diff --git a/policy-20090105.patch b/policy-20090105.patch
index 803eea6..7c1201e 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -1536,6 +1536,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + xserver_write_pid(vbetool_t)
 +')
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.10/policy/modules/apps/awstats.te
+--- nsaserefpolicy/policy/modules/apps/awstats.te 2009-02-16 08:44:12.000000000 -0500
++++ serefpolicy-3.6.10/policy/modules/apps/awstats.te 2009-03-27 09:09:07.000000000 -0400
+@@ -51,6 +51,8 @@
+ 
+ libs_read_lib_files(awstats_t)
+ 
++logging_read_generic_logs(awstats_t)
++
+ miscfiles_read_localization(awstats_t)
+ 
+ sysnet_dns_name_resolve(awstats_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.10/policy/modules/apps/cdrecord.fc
 --- nsaserefpolicy/policy/modules/apps/cdrecord.fc 2008-08-07 11:15:03.000000000 -0400
 +++ serefpolicy-3.6.10/policy/modules/apps/cdrecord.fc 2009-03-24 09:03:48.000000000 -0400
@@ -4771,7 +4783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/lib/nfs/rpc_pipefs(/.*)? <>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.10/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/kernel/files.if 2009-03-26 21:12:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/kernel/files.if 2009-03-27 09:36:29.000000000 -0400
 @@ -110,6 +110,11 @@
  ##
  #
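Review bot: `logging_read_generic_logs(awstats_t)` in the awstats.te hunk grants read access to every generic log file under /var/log, while awstats only needs the web server logs it analyzes. If the denial behind this was on httpd's log files, `apache_read_log(awstats_t)` inside an `optional_policy` block would scope the grant to those files; if generic log access is really required, a comment naming the log path above the rule would let the next reader verify it. The remainder of awstats.te is outside the hunk, and the second hunk on this line only updates a timestamp.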
@@ -5121,8 +5133,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.10/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/kernel/filesystem.if 2009-03-24 09:03:48.000000000 -0400
-@@ -754,6 +754,7 @@
++++ serefpolicy-3.6.10/policy/modules/kernel/filesystem.if 2009-03-27 13:53:56.000000000 -0400
+@@ -723,6 +723,24 @@
+ 
+ ########################################
+ ##
++## Dont audit attempts to write to all noxattrfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_dontaudit_write_noxattr_fs_files',`
++ gen_require(`
++ attribute noxattrfs;
++ ')
++
++ dontaudit $1 noxattrfs:file write;
++')
++
++########################################
++##
+ ## Create, read, write, and delete all noxattrfs directories.
+ ##
+ ##
+@@ -754,6 +772,7 @@
  attribute noxattrfs;
  ')
  
@@ -5130,7 +5167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  read_files_pattern($1, noxattrfs, noxattrfs)
  ')
  
-@@ -2173,6 +2174,7 @@
+@@ -2173,6 +2192,7 @@
  type removable_t;
  ')
  
@@ -5138,7 +5175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  rw_blk_files_pattern($1, removable_t, removable_t)
  ')
  
-@@ -3322,6 +3324,7 @@
+@@ -3322,6 +3342,7 @@
  type tmpfs_t;
  ')
  
@@ -5146,7 +5183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dontaudit $1 tmpfs_t:file rw_file_perms;
  ')
  
-@@ -3643,6 +3646,7 @@
+@@ -3643,6 +3664,7 @@
  ')
  
  allow $1 filesystem_type:filesystem getattr;
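Review bot: The summary line of the new `fs_dontaudit_write_noxattr_fs_files` interface in the filesystem.if hunk reads `Dont audit`; the existing `fs_dontaudit_*` interfaces spell this `Do not audit`, so `++## Do not audit attempts to write to all noxattrfs files.` keeps the generated documentation consistent. It is also worth stating in the summary that the rule silences only the `write` permission on the `file` class (`dontaudit $1 noxattrfs:file write;`), so a caller that genuinely needs to write to such a filesystem still fails, now without an AVC message to diagnose it. The other three hunks on this line only renumber inner hunk offsets.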
@@ -8278,6 +8315,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.10/policy/modules/services/bitlbee.te
+--- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.10/policy/modules/services/bitlbee.te 2009-03-27 10:19:31.000000000 -0400
+@@ -75,6 +75,8 @@
+ # grant read-only access to the user help files
+ files_read_usr_files(bitlbee_t)
+ 
++kernel_read_system_state(bitlbee_t)
++
+ libs_legacy_use_shared_libs(bitlbee_t)
+ 
+ miscfiles_read_localization(bitlbee_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.10/policy/modules/services/certmaster.fc
 --- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.10/policy/modules/services/certmaster.fc 2009-03-24 09:03:48.000000000 -0400
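Review bot: `kernel_read_system_state(bitlbee_t)` in the bitlbee.te hunk grants read access to the whole proc_t tree, which is broad for an IRC gateway, and the change carries no indication of which /proc entry bitlbee actually reads. A comment above the rule naming the file, e.g. `# reads /proc/[path placeholder] at startup`, would justify the wide interface or make it obvious that a narrower one fits. The surrounding bitlbee.te rules are outside the hunk.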
@@ -10570,6 +10619,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
 +allow session_bus_type dbusd_unconfined:dbus send_msg;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.6.10/policy/modules/services/dcc.fc
+--- nsaserefpolicy/policy/modules/services/dcc.fc 2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/dcc.fc 2009-03-27 08:55:46.000000000 -0400
+@@ -11,6 +11,7 @@
+ /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+ 
+ /var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
++/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+ /var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+ 
+ /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.10/policy/modules/services/dcc.te
 --- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.10/policy/modules/services/dcc.te 2009-03-24 09:03:48.000000000 -0400
@@ -12833,8 +12893,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.10/policy/modules/services/lircd.te
 --- nsaserefpolicy/policy/modules/services/lircd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/lircd.te 2009-03-24 09:03:48.000000000 -0400
-@@ -0,0 +1,51 @@
++++ serefpolicy-3.6.10/policy/modules/services/lircd.te 2009-03-27 09:36:23.000000000 -0400
+@@ -0,0 +1,55 @@
 +policy_module(lircd,1.0.0)
 +
 +########################################
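Review bot: The new `/var/lib/dcc(/.*)?` entry in the dcc.fc hunk labels everything under the new directory dcc_var_t, but the more specific `/var/dcc/map -- ... dcc_client_map_t` entry just below it still covers only the old location. If the map file moved together with the directory it needs its own entry, `/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)`, otherwise it silently takes dcc_var_t and any rule written against dcc_client_map_t no longer applies to it. The second hunk on this line only updates the lircd.te header counts.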
@@ -12883,8 +12943,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +logging_send_syslog_msg(lircd_t)
 +
-+miscfiles_read_localization(lircd_t)
++files_read_etc_files(lircd_t)
++files_list_var(lircd_t)
++files_manage_generic_locks(lircd_t)
++files_read_all_locks(lircd_t)
 +
++miscfiles_read_localization(lircd_t)
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.10/policy/modules/services/mailman.fc
 --- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400
@@ -13062,7 +13126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -#')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.10/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/mta.if 2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/mta.if 2009-03-27 09:50:44.000000000 -0400
 @@ -130,6 +130,15 @@
  sendmail_create_log($1_mail_t)
  ')
@@ -13130,6 +13194,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
+@@ -806,6 +818,7 @@
+ ')
+ 
+ files_search_spool($1)
++ manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.10/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.10/policy/modules/services/mta.te 2009-03-24 09:03:48.000000000 -0400
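Review bot: `files_manage_generic_locks(lircd_t)` and `files_read_all_locks(lircd_t)` in the lircd.te hunk let lircd create and delete any generically labeled file under /var/lock and read every other domain's lock files, which is wider than a daemon holding a single device lock needs. If the lock is lircd's own, a dedicated lock type (constructed name `lircd_lock_t`) with `files_lock_filetrans(lircd_t, lircd_lock_t, file)` would keep the grant to that file; if reading all locks is needed for a serial-port lock check, a comment saying so would explain why both interfaces are present. lircd.te's module header and remaining rules are outside this hunk.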
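Review bot: `manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)` in the mta.if hunk extends the interface from managing queue files to also creating and removing queue directories, but the interface's summary block, which begins outside the hunk, is not updated to say so. Since a caller can now delete mqueue spool directories outright, the summary should read along the lines of `## Create, read, write, and delete mail queue directories and files.` so that policy authors choose it deliberately. The middle hunk on this line only changes a timestamp.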
@@ -21169,7 +21241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.10/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/virt.if 2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/virt.if 2009-03-27 13:53:49.000000000 -0400
 @@ -2,28 +2,6 @@
  
  ########################################
@@ -21264,7 +21336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## All of the rules required to administrate
  ## an virt environment
  ##
-@@ -327,3 +341,50 @@
+@@ -327,3 +341,53 @@
  virt_manage_log($1)
  ')
  
@@ -21310,6 +21382,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
 + fs_getattr_tmpfs($1_t)
 +
++ fs_read_noxattr_fs_files($1_t)
++ fs_dontaudit_write_noxattr_fs_files($1_t)
++
 + optional_policy(`
 + xserver_common_app($1_t)
 + ')
@@ -24700,7 +24775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.10/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/logging.if 2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/logging.if 2009-03-27 09:08:50.000000000 -0400
 @@ -623,7 +623,7 @@
  ')
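Review bot: The virt.if template hunk adds `fs_read_noxattr_fs_files($1_t)` and `fs_dontaudit_write_noxattr_fs_files($1_t)` for every domain the template generates, giving each `$1_t` read access to all files on filesystems without xattr support, with no comment recording why. A line such as `# VM images may live on noxattr media (e.g. vfat/iso9660): allow reads, silence write attempts` above the pair would document the intent. `fs_dontaudit_write_noxattr_fs_files` is defined by this same patch in filesystem.if, so this hunk depends on that one being applied. The template's beginning and end are outside the hunk, and the first two hunks on this line are a timestamp and a header-count change.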