7 +42,16 @@ ++++ serefpolicy-3.6.13/policy/modules/services/lircd.te 2009-06-01 08:22:13.000000000 -0400 +@@ -42,7 +42,19 @@ # /dev/lircd socket manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) dev_filetrans(lircd_t, lircd_sock_t, sock_file ) +dev_read_generic_usb_dev(lircd_t) ++ ++dev_filetrans_lirc(lircd_t) ++dev_rw_lirc(lircd_t) logging_send_syslog_msg(lircd_t) @@ -14488,7 +14628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.13/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/mailman.if 2009-05-21 09:48:24.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/services/mailman.if 2009-05-26 13:52:43.000000000 -0400 @@ -31,6 +31,12 @@ allow mailman_$1_t self:tcp_socket create_stream_socket_perms; allow mailman_$1_t self:udp_socket create_socket_perms; @@ -14510,15 +14650,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_all_executables(mailman_$1_t) -@@ -191,6 +198,7 @@ +@@ -190,7 +197,9 @@ + type mailman_data_t; ') ++ list_dirs_pattern($1, mailman_data_t, mailman_data_t) read_files_pattern($1, mailman_data_t, mailman_data_t) + read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) ') ####################################### -@@ -209,6 +217,7 @@ +@@ -209,6 +218,7 @@ type mailman_data_t; ') @@ -14526,7 +14668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, mailman_data_t, mailman_data_t) ') -@@ -250,6 +259,25 @@ +@@ -250,6 +260,25 @@ ####################################### ## @@ -16286,7 +16428,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + samba_read_var_files(nscd_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.13/policy/modules/services/ntp.if ---- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ntp.if 2009-06-08 15:22:17.000000000 -0400 +++ serefpolicy-3.6.13/policy/modules/services/ntp.if 2009-05-21 09:48:24.000000000 -0400 @@ -37,6 +37,32 @@ @@ -16321,23 +16463,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute ntp server in the ntpd domain. ## ## -@@ -56,6 +82,63 @@ +@@ -56,7 +82,7 @@ ######################################## - ## + ## +-## Read and write ntpd shared memory. +## Execute ntp server in the ntpd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# + ## + ## + ## +@@ -64,16 +90,51 @@ + ## + ## + # +-interface(`ntpd_rw_shm',` +interface(`ntp_initrc_domtrans',` -+ gen_require(` + gen_require(` +- type ntpd_t, ntpd_tmpfs_t; + type ntpd_initrc_exec_t; -+ ') -+ + ') + +- allow $1 ntpd_t:shm rw_shm_perms; + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) +') + @@ -16357,9 +16503,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + fs_search_tmpfs($1) -+ list_dirs_pattern($1,ntpd_tmpfs_t,ntpd_tmpfs_t) -+ rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) -+ read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) +- fs_search_tmpfs($1) +') + +######################################## @@ -16378,27 +16525,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + allow $1 ntpd_t:shm rw_shm_perms; -+') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an ntp environment - ## + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.13/policy/modules/services/ntp.te ---- nsaserefpolicy/policy/modules/services/ntp.te 2009-01-19 11:06:49.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/ntp.te 2009-06-08 15:22:17.000000000 -0400 +++ serefpolicy-3.6.13/policy/modules/services/ntp.te 2009-05-21 09:48:24.000000000 -0400 -@@ -25,6 +25,9 @@ - type ntpd_tmp_t; - files_tmp_file(ntpd_tmp_t) - -+type ntpd_tmpfs_t; -+files_tmpfs_file(ntpd_tmpfs_t) -+ - type ntpd_var_run_t; - files_pid_file(ntpd_var_run_t) - -@@ -38,10 +41,11 @@ +@@ -41,10 +41,11 @@ # sys_resource and setrlimit is for locking memory # ntpdate wants sys_nice @@ -16411,7 +16544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ntpd_t self:unix_dgram_socket create_socket_perms; allow ntpd_t self:unix_stream_socket create_socket_perms; allow ntpd_t self:tcp_socket create_stream_socket_perms; -@@ -52,6 +56,7 @@ +@@ -55,6 +56,7 @@ can_exec(ntpd_t,ntpd_exec_t) read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) @@ -16419,39 +16552,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ntpd_t ntpd_log_t:dir setattr; manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) -@@ -62,6 +67,10 @@ - manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) - files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir }) - -+manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) -+manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) -+fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file }) -+ - manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) - files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) - -@@ -90,6 +99,9 @@ - - fs_getattr_all_fs(ntpd_t) - fs_search_auto_mountpoints(ntpd_t) -+# Necessary to communicate with gpsd devices -+fs_rw_tmpfs_files(ntpd_t) -+fs_list_inotifyfs(ntpd_t) - - term_use_ptmx(ntpd_t) +@@ -129,6 +134,7 @@ -@@ -121,6 +133,11 @@ + optional_policy(` + gpsd_rw_shm(ntpd_t) ++ gpsd_rw_tmpfs_files(ntpd_t) ') optional_policy(` -+ gpsd_rw_shm(ntpd_t) -+ gpsd_rw_tmpfs_files(ntpd_t) -+') -+ -+optional_policy(` - firstboot_dontaudit_use_fds(ntpd_t) - firstboot_dontaudit_rw_pipes(ntpd_t) - firstboot_dontaudit_rw_stream_sockets(ntpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.13/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.13/policy/modules/services/nx.te 2009-05-21 09:48:24.000000000 -0400 @@ -17327,7 +17435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.13/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/postfix.if 2009-05-21 09:48:24.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/services/postfix.if 2009-06-03 08:37:56.000000000 -0400 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -17497,7 +17605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -500,3 +558,43 @@ +@@ -500,3 +558,62 @@ typeattribute $1 postfix_user_domtrans; ') @@ -17523,6 +17631,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Execute the master postqueue in the ++## postfix_postqueue domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_domtrans_postqueue',` ++ gen_require(` ++ type postfix_postqueue_t, postfix_postqueue_exec_t; ++ ') ++ ++ domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) ++') ++ ++######################################## ++## +## Execute the master postdrop in the +## postfix_postdrop domain. +## @@ -19263,7 +19390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.13/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.13/policy/modules/services/rpc.te 2009-05-21 09:48:24.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/services/rpc.te 2009-06-08 08:38:43.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -19296,12 +19423,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_dontaudit_read_fs(rpcd_t) -@@ -85,10 +92,17 @@ +@@ -85,10 +92,21 @@ seutil_dontaudit_search_config(rpcd_t) +userdom_signal_unpriv_users(rpcd_t) + ++optional_policy(` ++ automount_signal(rpcd_t) ++') ++ optional_policy(` nis_read_ypserv_config(rpcd_t) ') @@ -19314,7 +19445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # NFSD local policy -@@ -116,8 +130,9 @@ +@@ -116,8 +134,9 @@ # for exportfs and rpc.mountd files_getattr_tmp_dirs(nfsd_t) # cjp: this should really have its own type @@ -19325,7 +19456,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) -@@ -125,6 +140,7 @@ +@@ -125,6 +144,7 @@ fs_rw_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) @@ -19333,7 +19464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) -@@ -141,6 +157,7 @@ +@@ -141,6 +161,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') @@ -19341,7 +19472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -175,6 +192,7 @@ +@@ -175,6 +196,7 @@ corecmd_exec_bin(gssd_t) @@ -19349,7 +19480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) -@@ -183,9 +201,12 @@ +@@ -183,9 +205,12 @@ files_read_usr_symlinks(gssd_t) auth_use_nsswitch(gssd_t) @@ -19362,6 +19493,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_gssd_read_tmp',` userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) +@@ -193,6 +218,10 @@ + ') + + optional_policy(` ++ automount_signal(gssd_t) ++') ++ ++optional_policy(` + kerberos_keytab_template(gssd, gssd_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.13/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.13/policy/modules/services/rshd.te 2009-05-21 09:48:24.000000000 -0400 @@ -19387,7 +19529,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.13/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.13/policy/modules/services/rsync.te 2009-05-21 09:48:24.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/services/rsync.te 2009-06-03 08:45:37.000000000 -0400 @@ -8,6 +8,13 @@ ## @@ -19402,7 +19544,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow rsync to export any files/directories read only. ##

##
-@@ -124,4 +131,12 @@ +@@ -119,9 +126,19 @@ + + tunable_policy(`rsync_export_all_ro',` + fs_read_noxattr_fs_files(rsync_t) ++ fs_read_nfs_files(rsync_t) ++ fs_read_cifs_files(rsync_t) + auth_read_all_dirs_except_shadow(rsync_t) + auth_read_all_files_except_shadow(rsync_t) auth_read_all_symlinks_except_shadow(rsync_t) auth_tunable_read_shadow(rsync_t) ') @@ -20467,7 +20616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.13/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/sendmail.te 2009-05-21 09:48:24.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/services/sendmail.te 2009-06-03 08:37:21.