diff --git a/policy-20090105.patch b/policy-20090105.patch index 5e7b769..5e28ed7 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -475,7 +475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.12/policy/modules/admin/dmesg.te --- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te 2009-05-07 14:53:23.000000000 -0400 @@ -9,6 +9,7 @@ type dmesg_t; type dmesg_exec_t; @@ -484,7 +484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -20,12 +21,14 @@ +@@ -20,12 +21,16 @@ allow dmesg_t self:process signal_perms; @@ -496,10 +496,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_list_proc(dmesg_t) kernel_read_proc_symlinks(dmesg_t) +dev_read_kmsg(dmesg_t) ++ ++mls_process_read_all_levels(dmesg_t) dev_read_sysfs(dmesg_t) -@@ -35,7 +38,7 @@ +@@ -35,7 +40,7 @@ domain_use_interactive_fds(dmesg_t) @@ -1246,7 +1248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-05-07 14:59:51.000000000 -0400 @@ -9,6 +9,8 @@ type rpm_t; type rpm_exec_t; 
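Review bot: `mls_process_read_all_levels(dmesg_t)` is added to dmesg.te with no comment recording why dmesg needs to read process state across all MLS levels; the mls_* interfaces are constraint exemptions rather than ordinary allow rules, and from this hunk alone a reviewer cannot tell whether the grant is required or just silences a denial. A one-line justification above it, e.g. `# MLS exemption: <reason dmesg must read process state at all levels>` filled in with the actual reason, would let the next revision re-check it. The new line also lands between `dev_read_kmsg(dmesg_t)` and `dev_read_sysfs(dmesg_t)`, splitting the dev_* calls; placing it after them would keep that group together.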
@@ -1293,20 +1295,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -87,8 +96,12 @@ +@@ -87,8 +96,13 @@ manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) +manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) +files_pid_filetrans(rpm_t, rpm_var_run_t, file) + ++kernel_read_network_state(rpm_t) kernel_read_system_state(rpm_t) kernel_read_kernel_sysctls(rpm_t) +kernel_read_network_state_symlinks(rpm_t) corecmd_exec_all_executables(rpm_t) -@@ -108,13 +121,16 @@ +@@ -108,13 +122,16 @@ dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) @@ -1323,7 +1326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_file_read_all_levels(rpm_t) mls_file_write_all_levels(rpm_t) -@@ -132,6 +148,8 @@ +@@ -132,6 +149,8 @@ # for installing kernel packages storage_raw_read_fixed_disk(rpm_t) @@ -1332,7 +1335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) auth_dontaudit_read_shadow(rpm_t) -@@ -155,6 +173,7 @@ +@@ -155,6 +174,7 @@ files_exec_etc_files(rpm_t) init_domtrans_script(rpm_t) @@ -1340,7 +1343,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -174,17 +193,28 @@ +@@ -174,17 +194,28 @@ ') optional_policy(` @@ -1370,7 +1373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ifdef(`TODO',` -@@ -210,8 +240,8 @@ +@@ -210,8 +241,8 @@ # rpm-script Local policy # 
@@ -1381,7 +1384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -222,12 +252,15 @@ +@@ -222,12 +253,15 @@ allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; @@ -1397,7 +1400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -239,6 +272,9 @@ +@@ -239,6 +273,9 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) @@ -1407,7 +1410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(rpm_script_t) -@@ -255,6 +291,7 @@ +@@ -255,6 +292,7 @@ fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) @@ -1415,7 +1418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mcs_killall(rpm_script_t) mcs_ptrace_all(rpm_script_t) -@@ -272,14 +309,19 @@ +@@ -272,14 +310,19 @@ storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) @@ -1435,7 +1438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -291,6 +333,7 @@ +@@ -291,6 +334,7 @@ files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) files_exec_usr_files(rpm_script_t) 
@@ -1443,7 +1446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_domtrans_script(rpm_script_t) -@@ -308,12 +351,15 @@ +@@ -308,12 +352,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1459,7 +1462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -326,13 +372,18 @@ +@@ -326,13 +373,18 @@ ') optional_policy(` @@ -4490,10 +4493,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive sambagui_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.12/policy/modules/apps/screen.fc --- nsaserefpolicy/policy/modules/apps/screen.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/screen.fc 2009-05-02 07:46:25.000000000 -0400 -@@ -13,3 +13,4 @@ ++++ serefpolicy-3.6.12/policy/modules/apps/screen.fc 2009-05-07 10:29:37.000000000 -0400 +@@ -11,5 +11,5 @@ + # + # /var # - /var/run/screens?/S-[^/]+ -d gen_context(system_u:object_r:screen_dir_t,s0) +-/var/run/screens?/S-[^/]+ -d gen_context(system_u:object_r:screen_dir_t,s0) /var/run/screens?/S-[^/]+/.* <> +/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if 
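Review bot: The new screen.fc entry `/var/run/screen(/.*)?` matches only the singular directory, whereas the line it replaces, `/var/run/screens?/S-[^/]+ -d`, also matched `/var/run/screens`; on a system that uses the plural path the session directories would no longer receive `screen_var_run_t` from this entry. The untouched context line `/var/run/screens?/S-[^/]+/.* <>` still refers to the plural form, so the two entries now disagree about the path. If the plural form is still in use, `/var/run/screens?(/.*)?	gen_context(system_u:object_r:screen_var_run_t,s0)` keeps the previous coverage; otherwise the `<>` line should be brought in line in the same change.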
@@ -4524,6 +4529,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t) + manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.6.12/policy/modules/apps/screen.te +--- nsaserefpolicy/policy/modules/apps/screen.te 2009-01-19 11:03:28.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/apps/screen.te 2009-05-07 10:30:00.000000000 -0400 +@@ -6,9 +6,6 @@ + # Declarations + # + +-type screen_dir_t; +-files_pid_file(screen_dir_t) +- + type screen_exec_t; + application_executable_file(screen_exec_t) + +@@ -24,7 +21,7 @@ + ubac_constrained(screen_tmp_t) + + type screen_var_run_t; +-typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; ++typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t screen_dir_t }; + typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t }; + files_pid_file(screen_var_run_t) + ubac_constrained(screen_var_run_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te --- nsaserefpolicy/policy/modules/apps/uml.te 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/uml.te 2009-04-28 11:42:33.000000000 -0400 
@@ -4897,7 +4924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-05-05 18:05:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-05-07 15:02:13.000000000 -0400 @@ -32,6 +32,8 @@ # # /etc @@ -4917,15 +4944,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -210,6 +215,7 @@ +@@ -209,7 +214,10 @@ + /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) -@@ -299,3 +305,20 @@ +@@ -299,3 +307,20 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -5211,7 +5241,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type urandom_device_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-05-07 10:28:45.000000000 -0400 +@@ -1,4 +1,4 @@ +-## Core policy for domains. ++# Core policy for domains. + ## + ## Contains the concept of a domain. + ## @@ -525,7 +525,7 @@ ') @@ -5447,7 +5483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-30 14:18:05.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-07 10:31:31.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -5599,7 +5635,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3390,6 +3495,24 @@ +@@ -2820,6 +2925,7 @@ + ') + + allow $1 modules_object_t:dir search_dir_perms; ++ read_link_file_pattern($1, modules_object_t, modules_object_t) + ') + + ######################################## +@@ -3390,6 +3496,24 @@ ######################################## ## 
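Review bot: Changing the first line of domain.if from `## Core policy for domains.` to `# Core policy for domains.` turns it into an ordinary comment while the lines after it keep the `##` prefix used for interface documentation; if the documentation tooling reads the `##` lines, the module summary disappears while its description lines remain, and the hunk gives no reason for the change. If the intent is to hide the summary from the generated documentation, a short comment saying so would make that explicit; otherwise restoring the `##` prefix keeps the header consistent with the lines that follow it.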
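Review bot: `read_link_file_pattern($1, modules_object_t, modules_object_t)` in files.if does not match the naming of the other link-file pattern macros visible in this diff (`read_lnk_files_pattern` in mta.if and virt.te, `manage_lnk_files_pattern` in screen.if), so this looks like a typo; an undefined m4 macro is left unexpanded and the policy build would then fail on it. The intended line is presumably `read_lnk_files_pattern($1, modules_object_t, modules_object_t)`. The interface enclosing this hunk starts outside it.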
@@ -5624,7 +5668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read all tmp files. ## ## -@@ -3456,6 +3579,8 @@ +@@ -3456,6 +3580,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -5633,7 +5677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3546,7 +3671,7 @@ +@@ -3546,7 +3672,7 @@ type usr_t; ') @@ -5642,7 +5686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3564,7 +3689,12 @@ +@@ -3564,7 +3690,12 @@ type usr_t; ') @@ -5656,7 +5700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4413,6 +4543,28 @@ +@@ -4413,6 +4544,28 @@ ######################################## ## @@ -5685,7 +5729,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create an object in the locks directory, with a private ## type using a type transition. ## -@@ -4532,7 +4684,8 @@ +@@ -4532,7 +4685,8 @@ type var_t, var_run_t; ') @@ -5695,7 +5739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4873,7 +5026,7 @@ +@@ -4873,7 +5027,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting @@ -5704,7 +5748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4895,12 +5048,15 @@ +@@ -4895,12 +5049,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) 
@@ -5721,7 +5765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -4921,3 +5077,114 @@ +@@ -4921,3 +5078,114 @@ typeattribute $1 files_unconfined_type; ') @@ -6257,6 +6301,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_type($1) + mls_trusted_object($1) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.12/policy/modules/kernel/storage.fc +--- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-03-05 12:28:57.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/kernel/storage.fc 2009-05-07 14:55:19.000000000 -0400 +@@ -57,7 +57,7 @@ + + /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + +-/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh) ++/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) + /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) + + /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.12/policy/modules/kernel/terminal.fc --- nsaserefpolicy/policy/modules/kernel/terminal.fc 2008-08-07 11:15:01.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/kernel/terminal.fc 2009-04-23 09:44:57.000000000 -0400 
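Review bot: The `/dev/fuse` context is lowered from `mls_systemhigh` to `s0` with no comment explaining why, while the neighbouring fixed-disk entries in the same storage.fc hunk stay at `mls_systemhigh`; under an MLS policy this makes the FUSE control device reachable from domains at the low level, which is a deliberate policy decision that should be recorded where it is made. A comment such as `# /dev/fuse is s0 because <reason>` above the entry would let a later reviewer confirm it is still intended.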
@@ -9661,6 +9717,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.12/policy/modules/services/apm.te +--- nsaserefpolicy/policy/modules/services/apm.te 2009-02-16 08:44:12.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/apm.te 2009-05-07 14:35:37.000000000 -0400 +@@ -123,6 +123,7 @@ + libs_exec_lib_files(apmd_t) + + logging_send_syslog_msg(apmd_t) ++logging_send_audit_msgs(apmd_t) + + miscfiles_read_localization(apmd_t) + miscfiles_read_hwdata(apmd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.6.12/policy/modules/services/audioentropy.te --- nsaserefpolicy/policy/modules/services/audioentropy.te 2009-01-05 15:39:43.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/audioentropy.te 2009-04-23 09:44:57.000000000 -0400 @@ -10598,7 +10665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.12/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cron.fc 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/cron.fc 2009-05-07 15:06:38.000000000 -0400 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) 
@@ -10617,7 +10684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -@@ -41,7 +42,11 @@ +@@ -41,7 +42,12 @@ #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) /var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) @@ -10630,6 +10697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) ++/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.12/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/cron.if 2009-04-23 09:44:57.000000000 -0400 @@ -10940,7 +11008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-05-07 15:05:29.000000000 -0400 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) 
@@ -10974,7 +11042,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type system_cron_spool_t, cron_spool_type; files_type(system_cron_spool_t) -@@ -98,11 +108,18 @@ +@@ -82,6 +92,7 @@ + init_daemon_domain(system_cronjob_t, anacron_exec_t) + corecmd_shell_entry_type(system_cronjob_t) + role system_r types system_cronjob_t; ++domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) + + type system_cronjob_lock_t alias system_crond_lock_t; + files_lock_file(system_cronjob_lock_t) +@@ -98,11 +109,18 @@ # Type of user crontabs once moved to cron spool. type user_cron_spool_t, cron_spool_type; @@ -10994,7 +11070,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Admin crontab local policy -@@ -130,7 +147,7 @@ +@@ -130,7 +148,7 @@ # Cron daemon local policy # @@ -11003,11 +11079,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; -@@ -146,20 +163,20 @@ +@@ -146,20 +164,23 @@ allow crond_t self:msg { send receive }; allow crond_t self:key { search write link }; -allow crond_t crond_var_run_t:file manage_file_perms; ++manage_files_pattern(crond_t, cron_log_t, cron_log_t) ++logging_log_filetrans(crond_t, cron_log_t, file) ++ +manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) files_pid_filetrans(crond_t,crond_var_run_t,file) @@ -11029,7 +11108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_key(crond_t) dev_read_sysfs(crond_t) -@@ -174,6 +191,7 @@ +@@ -174,6 +195,7 @@ fs_getattr_all_fs(crond_t) fs_search_auto_mountpoints(crond_t) 
@@ -11037,7 +11116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # need auth_chkpwd to check for locked accounts. auth_domtrans_chk_passwd(crond_t) -@@ -183,7 +201,11 @@ +@@ -183,7 +205,11 @@ corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) @@ -11049,7 +11128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(crond_t) files_read_generic_spool(crond_t) files_list_usr(crond_t) -@@ -192,10 +214,15 @@ +@@ -192,10 +218,15 @@ files_search_default(crond_t) init_rw_utmp(crond_t) @@ -11065,7 +11144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -208,6 +235,7 @@ +@@ -208,6 +239,7 @@ userdom_list_user_home_dirs(crond_t) mta_send_mail(crond_t) @@ -11073,7 +11152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian',` # pam_limits is used -@@ -227,21 +255,44 @@ +@@ -227,21 +259,45 @@ ') ') @@ -11092,6 +11171,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + # these should probably be unconfined_crond_t ++ dbus_system_bus_client(crond_t) + init_dbus_send_script(crond_t) +') + @@ -11119,7 +11199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -268,8 +319,8 @@ +@@ -268,8 +324,8 @@ # System cron process domain # @@ -11130,7 +11210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -283,7 +334,14 @@ +@@ -283,7 +339,14 @@ allow system_cronjob_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) 
@@ -11145,7 +11225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -303,6 +361,7 @@ +@@ -303,6 +366,7 @@ allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -11153,7 +11233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -314,9 +373,13 @@ +@@ -314,9 +378,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -11168,7 +11248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -345,6 +408,7 @@ +@@ -345,6 +413,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) @@ -11176,7 +11256,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # quiet other ps operations domain_dontaudit_read_all_domains_state(system_cronjob_t) -@@ -370,7 +434,8 @@ +@@ -370,7 +439,8 @@ init_read_utmp(system_cronjob_t) init_dontaudit_rw_utmp(system_cronjob_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -11186,7 +11266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(system_cronjob_t) -@@ -378,6 +443,7 @@ +@@ -378,6 +448,7 @@ libs_exec_ld_so(system_cronjob_t) logging_read_generic_logs(system_cronjob_t) 
@@ -11194,7 +11274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) -@@ -418,6 +484,10 @@ +@@ -418,6 +489,10 @@ ') optional_policy(` @@ -11205,7 +11285,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ftp_read_log(system_cronjob_t) ') -@@ -428,11 +498,20 @@ +@@ -428,11 +503,20 @@ ') optional_policy(` @@ -11226,7 +11306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -447,6 +526,7 @@ +@@ -447,6 +531,7 @@ prelink_read_cache(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_delete_cache(system_cronjob_t) @@ -11234,7 +11314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -460,8 +540,7 @@ +@@ -460,8 +545,7 @@ ') optional_policy(` @@ -11244,7 +11324,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -469,24 +548,17 @@ +@@ -469,24 +553,17 @@ ') optional_policy(` @@ -11272,7 +11352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cronjob_t self:process { signal_perms setsched }; allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; -@@ -570,6 +642,9 @@ +@@ -570,6 +647,9 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) 
@@ -13501,14 +13581,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_file(fetchmail_var_run_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.12/policy/modules/services/fprintd.fc --- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc 2009-04-28 15:26:41.000000000 -0400 -@@ -0,0 +1,2 @@ ++++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc 2009-05-07 10:07:34.000000000 -0400 +@@ -0,0 +1,4 @@ + +/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0) ++ ++/var/lib/fprint gen_context(system_u:object_r:fprintd_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.12/policy/modules/services/fprintd.if --- nsaserefpolicy/policy/modules/services/fprintd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-05-01 09:45:48.000000000 -0400 -@@ -0,0 +1,42 @@ ++++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-05-07 10:09:49.000000000 -0400 +@@ -0,0 +1,43 @@ + +## policy for fprintd + 
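Review bot: The new fprintd.fc entry `/var/lib/fprint gen_context(system_u:object_r:fprintd_var_lib_t,s0)` labels only the directory itself, not its contents, because it lacks the `(/.*)?` suffix that comparable entries in this diff use (`/var/lib/glpi/files(/.*)?` in cron.fc); on a relabel, files under it would fall back to whichever broader `/var/lib` entry the base policy has for them rather than `fprintd_var_lib_t`. The accompanying fprintd.te hunk adds `files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })`, which covers files created at runtime but not a restorecon. `/var/lib/fprint(/.*)?	gen_context(system_u:object_r:fprintd_var_lib_t,s0)` would cover both cases.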
@@ -13551,10 +13633,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 fprintd_t:dbus send_msg; + allow fprintd_t $1:dbus send_msg; +') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-04-29 10:10:42.000000000 -0400 -@@ -0,0 +1,41 @@ ++++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-05-07 10:09:32.000000000 -0400 +@@ -0,0 +1,48 @@ +policy_module(fprintd,1.0.0) + +######################################## @@ -13566,9 +13649,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type fprintd_exec_t; +dbus_system_domain(fprintd_t, fprintd_exec_t) + ++type fprintd_var_lib_t; ++files_type(fprintd_var_lib_t) ++ +allow fprintd_t self:fifo_file rw_fifo_file_perms; +allow fprintd_t self:process { getsched signal }; + ++manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) ++manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) ++files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file }) ++ +corecmd_search_bin(fprintd_t) + +dev_rw_generic_usb_dev(fprintd_t) @@ -15270,7 +15360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-04-30 08:19:03.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-05-07 14:39:20.000000000 -0400 
@@ -130,6 +130,15 @@ sendmail_create_log($1_mail_t) ') @@ -15309,7 +15399,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -591,8 +603,8 @@ +@@ -446,6 +458,25 @@ + + ######################################## + ## ++## write mail server configuration. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`mta_write_config',` ++ gen_require(` ++ type etc_mail_t; ++ ') ++ ++ write_files_pattern($1, etc_mail_t, etc_mail_t) ++') ++ ++######################################## ++## + ## Read mail address aliases. + ## + ## +@@ -591,8 +622,8 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -15320,7 +15436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -612,7 +624,7 @@ +@@ -612,7 +643,7 @@ ') files_dontaudit_search_spool($1) @@ -15329,7 +15445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit $1 mail_spool_t:lnk_file read; dontaudit $1 mail_spool_t:file getattr; ') -@@ -665,7 +677,7 @@ +@@ -665,7 +696,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -15338,7 +15454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -806,6 +818,7 @@ +@@ -806,6 +837,7 @@ ') files_search_spool($1) 
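Review bot: The summary of the new `mta_write_config` interface reads `write mail server configuration.` in lower case, unlike the neighbouring `Read mail address aliases.`; `Write mail server configuration.` would match the file's style. The interface grants `write_files_pattern($1, etc_mail_t, etc_mail_t)`, i.e. write access to the mail server's configuration files, which is a sensitive grant for a confined domain; a sentence in the description naming the intended caller, or why a domain must modify rather than read the configuration, would help reviewers keep its use narrow.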
@@ -24189,7 +24305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-05 16:45:39.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-07 13:00:34.000000000 -0400 @@ -8,19 +8,31 @@ ## @@ -24283,20 +24399,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -67,7 +106,11 @@ +@@ -67,7 +106,12 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) -manage_files_pattern(virtd_t, virt_image_type, virt_image_type) +virtual_manage_image(virtd_t) +virtual_image_relabel(virtd_t) ++virtual_read_all_domains_state(virtd_t) + +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -86,6 +129,7 @@ +@@ -86,6 +130,7 @@ kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) kernel_load_module(virtd_t) @@ -24304,7 +24421,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -96,7 +140,7 @@ +@@ -96,7 +141,7 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) 
@@ -24313,7 +24430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t) -@@ -104,21 +148,39 @@ +@@ -104,21 +149,40 @@ dev_read_sysfs(virtd_t) dev_read_rand(virtd_t) @@ -24325,6 +24442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +domain_read_all_domains_state(virtd_t) +domain_obj_id_change_exemption(virtd_t) +domain_subj_id_change_exemption(virtd_t) ++domain_read_all_domains_state(virtd_t) files_read_usr_files(virtd_t) files_read_etc_files(virtd_t) @@ -24354,7 +24472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_getattr_pty_fs(virtd_t) term_use_ptmx(virtd_t) -@@ -129,6 +191,13 @@ +@@ -129,6 +193,13 @@ logging_send_syslog_msg(virtd_t) @@ -24368,7 +24486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_all_users_state(virtd_t) tunable_policy(`virt_use_nfs',` -@@ -167,22 +236,34 @@ +@@ -167,22 +238,34 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) @@ -24408,7 +24526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -195,8 +276,88 @@ +@@ -195,8 +278,88 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) 
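Review bot: The added `domain_read_all_domains_state(virtd_t)` duplicates the identical line immediately above it in the same hunk, so virt.te ends up with the call twice; drop the added line. This is the same kind of duplicate the previous changelog entry on this page says was removed, so it looks like a rebase artifact rather than an intended change. Together with `virtual_read_all_domains_state(virtd_t)` added earlier in this file, virtd_t's /proc read grants now overlap three times; one of them is enough.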
@@ -24592,7 +24710,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-04-30 17:44:47.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-05-07 14:58:55.000000000 -0400 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -24732,7 +24850,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -738,6 +738,7 @@ +@@ -680,6 +680,7 @@ + + files_search_tmp($1) + stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) ++ xserver_common_app($1) + ') + + ######################################## +@@ -738,6 +739,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -24740,7 +24866,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -756,7 +757,26 @@ +@@ -756,7 +758,26 @@ ') files_search_pids($1) @@ -24768,7 +24894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -779,6 +799,50 @@ +@@ -779,6 +800,50 @@ ######################################## ## @@ -24819,7 +24945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -872,6 +936,27 @@ +@@ -872,6 +937,27 @@ ######################################## ## 
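Review bot: Calling `xserver_common_app($1)` from inside the xdm stream-connect interface (the interface's header is outside the hunk) silently widens what every existing caller of that interface receives; the body of xserver_common_app is not in this hunk, so if it grants more than the unix-socket connect, callers that only wanted the socket now get it too. Prefer to have callers invoke `xserver_common_app` themselves, or at least extend the interface's summary to state that the common X client permissions are granted as well. The same nesting is repeated for the xserver_t stream-connect interface later on this page.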
@@ -24847,7 +24973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write the X server ## log files. ## -@@ -1018,10 +1103,11 @@ +@@ -1018,10 +1104,11 @@ # interface(`xserver_domtrans',` gen_require(` @@ -24860,7 +24986,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1159,6 +1245,275 @@ +@@ -1136,6 +1223,7 @@ + + files_search_tmp($1) + stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) ++ xserver_common_app($1) + ') + + ######################################## +@@ -1159,6 +1247,275 @@ ######################################## ## @@ -25136,7 +25270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1172,7 +1527,102 @@ +@@ -1172,7 +1529,102 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; @@ -26753,7 +26887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-24 08:59:22.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-05-07 14:39:32.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -27030,7 +27164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -647,6 +728,11 @@ +@@ -647,20 +728,20 @@ ') optional_policy(` 
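Review bot: The `xserver_common_app($1)` call nested into the xserver_t stream-connect interface makes the interface's name and summary (both outside the hunk) no longer describe what it grants; if the nesting stays, update the summary to say that common X client permissions are granted alongside the socket connect, e.g. `## Connect to the X server's unix socket and grant the common X client permissions.`. As with the xdm variant earlier on this page, every existing caller of this interface is widened without opting in, which is worth calling out in the changelog.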
@@ -27042,8 +27176,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_list_data(initrc_t) mailman_read_data_symlinks(initrc_t) ') -@@ -655,12 +741,6 @@ + + optional_policy(` mta_read_config(initrc_t) ++ mta_write_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') -# cjp: require doesnt work in the else of optionals :\ @@ -27055,7 +27191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -719,8 +799,6 @@ +@@ -719,8 +800,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -27064,7 +27200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -733,10 +811,12 @@ +@@ -733,10 +812,12 @@ squid_manage_logs(initrc_t) ') @@ -27077,7 +27213,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +834,11 @@ +@@ -754,6 +835,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -27089,7 +27225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -765,6 +850,13 @@ +@@ -765,6 +851,13 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -27103,7 +27239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -790,3 +882,35 @@ +@@ -790,3 +883,35 @@ optional_policy(` zebra_read_config(initrc_t) ') 
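Review bot: `mta_write_config(initrc_t)` gives every init script write access to all etc_mail_t files, but the hunk does not say which script needs it; add a why-comment on the line, e.g. `# init script rewrites MTA configuration under /etc/mail`, naming the actual script once confirmed. The interface as defined earlier on this page grants write_file_perms only, so if the script creates or replaces files under /etc/mail rather than rewriting them in place, the denials will merely move to create/rename — run the script under enforcing mode before closing the bug. The optional_policy block containing this call starts outside the hunk.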
@@ -30479,7 +30615,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-06 08:49:37.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-07 10:23:04.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -32506,8 +32642,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No application file contexts. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.12/policy/modules/system/virtual.if --- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-04-23 09:44:57.000000000 -0400 -@@ -0,0 +1,114 @@ ++++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-05-07 10:24:35.000000000 -0400 +@@ -0,0 +1,135 @@ +## Virtual machine emulator and virtualizer + +######################################## 
@@ -32622,6 +32758,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 virtualdomain:process { setsched transition signal signull sigkill }; +') + ++ ++######################################## ++## ++## Read the process state of all virtual domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virtual_read_all_domains_state',` ++ gen_require(` ++ attribute virtualdomain; ++ ') ++ ++ read_files_pattern($1,virtualdomain,virtualdomain) ++ read_lnk_files_pattern($1,virtualdomain,virtualdomain) ++ kernel_search_proc($1) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te --- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-04-23 09:44:57.000000000 -0400 
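Review bot: The new `virtual_read_all_domains_state` interface drops the spaces after commas that every other call on this page uses (compare `read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)`); write `read_files_pattern($1, virtualdomain, virtualdomain)` and `read_lnk_files_pattern($1, virtualdomain, virtualdomain)`. The hunk also inserts two blank lines before the `####` banner where the file's other interfaces use one. Functionally the interface appears to be a per-attribute copy of domain_read_all_domains_state, which virtd_t already calls, so it only earns its place if some caller must read virtual-domain /proc state without the broader grant; the summary should say that is the intent.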
@@ -33122,7 +33279,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.12/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt 2009-04-30 18:02:45.000000000 -0400 ++++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt 2009-05-07 10:32:41.000000000 -0400 +@@ -201,7 +201,7 @@ + define(`setattr_file_perms',`{ setattr }') + define(`read_file_perms',`{ getattr open read lock ioctl }') + define(`mmap_file_perms',`{ getattr open read execute ioctl }') +-define(`exec_file_perms',`{ getattr open read execute execute_no_trans }') ++define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') + define(`append_file_perms',`{ getattr open append lock ioctl }') + define(`write_file_perms',`{ getattr open write append lock ioctl }') + define(`rw_file_perms',`{ getattr open read write append ioctl lock }') @@ -225,7 +225,7 @@ define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') diff --git a/selinux-policy.spec b/selinux-policy.spec index 30db0f9..905224c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 30%{?dist} +Release: 31%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -477,6 +477,9 @@ exit 0 %endif %changelog +* Thu May 7 2009 Dan Walsh 3.6.12-31 +- Add policy for /var/lib/fprint + * Tue May 5 2009 Dan Walsh 3.6.12-30 -Remove duplicate line
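Review bot: Adding `ioctl` to `exec_file_perms` is a policy-wide widening — every rule built on this permission set gains ioctl on the executable's type — yet the spec changelog in this same commit mentions only `/var/lib/fprint`, so the change is invisible to anyone reading the release notes; add a line such as `- Add ioctl to exec_file_perms`. The change itself is consistent with `read_file_perms` and `mmap_file_perms`, which already carry ioctl, so the risk is small, but it should be recorded as deliberate rather than arriving silently. No fprint-related hunk is visible on this page, so the changelog entry and the diff do not obviously describe the same work.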