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -20572,7 +20721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -113,13 +143,19 @@ +@@ -113,13 +143,20 @@ ') optional_policy(` @@ -20583,6 +20732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + postfix_domtrans_postdrop(sendmail_t) + postfix_domtrans_master(sendmail_t) ++ postfix_domtrans_postqueue(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') @@ -20593,7 +20743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -127,24 +163,29 @@ +@@ -127,24 +164,29 @@ ') optional_policy(` @@ -22924,7 +23074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive varnishlog_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.13/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/virt.fc 2009-05-21 09:48:24.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/services/virt.fc 2009-06-05 10:41:14.000000000 -0400 @@ -8,5 +8,16 @@ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) @@ -22944,7 +23094,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.13/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/virt.if 2009-05-21 15:09:53.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/services/virt.if 2009-06-02 16:34:54.000000000 -0400 @@ -2,28 +2,6 @@ ######################################## @@ -23108,7 +23258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.13/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/virt.te 2009-05-21 12:58:16.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/services/virt.te 2009-06-05 10:42:40.000000000 -0400 @@ -8,19 +8,31 @@ ## @@ -23521,7 +23671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.13/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/services/xserver.if 2009-05-21 09:48:24.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/services/xserver.if 2009-06-01 12:03:34.000000000 -0400 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -25001,7 +25151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.13/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/system/authlogin.if 2009-05-26 08:44:04.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/system/authlogin.if 2009-06-01 13:13:35.000000000 -0400 @@ -43,22 +43,42 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -25053,7 +25203,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_rw_utmp($1) -@@ -100,9 +121,42 @@ +@@ -100,9 +121,46 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -25066,15 +25216,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + afs_rw_udp_sockets($1) - ') ++ ') + + optional_policy(` + dbus_system_bus_client($1) + optional_policy(` + oddjob_dbus_chat($1) + oddjob_domtrans_mkhomedir($1) ++ ') + ') -+') + + optional_policy(` + corecmd_exec_bin($1) @@ -25083,6 +25233,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` ++ kerberos_manage_host_rcache($1) ++ ') ++ ++ optional_policy(` + fprintd_dbus_chat($1) + ') + @@ -25093,12 +25247,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + ssh_agent_exec($1) + userdom_read_user_home_content_files($1) -+ ') + ') + ') ######################################## -@@ -197,8 +251,11 @@ +@@ -197,8 +255,11 @@ interface(`auth_domtrans_chk_passwd',` gen_require(` type chkpwd_t, chkpwd_exec_t, shadow_t; @@ -25110,7 +25264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin($1) domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) -@@ -207,19 +264,16 @@ +@@ -207,19 +268,16 @@ dev_read_rand($1) dev_read_urand($1) @@ -25135,7 +25289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -230,6 +284,29 @@ +@@ -230,6 +288,29 @@ optional_policy(` samba_stream_connect_winbind($1) ') @@ -25165,7 +25319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -254,6 +331,7 @@ +@@ -254,6 +335,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -25173,7 +25327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -650,7 +728,7 @@ +@@ -650,7 +732,7 @@ ######################################## ## @@ -25182,7 +25336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1031,6 +1109,32 @@ +@@ -1031,6 +1113,32 @@ ######################################## ## @@ -25215,7 +25369,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1297,6 +1401,14 @@ +@@ -1297,6 +1405,14 @@ ') optional_policy(` @@ -25230,7 +25384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1305,8 +1417,13 @@ +@@ -1305,8 +1421,13 @@ ') optional_policy(` @@ -25244,7 +25398,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1341,3 +1458,99 @@ +@@ -1341,3 +1462,99 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -25514,7 +25668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.13/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/system/init.if 2009-05-26 09:12:18.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/system/init.if 2009-06-01 11:27:59.000000000 -0400 @@ -174,6 +174,7 @@ role system_r types $1; @@ -26115,7 +26269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.13/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-04-06 12:42:08.000000000 -0400 -+++ serefpolicy-3.6.13/policy/modules/system/ipsec.te 2009-05-26 09:16:40.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/system/ipsec.te 2009-06-08 13:37:09.000000000 -0400 @@ -55,7 +55,7 @@ allow ipsec_t self:capability { net_admin dac_override dac_read_search }; @@ -26143,7 +26297,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) -@@ -347,6 +349,7 @@ +@@ -159,7 +161,7 @@ + allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; + allow ipsec_mgmt_t self:udp_socket create_socket_perms; + allow ipsec_mgmt_t self:key_socket create_socket_perms; +-allow ipsec_mgmt_t self:fifo_file rw_file_perms; ++allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; + + allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; + files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file) +@@ -280,6 +282,7 @@ + allow racoon_t self:netlink_selinux_socket { bind create read }; + allow racoon_t self:udp_socket create_socket_perms; + allow racoon_t self:key_socket create_socket_perms; ++allow racoon_t self:fifo_file rw_fifo_file_perms; + + # manage pid file + manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) +@@ -297,6 +300,13 @@ + kernel_read_system_state(racoon_t) + kernel_read_network_state(racoon_t) + ++can_exec(racoon_t, racoon_exec_t) ++ ++corecmd_exec_shell(racoon_t) ++corecmd_exec_bin(racoon_t) ++ ++sysnet_exec_ifconfig(racoon_t) ++ + corenet_all_recvfrom_unlabeled(racoon_t) + corenet_tcp_sendrecv_all_if(racoon_t) + corenet_udp_sendrecv_all_if(racoon_t) +@@ -347,6 +357,7 @@ files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) @@ -26249,8 +26434,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -sysnet_dns_name_resolve(iscsid_t) +miscfiles_read_localization(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.13/policy/modules/system/libraries.fc ---- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/system/libraries.fc 2009-05-21 09:48:24.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-06-08 15:22:18.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/system/libraries.fc 2009-06-08 08:45:36.000000000 -0400 @@ -60,12 +60,15 @@ # # /opt @@ -26292,7 +26477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -115,24 +121,34 @@ +@@ -115,25 +121,35 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26313,8 +26498,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26328,7 +26515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,7 +184,8 @@ +@@ -169,7 +185,8 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26338,7 +26525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -187,12 +204,15 @@ +@@ -188,12 +205,15 @@ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26355,7 +26542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -233,7 +253,7 @@ +@@ -234,7 +254,7 @@ /usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame @@ -26364,7 +26551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -246,12 +266,13 @@ +@@ -247,12 +267,13 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26380,7 +26567,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -267,6 +288,9 @@ +@@ -268,6 +289,9 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26390,7 +26577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +315,8 @@ +@@ -292,6 +316,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26399,7 +26586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -303,6 +329,8 @@ +@@ -304,6 +330,8 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -26408,7 +26595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse',` /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') -@@ -310,3 +338,37 @@ +@@ -311,3 +339,37 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -26441,11 +26628,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/local/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0) ++ +/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -+ -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.13/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.13/policy/modules/system/libraries.if 2009-05-21 09:48:24.000000000 -0400 @@ -26477,7 +26664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_lnk_files_pattern($1,lib_t,{ lib_t textrel_shlib_t }) mmap_files_pattern($1,lib_t,{ lib_t textrel_shlib_t }) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.13/policy/modules/system/libraries.te ---- nsaserefpolicy/policy/modules/system/libraries.te 2009-01-05 15:39:43.000000000 -0500 +--- nsaserefpolicy/policy/modules/system/libraries.te 2009-06-08 15:22:18.000000000 -0400 +++ serefpolicy-3.6.13/policy/modules/system/libraries.te 2009-05-21 09:48:24.000000000 -0400 @@ -52,11 +52,11 @@ # ldconfig local policy @@ -26537,7 +26724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.13/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/system/locallogin.te 2009-05-21 09:48:24.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/system/locallogin.te 2009-05-28 21:07:37.000000000 -0400 @@ -67,6 +67,7 @@ dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) @@ -26575,7 +26762,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -235,17 +240,25 @@ +@@ -206,6 +211,7 @@ + # Sulogin local policy + # + ++allow sulogin_t self:capability dac_override; + allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow sulogin_t self:fd use; + allow sulogin_t self:fifo_file rw_file_perms; +@@ -235,17 +241,28 @@ seutil_read_default_contexts(sulogin_t) auth_read_shadow(sulogin_t) @@ -26597,18 +26792,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # suse and debian do not use pam with sulogin... ifdef(`distro_suse', `define(`sulogin_no_pam')') ifdef(`distro_debian', `define(`sulogin_no_pam')') -+ifdef(`distro_redhat',`define(`sulogin_no_pam')') ++ifdef(`distro_redhat',` ++ define(`sulogin_no_pam') ++ selinux_compute_user_contexts(sulogin_t) ++') ifdef(`sulogin_no_pam', ` allow sulogin_t self:capability sys_tty_config; -@@ -260,10 +273,4 @@ +@@ -259,11 +276,3 @@ + selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') - +- -optional_policy(` - nis_use_ypbind(sulogin_t) -') - +- -optional_policy(` - nscd_socket_use(sulogin_t) -') @@ -28302,7 +28501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.13/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/system/sysnetwork.te 2009-05-21 09:48:24.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/system/sysnetwork.te 2009-06-01 13:01:25.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -28318,8 +28517,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # DHCP client local policy # -allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config }; +-dontaudit dhcpc_t self:capability sys_tty_config; +allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_nice sys_resource sys_tty_config }; - dontaudit dhcpc_t self:capability sys_tty_config; ++dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process signal_perms; @@ -29315,7 +29515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/system/userdomain.if 2009-05-26 08:16:31.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/system/userdomain.if 2009-06-04 14:43:48.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -30589,7 +30789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files($1) -+ allow $1 user_home_t:dir delete_file_perms; ++ allow $1 user_home_t:file delete_file_perms; +') + +######################################## @@ -31490,8 +31690,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.13/policy/modules/system/virtual.te --- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/system/virtual.te 2009-05-21 09:48:24.000000000 -0400 -@@ -0,0 +1,79 @@ ++++ serefpolicy-3.6.13/policy/modules/system/virtual.te 2009-06-08 09:20:26.000000000 -0400 +@@ -0,0 +1,80 @@ + +policy_module(virtualization, 1.1.2) + @@ -31531,6 +31731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +dev_read_sound(virtualdomain) +dev_write_sound(virtualdomain) ++dev_rw_ksm(virtualdomain) +dev_rw_kvm(virtualdomain) +dev_rw_qemu(virtualdomain) + @@ -31690,7 +31891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.13/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.13/policy/modules/system/xen.te 2009-05-21 09:48:24.000000000 -0400 ++++ serefpolicy-3.6.13/policy/modules/system/xen.te 2009-06-04 14:46:24.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # @@ -31915,7 +32116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_runtime_files(xm_t) files_read_usr_files(xm_t) -@@ -339,15 +390,67 @@ +@@ -339,15 +390,68 @@ storage_raw_read_fixed_disk(xm_t) @@ -31949,6 +32150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +kernel_read_xen_state(xm_ssh_t) +kernel_write_xen_state(xm_ssh_t) + ++userdom_search_admin_dir(xm_ssh_t) + +#Should have a boolean wrapping these +fs_list_auto_mountpoints(xend_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 3157e7c..2ba5746 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,8 +19,8 @@ %define CHECKPOLICYVER 2.0.16-3 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.6.13 -Release: 2%{?dist} +Version: 3.6.14 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -183,7 +183,7 @@ fi; %description SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 2987. +Based off of reference policy: Checked out revision 2993. %build @@ -473,6 +473,15 @@ exit 0 %endif %changelog +* Mon Jun 8 2009 Dan Walsh 3.6.14-1 +- Update to upstream + +* Tue Jun 2 2009 Dan Walsh 3.6.13-3 +- Add fish as a shell +- Allow fprintd to list usbfs_t +- Allow consolekit to search mountpoints +- Add proper labeling for shorewall + * Tue May 26 2009 Dan Walsh 3.6.13-2 - New log file for vmware - Allow xdm to setattr on user_tmp_t