diff --git a/.cvsignore b/.cvsignore
index f8e70ba..9053fff 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -162,3 +162,4 @@ serefpolicy-3.6.4.tgz
 serefpolicy-3.6.5.tgz
 serefpolicy-3.6.6.tgz
 serefpolicy-3.6.7.tgz
+serefpolicy-3.6.8.tgz
diff --git a/modules-minimum.conf b/modules-minimum.conf
index d8f2052..1f07777 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -749,13 +749,6 @@ lvm = base
 #
 mailman = module
-# Layer: services
-# Module: mailscanner
-#
-# Anti-Virus and Anti-Spam Filter
-#
-mailscanner = module
-
 # Layer: kernel
 # Module: mcs
 # Required in base
diff --git a/modules-mls.conf b/modules-mls.conf
index debd8ff..6a679d5 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -742,13 +742,6 @@ lvm = base
 #
 mailman = module
-# Layer: services
-# Module: mailscanner
-#
-# Anti-Virus and Anti-Spam Filter
-#
-mailscanner = module
-
 # Layer: kernel
 # Module: mcs
 # Required in base
diff --git a/modules-targeted.conf b/modules-targeted.conf
index d8f2052..1f07777 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -749,13 +749,6 @@ lvm = base
 #
 mailman = module
-# Layer: services
-# Module: mailscanner
-#
-# Anti-Virus and Anti-Spam Filter
-#
-mailscanner = module
-
 # Layer: kernel
 # Module: mcs
 # Required in base
diff --git a/policy-20090105.patch b/policy-20090105.patch
index 80d80f2..dec96d0 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
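Review bot: Dropping `mailscanner = module` from modules-minimum.conf (and identically from modules-mls.conf and modules-targeted.conf) only stops the module from being built; nothing in this diff shows the module sources going away or the installed module being removed from the module store, so as far as I can tell a system upgraded from a build that shipped mailscanner keeps the old module loaded until it is explicitly removed. If the sources were dropped upstream, a one-line commit message note saying so would make the three identical hunks self-explanatory; if they still exist in the tree, they are now silently dead code.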
@@ -1,6 +1,6 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.7/config/appconfig-mcs/default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.8/config/appconfig-mcs/default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mcs/default_contexts 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mcs/default_contexts 2009-03-05 15:25:24.000000000 -0500
 @@ -1,15 +1,6 @@
 -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -22,15 +22,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
 +system_r:xdm_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.7/config/appconfig-mcs/failsafe_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.8/config/appconfig-mcs/failsafe_context
 --- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.7/config/appconfig-mcs/failsafe_context 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mcs/failsafe_context 2009-03-05 15:25:24.000000000 -0500
@@ -1 +1 @@
 -sysadm_r:sysadm_t:s0
 +system_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.6.7/config/appconfig-mcs/guest_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.6.8/config/appconfig-mcs/guest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mcs/guest_u_default_contexts 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mcs/guest_u_default_contexts 2009-03-05 15:25:24.000000000 -0500
 @@ -0,0 +1,6 @@
 +system_r:local_login_t:s0 guest_r:guest_t:s0
 +system_r:remote_login_t:s0 guest_r:guest_t:s0
@@ -38,9 +38,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +system_r:crond_t:s0 guest_r:guest_t:s0
 +system_r:initrc_su_t:s0 guest_r:guest_t:s0
 +guest_r:guest_t:s0 guest_r:guest_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.7/config/appconfig-mcs/root_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.8/config/appconfig-mcs/root_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mcs/root_default_contexts 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mcs/root_default_contexts 2009-03-05 15:25:24.000000000 -0500
 @@ -1,11 +1,7 @@
 -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -55,18 +55,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 #
 -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.7/config/appconfig-mcs/seusers
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.8/config/appconfig-mcs/seusers
 --- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.7/config/appconfig-mcs/seusers 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mcs/seusers 2009-03-05 15:25:24.000000000 -0500
 @@ -1,3 +1,3 @@
 system_u:system_u:s0-mcs_systemhigh
 -root:root:s0-mcs_systemhigh
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
 +__default__:unconfined_u:s0-mcs_systemhigh
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.7/config/appconfig-mcs/staff_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.8/config/appconfig-mcs/staff_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mcs/staff_u_default_contexts 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mcs/staff_u_default_contexts 2009-03-05 15:25:24.000000000 -0500
 @@ -1,10 +1,12 @@
 system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 system_r:remote_login_t:s0 staff_r:staff_t:s0
@@ -81,9 +81,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
 sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.7/config/appconfig-mcs/unconfined_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.8/config/appconfig-mcs/unconfined_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mcs/unconfined_u_default_contexts 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mcs/unconfined_u_default_contexts 2009-03-05 15:25:24.000000000 -0500
 @@ -1,4 +1,4 @@
 -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0
@@ -97,15 +97,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0
 +unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
 system_r:xdm_t:s0 unconfined_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.7/config/appconfig-mcs/userhelper_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.8/config/appconfig-mcs/userhelper_context
 --- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.7/config/appconfig-mcs/userhelper_context 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mcs/userhelper_context 2009-03-05 15:25:24.000000000 -0500
@@ -1 +1 @@
 -system_u:sysadm_r:sysadm_t:s0
 +system_u:system_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.7/config/appconfig-mcs/user_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.8/config/appconfig-mcs/user_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mcs/user_u_default_contexts 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mcs/user_u_default_contexts 2009-03-05 15:25:24.000000000 -0500
 @@ -1,8 +1,9 @@
 system_r:local_login_t:s0 user_r:user_t:s0
 system_r:remote_login_t:s0 user_r:user_t:s0
@@ -118,19 +118,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 -
 +system_r:initrc_su_t:s0 user_r:user_t:s0
 +user_r:user_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.7/config/appconfig-mcs/virtual_domain_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.8/config/appconfig-mcs/virtual_domain_context
 --- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mcs/virtual_domain_context 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mcs/virtual_domain_context 2009-03-05 15:25:24.000000000 -0500
@@ -0,0 +1 @@
 +system_u:system_r:svirt_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.7/config/appconfig-mcs/virtual_image_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.8/config/appconfig-mcs/virtual_image_context
 --- nsaserefpolicy/config/appconfig-mcs/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mcs/virtual_image_context 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mcs/virtual_image_context 2009-03-05 15:25:24.000000000 -0500
 @@ -0,0 +1 @@
 +system_u:object_r:virt_image_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.6.7/config/appconfig-mcs/xguest_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.6.8/config/appconfig-mcs/xguest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mcs/xguest_u_default_contexts 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mcs/xguest_u_default_contexts 2009-03-05 15:25:24.000000000 -0500
 @@ -0,0 +1,7 @@
 +system_r:local_login_t xguest_r:xguest_t:s0
 +system_r:remote_login_t xguest_r:xguest_t:s0
@@ -139,9 +139,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +system_r:xdm_t xguest_r:xguest_t:s0
 +system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
 +xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.7/config/appconfig-mls/default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.8/config/appconfig-mls/default_contexts
 --- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mls/default_contexts 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mls/default_contexts 2009-03-05 15:25:24.000000000 -0500
 @@ -1,15 +1,6 @@
 -system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -163,17 +163,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
 +system_r:xdm_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.6.7/config/appconfig-mls/guest_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.6.8/config/appconfig-mls/guest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mls/guest_u_default_contexts 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mls/guest_u_default_contexts 2009-03-05 15:25:24.000000000 -0500
 @@ -0,0 +1,4 @@
 +system_r:local_login_t:s0 guest_r:guest_t:s0
 +system_r:remote_login_t:s0 guest_r:guest_t:s0
 +system_r:sshd_t:s0 guest_r:guest_t:s0
 +system_r:crond_t:s0 guest_r:guest_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.7/config/appconfig-mls/root_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.8/config/appconfig-mls/root_default_contexts
 --- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mls/root_default_contexts 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mls/root_default_contexts 2009-03-05 15:25:24.000000000 -0500
@@ -1,11 +1,11 @@
 -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
 -system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -192,19 +192,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 #
 -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 +#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.7/config/appconfig-mls/virtual_domain_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.8/config/appconfig-mls/virtual_domain_context
 --- nsaserefpolicy/config/appconfig-mls/virtual_domain_context 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mls/virtual_domain_context 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mls/virtual_domain_context 2009-03-05 15:25:24.000000000 -0500
 @@ -0,0 +1 @@
 +system_u:system_r:qemu_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.7/config/appconfig-mls/virtual_image_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.8/config/appconfig-mls/virtual_image_context
 --- nsaserefpolicy/config/appconfig-mls/virtual_image_context 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mls/virtual_image_context 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mls/virtual_image_context 2009-03-05 15:25:24.000000000 -0500
@@ -0,0 +1 @@
 +system_u:object_r:virt_image_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.6.7/config/appconfig-mls/xguest_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.6.8/config/appconfig-mls/xguest_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.7/config/appconfig-mls/xguest_u_default_contexts 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/config/appconfig-mls/xguest_u_default_contexts 2009-03-05 15:25:24.000000000 -0500
 @@ -0,0 +1,7 @@
 +system_r:local_login_t xguest_r:xguest_t:s0
 +system_r:remote_login_t xguest_r:xguest_t:s0
@@ -213,9 +213,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +system_r:xdm_t xguest_r:xguest_t:s0
 +system_r:initrc_su_t:s0 xguest_r:xguest_t:s0
 +xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.7/Makefile
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.8/Makefile
 --- nsaserefpolicy/Makefile 2009-01-19 11:07:35.000000000 -0500
-+++ serefpolicy-3.6.7/Makefile 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/Makefile 2009-03-05 15:25:24.000000000 -0500
 @@ -241,7 +241,7 @@
 appdir := $(contextpath)
 user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -278,117 +278,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
 $(appdir)/%: $(appconf)/%
 @mkdir -p $(appdir)
 $(verbose) $(INSTALL) -m 644 $< $@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.6.7/man/man8/httpd_selinux.8
---- nsaserefpolicy/man/man8/httpd_selinux.8 2008-08-25 09:12:31.000000000 -0400
-+++ serefpolicy-3.6.7/man/man8/httpd_selinux.8 2009-03-03 17:11:59.000000000 -0500
-@@ -41,7 +41,7 @@
-
- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.
-
- .SH NOTE
--With certain policies you can define addional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
-+With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
-
- .SH SHARING FILES
- If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute:
-@@ -75,7 +75,7 @@
- .EE
-
- .PP
--httpd by default is not allowed access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. 
Set the httpd_tty_comm boolean to allow terminal access.
-+httpd by default is not allowed access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
-
- .EX
- setsebool -P httpd_tty_comm 1
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/kerberos_selinux.8 serefpolicy-3.6.7/man/man8/kerberos_selinux.8
---- nsaserefpolicy/man/man8/kerberos_selinux.8 2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.7/man/man8/kerberos_selinux.8 2009-03-03 17:11:59.000000000 -0500
-@@ -12,7 +12,7 @@
- .SH "DESCRIPTION"
-
- Security-Enhanced Linux secures the system via flexible mandatory access
--control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and addtional access to the network.
-+control. By default Kerberos access is not allowed, since it requires daemons to be allowed greater access to certain secure files and additional access to the network.
- .SH BOOLEANS
- .PP
- You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.7/man/man8/nfs_selinux.8
---- nsaserefpolicy/man/man8/nfs_selinux.8 2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.7/man/man8/nfs_selinux.8 2009-03-03 17:11:59.000000000 -0500
-@@ -1,14 +1,12 @@
--.TH "nfs_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
-+.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
- .SH "NAME"
- nfs_selinux \- Security Enhanced Linux Policy for NFS
- .SH "DESCRIPTION"
-
--Security-Enhanced Linux secures the nfs server via flexible mandatory access
-+Security Enhanced Linux secures the NFS server via flexible mandatory access
- control.
- .SH BOOLEANS
--SELinux policy is customizable based on least access required. So by
--default SElinux policy does not allow nfs to share files. If you want to
--setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean.
-+SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
-
- .TP
- setsebool -P nfs_export_all_ro 1
-@@ -18,7 +16,10 @@
- setsebool -P nfs_export_all_rw 1
-
- .TP
--If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean.
-+These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
-+
-+.TP
-+If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
- .TP
- setsebool -P use_nfs_home_dirs 1
- .TP
-@@ -26,5 +27,5 @@
- .SH AUTHOR
- This manual page was written by Dan Walsh .
-
--.SH "SEE ALSpppO"
-+.SH "SEE ALSO"
- selinux(8), chcon(1), setsebool(8)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.7/man/man8/samba_selinux.8
---- nsaserefpolicy/man/man8/samba_selinux.8 2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.7/man/man8/samba_selinux.8 2009-03-03 17:11:59.000000000 -0500
-@@ -14,11 +14,17 @@
- .TP
- chcon -t samba_share_t /var/eng
- .TP
--If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
-+To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration:
-+.TP
-+semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"
-+.TP
-+This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
- .TP
--/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local
--.br
- /var/eng(/.*)? system_u:object_r:samba_share_t
-+.TP
-+Run the restorecon command to apply the changes:
-+.TP
-+restorecon -R -v /var/eng/
-
- .SH SHARING FILES
- If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. 
So for samba you would execute:
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.7/policy/flask/access_vectors
---- nsaserefpolicy/policy/flask/access_vectors 2009-02-03 22:50:50.000000000 -0500
-+++ serefpolicy-3.6.7/policy/flask/access_vectors 2009-03-03 17:11:59.000000000 -0500
-@@ -616,6 +616,7 @@
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
-+ nlmsg_tty_audit
- }
-
- class netlink_ip6fw_socket
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.7/policy/global_tunables
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.8/policy/flask/access_vectors
+--- nsaserefpolicy/policy/flask/access_vectors 2009-03-05 10:02:34.000000000 -0500
++++ serefpolicy-3.6.8/policy/flask/access_vectors 2009-03-05 15:26:58.000000000 -0500
+@@ -157,6 +157,9 @@
+
+ class sock_file
+ inherits file
++{
++ open
++}
+
+ class fifo_file
+ inherits file
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.8/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables 2008-11-11 16:13:50.000000000 -0500
-+++ serefpolicy-3.6.7/policy/global_tunables 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/policy/global_tunables 2009-03-05 15:25:24.000000000 -0500
 @@ -61,15 +61,6 @@
 ##
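Review bot: The access_vectors part of this hunk replaces the `nlmsg_tty_audit` addition with a new `class sock_file inherits file { open }` block, and two things about the new side are not covered by the change itself. `open` on `sock_file` is only enforced by a kernel whose own class table defines that permission, so any rule in the policy that grants it should stay behind the same `open_perms` policy capability as the other `open` permissions rather than being granted unconditionally; the kernel version this build targets is not stated here, so confirm. Dropping `nlmsg_tty_audit` from the patch is only safe if the refreshed upstream access_vectors (its `---` timestamp moves from 2009-02-03 to 2009-03-05) already defines it, since any `.te` that still grants `netlink_audit_socket nlmsg_tty_audit` would otherwise fail to build; the same question applies to the four man-page hunks (httpd, kerberos, nfs, samba) removed here, whose typo fixes are lost unless upstream merged them. A one-line note in the commit message saying which of these moved upstream would make the rebase auditable.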
@@ -418,9 +323,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +gen_tunable(allow_console_login,false)
 +
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.7/policy/mcs
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.8/policy/mcs
 --- nsaserefpolicy/policy/mcs 2009-02-03 22:50:50.000000000 -0500
-+++ serefpolicy-3.6.7/policy/mcs 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/policy/mcs 2009-03-05 15:25:24.000000000 -0500
 @@ -67,7 +67,8 @@
 # Note that getattr on files is always permitted.
 #
@@ -458,9 +363,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 mlsconstrain process { transition dyntransition } (( h1 dom h2 ) or ( t1 == mcssetcats ));
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.6.7/policy/modules/admin/alsa.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.6.8/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te 2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/admin/alsa.te 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/policy/modules/admin/alsa.te 2009-03-05 15:25:24.000000000 -0500
 @@ -43,6 +43,7 @@
 dev_read_sound(alsa_t)
@@ -469,9 +374,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corecmd_exec_bin(alsa_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.7/policy/modules/admin/anaconda.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.8/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/admin/anaconda.te 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/policy/modules/admin/anaconda.te 2009-03-05 15:25:24.000000000 -0500
 @@ -31,6 +31,7 @@
 modutils_domtrans_insmod(anaconda_t)
@@ -480,9 +385,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.7/policy/modules/admin/certwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.8/policy/modules/admin/certwatch.te
 --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/admin/certwatch.te 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/policy/modules/admin/certwatch.te 2009-03-05 15:25:24.000000000 -0500
 @@ -27,15 +27,20 @@
 fs_list_inotifyfs(certwatch_t)
@@ -504,9 +409,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.6.7/policy/modules/admin/consoletype.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.6.8/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te 2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/admin/consoletype.te 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/policy/modules/admin/consoletype.te 2009-03-05 15:25:24.000000000 -0500
 @@ -18,7 +18,7 @@
 # Local declarations
 #
@@ -524,9 +429,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 mls_file_read_all_levels(consoletype_t)
 mls_file_write_all_levels(consoletype_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.7/policy/modules/admin/kismet.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.8/policy/modules/admin/kismet.if
 --- nsaserefpolicy/policy/modules/admin/kismet.if 2008-11-11 16:13:49.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/admin/kismet.if 2009-03-03 17:11:59.000000000 -0500
++++ serefpolicy-3.6.8/policy/modules/admin/kismet.if 2009-03-05 15:25:24.000000000 -0500
 @@ -16,6 +16,7 @@
 ')
@@ -535,10 +440,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.7/policy/modules/admin/kismet.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.8/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te 2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.7/policy/modules/admin/kismet.te 2009-03-03 17:11:59.000000000 -0500
-@@ -14,27 +14,37 @@
++++ serefpolicy-3.6.8/policy/modules/admin/kismet.te 2009-03-05 15:25:24.000000000 -0500
+@@ -14,27 +14,36 @@
 type kismet_var_run_t;
 files_pid_file(kismet_var_run_t)
@@ -560,8 +465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 -allow kismet_t self:capability { net_admin net_raw setuid setgid };
-+allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
-+allow kismet_t self:capability { kill net_admin net_raw setuid setgid };
++allow kismet_t self:capability { dac_override kill net_admin net_raw setgid setuid };
 +allow kismet_t self:process signal_perms;
 allow kismet_t self:fifo_file rw_file_perms;
 allow kismet_t self:packet_socket create_socket_perms;
@@ -581,7 +485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow kismet_t kismet_var_lib_t:file manage_file_perms;
 allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
 files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
-@@ -47,10 +57,22 @@
+@@ -47,10 +56,22 @@
 corecmd_exec_bin(kismet_t)
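Review bot: The consolidated rule `allow kismet_t self:capability { dac_override kill net_admin net_raw setgid setuid };` removes the duplicated capability line the previous patch carried, but it keeps `dac_override`, the broadest of the six: that capability bypasses all discretionary read, write and execute checks, not only ownership-based reads. If the denial that motivated it was about reading or traversing files owned by another UID, `dac_read_search` is the narrower capability and is worth trying before granting `dac_override`; the AVC is not shown here, so treat this as a question rather than a finding. A short comment above the rule explaining why `dac_override` and `kill` are needed would let the next reviewer re-check that need; the inner kismet.te hunk whose header this commit also corrects to `@@ -14,27 +14,36 @@` continues outside this outer hunk.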
@@ -604,9 +508,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(kismet_t) +userdom_read_user_tmpfs_files(kismet_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.7/policy/modules/admin/logrotate.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.8/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/logrotate.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/logrotate.te 2009-03-05 15:25:24.000000000 -0500 @@ -116,8 +116,9 @@ seutil_dontaudit_read_config(logrotate_t) @@ -625,9 +529,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - squid_signal(logrotate_t) + squid_domtrans(logrotate_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.7/policy/modules/admin/logwatch.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.8/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/logwatch.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/logwatch.te 2009-03-05 15:25:24.000000000 -0500 @@ -43,6 +43,8 @@ kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) 
@@ -697,9 +601,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.7/policy/modules/admin/mrtg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.8/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/mrtg.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/mrtg.te 2009-03-05 15:25:24.000000000 -0500 @@ -116,6 +116,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) @@ -708,9 +612,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mls',` corenet_udp_sendrecv_lo_if(mrtg_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.7/policy/modules/admin/netutils.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.8/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/netutils.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/netutils.te 2009-03-05 15:25:24.000000000 -0500 @@ -128,6 +128,8 @@ files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) 
@@ -735,18 +639,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pcmcia_use_cardmgr_fds(ping_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.7/policy/modules/admin/prelink.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.6.8/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/admin/prelink.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/prelink.fc 2009-03-05 15:25:24.000000000 -0500 @@ -5,3 +5,5 @@ /var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) /var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) + +/var/lib/misc/prelink\* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.7/policy/modules/admin/prelink.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.8/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/prelink.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/prelink.if 2009-03-05 15:25:24.000000000 -0500 @@ -120,3 +120,23 @@ logging_search_logs($1) manage_files_pattern($1, prelink_log_t, prelink_log_t) 
@@ -771,9 +675,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_var_lib($1) + manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.7/policy/modules/admin/prelink.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.8/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/prelink.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/prelink.te 2009-03-05 15:25:24.000000000 -0500 @@ -21,12 +21,15 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -842,9 +746,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(prelink_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.7/policy/modules/admin/rpm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.8/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/admin/rpm.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/rpm.fc 2009-03-05 15:25:24.000000000 -0500 @@ -3,6 +3,7 @@ /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -884,9 +788,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # SuSE ifdef(`distro_suse', ` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.7/policy/modules/admin/rpm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.8/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/rpm.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/rpm.if 2009-03-05 15:25:24.000000000 -0500 @@ -146,6 +146,24 @@ ######################################## @@ -1217,9 +1121,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 rpm_t:process signull; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.7/policy/modules/admin/rpm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.8/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/rpm.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/rpm.te 2009-03-05 15:25:24.000000000 -0500 @@ -31,6 +31,9 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; 
@@ -1435,9 +1339,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` java_domtrans_unconfined(rpm_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.7/policy/modules/admin/sudo.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.8/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/sudo.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/sudo.if 2009-03-05 15:25:24.000000000 -0500 @@ -32,6 +32,7 @@ gen_require(` @@ -1573,9 +1477,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 sudodomain:process sigchld; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.6.7/policy/modules/admin/sudo.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.6.8/policy/modules/admin/sudo.te --- nsaserefpolicy/policy/modules/admin/sudo.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/sudo.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/sudo.te 2009-03-05 15:25:24.000000000 -0500 @@ -4,6 +4,7 @@ ######################################## # 
@@ -1584,9 +1488,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type sudo_exec_t; application_executable_file(sudo_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.7/policy/modules/admin/su.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.6.8/policy/modules/admin/su.if --- nsaserefpolicy/policy/modules/admin/su.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/su.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/su.if 2009-03-05 15:25:24.000000000 -0500 @@ -90,15 +90,6 @@ miscfiles_read_localization($1_su_t) @@ -1619,9 +1523,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_rhel4',` domain_role_change_exemption($1_su_t) domain_subj_id_change_exemption($1_su_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.7/policy/modules/admin/tmpreaper.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.8/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/tmpreaper.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/tmpreaper.te 2009-03-05 15:25:24.000000000 -0500 @@ -22,12 +22,16 @@ dev_read_urand(tmpreaper_t) 
@@ -1666,9 +1570,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(tmpreaper_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.7/policy/modules/admin/usermanage.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.8/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/usermanage.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/usermanage.if 2009-03-05 15:25:24.000000000 -0500 @@ -117,6 +117,24 @@ ######################################## @@ -1702,9 +1606,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.7/policy/modules/admin/usermanage.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.8/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/usermanage.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/usermanage.te 2009-03-05 15:25:24.000000000 -0500 @@ -288,6 +288,7 @@ term_use_all_user_ttys(passwd_t) term_use_all_user_ptys(passwd_t) 
@@ -1750,9 +1654,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(useradd_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.if serefpolicy-3.6.7/policy/modules/admin/vbetool.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.if serefpolicy-3.6.8/policy/modules/admin/vbetool.if --- nsaserefpolicy/policy/modules/admin/vbetool.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/admin/vbetool.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/vbetool.if 2009-03-05 15:25:24.000000000 -0500 @@ -18,3 +18,28 @@ corecmd_search_bin($1) domtrans_pattern($1, vbetool_exec_t, vbetool_t) @@ -1782,9 +1686,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + vbetool_domtrans($1) + role $2 types vbetool_t; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.7/policy/modules/admin/vbetool.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.8/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/vbetool.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/vbetool.te 2009-03-05 15:25:24.000000000 -0500 @@ -23,6 +23,9 @@ dev_rwx_zero(vbetool_t) dev_read_sysfs(vbetool_t) 
@@ -1805,9 +1709,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_write_pid(vbetool_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.6.7/policy/modules/admin/vpn.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.6.8/policy/modules/admin/vpn.if --- nsaserefpolicy/policy/modules/admin/vpn.if 2008-11-11 16:13:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/admin/vpn.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/admin/vpn.if 2009-03-05 15:25:24.000000000 -0500 @@ -47,6 +47,24 @@ ######################################## @@ -1858,28 +1762,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## Vpnc over dbus. ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.7/policy/modules/apps/awstats.te ---- nsaserefpolicy/policy/modules/apps/awstats.te 2009-02-16 08:44:12.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/awstats.te 2009-03-03 17:11:59.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(awstats, 1.0.1) -+policy_module(awstats, 1.0.0) - - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.7/policy/modules/apps/cdrecord.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.8/policy/modules/apps/cdrecord.fc --- nsaserefpolicy/policy/modules/apps/cdrecord.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/apps/cdrecord.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/cdrecord.fc 2009-03-05 15:25:24.000000000 -0500 
@@ -2,4 +2,5 @@ # /usr # /usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0) +/usr/bin/growisoifs -- gen_context(system_u:object_r:cdrecord_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.6.7/policy/modules/apps/games.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.6.8/policy/modules/apps/games.if --- nsaserefpolicy/policy/modules/apps/games.if 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/games.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/games.if 2009-03-05 15:25:24.000000000 -0500 @@ -30,3 +30,22 @@ ps_process_pattern($2, games_t) allow $2 games_t:process signal_perms; @@ -1903,29 +1797,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + rw_files_pattern($1, games_data_t, games_data_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.fc serefpolicy-3.6.7/policy/modules/apps/git.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.fc serefpolicy-3.6.8/policy/modules/apps/git.fc --- nsaserefpolicy/policy/modules/apps/git.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/git.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/git.fc 2009-03-05 15:25:24.000000000 -0500 
@@ -0,0 +1,3 @@ +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_content_rw_t,s0) +/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.if serefpolicy-3.6.7/policy/modules/apps/git.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.if serefpolicy-3.6.8/policy/modules/apps/git.if --- nsaserefpolicy/policy/modules/apps/git.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/git.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/git.if 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1 @@ +## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.te serefpolicy-3.6.7/policy/modules/apps/git.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.te serefpolicy-3.6.8/policy/modules/apps/git.te --- nsaserefpolicy/policy/modules/apps/git.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/git.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/git.te 2009-03-05 15:25:24.000000000 -0500 
@@ -0,0 +1,4 @@ +policy_module(git, 1.0) + +apache_content_template(git) +permissive httpd_git_script_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.7/policy/modules/apps/gnome.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.8/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/gnome.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/gnome.fc 2009-03-05 15:25:24.000000000 -0500 @@ -1,8 +1,12 @@ HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) @@ -1940,9 +1834,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.7/policy/modules/apps/gnome.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.8/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/gnome.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/gnome.if 2009-03-05 15:25:24.000000000 -0500 @@ -89,5 +89,154 @@ allow $1 gnome_home_t:dir manage_dir_perms; 
@@ -2098,9 +1992,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # Connect to pulseaudit server + stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.7/policy/modules/apps/gnome.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.8/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/gnome.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/gnome.te 2009-03-05 15:25:24.000000000 -0500 @@ -9,16 +9,18 @@ attribute gnomedomain; @@ -2129,9 +2023,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_content(gnome_home_t) ############################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.7/policy/modules/apps/gpg.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.6.8/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/gpg.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/gpg.fc 2009-03-05 15:25:24.000000000 -0500 @@ -5,5 +5,5 @@ /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) 
@@ -2140,9 +2034,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) +/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.7/policy/modules/apps/gpg.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.8/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/gpg.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/gpg.if 2009-03-05 15:25:24.000000000 -0500 @@ -30,7 +30,7 @@ # allow ps to show gpg @@ -2170,9 +2064,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.7/policy/modules/apps/gpg.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.8/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/gpg.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/gpg.te 2009-03-05 15:25:24.000000000 -0500 @@ -60,7 +60,7 @@ allow gpg_t self:capability { ipc_lock setuid }; 
@@ -2270,9 +2164,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # GPG agent local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.7/policy/modules/apps/java.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.8/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/java.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/java.fc 2009-03-05 15:25:24.000000000 -0500 @@ -2,15 +2,16 @@ # /opt # @@ -2307,9 +2201,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.7/policy/modules/apps/java.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.8/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/java.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/java.if 2009-03-05 15:25:24.000000000 -0500 @@ -30,6 +30,7 @@ allow java_t $2:unix_stream_socket connectto; 
@@ -2441,9 +2335,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_dontaudit_rw_tmpfs_files($1_java_t) + corecmd_bin_domtrans($1_java_t, $1_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.7/policy/modules/apps/java.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.8/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/java.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/java.te 2009-03-05 15:25:24.000000000 -0500 @@ -40,7 +40,7 @@ # Local policy # @@ -2488,15 +2382,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rpm_domtrans(unconfined_java_t) + ') ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.7/policy/modules/apps/livecd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.8/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/livecd.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/livecd.fc 2009-03-05 15:25:24.000000000 -0500 
@@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.7/policy/modules/apps/livecd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.8/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/livecd.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/livecd.if 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,50 @@ + +## policy for livecd @@ -2548,9 +2442,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + seutil_run_setfiles_mac(livecd_t, $2) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.7/policy/modules/apps/livecd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.8/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/livecd.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/livecd.te 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,26 @@ +policy_module(livecd, 1.0.0) + 
@@ -2578,9 +2472,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +seutil_domtrans_setfiles_mac(livecd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.6.7/policy/modules/apps/loadkeys.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.6.8/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/loadkeys.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/loadkeys.te 2009-03-05 15:25:24.000000000 -0500 @@ -40,6 +40,7 @@ miscfiles_read_localization(loadkeys_t) @@ -2589,9 +2483,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` nscd_dontaudit_search_pid(loadkeys_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.7/policy/modules/apps/mono.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.8/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/apps/mono.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/mono.if 2009-03-05 15:25:24.000000000 -0500 @@ -21,6 +21,103 @@ ######################################## 
@@ -2705,9 +2599,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') corecmd_search_bin($1) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.7/policy/modules/apps/mono.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.8/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/mono.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/mono.te 2009-03-05 15:25:24.000000000 -0500 @@ -15,7 +15,7 @@ # Local policy # @@ -2725,9 +2619,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_rw_shm(mono_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.7/policy/modules/apps/mozilla.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.8/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/mozilla.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/mozilla.fc 2009-03-05 15:25:24.000000000 -0500 @@ -17,7 +17,6 @@ # # /etc 
@@ -2742,9 +2636,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.7/policy/modules/apps/mozilla.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.8/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/mozilla.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/mozilla.if 2009-03-05 15:25:24.000000000 -0500 @@ -82,8 +82,7 @@ type mozilla_home_t; ') @@ -2755,9 +2649,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs($1) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.7/policy/modules/apps/mozilla.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.8/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/mozilla.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/mozilla.te 2009-03-05 15:25:24.000000000 -0500 @@ -105,6 +105,7 @@ # Should not need other ports corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) 
@@ -2794,9 +2688,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` thunderbird_domtrans(mozilla_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.6.7/policy/modules/apps/mplayer.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.6.8/policy/modules/apps/mplayer.fc --- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/mplayer.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/mplayer.fc 2009-03-05 15:25:24.000000000 -0500 @@ -1,11 +1,7 @@ # -# /etc @@ -2810,9 +2704,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0) /usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) /usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.6.7/policy/modules/apps/mplayer.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.6.8/policy/modules/apps/mplayer.if --- nsaserefpolicy/policy/modules/apps/mplayer.if 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/mplayer.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/mplayer.if 2009-03-05 15:25:24.000000000 -0500 @@ -83,3 +83,23 @@ read_files_pattern($1, mplayer_home_t, mplayer_home_t) userdom_search_user_home_dirs($1) 
@@ -2837,9 +2731,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + can_exec($1, mplayer_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.7/policy/modules/apps/nsplugin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.8/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/nsplugin.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/nsplugin.fc 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,12 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) @@ -2853,9 +2747,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.7/policy/modules/apps/nsplugin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.8/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/nsplugin.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/nsplugin.if 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,272 @@ + +## policy for nsplugin 
@@ -3129,9 +3023,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.7/policy/modules/apps/nsplugin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.8/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/nsplugin.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/nsplugin.te 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,288 @@ + +policy_module(nsplugin, 1.0.0) @@ -3421,16 +3315,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.7/policy/modules/apps/openoffice.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.8/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/openoffice.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/openoffice.fc 2009-03-05 15:25:24.000000000 -0500 
@@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.7/policy/modules/apps/openoffice.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.8/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/openoffice.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/openoffice.if 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,92 @@ +## Openoffice + @@ -3524,9 +3418,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_common_x_domain_template($1, $1_openoffice_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.7/policy/modules/apps/openoffice.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.8/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/openoffice.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/openoffice.te 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,14 @@ + +policy_module(openoffice, 1.0.0) 
@@ -3542,17 +3436,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.6.7/policy/modules/apps/podsleuth.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.6.8/policy/modules/apps/podsleuth.fc --- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/apps/podsleuth.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/podsleuth.fc 2009-03-05 15:25:24.000000000 -0500 @@ -1,2 +1,4 @@ /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.6.7/policy/modules/apps/podsleuth.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.6.8/policy/modules/apps/podsleuth.if --- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/apps/podsleuth.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/podsleuth.if 2009-03-05 15:25:24.000000000 -0500 @@ -16,4 +16,32 @@ ') 
@@ -3586,9 +3480,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types podsleuth_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.7/policy/modules/apps/podsleuth.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.8/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/podsleuth.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/podsleuth.te 2009-03-05 15:25:24.000000000 -0500 @@ -11,21 +11,59 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; @@ -3651,17 +3545,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(podsleuth_t) dbus_system_bus_client(podsleuth_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.7/policy/modules/apps/qemu.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.8/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/apps/qemu.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/qemu.fc 2009-03-05 15:25:24.000000000 -0500 
@@ -1,2 +1,2 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.7/policy/modules/apps/qemu.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.8/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/qemu.if 2009-03-03 18:45:13.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/qemu.if 2009-03-05 15:25:24.000000000 -0500 @@ -40,6 +40,93 @@ qemu_domtrans($1) @@ -3968,9 +3862,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - ') + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.7/policy/modules/apps/qemu.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.8/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/qemu.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/qemu.te 2009-03-05 15:25:24.000000000 -0500 @@ -13,28 +13,83 @@ ## gen_tunable(qemu_full_network, false) 
@@ -4063,23 +3957,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # qemu_unconfined local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.7/policy/modules/apps/sambagui.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.8/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/sambagui.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/sambagui.fc 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,4 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) + + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.7/policy/modules/apps/sambagui.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.8/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/sambagui.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/sambagui.if 2009-03-05 15:25:24.000000000 -0500 
@@ -0,0 +1,2 @@ +## system-config-samba policy + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.7/policy/modules/apps/sambagui.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.8/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/sambagui.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/sambagui.te 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,59 @@ +policy_module(sambagui,1.0.0) + @@ -4140,9 +4034,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +permissive sambagui_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.6.7/policy/modules/apps/slocate.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.6.8/policy/modules/apps/slocate.te --- nsaserefpolicy/policy/modules/apps/slocate.te 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/slocate.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/slocate.te 2009-03-05 15:25:24.000000000 -0500 @@ -22,7 +22,7 @@ # 
@@ -4161,22 +4055,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_list_all(locate_t) fs_list_inotifyfs(locate_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.7/policy/modules/apps/webalizer.te ---- nsaserefpolicy/policy/modules/apps/webalizer.te 2009-02-16 08:44:12.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/webalizer.te 2009-03-03 17:11:59.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(webalizer, 1.8.3) -+policy_module(webalizer, 1.8.2) - - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.7/policy/modules/apps/wine.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.8/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/apps/wine.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,4 +1,8 @@ ++++ serefpolicy-3.6.8/policy/modules/apps/wine.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,4 +1,12 @@ -/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) ++/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) ++/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) ++/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) ++/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) + +/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) 
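Review bot: The four new wine.fc entries (`/usr/bin/regsvr32`, `/usr/bin/regedit`, `/usr/bin/uninstaller`, `/usr/bin/msiexec`) label plain names in /usr/bin as `wine_exec_t`, so whatever the `wine_t` domain is granted in wine.te (outside this hunk) now applies to anything installed at those paths, and `uninstaller` in particular is generic enough that a package unrelated to Wine could ship a binary under that name. A file-context entry matches by path alone, so it would be worth confirming that each of these is a Wine-owned wrapper on the target distribution and recording that above the group, e.g. `# Wine-provided wrappers; must run in the same domain as /usr/bin/wine.*`. The `/usr/bin/wine.*` line this hunk keeps already covers any wine-prefixed name (wineserver, winecfg and the like), so only the four non-prefixed names need that justification. The wine.te rules that define what wine_t may do are not part of this hunk.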
@@ -4186,9 +4074,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.7/policy/modules/apps/wine.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.8/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/wine.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/wine.if 2009-03-05 15:25:24.000000000 -0500 @@ -43,3 +43,62 @@ wine_domtrans($1) role $2 types wine_t; @@ -4252,9 +4140,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + relabel_files_pattern($2, wine_home_t, wine_home_t) + relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.7/policy/modules/apps/wine.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.8/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/wine.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/wine.te 2009-03-05 15:25:24.000000000 -0500 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; 
@@ -4281,16 +4169,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_rw_shm(wine_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.6.7/policy/modules/apps/wm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.6.8/policy/modules/apps/wm.fc --- nsaserefpolicy/policy/modules/apps/wm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/wm.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/wm.fc 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,3 @@ +/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.7/policy/modules/apps/wm.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.8/policy/modules/apps/wm.if --- nsaserefpolicy/policy/modules/apps/wm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/wm.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/wm.if 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,108 @@ +## Window Manager. + 
@@ -4400,9 +4288,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_use_xdm($1_wm_t) + ') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.7/policy/modules/apps/wm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.8/policy/modules/apps/wm.te --- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/apps/wm.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/apps/wm.te 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,9 @@ +policy_module(wm,0.0.4) + 
@@ -4413,42 +4301,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +type wm_exec_t; +corecmd_executable_file(wm_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.7/policy/modules/kernel/corecommands.fc ---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/corecommands.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -58,6 +58,8 @@ - - /etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) - -+/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) -+ - /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) -@@ -74,10 +76,11 @@ - /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) - /etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) - /etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) --/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0) --/etc/sysconfig/network-scripts/ifup-.* -l gen_context(system_u:object_r:bin_t,s0) --/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0) --/etc/sysconfig/network-scripts/ifdown-.* -l gen_context(system_u:object_r:bin_t,s0) -+ -+/etc/sysconfig/network-scripts/ifup.* gen_context(system_u:object_r:bin_t,s0) -+/etc/sysconfig/network-scripts/ifdown.* gen_context(system_u:object_r:bin_t,s0) -+/etc/sysconfig/network-scripts/net.* gen_context(system_u:object_r:bin_t,s0) -+/etc/sysconfig/network-scripts/init.* gen_context(system_u:object_r:bin_t,s0) - - /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) - /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) -@@ -124,12 +127,15 @@ - - /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) - -+/opt/real/RealPlayer/realplay(\.bin)? 
gen_context(system_u:object_r:bin_t,s0) - ifdef(`distro_gentoo',` - /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) - /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.8/policy/modules/kernel/corecommands.fc +--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/corecommands.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -134,6 +134,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -4457,33 +4313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -203,6 +209,7 @@ - /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -@@ -223,14 +230,15 @@ - /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) --/usr/lib/vmware-tools/sbin32(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/lib/vmware-tools/sbin64(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/createrepo(/.*)? 
gen_context(system_u:object_r:bin_t,s0) - /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) -@@ -293,3 +301,14 @@ +@@ -299,3 +301,14 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -4498,9 +4328,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0) + +/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.7/policy/modules/kernel/corecommands.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.8/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/corecommands.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/corecommands.if 2009-03-05 15:25:24.000000000 -0500 @@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) 
@@ -4509,9 +4339,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.7/policy/modules/kernel/corenetwork.if.in +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.8/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/corenetwork.if.in 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/corenetwork.if.in 2009-03-05 15:25:24.000000000 -0500 @@ -1612,6 +1612,24 @@ ######################################## @@ -4562,9 +4392,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write the point-to-point device. ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.7/policy/modules/kernel/corenetwork.te.in +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.8/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-03-02 16:51:45.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/corenetwork.te.in 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/corenetwork.te.in 2009-03-05 15:25:24.000000000 -0500 @@ -65,10 +65,12 @@ type server_packet_t, packet_type, server_packet_type; 
@@ -4685,270 +4515,267 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.7/policy/modules/kernel/devices.fc ---- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-08 21:42:58.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/kernel/devices.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,7 +1,7 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.8/policy/modules/kernel/domain.if +--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/domain.if 2009-03-05 15:25:24.000000000 -0500 +@@ -629,6 +629,7 @@ - /dev -d gen_context(system_u:object_r:device_t,s0) - /dev/.* gen_context(system_u:object_r:device_t,s0) -- -+/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -12,42 +12,59 @@ - /dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0) - /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) - /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/graphics -c 
gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) -+/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) - /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) - /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) - /dev/full -c gen_context(system_u:object_r:null_device_t,s0) -+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) -+/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) - /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) - /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) -+/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) -+/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) - /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) -+/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) - /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -+/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) -+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) - /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/logibm -c 
gen_context(system_u:object_r:mouse_device_t,s0) - /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) - /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) - /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -+/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) - /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) - /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) - /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) -+/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) - /dev/null -c gen_context(system_u:object_r:null_device_t,s0) - /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) - /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -+/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) - /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) -@@ -69,14 +86,14 @@ - /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) --/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) --/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0) --/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) -+/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) -+/dev/usb.+ -c 
gen_context(system_u:object_r:usb_device_t,s0) - /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) - ifdef(`distro_suse', ` - /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) - ') - /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) -+/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) - /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) - /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -91,20 +108,34 @@ - - /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) - --/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) -+/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) -+/dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0) - /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0) - - /dev/dri/.+ -c gen_context(system_u:object_r:dri_device_t,s0) - - /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) - -+/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/input/.* -c gen_context(system_u:object_r:event_device_t,s0) -+/dev/input/m.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0) - /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) - /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) -+/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) 
-+/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) -+/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0) - - /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) -+/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) -+/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - - /dev/pts(/.*)? <> - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.7/policy/modules/kernel/devices.if ---- nsaserefpolicy/policy/modules/kernel/devices.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/devices.if 2009-03-03 17:11:59.000000000 -0500 -@@ -65,7 +65,7 @@ - - relabelfrom_dirs_pattern($1, device_t, device_node) - relabelfrom_files_pattern($1, device_t, device_node) -- relabelfrom_lnk_files_pattern($1, device_t, device_node) -+ relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) - relabelfrom_fifo_files_pattern($1, device_t, device_node) - relabelfrom_sock_files_pattern($1, device_t, device_node) - relabel_blk_files_pattern($1,device_t,{ device_t device_node }) -@@ -129,6 +129,25 @@ + dontaudit $1 unconfined_domain_type:dir search_dir_perms; + dontaudit $1 unconfined_domain_type:file read_file_perms; ++ dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -1247,18 +1248,34 @@ + ## + ## + # +-interface(`domain_mmap_low',` ++interface(`domain_mmap_low_type',` + gen_require(` + attribute mmap_low_domain_type; + ') + +- allow $1 self:memprotect mmap_zero; +- + typeattribute $1 mmap_low_domain_type; + ') ######################################## ## -+## Do not audit attempts to append from random -+## number generator devices (e.g., /dev/random) ++## Ability to mmap a low area of the address space, ++## as configured by 
/proc/sys/kernel/mmap_min_addr. ++## Preventing such mappings helps protect against ++## exploiting null deref bugs in the kernel. +## +## +## -+## Domain allowed access. ++## Domain allowed to mmap low memory. +## +## +# -+interface(`dev_dontaudit_append_rand',` -+ gen_require(` -+ type random_device_t; -+ ') ++interface(`domain_mmap_low',` + -+ dontaudit $1 random_device_t:chr_file append; ++ allow $1 self:memprotect mmap_zero; +') + +######################################## +## - ## Add entries to directories in /dev. - ## - ## -@@ -166,6 +185,25 @@ + ## Allow specified type to receive labeled + ## networking packets from all domains, over + ## all protocols (TCP, UDP, etc) +@@ -1279,6 +1296,24 @@ ######################################## ## -+## Manage of directories in /dev. ++## Polyinstatiated access to domains. +## +## +## -+## Domain allowed to relabel. ++## Domain allowed access. +## +## +# -+interface(`dev_manage_generic_dirs',` ++interface(`domain_poly',` + gen_require(` -+ type device_t; ++ attribute polydomain; + ') + -+ manage_dirs_pattern($1, device_t, device_t) ++ typeattribute $1 polydomain; +') + -+ +######################################## +## - ## Delete a directory in the device directory. + ## Unconfined access to domains. ## ## -@@ -666,6 +704,7 @@ - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.8/policy/modules/kernel/domain.te +--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/domain.te 2009-03-05 15:25:24.000000000 -0500 +@@ -5,6 +5,13 @@ + # + # Declarations + # ++## ++##

++## Allow all domains to use other domains file descriptors ++##

++##
++# ++gen_tunable(allow_domain_fd_use, true) - dontaudit $1 device_node:blk_file getattr; -+ dev_dontaudit_getattr_generic_blk_files($1) - ') + # Mark process types as domains + attribute domain; +@@ -15,6 +22,8 @@ + # Domains that are unconfined + attribute unconfined_domain_type; - ######################################## -@@ -703,6 +742,7 @@ - ') ++attribute polydomain; ++ + # Domains that can mmap low memory. + attribute mmap_low_domain_type; + neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; +@@ -80,6 +89,8 @@ + allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; + allow domain self:file rw_file_perms; + kernel_read_proc_symlinks(domain) ++kernel_read_crypto_sysctls(domain) ++ + # Every domain gets the key ring, so we should default + # to no one allowed to look at it; afs kernel support creates + # a keyring +@@ -106,6 +117,10 @@ + ') - dontaudit $1 device_node:chr_file getattr; -+ dev_dontaudit_getattr_generic_chr_files($1) + optional_policy(` ++ afs_rw_cache(domain) ++') ++ ++optional_policy(` + libs_use_ld_so(domain) + libs_use_shared_libs(domain) + ') +@@ -118,6 +133,7 @@ + optional_policy(` + xserver_dontaudit_use_xdm_fds(domain) + xserver_dontaudit_rw_xdm_pipes(domain) ++ xserver_dontaudit_rw_xdm_home_files(domain) ') ######################################## -@@ -1159,6 +1199,25 @@ +@@ -136,6 +152,9 @@ + allow unconfined_domain_type domain:fd use; + allow unconfined_domain_type domain:fifo_file rw_file_perms; - ######################################## - ## -+## Set the attributes of the CPU -+## microcode and id interfaces. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_cpu_dev',` -+ gen_require(` -+ type device_t, cpu_device_t; -+ ') ++allow unconfined_domain_type domain:dbus send_msg; ++allow domain unconfined_domain_type:dbus send_msg; ++ + # Act upon any other process. 
+ allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; + +@@ -145,7 +164,7 @@ + + # For /proc/pid + allow unconfined_domain_type domain:dir list_dir_perms; +-allow unconfined_domain_type domain:file read_file_perms; ++allow unconfined_domain_type domain:file rw_file_perms; + allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; + + # act on all domains keys +@@ -153,3 +172,43 @@ + + # receive from all domains over labeled networking + domain_all_recvfrom_all_domains(unconfined_domain_type) + -+ setattr_chr_files_pattern($1, device_t, cpu_device_t) ++tunable_policy(`allow_domain_fd_use',` ++ # Allow all domains to use fds past to them ++ allow domain domain:fd use; +') + -+######################################## -+## - ## Read the CPU identity. - ## - ## -@@ -1281,7 +1340,7 @@ - type dri_device_t; - ') ++optional_policy(` ++ cron_dontaudit_write_system_job_tmp_files(domain) ++ cron_rw_pipes(domain) ++ cron_rw_system_job_pipes(domain) ++ifdef(`hide_broken_symptoms',` ++ allow domain domain:key { link search }; ++') ++') ++ ++optional_policy(` ++ rpm_rw_pipes(domain) ++ rpm_dontaudit_use_script_fds(domain) ++ rpm_dontaudit_write_pid_files(domain) ++') ++ ++optional_policy(` ++ rhgb_dontaudit_use_ptys(domain) ++') ++ ++optional_policy(` ++ unconfined_dontaudit_rw_pipes(domain) ++ unconfined_sigchld(domain) ++') ++ ++# broken kernel ++dontaudit can_change_object_identity can_change_object_identity:key link; ++ ++tunable_policy(`allow_polyinstantiation',` ++ files_polyinstantiate_all(polydomain) ++ userdom_manage_user_home_content_dirs(polydomain) ++ userdom_manage_user_home_content_files(polydomain) ++ userdom_relabelto_user_home_dirs(polydomain) ++ userdom_relabelto_user_home_files(polydomain) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.8/policy/modules/kernel/files.fc +--- 
nsaserefpolicy/policy/modules/kernel/files.fc 2009-01-05 15:39:38.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/files.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -8,6 +8,8 @@ + /initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) + /vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) -- dontaudit $1 dri_device_t:chr_file { getattr read write ioctl }; -+ dontaudit $1 dri_device_t:chr_file rw_file_perms; ++/afs -d gen_context(system_u:object_r:mnt_t,s0) ++ + ifdef(`distro_redhat',` + /\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0) + /\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0) +@@ -17,6 +19,7 @@ + /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) + /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) + /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0) ++/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) ') - ######################################## -@@ -1957,6 +2016,42 @@ + ifdef(`distro_suse',` +@@ -228,6 +231,8 @@ - ######################################## - ## -+## Get the attributes of the null device nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_getattr_null_dev',` + /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) + ++/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) ++ + /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) + + /var/lib/nfs/rpc_pipefs(/.*)? 
<> +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.8/policy/modules/kernel/files.if +--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/files.if 2009-03-05 15:25:24.000000000 -0500 +@@ -110,6 +110,11 @@ + ## + # + interface(`files_config_file',` ++ gen_require(` ++ attribute etcfile; ++ ') ++ ++ typeattribute $1 etcfile; + files_type($1) + ') + +@@ -928,8 +933,8 @@ + relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) +- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) +- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) ++ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) ++ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) + + # satisfy the assertions: + seutil_relabelto_bin_policy($1) +@@ -1086,6 +1091,24 @@ + ## + ## + # ++interface(`files_relabel_all_file_type_fs',` + gen_require(` -+ type device_t, null_device_t; ++ attribute file_type; + ') + -+ getattr_chr_files_pattern($1, device_t, null_device_t) ++ allow $1 file_type:filesystem { relabelfrom relabelto }; +') + +######################################## +## -+## Set the attributes of the null device nodes. ++## Relabel a filesystem to the type of a file. +## +## +## 
@@ -4956,24 +4783,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_setattr_null_dev',` -+ gen_require(` -+ type device_t, null_device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, null_device_t) -+') -+ -+######################################## -+## - ## Read and write to the null device (/dev/null). - ## - ## -@@ -2767,6 +2862,24 @@ + interface(`files_relabelto_all_file_type_fs',` + gen_require(` + attribute file_type; +@@ -1695,6 +1718,25 @@ ######################################## ## -+## Read generic the USB devices. ++## Manage a filesystem on a directory with the default file type. +## +## +## @@ -4981,24 +4798,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_read_generic_usb_dev',` ++interface(`files_manage_default',` + gen_require(` -+ type usb_device_t; ++ type default_t; + ') + -+ read_chr_files_pattern($1, device_t, usb_device_t) ++ manage_dirs_pattern($1, default_t, default_t) ++ manage_files_pattern($1, default_t, default_t) +') + +######################################## +## - ## Read and write generic the USB devices. + ## Mount a filesystem on a directory with the default file type. ## ## -@@ -2785,6 +2898,115 @@ +@@ -1915,6 +1957,26 @@ ######################################## ## -+## Read and write generic the USB fifo files. ++## Read config files in /etc. +## +## +## 
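Review bot: Splitting `domain_mmap_low` in domain.if leaves a trap for callers: the new `domain_mmap_low` only emits `allow $1 self:memprotect mmap_zero;` and the attribute moved to `domain_mmap_low_type`, but the domain.te context line `neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;` still stands, so a module that calls only `domain_mmap_low` is rejected at policy build time. The interface description should say so, e.g. `## Callers must also invoke domain_mmap_low_type() on the same domain, otherwise the neverallow in domain.te rejects the policy.` The new `gen_tunable(allow_domain_fd_use, true)` guarding `allow domain domain:fd use;` is enabled by default and lets every domain use descriptors received from any other domain, which the one-line description does not convey; suggest `## Allow every domain to use file descriptors passed to it by any other domain (default on; disable to keep descriptor use to explicitly allowed pairs).` In files.fc the Red Hat-only `/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)` labels any regular file placed directly under / as etc_runtime_t, which is much broader than the explicit entries above it and deserves a comment stating that this is intended. The domain.if hunk that starts this range begins outside this hunk, so the `domain_mmap_low_type` definition is only partly visible here.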
@@ -5006,18 +4824,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_rw_generic_usb_pipes',` ++interface(`files_read_config_files',` + gen_require(` -+ type usb_device_t; ++ attribute etcfile; + ') + -+ allow $1 device_t:dir search_dir_perms; -+ allow $1 usb_device_t:fifo_file rw_fifo_file_perms; ++ allow $1 etcfile:dir list_dir_perms; ++ read_files_pattern($1, etcfile, etcfile) ++ read_lnk_files_pattern($1, etcfile, etcfile) +') + +######################################## +## -+## Get the attributes of the kvm devices. + ## Do not audit attempts to write generic files in /etc. + ## + ## +@@ -2250,6 +2312,49 @@ + + ######################################## + ## ++## Delete directories on new filesystems ++## that have not yet been labeled. +## +## +## @@ -5025,17 +4852,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_getattr_kvm_dev',` ++interface(`files_delete_isid_type_dirs',` + gen_require(` -+ type device_t, kvm_device_t; ++ type file_t; + ') + -+ getattr_chr_files_pattern($1, device_t, kvm_device_t) ++ delete_dirs_pattern($1, file_t, file_t) +') + +######################################## +## -+## Set the attributes of the kvm devices. ++## Delete files on new filesystems ++## that have not yet been labeled. +## +## +## 
@@ -5043,81 +4871,150 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_setattr_kvm_dev',` ++interface(`files_delete_isid_type_files',` + gen_require(` -+ type device_t, kvm_device_t; ++ type file_t; + ') + -+ setattr_chr_files_pattern($1, device_t, kvm_device_t) ++ delete_files_pattern($1, file_t, file_t) ++ delete_lnk_files_pattern($1, file_t, file_t) ++ delete_fifo_files_pattern($1, file_t, file_t) ++ delete_sock_files_pattern($1, file_t, file_t) ++ delete_blk_files_pattern($1, file_t, file_t) ++ delete_chr_files_pattern($1, file_t, file_t) +') + +######################################## +## -+## Read the kernel messages -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_kmsg',` -+ gen_require(` -+ type device_t, kmsg_device_t; -+ ') + ## Do not audit attempts to search directories on new filesystems + ## that have not yet been labeled. + ## +@@ -3456,6 +3561,8 @@ + delete_lnk_files_pattern($1, tmpfile, tmpfile) + delete_fifo_files_pattern($1, tmpfile, tmpfile) + delete_sock_files_pattern($1, tmpfile, tmpfile) ++ files_delete_isid_type_dirs($1) ++ files_delete_isid_type_files($1) + ') + + ######################################## +@@ -3546,7 +3653,7 @@ + type usr_t; + ') + +- allow $1 usr_t:file delete_dir_perms; ++ delete_dirs_pattern($1, usr_t, usr_t) + ') + + ######################################## +@@ -3564,7 +3671,12 @@ + type usr_t; + ') + +- allow $1 usr_t:file delete_file_perms; ++ delete_files_pattern($1, usr_t, usr_t) ++ delete_lnk_files_pattern($1, usr_t, usr_t) ++ delete_fifo_files_pattern($1, usr_t, usr_t) ++ delete_sock_files_pattern($1, usr_t, usr_t) ++ delete_blk_files_pattern($1, usr_t, usr_t) ++ delete_chr_files_pattern($1, usr_t, usr_t) + ') + + ######################################## +@@ -4532,7 +4644,8 @@ + type var_t, var_run_t; + ') + +- read_files_pattern($1, { var_t var_run_t }, var_run_t) ++ list_dirs_pattern($1,var_t,var_run_t) ++ 
read_files_pattern($1, var_run_t, var_run_t) + ') + + ######################################## +@@ -4873,7 +4986,7 @@ + selinux_compute_member($1) + + # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin }; ++ allow $1 self:capability { chown fsetid sys_admin fowner }; + + # Need to give access to the directories to be polyinstantiated + allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +@@ -4895,12 +5008,15 @@ + allow $1 poly_t:dir { create mounton }; + fs_unmount_xattr_fs($1) + ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) + -+ read_chr_files_pattern($1, device_t, kmsg_device_t) -+') + ifdef(`distro_redhat',` + # namespace.init ++ files_search_tmp($1) + files_search_home($1) + corecmd_exec_bin($1) + seutil_domtrans_setfiles($1) +- mount_domtrans($1) + ') + ') + +@@ -4921,3 +5037,95 @@ + + typeattribute $1 files_unconfined_type; + ') + +######################################## +## -+## Read the kvm devices. ++## Create a core files in / +## ++## ++##

++## Create a core file in /, ++##

++##
+## +## +## Domain allowed access. +## +## ++## +# -+interface(`dev_read_kvm',` ++interface(`files_dump_core',` + gen_require(` -+ type device_t, kvm_device_t; ++ type root_t; + ') + -+ read_chr_files_pattern($1, device_t, kvm_device_t) ++ manage_files_pattern($1, root_t, root_t) +') + +######################################## +## -+## Read and write to kvm devices. ++## Create a default directory in / +## ++## ++##

++## Create a default_t direcrory in / ++##

++##
+## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## ++## +# -+interface(`dev_rw_kvm',` -+ gen_require(` -+ type device_t, kvm_device_t; -+ ') ++interface(`files_create_default_dir',` ++ gen_require(` ++ type root_t, default_t; ++ ') + -+ rw_chr_files_pattern($1, device_t, kvm_device_t) ++ allow $1 default_t:dir create; ++ filetrans_pattern($1, root_t, default_t, dir) +') + +######################################## +## - ## Mount a usbfs filesystem. - ## - ## -@@ -3320,3 +3542,242 @@ - - typeattribute $1 devices_unconfined_type; - ') -+ -+######################################## -+## -+## Get the attributes of the autofs device node. ++## manage generic symbolic links ++## in the /var/run directory. +## +## +## 
@@ -5125,55 +5022,117 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_getattr_autofs_dev',` ++interface(`files_manage_generic_pids_symlinks',` + gen_require(` -+ type device_t, autofs_device_t; ++ type var_run_t; + ') + -+ getattr_chr_files_pattern($1, device_t, autofs_device_t) ++ manage_lnk_files_pattern($1,var_run_t,var_run_t) +') + +######################################## +## -+## Do not audit attempts to get the attributes of -+## the autofs device node. ++## manage generic symbolic links ++## in the /var/run directory. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_getattr_autofs_dev',` ++interface(`files_boot',` + gen_require(` -+ type autofs_device_t; ++ type root_t; + ') + -+ dontaudit $1 autofs_device_t:chr_file getattr; ++ allow $1 root_t:blk_file manage_blk_file_perms; ++ allow $1 root_t:chr_file manage_chr_file_perms; ++ manage_dirs_pattern($1, root_t, root_t) ++ manage_files_pattern($1, root_t, root_t) ++ manage_lnk_files_pattern($1, root_t, root_t) ++ can_exec(kernel_t, root_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.8/policy/modules/kernel/files.te +--- nsaserefpolicy/policy/modules/kernel/files.te 2009-01-05 15:39:38.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/files.te 2009-03-05 15:25:24.000000000 -0500 +@@ -52,7 +52,9 @@ + # + # etc_t is the type of the system etc directories. + # +-type etc_t; ++attribute etcfile; + -+######################################## -+## -+## Set the attributes of the autofs device node. -+## -+## -+## -+## Domain allowed access. 
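Review bot: The new `files_boot` interface in files.if carries the description of the interface above it ("manage generic symbolic links in the /var/run directory") while its body grants manage of root_t directories, files, symlinks and block/character nodes; the header should describe that, e.g. `## Manage all files, directories, symlinks and device nodes directly under / (boot-time use).` Its last line `can_exec(kernel_t, root_t)` hard-codes kernel_t instead of the `$1` every other line uses, and kernel_t is not in the `gen_require` block (only `type root_t;`), so either it should read `can_exec($1, root_t)` or the require block must declare `type root_t, kernel_t;` and the comment must say why the kernel domain is special-cased. `files_dump_core` is documented as "Create a core file in /" but calls `manage_files_pattern($1, root_t, root_t)`, which also allows reading, writing, renaming and deleting any root_t file; either narrow the rule or state the full grant in the description. Minor: "direcrory" in the `files_create_default_dir` description.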
-+## -+## -+# -+interface(`dev_setattr_autofs_dev',` -+ gen_require(` -+ type device_t, autofs_device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, autofs_device_t) ++type etc_t, etcfile; + files_type(etc_t) + # compatibility aliases for removed types: + typealias etc_t alias automount_etc_t; +@@ -198,10 +200,7 @@ + # + # Rules for all tmp file types + # +- +-allow tmpfile tmp_t:filesystem associate; +- +-fs_associate_tmpfs(tmpfile) ++allow file_type tmp_t:filesystem associate; + + ######################################## + # +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.8/policy/modules/kernel/filesystem.fc +--- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2008-08-07 11:15:01.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/kernel/filesystem.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1 +1 @@ +-# This module currently does not have any file contexts. ++/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.8/policy/modules/kernel/filesystem.if +--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/filesystem.if 2009-03-05 15:25:24.000000000 -0500 +@@ -754,6 +754,7 @@ + attribute noxattrfs; + ') + ++ list_dirs_pattern($1, noxattrfs, noxattrfs) + read_files_pattern($1, noxattrfs, noxattrfs) + ') + +@@ -2173,6 +2174,7 @@ + type removable_t; + ') + ++ allow $1 removable_t:dir list_dir_perms; + rw_blk_files_pattern($1, removable_t, removable_t) + ') + +@@ -3322,6 +3324,7 @@ + type tmpfs_t; + ') + ++ dontaudit $1 tmpfs_t:dir rw_dir_perms; + dontaudit $1 tmpfs_t:file rw_file_perms; + ') + +@@ -3643,6 +3646,7 @@ + ') + + allow $1 filesystem_type:filesystem getattr; ++ files_getattr_all_file_type_fs($1) + ') + + ######################################## +diff -b -B 
--ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.8/policy/modules/kernel/kernel.if +--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/kernel.if 2009-03-05 15:25:24.000000000 -0500 +@@ -1197,6 +1197,26 @@ + ') + + dontaudit $1 proc_type:dir list_dir_perms; ++ dontaudit $1 proc_type:file getattr; +') + +######################################## +## -+## Do not audit attempts to set the attributes of -+## the autofs device node. ++## Allow attempts to list all proc directories. +## +## +## @@ -5181,17 +5140,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_dontaudit_setattr_autofs_dev',` ++interface(`kernel_list_all_proc',` + gen_require(` -+ type autofs_device_t; ++ attribute proc_type; + ') + -+ dontaudit $1 autofs_device_t:chr_file setattr; -+') -+ -+######################################## -+## -+## Read and write the autofs device. ++ allow $1 proc_type:dir list_dir_perms; ++ allow $1 proc_type:file getattr; + ') + + ######################################## +@@ -1233,9 +1253,11 @@ + interface(`kernel_read_sysctl',` + gen_require(` + type sysctl_t; ++ type proc_t; + ') + + list_dirs_pattern($1, proc_t, sysctl_t) ++ read_files_pattern($1, sysctl_t, sysctl_t) + ') + + ######################################## +@@ -1568,6 +1590,26 @@ + + ######################################## + ## ++## Read generic crypto sysctls. +## +## +## 
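Review bot: In files.te the replacement `allow file_type tmp_t:filesystem associate;` widens the association from the tmpfile attribute to every file_type, and the same change drops `fs_associate_tmpfs(tmpfile)`; whether tmpfile types still associate with tmpfs_t through some other rule is not visible in this hunk and should be confirmed. A why-comment would stop the next reader from reverting it, e.g. `# every file type may be created on a tmp_t filesystem; tmpfs association for tmpfile is handled elsewhere — confirm`. The new `dontaudit $1 tmpfs_t:dir rw_dir_perms;` in filesystem.if silences directory writes on tmpfs for the caller, which is a broader suppression than the existing file-level dontaudit on the next line and should be mentioned in that interface's description.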
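Review bot: Style only: `kernel_read_sysctl` now declares `type sysctl_t;` and `type proc_t;` on two lines inside one `gen_require`, while the rest of kernel.if (for example `type proc_t, sysctl_t, sysctl_crypto_t;` in the following hunk) lists them on one line; `type proc_t, sysctl_t;` would match. The added `read_files_pattern($1, sysctl_t, sysctl_t)` turns a list-only interface into a read interface, which its description (outside this hunk) may no longer reflect.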
@@ -5199,53 +5174,63 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_rw_autofs',` ++interface(`kernel_read_crypto_sysctls',` + gen_require(` -+ type device_t, autofs_device_t; ++ type proc_t, sysctl_t, sysctl_crypto_t; + ') + -+ rw_chr_files_pattern($1, device_t, autofs_device_t) ++ read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) ++ ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) +') + +######################################## +## -+## Get the attributes of the network control device + ## Read generic kernel sysctls. + ## + ## +@@ -1767,6 +1809,7 @@ + ') + + dontaudit $1 sysctl_type:dir list_dir_perms; ++ dontaudit $1 sysctl_type:file read_file_perms; + ') + + ######################################## +@@ -2580,6 +2623,24 @@ + + ######################################## + ## ++## Relabel to unlabeled context . +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`dev_getattr_netcontrol',` ++interface(`kernel_relabelto_unlabeled',` + gen_require(` -+ type device_t, netcontrol_device_t; ++ type unlabeled_t; + ') + -+ getattr_chr_files_pattern($1, device_t, netcontrol_device_t) ++ allow $1 unlabeled_t:dir_file_class_set relabelto; +') + +######################################## +## -+## Read the network control identity. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_netcontrol',` -+ gen_require(` -+ type device_t, netcontrol_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, netcontrol_device_t) -+') + ## Unconfined access to kernel module resources. + ## + ## +@@ -2595,3 +2656,23 @@ + + typeattribute $1 kern_unconfined; + ') + +######################################## +## -+## Read and write the the network control device. ++## Allow the specified domain to connect to ++## the kernel with a unix socket. +## +## +## 
@@ -5253,91 +5238,160 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_rw_netcontrol',` ++interface(`kernel_stream_connect',` + gen_require(` -+ type device_t, netcontrol_device_t; ++ type kernel_t; + ') + -+ rw_chr_files_pattern($1, device_t, netcontrol_device_t) ++ allow $1 kernel_t:unix_stream_socket connectto; +') + -+######################################## -+## -+## Get the attributes of the QEMU -+## microcode and id interfaces. -+## -+## -+## -+## Domain allowed access. -+## -+## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.8/policy/modules/kernel/kernel.te +--- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/kernel.te 2009-03-05 15:25:24.000000000 -0500 +@@ -63,6 +63,15 @@ + genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) + + # ++# infinibandeventfs fs +# -+interface(`dev_getattr_qemu',` -+ gen_require(` -+ type device_t, qemu_device_t; -+ ') + -+ getattr_chr_files_pattern($1, device_t, qemu_device_t) -+') ++type infinibandeventfs_t; ++fs_type(infinibandeventfs_t) ++allow infinibandeventfs_t self:filesystem associate; ++genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) + -+######################################## -+## -+## Set the attributes of the QEMU -+## microcode and id interfaces. -+## -+## -+## -+## Domain allowed access. 
-+## -+## +# -+interface(`dev_setattr_qemu',` -+ gen_require(` -+ type device_t, qemu_device_t; -+ ') + # kvmFS + # + +@@ -120,6 +129,10 @@ + type sysctl_rpc_t, sysctl_type; + genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) + ++# /proc/sys/crypto directory and files ++type sysctl_crypto_t, sysctl_type; ++genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0) + -+ setattr_chr_files_pattern($1, device_t, qemu_device_t) -+') + # /proc/sys/fs directory and files + type sysctl_fs_t, sysctl_type; + files_mountpoint(sysctl_fs_t) +@@ -160,6 +173,7 @@ + # + type unlabeled_t; + sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) ++fs_associate(unlabeled_t) + + # These initial sids are no longer used, and can be removed: + sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -198,6 +212,8 @@ + allow kernel_t self:sock_file read_sock_file_perms; + allow kernel_t self:fd use; + ++allow kernel_t debugfs_t:dir search; + -+######################################## -+## -+## Read the QEMU device -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dev_read_qemu',` -+ gen_require(` -+ type device_t, qemu_device_t; -+ ') + allow kernel_t proc_t:dir list_dir_perms; + allow kernel_t proc_t:file read_file_perms; + allow kernel_t proc_t:lnk_file read_lnk_file_perms; +@@ -248,7 +264,8 @@ + + selinux_load_policy(kernel_t) + +-term_use_console(kernel_t) ++term_use_all_terms(kernel_t) ++term_use_ptmx(kernel_t) + + corecmd_exec_shell(kernel_t) + corecmd_list_bin(kernel_t) +@@ -262,6 +279,8 @@ + files_list_etc(kernel_t) + files_list_home(kernel_t) + files_read_usr_files(kernel_t) ++files_manage_mounttab(kernel_t) ++files_manage_generic_spool_dirs(kernel_t) + + mcs_process_set_categories(kernel_t) + +@@ -269,12 +288,18 @@ + mls_process_write_down(kernel_t) + mls_file_write_all_levels(kernel_t) + mls_file_read_all_levels(kernel_t) ++mls_socket_write_all_levels(kernel_t) ++mls_fd_share_all_levels(kernel_t) ++ ++logging_manage_generic_logs(kernel_t) + + ifdef(`distro_redhat',` + # Bugzilla 222337 + fs_rw_tmpfs_chr_files(kernel_t) + ') + ++userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) + -+ read_chr_files_pattern($1, device_t, qemu_device_t) + tunable_policy(`read_default_t',` + files_list_default(kernel_t) + files_read_default_files(kernel_t) +@@ -359,6 +384,10 @@ + unconfined_domain(kernel_t) + ') + ++optional_policy(` ++ xserver_xdm_manage_spool(kernel_t) +') + -+######################################## -+## -+## Read and write the the QEMU device. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dev_rw_qemu',` -+ gen_require(` -+ type device_t, qemu_device_t; -+ ') + ######################################## + # + # Unlabeled process local policy +@@ -388,3 +417,5 @@ + allow kern_unconfined unlabeled_t:association *; + allow kern_unconfined unlabeled_t:packet *; + allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; + -+ rw_chr_files_pattern($1, device_t, qemu_device_t) -+') ++files_boot(kernel_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.8/policy/modules/kernel/selinux.if +--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/selinux.if 2009-03-05 15:25:24.000000000 -0500 +@@ -40,7 +40,7 @@ + + # because of this statement, any module which + # calls this interface must be in the base module: +- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) ++# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) + ') + + ######################################## +@@ -202,6 +202,7 @@ + type security_t; + ') + ++ selinux_dontaudit_getattr_fs($1) + dontaudit $1 security_t:dir search_dir_perms; + dontaudit $1 security_t:file read_file_perms; + ') +@@ -223,6 +224,7 @@ + type security_t; + ') + ++ selinux_get_fs_mount($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file read_file_perms; + ') +@@ -404,6 +406,7 @@ + ') + + allow $1 security_t:dir list_dir_perms; ++ allow $1 boolean_type:dir list_dir_perms; + allow $1 boolean_type:file rw_file_perms; + + if(!secure_mode_policyload) { +@@ -622,3 +625,23 @@ + + typeattribute $1 selinux_unconfined_type; + ') + +######################################## +## -+## Read printk devices (e.g., /dev/kmsg /dev/mcelog) ++## Generate a file context for a boolean type +## +## +## 
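Review bot: In selinux.if the hunk comments out the `genfscon selinuxfs /booleans/$2 gen_context(...)` statement but keeps the two comment lines above it, `# because of this statement, any module which` / `# calls this interface must be in the base module:`, which now describe a statement that no longer executes; either drop them or replace them with a line saying why the genfscon was disabled (presumably because the new `selinux_genbool` interface started at the end of this hunk now labels boolean types — confirm). In kernel.te, `files_boot(kernel_t)` is appended after the `kern_unconfined` rules at the very end of the file instead of in the kernel_t local policy section, with no comment on why the kernel domain needs it, and the following hunk removes the `files_boot` definition from files.if (`-+interface(`files_boot'`), so confirm it is still defined in the regenerated patch or this call will not build. The other kernel_t additions (`term_use_all_terms`, `term_use_ptmx`, `logging_manage_generic_logs`, `files_manage_generic_spool_dirs`, `userdom_user_home_dir_filetrans_user_home_content`, `xserver_xdm_manage_spool`) broaden the kernel domain considerably; a one-line why-comment on each, as the existing `# Bugzilla 222337` line does for `fs_rw_tmpfs_chr_files`, would let a later auditor tell which ones are still needed. The hunk ends inside the description of `selinux_genbool`, whose body is in the next hunk.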
@@ -5345,4634 +5399,2169 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_read_printk',` ++interface(`selinux_genbool',` + gen_require(` -+ type device_t, printk_device_t; ++ attribute boolean_type; + ') + -+ read_chr_files_pattern($1, device_t, printk_device_t) ++ type $1, boolean_type; ++ fs_type($1) ++ mls_trusted_object($1) +') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.7/policy/modules/kernel/devices.te ---- nsaserefpolicy/policy/modules/kernel/devices.te 2008-10-08 21:42:58.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/kernel/devices.te 2009-03-03 17:11:59.000000000 -0500 -@@ -32,6 +32,12 @@ - type apm_bios_t; - dev_node(apm_bios_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.8/policy/modules/kernel/terminal.if +--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/kernel/terminal.if 2009-03-05 15:25:24.000000000 -0500 +@@ -173,7 +173,7 @@ -+# -+# Type for /dev/autofs -+# -+type autofs_device_t; -+dev_node(autofs_device_t) -+ - type cardmgr_dev_t; - dev_node(cardmgr_dev_t) - files_tmp_file(cardmgr_dev_t) -@@ -49,6 +55,12 @@ - type cpu_device_t; - dev_node(cpu_device_t) + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; +- allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; ++ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; + ') -+# -+# network control devices -+# -+type netcontrol_device_t; -+dev_node(netcontrol_device_t) -+ - # for the IBM zSeries z90crypt hardware ssl accelorator - type crypt_device_t; - dev_node(crypt_device_t) -@@ -66,12 +78,25 @@ - dev_node(framebuf_device_t) + ######################################## +@@ -250,9 +250,11 @@ + 
interface(`term_dontaudit_use_console',` + gen_require(` + type console_device_t; ++ type tty_device_t; + ') - # -+# Type for /dev/ipmi/0 -+# -+type ipmi_device_t; -+dev_node(ipmi_device_t) -+ -+# - # Type for /dev/kmsg - # - type kmsg_device_t; - dev_node(kmsg_device_t) + dontaudit $1 console_device_t:chr_file rw_chr_file_perms; ++ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; + ') - # -+# kvm_device_t is the type of -+# /dev/kvm -+# -+type kvm_device_t; -+dev_node(kvm_device_t) -+ -+# - # Type for /dev/mapper/control - # - type lvm_control_t; -@@ -118,6 +143,12 @@ - dev_node(nvram_device_t) + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.6.8/policy/modules/roles/auditadm.te +--- nsaserefpolicy/policy/modules/roles/auditadm.te 2008-11-11 16:13:47.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/auditadm.te 2009-03-05 15:25:24.000000000 -0500 +@@ -17,6 +17,8 @@ - # -+# qemu control devices -+# -+type qemu_device_t; -+dev_node(qemu_device_t) + allow auditadm_t self:capability { dac_read_search dac_override }; + ++kernel_read_ring_buffer(auditadm_t) + -+# - # Type for /dev/pmu - # - type power_device_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.7/policy/modules/kernel/domain.if ---- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/domain.if 2009-03-03 18:37:10.000000000 -0500 -@@ -629,6 +629,7 @@ + corecmd_exec_shell(auditadm_t) - dontaudit $1 unconfined_domain_type:dir search_dir_perms; - dontaudit $1 unconfined_domain_type:file read_file_perms; -+ dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms; + domain_kill_all_domains(auditadm_t) +@@ -32,158 +34,18 @@ + seutil_read_bin_policy(auditadm_t) + + optional_policy(` +- apache_role(auditadm_r, auditadm_t) 
+-') +- +-optional_policy(` +- auth_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- bluetooth_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- cdrecord_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` + consoletype_exec(auditadm_t) ') - ######################################## -@@ -1247,18 +1248,34 @@ - ## - ## - # --interface(`domain_mmap_low',` -+interface(`domain_mmap_low_type',` - gen_require(` - attribute mmap_low_domain_type; - ') + optional_policy(` +- cron_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- dbus_role_template(auditadm, auditadm_r, auditadm_t) +-') +- +-optional_policy(` + dmesg_exec(auditadm_t) + ') -- allow $1 self:memprotect mmap_zero; + optional_policy(` +- ethereal_role(auditadm_r, auditadm_t) +-') - - typeattribute $1 mmap_low_domain_type; +-optional_policy(` +- evolution_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- games_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- gift_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- gpg_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- gnome_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- irc_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- java_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- lockdev_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- lpd_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- mozilla_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- mplayer_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- mta_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- oident_manage_user_content(auditadm_t) +- oident_relabel_user_content(auditadm_t) +-') +- +-optional_policy(` +- pyzor_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- razor_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- rssh_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- screen_role_template(auditadm, auditadm_r, auditadm_t) 
+-') +- +-optional_policy(` +- spamassassin_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- ssh_role_template(auditadm, auditadm_r, auditadm_t) +-') +- +-optional_policy(` + secadm_role_change(auditadm_r) ') - ######################################## - ## -+## Ability to mmap a low area of the address space, -+## as configured by /proc/sys/kernel/mmap_min_addr. -+## Preventing such mappings helps protect against -+## exploiting null deref bugs in the kernel. + optional_policy(` +- su_role_template(auditadm, auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- sudo_role_template(auditadm, auditadm_r, auditadm_t) +-') +- +-optional_policy(` + sysadm_role_change(auditadm_r) + ') + +-optional_policy(` +- thunderbird_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- tvtime_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- userhelper_role_template(auditadm, auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- vmware_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- wireshark_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- uml_role(auditadm_r, auditadm_t) +-') +- +-optional_policy(` +- xserver_role(auditadm_r, auditadm_t) +-') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.6.8/policy/modules/roles/guest.fc +--- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/guest.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1 @@ ++# file contexts handled by userdomain and genhomedircon +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.6.8/policy/modules/roles/guest.if +--- nsaserefpolicy/policy/modules/roles/guest.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/guest.if 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,50 @@ ++## Least privledge terminal user role ++ 
++######################################## ++## ++## Change to the guest role. +## -+## ++## +## -+## Domain allowed to mmap low memory. ++## Role allowed access. +## +## ++## +# -+interface(`domain_mmap_low',` ++interface(`guest_role_change',` ++ gen_require(` ++ role guest_r; ++ ') + -+ allow $1 self:memprotect mmap_zero; ++ allow $1 guest_r; +') + +######################################## +## - ## Allow specified type to receive labeled - ## networking packets from all domains, over - ## all protocols (TCP, UDP, etc) -@@ -1279,6 +1296,24 @@ - - ######################################## - ## -+## Polyinstatiated access to domains. ++## Change from the guest role. +## -+## ++## ++##

++## Change from the guest role to ++## the specified role. ++##

++##

++## This is an interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

++##
++## +## -+## Domain allowed access. ++## Role allowed access. +## +## ++## +# -+interface(`domain_poly',` ++interface(`guest_role_change_to',` + gen_require(` -+ attribute polydomain; ++ role guest_r; + ') + -+ typeattribute $1 polydomain; ++ allow guest_r $1; +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.8/policy/modules/roles/guest.te +--- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/guest.te 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,26 @@ ++ ++policy_module(guest, 1.0.0) + +######################################## -+## - ## Unconfined access to domains. - ## - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.7/policy/modules/kernel/domain.te ---- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/domain.te 2009-03-03 17:11:59.000000000 -0500 -@@ -5,6 +5,13 @@ - # - # Declarations - # -+## -+##

-+## Allow all domains to use other domains file descriptors -+##

-+##
+# -+gen_tunable(allow_domain_fd_use, true) - - # Mark process types as domains - attribute domain; -@@ -15,6 +22,8 @@ - # Domains that are unconfined - attribute unconfined_domain_type; - -+attribute polydomain; -+ - # Domains that can mmap low memory. - attribute mmap_low_domain_type; - neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; -@@ -80,6 +89,8 @@ - allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; - allow domain self:file rw_file_perms; - kernel_read_proc_symlinks(domain) -+kernel_read_crypto_sysctls(domain) -+ - # Every domain gets the key ring, so we should default - # to no one allowed to look at it; afs kernel support creates - # a keyring -@@ -106,6 +117,10 @@ - ') - - optional_policy(` -+ afs_rw_cache(domain) -+') -+ -+optional_policy(` - libs_use_ld_so(domain) - libs_use_shared_libs(domain) - ') -@@ -118,6 +133,7 @@ - optional_policy(` - xserver_dontaudit_use_xdm_fds(domain) - xserver_dontaudit_rw_xdm_pipes(domain) -+ xserver_dontaudit_rw_xdm_home_files(domain) - ') - - ######################################## -@@ -136,6 +152,9 @@ - allow unconfined_domain_type domain:fd use; - allow unconfined_domain_type domain:fifo_file rw_file_perms; - -+allow unconfined_domain_type domain:dbus send_msg; -+allow domain unconfined_domain_type:dbus send_msg; -+ - # Act upon any other process. 
- allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; - -@@ -145,7 +164,7 @@ - - # For /proc/pid - allow unconfined_domain_type domain:dir list_dir_perms; --allow unconfined_domain_type domain:file read_file_perms; -+allow unconfined_domain_type domain:file rw_file_perms; - allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; - - # act on all domains keys -@@ -153,3 +172,43 @@ - - # receive from all domains over labeled networking - domain_all_recvfrom_all_domains(unconfined_domain_type) ++# Declarations ++# + -+tunable_policy(`allow_domain_fd_use',` -+ # Allow all domains to use fds past to them -+ allow domain domain:fd use; -+') ++role xguest_r; + -+optional_policy(` -+ cron_dontaudit_write_system_job_tmp_files(domain) -+ cron_rw_pipes(domain) -+ cron_rw_system_job_pipes(domain) -+ifdef(`hide_broken_symptoms',` -+ allow domain domain:key { link search }; -+') -+') ++userdom_restricted_user_template(guest) + -+optional_policy(` -+ rpm_rw_pipes(domain) -+ rpm_dontaudit_use_script_fds(domain) -+ rpm_dontaudit_write_pid_files(domain) -+') ++######################################## ++# ++# Local policy ++# + +optional_policy(` -+ rhgb_dontaudit_use_ptys(domain) ++ java_role_template(guest, guest_r, guest_t) +') + +optional_policy(` -+ unconfined_dontaudit_rw_pipes(domain) -+ unconfined_sigchld(domain) -+') -+ -+# broken kernel -+dontaudit can_change_object_identity can_change_object_identity:key link; -+ -+tunable_policy(`allow_polyinstantiation',` -+ files_polyinstantiate_all(polydomain) -+ userdom_manage_user_home_content_dirs(polydomain) -+ userdom_manage_user_home_content_files(polydomain) -+ userdom_relabelto_user_home_dirs(polydomain) -+ userdom_relabelto_user_home_files(polydomain) ++ mono_role_template(guest, guest_r, guest_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc 
serefpolicy-3.6.7/policy/modules/kernel/files.fc ---- nsaserefpolicy/policy/modules/kernel/files.fc 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/files.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -8,6 +8,8 @@ - /initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) - /vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) - -+/afs -d gen_context(system_u:object_r:mnt_t,s0) -+ - ifdef(`distro_redhat',` - /\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0) - /\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -50,6 +52,7 @@ - /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) -+/etc/hosts.deny -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) -@@ -228,6 +231,8 @@ - - /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - -+/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) -+ - /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) - - /var/lib/nfs/rpc_pipefs(/.*)? 
<> -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.7/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/files.if 2009-03-04 08:43:36.000000000 -0500 -@@ -110,6 +110,11 @@ - ## - # - interface(`files_config_file',` -+ gen_require(` -+ attribute etcfile; -+ ') -+ -+ typeattribute $1 etcfile; - files_type($1) - ') - -@@ -928,8 +933,8 @@ - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) -- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) -- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) -+ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) -+ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) - - # satisfy the assertions: - seutil_relabelto_bin_policy($1) -@@ -1086,6 +1091,24 @@ - ##
- ## - # -+interface(`files_relabel_all_file_type_fs',` -+ gen_require(` -+ attribute file_type; -+ ') + -+ allow $1 file_type:filesystem { relabelfrom relabelto }; -+') ++gen_user(guest_u, user, guest_r, s0, s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.6.8/policy/modules/roles/logadm.fc +--- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/logadm.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1 @@ ++# file contexts handled by userdomain and genhomedircon +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.6.8/policy/modules/roles/logadm.if +--- nsaserefpolicy/policy/modules/roles/logadm.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/logadm.if 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,50 @@ ++## Log administrator role + +######################################## +## -+## Relabel a filesystem to the type of a file. ++## Change to the log administrator role. +## -+## ++## +## -+## Domain allowed access. ++## Role allowed access. +## +## ++## +# - interface(`files_relabelto_all_file_type_fs',` - gen_require(` - attribute file_type; -@@ -1695,6 +1718,25 @@ - - ######################################## - ## -+## Manage a filesystem on a directory with the default file type. ++interface(`logadm_role_change',` ++ gen_require(` ++ role logadm_r; ++ ') ++ ++ allow $1 logadm_r; ++') ++ ++######################################## ++## ++## Change from the log administrator role. +## -+## ++## ++##

++## Change from the log administrator role to ++## the specified role. ++##

++##

++## This is an interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

++##
++## +## -+## Domain allowed access. ++## Role allowed access. +## +## ++## +# -+interface(`files_manage_default',` ++interface(`logadm_role_change_to',` + gen_require(` -+ type default_t; ++ role logadm_r; + ') + -+ manage_dirs_pattern($1, default_t, default_t) -+ manage_files_pattern($1, default_t, default_t) ++ allow logadm_r $1; +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.6.8/policy/modules/roles/logadm.te +--- nsaserefpolicy/policy/modules/roles/logadm.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/logadm.te 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,20 @@ + -+######################################## -+## - ## Mount a filesystem on a directory with the default file type. - ## - ## -@@ -1915,6 +1957,26 @@ - - ######################################## - ## -+## Read config files in /etc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_config_files',` -+ gen_require(` -+ attribute etcfile; -+ ') -+ -+ allow $1 etcfile:dir list_dir_perms; -+ read_files_pattern($1, etcfile, etcfile) -+ read_lnk_files_pattern($1, etcfile, etcfile) -+') ++policy_module(logadm, 1.0.0) + +######################################## -+## - ## Do not audit attempts to write generic files in /etc. - ## - ## -@@ -2250,6 +2312,49 @@ - - ######################################## - ## -+## Delete directories on new filesystems -+## that have not yet been labeled. -+## -+## -+## -+## Domain allowed access. -+## -+## +# -+interface(`files_delete_isid_type_dirs',` -+ gen_require(` -+ type file_t; -+ ') ++# Declarations ++# + -+ delete_dirs_pattern($1, file_t, file_t) -+') ++role logadm_r; ++ ++userdom_base_user_template(logadm) + +######################################## -+## -+## Delete files on new filesystems -+## that have not yet been labeled. -+## -+## -+## -+## Domain allowed access. 
-+## -+## +# -+interface(`files_delete_isid_type_files',` -+ gen_require(` -+ type file_t; -+ ') ++# logadmin local policy ++# + -+ delete_files_pattern($1, file_t, file_t) -+ delete_lnk_files_pattern($1, file_t, file_t) -+ delete_fifo_files_pattern($1, file_t, file_t) -+ delete_sock_files_pattern($1, file_t, file_t) -+ delete_blk_files_pattern($1, file_t, file_t) -+ delete_chr_files_pattern($1, file_t, file_t) -+') ++allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; + -+######################################## -+## - ## Do not audit attempts to search directories on new filesystems - ## that have not yet been labeled. - ## -@@ -3456,6 +3561,8 @@ - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) -+ files_delete_isid_type_dirs($1) -+ files_delete_isid_type_files($1) ++logging_admin(logadm_t, logadm_r) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.6.8/policy/modules/roles/secadm.te +--- nsaserefpolicy/policy/modules/roles/secadm.te 2008-11-11 16:13:47.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/secadm.te 2009-03-05 15:25:24.000000000 -0500 +@@ -45,154 +45,18 @@ ') - ######################################## -@@ -3546,7 +3653,7 @@ - type usr_t; - ') - -- allow $1 usr_t:file delete_dir_perms; -+ delete_dirs_pattern($1, usr_t, usr_t) + optional_policy(` +- apache_role(secadm_r, secadm_t) +-') +- +-optional_policy(` + auditadm_role_change(secadm_r) ') - ######################################## -@@ -3564,7 +3671,12 @@ - type usr_t; - ') - -- allow $1 usr_t:file delete_file_perms; -+ delete_files_pattern($1, usr_t, usr_t) -+ delete_lnk_files_pattern($1, usr_t, usr_t) -+ delete_fifo_files_pattern($1, usr_t, usr_t) -+ delete_sock_files_pattern($1, usr_t, usr_t) -+ delete_blk_files_pattern($1, usr_t, usr_t) -+ delete_chr_files_pattern($1, usr_t, 
usr_t) + optional_policy(` +- bluetooth_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- cdrecord_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- cron_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- dbus_role_template(secadm, secadm_r, secadm_t) +-') +- +-optional_policy(` + dmesg_exec(secadm_t) ') - ######################################## -@@ -4532,7 +4644,8 @@ - type var_t, var_run_t; - ') - -- read_files_pattern($1, { var_t var_run_t }, var_run_t) -+ list_dirs_pattern($1,var_t,var_run_t) -+ read_files_pattern($1, var_run_t, var_run_t) + optional_policy(` +- ethereal_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- evolution_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- games_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- gift_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- gnome_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- gpg_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- irc_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- java_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- lockdev_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- lpd_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- mozilla_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- mplayer_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- mta_role(secadm_r, secadm_t) +-') +- +-optional_policy(` + netlabel_run_mgmt(secadm_t, secadm_r) ') - ######################################## -@@ -4873,7 +4986,7 @@ - selinux_compute_member($1) - - # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin }; -+ allow $1 self:capability { chown fsetid sys_admin fowner }; - - # Need to give access to the directories to be polyinstantiated - allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4895,12 +5008,15 @@ - allow $1 poly_t:dir { create mounton }; - fs_unmount_xattr_fs($1) + optional_policy(` +- 
oident_manage_user_content(secadm_t) +- oident_relabel_user_content(secadm_t) +-') +- +-optional_policy(` +- pyzor_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- razor_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- rssh_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- screen_role_template(secadm, secadm_r, secadm_t) +-') +- +-optional_policy(` +- spamassassin_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- ssh_role_template(secadm, secadm_r, secadm_t) +-') +- +-optional_policy(` +- su_role_template(secadm, secadm_r, secadm_t) +-') +- +-optional_policy(` +- sudo_role_template(secadm, secadm_r, secadm_t) +-') +- +-optional_policy(` + sysadm_role_change(secadm_r) + ') -+ fs_mount_tmpfs($1) -+ fs_unmount_tmpfs($1) -+ - ifdef(`distro_redhat',` - # namespace.init -+ files_search_tmp($1) - files_search_home($1) - corecmd_exec_bin($1) - seutil_domtrans_setfiles($1) -- mount_domtrans($1) - ') - ') - -@@ -4921,3 +5037,95 @@ - - typeattribute $1 files_unconfined_type; - ') -+ -+######################################## -+## -+## Create a core files in / -+## -+## -+##

-+## Create a core file in /, -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_dump_core',` -+ gen_require(` -+ type root_t; -+ ') -+ -+ manage_files_pattern($1, root_t, root_t) -+') -+ -+######################################## -+## -+## Create a default directory in / -+## -+## -+##

-+## Create a default_t direcrory in / -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_create_default_dir',` -+ gen_require(` -+ type root_t, default_t; -+ ') -+ -+ allow $1 default_t:dir create; -+ filetrans_pattern($1, root_t, default_t, dir) -+') -+ -+######################################## -+## -+## manage generic symbolic links -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_pids_symlinks',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ manage_lnk_files_pattern($1,var_run_t,var_run_t) -+') -+ -+######################################## -+## -+## manage generic symbolic links -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_boot',` -+ gen_require(` -+ type root_t; -+ ') -+ -+ allow $1 root_t:blk_file manage_blk_file_perms; -+ allow $1 root_t:chr_file manage_chr_file_perms; -+ manage_dirs_pattern($1, root_t, root_t) -+ manage_files_pattern($1, root_t, root_t) -+ manage_lnk_files_pattern($1, root_t, root_t) -+ can_exec(kernel_t, root_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.7/policy/modules/kernel/files.te ---- nsaserefpolicy/policy/modules/kernel/files.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/files.te 2009-03-03 17:11:59.000000000 -0500 -@@ -52,7 +52,9 @@ - # - # etc_t is the type of the system etc directories. 
- # --type etc_t; -+attribute etcfile; -+ -+type etc_t, etcfile; - files_type(etc_t) - # compatibility aliases for removed types: - typealias etc_t alias automount_etc_t; -@@ -198,10 +200,7 @@ - # - # Rules for all tmp file types +-optional_policy(` +- thunderbird_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- tvtime_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- uml_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- userhelper_role_template(secadm, secadm_r, secadm_t) +-') +- +-optional_policy(` +- vmware_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- wireshark_role(secadm_r, secadm_t) +-') +- +-optional_policy(` +- xserver_role(secadm_r, secadm_t) +-') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.8/policy/modules/roles/staff.te +--- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/staff.te 2009-03-05 15:25:24.000000000 -0500 +@@ -15,156 +15,88 @@ + # Local policy # + +-optional_policy(` +- apache_role(staff_r, staff_t) +-') - --allow tmpfile tmp_t:filesystem associate; +-optional_policy(` +- auth_role(staff_r, staff_t) +-') - --fs_associate_tmpfs(tmpfile) -+allow file_type tmp_t:filesystem associate; +-optional_policy(` +- auditadm_role_change(staff_r) +-') +- +-optional_policy(` +- bluetooth_role(staff_r, staff_t) +-') +- +-optional_policy(` +- cdrecord_role(staff_r, staff_t) +-') +- +-optional_policy(` +- cron_role(staff_r, staff_t) +-') +- +-optional_policy(` +- dbus_role_template(staff, staff_r, staff_t) +-') +- +-optional_policy(` +- ethereal_role(staff_r, staff_t) +-') +- +-optional_policy(` +- evolution_role(staff_r, staff_t) +-') +- +-optional_policy(` +- games_role(staff_r, staff_t) +-') +- +-optional_policy(` +- gift_role(staff_r, staff_t) +-') +- +-optional_policy(` +- gnome_role(staff_r, staff_t) +-') +- +-optional_policy(` +- gpg_role(staff_r, staff_t) +-') +- 
+-optional_policy(` +- irc_role(staff_r, staff_t) +-') +- +-optional_policy(` +- java_role(staff_r, staff_t) +-') ++kernel_read_ring_buffer(staff_t) ++kernel_getattr_core_if(staff_t) ++kernel_getattr_message_if(staff_t) ++kernel_read_software_raid_state(staff_t) - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.7/policy/modules/kernel/filesystem.fc ---- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/kernel/filesystem.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1 +1 @@ --# This module currently does not have any file contexts. -+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.7/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-02 16:51:45.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/filesystem.if 2009-03-03 17:11:59.000000000 -0500 -@@ -534,6 +534,24 @@ +-optional_policy(` +- lockdev_role(staff_r, staff_t) +-') ++auth_domtrans_pam_console(staff_t) - ######################################## - ## -+## Mounton a CIFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mounton_cifs',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ allow $1 cifs_t:dir mounton; -+') -+ -+######################################## -+## - ## Remount a CIFS or SMB network filesystem. - ## This allows some mount options to be changed. 
- ## -@@ -736,6 +754,7 @@ - attribute noxattrfs; - ') +-optional_policy(` +- lpd_role(staff_r, staff_t) +-') ++libs_manage_shared_libs(staff_t) -+ list_dirs_pattern($1, noxattrfs, noxattrfs) - read_files_pattern($1, noxattrfs, noxattrfs) +-optional_policy(` +- mozilla_role(staff_r, staff_t) +-') ++seutil_run_newrole(staff_t, staff_r) ++netutils_run_ping(staff_t, staff_r) + + optional_policy(` +- mplayer_role(staff_r, staff_t) ++ sudo_role_template(staff, staff_r, staff_t) ') -@@ -778,6 +797,25 @@ - ######################################## - ## - ## Do not audit attempts to read -+## dirs on a CIFS or SMB filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_list_cifs_dirs',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ dontaudit $1 cifs_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read - ## files on a CIFS or SMB filesystem. - ## - ## -@@ -954,6 +992,46 @@ + optional_policy(` +- mta_role(staff_r, staff_t) ++ auditadm_role_change(staff_r) + ') - ######################################## - ## -+## Append files -+## on a CIFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_append_cifs_files',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ append_files_pattern($1, cifs_t, cifs_t) -+') -+ -+######################################## -+## -+## dontaudit Append files -+## on a CIFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_dontaudit_append_cifs_files',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ dontaudit $1 cifs_t:file append; -+') -+ -+######################################## -+## - ## Do not audit attempts to create, read, - ## write, and delete files - ## on a CIFS or SMB network filesystem. 
-@@ -1208,6 +1286,25 @@ + optional_policy(` +- oident_manage_user_content(staff_t) +- oident_relabel_user_content(staff_t) ++ kerneloops_manage_tmp_files(staff_t) + ') - ######################################## - ## -+## Create, read, write, and delete dirs -+## on a DOS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_manage_dos_dirs',` -+ gen_require(` -+ type dosfs_t; -+ ') -+ -+ manage_dirs_pattern($1, dosfs_t, dosfs_t) -+') -+ -+######################################## -+## - ## Create, read, write, and delete files - ## on a DOS filesystem. - ## -@@ -1477,6 +1574,24 @@ + optional_policy(` +- pyzor_role(staff_r, staff_t) ++ logadm_role_change(staff_r) + ') - ######################################## - ## -+## Mounton a NFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mounton_nfs',` -+ gen_require(` -+ type nfs_t; -+ ') -+ -+ allow $1 nfs_t:dir mounton; -+') -+ -+######################################## -+## - ## Remount a NFS filesystem. This allows - ## some mount options to be changed. - ## -@@ -1680,7 +1795,7 @@ - type nfs_t; - ') + optional_policy(` +- razor_role(staff_r, staff_t) ++ secadm_role_change(staff_r) + ') -- dontaudit $1 nfs_t:file { read write }; -+ dontaudit $1 nfs_t:file rw_file_perms; + optional_policy(` +- rssh_role(staff_r, staff_t) ++ ssh_role_template(staff, staff_r, staff_t) ') - ######################################## -@@ -2018,6 +2133,47 @@ + optional_policy(` +- screen_role_template(staff, staff_r, staff_t) ++ sysadm_role_change(staff_r) + ') - ######################################## - ## -+## Append files -+## on a NFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_append_nfs_files',` -+ gen_require(` -+ type nfs_t; -+ ') -+ -+ append_files_pattern($1, nfs_t, nfs_t) -+') -+ -+######################################## -+## -+## dontaudit Append files -+## on a NFS filesystem. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_dontaudit_append_nfs_files',` -+ gen_require(` -+ type nfs_t; -+ ') -+ -+ dontaudit $1 nfs_t:file append; -+') -+ -+ -+######################################## -+## - ## Do not audit attempts to create, - ## read, write, and delete files - ## on a NFS filesystem. -@@ -3012,6 +3168,7 @@ - type tmpfs_t; - ') + optional_policy(` +- secadm_role_change(staff_r) ++ usernetctl_run(staff_t, staff_r) + ') -+ dontaudit $1 tmpfs_t:dir rw_dir_perms; - dontaudit $1 tmpfs_t:file rw_file_perms; + optional_policy(` +- spamassassin_role(staff_r, staff_t) ++ unconfined_role_change(staff_r) ') -@@ -3148,6 +3305,25 @@ + optional_policy(` +- ssh_role_template(staff, staff_r, staff_t) ++ webadm_role_change(staff_r) + ') - ######################################## - ## -+## Read and write block nodes on removable filesystems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_rw_removable_blk_files',` -+ gen_require(` -+ type removable_t; -+ ') -+ -+ allow $1 removable_t:dir list_dir_perms; -+ rw_blk_files_pattern($1, removable_t, removable_t) -+') -+ -+######################################## -+## - ## Relabel block nodes on tmpfs filesystems. 
- ## - ## -@@ -3333,6 +3509,7 @@ - ') +-optional_policy(` +- su_role_template(staff, staff_r, staff_t) +-') ++domain_read_all_domains_state(staff_t) ++domain_getattr_all_domains(staff_t) ++domain_obj_id_change_exemption(staff_t) - allow $1 filesystem_type:filesystem getattr; -+ files_getattr_all_file_type_fs($1) +-optional_policy(` +- sudo_role_template(staff, staff_r, staff_t) +-') ++files_read_kernel_modules(staff_t) + +-optional_policy(` +- sysadm_role_change(staff_r) +- userdom_dontaudit_use_user_terminals(staff_t) +-') ++kernel_read_fs_sysctls(staff_t) + +-optional_policy(` +- thunderbird_role(staff_r, staff_t) +-') ++modutils_read_module_config(staff_t) ++modutils_read_module_deps(staff_t) + +-optional_policy(` +- tvtime_role(staff_r, staff_t) +-') ++miscfiles_read_hwdata(staff_t) + + optional_policy(` +- uml_role(staff_r, staff_t) ++ gnomeclock_dbus_chat(staff_t) ') - ######################################## -@@ -3660,3 +3837,142 @@ - relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) + optional_policy(` +- userhelper_role_template(staff, staff_r, staff_t) ++ kerneloops_dbus_chat(staff_t) ') -+ -+######################################## -+## -+## Search directories -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_search_fusefs_dirs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete directories -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_manage_fusefs_dirs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to create, read, -+## write, and delete directories -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`fs_dontaudit_manage_fusefs_dirs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ dontaudit $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete files -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_manage_fusefs_files',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ manage_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## -+## Read, a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_read_fusefs_files',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ read_files_pattern($1,fusefs_t,fusefs_t) -+') -+ -+######################################## -+## -+## Read symbolic links on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_read_fusefs_symlinks',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ allow $1 fusefs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+ -+######################################## -+## -+## Do not audit attempts to create, -+## read, write, and delete files -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_manage_fusefs_files',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ dontaudit $1 fusefs_t:file manage_file_perms; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.7/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-03-02 16:51:45.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/filesystem.te 2009-03-03 17:11:59.000000000 -0500 -@@ -21,7 +21,7 @@ - - # Use xattrs for the following filesystem types. - # Requires that a security xattr handler exist for the filesystem. 
--fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0); -+fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); -@@ -33,7 +33,6 @@ - fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); --fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0); - - # Use the allocating task SID to label inodes in the following filesystem - # types, and label the filesystem itself with the specified context. -@@ -77,6 +76,11 @@ - allow cpusetfs_t self:filesystem associate; - genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0) - -+type ecryptfs_t; -+fs_noxattr_type(ecryptfs_t) -+files_mountpoint(ecryptfs_t) -+genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) -+ - type eventpollfs_t; - fs_type(eventpollfs_t) - # change to task SID 20060628 -@@ -142,6 +146,8 @@ - fs_noxattr_type(vmblock_t) - files_mountpoint(vmblock_t) - genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) -+genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0) -+genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0) - - type vxfs_t; - fs_noxattr_type(vxfs_t) -@@ -242,6 +248,8 @@ - genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) - genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) - genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) -+genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) -+genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0) - - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.7/policy/modules/kernel/kernel.if ---- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 
15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/kernel.if 2009-03-03 17:11:59.000000000 -0500 -@@ -1197,6 +1197,26 @@ - ') - dontaudit $1 proc_type:dir list_dir_perms; -+ dontaudit $1 proc_type:file getattr; -+') -+ -+######################################## -+## -+## Allow attempts to list all proc directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`kernel_list_all_proc',` -+ gen_require(` -+ attribute proc_type; -+ ') -+ -+ allow $1 proc_type:dir list_dir_perms; -+ allow $1 proc_type:file getattr; + optional_policy(` +- vmware_role(staff_r, staff_t) ++ rpm_dbus_chat(staff_usertype) ') - ######################################## -@@ -1233,9 +1253,11 @@ - interface(`kernel_read_sysctl',` - gen_require(` - type sysctl_t; -+ type proc_t; - ') - - list_dirs_pattern($1, proc_t, sysctl_t) -+ read_files_pattern($1, sysctl_t, sysctl_t) + optional_policy(` +- wireshark_role(staff_r, staff_t) ++ setroubleshoot_stream_connect(staff_t) ++ setroubleshoot_dbus_chat(staff_t) ') - ######################################## -@@ -1568,6 +1590,26 @@ + optional_policy(` +- xserver_role(staff_r, staff_t) ++ virt_stream_connect(staff_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.8/policy/modules/roles/sysadm.if +--- nsaserefpolicy/policy/modules/roles/sysadm.if 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/sysadm.if 2009-03-05 15:25:24.000000000 -0500 +@@ -116,41 +116,6 @@ ######################################## ## -+## Read generic crypto sysctls. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`kernel_read_crypto_sysctls',` -+ gen_require(` -+ type proc_t, sysctl_t, sysctl_crypto_t; -+ ') -+ -+ read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) -+ -+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) -+') -+ -+######################################## -+## - ## Read generic kernel sysctls. - ## - ## -@@ -1767,6 +1809,7 @@ - ') +-## Allow sysadm to execute all entrypoint files in +-## a specified domain. This is an explicit transition, +-## requiring the caller to use setexeccon(). +-## +-## +-##

+-## Allow sysadm to execute all entrypoint files in +-## a specified domain. This is an explicit transition, +-## requiring the caller to use setexeccon(). +-##

+-##

+-## This is a interface to support third party modules +-## and its use is not allowed in upstream reference +-## policy. +-##

+-##
+-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`sysadm_entry_spec_domtrans_to',` +- gen_require(` +- type sysadm_t; +- ') +- +- domain_entry_file_spec_domtrans(sysadm_t, $1) +- allow $1 sysadm_t:fd use; +- allow $1 sysadm_t:fifo_file rw_file_perms; +- allow $1 sysadm_t:process sigchld; +-') +- +-######################################## +-## + ## Allow sysadm to execute a generic bin program in + ## a specified domain. This is an explicit transition, + ## requiring the caller to use setexeccon(). +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.8/policy/modules/roles/sysadm.te +--- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/sysadm.te 2009-03-05 15:25:24.000000000 -0500 +@@ -15,7 +15,7 @@ - dontaudit $1 sysctl_type:dir list_dir_perms; -+ dontaudit $1 sysctl_type:file read_file_perms; - ') + role sysadm_r; - ######################################## -@@ -2580,6 +2623,24 @@ +-userdom_admin_user_template(sysadm) ++userdom_admin_login_user_template(sysadm) - ######################################## - ## -+## Relabel to unlabeled context . -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kernel_relabelto_unlabeled',` -+ gen_require(` -+ type unlabeled_t; -+ ') -+ -+ allow $1 unlabeled_t:dir_file_class_set relabelto; -+') -+ -+######################################## -+## - ## Unconfined access to kernel module resources. 
- ## - ## -@@ -2595,3 +2656,23 @@ + ifndef(`enable_mls',` + userdom_security_admin_template(sysadm_t, sysadm_r) +@@ -70,7 +70,6 @@ + apache_run_helper(sysadm_t, sysadm_r) + #apache_run_all_scripts(sysadm_t, sysadm_r) + #apache_domtrans_sys_script(sysadm_t) +- apache_role(sysadm_r, sysadm_t) + ') - typeattribute $1 kern_unconfined; + optional_policy(` +@@ -87,10 +86,6 @@ ') -+ -+######################################## -+## -+## Allow the specified domain to connect to -+## the kernel with a unix socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kernel_stream_connect',` -+ gen_require(` -+ type kernel_t; -+ ') -+ -+ allow $1 kernel_t:unix_stream_socket connectto; -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.7/policy/modules/kernel/kernel.te ---- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/kernel.te 2009-03-03 17:11:59.000000000 -0500 -@@ -1,5 +1,5 @@ --policy_module(kernel, 1.10.3) -+policy_module(kernel, 1.10.2) + optional_policy(` +- auth_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` + backup_run(sysadm_t, sysadm_r) + ') - ######################################## - # -@@ -63,6 +63,15 @@ - genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) +@@ -99,18 +94,10 @@ + ') - # -+# infinibandeventfs fs -+# -+ -+type infinibandeventfs_t; -+fs_type(infinibandeventfs_t) -+allow infinibandeventfs_t self:filesystem associate; -+genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) -+ -+# - # kvmFS - # - -@@ -120,6 +129,10 @@ - type sysctl_rpc_t, sysctl_type; - genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) - -+# /proc/sys/crypto directory and files -+type sysctl_crypto_t, sysctl_type; -+genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0) -+ - # /proc/sys/fs directory and files - type 
sysctl_fs_t, sysctl_type; - files_mountpoint(sysctl_fs_t) -@@ -160,6 +173,7 @@ - # - type unlabeled_t; - sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -+fs_associate(unlabeled_t) - - # These initial sids are no longer used, and can be removed: - sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -198,6 +212,8 @@ - allow kernel_t self:sock_file read_sock_file_perms; - allow kernel_t self:fd use; - -+allow kernel_t debugfs_t:dir search; -+ - allow kernel_t proc_t:dir list_dir_perms; - allow kernel_t proc_t:file read_file_perms; - allow kernel_t proc_t:lnk_file read_lnk_file_perms; -@@ -248,7 +264,8 @@ - - selinux_load_policy(kernel_t) - --term_use_console(kernel_t) -+term_use_all_terms(kernel_t) -+term_use_ptmx(kernel_t) - - corecmd_exec_shell(kernel_t) - corecmd_list_bin(kernel_t) -@@ -262,6 +279,8 @@ - files_list_etc(kernel_t) - files_list_home(kernel_t) - files_read_usr_files(kernel_t) -+files_manage_mounttab(kernel_t) -+files_manage_generic_spool_dirs(kernel_t) - - mcs_process_set_categories(kernel_t) - -@@ -269,12 +288,18 @@ - mls_process_write_down(kernel_t) - mls_file_write_all_levels(kernel_t) - mls_file_read_all_levels(kernel_t) -+mls_socket_write_all_levels(kernel_t) -+mls_fd_share_all_levels(kernel_t) -+ -+logging_manage_generic_logs(kernel_t) - - ifdef(`distro_redhat',` - # Bugzilla 222337 - fs_rw_tmpfs_chr_files(kernel_t) - ') - -+userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) -+ - tunable_policy(`read_default_t',` - files_list_default(kernel_t) - files_read_default_files(kernel_t) -@@ -359,6 +384,10 @@ - unconfined_domain(kernel_t) - ') - -+optional_policy(` -+ xserver_xdm_manage_spool(kernel_t) -+') -+ - ######################################## - # - # Unlabeled process local policy -@@ -388,3 +417,5 @@ - allow kern_unconfined unlabeled_t:association *; - allow kern_unconfined unlabeled_t:packet *; - allow kern_unconfined unlabeled_t:process ~{ transition dyntransition 
execmem execstack execheap }; -+ -+files_boot(kernel_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.7/policy/modules/kernel/selinux.if ---- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/selinux.if 2009-03-03 17:11:59.000000000 -0500 -@@ -40,7 +40,7 @@ - - # because of this statement, any module which - # calls this interface must be in the base module: -- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) -+# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) + optional_policy(` +- bluetooth_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` + bootloader_run(sysadm_t, sysadm_r) ') - ######################################## -@@ -202,6 +202,7 @@ - type security_t; - ') - -+ selinux_dontaudit_getattr_fs($1) - dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file read_file_perms; + optional_policy(` +- cdrecord_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` + certwatch_run(sysadm_t, sysadm_r) ') -@@ -223,6 +224,7 @@ - type security_t; - ') -+ selinux_get_fs_mount($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; +@@ -127,18 +114,10 @@ ') -@@ -404,6 +406,7 @@ - ') - - allow $1 security_t:dir list_dir_perms; -+ allow $1 boolean_type:dir list_dir_perms; - allow $1 boolean_type:file rw_file_perms; - - if(!secure_mode_policyload) { -@@ -622,3 +625,23 @@ - typeattribute $1 selinux_unconfined_type; + optional_policy(` +- cron_admin_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` + cvs_exec(sysadm_t) ') -+ -+######################################## -+## -+## Generate a file context for a boolean type -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`selinux_genbool',` -+ gen_require(` -+ attribute boolean_type; -+ ') -+ -+ type $1, boolean_type; -+ fs_type($1) -+ mls_trusted_object($1) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.7/policy/modules/kernel/storage.fc ---- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-08 19:00:23.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/kernel/storage.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -36,7 +36,7 @@ - /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) - /dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) --/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - ifdef(`distro_redhat', ` - /dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -57,7 +57,7 @@ - - /dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - --/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,mls_systemhigh) -+/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) - /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) - /dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -67,6 +67,8 @@ - /dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - -+/dev/device-mapper -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+ - /dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - - /dev/scramdisk/.* -b 
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.7/policy/modules/kernel/storage.if ---- nsaserefpolicy/policy/modules/kernel/storage.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/storage.if 2009-03-03 17:11:59.000000000 -0500 -@@ -207,6 +207,7 @@ - dev_list_all_dev_nodes($1) - allow $1 self:capability mknod; - allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms; -+ allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms; - typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; + optional_policy(` +- dbus_role_template(sysadm, sysadm_r, sysadm_t) +-') +- +-optional_policy(` + dcc_run_cdcc(sysadm_t, sysadm_r) + dcc_run_client(sysadm_t, sysadm_r) + dcc_run_dbclean(sysadm_t, sysadm_r) +@@ -166,10 +145,6 @@ ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.7/policy/modules/kernel/terminal.if ---- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/kernel/terminal.if 2009-03-03 17:11:59.000000000 -0500 -@@ -173,7 +173,7 @@ - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; -- allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; -+ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; + optional_policy(` +- evolution_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` + firstboot_run(sysadm_t, sysadm_r) ') - ######################################## -@@ -250,9 +250,11 @@ - interface(`term_dontaudit_use_console',` - gen_require(` - type console_device_t; -+ type tty_device_t; - ') - - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; -+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; +@@ -178,22 +153,6 @@ ') - 
######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.6.7/policy/modules/roles/auditadm.te ---- nsaserefpolicy/policy/modules/roles/auditadm.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/auditadm.te 2009-03-03 17:11:59.000000000 -0500 -@@ -17,6 +17,8 @@ - - allow auditadm_t self:capability { dac_read_search dac_override }; - -+kernel_read_ring_buffer(auditadm_t) -+ - corecmd_exec_shell(auditadm_t) - - domain_kill_all_domains(auditadm_t) -@@ -32,158 +34,18 @@ - seutil_read_bin_policy(auditadm_t) - optional_policy(` -- apache_role(auditadm_r, auditadm_t) +- games_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- auth_role(auditadm_r, auditadm_t) +- gift_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- bluetooth_role(auditadm_r, auditadm_t) +- gnome_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- cdrecord_role(auditadm_r, auditadm_t) +- gpg_role(sysadm_r, sysadm_t) -') - -optional_policy(` - consoletype_exec(auditadm_t) + hostname_run(sysadm_t, sysadm_r) + ') + +@@ -212,11 +171,7 @@ ') optional_policy(` -- cron_role(auditadm_r, auditadm_t) +- irc_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- dbus_role_template(auditadm, auditadm_r, auditadm_t) +- java_role(sysadm_r, sysadm_t) ++ kerberos_exec_kadmind(sysadm_t) + ') + + optional_policy(` +@@ -228,10 +183,6 @@ + ') + + optional_policy(` +- lockdev_role(sysadm_r, sysadm_t) -') - -optional_policy(` - dmesg_exec(auditadm_t) + logrotate_run(sysadm_t, sysadm_r) + ') + +@@ -255,14 +206,6 @@ ') optional_policy(` -- ethereal_role(auditadm_r, auditadm_t) +- mozilla_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- evolution_role(auditadm_r, auditadm_t) +- mplayer_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- games_role(auditadm_r, auditadm_t) --') -- --optional_policy(` -- gift_role(auditadm_r, auditadm_t) + mta_role(sysadm_r, sysadm_t) + ') + +@@ 
-290,11 +233,6 @@ + ') + + optional_policy(` +- oident_manage_user_content(sysadm_t) +- oident_relabel_user_content(sysadm_t) -') - -optional_policy(` -- gpg_role(auditadm_r, auditadm_t) + pcmcia_run_cardctl(sysadm_t, sysadm_r) + ') + +@@ -308,10 +246,6 @@ + ') + + optional_policy(` +- pyzor_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- gnome_role(auditadm_r, auditadm_t) + quota_run(sysadm_t, sysadm_r) + ') + +@@ -320,22 +254,10 @@ + ') + + optional_policy(` +- razor_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- irc_role(auditadm_r, auditadm_t) + rpc_domtrans_nfsd(sysadm_t) + ') + + optional_policy(` +- rpm_run(sysadm_t, sysadm_r) -') - -optional_policy(` -- java_role(auditadm_r, auditadm_t) +- rssh_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- lockdev_role(auditadm_r, auditadm_t) + rsync_exec(sysadm_t) + ') + +@@ -345,10 +267,6 @@ + ') + + optional_policy(` +- screen_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` -- lpd_role(auditadm_r, auditadm_t) + secadm_role_change(sysadm_r) + ') + +@@ -358,35 +276,15 @@ + ') + + optional_policy(` +- spamassassin_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- mozilla_role(auditadm_r, auditadm_t) +- ssh_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` -- mplayer_role(auditadm_r, auditadm_t) + staff_role_change(sysadm_r) + ') + + optional_policy(` +- su_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` -- mta_role(auditadm_r, auditadm_t) +- sudo_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` -- oident_manage_user_content(auditadm_t) -- oident_relabel_user_content(auditadm_t) + sysnet_run_ifconfig(sysadm_t, sysadm_r) + sysnet_run_dhcpc(sysadm_t, sysadm_r) + ') + + optional_policy(` +- thunderbird_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- pyzor_role(auditadm_r, auditadm_t) + tripwire_run_siggen(sysadm_t, sysadm_r) + tripwire_run_tripwire(sysadm_t, sysadm_r) + tripwire_run_twadmin(sysadm_t, sysadm_r) +@@ -394,18 +292,10 
@@ + ') + + optional_policy(` +- tvtime_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- razor_role(auditadm_r, auditadm_t) + tzdata_domtrans(sysadm_t) + ') + + optional_policy(` +- uml_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- rssh_role(auditadm_r, auditadm_t) + unconfined_domtrans(sysadm_t) + ') + +@@ -418,20 +308,12 @@ + ') + + optional_policy(` +- userhelper_role_template(sysadm, sysadm_r, sysadm_t) -') - -optional_policy(` -- screen_role_template(auditadm, auditadm_r, auditadm_t) + usermanage_run_admin_passwd(sysadm_t, sysadm_r) + usermanage_run_groupadd(sysadm_t, sysadm_r) + usermanage_run_useradd(sysadm_t, sysadm_r) + ') + + optional_policy(` +- vmware_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- spamassassin_role(auditadm_r, auditadm_t) + vpn_run(sysadm_t, sysadm_r) + ') + +@@ -440,13 +322,5 @@ + ') + + optional_policy(` +- wireshark_role(sysadm_r, sysadm_t) -') - -optional_policy(` -- ssh_role_template(auditadm, auditadm_r, auditadm_t) +- xserver_role(sysadm_r, sysadm_t) -') - -optional_policy(` - secadm_role_change(auditadm_r) + yam_run(sysadm_t, sysadm_r) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.8/policy/modules/roles/unprivuser.te +--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/unprivuser.te 2009-03-05 15:25:24.000000000 -0500 +@@ -14,142 +14,13 @@ + userdom_unpriv_user_template(user) + + optional_policy(` +- apache_role(user_r, user_t) ++ kerneloops_dontaudit_dbus_chat(user_t) ') optional_policy(` -- su_role_template(auditadm, auditadm_r, auditadm_t) +- auth_role(user_r, user_t) ++ rpm_dontaudit_dbus_chat(user_t) + ') + + optional_policy(` +- bluetooth_role(user_r, user_t) -') - -optional_policy(` -- sudo_role_template(auditadm, auditadm_r, auditadm_t) +- cdrecord_role(user_r, user_t) -') - -optional_policy(` - sysadm_role_change(auditadm_r) - ') - +- 
cron_role(user_r, user_t) +-') +- -optional_policy(` -- thunderbird_role(auditadm_r, auditadm_t) +- dbus_role_template(user, user_r, user_t) -') - -optional_policy(` -- tvtime_role(auditadm_r, auditadm_t) +- ethereal_role(user_r, user_t) -') - -optional_policy(` -- userhelper_role_template(auditadm, auditadm_r, auditadm_t) +- evolution_role(user_r, user_t) -') - -optional_policy(` -- vmware_role(auditadm_r, auditadm_t) +- games_role(user_r, user_t) -') - -optional_policy(` -- wireshark_role(auditadm_r, auditadm_t) +- gift_role(user_r, user_t) -') - -optional_policy(` -- uml_role(auditadm_r, auditadm_t) +- gnome_role(user_r, user_t) -') - -optional_policy(` -- xserver_role(auditadm_r, auditadm_t) --') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.6.7/policy/modules/roles/guest.fc ---- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/guest.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1 @@ -+# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.6.7/policy/modules/roles/guest.if ---- nsaserefpolicy/policy/modules/roles/guest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/guest.if 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,50 @@ -+## Least privledge terminal user role -+ -+######################################## -+## -+## Change to the guest role. -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`guest_role_change',` -+ gen_require(` -+ role guest_r; -+ ') -+ -+ allow $1 guest_r; -+') -+ -+######################################## -+## -+## Change from the guest role. -+## -+## -+##

-+## Change from the guest role to -+## the specified role. -+##

-+##

-+## This is an interface to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
-+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`guest_role_change_to',` -+ gen_require(` -+ role guest_r; -+ ') -+ -+ allow guest_r $1; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.7/policy/modules/roles/guest.te ---- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/guest.te 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,26 @@ -+ -+policy_module(guest, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+role xguest_r; -+ -+userdom_restricted_user_template(guest) -+ -+######################################## -+# -+# Local policy -+# -+ -+optional_policy(` -+ java_role_template(guest, guest_r, guest_t) -+') -+ -+optional_policy(` -+ mono_role_template(guest, guest_r, guest_t) -+') -+ -+gen_user(guest_u, user, guest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.6.7/policy/modules/roles/logadm.fc ---- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/logadm.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1 @@ -+# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.6.7/policy/modules/roles/logadm.if ---- nsaserefpolicy/policy/modules/roles/logadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/logadm.if 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,50 @@ -+## Log administrator role -+ -+######################################## -+## -+## Change to the log administrator role. -+## -+## -+## -+## Role allowed access. 
-+## -+## -+## -+# -+interface(`logadm_role_change',` -+ gen_require(` -+ role logadm_r; -+ ') -+ -+ allow $1 logadm_r; -+') -+ -+######################################## -+## -+## Change from the log administrator role. -+## -+## -+##

-+## Change from the log administrator role to -+## the specified role. -+##

-+##

-+## This is an interface to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
-+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`logadm_role_change_to',` -+ gen_require(` -+ role logadm_r; -+ ') -+ -+ allow logadm_r $1; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.6.7/policy/modules/roles/logadm.te ---- nsaserefpolicy/policy/modules/roles/logadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/logadm.te 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,20 @@ -+ -+policy_module(logadm, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+role logadm_r; -+ -+userdom_base_user_template(logadm) -+ -+######################################## -+# -+# logadmin local policy -+# -+ -+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; -+ -+logging_admin(logadm_t, logadm_r) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.6.7/policy/modules/roles/secadm.te ---- nsaserefpolicy/policy/modules/roles/secadm.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/secadm.te 2009-03-03 17:11:59.000000000 -0500 -@@ -45,154 +45,18 @@ - ') - - optional_policy(` -- apache_role(secadm_r, secadm_t) --') -- --optional_policy(` - auditadm_role_change(secadm_r) - ') - - optional_policy(` -- bluetooth_role(secadm_r, secadm_t) --') -- --optional_policy(` -- cdrecord_role(secadm_r, secadm_t) --') -- --optional_policy(` -- cron_role(secadm_r, secadm_t) --') -- --optional_policy(` -- dbus_role_template(secadm, secadm_r, secadm_t) --') -- --optional_policy(` - dmesg_exec(secadm_t) - ') - - optional_policy(` -- ethereal_role(secadm_r, secadm_t) --') -- --optional_policy(` -- evolution_role(secadm_r, secadm_t) --') -- --optional_policy(` -- games_role(secadm_r, secadm_t) --') -- --optional_policy(` -- gift_role(secadm_r, secadm_t) --') -- --optional_policy(` -- 
gnome_role(secadm_r, secadm_t) --') -- --optional_policy(` -- gpg_role(secadm_r, secadm_t) --') -- --optional_policy(` -- irc_role(secadm_r, secadm_t) --') -- --optional_policy(` -- java_role(secadm_r, secadm_t) --') -- --optional_policy(` -- lockdev_role(secadm_r, secadm_t) --') -- --optional_policy(` -- lpd_role(secadm_r, secadm_t) --') -- --optional_policy(` -- mozilla_role(secadm_r, secadm_t) --') -- --optional_policy(` -- mplayer_role(secadm_r, secadm_t) --') -- --optional_policy(` -- mta_role(secadm_r, secadm_t) --') -- --optional_policy(` - netlabel_run_mgmt(secadm_t, secadm_r) - ') - - optional_policy(` -- oident_manage_user_content(secadm_t) -- oident_relabel_user_content(secadm_t) --') -- --optional_policy(` -- pyzor_role(secadm_r, secadm_t) --') -- --optional_policy(` -- razor_role(secadm_r, secadm_t) +- gpg_role(user_r, user_t) -') - -optional_policy(` -- rssh_role(secadm_r, secadm_t) --') -- --optional_policy(` -- screen_role_template(secadm, secadm_r, secadm_t) --') -- --optional_policy(` -- spamassassin_role(secadm_r, secadm_t) --') -- --optional_policy(` -- ssh_role_template(secadm, secadm_r, secadm_t) --') -- --optional_policy(` -- su_role_template(secadm, secadm_r, secadm_t) +- irc_role(user_r, user_t) -') - -optional_policy(` -- sudo_role_template(secadm, secadm_r, secadm_t) +- java_role(user_r, user_t) -') - -optional_policy(` - sysadm_role_change(secadm_r) - ') - --optional_policy(` -- thunderbird_role(secadm_r, secadm_t) +- lockdev_role(user_r, user_t) -') - -optional_policy(` -- tvtime_role(secadm_r, secadm_t) +- lpd_role(user_r, user_t) -') - -optional_policy(` -- uml_role(secadm_r, secadm_t) +- mozilla_role(user_r, user_t) -') - -optional_policy(` -- userhelper_role_template(secadm, secadm_r, secadm_t) +- mplayer_role(user_r, user_t) -') - -optional_policy(` -- vmware_role(secadm_r, secadm_t) +- mta_role(user_r, user_t) -') - -optional_policy(` -- wireshark_role(secadm_r, secadm_t) +- oident_manage_user_content(user_t) +- 
oident_relabel_user_content(user_t) -') - -optional_policy(` -- xserver_role(secadm_r, secadm_t) --') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.7/policy/modules/roles/staff.te ---- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/staff.te 2009-03-03 17:11:59.000000000 -0500 -@@ -15,156 +15,88 @@ - # Local policy - # - --optional_policy(` -- apache_role(staff_r, staff_t) +- pyzor_role(user_r, user_t) -') - -optional_policy(` -- auth_role(staff_r, staff_t) +- razor_role(user_r, user_t) -') - -optional_policy(` -- auditadm_role_change(staff_r) +- rssh_role(user_r, user_t) -') - -optional_policy(` -- bluetooth_role(staff_r, staff_t) +- screen_role_template(user, user_r, user_t) -') - -optional_policy(` -- cdrecord_role(staff_r, staff_t) +- spamassassin_role(user_r, user_t) -') - -optional_policy(` -- cron_role(staff_r, staff_t) +- ssh_role_template(user, user_r, user_t) -') - -optional_policy(` -- dbus_role_template(staff, staff_r, staff_t) +- su_role_template(user, user_r, user_t) -') - -optional_policy(` -- ethereal_role(staff_r, staff_t) +- sudo_role_template(user, user_r, user_t) -') - -optional_policy(` -- evolution_role(staff_r, staff_t) +- thunderbird_role(user_r, user_t) -') - -optional_policy(` -- games_role(staff_r, staff_t) +- tvtime_role(user_r, user_t) -') - -optional_policy(` -- gift_role(staff_r, staff_t) +- uml_role(user_r, user_t) -') - -optional_policy(` -- gnome_role(staff_r, staff_t) +- userhelper_role_template(user, user_r, user_t) -') - -optional_policy(` -- gpg_role(staff_r, staff_t) +- vmware_role(user_r, user_t) -') - -optional_policy(` -- irc_role(staff_r, staff_t) +- wireshark_role(user_r, user_t) -') - -optional_policy(` -- java_role(staff_r, staff_t) --') -+kernel_read_ring_buffer(staff_t) -+kernel_getattr_core_if(staff_t) -+kernel_getattr_message_if(staff_t) 
-+kernel_read_software_raid_state(staff_t) - --optional_policy(` -- lockdev_role(staff_r, staff_t) --') -+auth_domtrans_pam_console(staff_t) - --optional_policy(` -- lpd_role(staff_r, staff_t) --') -+libs_manage_shared_libs(staff_t) - --optional_policy(` -- mozilla_role(staff_r, staff_t) --') -+seutil_run_newrole(staff_t, staff_r) -+netutils_run_ping(staff_t, staff_r) - - optional_policy(` -- mplayer_role(staff_r, staff_t) -+ sudo_role_template(staff, staff_r, staff_t) - ') - - optional_policy(` -- mta_role(staff_r, staff_t) -+ auditadm_role_change(staff_r) - ') - - optional_policy(` -- oident_manage_user_content(staff_t) -- oident_relabel_user_content(staff_t) -+ kerneloops_manage_tmp_files(staff_t) - ') - - optional_policy(` -- pyzor_role(staff_r, staff_t) -+ logadm_role_change(staff_r) - ') - - optional_policy(` -- razor_role(staff_r, staff_t) -+ secadm_role_change(staff_r) - ') - - optional_policy(` -- rssh_role(staff_r, staff_t) -+ ssh_role_template(staff, staff_r, staff_t) - ') - - optional_policy(` -- screen_role_template(staff, staff_r, staff_t) -+ sysadm_role_change(staff_r) - ') - - optional_policy(` -- secadm_role_change(staff_r) -+ usernetctl_run(staff_t, staff_r) - ') - - optional_policy(` -- spamassassin_role(staff_r, staff_t) -+ unconfined_role_change(staff_r) - ') - - optional_policy(` -- ssh_role_template(staff, staff_r, staff_t) -+ webadm_role_change(staff_r) - ') - --optional_policy(` -- su_role_template(staff, staff_r, staff_t) --') -+domain_read_all_domains_state(staff_t) -+domain_getattr_all_domains(staff_t) -+domain_obj_id_change_exemption(staff_t) - --optional_policy(` -- sudo_role_template(staff, staff_r, staff_t) --') -+files_read_kernel_modules(staff_t) - --optional_policy(` -- sysadm_role_change(staff_r) -- userdom_dontaudit_use_user_terminals(staff_t) --') -+kernel_read_fs_sysctls(staff_t) - --optional_policy(` -- thunderbird_role(staff_r, staff_t) --') -+modutils_read_module_config(staff_t) -+modutils_read_module_deps(staff_t) - 
--optional_policy(` -- tvtime_role(staff_r, staff_t) --') -+miscfiles_read_hwdata(staff_t) - - optional_policy(` -- uml_role(staff_r, staff_t) -+ gnomeclock_dbus_chat(staff_t) - ') - - optional_policy(` -- userhelper_role_template(staff, staff_r, staff_t) -+ kerneloops_dbus_chat(staff_t) - ') - - optional_policy(` -- vmware_role(staff_r, staff_t) -+ rpm_dbus_chat(staff_usertype) - ') - - optional_policy(` -- wireshark_role(staff_r, staff_t) -+ setroubleshoot_stream_connect(staff_t) -+ setroubleshoot_dbus_chat(staff_t) - ') - - optional_policy(` -- xserver_role(staff_r, staff_t) -+ virt_stream_connect(staff_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.7/policy/modules/roles/sysadm.if ---- nsaserefpolicy/policy/modules/roles/sysadm.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/sysadm.if 2009-03-03 17:11:59.000000000 -0500 -@@ -116,41 +116,6 @@ - - ######################################## - ## --## Allow sysadm to execute all entrypoint files in --## a specified domain. This is an explicit transition, --## requiring the caller to use setexeccon(). --## --## --##

--## Allow sysadm to execute all entrypoint files in --## a specified domain. This is an explicit transition, --## requiring the caller to use setexeccon(). --##

--##

--## This is a interface to support third party modules --## and its use is not allowed in upstream reference --## policy. --##

--##
--## --## --## Domain allowed access. --## --## --# --interface(`sysadm_entry_spec_domtrans_to',` -- gen_require(` -- type sysadm_t; -- ') -- -- domain_entry_file_spec_domtrans(sysadm_t, $1) -- allow $1 sysadm_t:fd use; -- allow $1 sysadm_t:fifo_file rw_file_perms; -- allow $1 sysadm_t:process sigchld; --') -- --######################################## --## - ## Allow sysadm to execute a generic bin program in - ## a specified domain. This is an explicit transition, - ## requiring the caller to use setexeccon(). -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.7/policy/modules/roles/sysadm.te ---- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/sysadm.te 2009-03-03 17:11:59.000000000 -0500 -@@ -15,7 +15,7 @@ - - role sysadm_r; - --userdom_admin_user_template(sysadm) -+userdom_admin_login_user_template(sysadm) - - ifndef(`enable_mls',` - userdom_security_admin_template(sysadm_t, sysadm_r) -@@ -70,7 +70,6 @@ - apache_run_helper(sysadm_t, sysadm_r) - #apache_run_all_scripts(sysadm_t, sysadm_r) - #apache_domtrans_sys_script(sysadm_t) -- apache_role(sysadm_r, sysadm_t) - ') - - optional_policy(` -@@ -87,10 +86,6 @@ - ') - - optional_policy(` -- auth_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - backup_run(sysadm_t, sysadm_r) - ') - -@@ -99,18 +94,10 @@ - ') - - optional_policy(` -- bluetooth_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - bootloader_run(sysadm_t, sysadm_r) - ') - - optional_policy(` -- cdrecord_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - certwatch_run(sysadm_t, sysadm_r) - ') - -@@ -127,18 +114,10 @@ - ') - - optional_policy(` -- cron_admin_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - cvs_exec(sysadm_t) - ') - - optional_policy(` -- dbus_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` - dcc_run_cdcc(sysadm_t, sysadm_r) - 
dcc_run_client(sysadm_t, sysadm_r) - dcc_run_dbclean(sysadm_t, sysadm_r) -@@ -166,10 +145,6 @@ - ') - - optional_policy(` -- evolution_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - firstboot_run(sysadm_t, sysadm_r) - ') - -@@ -178,22 +153,6 @@ - ') - - optional_policy(` -- games_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- gift_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- gnome_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- gpg_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - hostname_run(sysadm_t, sysadm_r) - ') - -@@ -212,11 +171,7 @@ - ') - - optional_policy(` -- irc_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- java_role(sysadm_r, sysadm_t) -+ kerberos_exec_kadmind(sysadm_t) - ') - - optional_policy(` -@@ -228,10 +183,6 @@ - ') - - optional_policy(` -- lockdev_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - logrotate_run(sysadm_t, sysadm_r) - ') - -@@ -255,14 +206,6 @@ - ') - - optional_policy(` -- mozilla_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- mplayer_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - mta_role(sysadm_r, sysadm_t) - ') - -@@ -290,11 +233,6 @@ - ') - - optional_policy(` -- oident_manage_user_content(sysadm_t) -- oident_relabel_user_content(sysadm_t) --') -- --optional_policy(` - pcmcia_run_cardctl(sysadm_t, sysadm_r) - ') - -@@ -308,10 +246,6 @@ - ') - - optional_policy(` -- pyzor_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - quota_run(sysadm_t, sysadm_r) - ') - -@@ -320,22 +254,10 @@ - ') - - optional_policy(` -- razor_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - rpc_domtrans_nfsd(sysadm_t) - ') - - optional_policy(` -- rpm_run(sysadm_t, sysadm_r) --') -- --optional_policy(` -- rssh_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - rsync_exec(sysadm_t) - ') - -@@ -345,10 +267,6 @@ - ') - - optional_policy(` -- screen_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` - secadm_role_change(sysadm_r) - ') - -@@ -358,35 
+276,15 @@ - ') - - optional_policy(` -- spamassassin_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- ssh_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` - staff_role_change(sysadm_r) - ') - - optional_policy(` -- su_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` -- sudo_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` - sysnet_run_ifconfig(sysadm_t, sysadm_r) - sysnet_run_dhcpc(sysadm_t, sysadm_r) - ') - - optional_policy(` -- thunderbird_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - tripwire_run_siggen(sysadm_t, sysadm_r) - tripwire_run_tripwire(sysadm_t, sysadm_r) - tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -394,18 +292,10 @@ - ') - - optional_policy(` -- tvtime_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - tzdata_domtrans(sysadm_t) - ') - - optional_policy(` -- uml_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - unconfined_domtrans(sysadm_t) - ') - -@@ -418,20 +308,12 @@ - ') - - optional_policy(` -- userhelper_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` - usermanage_run_admin_passwd(sysadm_t, sysadm_r) - usermanage_run_groupadd(sysadm_t, sysadm_r) - usermanage_run_useradd(sysadm_t, sysadm_r) - ') - - optional_policy(` -- vmware_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - vpn_run(sysadm_t, sysadm_r) - ') - -@@ -440,13 +322,5 @@ - ') - - optional_policy(` -- wireshark_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- xserver_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - yam_run(sysadm_t, sysadm_r) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.7/policy/modules/roles/unprivuser.te ---- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/unprivuser.te 2009-03-03 17:11:59.000000000 -0500 -@@ -14,142 +14,13 @@ - userdom_unpriv_user_template(user) - - 
optional_policy(` -- apache_role(user_r, user_t) -+ kerneloops_dontaudit_dbus_chat(user_t) - ') - - optional_policy(` -- auth_role(user_r, user_t) -+ rpm_dontaudit_dbus_chat(user_t) - ') - - optional_policy(` -- bluetooth_role(user_r, user_t) --') -- --optional_policy(` -- cdrecord_role(user_r, user_t) --') -- --optional_policy(` -- cron_role(user_r, user_t) --') -- --optional_policy(` -- dbus_role_template(user, user_r, user_t) --') -- --optional_policy(` -- ethereal_role(user_r, user_t) --') -- --optional_policy(` -- evolution_role(user_r, user_t) --') -- --optional_policy(` -- games_role(user_r, user_t) --') -- --optional_policy(` -- gift_role(user_r, user_t) --') -- --optional_policy(` -- gnome_role(user_r, user_t) --') -- --optional_policy(` -- gpg_role(user_r, user_t) --') -- --optional_policy(` -- irc_role(user_r, user_t) --') -- --optional_policy(` -- java_role(user_r, user_t) --') -- --optional_policy(` -- lockdev_role(user_r, user_t) --') -- --optional_policy(` -- lpd_role(user_r, user_t) --') -- --optional_policy(` -- mozilla_role(user_r, user_t) --') -- --optional_policy(` -- mplayer_role(user_r, user_t) --') -- --optional_policy(` -- mta_role(user_r, user_t) --') -- --optional_policy(` -- oident_manage_user_content(user_t) -- oident_relabel_user_content(user_t) --') -- --optional_policy(` -- pyzor_role(user_r, user_t) --') -- --optional_policy(` -- razor_role(user_r, user_t) --') -- --optional_policy(` -- rssh_role(user_r, user_t) --') -- --optional_policy(` -- screen_role_template(user, user_r, user_t) --') -- --optional_policy(` -- spamassassin_role(user_r, user_t) --') -- --optional_policy(` -- ssh_role_template(user, user_r, user_t) --') -- --optional_policy(` -- su_role_template(user, user_r, user_t) --') -- --optional_policy(` -- sudo_role_template(user, user_r, user_t) --') -- --optional_policy(` -- thunderbird_role(user_r, user_t) --') -- --optional_policy(` -- tvtime_role(user_r, user_t) --') -- --optional_policy(` -- uml_role(user_r, user_t) 
--') -- --optional_policy(` -- userhelper_role_template(user, user_r, user_t) --') -- --optional_policy(` -- vmware_role(user_r, user_t) --') -- --optional_policy(` -- wireshark_role(user_r, user_t) --') -- --optional_policy(` -- xserver_role(user_r, user_t) -+ setroubleshoot_dontaudit_stream_connect(user_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.6.7/policy/modules/roles/webadm.fc ---- nsaserefpolicy/policy/modules/roles/webadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/webadm.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1 @@ -+# No webadm file contexts. -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.6.7/policy/modules/roles/webadm.if ---- nsaserefpolicy/policy/modules/roles/webadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/webadm.if 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,50 @@ -+## Web administrator role -+ -+######################################## -+## -+## Change to the web administrator role. -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`webadm_role_change',` -+ gen_require(` -+ role webadm_r; -+ ') -+ -+ allow $1 webadm_r; -+') -+ -+######################################## -+## -+## Change from the web administrator role. -+## -+## -+##

-+## Change from the web administrator role to -+## the specified role. -+##

-+##

-+## This is an interface to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
-+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`webadm_role_change_to',` -+ gen_require(` -+ role webadm_r; -+ ') -+ -+ allow webadm_r $1; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.7/policy/modules/roles/webadm.te ---- nsaserefpolicy/policy/modules/roles/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/webadm.te 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,64 @@ -+ -+policy_module(webadm, 1.0.0) -+ -+## -+##

-+## Allow webadm to read files in users home directories -+##

-+##
-+gen_tunable(webadm_read_user_files, false) -+ -+## -+##

-+## Allow webadm to manage files in users home directories -+##

-+##
-+gen_tunable(webadm_manage_user_files, false) -+ -+######################################## -+# -+# Declarations -+# -+ -+role webadm_r; -+ -+userdom_base_user_template(webadm) -+ -+######################################## -+# -+# webadmin local policy -+# -+ -+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; -+ -+files_dontaudit_search_all_dirs(webadm_t) -+files_manage_generic_locks(webadm_t) -+files_list_var(webadm_t) -+ -+selinux_get_enforce_mode(webadm_t) -+seutil_domtrans_setfiles(webadm_t) -+ -+logging_send_syslog_msg(webadm_t) -+ -+userdom_dontaudit_search_user_home_dirs(webadm_t) -+ -+optional_policy(` -+ sysadm_role_change(webadm_r) -+') -+ -+apache_admin(webadm_t, webadm_r) -+ -+optional_policy(` -+tunable_policy(`webadm_read_user_files',` -+ userdom_read_user_home_content_files(webadm_t) -+ userdom_read_user_tmp_files(webadm_t) -+') -+') -+ -+optional_policy(` -+tunable_policy(`webadm_manage_user_files',` -+ userdom_manage_user_home_content_files(webadm_t) -+ userdom_read_user_tmp_files(webadm_t) -+ userdom_write_user_tmp_files(webadm_t) -+') -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.6.7/policy/modules/roles/xguest.fc ---- nsaserefpolicy/policy/modules/roles/xguest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/xguest.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1 @@ -+# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.6.7/policy/modules/roles/xguest.if ---- nsaserefpolicy/policy/modules/roles/xguest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/xguest.if 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,50 @@ -+## Least privledge xwindows user role -+ -+######################################## -+## -+## Change to the xguest 
role. -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`xguest_role_change',` -+ gen_require(` -+ role xguest_r; -+ ') -+ -+ allow $1 xguest_r; -+') -+ -+######################################## -+## -+## Change from the xguest role. -+## -+## -+##

-+## Change from the xguest role to -+## the specified role. -+##

-+##

-+## This is an interface to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
-+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`xguest_role_change_to',` -+ gen_require(` -+ role xguest_r; -+ ') -+ -+ allow xguest_r $1; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.7/policy/modules/roles/xguest.te ---- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/roles/xguest.te 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,87 @@ -+ -+policy_module(xguest, 1.0.0) -+ -+## -+##

-+## Allow xguest users to mount removable media -+##

-+##
-+gen_tunable(xguest_mount_media, true) -+ -+## -+##

-+## Allow xguest to configure Network Manager -+##

-+##
-+gen_tunable(xguest_connect_network, true) -+ -+## -+##

-+## Allow xguest to use blue tooth devices -+##

-+##
-+gen_tunable(xguest_use_bluetooth, true) -+ -+######################################## -+# -+# Declarations -+# -+ -+role xguest_r; -+ -+userdom_restricted_xwindows_user_template(xguest) -+ -+######################################## -+# -+# Local policy -+# -+ -+optional_policy(` -+ mozilla_role(xguest_r, xguest_t) -+') -+ -+optional_policy(` -+ java_role_template(xguest, xguest_r, xguest_t) -+') -+ -+optional_policy(` -+ mono_role_template(xguest, xguest_r, xguest_t) -+') -+ -+optional_policy(` -+ nsplugin_role(xguest_r, xguest_t) -+') -+ -+# Allow mounting of file systems -+optional_policy(` -+ tunable_policy(`xguest_mount_media',` -+ hal_dbus_chat(xguest_t) -+ init_read_utmp(xguest_t) -+ auth_list_pam_console_data(xguest_t) -+ kernel_read_fs_sysctls(xguest_t) -+ files_dontaudit_getattr_boot_dirs(xguest_t) -+ files_search_mnt(xguest_t) -+ fs_manage_noxattr_fs_files(xguest_t) -+ fs_manage_noxattr_fs_dirs(xguest_t) -+ fs_manage_noxattr_fs_dirs(xguest_t) -+ fs_getattr_noxattr_fs(xguest_t) -+ fs_read_noxattr_fs_symlinks(xguest_t) -+ ') -+') -+ -+optional_policy(` -+ hal_dbus_chat(xguest_t) -+') -+ -+optional_policy(` -+ tunable_policy(`xguest_connect_network',` -+ networkmanager_dbus_chat(xguest_t) -+ ') -+') -+ -+optional_policy(` -+ tunable_policy(`xguest_use_bluetooth',` -+ bluetooth_dbus_chat(xguest_t) -+ ') -+') -+gen_user(xguest_u, user, xguest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.7/policy/modules/services/afs.fc ---- nsaserefpolicy/policy/modules/services/afs.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/afs.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,3 +1,6 @@ -+/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_script_exec_t,s0) -+/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_script_exec_t,s0) -+ - /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) - 
/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) - /usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) -@@ -17,6 +20,13 @@ - - /usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0) - -+/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) -+ - /vicepa gen_context(system_u:object_r:afs_files_t,s0) - /vicepb gen_context(system_u:object_r:afs_files_t,s0) - /vicepc gen_context(system_u:object_r:afs_files_t,s0) -+ -+ -+/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) -+ -+/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.7/policy/modules/services/afs.if ---- nsaserefpolicy/policy/modules/services/afs.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/afs.if 2009-03-03 17:11:59.000000000 -0500 -@@ -1 +1,110 @@ - ## Andrew Filesystem server -+ -+######################################## -+## -+## Execute a domain transition to run afs. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`afs_domtrans',` -+ gen_require(` -+ type afs_t; -+ type afs_exec_t; -+ ') -+ -+ domtrans_pattern($1,afs_exec_t,afs_t) -+') -+ -+ -+######################################## -+## -+## Read and write afs UDP sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`afs_rw_udp_sockets',` -+ gen_require(` -+ type afs_t; -+ ') -+ -+ allow $1 afs_t:udp_socket { read write }; -+') -+ -+######################################## -+## -+## read/write afs cache files -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`afs_rw_cache',` -+ gen_require(` -+ type afs_cache_t; -+ ') -+ -+ allow $1 afs_cache_t:file {read write}; -+') -+ -+ -+######################################## -+## -+## Execute afs server in the afs domain. 
-+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`afs_script_domtrans',` -+ gen_require(` -+ type afs_script_exec_t; -+ ') -+ -+ init_script_domtrans_spec($1,afs_script_exec_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an afs environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the afs domain. -+## -+## -+## -+# -+interface(`afs_admin',` -+ gen_require(` -+ type afs_t; -+ type afs_script_exec_t; -+ ') -+ -+ allow $1 afs_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, afs_t, afs_t) -+ -+ # Allow afs_t to restart the apache service -+ afs_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 afs_script_exec_t system_r; -+ allow $2 system_r; -+ -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.7/policy/modules/services/afs.te ---- nsaserefpolicy/policy/modules/services/afs.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/afs.te 2009-03-03 17:11:59.000000000 -0500 -@@ -6,6 +6,16 @@ - # Declarations - # - -+type afs_t; -+type afs_exec_t; -+init_daemon_domain(afs_t, afs_exec_t) -+ -+type afs_script_exec_t; -+init_script_file(afs_script_exec_t) -+ -+type afs_cache_t; -+files_type(afs_cache_t) -+ - type afs_bosserver_t; - type afs_bosserver_exec_t; - init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t) -@@ -302,3 +312,46 @@ - sysnet_read_config(afs_vlserver_t) - - userdom_dontaudit_use_user_terminals(afs_vlserver_t) -+ -+######################################## -+# -+# afs local policy -+# -+ -+allow afs_t self:capability { sys_nice sys_tty_config }; -+allow afs_t self:process setsched; -+allow afs_t self:udp_socket create_socket_perms; -+allow afs_t self:fifo_file rw_file_perms; -+allow afs_t self:unix_stream_socket 
create_stream_socket_perms; -+ -+manage_files_pattern(afs_t,afs_cache_t,afs_cache_t) -+manage_dirs_pattern(afs_t,afs_cache_t,afs_cache_t) -+files_var_filetrans(afs_t,afs_cache_t,{file dir}) -+ -+files_mounton_mnt(afs_t) -+files_read_etc_files(afs_t) -+files_rw_etc_runtime_files(afs_t) -+ -+fs_getattr_xattr_fs(afs_t) -+fs_mount_nfs(afs_t) -+ -+kernel_rw_afs_state(afs_t) -+ -+# Init script handling -+domain_use_interactive_fds(afs_t) -+ -+corenet_all_recvfrom_unlabeled(afs_t) -+corenet_all_recvfrom_netlabel(afs_t) -+corenet_tcp_sendrecv_generic_if(afs_t) -+corenet_udp_sendrecv_generic_if(afs_t) -+corenet_tcp_sendrecv_generic_node(afs_t) -+corenet_udp_sendrecv_generic_node(afs_t) -+corenet_tcp_sendrecv_all_ports(afs_t) -+corenet_udp_sendrecv_all_ports(afs_t) -+corenet_udp_bind_generic_node(afs_t) -+ -+miscfiles_read_localization(afs_t) -+ -+logging_send_syslog_msg(afs_t) -+ -+permissive afs_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.7/policy/modules/services/apache.fc ---- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/apache.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,12 +1,13 @@ --HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) - - /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) - /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) - /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) --/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0) --/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/httpd(/.*)? 
gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) - /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) - /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) -+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) - /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) - - /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -22,6 +23,7 @@ - /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) - /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - -+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) - /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -@@ -32,12 +34,14 @@ - /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) - ') - -+/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - - /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -47,6 +51,7 @@ - - /var/lib/cacti/rra(/.*)? 
gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) - /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) - /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -50,8 +55,10 @@ - /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) - /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -+ - /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) - -+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) - /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -64,11 +71,26 @@ - /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) - /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) - /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) -+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) - - /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) - /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) - - /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - /var/www/perl(/.*)? 
gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+ -+#Bugzilla file context -+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) -+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) -+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0) -+#viewvc file context -+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) -+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -+ -+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) -+ -+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.7/policy/modules/services/apache.if ---- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/apache.if 2009-03-03 17:11:59.000000000 -0500 -@@ -13,21 +13,16 @@ - # - template(`apache_content_template',` - gen_require(` -- attribute httpdcontent; - attribute httpd_exec_scripts; - attribute httpd_script_exec_type; - type httpd_t, httpd_suexec_t, httpd_log_t; - ') -- # allow write access to public file transfer -- # services files. 
-- gen_tunable(allow_httpd_$1_script_anon_write, false) -- - #This type is for webpages -- type httpd_$1_content_t, httpdcontent; # customizable -+ type httpd_$1_content_t; - files_type(httpd_$1_content_t) - - # This type is used for .htaccess files -- type httpd_$1_htaccess_t; # customizable; -+ type httpd_$1_htaccess_t; - files_type(httpd_$1_htaccess_t) - - # Type that CGI scripts run as -@@ -42,20 +37,22 @@ - - # The following three are the only areas that - # scripts can read, read/write, or append to -- type httpd_$1_script_ro_t, httpdcontent; # customizable -- files_type(httpd_$1_script_ro_t) -+ typealias httpd_$1_content_t alias httpd_$1_script_ro_t; - -- type httpd_$1_script_rw_t, httpdcontent; # customizable -- files_type(httpd_$1_script_rw_t) -+ type httpd_$1_content_rw_t; -+ files_type(httpd_$1_content_rw_t) -+ typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t; - -- type httpd_$1_script_ra_t, httpdcontent; # customizable -- files_type(httpd_$1_script_ra_t) -+ type httpd_$1_content_ra_t; -+ files_type(httpd_$1_content_ra_t) -+ typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t; - -- allow httpd_t httpd_$1_htaccess_t:file read_file_perms; -+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) - - domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) - -- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; -+ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; -+ allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; - - allow httpd_$1_script_t self:fifo_file rw_file_perms; - allow httpd_$1_script_t self:unix_stream_socket connectto; -@@ -65,29 +62,27 @@ - dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; - - # Allow the script process to search the cgi directory, and users directory -- allow 
httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; -+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; -+ list_dirs_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) -+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) -+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) - - append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) - logging_search_logs(httpd_$1_script_t) - - can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) -- allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms; -+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - -- allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; -- read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- -- allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms; -- read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) -- -- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file }) -+ allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; -+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, 
httpd_$1_content_ra_t) -+ append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ -+ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) - - kernel_dontaudit_search_sysctl(httpd_$1_script_t) - kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -96,6 +91,7 @@ - dev_read_urand(httpd_$1_script_t) - - corecmd_exec_all_executables(httpd_$1_script_t) -+ application_exec_all(httpd_$1_script_t) - - files_exec_etc_files(httpd_$1_script_t) - files_read_etc_files(httpd_$1_script_t) -@@ -109,34 +105,21 @@ - - seutil_dontaudit_search_config(httpd_$1_script_t) - -- tunable_policy(`httpd_enable_cgi && httpd_unified',` -- allow httpd_$1_script_t httpdcontent:file entrypoint; -- -- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) -- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) -- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) -- can_exec(httpd_$1_script_t, httpdcontent) -- ') -- -- tunable_policy(`allow_httpd_$1_script_anon_write',` -- miscfiles_manage_public_files(httpd_$1_script_t) -- ') -- - # Allow the web server to run scripts and serve pages - tunable_policy(`httpd_builtin_scripting',` -- manage_dirs_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) -- rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, 
httpd_$1_script_rw_t) -- -- allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; -- read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) -- -- allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms; -- read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) -- read_lnk_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) -+ manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) -+ -+ allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; -+ read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) -+ -+ allow httpd_t httpd_$1_content_t:dir list_dir_perms; -+ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) -+ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - - allow httpd_t httpd_$1_content_t:dir list_dir_perms; - read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) -@@ -149,9 +132,13 @@ - # privileged users run the script: - domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) - -+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; -+ - # apache runs the script: - domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) - -+ allow httpd_t httpd_$1_script_exec_t:file read_file_perms; -+ - allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; - allow httpd_t 
httpd_$1_script_exec_t:dir list_dir_perms; - -@@ -175,50 +162,6 @@ - miscfiles_read_localization(httpd_$1_script_t) - ') - -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; -- allow httpd_$1_script_t self:udp_socket create_socket_perms; -- -- corenet_all_recvfrom_unlabeled(httpd_$1_script_t) -- corenet_all_recvfrom_netlabel(httpd_$1_script_t) -- corenet_tcp_sendrecv_generic_if(httpd_$1_script_t) -- corenet_udp_sendrecv_generic_if(httpd_$1_script_t) -- corenet_tcp_sendrecv_generic_node(httpd_$1_script_t) -- corenet_udp_sendrecv_generic_node(httpd_$1_script_t) -- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) -- corenet_udp_sendrecv_all_ports(httpd_$1_script_t) -- -- sysnet_read_config(httpd_$1_script_t) -- ') -- -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` -- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; -- allow httpd_$1_script_t self:udp_socket create_socket_perms; -- -- corenet_all_recvfrom_unlabeled(httpd_$1_script_t) -- corenet_all_recvfrom_netlabel(httpd_$1_script_t) -- corenet_tcp_sendrecv_generic_if(httpd_$1_script_t) -- corenet_udp_sendrecv_generic_if(httpd_$1_script_t) -- corenet_tcp_sendrecv_generic_node(httpd_$1_script_t) -- corenet_udp_sendrecv_generic_node(httpd_$1_script_t) -- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) -- corenet_udp_sendrecv_all_ports(httpd_$1_script_t) -- corenet_tcp_connect_all_ports(httpd_$1_script_t) -- corenet_sendrecv_all_client_packets(httpd_$1_script_t) -- -- sysnet_read_config(httpd_$1_script_t) -- ') -- -- optional_policy(` -- mta_send_mail(httpd_$1_script_t) -- ') -- -- optional_policy(` -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- mysql_tcp_connect(httpd_$1_script_t) -- ') -- ') -- - optional_policy(` - tunable_policy(`httpd_enable_cgi && allow_ypbind',` - nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -227,10 +170,6 @@ - - optional_policy(` - 
postgresql_unpriv_client(httpd_$1_script_t) -- -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- postgresql_tcp_connect(httpd_$1_script_t) -- ') - ') - - optional_policy(` -@@ -504,6 +443,47 @@ - ######################################## - ## - ## Allow the specified domain to read -+## apache tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_read_tmp',` -+ gen_require(` -+ type httpd_config_t; -+ ') -+ -+ files_search_tmp($1) -+ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) -+') -+ -+######################################## -+## -+## Dontaudit attempts ti write -+## apache tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_dontaudit_write_tmp',` -+ gen_require(` -+ type httpd_config_t; -+ ') -+ -+ dontaudit $1 httpd_tmp_t:file write; -+') -+ -+######################################## -+## -+## Allow the specified domain to read - ## apache configuration files. - ## - ## -@@ -579,7 +559,7 @@ - ## - ## - ## --## The role to be allowed the dmidecode domain. -+## The role to be allowed the http_helper domain. - ## - ## - ## -@@ -715,6 +695,7 @@ - ') - - allow $1 httpd_modules_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) - ') - - ######################################## -@@ -782,6 +763,32 @@ - - ######################################## - ## -+## Allow the specified domain to delete -+## apache system content rw files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr -+interface(`apache_delete_sys_content_rw',` -+ gen_require(` -+ type httpd_sys_content_rw_t; -+ ') -+ -+ files_search_tmp($1) -+ delete_dirs_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+ delete_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+ delete_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+ delete_fifo_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+ delete_sock_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) -+') -+ -+######################################## -+## - ## Execute all web scripts in the system - ## script domain. - ## -@@ -791,16 +798,18 @@ - ##
- ## - # --# cjp: this interface specifically added to allow --# sysadm_t to run scripts - interface(`apache_domtrans_sys_script',` - gen_require(` -- attribute httpdcontent; - type httpd_sys_script_t; -+ type httpd_sys_content_t; -+ ') -+ -+ tunable_policy(`httpd_enable_cgi',` -+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` -- domtrans_pattern($1, httpdcontent, httpd_sys_script_t) -+ domtrans_pattern($1, httpd_sys_content_t, httpd_sys_script_t) - ') - ') - -@@ -859,6 +868,8 @@ - ##
- ## - # -+# cjp: this is missing the terminal since scripts -+# do not output to the terminal - interface(`apache_run_all_scripts',` - gen_require(` - attribute httpd_exec_scripts, httpd_script_domains; -@@ -884,7 +895,7 @@ - type httpd_squirrelmail_t; - ') - -- allow $1 httpd_squirrelmail_t:file read_file_perms; -+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) - ') - - ######################################## -@@ -1040,3 +1051,160 @@ - - allow httpd_t $1:process signal; - ') -+ -+######################################## -+## -+## Allow the specified domain to search -+## apache bugzilla directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`apache_search_bugzilla_dirs',` -+ gen_require(` -+ type httpd_bugzilla_content_t; -+ ') -+ -+ allow $1 httpd_bugzilla_content_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read and write Apache -+## bugzill script unix domain stream sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',` -+ gen_require(` -+ type httpd_bugzilla_script_t; -+ ') -+ -+ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; -+') -+ -+######################################## -+## -+## All of the rules required to administrate an apache environment -+## -+## -+## -+## Prefix of the domain. Example, user would be -+## the prefix for the uder_t domain. -+## -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the apache domain. 
-+## -+## -+## -+# -+interface(`apache_admin',` -+ -+ gen_require(` -+ type httpd_t, httpd_initrc_exec_t, httpd_config_t; -+ type httpd_log_t, httpd_modules_t, httpd_lock_t; -+ type httpd_var_run_t; -+ attribute httpdcontent; -+ attribute httpd_script_exec_type; -+ type httpd_bool_t; -+ type httpd_php_tmp_t; -+ type httpd_suexec_tmp_t; -+ type httpd_tmp_t; -+ -+ ') -+ -+ allow $1 httpd_t:process { getattr ptrace signal_perms }; -+ ps_process_pattern($1, httpd_t) -+ -+ init_labeled_script_domtrans($1, httpd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 httpd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ apache_manage_all_content($1) -+ miscfiles_manage_public_files($1) -+ -+ files_search_etc($1) -+ admin_pattern($1, httpd_config_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, httpd_log_t) -+ -+ admin_pattern($1, httpd_modules_t) -+ -+ admin_pattern($1, httpd_lock_t) -+ files_lock_filetrans($1, httpd_lock_t, file) -+ -+ admin_pattern($1, httpd_var_run_t) -+ files_pid_filetrans($1, httpd_var_run_t, file) -+ -+ kernel_search_proc($1) -+ allow $1 httpd_t:dir list_dir_perms; -+ ps_process_pattern($1, httpd_t) -+ read_lnk_files_pattern($1, httpd_t, httpd_t) -+ -+ admin_pattern($1, httpdcontent) -+ admin_pattern($1, httpd_script_exec_type) -+ -+ seutil_domtrans_setfiles($1) -+ -+ admin_pattern($1, httpd_tmp_t) -+ admin_pattern($1, httpd_php_tmp_t) -+ admin_pattern($1, httpd_suexec_tmp_t) -+ files_tmp_filetrans($1, httpd_tmp_t, { file dir }) -+ -+ifdef(`TODO',` -+ apache_set_booleans($1, $2, $3, httpd_bool_t ) -+ seutil_setsebool_role_template($1, $3, $2) -+ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; -+ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; -+') -+') +- xserver_role(user_r, user_t) ++ setroubleshoot_dontaudit_stream_connect(user_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.6.8/policy/modules/roles/webadm.fc +--- 
nsaserefpolicy/policy/modules/roles/webadm.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/webadm.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1 @@ ++# No webadm file contexts. +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.6.8/policy/modules/roles/webadm.if +--- nsaserefpolicy/policy/modules/roles/webadm.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/webadm.if 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,50 @@ ++## Web administrator role + +######################################## +## -+## Mark content as being readable by standard apache processes ++## Change to the web administrator role. +## -+## ++## +## -+## Domain allowed access. ++## Role allowed access. +## +## ++## +# -+template(`apache_ro_content',` ++interface(`webadm_role_change',` + gen_require(` -+ attribute httpd_ro_content; ++ role webadm_r; + ') -+ typeattribute $1 httpd_ro_content; ++ ++ allow $1 webadm_r; +') + +######################################## +## -+## Mark content as being read/write by standard apache processes ++## Change from the web administrator role. +## -+## ++## ++##

++## Change from the web administrator role to ++## the specified role. ++##

++##

++## This is an interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

++##
++## +## -+## Domain allowed access. ++## Role allowed access. +## +## ++## +# -+template(`apache_rw_content',` ++interface(`webadm_role_change_to',` + gen_require(` -+ attribute httpd_rw_content; ++ role webadm_r; + ') -+ typeattribute $1 httpd_rw_content; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.7/policy/modules/services/apache.te ---- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/apache.te 2009-03-03 17:11:59.000000000 -0500 -@@ -19,6 +19,8 @@ - # Declarations - # - -+selinux_genbool(httpd_bool_t) -+ - ## - ##

- ## Allow Apache to modify public files -@@ -30,10 +32,17 @@ - - ## - ##

--## Allow Apache to use mod_auth_pam -+## Allow httpd scripts and modules execmem/execstack - ##

- ##
--gen_tunable(allow_httpd_mod_auth_pam, false) -+gen_tunable(httpd_execmem, false) + -+## -+##

-+## Allow Apache to communicate with avahi service via dbus -+##

-+##
-+gen_tunable(httpd_dbus_avahi, false) - - ## - ##

-@@ -44,6 +53,13 @@ - - ## - ##

-+## Allow http daemon to send mail -+##

-+##
-+gen_tunable(httpd_can_sendmail, false) ++ allow webadm_r $1; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.8/policy/modules/roles/webadm.te +--- nsaserefpolicy/policy/modules/roles/webadm.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/webadm.te 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,64 @@ + -+## -+##

- ## Allow HTTPD scripts and modules to connect to the network using TCP. - ##

- ##
-@@ -108,6 +124,29 @@ - ## - gen_tunable(httpd_unified, false) - -+## -+##

-+## Allow httpd to access nfs file systems -+##

-+##
-+gen_tunable(httpd_use_nfs, false) ++policy_module(webadm, 1.0.0) + +## +##

-+## Allow httpd to access cifs file systems ++## Allow webadm to read files in users home directories +##

+##
-+gen_tunable(httpd_use_cifs, false) ++gen_tunable(webadm_read_user_files, false) + +## +##

-+## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t. ++## Allow webadm to manage files in users home directories +##

+##
-+gen_tunable(allow_httpd_sys_script_anon_write, false) -+ -+attribute httpd_ro_content; -+attribute httpd_rw_content; - attribute httpdcontent; - attribute httpd_user_content_type; - -@@ -140,6 +179,9 @@ - domain_entry_file(httpd_helper_t, httpd_helper_exec_t) - role system_r types httpd_helper_t; - -+type httpd_initrc_exec_t; -+init_script_file(httpd_initrc_exec_t) -+ - type httpd_lock_t; - files_lock_file(httpd_lock_t) - -@@ -180,6 +222,10 @@ - # setup the system domain for system CGI scripts - apache_content_template(sys) - -+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable -+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable -+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable -+ - type httpd_tmp_t; - files_tmp_file(httpd_tmp_t) - -@@ -187,15 +233,20 @@ - files_tmpfs_file(httpd_tmpfs_t) - - apache_content_template(user) -+ - ubac_constrained(httpd_user_script_t) -+typeattribute httpd_user_content_t httpdcontent; -+typeattribute httpd_user_content_rw_t httpdcontent; -+typeattribute httpd_user_content_ra_t httpdcontent; -+ - userdom_user_home_content(httpd_user_content_t) - userdom_user_home_content(httpd_user_htaccess_t) - userdom_user_home_content(httpd_user_script_exec_t) --userdom_user_home_content(httpd_user_script_ra_t) --userdom_user_home_content(httpd_user_script_ro_t) --userdom_user_home_content(httpd_user_script_rw_t) -+userdom_user_home_content(httpd_user_content_ra_t) -+userdom_user_home_content(httpd_user_content_rw_t) - typeattribute httpd_user_script_t httpd_script_domains; - typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; -+typealias httpd_user_content_t alias httpd_unconfined_content_t; - typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; - typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; - typealias httpd_user_htaccess_t alias { 
httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; -@@ -230,7 +281,7 @@ - # Apache server local policy - # - --allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config }; -+allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; - dontaudit httpd_t self:capability { net_admin sys_tty_config }; - allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow httpd_t self:fd use; -@@ -272,6 +323,7 @@ - allow httpd_t httpd_modules_t:dir list_dir_perms; - mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) -+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - - apache_domtrans_rotatelogs(httpd_t) - # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -283,9 +335,9 @@ - - allow httpd_t httpd_suexec_exec_t:file read_file_perms; - --allow httpd_t httpd_sys_content_t:dir list_dir_perms; --read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) --read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) -+allow httpd_t httpd_ro_content:dir list_dir_perms; -+read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content) -+read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content) - - manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) - manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -301,6 +353,7 @@ - manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) - files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) - -+setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) - manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) - manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) - files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) -@@ -312,6 +365,7 @@ - kernel_read_kernel_sysctls(httpd_t) - # for modules that want to access 
/proc/meminfo - kernel_read_system_state(httpd_t) -+kernel_search_network_sysctl(httpd_t) - - corenet_all_recvfrom_unlabeled(httpd_t) - corenet_all_recvfrom_netlabel(httpd_t) -@@ -322,6 +376,7 @@ - corenet_tcp_sendrecv_all_ports(httpd_t) - corenet_udp_sendrecv_all_ports(httpd_t) - corenet_tcp_bind_generic_node(httpd_t) -+corenet_udp_bind_generic_node(httpd_t) - corenet_tcp_bind_http_port(httpd_t) - corenet_tcp_bind_http_cache_port(httpd_t) - corenet_sendrecv_http_server_packets(httpd_t) -@@ -335,12 +390,12 @@ - - fs_getattr_all_fs(httpd_t) - fs_search_auto_mountpoints(httpd_t) -+fs_list_inotifyfs(httpd_t) -+fs_read_iso9660_files(httpd_t) - - auth_use_nsswitch(httpd_t) - --# execute perl --corecmd_exec_bin(httpd_t) --corecmd_exec_shell(httpd_t) -+application_exec_all(httpd_t) - - domain_use_interactive_fds(httpd_t) - -@@ -358,6 +413,10 @@ - files_read_var_lib_symlinks(httpd_t) - - fs_search_auto_mountpoints(httpd_sys_script_t) -+# php uploads a file to /tmp and then execs programs to acton them -+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) -+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) -+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file }) - - libs_read_lib_files(httpd_t) - -@@ -372,18 +431,33 @@ - - userdom_use_unpriv_users_fds(httpd_t) - --mta_send_mail(httpd_t) -- - tunable_policy(`allow_httpd_anon_write',` - miscfiles_manage_public_files(httpd_t) - ') - --ifdef(`TODO', ` - # - # We need optionals to be able to be within booleans to make this work - # ++gen_tunable(webadm_manage_user_files, false) ++ ++######################################## ++# ++# Declarations ++# ++ ++role webadm_r; ++ ++userdom_base_user_template(webadm) ++ ++######################################## ++# ++# webadmin local policy ++# ++ ++allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; ++ ++files_dontaudit_search_all_dirs(webadm_t) 
++files_manage_generic_locks(webadm_t) ++files_list_var(webadm_t) ++ ++selinux_get_enforce_mode(webadm_t) ++seutil_domtrans_setfiles(webadm_t) ++ ++logging_send_syslog_msg(webadm_t) ++ ++userdom_dontaudit_search_user_home_dirs(webadm_t) ++ ++optional_policy(` ++ sysadm_role_change(webadm_r) ++') ++ ++apache_admin(webadm_t, webadm_r) ++ ++optional_policy(` ++tunable_policy(`webadm_read_user_files',` ++ userdom_read_user_home_content_files(webadm_t) ++ userdom_read_user_tmp_files(webadm_t) ++') ++') ++ ++optional_policy(` ++tunable_policy(`webadm_manage_user_files',` ++ userdom_manage_user_home_content_files(webadm_t) ++ userdom_read_user_tmp_files(webadm_t) ++ userdom_write_user_tmp_files(webadm_t) ++') ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.6.8/policy/modules/roles/xguest.fc +--- nsaserefpolicy/policy/modules/roles/xguest.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/xguest.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1 @@ ++# file contexts handled by userdomain and genhomedircon +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.6.8/policy/modules/roles/xguest.if +--- nsaserefpolicy/policy/modules/roles/xguest.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/xguest.if 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,50 @@ ++## Least privledge xwindows user role ++ ++######################################## ++## ++## Change to the xguest role. ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`xguest_role_change',` ++ gen_require(` ++ role xguest_r; ++ ') ++ ++ allow $1 xguest_r; ++') ++ ++######################################## ++## ++## Change from the xguest role. ++## ++## ++##

++## Change from the xguest role to ++## the specified role. ++##

++##

++## This is an interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

++##
++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`xguest_role_change_to',` ++ gen_require(` ++ role xguest_r; ++ ') ++ ++ allow xguest_r $1; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.8/policy/modules/roles/xguest.te +--- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/roles/xguest.te 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,87 @@ ++ ++policy_module(xguest, 1.0.0) ++ +## +##

-+## Allow Apache to use mod_auth_pam ++## Allow xguest users to mount removable media +##

+##
-+gen_tunable(allow_httpd_mod_auth_pam, false) ++gen_tunable(xguest_mount_media, true) + - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) -+ auth_domtrans_chkpwd(httpd_t) -+') ++## ++##

++## Allow xguest to configure Network Manager ++##

++##
++gen_tunable(xguest_connect_network, true) + +## +##

-+## Allow Apache to use mod_auth_pam ++## Allow xguest to use blue tooth devices +##

+##
-+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) ++gen_tunable(xguest_use_bluetooth, true) ++ ++######################################## ++# ++# Declarations ++# ++ ++role xguest_r; ++ ++userdom_restricted_xwindows_user_template(xguest) ++ ++######################################## ++# ++# Local policy ++# ++ +optional_policy(` -+tunable_policy(`allow_httpd_mod_auth_pam',` -+ samba_domtrans_winbind_helper(httpd_t) - ') - ') - -@@ -391,20 +465,54 @@ - corenet_tcp_connect_all_ports(httpd_t) - ') - -+tunable_policy(`httpd_can_sendmail',` -+ # allow httpd to connect to mail servers -+ corenet_tcp_connect_smtp_port(httpd_t) -+ corenet_sendrecv_smtp_client_packets(httpd_t) -+ corenet_tcp_connect_pop_port(httpd_t) -+ corenet_sendrecv_pop_client_packets(httpd_t) -+ mta_send_mail(httpd_t) -+ mta_send_mail(httpd_sys_script_t) ++ mozilla_role(xguest_r, xguest_t) +') + - tunable_policy(`httpd_can_network_relay',` - # allow httpd to work as a relay - corenet_tcp_connect_gopher_port(httpd_t) - corenet_tcp_connect_ftp_port(httpd_t) - corenet_tcp_connect_http_port(httpd_t) - corenet_tcp_connect_http_cache_port(httpd_t) -+ corenet_tcp_connect_memcache_port(httpd_t) - corenet_sendrecv_gopher_client_packets(httpd_t) - corenet_sendrecv_ftp_client_packets(httpd_t) - corenet_sendrecv_http_client_packets(httpd_t) - corenet_sendrecv_http_cache_client_packets(httpd_t) - ') ++optional_policy(` ++ java_role_template(xguest, xguest_r, xguest_t) ++') ++ ++optional_policy(` ++ mono_role_template(xguest, xguest_r, xguest_t) ++') ++ ++optional_policy(` ++ nsplugin_role(xguest_r, xguest_t) ++') ++ ++# Allow mounting of file systems ++optional_policy(` ++ tunable_policy(`xguest_mount_media',` ++ hal_dbus_chat(xguest_t) ++ init_read_utmp(xguest_t) ++ auth_list_pam_console_data(xguest_t) ++ kernel_read_fs_sysctls(xguest_t) ++ files_dontaudit_getattr_boot_dirs(xguest_t) ++ files_search_mnt(xguest_t) ++ fs_manage_noxattr_fs_files(xguest_t) ++ fs_manage_noxattr_fs_dirs(xguest_t) ++ 
fs_manage_noxattr_fs_dirs(xguest_t) ++ fs_getattr_noxattr_fs(xguest_t) ++ fs_read_noxattr_fs_symlinks(xguest_t) ++ ') ++') ++ ++optional_policy(` ++ hal_dbus_chat(xguest_t) ++') ++ ++optional_policy(` ++ tunable_policy(`xguest_connect_network',` ++ networkmanager_dbus_chat(xguest_t) ++ ') ++') ++ ++optional_policy(` ++ tunable_policy(`xguest_use_bluetooth',` ++ bluetooth_dbus_chat(xguest_t) ++ ') ++') ++gen_user(xguest_u, user, xguest_r, s0, s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.8/policy/modules/services/afs.fc +--- nsaserefpolicy/policy/modules/services/afs.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/afs.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,3 +1,6 @@ ++/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_script_exec_t,s0) ++/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_script_exec_t,s0) ++ + /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) + /usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) + /usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) +@@ -17,6 +20,13 @@ -+tunable_policy(`httpd_enable_cgi && httpd_unified',` -+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; -+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) -+ can_exec(httpd_sys_script_t, httpd_sys_content_t) + /usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0) + ++/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) ++ + /vicepa gen_context(system_u:object_r:afs_files_t,s0) + /vicepb gen_context(system_u:object_r:afs_files_t,s0) + /vicepc gen_context(system_u:object_r:afs_files_t,s0) ++ ++ ++/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) ++ ++/var/cache/afs(/.*)? 
gen_context(system_u:object_r:afs_cache_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.6.8/policy/modules/services/afs.if +--- nsaserefpolicy/policy/modules/services/afs.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/afs.if 2009-03-05 15:25:24.000000000 -0500 +@@ -1 +1,110 @@ + ## Andrew Filesystem server ++ ++######################################## ++## ++## Execute a domain transition to run afs. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`afs_domtrans',` ++ gen_require(` ++ type afs_t; ++ type afs_exec_t; ++ ') ++ ++ domtrans_pattern($1,afs_exec_t,afs_t) +') + -+tunable_policy(`allow_httpd_sys_script_anon_write',` -+ miscfiles_manage_public_files(httpd_sys_script_t) -+') + -+tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -+ fs_nfs_domtrans(httpd_t, httpd_sys_script_t) -+') ++######################################## ++## ++## Read and write afs UDP sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`afs_rw_udp_sockets',` ++ gen_require(` ++ type afs_t; ++ ') + -+tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` -+ fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ++ allow $1 afs_t:udp_socket { read write }; +') + ++######################################## ++## ++## read/write afs cache files ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`afs_rw_cache',` ++ gen_require(` ++ type afs_cache_t; ++ ') + - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` -- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -+ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) -+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) -+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) -+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) -+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) - - manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) - manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -415,20 +523,28 @@ - corenet_tcp_bind_ftp_port(httpd_t) - ') - --tunable_policy(`httpd_enable_homedirs',` -- userdom_read_user_home_content_files(httpd_t) --') -- - tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(httpd_t) - fs_read_nfs_symlinks(httpd_t) - ') - -+tunable_policy(`httpd_use_nfs',` -+ fs_manage_nfs_dirs(httpd_t) -+ fs_manage_nfs_files(httpd_t) -+ fs_manage_nfs_symlinks(httpd_t) ++ allow $1 afs_cache_t:file {read write}; +') + - tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_t) - fs_read_cifs_symlinks(httpd_t) - ') - -+tunable_policy(`httpd_use_cifs',` -+ fs_manage_cifs_dirs(httpd_t) -+ fs_manage_cifs_files(httpd_t) -+ fs_manage_cifs_symlinks(httpd_t) -+') + - tunable_policy(`httpd_ssi_exec',` - corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) - allow httpd_sys_script_t httpd_t:fd use; -@@ -451,6 +567,10 @@ - ') - - optional_policy(` -+ cvs_read_data(httpd_t) ++######################################## ++## ++## Execute afs server in the afs domain. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`afs_script_domtrans',` ++ gen_require(` ++ type afs_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,afs_script_exec_t) +') + -+optional_policy(` - cron_system_entry(httpd_t, httpd_exec_t) - ') - -@@ -459,8 +579,13 @@ - ') - - optional_policy(` -- kerberos_use(httpd_t) -- kerberos_read_kdc_config(httpd_t) -+ dbus_system_bus_client(httpd_t) -+ tunable_policy(`httpd_dbus_avahi',` -+ avahi_dbus_chat(httpd_t) ++######################################## ++## ++## All of the rules required to administrate ++## an afs environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the afs domain. ++## ++## ++## ++# ++interface(`afs_admin',` ++ gen_require(` ++ type afs_t; ++ type afs_script_exec_t; + ') ++ ++ allow $1 afs_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, afs_t, afs_t) ++ ++ # Allow afs_t to restart the apache service ++ afs_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 afs_script_exec_t system_r; ++ allow $2 system_r; ++ +') -+optional_policy(` -+ kerberos_keytab_template(httpd, httpd_t) - ') - - optional_policy(` -@@ -468,22 +593,18 @@ - mailman_domtrans_cgi(httpd_t) - # should have separate types for public and private archives - mailman_search_data(httpd_t) -+ mailman_read_data_files(httpd_t) - mailman_read_archive(httpd_t) - ') - - optional_policy(` -- # Allow httpd to work with mysql - mysql_stream_connect(httpd_t) - mysql_rw_db_sockets(httpd_t) -- -- tunable_policy(`httpd_can_network_connect_db',` -- mysql_tcp_connect(httpd_t) -- ') -+ mysql_read_config(httpd_t) - ') - - optional_policy(` - nagios_read_config(httpd_t) -- nagios_domtrans_cgi(httpd_t) - ') - - optional_policy(` -@@ -493,6 +614,12 @@ - openca_kill(httpd_t) - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.6.8/policy/modules/services/afs.te +--- 
nsaserefpolicy/policy/modules/services/afs.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/afs.te 2009-03-05 15:25:24.000000000 -0500 +@@ -6,6 +6,16 @@ + # Declarations + # -+tunable_policy(`httpd_execmem',` -+ allow httpd_t self:process { execmem execstack }; -+ allow httpd_sys_script_t self:process { execmem execstack }; -+ allow httpd_suexec_t self:process { execmem execstack }; -+') ++type afs_t; ++type afs_exec_t; ++init_daemon_domain(afs_t, afs_exec_t) + - optional_policy(` - # Allow httpd to work with postgresql - postgresql_stream_connect(httpd_t) -@@ -500,6 +627,7 @@ - - tunable_policy(`httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_t) -+ postgresql_tcp_connect(httpd_sys_script_t) - ') - ') - -@@ -508,6 +636,7 @@ - ') - - optional_policy(` -+ files_dontaudit_rw_usr_dirs(httpd_t) - snmp_dontaudit_read_snmp_var_lib_files(httpd_t) - snmp_dontaudit_write_snmp_var_lib_files(httpd_t) - ') -@@ -535,6 +664,22 @@ - - userdom_use_user_terminals(httpd_helper_t) ++type afs_script_exec_t; ++init_script_file(afs_script_exec_t) ++ ++type afs_cache_t; ++files_type(afs_cache_t) ++ + type afs_bosserver_t; + type afs_bosserver_exec_t; + init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t) +@@ -302,3 +312,46 @@ + sysnet_read_config(afs_vlserver_t) -+tunable_policy(`httpd_tty_comm',` -+ userdom_use_user_terminals(httpd_helper_t) -+') + userdom_dontaudit_use_user_terminals(afs_vlserver_t) + -+optional_policy(` -+ type httpd_unconfined_script_t; -+ type httpd_unconfined_script_exec_t; -+ domain_type(httpd_unconfined_script_t) -+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) -+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) -+ unconfined_domain(httpd_unconfined_script_t) ++######################################## ++# ++# afs local policy ++# ++ ++allow afs_t self:capability { sys_nice sys_tty_config }; ++allow afs_t self:process setsched; ++allow afs_t 
self:udp_socket create_socket_perms; ++allow afs_t self:fifo_file rw_file_perms; ++allow afs_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(afs_t,afs_cache_t,afs_cache_t) ++manage_dirs_pattern(afs_t,afs_cache_t,afs_cache_t) ++files_var_filetrans(afs_t,afs_cache_t,{file dir}) ++ ++files_mounton_mnt(afs_t) ++files_read_etc_files(afs_t) ++files_rw_etc_runtime_files(afs_t) + -+ role system_r types httpd_unconfined_script_t; -+') ++fs_getattr_xattr_fs(afs_t) ++fs_mount_nfs(afs_t) + ++kernel_rw_afs_state(afs_t) + - ######################################## - # - # Apache PHP script local policy -@@ -564,20 +709,25 @@ - - fs_search_auto_mountpoints(httpd_php_t) - -+auth_use_nsswitch(httpd_php_t) ++# Init script handling ++domain_use_interactive_fds(afs_t) + - libs_exec_lib_files(httpd_php_t) - - userdom_use_unpriv_users_fds(httpd_php_t) ++corenet_all_recvfrom_unlabeled(afs_t) ++corenet_all_recvfrom_netlabel(afs_t) ++corenet_tcp_sendrecv_generic_if(afs_t) ++corenet_udp_sendrecv_generic_if(afs_t) ++corenet_tcp_sendrecv_generic_node(afs_t) ++corenet_udp_sendrecv_generic_node(afs_t) ++corenet_tcp_sendrecv_all_ports(afs_t) ++corenet_udp_sendrecv_all_ports(afs_t) ++corenet_udp_bind_generic_node(afs_t) ++ ++miscfiles_read_localization(afs_t) ++ ++logging_send_syslog_msg(afs_t) ++ ++permissive afs_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.8/policy/modules/services/apache.fc +--- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/apache.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,12 +1,13 @@ +-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) ++HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? 
gen_context(system_u:object_r:httpd_user_content_t,s0) --optional_policy(` -- mysql_stream_connect(httpd_php_t) -+tunable_policy(`httpd_can_network_connect_db',` -+ corenet_tcp_connect_mysqld_port(httpd_t) -+ corenet_sendrecv_mysqld_client_packets(httpd_t) -+ corenet_tcp_connect_mysqld_port(httpd_sys_script_t) -+ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) -+ corenet_tcp_connect_mysqld_port(httpd_suexec_t) -+ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) - ') + /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) + /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) + /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +-/etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0) +-/etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) + /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) + /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) ++/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) + /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) --optional_policy(` -- nis_use_ypbind(httpd_php_t) --') + /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +@@ -22,6 +23,7 @@ + /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) + /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - optional_policy(` -- postgresql_stream_connect(httpd_php_t) -+ mysql_stream_connect(httpd_php_t) -+ mysql_read_config(httpd_php_t) ++/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/httpd(\.worker)? 
-- gen_context(system_u:object_r:httpd_exec_t,s0) +@@ -32,12 +34,14 @@ + /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') - ######################################## -@@ -595,23 +745,24 @@ - append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) - read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) - --allow httpd_suexec_t httpd_t:fifo_file getattr; -+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; ++/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) - manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) - manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) - files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) + /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +@@ -47,6 +51,7 @@ -+can_exec(httpd_suexec_t, httpd_sys_script_exec_t) + /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + /var/lib/php/session(/.*)? 
gen_context(system_u:object_r:httpd_var_run_t,s0) +@@ -50,8 +55,10 @@ + /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) + - kernel_read_kernel_sysctls(httpd_suexec_t) - kernel_list_proc(httpd_suexec_t) - kernel_read_proc_symlinks(httpd_suexec_t) - - dev_read_urand(httpd_suexec_t) - -+fs_read_iso9660_files(httpd_suexec_t) - fs_search_auto_mountpoints(httpd_suexec_t) - --# for shell scripts --corecmd_exec_bin(httpd_suexec_t) --corecmd_exec_shell(httpd_suexec_t) -+application_exec_all(httpd_suexec_t) - - files_read_etc_files(httpd_suexec_t) - files_read_usr_files(httpd_suexec_t) -@@ -624,6 +775,7 @@ - logging_send_syslog_msg(httpd_suexec_t) + /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) - miscfiles_read_localization(httpd_suexec_t) -+miscfiles_read_public_files(httpd_suexec_t) ++/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +@@ -64,11 +71,26 @@ + /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) + /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) + /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) - tunable_policy(`httpd_can_network_connect',` - allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -641,12 +793,20 @@ - corenet_sendrecv_all_client_packets(httpd_suexec_t) - ') + /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) + /var/spool/squirrelmail(/.*)? 
gen_context(system_u:object_r:squirrelmail_spool_t,s0) -+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) -+read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t) -+read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t) + /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + -+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) - tunable_policy(`httpd_enable_cgi && httpd_unified',` -+ allow httpd_sys_script_t httpdcontent:file entrypoint; - domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) -+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) -+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) -+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) - ') ++#Bugzilla file context ++/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) ++/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) ++/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0) ++#viewvc file context ++/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) ++/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) ++ ++/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) ++ ++/var/lib/rt3/data/RT-Shredder(/.*)? 
gen_context(system_u:object_r:httpd_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.8/policy/modules/services/apache.if +--- nsaserefpolicy/policy/modules/services/apache.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/apache.if 2009-03-05 15:25:24.000000000 -0500 +@@ -13,21 +13,16 @@ + # + template(`apache_content_template',` + gen_require(` +- attribute httpdcontent; + attribute httpd_exec_scripts; + attribute httpd_script_exec_type; + type httpd_t, httpd_suexec_t, httpd_log_t; + ') +- # allow write access to public file transfer +- # services files. +- gen_tunable(allow_httpd_$1_script_anon_write, false) - --tunable_policy(`httpd_enable_homedirs',` -- userdom_read_user_home_content_files(httpd_suexec_t) -+tunable_policy(`httpd_enable_cgi',` -+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t) - ') + #This type is for webpages +- type httpd_$1_content_t, httpdcontent; # customizable ++ type httpd_$1_content_t; + files_type(httpd_$1_content_t) - tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,15 +832,14 @@ - dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; - ') + # This type is used for .htaccess files +- type httpd_$1_htaccess_t; # customizable; ++ type httpd_$1_htaccess_t; + files_type(httpd_$1_htaccess_t) --optional_policy(` -- nagios_domtrans_cgi(httpd_suexec_t) --') -- - ######################################## - # - # Apache system script local policy - # + # Type that CGI scripts run as +@@ -42,20 +37,22 @@ -+auth_use_nsswitch(httpd_sys_script_t) -+ -+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; - allow httpd_sys_script_t httpd_t:tcp_socket { read write }; + # The following three are the only areas that + # scripts can read, read/write, or append to +- type httpd_$1_script_ro_t, httpdcontent; # customizable +- 
files_type(httpd_$1_script_ro_t) ++ typealias httpd_$1_content_t alias httpd_$1_script_ro_t; - dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +858,24 @@ - # Should we add a boolean? - apache_domtrans_rotatelogs(httpd_sys_script_t) +- type httpd_$1_script_rw_t, httpdcontent; # customizable +- files_type(httpd_$1_script_rw_t) ++ type httpd_$1_content_rw_t; ++ files_type(httpd_$1_content_rw_t) ++ typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t; -+sysnet_read_config(httpd_sys_script_t) -+ - ifdef(`distro_redhat',` - allow httpd_sys_script_t httpd_log_t:file append_file_perms; - ') +- type httpd_$1_script_ra_t, httpdcontent; # customizable +- files_type(httpd_$1_script_ra_t) ++ type httpd_$1_content_ra_t; ++ files_type(httpd_$1_content_ra_t) ++ typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t; --tunable_policy(`httpd_enable_homedirs',` -- userdom_read_user_home_content_files(httpd_sys_script_t) -+fs_read_iso9660_files(httpd_sys_script_t) -+ -+tunable_policy(`httpd_use_nfs',` -+ fs_manage_nfs_dirs(httpd_sys_script_t) -+ fs_manage_nfs_files(httpd_sys_script_t) -+ fs_manage_nfs_symlinks(httpd_sys_script_t) -+ fs_exec_nfs_files(httpd_sys_script_t) -+ -+ fs_manage_nfs_dirs(httpd_suexec_t) -+ fs_manage_nfs_files(httpd_suexec_t) -+ fs_manage_nfs_symlinks(httpd_suexec_t) -+ fs_exec_nfs_files(httpd_suexec_t) - ') +- allow httpd_t httpd_$1_htaccess_t:file read_file_perms; ++ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) - tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +883,35 @@ - fs_read_nfs_symlinks(httpd_sys_script_t) - ') + domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) -+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` -+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; -+ allow httpd_sys_script_t self:udp_socket create_socket_perms; -+ -+ corenet_tcp_bind_generic_node(httpd_sys_script_t) -+ 
corenet_udp_bind_generic_node(httpd_sys_script_t) -+ corenet_all_recvfrom_unlabeled(httpd_sys_script_t) -+ corenet_all_recvfrom_netlabel(httpd_sys_script_t) -+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t) -+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t) -+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t) -+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t) -+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) -+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t) -+ corenet_tcp_connect_all_ports(httpd_sys_script_t) -+ corenet_sendrecv_all_client_packets(httpd_sys_script_t) -+') -+ -+ -+tunable_policy(`httpd_use_cifs',` -+ fs_manage_cifs_dirs(httpd_sys_script_t) -+ fs_manage_cifs_files(httpd_sys_script_t) -+ fs_manage_cifs_symlinks(httpd_sys_script_t) -+ fs_manage_cifs_dirs(httpd_suexec_t) -+ fs_manage_cifs_files(httpd_suexec_t) -+ fs_manage_cifs_symlinks(httpd_suexec_t) -+ fs_exec_cifs_files(httpd_suexec_t) -+') -+ - tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(httpd_sys_script_t) - fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +924,10 @@ - optional_policy(` - mysql_stream_connect(httpd_sys_script_t) - mysql_rw_db_sockets(httpd_sys_script_t) -+ mysql_read_config(httpd_sys_script_t) -+ mysql_stream_connect(httpd_suexec_t) -+ mysql_rw_db_sockets(httpd_suexec_t) -+ mysql_read_config(httpd_suexec_t) - ') +- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; ++ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; ++ allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; - optional_policy(` -@@ -735,6 +939,8 @@ - # httpd_rotatelogs local policy - # + allow httpd_$1_script_t self:fifo_file rw_file_perms; + allow httpd_$1_script_t self:unix_stream_socket connectto; +@@ -65,29 +62,27 @@ + dontaudit httpd_$1_script_t 
httpd_t:unix_stream_socket { read write }; -+allow httpd_rotatelogs_t self:capability dac_override; -+ - manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) + # Allow the script process to search the cgi directory, and users directory +- allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; ++ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; ++ list_dirs_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) ++ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) ++ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) - kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,6 +960,12 @@ + append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) + logging_search_logs(httpd_$1_script_t) - tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_user_script_t httpdcontent:file entrypoint; -+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) -+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) -+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t) -+ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t) -+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t) -+ manage_files_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t) - ') + can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) +- allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms; ++ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - # allow accessing files/dirs below the users home dir -@@ -762,3 +974,66 @@ - userdom_search_user_home_dirs(httpd_suexec_t) - userdom_search_user_home_dirs(httpd_user_script_t) - ') -+ -+#============= bugzilla policy ============== -+apache_content_template(bugzilla) -+ -+type httpd_bugzilla_tmp_t; 
-+files_tmp_file(httpd_bugzilla_tmp_t) -+ -+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; -+allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; -+allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; -+ -+corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) -+corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) -+corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) -+corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t) -+corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) -+corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t) -+corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t) -+corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t) -+corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t) -+corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t) -+corenet_tcp_connect_http_port(httpd_bugzilla_script_t) -+corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) -+corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) -+corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) -+ -+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) -+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) -+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir }) -+ -+files_search_var_lib(httpd_bugzilla_script_t) -+ -+mta_send_mail(httpd_bugzilla_script_t) -+ -+sysnet_read_config(httpd_bugzilla_script_t) -+sysnet_use_ldap(httpd_bugzilla_script_t) -+ -+optional_policy(` -+ mysql_search_db(httpd_bugzilla_script_t) -+ mysql_stream_connect(httpd_bugzilla_script_t) -+') -+ -+optional_policy(` -+ postgresql_stream_connect(httpd_bugzilla_script_t) -+') -+ -+manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) -+manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) -+manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) 
-+ -+manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content) -+manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content) -+manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content) +- allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; +- read_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- append_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- +- allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms; +- read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- +- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_script_rw_t, { dir file lnk_file sock_file fifo_file }) ++ allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; ++ read_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ append_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) + -+# Removal of fastcgi, will cause problems without the following -+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; -+typealias httpd_sys_content_t alias httpd_fastcgi_content_t; -+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; -+typealias 
httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; -+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; -+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; -+typealias httpd_sys_script_t alias httpd_fastcgi_script_t; -+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.6.7/policy/modules/services/apcupsd.fc ---- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/apcupsd.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -5,6 +5,7 @@ - ') ++ manage_dirs_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) - /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) -+/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) + kernel_dontaudit_search_sysctl(httpd_$1_script_t) + kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) +@@ -96,6 +91,7 @@ + dev_read_urand(httpd_$1_script_t) - /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) - /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.7/policy/modules/services/apm.te ---- nsaserefpolicy/policy/modules/services/apm.te 2009-02-16 08:44:12.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/apm.te 2009-03-03 17:11:59.000000000 -0500 -@@ -1,5 +1,5 @@ + 
corecmd_exec_all_executables(httpd_$1_script_t) ++ application_exec_all(httpd_$1_script_t) --policy_module(apm, 1.9.1) -+policy_module(apm, 1.9.0) + files_exec_etc_files(httpd_$1_script_t) + files_read_etc_files(httpd_$1_script_t) +@@ -109,34 +105,21 @@ - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.7/policy/modules/services/automount.te ---- nsaserefpolicy/policy/modules/services/automount.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/automount.te 2009-03-03 17:11:59.000000000 -0500 -@@ -71,6 +71,7 @@ - files_mounton_all_mountpoints(automount_t) - files_mount_all_file_type_fs(automount_t) - files_unmount_all_file_type_fs(automount_t) -+files_manage_non_security_dirs(automount_t) + seutil_dontaudit_search_config(httpd_$1_script_t) - fs_mount_all_fs(automount_t) - fs_unmount_all_fs(automount_t) -@@ -100,6 +101,7 @@ - corenet_udp_bind_all_rpc_ports(automount_t) +- tunable_policy(`httpd_enable_cgi && httpd_unified',` +- allow httpd_$1_script_t httpdcontent:file entrypoint; +- +- manage_dirs_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) +- manage_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) +- manage_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpdcontent) +- can_exec(httpd_$1_script_t, httpdcontent) +- ') +- +- tunable_policy(`allow_httpd_$1_script_anon_write',` +- miscfiles_manage_public_files(httpd_$1_script_t) +- ') +- + # Allow the web server to run scripts and serve pages + tunable_policy(`httpd_builtin_scripting',` +- manage_dirs_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- manage_lnk_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- rw_sock_files_pattern(httpd_t, httpd_$1_script_rw_t, httpd_$1_script_rw_t) +- +- allow httpd_t 
httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; +- read_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- append_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- read_lnk_files_pattern(httpd_t, httpd_$1_script_ra_t, httpd_$1_script_ra_t) +- +- allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms; +- read_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) +- read_lnk_files_pattern(httpd_t, httpd_$1_script_ro_t, httpd_$1_script_ro_t) ++ manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t) ++ ++ allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; ++ read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t) ++ ++ allow httpd_t httpd_$1_content_t:dir list_dir_perms; ++ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) ++ read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) - dev_read_sysfs(automount_t) -+dev_rw_autofs(automount_t) - # for SSP - dev_read_rand(automount_t) - dev_read_urand(automount_t) -@@ -127,6 +129,7 @@ - fs_unmount_autofs(automount_t) - fs_mount_autofs(automount_t) - fs_manage_autofs_symlinks(automount_t) -+fs_read_nfs_files(automount_t) + allow httpd_t httpd_$1_content_t:dir list_dir_perms; + read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) +@@ -149,9 +132,13 @@ + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) - storage_rw_fuse(automount_t) ++ allow httpd_exec_scripts 
httpd_$1_script_exec_t:file read_file_perms; ++ + # apache runs the script: + domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) -@@ -142,6 +145,7 @@ ++ allow httpd_t httpd_$1_script_exec_t:file read_file_perms; ++ + allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; + allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; - # Run mount in the mount_t domain. - mount_domtrans(automount_t) -+mount_signal(automount_t) +@@ -175,50 +162,6 @@ + miscfiles_read_localization(httpd_$1_script_t) + ') - userdom_dontaudit_use_unpriv_user_fds(automount_t) - userdom_dontaudit_search_user_home_dirs(automount_t) -@@ -155,7 +159,7 @@ - ') +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; +- allow httpd_$1_script_t self:udp_socket create_socket_perms; +- +- corenet_all_recvfrom_unlabeled(httpd_$1_script_t) +- corenet_all_recvfrom_netlabel(httpd_$1_script_t) +- corenet_tcp_sendrecv_generic_if(httpd_$1_script_t) +- corenet_udp_sendrecv_generic_if(httpd_$1_script_t) +- corenet_tcp_sendrecv_generic_node(httpd_$1_script_t) +- corenet_udp_sendrecv_generic_node(httpd_$1_script_t) +- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) +- corenet_udp_sendrecv_all_ports(httpd_$1_script_t) +- +- sysnet_read_config(httpd_$1_script_t) +- ') +- +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms; +- allow httpd_$1_script_t self:udp_socket create_socket_perms; +- +- corenet_all_recvfrom_unlabeled(httpd_$1_script_t) +- corenet_all_recvfrom_netlabel(httpd_$1_script_t) +- corenet_tcp_sendrecv_generic_if(httpd_$1_script_t) +- corenet_udp_sendrecv_generic_if(httpd_$1_script_t) +- corenet_tcp_sendrecv_generic_node(httpd_$1_script_t) +- corenet_udp_sendrecv_generic_node(httpd_$1_script_t) +- corenet_tcp_sendrecv_all_ports(httpd_$1_script_t) +- corenet_udp_sendrecv_all_ports(httpd_$1_script_t) +- 
corenet_tcp_connect_all_ports(httpd_$1_script_t) +- corenet_sendrecv_all_client_packets(httpd_$1_script_t) +- +- sysnet_read_config(httpd_$1_script_t) +- ') +- +- optional_policy(` +- mta_send_mail(httpd_$1_script_t) +- ') +- +- optional_policy(` +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- mysql_tcp_connect(httpd_$1_script_t) +- ') +- ') +- + optional_policy(` + tunable_policy(`httpd_enable_cgi && allow_ypbind',` + nis_use_ypbind_uncond(httpd_$1_script_t) +@@ -227,10 +170,6 @@ - optional_policy(` -- kerberos_read_keytab(automount_t) -+ kerberos_keytab_template(automount, automount_t) - kerberos_read_config(automount_t) - kerberos_dontaudit_write_config(automount_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.6.7/policy/modules/services/avahi.if ---- nsaserefpolicy/policy/modules/services/avahi.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/avahi.if 2009-03-03 17:11:59.000000000 -0500 -@@ -21,6 +21,25 @@ + optional_policy(` + postgresql_unpriv_client(httpd_$1_script_t) +- +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- postgresql_tcp_connect(httpd_$1_script_t) +- ') + ') + optional_policy(` +@@ -504,6 +443,47 @@ ######################################## ## -+## Execute avahi server in the avahi domain. + ## Allow the specified domain to read ++## apache tmp files. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. +## +## ++## +# ++interface(`apache_read_tmp',` ++ gen_require(` ++ type httpd_config_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ++') ++ ++######################################## ++## ++## Dontaudit attempts ti write ++## apache tmp files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## +# -+interface(`avahi_initrc_domtrans',` ++interface(`apache_dontaudit_write_tmp',` + gen_require(` -+ type avahi_initrc_exec_t; ++ type httpd_config_t; + ') + -+ init_labeled_script_domtrans($1, avahi_initrc_exec_t) ++ dontaudit $1 httpd_tmp_t:file write; +') + +######################################## +## - ## Send avahi a signal ++## Allow the specified domain to read + ## apache configuration files. ## ## -@@ -57,6 +76,24 @@ +@@ -579,7 +559,7 @@ + ## + ## + ## +-## The role to be allowed the dmidecode domain. ++## The role to be allowed the http_helper domain. + ## + ## + ## +@@ -715,6 +695,7 @@ + ') + + allow $1 httpd_modules_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) + ') + + ######################################## +@@ -782,6 +763,32 @@ ######################################## ## -+## Send avahi a signull ++## Allow the specified domain to delete ++## apache system content rw files. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`avahi_signull',` ++# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr ++interface(`apache_delete_sys_content_rw',` + gen_require(` -+ type avahi_t; ++ type httpd_sys_content_rw_t; + ') + -+ allow $1 avahi_t:process signull; ++ files_search_tmp($1) ++ delete_dirs_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ delete_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ delete_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ delete_fifo_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) ++ delete_sock_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t) +') + +######################################## +## - ## Send and receive messages from - ## avahi over dbus. + ## Execute all web scripts in the system + ## script domain. 
## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.7/policy/modules/services/avahi.te ---- nsaserefpolicy/policy/modules/services/avahi.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/avahi.te 2009-03-04 14:39:26.000000000 -0500 -@@ -33,6 +33,7 @@ - allow avahi_t self:tcp_socket create_stream_socket_perms; - allow avahi_t self:udp_socket create_socket_perms; - -+files_search_var_lib(avahi_t) - manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) - manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) - files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) -@@ -93,6 +94,7 @@ - dbus_connect_system_bus(avahi_t) - - init_dbus_chat_script(avahi_t) -+ dbus_system_domain(avahi_t, avahi_exec_t) - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.7/policy/modules/services/bind.fc ---- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/bind.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,17 +1,22 @@ - /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +@@ -791,16 +798,18 @@ + ##
+ ## + # +-# cjp: this interface specifically added to allow +-# sysadm_t to run scripts + interface(`apache_domtrans_sys_script',` + gen_require(` +- attribute httpdcontent; + type httpd_sys_script_t; ++ type httpd_sys_content_t; ++ ') + - /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) - /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) -+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) - - /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) - /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) - /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) - /usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) -+/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) ++ tunable_policy(`httpd_enable_cgi',` ++ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) + ') - /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) + tunable_policy(`httpd_enable_cgi && httpd_unified',` +- domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ++ domtrans_pattern($1, httpd_sys_content_t, httpd_sys_script_t) + ') + ') - /var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) - /var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) - /var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) -+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +@@ -859,6 +868,8 @@ + ##
+ ## + # ++# cjp: this is missing the terminal since scripts ++# do not output to the terminal + interface(`apache_run_all_scripts',` + gen_require(` + attribute httpd_exec_scripts, httpd_script_domains; +@@ -884,7 +895,7 @@ + type httpd_squirrelmail_t; + ') - ifdef(`distro_debian',` - /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -@@ -40,7 +45,6 @@ - /var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) - /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) - /var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) --/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0) - /var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) - /var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) - /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.7/policy/modules/services/bind.if ---- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/bind.if 2009-03-03 17:11:59.000000000 -0500 -@@ -38,6 +38,42 @@ +- allow $1 httpd_squirrelmail_t:file read_file_perms; ++ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) + ') ######################################## - ## -+## Send signulls to BIND. +@@ -1040,3 +1051,160 @@ + + allow httpd_t $1:process signal; + ') ++ ++######################################## ++## ++## Allow the specified domain to search ++## apache bugzilla directories. +## +## +## 
@@ -9980,17 +7569,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`bind_signull',` ++interface(`apache_search_bugzilla_dirs',` + gen_require(` -+ type named_t; ++ type httpd_bugzilla_content_t; + ') + -+ allow $1 named_t:process signull; ++ allow $1 httpd_bugzilla_content_t:dir search_dir_perms; +') + +######################################## +## -+## Send BIND the kill signal ++## Do not audit attempts to read and write Apache ++## bugzill script unix domain stream sockets. +## +## +## 
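Review bot: The description of the interface whose header closes this hunk misspells the module name on the new side: `++## bugzill script unix domain stream sockets.` should read `## bugzilla script unix domain stream sockets.`, consistent with the `httpd_bugzilla_*` types these new interfaces reference. The preceding `apache_search_bugzilla_dirs` interface is internally consistent — its `gen_require` names exactly the `httpd_bugzilla_content_t` type on which it grants `search_dir_perms`, so nothing else in this hunk needs changing. Since these are additions to the nested patch, the correction belongs in the apache.if section of policy-20090105.patch rather than in the outer diff. The second interface's `<summary>`/`<param>` block starts here and continues into the following hunk.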
@@ -9998,933 +7588,1010 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`bind_kill',` ++interface(`apache_dontaudit_rw_bugzilla_script_stream_sockets',` + gen_require(` -+ type named_t; ++ type httpd_bugzilla_script_t; + ') + -+ allow $1 named_t:process sigkill; ++ dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; +') + +######################################## +## - ## Execute ndc in the ndc domain, and - ## allow the specified role the ndc domain. - ## -@@ -251,6 +287,25 @@ - - ######################################## - ## -+## Execute bind server in the bind domain. ++## All of the rules required to administrate an apache environment +## ++## ++## ++## Prefix of the domain. Example, user would be ++## the prefix for the uder_t domain. ++## ++## +## +## -+## The type of the process performing this action. ++## Domain allowed access. +## +## ++## ++## ++## The role to be allowed to manage the apache domain. 
++## ++## ++## +# -+# -+interface(`bind_initrc_domtrans',` ++interface(`apache_admin',` ++ + gen_require(` -+ type bind_initrc_exec_t; -+ ') ++ type httpd_t, httpd_initrc_exec_t, httpd_config_t; ++ type httpd_log_t, httpd_modules_t, httpd_lock_t; ++ type httpd_var_run_t; ++ attribute httpdcontent; ++ attribute httpd_script_exec_type; ++ type httpd_bool_t; ++ type httpd_php_tmp_t; ++ type httpd_suexec_tmp_t; ++ type httpd_tmp_t; + -+ init_labeled_script_domtrans($1, bind_initrc_exec_t) -+') ++ ') + -+######################################## -+## - ## All of the rules required to administrate - ## an bind environment - ## -@@ -269,7 +324,7 @@ - interface(`bind_admin',` - gen_require(` - type named_t, named_tmp_t, named_log_t; -- type named_conf_t, named_var_run_t; -+ type named_conf_t, named_var_lib_t, named_var_run_t; - type named_cache_t, named_zone_t; - type dnssec_t, ndc_t; - type named_initrc_exec_t; -@@ -283,6 +338,7 @@ - - bind_run_ndc($1, $2) - -+ bind_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 named_initrc_exec_t system_r; - allow $2 system_r; -@@ -300,6 +356,9 @@ - admin_pattern($1, named_zone_t) - admin_pattern($1, dnssec_t) - -+ files_list_var_lib($1) -+ admin_pattern($1, named_var_lib_t) ++ allow $1 httpd_t:process { getattr ptrace signal_perms }; ++ ps_process_pattern($1, httpd_t) + - files_list_pids($1) - admin_pattern($1, named_var_run_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.7/policy/modules/services/bind.te ---- nsaserefpolicy/policy/modules/services/bind.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/bind.te 2009-03-03 17:11:59.000000000 -0500 -@@ -169,7 +169,7 @@ - ') - - optional_policy(` -- kerberos_use(named_t) -+ kerberos_keytab_template(named, named_t) - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.6.7/policy/modules/services/bluetooth.fc ---- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/bluetooth.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -15,6 +15,7 @@ - /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - -+/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - /usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - /usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.6.7/policy/modules/services/bluetooth.if ---- nsaserefpolicy/policy/modules/services/bluetooth.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/bluetooth.if 2009-03-03 17:11:59.000000000 -0500 -@@ -173,7 +173,7 @@ - interface(`bluetooth_admin',` - gen_require(` - type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; -- type bluetooth_var_lib_t, bluetooth_var_run_t; -+ type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t; - type bluetooth_conf_t, bluetooth_conf_rw_t; - type bluetooth_initrc_exec_t; - ') -@@ -196,6 +196,9 @@ - admin_pattern($1, bluetooth_conf_t) - admin_pattern($1, bluetooth_conf_rw_t) - -+ files_list_spool($1) -+ admin_pattern($1, bluetooth_spool_t) ++ init_labeled_script_domtrans($1, httpd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 httpd_initrc_exec_t system_r; ++ allow $2 system_r; + - files_list_var_lib($1) - admin_pattern($1, bluetooth_var_lib_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te 
serefpolicy-3.6.7/policy/modules/services/bluetooth.te ---- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/bluetooth.te 2009-03-03 17:11:59.000000000 -0500 -@@ -93,6 +93,7 @@ - - kernel_read_kernel_sysctls(bluetooth_t) - kernel_read_system_state(bluetooth_t) -+kernel_read_network_state(bluetooth_t) - - corenet_all_recvfrom_unlabeled(bluetooth_t) - corenet_all_recvfrom_netlabel(bluetooth_t) -@@ -147,10 +148,10 @@ - optional_policy(` - cups_dbus_chat(bluetooth_t) - ') --') - - optional_policy(` -- nis_use_ypbind(bluetooth_t) -+ hal_dbus_chat(bluetooth_t) -+ ') - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.7/policy/modules/services/certmaster.fc ---- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/certmaster.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,9 @@ ++ apache_manage_all_content($1) ++ miscfiles_manage_public_files($1) + -+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) -+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) ++ files_search_etc($1) ++ admin_pattern($1, httpd_config_t) + -+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) ++ logging_search_logs($1) ++ admin_pattern($1, httpd_log_t) + -+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) ++ admin_pattern($1, httpd_modules_t) + -+/var/log/certmaster(/.*)? 
gen_context(system_u:object_r:certmaster_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.6.7/policy/modules/services/certmaster.if ---- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/certmaster.if 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,123 @@ -+## policy for certmaster ++ admin_pattern($1, httpd_lock_t) ++ files_lock_filetrans($1, httpd_lock_t, file) + -+######################################## -+## -+## Execute a domain transition to run certmaster. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`certmaster_domtrans',` -+ gen_require(` -+ type certmaster_t, certmaster_exec_t; -+ ') ++ admin_pattern($1, httpd_var_run_t) ++ files_pid_filetrans($1, httpd_var_run_t, file) + -+ domtrans_pattern($1,certmaster_exec_t,certmaster_t) -+') ++ kernel_search_proc($1) ++ allow $1 httpd_t:dir list_dir_perms; ++ ps_process_pattern($1, httpd_t) ++ read_lnk_files_pattern($1, httpd_t, httpd_t) + -+####################################### -+## -+## read certmaster logs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`certmaster_read_log',` -+ gen_require(` -+ type certmaster_var_log_t; -+ ') ++ admin_pattern($1, httpdcontent) ++ admin_pattern($1, httpd_script_exec_type) + -+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) -+') ++ seutil_domtrans_setfiles($1) + -+####################################### -+## -+## Append to certmaster logs. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`certmaster_append_log',` -+ gen_require(` -+ type certmaster_var_log_t; -+ ') ++ admin_pattern($1, httpd_tmp_t) ++ admin_pattern($1, httpd_php_tmp_t) ++ admin_pattern($1, httpd_suexec_tmp_t) ++ files_tmp_filetrans($1, httpd_tmp_t, { file dir }) + -+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++ifdef(`TODO',` ++ apache_set_booleans($1, $2, $3, httpd_bool_t ) ++ seutil_setsebool_role_template($1, $3, $2) ++ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; ++ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; ++') +') + -+####################################### ++######################################## +## -+## Create, read, write, and delete -+## certmaster logs. ++## Mark content as being readable by standard apache processes +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`certmaster_manage_log',` -+ gen_require(` -+ type certmaster_var_log_t; -+ ') -+ -+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) -+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++template(`apache_ro_content',` ++ gen_require(` ++ attribute httpd_ro_content; ++ ') ++ typeattribute $1 httpd_ro_content; +') + +######################################## +## -+## All of the rules required to administrate -+## an snort environment ++## Mark content as being read/write by standard apache processes +## +## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## ++## ++## Domain allowed access. 
++## +## -+## +# -+interface(`certmaster_admin',` -+ gen_require(` -+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; -+ type certmaster_etc_rw_t, certmaster_var_log_t; -+ type certmaster_initrc_exec_t; -+ ') -+ -+ allow $1 certmaster_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, certmaster_t) ++template(`apache_rw_content',` ++ gen_require(` ++ attribute httpd_rw_content; ++ ') ++ typeattribute $1 httpd_rw_content; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.8/policy/modules/services/apache.te +--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/apache.te 2009-03-05 15:25:24.000000000 -0500 +@@ -19,6 +19,8 @@ + # Declarations + # + ++selinux_genbool(httpd_bool_t) + -+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 certmaster_initrc_exec_t system_r; -+ allow $2 system_r; + ## + ##

+ ## Allow Apache to modify public files +@@ -30,10 +32,17 @@ + + ## + ##

+-## Allow Apache to use mod_auth_pam ++## Allow httpd scripts and modules execmem/execstack + ##

+ ##
+-gen_tunable(allow_httpd_mod_auth_pam, false) ++gen_tunable(httpd_execmem, false) + -+ files_list_etc($1) -+ miscfiles_manage_cert_dirs($1) -+ miscfiles_manage_cert_files($1) ++## ++##

++## Allow Apache to communicate with avahi service via dbus ++##

++##
++gen_tunable(httpd_dbus_avahi, false) + + ## + ##

+@@ -44,6 +53,13 @@ + + ## + ##

++## Allow http daemon to send mail ++##

++##
++gen_tunable(httpd_can_sendmail, false) + -+ admin_pattern($1, certmaster_etc_rw_t) ++## ++##

+ ## Allow HTTPD scripts and modules to connect to the network using TCP. + ##

+ ##
+@@ -108,6 +124,29 @@ + ## + gen_tunable(httpd_unified, false) + ++## ++##

++## Allow httpd to access nfs file systems ++##

++##
++gen_tunable(httpd_use_nfs, false) + -+ files_list_pids($1) -+ admin_pattern($1, certmaster_var_run_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, certmaster_var_log_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, certmaster_var_lib_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.7/policy/modules/services/certmaster.te ---- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/certmaster.te 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,79 @@ -+policy_module(certmaster,1.0.0) ++## ++##

++## Allow httpd to access cifs file systems ++##

++##
++gen_tunable(httpd_use_cifs, false) + -+######################################## -+# -+# Declarations -+# ++## ++##

++## Allow apache scripts to write to public content. Directories/Files must be labeled public_content_rw_t. ++##

++##
++gen_tunable(allow_httpd_sys_script_anon_write, false) + -+# type and domain for certmaster -+type certmaster_t; -+type certmaster_exec_t; -+init_daemon_domain(certmaster_t, certmaster_exec_t) ++attribute httpd_ro_content; ++attribute httpd_rw_content; + attribute httpdcontent; + attribute httpd_user_content_type; + +@@ -140,6 +179,9 @@ + domain_entry_file(httpd_helper_t, httpd_helper_exec_t) + role system_r types httpd_helper_t; + ++type httpd_initrc_exec_t; ++init_script_file(httpd_initrc_exec_t) + -+type certmaster_initrc_exec_t; -+init_script_file(certmaster_initrc_exec_t) + type httpd_lock_t; + files_lock_file(httpd_lock_t) + +@@ -180,6 +222,10 @@ + # setup the system domain for system CGI scripts + apache_content_template(sys) + ++typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable ++typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable ++typeattribute httpd_sys_content_ra_t httpdcontent; # customizable + -+# var/lib files -+type certmaster_var_lib_t; -+files_type(certmaster_var_lib_t) + type httpd_tmp_t; + files_tmp_file(httpd_tmp_t) + +@@ -187,15 +233,20 @@ + files_tmpfs_file(httpd_tmpfs_t) + + apache_content_template(user) + -+# config files -+type certmaster_etc_rw_t; -+files_config_file(certmaster_etc_rw_t) + ubac_constrained(httpd_user_script_t) ++typeattribute httpd_user_content_t httpdcontent; ++typeattribute httpd_user_content_rw_t httpdcontent; ++typeattribute httpd_user_content_ra_t httpdcontent; + -+# log files -+type certmaster_var_log_t; -+logging_log_file(certmaster_var_log_t) + userdom_user_home_content(httpd_user_content_t) + userdom_user_home_content(httpd_user_htaccess_t) + userdom_user_home_content(httpd_user_script_exec_t) +-userdom_user_home_content(httpd_user_script_ra_t) +-userdom_user_home_content(httpd_user_script_ro_t) +-userdom_user_home_content(httpd_user_script_rw_t) ++userdom_user_home_content(httpd_user_content_ra_t) ++userdom_user_home_content(httpd_user_content_rw_t) 
+ typeattribute httpd_user_script_t httpd_script_domains; + typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; ++typealias httpd_user_content_t alias httpd_unconfined_content_t; + typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; + typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; + typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; +@@ -230,7 +281,7 @@ + # Apache server local policy + # + +-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config }; ++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; + dontaudit httpd_t self:capability { net_admin sys_tty_config }; + allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow httpd_t self:fd use; +@@ -272,6 +323,7 @@ + allow httpd_t httpd_modules_t:dir list_dir_perms; + mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) + read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) ++read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) + + apache_domtrans_rotatelogs(httpd_t) + # Apache-httpd needs to be able to send signals to the log rotate procs. 
+@@ -283,9 +335,9 @@ + + allow httpd_t httpd_suexec_exec_t:file read_file_perms; + +-allow httpd_t httpd_sys_content_t:dir list_dir_perms; +-read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +-read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) ++allow httpd_t httpd_ro_content:dir list_dir_perms; ++read_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content) ++read_lnk_files_pattern(httpd_t, httpd_ro_content, httpd_ro_content) + + manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) + manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +@@ -301,6 +353,7 @@ + manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) + files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) + ++setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) + manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) + manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) + files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) +@@ -312,6 +365,7 @@ + kernel_read_kernel_sysctls(httpd_t) + # for modules that want to access /proc/meminfo + kernel_read_system_state(httpd_t) ++kernel_search_network_sysctl(httpd_t) + + corenet_all_recvfrom_unlabeled(httpd_t) + corenet_all_recvfrom_netlabel(httpd_t) +@@ -322,6 +376,7 @@ + corenet_tcp_sendrecv_all_ports(httpd_t) + corenet_udp_sendrecv_all_ports(httpd_t) + corenet_tcp_bind_generic_node(httpd_t) ++corenet_udp_bind_generic_node(httpd_t) + corenet_tcp_bind_http_port(httpd_t) + corenet_tcp_bind_http_cache_port(httpd_t) + corenet_sendrecv_http_server_packets(httpd_t) +@@ -335,12 +390,12 @@ + + fs_getattr_all_fs(httpd_t) + fs_search_auto_mountpoints(httpd_t) ++fs_list_inotifyfs(httpd_t) ++fs_read_iso9660_files(httpd_t) + + auth_use_nsswitch(httpd_t) + +-# execute perl +-corecmd_exec_bin(httpd_t) +-corecmd_exec_shell(httpd_t) ++application_exec_all(httpd_t) + + domain_use_interactive_fds(httpd_t) + +@@ -358,6 +413,10 @@ + files_read_var_lib_symlinks(httpd_t) + + 
fs_search_auto_mountpoints(httpd_sys_script_t) ++# php uploads a file to /tmp and then execs programs to acton them ++manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, { dir file lnk_file sock_file fifo_file }) + + libs_read_lib_files(httpd_t) + +@@ -372,18 +431,33 @@ + + userdom_use_unpriv_users_fds(httpd_t) + +-mta_send_mail(httpd_t) +- + tunable_policy(`allow_httpd_anon_write',` + miscfiles_manage_public_files(httpd_t) + ') + +-ifdef(`TODO', ` + # + # We need optionals to be able to be within booleans to make this work + # ++## ++##
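Review bot: The new file transition for httpd_sys_script_t does not match the manage rules added two lines above it: the script is granted manage on httpd_tmp_t, but `files_tmp_filetrans(httpd_sys_script_t, httpd_sys_content_rw_t, ...)` labels everything it creates in /tmp as web content rather than scratch space. Unless rules elsewhere give the script domain manage access to httpd_sys_content_rw_t, the upload the comment describes can be created but not reliably read back or cleaned up, and scratch files end up with the same label as writable web content. I would change the transition to the type the manage rules use, `files_tmp_filetrans(httpd_sys_script_t, httpd_tmp_t, { dir file lnk_file sock_file fifo_file })`, or else add matching manage rules for httpd_sys_content_rw_t and a comment stating why uploads share the content label. This is inside a nested patch hunk; the surrounding httpd_t rules continue outside it.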

++## Allow Apache to use mod_auth_pam ++##

++##
++gen_tunable(allow_httpd_mod_auth_pam, false) + -+# pid files -+type certmaster_var_run_t; -+files_pid_file(certmaster_var_run_t) + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) ++ auth_domtrans_chkpwd(httpd_t) ++') + -+########################################### -+# -+# certmaster local policy -+# ++## ++##

++## Allow Apache to use mod_auth_pam ++##

++##
++gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) ++optional_policy(` ++tunable_policy(`allow_httpd_mod_auth_pam',` ++ samba_domtrans_winbind_helper(httpd_t) + ') + ') + +@@ -391,20 +465,54 @@ + corenet_tcp_connect_all_ports(httpd_t) + ') + ++tunable_policy(`httpd_can_sendmail',` ++ # allow httpd to connect to mail servers ++ corenet_tcp_connect_smtp_port(httpd_t) ++ corenet_sendrecv_smtp_client_packets(httpd_t) ++ corenet_tcp_connect_pop_port(httpd_t) ++ corenet_sendrecv_pop_client_packets(httpd_t) ++ mta_send_mail(httpd_t) ++ mta_send_mail(httpd_sys_script_t) ++') + -+allow certmaster_t self:capability sys_tty_config; -+allow certmaster_t self:tcp_socket create_stream_socket_perms; + tunable_policy(`httpd_can_network_relay',` + # allow httpd to work as a relay + corenet_tcp_connect_gopher_port(httpd_t) + corenet_tcp_connect_ftp_port(httpd_t) + corenet_tcp_connect_http_port(httpd_t) + corenet_tcp_connect_http_cache_port(httpd_t) ++ corenet_tcp_connect_memcache_port(httpd_t) + corenet_sendrecv_gopher_client_packets(httpd_t) + corenet_sendrecv_ftp_client_packets(httpd_t) + corenet_sendrecv_http_client_packets(httpd_t) + corenet_sendrecv_http_cache_client_packets(httpd_t) + ') + ++tunable_policy(`httpd_enable_cgi && httpd_unified',` ++ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; ++ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) ++ can_exec(httpd_sys_script_t, httpd_sys_content_t) ++') + -+# config files -+list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t) -+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) ++tunable_policy(`allow_httpd_sys_script_anon_write',` ++ miscfiles_manage_public_files(httpd_sys_script_t) ++') + -+# var/lib files for certmaster -+manage_files_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) -+manage_dirs_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) 
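Review bot: The new boolean `allow_httpd_mod_auth_ntlm_winbind` is declared but never tested: the tunable_policy block that follows it keys on `allow_httpd_mod_auth_pam`, so enabling the winbind boolean has no effect, and turning on the PAM boolean silently also grants httpd_t a transition to the winbind helper. The block should read `tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` with `samba_domtrans_winbind_helper(httpd_t)` inside it. The accompanying description also duplicates the PAM text; it should say `## Allow Apache to use mod_auth_ntlm_winbind` so the boolean's purpose is visible to administrators. These lines sit in a nested patch hunk whose enclosing policy file continues outside the hunk.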
-+files_var_lib_filetrans(certmaster_t,certmaster_var_lib_t, { file dir }) ++tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` ++ fs_nfs_domtrans(httpd_t, httpd_sys_script_t) ++') + -+# log files -+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) -+logging_log_filetrans(certmaster_t,certmaster_var_log_t, file ) ++tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` ++ fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ++') + -+# pid file -+manage_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) -+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) -+files_pid_filetrans(certmaster_t,certmaster_var_run_t, { file sock_file }) + -+corecmd_search_bin(certmaster_t) -+corecmd_getattr_bin_files(certmaster_t) + tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` +- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) ++ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) ++ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) ++ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) ++ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) ++ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) + + manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_t, httpdcontent, httpdcontent) +@@ -415,20 +523,28 @@ + corenet_tcp_bind_ftp_port(httpd_t) + ') + +-tunable_policy(`httpd_enable_homedirs',` +- userdom_read_user_home_content_files(httpd_t) +-') +- + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_t) + fs_read_nfs_symlinks(httpd_t) + ') + ++tunable_policy(`httpd_use_nfs',` ++ fs_manage_nfs_dirs(httpd_t) ++ fs_manage_nfs_files(httpd_t) ++ fs_manage_nfs_symlinks(httpd_t) ++') + -+# network -+corenet_tcp_bind_generic_node(certmaster_t) -+corenet_tcp_bind_certmaster_port(certmaster_t) + 
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_t) + fs_read_cifs_symlinks(httpd_t) + ') + ++tunable_policy(`httpd_use_cifs',` ++ fs_manage_cifs_dirs(httpd_t) ++ fs_manage_cifs_files(httpd_t) ++ fs_manage_cifs_symlinks(httpd_t) ++') + -+files_search_etc(certmaster_t) -+files_list_var(certmaster_t) -+files_search_var_lib(certmaster_t) + tunable_policy(`httpd_ssi_exec',` + corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) + allow httpd_sys_script_t httpd_t:fd use; +@@ -451,6 +567,10 @@ + ') + + optional_policy(` ++ cvs_read_data(httpd_t) ++') + -+# read meminfo -+kernel_read_system_state(certmaster_t) ++optional_policy(` + cron_system_entry(httpd_t, httpd_exec_t) + ') + +@@ -459,8 +579,13 @@ + ') + + optional_policy(` +- kerberos_use(httpd_t) +- kerberos_read_kdc_config(httpd_t) ++ dbus_system_bus_client(httpd_t) ++ tunable_policy(`httpd_dbus_avahi',` ++ avahi_dbus_chat(httpd_t) ++ ') ++') ++optional_policy(` ++ kerberos_keytab_template(httpd, httpd_t) + ') + + optional_policy(` +@@ -468,22 +593,18 @@ + mailman_domtrans_cgi(httpd_t) + # should have separate types for public and private archives + mailman_search_data(httpd_t) ++ mailman_read_data_files(httpd_t) + mailman_read_archive(httpd_t) + ') + + optional_policy(` +- # Allow httpd to work with mysql + mysql_stream_connect(httpd_t) + mysql_rw_db_sockets(httpd_t) +- +- tunable_policy(`httpd_can_network_connect_db',` +- mysql_tcp_connect(httpd_t) +- ') ++ mysql_read_config(httpd_t) + ') + + optional_policy(` + nagios_read_config(httpd_t) +- nagios_domtrans_cgi(httpd_t) + ') + + optional_policy(` +@@ -493,6 +614,12 @@ + openca_kill(httpd_t) + ') + ++tunable_policy(`httpd_execmem',` ++ allow httpd_t self:process { execmem execstack }; ++ allow httpd_sys_script_t self:process { execmem execstack }; ++ allow httpd_suexec_t self:process { execmem execstack }; ++') + -+auth_use_nsswitch(certmaster_t) + optional_policy(` + # Allow httpd to work with postgresql + 
postgresql_stream_connect(httpd_t) +@@ -500,6 +627,7 @@ + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_t) ++ postgresql_tcp_connect(httpd_sys_script_t) + ') + ') + +@@ -508,6 +636,7 @@ + ') + + optional_policy(` ++ files_dontaudit_rw_usr_dirs(httpd_t) + snmp_dontaudit_read_snmp_var_lib_files(httpd_t) + snmp_dontaudit_write_snmp_var_lib_files(httpd_t) + ') +@@ -535,6 +664,22 @@ + + userdom_use_user_terminals(httpd_helper_t) + ++tunable_policy(`httpd_tty_comm',` ++ userdom_use_user_terminals(httpd_helper_t) ++') + -+miscfiles_read_localization(certmaster_t) ++optional_policy(` ++ type httpd_unconfined_script_t; ++ type httpd_unconfined_script_exec_t; ++ domain_type(httpd_unconfined_script_t) ++ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) ++ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) ++ unconfined_domain(httpd_unconfined_script_t) + -+miscfiles_manage_cert_dirs(certmaster_t) -+miscfiles_manage_cert_files(certmaster_t) ++ role system_r types httpd_unconfined_script_t; ++') + -+permissive certmaster_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.6.7/policy/modules/services/clamav.fc ---- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/clamav.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,20 +1,22 @@ - /etc/clamav(/.*)? 
gen_context(system_u:object_r:clamd_etc_t,s0) -+/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) ++ + ######################################## + # + # Apache PHP script local policy +@@ -564,20 +709,25 @@ - /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) - /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) - /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) + fs_search_auto_mountpoints(httpd_php_t) - /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) -+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) ++auth_use_nsswitch(httpd_php_t) ++ + libs_exec_lib_files(httpd_php_t) - /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) --/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) --/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) --/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) -+/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) -+/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) + userdom_use_unpriv_users_fds(httpd_php_t) - /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) -+/var/clamav(/.*)? 
gen_context(system_u:object_r:clamd_var_lib_t,s0) +-optional_policy(` +- mysql_stream_connect(httpd_php_t) ++tunable_policy(`httpd_can_network_connect_db',` ++ corenet_tcp_connect_mysqld_port(httpd_t) ++ corenet_sendrecv_mysqld_client_packets(httpd_t) ++ corenet_tcp_connect_mysqld_port(httpd_sys_script_t) ++ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_mysqld_port(httpd_suexec_t) ++ corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) + ') --/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) --/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) -+/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) - /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) -+/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) +-optional_policy(` +- nis_use_ypbind(httpd_php_t) +-') - /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.6.7/policy/modules/services/clamav.if ---- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/clamav.if 2009-03-03 17:11:59.000000000 -0500 -@@ -38,6 +38,27 @@ + optional_policy(` +- postgresql_stream_connect(httpd_php_t) ++ mysql_stream_connect(httpd_php_t) ++ mysql_read_config(httpd_php_t) + ') ######################################## - ## -+## Allow the specified domain to append -+## to clamav log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`clamav_append_log',` -+ gen_require(` -+ type clamav_log_t; -+ ') -+ -+ logging_search_logs($1) -+ allow $1 clamav_log_t:dir list_dir_perms; -+ append_files_pattern($1, clamav_log_t, clamav_log_t) -+') -+ -+######################################## -+## - ## Read clamav configuration files. 
- ## - ## -@@ -91,3 +112,87 @@ +@@ -595,23 +745,24 @@ + append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) + read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) - domtrans_pattern($1, clamscan_exec_t, clamscan_t) - ') -+ -+######################################## -+## -+## Execute clamscan without a transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`clamav_exec_clamscan',` -+ gen_require(` -+ type clamscan_exec_t; -+ ') -+ -+ can_exec($1, clamscan_exec_t) -+ -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an clamav environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the clamav domain. -+## -+## -+## -+# -+interface(`clamav_admin',` -+ gen_require(` -+ type clamd_t, clamd_etc_t, clamd_tmp_t; -+ type clamd_var_log_t, clamd_var_lib_t; -+ type clamd_var_run_t; -+ -+ type clamscan_t, clamscan_tmp_t; -+ -+ type freshclam_t, freshclam_var_log_t; -+ -+ type clamd_initrc_exec_t; -+ ') -+ -+ allow $1 clamd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, clamd_t) -+ -+ allow $1 clamscan_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, clamscan_t) -+ -+ allow $1 freshclam_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, freshclam_t) -+ -+ init_labeled_script_domtrans($1, clamd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 clamd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, clamd_tmp_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, clamd_etc_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, clamd_var_log_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, clamd_var_lib_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, clamd_var_run_t) -+ -+ admin_pattern($1, clamscan_tmp_t) -+ -+ admin_pattern($1, freshclam_var_log_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.7/policy/modules/services/clamav.te ---- nsaserefpolicy/policy/modules/services/clamav.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/clamav.te 2009-03-03 17:11:59.000000000 -0500 -@@ -13,7 +13,10 @@ +-allow httpd_suexec_t httpd_t:fifo_file getattr; ++allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; - # configuration files - type clamd_etc_t; --files_type(clamd_etc_t) -+files_config_file(clamd_etc_t) -+ -+type clamd_initrc_exec_t; -+init_script_file(clamd_initrc_exec_t) + manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) + manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) + files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) - # tmp files - type clamd_tmp_t; -@@ -87,6 +90,9 @@ - kernel_dontaudit_list_proc(clamd_t) - kernel_read_sysctl(clamd_t) - kernel_read_kernel_sysctls(clamd_t) -+kernel_read_system_state(clamd_t) ++can_exec(httpd_suexec_t, httpd_sys_script_exec_t) + -+corecmd_exec_shell(clamd_t) + kernel_read_kernel_sysctls(httpd_suexec_t) + kernel_list_proc(httpd_suexec_t) + kernel_read_proc_symlinks(httpd_suexec_t) - corenet_all_recvfrom_unlabeled(clamd_t) - corenet_all_recvfrom_netlabel(clamd_t) -@@ -97,6 +103,8 @@ - corenet_tcp_bind_generic_node(clamd_t) - corenet_tcp_bind_clamd_port(clamd_t) - corenet_sendrecv_clamd_server_packets(clamd_t) -+corenet_tcp_bind_generic_port(clamd_t) -+corenet_tcp_connect_generic_port(clamd_t) + dev_read_urand(httpd_suexec_t) - dev_read_rand(clamd_t) - dev_read_urand(clamd_t) -@@ -117,6 +125,9 @@ - cron_use_system_job_fds(clamd_t) - cron_rw_pipes(clamd_t) ++fs_read_iso9660_files(httpd_suexec_t) + fs_search_auto_mountpoints(httpd_suexec_t) -+mta_read_config(clamd_t) -+mta_send_mail(clamd_t) +-# for shell scripts +-corecmd_exec_bin(httpd_suexec_t) +-corecmd_exec_shell(httpd_suexec_t) ++application_exec_all(httpd_suexec_t) + + 
files_read_etc_files(httpd_suexec_t) + files_read_usr_files(httpd_suexec_t) +@@ -624,6 +775,7 @@ + logging_send_syslog_msg(httpd_suexec_t) + + miscfiles_read_localization(httpd_suexec_t) ++miscfiles_read_public_files(httpd_suexec_t) + + tunable_policy(`httpd_can_network_connect',` + allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; +@@ -641,12 +793,20 @@ + corenet_sendrecv_all_client_packets(httpd_suexec_t) + ') + ++read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) ++read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t) ++read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t) + - optional_policy(` - amavis_read_lib_files(clamd_t) - amavis_read_spool_files(clamd_t) -@@ -124,6 +135,10 @@ - amavis_create_pid_files(clamd_t) ++domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) + tunable_policy(`httpd_enable_cgi && httpd_unified',` ++ allow httpd_sys_script_t httpdcontent:file entrypoint; + domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ++ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ++ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ++ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + ') +- +-tunable_policy(`httpd_enable_homedirs',` +- userdom_read_user_home_content_files(httpd_suexec_t) ++tunable_policy(`httpd_enable_cgi',` ++ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t) + ') + + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -672,15 +832,14 @@ + dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') -+optional_policy(` -+ exim_read_spool_files(clamd_t) -+') -+ +-optional_policy(` +- nagios_domtrans_cgi(httpd_suexec_t) +-') +- ######################################## # - # Freshclam local policy -@@ -191,7 +206,7 @@ - allow clamscan_t self:fifo_file rw_file_perms; - allow clamscan_t self:unix_stream_socket 
create_stream_socket_perms; - allow clamscan_t self:unix_dgram_socket create_socket_perms; --allow clamscan_t self:tcp_socket { listen accept }; -+allow clamscan_t self:tcp_socket create_stream_socket_perms; - - # configuration files - allow clamscan_t clamd_etc_t:dir list_dir_perms; -@@ -207,6 +222,14 @@ - manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) - allow clamscan_t clamd_var_lib_t:dir list_dir_perms; + # Apache system script local policy + # -+corenet_all_recvfrom_unlabeled(clamscan_t) -+corenet_all_recvfrom_netlabel(clamscan_t) -+corenet_tcp_sendrecv_generic_if(clamscan_t) -+corenet_tcp_sendrecv_generic_node(clamscan_t) -+corenet_tcp_sendrecv_all_ports(clamscan_t) -+corenet_tcp_sendrecv_clamd_port(clamscan_t) -+corenet_tcp_connect_clamd_port(clamscan_t) ++auth_use_nsswitch(httpd_sys_script_t) + - kernel_read_kernel_sysctls(clamscan_t) - - files_read_etc_files(clamscan_t) -@@ -221,6 +244,12 @@ ++allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; + allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - clamav_stream_connect(clamscan_t) + dontaudit httpd_sys_script_t httpd_config_t:dir search; +@@ -699,12 +858,24 @@ + # Should we add a boolean? 
+ apache_domtrans_rotatelogs(httpd_sys_script_t) -+mta_send_mail(clamscan_t) ++sysnet_read_config(httpd_sys_script_t) + - optional_policy(` - apache_read_sys_content(clamscan_t) + ifdef(`distro_redhat',` + allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -+ -+optional_policy(` -+ mailscanner_manage_spool(clamscan_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.7/policy/modules/services/consolekit.fc ---- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/consolekit.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,3 +1,6 @@ - /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) - /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -+/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +-tunable_policy(`httpd_enable_homedirs',` +- userdom_read_user_home_content_files(httpd_sys_script_t) ++fs_read_iso9660_files(httpd_sys_script_t) + -+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.7/policy/modules/services/consolekit.if ---- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/consolekit.if 2009-03-03 17:11:59.000000000 -0500 -@@ -38,3 +38,24 @@ - allow $1 consolekit_t:dbus send_msg; - allow consolekit_t $1:dbus send_msg; - ') ++tunable_policy(`httpd_use_nfs',` ++ fs_manage_nfs_dirs(httpd_sys_script_t) ++ fs_manage_nfs_files(httpd_sys_script_t) ++ fs_manage_nfs_symlinks(httpd_sys_script_t) ++ fs_exec_nfs_files(httpd_sys_script_t) + -+######################################## -+## -+## Read consolekit log files. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`consolekit_read_log',` -+ gen_require(` -+ type consolekit_log_t; -+ ') ++ fs_manage_nfs_dirs(httpd_suexec_t) ++ fs_manage_nfs_files(httpd_suexec_t) ++ fs_manage_nfs_symlinks(httpd_suexec_t) ++ fs_exec_nfs_files(httpd_suexec_t) + ') + + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -712,6 +883,35 @@ + fs_read_nfs_symlinks(httpd_sys_script_t) + ') + ++tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ++ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; ++ allow httpd_sys_script_t self:udp_socket create_socket_perms; + -+ files_search_pids($1) -+ read_files_pattern($1, consolekit_log_t, consolekit_log_t) ++ corenet_tcp_bind_generic_node(httpd_sys_script_t) ++ corenet_udp_bind_generic_node(httpd_sys_script_t) ++ corenet_all_recvfrom_unlabeled(httpd_sys_script_t) ++ corenet_all_recvfrom_netlabel(httpd_sys_script_t) ++ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t) ++ corenet_udp_sendrecv_generic_if(httpd_sys_script_t) ++ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t) ++ corenet_udp_sendrecv_generic_node(httpd_sys_script_t) ++ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) ++ corenet_udp_sendrecv_all_ports(httpd_sys_script_t) ++ corenet_tcp_connect_all_ports(httpd_sys_script_t) ++ corenet_sendrecv_all_client_packets(httpd_sys_script_t) +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.7/policy/modules/services/consolekit.te ---- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/consolekit.te 2009-03-03 17:11:59.000000000 -0500 -@@ -13,6 +13,9 @@ - type consolekit_var_run_t; - files_pid_file(consolekit_var_run_t) - -+type consolekit_log_t; -+files_pid_file(consolekit_log_t) ++tunable_policy(`httpd_use_cifs',` ++ fs_manage_cifs_dirs(httpd_sys_script_t) ++ 
fs_manage_cifs_files(httpd_sys_script_t) ++ fs_manage_cifs_symlinks(httpd_sys_script_t) ++ fs_manage_cifs_dirs(httpd_suexec_t) ++ fs_manage_cifs_files(httpd_suexec_t) ++ fs_manage_cifs_symlinks(httpd_suexec_t) ++ fs_exec_cifs_files(httpd_suexec_t) ++') + - ######################################## + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) +@@ -724,6 +924,10 @@ + optional_policy(` + mysql_stream_connect(httpd_sys_script_t) + mysql_rw_db_sockets(httpd_sys_script_t) ++ mysql_read_config(httpd_sys_script_t) ++ mysql_stream_connect(httpd_suexec_t) ++ mysql_rw_db_sockets(httpd_suexec_t) ++ mysql_read_config(httpd_suexec_t) + ') + + optional_policy(` +@@ -735,6 +939,8 @@ + # httpd_rotatelogs local policy # - # consolekit local policy -@@ -24,20 +27,27 @@ - allow consolekit_t self:unix_stream_socket create_stream_socket_perms; - allow consolekit_t self:unix_dgram_socket create_socket_perms; -+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) -+logging_log_filetrans(consolekit_t, consolekit_log_t, file) ++allow httpd_rotatelogs_t self:capability dac_override; + -+manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) - manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) --files_pid_filetrans(consolekit_t, consolekit_var_run_t, file) -+files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir }) - - kernel_read_system_state(consolekit_t) + manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) - corecmd_exec_bin(consolekit_t) -+corecmd_exec_shell(consolekit_t) + kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -754,6 +960,12 @@ - dev_read_urand(consolekit_t) - dev_read_sysfs(consolekit_t) + tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_user_script_t httpdcontent:file entrypoint; ++ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, 
httpd_user_content_t) ++ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) ++ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t) ++ manage_files_pattern(httpd_user_script_t, httpd_user_content_ra_t, httpd_user_content_ra_t) ++ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t) ++ manage_files_pattern(httpd_user_script_t, httpd_user_content_rw_t, httpd_user_content_rw_t) + ') - domain_read_all_domains_state(consolekit_t) - domain_use_interactive_fds(consolekit_t) -+domain_dontaudit_ptrace_all_domains(consolekit_t) + # allow accessing files/dirs below the users home dir +@@ -762,3 +974,66 @@ + userdom_search_user_home_dirs(httpd_suexec_t) + userdom_search_user_home_dirs(httpd_user_script_t) + ') ++ ++#============= bugzilla policy ============== ++apache_content_template(bugzilla) ++ ++type httpd_bugzilla_tmp_t; ++files_tmp_file(httpd_bugzilla_tmp_t) ++ ++allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; ++allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; ++allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; ++ ++corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) ++corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) ++corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) ++corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t) ++corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) ++corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t) ++corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t) ++corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t) ++corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t) ++corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t) ++corenet_tcp_connect_http_port(httpd_bugzilla_script_t) ++corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) ++corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) 
++corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) ++ ++manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) ++manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) ++files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir }) ++ ++files_search_var_lib(httpd_bugzilla_script_t) ++ ++mta_send_mail(httpd_bugzilla_script_t) ++ ++sysnet_read_config(httpd_bugzilla_script_t) ++sysnet_use_ldap(httpd_bugzilla_script_t) ++ ++optional_policy(` ++ mysql_search_db(httpd_bugzilla_script_t) ++ mysql_stream_connect(httpd_bugzilla_script_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(httpd_bugzilla_script_t) ++') ++ ++manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) ++manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) ++manage_lnk_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) ++ ++manage_dirs_pattern(httpd_t,httpdcontent,httpd_rw_content) ++manage_files_pattern(httpd_t,httpdcontent,httpd_rw_content) ++manage_lnk_files_pattern(httpd_t,httpdcontent,httpd_rw_content) ++ ++# Removal of fastcgi, will cause problems without the following ++typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; ++typealias httpd_sys_content_t alias httpd_fastcgi_content_t; ++typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; ++typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; ++typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; ++typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; ++typealias httpd_sys_script_t alias httpd_fastcgi_script_t; ++typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.6.8/policy/modules/services/apcupsd.fc +--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-10-08 19:00:27.000000000 -0400 ++++ 
serefpolicy-3.6.8/policy/modules/services/apcupsd.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -5,6 +5,7 @@ + ') - files_read_etc_files(consolekit_t) -+files_read_usr_files(consolekit_t) - # needs to read /var/lib/dbus/machine-id - files_read_var_lib_files(consolekit_t) + /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) ++/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) -@@ -47,13 +57,35 @@ + /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) + /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.8/policy/modules/services/automount.te +--- nsaserefpolicy/policy/modules/services/automount.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/automount.te 2009-03-05 15:25:24.000000000 -0500 +@@ -71,6 +71,7 @@ + files_mounton_all_mountpoints(automount_t) + files_mount_all_file_type_fs(automount_t) + files_unmount_all_file_type_fs(automount_t) ++files_manage_non_security_dirs(automount_t) - auth_use_nsswitch(consolekit_t) + fs_mount_all_fs(automount_t) + fs_unmount_all_fs(automount_t) +@@ -100,6 +101,7 @@ + corenet_udp_bind_all_rpc_ports(automount_t) -+init_telinit(consolekit_t) -+init_rw_utmp(consolekit_t) -+init_chat(consolekit_t) -+ -+logging_send_syslog_msg(consolekit_t) -+ - miscfiles_read_localization(consolekit_t) + dev_read_sysfs(automount_t) ++dev_rw_autofs(automount_t) + # for SSP + dev_read_rand(automount_t) + dev_read_urand(automount_t) +@@ -127,6 +129,7 @@ + fs_unmount_autofs(automount_t) + fs_mount_autofs(automount_t) + fs_manage_autofs_symlinks(automount_t) ++fs_read_nfs_files(automount_t) -+# consolekit needs to be able to ptrace all logged in users -+userdom_ptrace_all_users(consolekit_t) -+userdom_dontaudit_read_user_home_content_files(consolekit_t) -+userdom_read_user_tmp_files(consolekit_t) -+ 
-+hal_ptrace(consolekit_t) -+mcs_ptrace_all(consolekit_t) -+ - optional_policy(` -- dbus_system_bus_client(consolekit_t) -- dbus_connect_system_bus(consolekit_t) -+ cron_read_system_job_lib_files(consolekit_t) -+') + storage_rw_fuse(automount_t) -+optional_policy(` -+ dbus_system_domain(consolekit_t, consolekit_exec_t) -+ optional_policy(` - hal_dbus_chat(consolekit_t) -+ ') -+ -+ optional_policy(` -+ rpm_dbus_chat(consolekit_t) -+ ') +@@ -142,6 +145,7 @@ - optional_policy(` - unconfined_dbus_chat(consolekit_t) -@@ -61,6 +93,31 @@ + # Run mount in the mount_t domain. + mount_domtrans(automount_t) ++mount_signal(automount_t) + + userdom_dontaudit_use_unpriv_user_fds(automount_t) + userdom_dontaudit_search_user_home_dirs(automount_t) +@@ -155,7 +159,7 @@ ') optional_policy(` -+ polkit_domtrans_auth(consolekit_t) -+ polkit_read_lib(consolekit_t) -+ polkit_read_reload(consolekit_t) -+') -+ -+optional_policy(` - xserver_read_user_xauth(consolekit_t) - xserver_stream_connect(consolekit_t) -+ xserver_ptrace_xdm(consolekit_t) -+ xserver_common_app(consolekit_t) -+') -+ -+optional_policy(` -+ #reading .Xauthity -+ unconfined_ptrace(consolekit_t) -+ unconfined_stream_connect(consolekit_t) -+') -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_list_nfs(consolekit_t) -+ fs_dontaudit_rw_nfs_files(consolekit_t) +- kerberos_read_keytab(automount_t) ++ kerberos_keytab_template(automount, automount_t) + kerberos_read_config(automount_t) + kerberos_dontaudit_write_config(automount_t) ') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_list_cifs(consolekit_t) -+ fs_dontaudit_rw_cifs_files(consolekit_t) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.7/policy/modules/services/courier.if ---- nsaserefpolicy/policy/modules/services/courier.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/courier.if 2009-03-03 17:11:59.000000000 -0500 -@@ -179,6 
+179,24 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.6.8/policy/modules/services/avahi.if +--- nsaserefpolicy/policy/modules/services/avahi.if 2008-11-19 11:51:44.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/avahi.if 2009-03-05 15:25:24.000000000 -0500 +@@ -21,6 +21,25 @@ ######################################## ## -+## Read courier spool files. ++## Execute avahi server in the avahi domain. +## -+## ++## +## -+## Domain allowed access. ++## The type of the process performing this action. +## +## +# -+interface(`courier_read_spool',` ++# ++interface(`avahi_initrc_domtrans',` + gen_require(` -+ type courier_spool_t; ++ type avahi_initrc_exec_t; + ') + -+ read_files_pattern($1, courier_spool_t, courier_spool_t) ++ init_labeled_script_domtrans($1, avahi_initrc_exec_t) +') + +######################################## +## - ## Read and write to courier spool pipes. + ## Send avahi a signal ## ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.7/policy/modules/services/courier.te ---- nsaserefpolicy/policy/modules/services/courier.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/courier.te 2009-03-03 17:11:59.000000000 -0500 -@@ -10,6 +10,7 @@ - - type courier_etc_t; - files_config_file(courier_etc_t) -+mta_system_content(courier_etc_t) - - courier_domain_template(pcp) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.7/policy/modules/services/cron.fc ---- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/cron.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,3 +1,4 @@ -+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) - - /etc/cron\.d(/.*)? 
gen_context(system_u:object_r:system_cron_spool_t,s0) - /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) -@@ -17,9 +18,9 @@ - /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) - /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) - --/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0) --/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0) --/var/spool/at/[^/]* -- <> -+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) -+ -+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) - - /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) - #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -@@ -41,7 +42,11 @@ - #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) +@@ -57,6 +76,24 @@ - /var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) --/var/spool/fcron/[^/]* <> -+/var/spool/fcron/.* <> - /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) - /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) -+ -+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) -+ -+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.7/policy/modules/services/cron.if ---- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/cron.if 2009-03-03 17:11:59.000000000 -0500 -@@ -12,6 +12,10 @@ - ## - # - template(`cron_common_crontab_template',` + ######################################## + ## ++## Send avahi a signull ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`avahi_signull',` + gen_require(` -+ type crond_t, crond_var_run_t; ++ type avahi_t; + ') + - ############################## - # - # Declarations -@@ -31,16 +35,21 @@ - - # dac_override is to create the file in the directory under /tmp - allow $1_t self:capability { fowner setuid setgid chown dac_override }; -- allow $1_t self:process signal_perms; -+ allow $1_t self:process { setsched signal_perms }; -+ allow $1_t self:fifo_file rw_fifo_file_perms; ++ allow $1 avahi_t:process signull; ++') + -+ allow $1_t crond_t:process signal; -+ allow $1_t crond_var_run_t:file read_file_perms; - - allow $1_t $1_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_t,$1_tmp_t,file) - - # create files in /var/spool/cron - # cjp: change this to a role transition -+ manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t) - manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t) - filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) -- files_search_spool($1_t) -+ files_list_spool($1_t) ++######################################## ++## + ## Send and receive messages from + ## avahi over dbus. 
+ ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.8/policy/modules/services/avahi.te +--- nsaserefpolicy/policy/modules/services/avahi.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/avahi.te 2009-03-05 15:25:24.000000000 -0500 +@@ -33,6 +33,7 @@ + allow avahi_t self:tcp_socket create_stream_socket_perms; + allow avahi_t self:udp_socket create_socket_perms; - # crontab signals crond by updating the mtime on the spooldir - allow $1_t cron_spool_t:dir setattr; -@@ -55,9 +64,16 @@ - domain_use_interactive_fds($1_t) ++files_search_var_lib(avahi_t) + manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) + manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) + files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) +@@ -93,6 +94,7 @@ + dbus_connect_system_bus(avahi_t) - files_read_etc_files($1_t) -+ files_read_usr_files($1_t) - files_dontaudit_search_pids($1_t) + init_dbus_chat_script(avahi_t) ++ dbus_system_domain(avahi_t, avahi_exec_t) + ') - logging_send_syslog_msg($1_t) -+ logging_send_audit_msgs($1_t) -+ logging_set_loginuid($1_t) -+ auth_domtrans_chk_passwd($1_t) + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.8/policy/modules/services/bind.fc +--- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/bind.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,17 +1,22 @@ + /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) + -+ init_dontaudit_write_utmp($1_t) -+ init_read_utmp($1_t) - - miscfiles_read_localization($1_t) - -@@ -147,26 +163,26 @@ - # - interface(`cron_unconfined_role',` - gen_require(` -- type unconfined_cronjob_t, crontab_t, 
crontab_tmp_t, crontab_exec_t; -+ type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t; - ') - -- role $1 types { unconfined_cronjob_t crontab_t }; -+ role $1 types { unconfined_cronjob_t admin_crontab_t }; - - # cronjob shows up in user ps - ps_process_pattern($2, unconfined_cronjob_t) - - # Transition from the user domain to the derived domain. -- domtrans_pattern($2, crontab_exec_t, crontab_t) -+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t) + /etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) + /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) ++/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) - # crontab shows up in user ps -- ps_process_pattern($2, crontab_t) -- allow $2 crontab_t:process signal; -+ ps_process_pattern($2, admin_crontab_t) -+ allow $2 admin_crontab_t:process signal; + /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) + /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) + /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) + /usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) ++/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) - # Run helper programs as the user domain -- #corecmd_bin_domtrans(crontab_t, $2) -- #corecmd_shell_domtrans(crontab_t, $2) -- corecmd_exec_bin(crontab_t) -- corecmd_exec_shell(crontab_t) -+ #corecmd_bin_domtrans(admin_crontab_t, $2) -+ #corecmd_shell_domtrans(admin_crontab_t, $2) -+ corecmd_exec_bin(admin_crontab_t) -+ corecmd_exec_shell(admin_crontab_t) + /var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) - optional_policy(` - gen_require(` -@@ -261,6 +277,7 @@ - allow $1 system_cronjob_t:fifo_file rw_file_perms; - allow $1 system_cronjob_t:process sigchld; + /var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) + /var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) + /var/run/named(/.*)? 
gen_context(system_u:object_r:named_var_run_t,s0) ++/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) -+ domain_auto_trans(crond_t, $2, $1) - allow $1 crond_t:fifo_file rw_file_perms; - allow $1 crond_t:fd use; - allow $1 crond_t:process sigchld; -@@ -343,6 +360,24 @@ + ifdef(`distro_debian',` + /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +@@ -40,7 +45,6 @@ + /var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) + /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) + /var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) +-/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0) + /var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) + /var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) + /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.8/policy/modules/services/bind.if +--- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/bind.if 2009-03-05 15:25:24.000000000 -0500 +@@ -38,6 +38,42 @@ ######################################## ## -+## Allow read/write unix stream sockets from the system cron jobs. ++## Send signulls to BIND. +## +## +## 
@@ -10932,42 +8599,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`cron_rw_system_stream_sockets',` ++interface(`bind_signull',` + gen_require(` -+ type system_cronjob_t; ++ type named_t; + ') + -+ allow $1 system_cronjob_t:unix_stream_socket { read write }; ++ allow $1 named_t:process signull; +') + +######################################## +## - ## Read and write a cron daemon unnamed pipe. - ## - ## -@@ -361,7 +396,7 @@ - - ######################################## - ## --## Read, and write cron daemon TCP sockets. -+## Dontaudit Read, and write cron daemon TCP sockets. - ## - ## - ## -@@ -369,7 +404,7 @@ - ## - ## - # --interface(`cron_rw_tcp_sockets',` -+interface(`cron_dontaudit_rw_tcp_sockets',` - gen_require(` - type crond_t; - ') -@@ -416,6 +451,42 @@ - - ######################################## - ## -+## Execute cron in the cron system domain. ++## Send BIND the kill signal +## +## +## 
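Review bot: The doc blocks for the new `bind_signull` and `bind_kill` interfaces show only bare `##` lines in this hunk, with no `<summary>` or `<param name="domain">` tags visible; if the tags are genuinely absent in the file rather than stripped by this rendering, the refpolicy interface-doc generator will publish both interfaces without a summary or a parameter description, so the doc block should read `## <summary>`, `## Send a null signal to BIND.`, `## </summary>` followed by the usual `## <param name="domain">` block. The one summary line that is visible on the new side, `Send BIND the kill signal`, also lacks the trailing period and the "to BIND" phrasing of its sibling summary; suggest `## Send a kill signal to BIND.` for consistency. The `bind_kill` definition that opens at the end of this hunk continues in the next hunk, so its `allow` rule is not reviewable here.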
@@ -10975,599 +8617,435 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`cron_domtrans',` ++interface(`bind_kill',` + gen_require(` -+ type system_cronjob_t, crond_exec_t; ++ type named_t; + ') + -+ domtrans_pattern($1,crond_exec_t,system_cronjob_t) ++ allow $1 named_t:process sigkill; +') + +######################################## +## -+## Execute crond_exec_t + ## Execute ndc in the ndc domain, and + ## allow the specified role the ndc domain. + ## +@@ -251,6 +287,25 @@ + + ######################################## + ## ++## Execute bind server in the bind domain. +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. +## +## +# -+interface(`cron_exec',` ++# ++interface(`bind_initrc_domtrans',` + gen_require(` -+ type crond_exec_t; ++ type bind_initrc_exec_t; + ') + -+ can_exec($1,crond_exec_t) ++ init_labeled_script_domtrans($1, bind_initrc_exec_t) +') + +######################################## +## - ## Inherit and use a file descriptor - ## from system cron jobs. 
+ ## All of the rules required to administrate + ## an bind environment ## -@@ -481,11 +552,14 @@ - # - interface(`cron_read_system_job_tmp_files',` +@@ -269,7 +324,7 @@ + interface(`bind_admin',` gen_require(` -- type system_cronjob_tmp_t; -+ type system_cronjob_tmp_t, cron_var_run_t; - ') + type named_t, named_tmp_t, named_log_t; +- type named_conf_t, named_var_run_t; ++ type named_conf_t, named_var_lib_t, named_var_run_t; + type named_cache_t, named_zone_t; + type dnssec_t, ndc_t; + type named_initrc_exec_t; +@@ -283,6 +338,7 @@ - files_search_tmp($1) - allow $1 system_cronjob_tmp_t:file read_file_perms; + bind_run_ndc($1, $2) + ++ bind_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 named_initrc_exec_t system_r; + allow $2 system_r; +@@ -300,6 +356,9 @@ + admin_pattern($1, named_zone_t) + admin_pattern($1, dnssec_t) + ++ files_list_var_lib($1) ++ admin_pattern($1, named_var_lib_t) + -+ files_search_pids($1) -+ allow $1 cron_var_run_t:file read_file_perms; + files_list_pids($1) + admin_pattern($1, named_var_run_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.6.8/policy/modules/services/bind.te +--- nsaserefpolicy/policy/modules/services/bind.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/bind.te 2009-03-05 15:25:24.000000000 -0500 +@@ -169,7 +169,7 @@ ') - ######################################## -@@ -506,3 +580,101 @@ + optional_policy(` +- kerberos_use(named_t) ++ kerberos_keytab_template(named, named_t) + ') - dontaudit $1 system_cronjob_tmp_t:file append; + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.6.8/policy/modules/services/bluetooth.fc +--- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-11-19 11:51:44.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/bluetooth.fc 2009-03-05 
15:25:24.000000000 -0500 +@@ -15,6 +15,7 @@ + /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + ++/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + /usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + /usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.6.8/policy/modules/services/bluetooth.if +--- nsaserefpolicy/policy/modules/services/bluetooth.if 2008-11-19 11:51:44.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/bluetooth.if 2009-03-05 15:25:24.000000000 -0500 +@@ -173,7 +173,7 @@ + interface(`bluetooth_admin',` + gen_require(` + type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; +- type bluetooth_var_lib_t, bluetooth_var_run_t; ++ type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t; + type bluetooth_conf_t, bluetooth_conf_rw_t; + type bluetooth_initrc_exec_t; + ') +@@ -196,6 +196,9 @@ + admin_pattern($1, bluetooth_conf_t) + admin_pattern($1, bluetooth_conf_rw_t) + ++ files_list_spool($1) ++ admin_pattern($1, bluetooth_spool_t) ++ + files_list_var_lib($1) + admin_pattern($1, bluetooth_var_lib_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.8/policy/modules/services/bluetooth.te +--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/bluetooth.te 2009-03-05 15:25:24.000000000 -0500 +@@ -93,6 +93,7 @@ + + kernel_read_kernel_sysctls(bluetooth_t) + kernel_read_system_state(bluetooth_t) ++kernel_read_network_state(bluetooth_t) + + corenet_all_recvfrom_unlabeled(bluetooth_t) + 
corenet_all_recvfrom_netlabel(bluetooth_t) +@@ -147,10 +148,10 @@ + optional_policy(` + cups_dbus_chat(bluetooth_t) + ') +-') + + optional_policy(` +- nis_use_ypbind(bluetooth_t) ++ hal_dbus_chat(bluetooth_t) ++ ') ') + + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.8/policy/modules/services/certmaster.fc +--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/certmaster.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,9 @@ ++ ++/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) ++/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) ++ ++/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) + ++/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) ++ ++/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.6.8/policy/modules/services/certmaster.if +--- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/certmaster.if 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,123 @@ ++## policy for certmaster + +######################################## +## -+## Do not audit attempts to write temporary -+## files from the system cron jobs. ++## Execute a domain transition to run certmaster. +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain allowed to transition. 
++## +## +# -+interface(`cron_dontaudit_write_system_job_tmp_files',` ++interface(`certmaster_domtrans',` + gen_require(` -+ type system_cronjob_tmp_t; -+ type cron_var_run_t; -+ type system_cronjob_var_run_t; ++ type certmaster_t, certmaster_exec_t; + ') + -+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms; -+ dontaudit $1 cron_var_run_t:file write_file_perms; -+ ') ++ domtrans_pattern($1,certmaster_exec_t,certmaster_t) ++') + -+######################################## ++####################################### +## -+## Read temporary files from the system cron jobs. ++## read certmaster logs. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`cron_read_system_job_lib_files',` -+ gen_require(` -+ type system_cronjob_var_lib_t; -+ ') -+ ++interface(`certmaster_read_log',` ++ gen_require(` ++ type certmaster_var_log_t; ++ ') + -+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) +') + -+######################################## ++####################################### +## -+## Manage files from the system cron jobs. ++## Append to certmaster logs. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`cron_manage_system_job_lib_files',` -+ gen_require(` -+ type system_cronjob_var_lib_t; -+ ') -+ ++interface(`certmaster_append_log',` ++ gen_require(` ++ type certmaster_var_log_t; ++ ') + -+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) +') + -+######################################## ++####################################### +## -+## Manage pid files used by cron ++## Create, read, write, and delete ++## certmaster logs. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`cron_manage_pid_files',` -+ gen_require(` -+ type crond_var_run_t; -+ ') ++interface(`certmaster_manage_log',` ++ gen_require(` ++ type certmaster_var_log_t; ++ ') + -+ manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ++ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) +') + +######################################## +## -+## Execute crond server in the nscd domain. ++## All of the rules required to administrate ++## an snort environment +## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## +## ++## +# -+interface(`cron_initrc_domtrans',` -+ gen_require(` -+ type crond_initrc_exec_t; -+') ++interface(`certmaster_admin',` ++ gen_require(` ++ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; ++ type certmaster_etc_rw_t, certmaster_var_log_t; ++ type certmaster_initrc_exec_t; ++ ') + -+ init_labeled_script_domtrans($1, crond_initrc_exec_t) -+') ++ allow $1 certmaster_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, certmaster_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.7/policy/modules/services/cron.te ---- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/cron.te 2009-03-03 17:11:59.000000000 -0500 -@@ -38,6 +38,10 @@ - type cron_var_lib_t; - files_type(cron_var_lib_t) - -+# var/lib files -+type cron_var_run_t; -+files_type(cron_var_run_t) ++ init_labeled_script_domtrans($1, certmaster_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 certmaster_initrc_exec_t system_r; ++ allow $2 system_r; + - # var/log files - type cron_log_t; - logging_log_file(cron_log_t) -@@ -56,8 +60,13 @@ - 
domain_interactive_fd(crond_t) - domain_cron_exemption_source(crond_t) - -+type crond_initrc_exec_t; -+init_script_file(crond_initrc_exec_t) ++ files_list_etc($1) ++ miscfiles_manage_cert_dirs($1) ++ miscfiles_manage_cert_files($1) + - type crond_tmp_t; - files_tmp_file(crond_tmp_t) -+files_poly_parent(crond_tmp_t) -+mta_system_content(crond_tmp_t) - - type crond_var_run_t; - files_pid_file(crond_var_run_t) -@@ -70,10 +79,11 @@ - typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; - - cron_common_crontab_template(crontab) --typealias crontab_t alias { user_crontab_t staff_crontab_t }; -+typealias crontab_t alias { user_crontab_t staff_crontab_t unconfined_crontab_t }; - typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; - typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; - typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; -+allow admin_crontab_t crond_t:process signal; - - type system_cron_spool_t, cron_spool_type; - files_type(system_cron_spool_t) -@@ -103,6 +113,13 @@ - files_type(user_cron_spool_t) - ubac_constrained(user_cron_spool_t) - -+type system_cronjob_var_lib_t; -+files_type(system_cronjob_var_lib_t) -+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; ++ admin_pattern($1, certmaster_etc_rw_t) + -+type system_cronjob_var_run_t; -+files_pid_file(system_cronjob_var_run_t) ++ files_list_pids($1) ++ admin_pattern($1, certmaster_var_run_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, certmaster_var_log_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, certmaster_var_lib_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.8/policy/modules/services/certmaster.te +--- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/certmaster.te 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,79 @@ 
++policy_module(certmaster,1.0.0) + - ######################################## - # - # Admin crontab local policy -@@ -130,7 +147,7 @@ - # Cron daemon local policy - # - --allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control }; -+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; - dontaudit crond_t self:capability { sys_resource sys_tty_config }; - allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow crond_t self:process { setexec setfscreate }; -@@ -146,22 +163,23 @@ - allow crond_t self:msg { send receive }; - allow crond_t self:key { search write link }; - --allow crond_t crond_var_run_t:file manage_file_perms; -+manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) - files_pid_filetrans(crond_t,crond_var_run_t,file) - --allow crond_t cron_spool_t:dir rw_dir_perms; --allow crond_t cron_spool_t:file read_file_perms; -+manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) - - manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) - manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) - files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) - --allow crond_t system_cron_spool_t:dir list_dir_perms; --allow crond_t system_cron_spool_t:file read_file_perms; -+list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) -+read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) - - kernel_read_kernel_sysctls(crond_t) -+kernel_read_fs_sysctls(crond_t) - kernel_search_key(crond_t) - -+dev_read_kmsg(crond_t) - dev_read_sysfs(crond_t) - selinux_get_fs_mount(crond_t) - selinux_validate_context(crond_t) -@@ -174,6 +192,7 @@ - - fs_getattr_all_fs(crond_t) - fs_search_auto_mountpoints(crond_t) -+fs_list_inotifyfs(crond_t) - - # need auth_chkpwd to check for locked accounts. 
- auth_domtrans_chk_passwd(crond_t) -@@ -183,7 +202,11 @@ - corecmd_read_bin_symlinks(crond_t) - - domain_use_interactive_fds(crond_t) -+domain_subj_id_change_exemption(crond_t) -+domain_role_change_exemption(crond_t) - -+files_read_usr_files(crond_t) -+files_read_etc_runtime_files(crond_t) - files_read_etc_files(crond_t) - files_read_generic_spool(crond_t) - files_list_usr(crond_t) -@@ -192,10 +215,15 @@ - files_search_default(crond_t) - - init_rw_utmp(crond_t) -+init_spec_domtrans_script(crond_t) - - auth_use_nsswitch(crond_t) - -+logging_send_audit_msgs(crond_t) - logging_send_syslog_msg(crond_t) -+logging_set_loginuid(crond_t) ++######################################## ++# ++# Declarations ++# + -+rpc_search_nfs_state_data(crond_t) - - seutil_read_config(crond_t) - seutil_read_default_contexts(crond_t) -@@ -208,6 +236,7 @@ - userdom_list_user_home_dirs(crond_t) - - mta_send_mail(crond_t) -+mta_system_content(cron_spool_t) - - ifdef(`distro_debian',` - # pam_limits is used -@@ -227,21 +256,43 @@ - ') - ') - -+tunable_policy(`allow_polyinstantiation',` -+ files_polyinstantiate_all(crond_t) -+') ++# type and domain for certmaster ++type certmaster_t; ++type certmaster_exec_t; ++init_daemon_domain(certmaster_t, certmaster_exec_t) + -+optional_policy(` -+ apache_search_sys_content(crond_t) -+') ++type certmaster_initrc_exec_t; ++init_script_file(certmaster_initrc_exec_t) ++ ++# var/lib files ++type certmaster_var_lib_t; ++files_type(certmaster_var_lib_t) ++ ++# config files ++type certmaster_etc_rw_t; ++files_config_file(certmaster_etc_rw_t) ++ ++# log files ++type certmaster_var_log_t; ++logging_log_file(certmaster_var_log_t) + - optional_policy(` - locallogin_search_keys(crond_t) - locallogin_link_keys(crond_t) - ') - -+optional_policy(` -+ # these should probably be unconfined_crond_t -+ init_dbus_send_script(crond_t) -+') ++# pid files ++type certmaster_var_run_t; ++files_pid_file(certmaster_var_run_t) + -+optional_policy(` -+ mono_domtrans(crond_t) -+') 
++########################################### ++# ++# certmaster local policy ++# + - tunable_policy(`fcron_crond', ` - allow crond_t system_cron_spool_t:file manage_file_perms; - ') - - optional_policy(` -+ amanda_search_var_lib(crond_t) -+') ++allow certmaster_t self:capability sys_tty_config; ++allow certmaster_t self:tcp_socket create_stream_socket_perms; + -+optional_policy(` - amavis_search_lib(crond_t) - ') - - optional_policy(` -- hal_dbus_send(crond_t) -+ hal_dbus_chat(crond_t) -+ hal_dbus_chat(system_cronjob_t) - ') - - optional_policy(` -@@ -268,8 +319,8 @@ - # System cron process domain - # - --allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; --allow system_cronjob_t self:process { signal_perms setsched }; -+allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; -+allow system_cronjob_t self:process { signal_perms getsched setsched }; - allow system_cronjob_t self:fifo_file rw_fifo_file_perms; - allow system_cronjob_t self:passwd rootok; - -@@ -283,7 +334,14 @@ - allow system_cronjob_t cron_var_lib_t:file manage_file_perms; - files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) - -+allow system_cronjob_t cron_var_run_t:file manage_file_perms; -+files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) ++# config files ++list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t) ++manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) + - allow system_cronjob_t system_cron_spool_t:file read_file_perms; ++# var/lib files for certmaster ++manage_files_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) ++manage_dirs_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) ++files_var_lib_filetrans(certmaster_t,certmaster_var_lib_t, { file dir }) + -+# anacron forces the following -+allow system_cronjob_t system_cron_spool_t:file { write 
setattr }; ++# log files ++manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) ++logging_log_filetrans(certmaster_t,certmaster_var_log_t, file ) + - # The entrypoint interface is not used as this is not - # a regular entrypoint. Since crontab files are - # not directly executed, crond must ensure that -@@ -314,9 +372,13 @@ - filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) - files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) - -+# var/lib files for system_crond -+files_search_var_lib(system_cronjob_t) -+manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++# pid file ++manage_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) ++manage_sock_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) ++files_pid_filetrans(certmaster_t,certmaster_var_run_t, { file sock_file }) + - # Read from /var/spool/cron. - allow system_cronjob_t cron_spool_t:dir list_dir_perms; --allow system_cronjob_t cron_spool_t:file read_file_perms; -+allow system_cronjob_t cron_spool_t:file rw_file_perms; - - kernel_read_kernel_sysctls(system_cronjob_t) - kernel_read_system_state(system_cronjob_t) -@@ -370,7 +432,8 @@ - init_read_utmp(system_cronjob_t) - init_dontaudit_rw_utmp(system_cronjob_t) - # prelink tells init to restart it self, we either need to allow or dontaudit --init_write_initctl(system_cronjob_t) -+init_telinit(system_cronjob_t) -+init_spec_domtrans_script(system_cronjob_t) - - auth_use_nsswitch(system_cronjob_t) - -@@ -378,6 +441,7 @@ - libs_exec_ld_so(system_cronjob_t) - - logging_read_generic_logs(system_cronjob_t) -+logging_send_audit_msgs(system_cronjob_t) - logging_send_syslog_msg(system_cronjob_t) - - miscfiles_read_localization(system_cronjob_t) -@@ -418,6 +482,10 @@ - ') - - optional_policy(` -+ dbus_system_bus_client(system_cronjob_t) -+') ++corecmd_search_bin(certmaster_t) ++corecmd_getattr_bin_files(certmaster_t) + 
-+optional_policy(` - ftp_read_log(system_cronjob_t) - ') - -@@ -428,11 +496,20 @@ - ') - - optional_policy(` -+ lpd_list_spool(system_cronjob_t) -+') ++# network ++corenet_tcp_bind_generic_node(certmaster_t) ++corenet_tcp_bind_certmaster_port(certmaster_t) + -+optional_policy(` -+ mono_domtrans(system_cronjob_t) -+') ++files_search_etc(certmaster_t) ++files_list_var(certmaster_t) ++files_search_var_lib(certmaster_t) + -+optional_policy(` - mrtg_append_create_logs(system_cronjob_t) - ') - - optional_policy(` - mta_send_mail(system_cronjob_t) -+ mta_system_content(system_cron_spool_t) - ') - - optional_policy(` -@@ -447,6 +524,7 @@ - prelink_read_cache(system_cronjob_t) - prelink_manage_log(system_cronjob_t) - prelink_delete_cache(system_cronjob_t) -+ prelink_manage_var_lib(system_cronjob_t) - ') - - optional_policy(` -@@ -460,8 +538,7 @@ - ') - - optional_policy(` -- # cjp: why? -- squid_domtrans(system_cronjob_t) -+ spamassassin_manage_lib_files(system_cronjob_t) - ') - - optional_policy(` -@@ -469,24 +546,17 @@ - ') - - optional_policy(` -+ unconfined_dbus_send(crond_t) -+ unconfined_shell_domtrans(crond_t) -+ unconfined_domain(crond_t) - unconfined_domain(system_cronjob_t) -- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) --') -- --ifdef(`TODO',` --ifdef(`mta.te', ` --allow system_cronjob_t mail_spool_t:lnk_file read; --allow mta_user_agent system_cronjob_t:fd use; --r_dir_file(system_mail_t, crond_tmp_t) - ') --') dnl end TODO - - ######################################## - # - # User cronjobs local policy - # - --allow cronjob_t self:capability dac_override; - allow cronjob_t self:process { signal_perms setsched }; - allow cronjob_t self:fifo_file rw_fifo_file_perms; - allow cronjob_t self:unix_stream_socket create_stream_socket_perms; -@@ -570,6 +640,9 @@ - userdom_manage_user_home_content_sockets(cronjob_t) - #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) - 
-+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++# read meminfo ++kernel_read_system_state(certmaster_t) + - tunable_policy(`fcron_crond', ` - allow crond_t user_cron_spool_t:file manage_file_perms; - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.7/policy/modules/services/cups.fc ---- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/cups.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -5,27 +5,38 @@ - /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) ++auth_use_nsswitch(certmaster_t) + -+/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) - - /etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) - - /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - -+/opt/gutenprint/ppds(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++miscfiles_read_localization(certmaster_t) + - /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -+/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) - --/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) --/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) --/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) ++miscfiles_manage_cert_dirs(certmaster_t) ++miscfiles_manage_cert_files(certmaster_t) ++ ++permissive certmaster_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.6.8/policy/modules/services/clamav.fc +--- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/clamav.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,20 +1,23 @@ + /etc/clamav(/.*)? 
gen_context(system_u:object_r:clamd_etc_t,s0) ++/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) - /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + /usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) + /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) + /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) - /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) - /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - /usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) -+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) -+# keep as separate lines to ensure proper sorting -+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) -+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) -+ - /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) - /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) -@@ -33,7 +44,7 @@ + /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) ++/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) - /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) - /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) --/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) -+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) + /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) +-/var/run/clamav(/.*)? 
gen_context(system_u:object_r:clamd_var_run_t,s0) +-/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) +-/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) ++/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) ++/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) - /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -43,10 +54,19 @@ - /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) ++/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) - /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) --/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0) -+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) +-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) +-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) ++/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) + /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) ++/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) -+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) - /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) - /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) - /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) - /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) - /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -+ -+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+/usr/local/Printer/(.*/)?inf(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+ -+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -+ -+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.7/policy/modules/services/cups.if ---- nsaserefpolicy/policy/modules/services/cups.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/cups.if 2009-03-03 17:11:59.000000000 -0500 -@@ -20,6 +20,30 @@ + /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) ++/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.6.8/policy/modules/services/clamav.if +--- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/clamav.if 2009-03-05 15:25:24.000000000 -0500 +@@ -38,6 +38,27 @@ ######################################## ## -+## Setup cups to transtion to the cups backend domain ++## Allow the specified domain to append ++## to clamav log files. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. +## +## +# -+interface(`cups_backend',` ++interface(`clamav_append_log',` + gen_require(` -+ type cupsd_t; ++ type clamav_log_t; + ') + -+ domtrans_pattern(cupsd_t, $2, $1) -+ -+ allow cupsd_t $1:process signal; -+ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; -+ -+ cups_read_config($1) -+ cups_append_log($1) ++ logging_search_logs($1) ++ allow $1 clamav_log_t:dir list_dir_perms; ++ append_files_pattern($1, clamav_log_t, clamav_log_t) +') + +######################################## +## - ## Connect to cupsd over an unix domain stream socket. + ## Read clamav configuration files. 
## ## -@@ -212,6 +236,25 @@ +@@ -91,3 +112,87 @@ - ######################################## - ## -+## Append cups log files. + domtrans_pattern($1, clamscan_exec_t, clamscan_t) + ') ++ ++######################################## ++## ++## Execute clamscan without a transition. +## +## +## @@ -11575,29 +9053,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`cups_append_log',` ++interface(`clamav_exec_clamscan',` + gen_require(` -+ type cupsd_log_t; ++ type clamscan_exec_t; + ') + -+ logging_search_logs($1) -+ append_files_pattern($1, cupsd_log_t, cupsd_log_t) -+') ++ can_exec($1, clamscan_exec_t) + -+######################################## -+## - ## Write cups log files. - ## - ## -@@ -247,3 +290,66 @@ - files_search_pids($1) - stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) - ') ++') + +######################################## +## +## All of the rules required to administrate -+## an cups environment ++## an clamav environment +## +## +## 
@@ -11606,626 +9074,624 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The role to be allowed to manage the cups domain. ++## The role to be allowed to manage the clamav domain. +## +## +## +# -+interface(`cups_admin',` ++interface(`clamav_admin',` + gen_require(` -+ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; -+ type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; -+ type cupsd_config_var_run_t, cupsd_lpd_var_run_t; -+ type cupsd_var_run_t, ptal_etc_t; -+ type ptal_var_run_t, hplip_var_run_t; -+ type cupsd_initrc_exec_t; ++ type clamd_t, clamd_etc_t, clamd_tmp_t; ++ type clamd_var_log_t, clamd_var_lib_t; ++ type clamd_var_run_t; ++ ++ type clamscan_t, clamscan_tmp_t; ++ ++ type freshclam_t, freshclam_var_log_t; ++ ++ type clamd_initrc_exec_t; + ') + -+ allow $1 cupsd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, cupsd_t) ++ allow $1 clamd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, clamd_t) + -+ init_labeled_script_domtrans($1, cupsd_initrc_exec_t) ++ allow $1 clamscan_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, clamscan_t) ++ ++ allow $1 freshclam_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, freshclam_t) ++ ++ init_labeled_script_domtrans($1, clamd_initrc_exec_t) + domain_system_change_exemption($1) -+ role_transition $2 cupsd_initrc_exec_t system_r; ++ role_transition $2 clamd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) -+ admin_pattern($1, cupsd_tmp_t) -+ -+ admin_pattern($1, cupsd_lpd_tmp_t) ++ admin_pattern($1, clamd_tmp_t) + + files_list_etc($1) -+ admin_pattern($1, cupsd_etc_t) -+ -+ admin_pattern($1, ptal_etc_t) -+ -+ files_list_spool($1) -+ admin_pattern($1, cupsd_spool_t) ++ admin_pattern($1, clamd_etc_t) + + logging_list_logs($1) -+ admin_pattern($1, cupsd_log_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, cupsd_var_run_t) -+ -+ admin_pattern($1, ptal_var_run_t) -+ -+ admin_pattern($1, cupsd_config_var_run_t) -+ -+ 
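Review bot: The new `clamav_exec_clamscan` interface is documented only as "Execute clamscan without a transition", but since it uses `can_exec($1, clamscan_exec_t)` the caller keeps running in its own domain, so none of the clamscan_t rules elsewhere in this patch apply and the caller must separately be granted whatever access the scan needs (at least the clamav configuration interface already described as "Read clamav configuration files.", and presumably the var/lib content labelled clamd_var_lib_t). I would state that in the interface summary: `## Execute clamscan in the caller's domain (no domain transition). The caller keeps its own permissions and must be granted read access to clamav configuration and var/lib content separately.` The interface as written also grants no `corecmd_search_bin($1)`, which a caller may need to reach the binary; confirm against the convention used by sibling `*_exec_*` interfaces in this file. The `clamav_admin` interface opened at the end of this hunk continues in the next hunk.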
admin_pattern($1, cupsd_lpd_var_run_t) -+ -+ admin_pattern($1, hplip_var_run_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.7/policy/modules/services/cups.te ---- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/cups.te 2009-03-03 17:11:59.000000000 -0500 -@@ -20,9 +20,18 @@ - type cupsd_etc_t; - files_config_file(cupsd_etc_t) - -+type cupsd_initrc_exec_t; -+init_script_file(cupsd_initrc_exec_t) -+ -+type cupsd_interface_t; -+files_type(cupsd_interface_t) -+ - type cupsd_rw_etc_t; - files_config_file(cupsd_rw_etc_t) - -+type cupsd_lock_t; -+files_lock_file(cupsd_lock_t) -+ - type cupsd_log_t; - logging_log_file(cupsd_log_t) - -@@ -48,6 +57,10 @@ - type hplip_t; - type hplip_exec_t; - init_daemon_domain(hplip_t, hplip_exec_t) -+# For CUPS to run as a backend -+cups_backend(hplip_t, hplip_exec_t) -+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) - - type hplip_etc_t; - files_config_file(hplip_etc_t) -@@ -65,6 +78,16 @@ - type ptal_var_run_t; - files_pid_file(ptal_var_run_t) - -+type cups_pdf_t; -+type cups_pdf_exec_t; -+domain_type(cups_pdf_t) -+domain_entry_file(cups_pdf_t, cups_pdf_exec_t) -+cups_backend(cups_pdf_t, cups_pdf_exec_t) -+role system_r types cups_pdf_t; -+ -+type cups_pdf_tmp_t; -+files_tmp_file(cups_pdf_tmp_t) -+ - ifdef(`enable_mcs',` - init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) - ') -@@ -79,13 +102,14 @@ - # - - # /usr/lib/cups/backend/serial needs sys_admin(?!) 
--allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; -+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; - dontaudit cupsd_t self:capability { sys_tty_config net_admin }; --allow cupsd_t self:process { setsched signal_perms }; --allow cupsd_t self:fifo_file rw_file_perms; -+allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; -+allow cupsd_t self:fifo_file rw_fifo_file_perms; - allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow cupsd_t self:unix_dgram_socket create_socket_perms; - allow cupsd_t self:netlink_selinux_socket create_socket_perms; -+allow cupsd_t self:shm create_shm_perms; - allow cupsd_t self:tcp_socket create_stream_socket_perms; - allow cupsd_t self:udp_socket create_socket_perms; - allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -97,6 +121,9 @@ - read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) - files_search_etc(cupsd_t) - -+manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) -+can_exec(cupsd_t, cupsd_interface_t) ++ admin_pattern($1, clamd_var_log_t) + - manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) - manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) - filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) -@@ -104,8 +131,11 @@ - - # allow cups to execute its backend scripts - can_exec(cupsd_t, cupsd_exec_t) --allow cupsd_t cupsd_exec_t:dir search; --allow cupsd_t cupsd_exec_t:lnk_file read; -+allow cupsd_t cupsd_exec_t:dir search_dir_perms; -+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; ++ files_list_var_lib($1) ++ admin_pattern($1, clamd_var_lib_t) + -+allow cupsd_t cupsd_lock_t:file manage_file_perms; -+files_lock_filetrans(cupsd_t, cupsd_lock_t, file) - - 
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) - allow cupsd_t cupsd_log_t:dir setattr; -@@ -116,13 +146,20 @@ - manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) - files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) - -+# This whole section needs to be moved to a smbspool policy -+# smbspool seems to be iterating through all existing tmp files. -+# Looking for kerberos files -+files_getattr_all_tmp_files(cupsd_t) -+userdom_read_user_tmp_files(cupsd_t) -+files_dontaudit_getattr_all_tmp_sockets(cupsd_t) ++ files_list_pids($1) ++ admin_pattern($1, clamd_var_run_t) + - allow cupsd_t cupsd_var_run_t:dir setattr; - manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) - manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -+manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) - files_pid_filetrans(cupsd_t, cupsd_var_run_t, file) - --read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) -- -+allow cupsd_t hplip_t:process {signal sigkill }; - allow cupsd_t hplip_var_run_t:file read_file_perms; - - stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -@@ -149,44 +186,49 @@ - corenet_tcp_bind_reserved_port(cupsd_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) - corenet_tcp_connect_all_ports(cupsd_t) -+corenet_tcp_connect_smbd_port(cupsd_t) - corenet_sendrecv_hplip_client_packets(cupsd_t) - corenet_sendrecv_ipp_client_packets(cupsd_t) - corenet_sendrecv_ipp_server_packets(cupsd_t) -+corenet_tcp_bind_all_rpc_ports(cupsd_t) - - dev_rw_printer(cupsd_t) - dev_read_urand(cupsd_t) - dev_read_sysfs(cupsd_t) --dev_read_usbfs(cupsd_t) -+dev_rw_input_dev(cupsd_t) #447878 -+dev_rw_generic_usb_dev(cupsd_t) -+dev_rw_usbfs(cupsd_t) - dev_getattr_printer_dev(cupsd_t) - - domain_read_all_domains_state(cupsd_t) - - fs_getattr_all_fs(cupsd_t) - fs_search_auto_mountpoints(cupsd_t) -+fs_read_anon_inodefs_files(cupsd_t) - -+mls_fd_use_all_levels(cupsd_t) - mls_file_downgrade(cupsd_t) - 
mls_file_write_all_levels(cupsd_t) - mls_file_read_all_levels(cupsd_t) -+mls_rangetrans_target(cupsd_t) - mls_socket_write_all_levels(cupsd_t) - - term_use_unallocated_ttys(cupsd_t) - term_search_ptys(cupsd_t) - --auth_domtrans_chk_passwd(cupsd_t) --auth_dontaudit_read_pam_pid(cupsd_t) -- - # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp - corecmd_exec_shell(cupsd_t) - corecmd_exec_bin(cupsd_t) ++ admin_pattern($1, clamscan_tmp_t) ++ ++ admin_pattern($1, freshclam_var_log_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.8/policy/modules/services/clamav.te +--- nsaserefpolicy/policy/modules/services/clamav.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/clamav.te 2009-03-05 15:25:24.000000000 -0500 +@@ -13,7 +13,10 @@ - domain_use_interactive_fds(cupsd_t) + # configuration files + type clamd_etc_t; +-files_type(clamd_etc_t) ++files_config_file(clamd_etc_t) ++ ++type clamd_initrc_exec_t; ++init_script_file(clamd_initrc_exec_t) -+files_list_spool(cupsd_t) - files_read_etc_files(cupsd_t) - files_read_etc_runtime_files(cupsd_t) - # read python modules - files_read_usr_files(cupsd_t) - # for /var/lib/defoma --files_search_var_lib(cupsd_t) -+files_read_var_lib_files(cupsd_t) - files_list_world_readable(cupsd_t) - files_read_world_readable_files(cupsd_t) - files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +237,16 @@ - files_read_var_symlinks(cupsd_t) - # for /etc/printcap - files_dontaudit_write_etc_files(cupsd_t) --# smbspool seems to be iterating through all existing tmp files. 
--# redhat bug #214953 --# cjp: this might be a broken behavior --files_dontaudit_getattr_all_tmp_files(cupsd_t) + # tmp files + type clamd_tmp_t; +@@ -87,6 +90,9 @@ + kernel_dontaudit_list_proc(clamd_t) + kernel_read_sysctl(clamd_t) + kernel_read_kernel_sysctls(clamd_t) ++kernel_read_system_state(clamd_t) ++ ++corecmd_exec_shell(clamd_t) - selinux_compute_access_vector(cupsd_t) -+selinux_validate_context(cupsd_t) + corenet_all_recvfrom_unlabeled(clamd_t) + corenet_all_recvfrom_netlabel(clamd_t) +@@ -97,6 +103,8 @@ + corenet_tcp_bind_generic_node(clamd_t) + corenet_tcp_bind_clamd_port(clamd_t) + corenet_sendrecv_clamd_server_packets(clamd_t) ++corenet_tcp_bind_generic_port(clamd_t) ++corenet_tcp_connect_generic_port(clamd_t) - init_exec_script_files(cupsd_t) -+init_read_utmp(cupsd_t) + dev_read_rand(clamd_t) + dev_read_urand(clamd_t) +@@ -117,6 +125,9 @@ + cron_use_system_job_fds(clamd_t) + cron_rw_pipes(clamd_t) -+auth_domtrans_chk_passwd(cupsd_t) -+auth_dontaudit_read_pam_pid(cupsd_t) -+auth_rw_faillog(cupsd_t) - auth_use_nsswitch(cupsd_t) ++mta_read_config(clamd_t) ++mta_send_mail(clamd_t) ++ + optional_policy(` + amavis_read_lib_files(clamd_t) + amavis_read_spool_files(clamd_t) +@@ -124,6 +135,10 @@ + amavis_create_pid_files(clamd_t) + ') - # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* -@@ -217,17 +260,21 @@ - miscfiles_read_fonts(cupsd_t) ++optional_policy(` ++ exim_read_spool_files(clamd_t) ++') ++ + ######################################## + # + # Freshclam local policy +@@ -191,7 +206,7 @@ + allow clamscan_t self:fifo_file rw_file_perms; + allow clamscan_t self:unix_stream_socket create_stream_socket_perms; + allow clamscan_t self:unix_dgram_socket create_socket_perms; +-allow clamscan_t self:tcp_socket { listen accept }; ++allow clamscan_t self:tcp_socket create_stream_socket_perms; - seutil_read_config(cupsd_t) -+sysnet_exec_ifconfig(cupsd_t) + # configuration files + allow clamscan_t clamd_etc_t:dir list_dir_perms; +@@ -207,6 +222,14 @@ 
+ manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) + allow clamscan_t clamd_var_lib_t:dir list_dir_perms; --sysnet_read_config(cupsd_t) -- -+files_dontaudit_list_home(cupsd_t) - userdom_dontaudit_use_unpriv_user_fds(cupsd_t) - userdom_dontaudit_search_user_home_content(cupsd_t) ++corenet_all_recvfrom_unlabeled(clamscan_t) ++corenet_all_recvfrom_netlabel(clamscan_t) ++corenet_tcp_sendrecv_generic_if(clamscan_t) ++corenet_tcp_sendrecv_generic_node(clamscan_t) ++corenet_tcp_sendrecv_all_ports(clamscan_t) ++corenet_tcp_sendrecv_clamd_port(clamscan_t) ++corenet_tcp_connect_clamd_port(clamscan_t) ++ + kernel_read_kernel_sysctls(clamscan_t) - # Write to /var/spool/cups. - lpd_manage_spool(cupsd_t) -+lpd_read_config(cupsd_t) -+lpd_exec_lpr(cupsd_t) -+lpd_relabel_spool(cupsd_t) + files_read_etc_files(clamscan_t) +@@ -221,6 +244,12 @@ - ifdef(`enable_mls',` -- lpd_relabel_spool(cupsd_t) -+ mls_trusted_object(cupsd_var_run_t) -+ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh) - ') + clamav_stream_connect(clamscan_t) ++mta_send_mail(clamscan_t) ++ optional_policy(` -@@ -244,8 +291,16 @@ - userdom_dbus_send_all_users(cupsd_t) + apache_read_sys_content(clamscan_t) + ') ++ ++optional_policy(` ++ mailscanner_manage_spool(clamscan_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.6.8/policy/modules/services/consolekit.fc +--- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/consolekit.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,3 +1,6 @@ + /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) - optional_policy(` -+ avahi_dbus_chat(cupsd_t) -+ ') + /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) ++/var/run/ConsoleKit(/.*)? 
-- gen_context(system_u:object_r:consolekit_var_run_t,s0) + -+ optional_policy(` - hal_dbus_chat(cupsd_t) - ') ++/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.8/policy/modules/services/consolekit.if +--- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/consolekit.if 2009-03-05 15:25:24.000000000 -0500 +@@ -38,3 +38,24 @@ + allow $1 consolekit_t:dbus send_msg; + allow consolekit_t $1:dbus send_msg; + ') + -+ optional_policy(` -+ unconfined_dbus_chat(cupsd_t) ++######################################## ++## ++## Read consolekit log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`consolekit_read_log',` ++ gen_require(` ++ type consolekit_log_t; + ') - ') - - optional_policy(` -@@ -261,6 +316,10 @@ - ') - - optional_policy(` -+ mta_send_mail(cupsd_t) ++ ++ files_search_pids($1) ++ read_files_pattern($1, consolekit_log_t, consolekit_log_t) +') + -+optional_policy(` - # cups execs smbtool which reads samba_etc_t files - samba_read_config(cupsd_t) - samba_rw_var_files(cupsd_t) -@@ -279,7 +338,7 @@ - # Cups configuration daemon local policy ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.8/policy/modules/services/consolekit.te +--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/consolekit.te 2009-03-05 15:25:24.000000000 -0500 +@@ -13,6 +13,9 @@ + type consolekit_var_run_t; + files_pid_file(consolekit_var_run_t) + ++type consolekit_log_t; ++files_pid_file(consolekit_log_t) ++ + ######################################## # + # consolekit local policy +@@ -24,20 +27,27 @@ + allow consolekit_t self:unix_stream_socket 
create_stream_socket_perms; + allow consolekit_t self:unix_dgram_socket create_socket_perms; + ++manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) ++logging_log_filetrans(consolekit_t, consolekit_log_t, file) ++ ++manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) + manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) +-files_pid_filetrans(consolekit_t, consolekit_var_run_t, file) ++files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir }) --allow cupsd_config_t self:capability { chown sys_tty_config }; -+allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; - dontaudit cupsd_config_t self:capability sys_tty_config; - allow cupsd_config_t self:process signal_perms; - allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -311,7 +370,7 @@ - files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) + kernel_read_system_state(consolekit_t) - kernel_read_system_state(cupsd_config_t) --kernel_read_kernel_sysctls(cupsd_config_t) -+kernel_read_all_sysctls(cupsd_config_t) + corecmd_exec_bin(consolekit_t) ++corecmd_exec_shell(consolekit_t) - corenet_all_recvfrom_unlabeled(cupsd_config_t) - corenet_all_recvfrom_netlabel(cupsd_config_t) -@@ -324,6 +383,7 @@ - dev_read_sysfs(cupsd_config_t) - dev_read_urand(cupsd_config_t) - dev_read_rand(cupsd_config_t) -+dev_rw_generic_usb_dev(cupsd_config_t) + dev_read_urand(consolekit_t) + dev_read_sysfs(consolekit_t) - fs_getattr_all_fs(cupsd_config_t) - fs_search_auto_mountpoints(cupsd_config_t) -@@ -341,13 +401,14 @@ - files_read_var_symlinks(cupsd_config_t) + domain_read_all_domains_state(consolekit_t) + domain_use_interactive_fds(consolekit_t) ++domain_dontaudit_ptrace_all_domains(consolekit_t) - # Alternatives asks for this --init_getattr_script_files(cupsd_config_t) -+init_getattr_all_script_files(cupsd_config_t) + files_read_etc_files(consolekit_t) ++files_read_usr_files(consolekit_t) + # needs to read 
/var/lib/dbus/machine-id + files_read_var_lib_files(consolekit_t) - auth_use_nsswitch(cupsd_config_t) +@@ -47,13 +57,35 @@ - logging_send_syslog_msg(cupsd_config_t) + auth_use_nsswitch(consolekit_t) - miscfiles_read_localization(cupsd_config_t) -+miscfiles_read_hwdata(cupsd_config_t) ++init_telinit(consolekit_t) ++init_rw_utmp(consolekit_t) ++init_chat(consolekit_t) ++ ++logging_send_syslog_msg(consolekit_t) ++ + miscfiles_read_localization(consolekit_t) - seutil_dontaudit_search_config(cupsd_config_t) ++# consolekit needs to be able to ptrace all logged in users ++userdom_ptrace_all_users(consolekit_t) ++userdom_dontaudit_read_user_home_content_files(consolekit_t) ++userdom_read_user_tmp_files(consolekit_t) ++ ++hal_ptrace(consolekit_t) ++mcs_ptrace_all(consolekit_t) ++ + optional_policy(` +- dbus_system_bus_client(consolekit_t) +- dbus_connect_system_bus(consolekit_t) ++ cron_read_system_job_lib_files(consolekit_t) ++') -@@ -359,14 +420,16 @@ - lpd_read_config(cupsd_config_t) ++optional_policy(` ++ dbus_system_domain(consolekit_t, consolekit_exec_t) ++ optional_policy(` + hal_dbus_chat(consolekit_t) ++ ') ++ ++ optional_policy(` ++ rpm_dbus_chat(consolekit_t) ++ ') - ifdef(`distro_redhat',` -- init_getattr_script_files(cupsd_config_t) -- optional_policy(` - rpm_read_db(cupsd_config_t) - ') + unconfined_dbus_chat(consolekit_t) +@@ -61,6 +93,31 @@ ') optional_policy(` -+ term_use_generic_ptys(cupsd_config_t) ++ polkit_domtrans_auth(consolekit_t) ++ polkit_read_lib(consolekit_t) ++ polkit_read_reload(consolekit_t) +') + +optional_policy(` - cron_system_entry(cupsd_config_t, cupsd_config_exec_t) - ') - -@@ -382,6 +445,7 @@ - optional_policy(` - hal_domtrans(cupsd_config_t) - hal_read_tmp_files(cupsd_config_t) -+ hal_dontaudit_use_fds(hplip_t) + xserver_read_user_xauth(consolekit_t) + xserver_stream_connect(consolekit_t) ++ xserver_ptrace_xdm(consolekit_t) ++ xserver_common_app(consolekit_t) ++') ++ ++optional_policy(` ++ #reading .Xauthity ++ 
unconfined_ptrace(consolekit_t) ++ unconfined_stream_connect(consolekit_t) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_list_nfs(consolekit_t) ++ fs_dontaudit_rw_nfs_files(consolekit_t) ') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_list_cifs(consolekit_t) ++ fs_dontaudit_rw_cifs_files(consolekit_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.8/policy/modules/services/courier.if +--- nsaserefpolicy/policy/modules/services/courier.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/courier.if 2009-03-05 15:25:24.000000000 -0500 +@@ -179,6 +179,24 @@ - optional_policy(` -@@ -491,7 +555,10 @@ - allow hplip_t self:udp_socket create_socket_perms; - allow hplip_t self:rawip_socket create_socket_perms; + ######################################## + ## ++## Read courier spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`courier_read_spool',` ++ gen_require(` ++ type courier_spool_t; ++ ') ++ ++ read_files_pattern($1, courier_spool_t, courier_spool_t) ++') ++ ++######################################## ++## + ## Read and write to courier spool pipes. 
+ ## + ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.8/policy/modules/services/courier.te +--- nsaserefpolicy/policy/modules/services/courier.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/courier.te 2009-03-05 15:25:24.000000000 -0500 +@@ -10,6 +10,7 @@ --allow hplip_t cupsd_etc_t:dir search; -+allow hplip_t cupsd_etc_t:dir search_dir_perms; -+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) -+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) -+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir }) + type courier_etc_t; + files_config_file(courier_etc_t) ++mta_system_content(courier_etc_t) - cups_stream_connect(hplip_t) + courier_domain_template(pcp) -@@ -500,6 +567,10 @@ - read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) - files_search_etc(hplip_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.8/policy/modules/services/cron.fc +--- nsaserefpolicy/policy/modules/services/cron.fc 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/cron.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,3 +1,4 @@ ++/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) -+fs_rw_anon_inodefs_files(hplip_t) -+ -+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) -+ - manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) - files_pid_filetrans(hplip_t, hplip_var_run_t, file) + /etc/cron\.d(/.*)? 
gen_context(system_u:object_r:system_cron_spool_t,s0) + /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +@@ -17,9 +18,9 @@ + /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) + /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -@@ -529,7 +600,8 @@ - dev_read_urand(hplip_t) - dev_read_rand(hplip_t) - dev_rw_generic_usb_dev(hplip_t) --dev_read_usbfs(hplip_t) -+dev_rw_usbfs(hplip_t) +-/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0) +-/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0) +-/var/spool/at/[^/]* -- <> ++/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) + ++/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) - fs_getattr_all_fs(hplip_t) - fs_search_auto_mountpoints(hplip_t) -@@ -553,7 +625,9 @@ - userdom_dontaudit_search_user_home_dirs(hplip_t) - userdom_dontaudit_search_user_home_content(hplip_t) - --lpd_read_config(cupsd_t) -+ -+lpd_read_config(hplip_t) -+lpd_manage_spool(hplip_t) + /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) + #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) +@@ -41,7 +42,11 @@ + #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) - optional_policy(` - dbus_system_bus_client(hplip_t) -@@ -635,3 +709,49 @@ - optional_policy(` - udev_read_db(ptal_t) - ') -+ -+######################################## -+# -+# cups_pdf local policy -+# -+ -+allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override }; -+ -+allow cups_pdf_t self:fifo_file rw_file_perms; -+allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; -+ -+files_read_etc_files(cups_pdf_t) -+files_read_usr_files(cups_pdf_t) -+ -+kernel_read_system_state(cups_pdf_t) -+ -+auth_use_nsswitch(cups_pdf_t) -+ -+corecmd_exec_shell(cups_pdf_t) -+corecmd_exec_bin(cups_pdf_t) -+ -+miscfiles_read_localization(cups_pdf_t) -+ 
-+manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) -+manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) -+files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) -+ -+userdom_home_filetrans_user_home_dir(cups_pdf_t) -+userdom_manage_user_home_content_dirs(cups_pdf_t) -+userdom_manage_user_home_content_files(cups_pdf_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(cups_pdf_t) -+ fs_manage_nfs_files(cups_pdf_t) -+') + /var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) +-/var/spool/fcron/[^/]* <> ++/var/spool/fcron/.* <> + /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) + /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) + /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) + -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(cups_pdf_t) -+ fs_manage_cifs_files(cups_pdf_t) -+') ++/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + -+lpd_manage_spool(cups_pdf_t) ++/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.8/policy/modules/services/cron.if +--- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/cron.if 2009-03-05 15:25:24.000000000 -0500 +@@ -12,6 +12,10 @@ + ## + # + template(`cron_common_crontab_template',` ++ gen_require(` ++ type crond_t, crond_var_run_t; ++ ') + -+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -+miscfiles_read_fonts(cups_pdf_t) + ############################## + # + # Declarations +@@ -31,16 +35,21 @@ + + # dac_override is to create the file in the directory under /tmp + allow $1_t self:capability { fowner setuid setgid chown dac_override }; +- allow $1_t self:process signal_perms; ++ allow $1_t 
self:process { setsched signal_perms }; ++ allow $1_t self:fifo_file rw_fifo_file_perms; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.6.7/policy/modules/services/cvs.if ---- nsaserefpolicy/policy/modules/services/cvs.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/cvs.if 2009-03-03 17:11:59.000000000 -0500 -@@ -15,7 +15,9 @@ - type cvs_data_t; - ') ++ allow $1_t crond_t:process signal; ++ allow $1_t crond_var_run_t:file read_file_perms; -- allow $1 cvs_data_t:file { getattr read }; -+ list_dirs_pattern($1, cvs_data_t, cvs_data_t) -+ read_files_pattern($1, cvs_data_t, cvs_data_t) -+ read_lnk_files_pattern($1, cvs_data_t, cvs_data_t) - ') + allow $1_t $1_tmp_t:file manage_file_perms; + files_tmp_filetrans($1_t,$1_tmp_t,file) - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.7/policy/modules/services/cvs.te ---- nsaserefpolicy/policy/modules/services/cvs.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/cvs.te 2009-03-03 17:11:59.000000000 -0500 -@@ -112,4 +112,5 @@ - read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) - manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) - manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) -+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.6.7/policy/modules/services/cyphesis.te ---- nsaserefpolicy/policy/modules/services/cyphesis.te 2009-02-16 08:44:12.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/cyphesis.te 2009-03-03 17:11:59.000000000 -0500 -@@ -1,5 +1,5 @@ + # create files in /var/spool/cron + # cjp: change this to a role transition ++ manage_files_pattern($1_t, 
user_cron_spool_t, user_cron_spool_t) + manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t) + filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) +- files_search_spool($1_t) ++ files_list_spool($1_t) --policy_module(cyphesis, 1.1.2) -+policy_module(cyphesis, 1.1.1) + # crontab signals crond by updating the mtime on the spooldir + allow $1_t cron_spool_t:dir setattr; +@@ -55,9 +64,16 @@ + domain_use_interactive_fds($1_t) - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.7/policy/modules/services/dbus.fc ---- nsaserefpolicy/policy/modules/services/dbus.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/dbus.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -4,6 +4,9 @@ - /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) - /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) + files_read_etc_files($1_t) ++ files_read_usr_files($1_t) + files_dontaudit_search_pids($1_t) -+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) + logging_send_syslog_msg($1_t) ++ logging_send_audit_msgs($1_t) ++ logging_set_loginuid($1_t) ++ auth_domtrans_chk_passwd($1_t) + - /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) ++ init_dontaudit_write_utmp($1_t) ++ init_read_utmp($1_t) - /var/run/dbus(/.*)? 
gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.7/policy/modules/services/dbus.if ---- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/dbus.if 2009-03-03 17:11:59.000000000 -0500 -@@ -44,6 +44,7 @@ + miscfiles_read_localization($1_t) - attribute session_bus_type; - type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; -+ type $1_t; +@@ -147,26 +163,26 @@ + # + interface(`cron_unconfined_role',` + gen_require(` +- type unconfined_cronjob_t, crontab_t, crontab_tmp_t, crontab_exec_t; ++ type unconfined_cronjob_t, admin_crontab_t, crontab_tmp_t, crontab_exec_t; ') - ############################## -@@ -91,7 +92,7 @@ - allow $3 $1_dbusd_t:process { sigkill signal }; - - # cjp: this seems very broken -- corecmd_bin_domtrans($1_dbusd_t, $3) -+ corecmd_bin_domtrans($1_dbusd_t, $1_t) - allow $1_dbusd_t $3:process sigkill; - allow $3 $1_dbusd_t:fd use; - allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -117,6 +118,7 @@ - dev_read_urand($1_dbusd_t) +- role $1 types { unconfined_cronjob_t crontab_t }; ++ role $1 types { unconfined_cronjob_t admin_crontab_t }; - domain_use_interactive_fds($1_dbusd_t) -+ domain_read_all_domains_state($1_dbusd_t) + # cronjob shows up in user ps + ps_process_pattern($2, unconfined_cronjob_t) - files_read_etc_files($1_dbusd_t) - files_list_home($1_dbusd_t) -@@ -145,6 +147,8 @@ - seutil_read_config($1_dbusd_t) - seutil_read_default_contexts($1_dbusd_t) + # Transition from the user domain to the derived domain. 
+- domtrans_pattern($2, crontab_exec_t, crontab_t) ++ domtrans_pattern($2, crontab_exec_t, admin_crontab_t) -+ term_use_all_terms($1_dbusd_t) -+ - userdom_read_user_home_content_files($1_dbusd_t) + # crontab shows up in user ps +- ps_process_pattern($2, crontab_t) +- allow $2 crontab_t:process signal; ++ ps_process_pattern($2, admin_crontab_t) ++ allow $2 admin_crontab_t:process signal; - ifdef(`hide_broken_symptoms', ` -@@ -160,6 +164,10 @@ - ') + # Run helper programs as the user domain +- #corecmd_bin_domtrans(crontab_t, $2) +- #corecmd_shell_domtrans(crontab_t, $2) +- corecmd_exec_bin(crontab_t) +- corecmd_exec_shell(crontab_t) ++ #corecmd_bin_domtrans(admin_crontab_t, $2) ++ #corecmd_shell_domtrans(admin_crontab_t, $2) ++ corecmd_exec_bin(admin_crontab_t) ++ corecmd_exec_shell(admin_crontab_t) optional_policy(` -+ gnome_read_gconf_home_files($1_dbusd_t) + gen_require(` +@@ -261,6 +277,7 @@ + allow $1 system_cronjob_t:fifo_file rw_file_perms; + allow $1 system_cronjob_t:process sigchld; + ++ domain_auto_trans(crond_t, $2, $1) + allow $1 crond_t:fifo_file rw_file_perms; + allow $1 crond_t:fd use; + allow $1 crond_t:process sigchld; +@@ -343,6 +360,24 @@ + + ######################################## + ## ++## Allow read/write unix stream sockets from the system cron jobs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cron_rw_system_stream_sockets',` ++ gen_require(` ++ type system_cronjob_t; + ') + -+ optional_policy(` - hal_dbus_chat($1_dbusd_t) - ') ++ allow $1 system_cronjob_t:unix_stream_socket { read write }; ++') ++ ++######################################## ++## + ## Read and write a cron daemon unnamed pipe. + ## + ## +@@ -361,7 +396,7 @@ -@@ -185,10 +193,12 @@ - type system_dbusd_t, system_dbusd_t; - type system_dbusd_var_run_t, system_dbusd_var_lib_t; - class dbus send_msg; -+ attribute dbusd_unconfined; + ######################################## + ## +-## Read, and write cron daemon TCP sockets. 
++## Dontaudit Read, and write cron daemon TCP sockets. + ## + ## + ## +@@ -369,7 +404,7 @@ + ## + ## + # +-interface(`cron_rw_tcp_sockets',` ++interface(`cron_dontaudit_rw_tcp_sockets',` + gen_require(` + type crond_t; ') +@@ -416,6 +451,42 @@ - # SE-DBus specific permissions -- allow $1 { system_dbusd_t self }:dbus send_msg; -+ allow $1 { system_dbusd_t self dbusd_unconfined }:dbus send_msg; -+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; - - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - files_search_var_lib($1) -@@ -197,6 +207,10 @@ - files_search_pids($1) - stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) - dbus_read_config($1) + ######################################## + ## ++## Execute cron in the cron system domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cron_domtrans',` ++ gen_require(` ++ type system_cronjob_t, crond_exec_t; ++ ') + -+ optional_policy(` -+ rpm_script_dbus_chat($1) ++ domtrans_pattern($1,crond_exec_t,system_cronjob_t) ++') ++ ++######################################## ++## ++## Execute crond_exec_t ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cron_exec',` ++ gen_require(` ++ type crond_exec_t; + ') - ') ++ ++ can_exec($1,crond_exec_t) ++') ++ ++######################################## ++## + ## Inherit and use a file descriptor + ## from system cron jobs. + ## +@@ -481,11 +552,14 @@ + # + interface(`cron_read_system_job_tmp_files',` + gen_require(` +- type system_cronjob_tmp_t; ++ type system_cronjob_tmp_t, cron_var_run_t; + ') - ####################################### -@@ -244,6 +258,35 @@ + files_search_tmp($1) + allow $1 system_cronjob_tmp_t:file read_file_perms; ++ ++ files_search_pids($1) ++ allow $1 cron_var_run_t:file read_file_perms; + ') ######################################## - ## -+## Chat on user/application specific DBUS. 
+@@ -506,3 +580,101 @@ + + dontaudit $1 system_cronjob_tmp_t:file append; + ') ++ ++ ++######################################## ++## ++## Do not audit attempts to write temporary ++## files from the system cron jobs. +## -+## ++## +## -+## The prefix of the domain (e.g., user -+## is the prefix for user_t). -+## ++## Domain to not audit. ++## +## ++# ++interface(`cron_dontaudit_write_system_job_tmp_files',` ++ gen_require(` ++ type system_cronjob_tmp_t; ++ type cron_var_run_t; ++ type system_cronjob_var_run_t; ++ ') ++ ++ dontaudit $1 system_cronjob_tmp_t:file write_file_perms; ++ dontaudit $1 cron_var_run_t:file write_file_perms; ++ ') ++ ++######################################## ++## ++## Read temporary files from the system cron jobs. ++## +## +## +## Domain allowed access. +## +## +# -+template(`dbus_chat_user_bus',` ++interface(`cron_read_system_job_lib_files',` + gen_require(` -+ type $1_t; -+ type $1_dbusd_t; -+ class dbus send_msg; ++ type system_cronjob_var_lib_t; + ') + -+ allow $2 $1_dbusd_t:dbus send_msg; -+ allow $1_dbusd_t $2:dbus send_msg; -+ allow $2 $1_t:dbus send_msg; -+ allow $1_t $2:dbus send_msg; -+') + -+######################################## -+## - ## Read dbus configuration. - ## - ## -@@ -318,3 +361,77 @@ - - allow $1 system_dbusd_t:dbus *; - ') ++ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ++') + +######################################## +## -+## Allow unconfined access to the system DBUS. ++## Manage files from the system cron jobs. +## +## +## 
@@ -12233,331 +9699,495 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dbus_unconfined',` ++interface(`cron_manage_system_job_lib_files',` + gen_require(` -+ attribute dbusd_unconfined; ++ type system_cronjob_var_lib_t; + ') + -+ typeattribute $1 dbusd_unconfined; ++ ++ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) +') + +######################################## +## -+## Create a domain for processes -+## which can be started by the system dbus ++## Manage pid files used by cron +## +## +## -+## Type to be used as a domain. ++## Domain allowed access. +## +## -+## ++# ++interface(`cron_manage_pid_files',` ++ gen_require(` ++ type crond_var_run_t; ++ ') ++ ++ manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ++') ++ ++######################################## ++## ++## Execute crond server in the nscd domain. ++## ++## +## -+## Type of the program to be used as an entry point to this domain. ++## The type of the process performing this action. 
+## +## +# -+interface(`dbus_system_domain',` ++interface(`cron_initrc_domtrans',` + gen_require(` -+ type system_dbusd_t; -+ role system_r; -+ ') ++ type crond_initrc_exec_t; ++') + -+ domain_type($1) -+ domain_entry_file($1, $2) ++ init_labeled_script_domtrans($1, crond_initrc_exec_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.8/policy/modules/services/cron.te +--- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/cron.te 2009-03-05 15:25:24.000000000 -0500 +@@ -38,6 +38,10 @@ + type cron_var_lib_t; + files_type(cron_var_lib_t) + ++# var/lib files ++type cron_var_run_t; ++files_type(cron_var_run_t) ++ + # var/log files + type cron_log_t; + logging_log_file(cron_log_t) +@@ -56,8 +60,13 @@ + domain_interactive_fd(crond_t) + domain_cron_exemption_source(crond_t) + ++type crond_initrc_exec_t; ++init_script_file(crond_initrc_exec_t) ++ + type crond_tmp_t; + files_tmp_file(crond_tmp_t) ++files_poly_parent(crond_tmp_t) ++mta_system_content(crond_tmp_t) + + type crond_var_run_t; + files_pid_file(crond_var_run_t) +@@ -70,10 +79,11 @@ + typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; + + cron_common_crontab_template(crontab) +-typealias crontab_t alias { user_crontab_t staff_crontab_t }; ++typealias crontab_t alias { user_crontab_t staff_crontab_t unconfined_crontab_t }; + typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; + typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; + typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; ++allow admin_crontab_t crond_t:process signal; + + type system_cron_spool_t, cron_spool_type; + files_type(system_cron_spool_t) +@@ -103,6 +113,13 @@ + files_type(user_cron_spool_t) + ubac_constrained(user_cron_spool_t) + ++type system_cronjob_var_lib_t; ++files_type(system_cronjob_var_lib_t) ++typealias 
system_cronjob_var_lib_t alias system_crond_var_lib_t; ++ ++type system_cronjob_var_run_t; ++files_pid_file(system_cronjob_var_run_t) ++ + ######################################## + # + # Admin crontab local policy +@@ -130,7 +147,7 @@ + # Cron daemon local policy + # + +-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control }; ++allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; + dontaudit crond_t self:capability { sys_resource sys_tty_config }; + allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow crond_t self:process { setexec setfscreate }; +@@ -146,22 +163,23 @@ + allow crond_t self:msg { send receive }; + allow crond_t self:key { search write link }; + +-allow crond_t crond_var_run_t:file manage_file_perms; ++manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) + files_pid_filetrans(crond_t,crond_var_run_t,file) + +-allow crond_t cron_spool_t:dir rw_dir_perms; +-allow crond_t cron_spool_t:file read_file_perms; ++manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) + + manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) + manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) + files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) + +-allow crond_t system_cron_spool_t:dir list_dir_perms; +-allow crond_t system_cron_spool_t:file read_file_perms; ++list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) ++read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) + + kernel_read_kernel_sysctls(crond_t) ++kernel_read_fs_sysctls(crond_t) + kernel_search_key(crond_t) + ++dev_read_kmsg(crond_t) + dev_read_sysfs(crond_t) + selinux_get_fs_mount(crond_t) + selinux_validate_context(crond_t) +@@ -174,6 +192,7 @@ + + fs_getattr_all_fs(crond_t) + fs_search_auto_mountpoints(crond_t) ++fs_list_inotifyfs(crond_t) + + # need auth_chkpwd to check for locked accounts. 
+ auth_domtrans_chk_passwd(crond_t) +@@ -183,7 +202,11 @@ + corecmd_read_bin_symlinks(crond_t) + + domain_use_interactive_fds(crond_t) ++domain_subj_id_change_exemption(crond_t) ++domain_role_change_exemption(crond_t) + ++files_read_usr_files(crond_t) ++files_read_etc_runtime_files(crond_t) + files_read_etc_files(crond_t) + files_read_generic_spool(crond_t) + files_list_usr(crond_t) +@@ -192,10 +215,15 @@ + files_search_default(crond_t) + + init_rw_utmp(crond_t) ++init_spec_domtrans_script(crond_t) + + auth_use_nsswitch(crond_t) + ++logging_send_audit_msgs(crond_t) + logging_send_syslog_msg(crond_t) ++logging_set_loginuid(crond_t) ++ ++rpc_search_nfs_state_data(crond_t) + + seutil_read_config(crond_t) + seutil_read_default_contexts(crond_t) +@@ -208,6 +236,7 @@ + userdom_list_user_home_dirs(crond_t) + + mta_send_mail(crond_t) ++mta_system_content(cron_spool_t) + + ifdef(`distro_debian',` + # pam_limits is used +@@ -227,21 +256,43 @@ + ') + ') + ++tunable_policy(`allow_polyinstantiation',` ++ files_polyinstantiate_all(crond_t) ++') ++ ++optional_policy(` ++ apache_search_sys_content(crond_t) ++') ++ + optional_policy(` + locallogin_search_keys(crond_t) + locallogin_link_keys(crond_t) + ') + ++optional_policy(` ++ # these should probably be unconfined_crond_t ++ init_dbus_send_script(crond_t) ++') ++ ++optional_policy(` ++ mono_domtrans(crond_t) ++') + -+ role system_r types $1; + tunable_policy(`fcron_crond', ` + allow crond_t system_cron_spool_t:file manage_file_perms; + ') + + optional_policy(` ++ amanda_search_var_lib(crond_t) ++') + -+ domtrans_pattern(system_dbusd_t, $2, $1) ++optional_policy(` + amavis_search_lib(crond_t) + ') + + optional_policy(` +- hal_dbus_send(crond_t) ++ hal_dbus_chat(crond_t) ++ hal_dbus_chat(system_cronjob_t) + ') + + optional_policy(` +@@ -268,8 +319,8 @@ + # System cron process domain + # + +-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid }; +-allow 
system_cronjob_t self:process { signal_perms setsched }; ++allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; ++allow system_cronjob_t self:process { signal_perms getsched setsched }; + allow system_cronjob_t self:fifo_file rw_fifo_file_perms; + allow system_cronjob_t self:passwd rootok; + +@@ -283,7 +334,14 @@ + allow system_cronjob_t cron_var_lib_t:file manage_file_perms; + files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) + ++allow system_cronjob_t cron_var_run_t:file manage_file_perms; ++files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) + -+ dbus_system_bus_client($1) -+ dbus_connect_system_bus($1) + allow system_cronjob_t system_cron_spool_t:file read_file_perms; + -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; -+ '); -+') ++# anacron forces the following ++allow system_cronjob_t system_cron_spool_t:file { write setattr }; + -+######################################## -+## -+## Dontaudit Read, and write system dbus TCP sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` -+ gen_require(` -+ type system_dbusd_t; -+ ') + # The entrypoint interface is not used as this is not + # a regular entrypoint. 
Since crontab files are + # not directly executed, crond must ensure that +@@ -314,9 +372,13 @@ + filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) + files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) + ++# var/lib files for system_crond ++files_search_var_lib(system_cronjob_t) ++manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) + -+ allow $1 system_dbusd_t:tcp_socket { read write }; -+ allow $1 system_dbusd_t:fd use; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.7/policy/modules/services/dbus.te ---- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/dbus.te 2009-03-03 17:11:59.000000000 -0500 -@@ -9,14 +9,15 @@ - # - # Delcarations - # -- -+attribute dbusd_unconfined; - attribute session_bus_type; + # Read from /var/spool/cron. + allow system_cronjob_t cron_spool_t:dir list_dir_perms; +-allow system_cronjob_t cron_spool_t:file read_file_perms; ++allow system_cronjob_t cron_spool_t:file rw_file_perms; - type dbusd_etc_t; --files_type(dbusd_etc_t) -+files_config_file(dbusd_etc_t) + kernel_read_kernel_sysctls(system_cronjob_t) + kernel_read_system_state(system_cronjob_t) +@@ -370,7 +432,8 @@ + init_read_utmp(system_cronjob_t) + init_dontaudit_rw_utmp(system_cronjob_t) + # prelink tells init to restart it self, we either need to allow or dontaudit +-init_write_initctl(system_cronjob_t) ++init_telinit(system_cronjob_t) ++init_spec_domtrans_script(system_cronjob_t) - type dbusd_exec_t; - corecmd_executable_file(dbusd_exec_t) -+typealias dbusd_exec_t alias system_dbusd_exec_t; + auth_use_nsswitch(system_cronjob_t) - type session_dbusd_tmp_t; - typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; -@@ -31,11 +32,25 @@ - files_tmp_file(system_dbusd_tmp_t) +@@ -378,6 +441,7 @@ 
+ libs_exec_ld_so(system_cronjob_t) - type system_dbusd_var_lib_t; --files_pid_file(system_dbusd_var_lib_t) -+files_type(system_dbusd_var_lib_t) + logging_read_generic_logs(system_cronjob_t) ++logging_send_audit_msgs(system_cronjob_t) + logging_send_syslog_msg(system_cronjob_t) - type system_dbusd_var_run_t; - files_pid_file(system_dbusd_var_run_t) + miscfiles_read_localization(system_cronjob_t) +@@ -418,6 +482,10 @@ + ') -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mcs_systemhigh) + optional_policy(` ++ dbus_system_bus_client(system_cronjob_t) +') + -+ifdef(`enable_mls',` -+ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mls_systemhigh) -+ mls_fd_use_all_levels(system_dbusd_t) -+ mls_rangetrans_target(system_dbusd_t) -+ mls_file_read_all_levels(system_dbusd_t) -+ mls_socket_write_all_levels(system_dbusd_t) -+ mls_socket_read_to_clearance(system_dbusd_t) -+ mls_dbus_recv_all_levels(system_dbusd_t) ++optional_policy(` + ftp_read_log(system_cronjob_t) + ') + +@@ -428,11 +496,20 @@ + ') + + optional_policy(` ++ lpd_list_spool(system_cronjob_t) +') + - ############################## - # - # System bus local policy -@@ -45,7 +60,7 @@ - # cjp: dac_override should probably go in a distro_debian - allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; - dontaudit system_dbusd_t self:capability sys_tty_config; --allow system_dbusd_t self:process { getattr signal_perms setcap }; -+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; - allow system_dbusd_t self:fifo_file rw_fifo_file_perms; - allow system_dbusd_t self:dbus { send_msg acquire_svc }; - allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -@@ -53,6 +68,8 @@ - # Receive notifications of policy reloads and enforcing status changes. 
- allow system_dbusd_t self:netlink_selinux_socket { create bind read }; - -+can_exec(system_dbusd_t, dbusd_exec_t) ++optional_policy(` ++ mono_domtrans(system_cronjob_t) ++') + - allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; - read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) - read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) -@@ -75,6 +92,8 @@ ++optional_policy(` + mrtg_append_create_logs(system_cronjob_t) + ') - fs_getattr_all_fs(system_dbusd_t) - fs_search_auto_mountpoints(system_dbusd_t) -+fs_list_inotifyfs(system_dbusd_t) -+fs_dontaudit_list_nfs(system_dbusd_t) + optional_policy(` + mta_send_mail(system_cronjob_t) ++ mta_system_content(system_cron_spool_t) + ') - selinux_get_fs_mount(system_dbusd_t) - selinux_validate_context(system_dbusd_t) -@@ -91,9 +110,9 @@ - corecmd_list_bin(system_dbusd_t) - corecmd_read_bin_pipes(system_dbusd_t) - corecmd_read_bin_sockets(system_dbusd_t) --corecmd_exec_bin(system_dbusd_t) + optional_policy(` +@@ -447,6 +524,7 @@ + prelink_read_cache(system_cronjob_t) + prelink_manage_log(system_cronjob_t) + prelink_delete_cache(system_cronjob_t) ++ prelink_manage_var_lib(system_cronjob_t) + ') - domain_use_interactive_fds(system_dbusd_t) -+domain_read_all_domains_state(system_dbusd_t) + optional_policy(` +@@ -460,8 +538,7 @@ + ') - files_read_etc_files(system_dbusd_t) - files_list_home(system_dbusd_t) -@@ -101,6 +120,8 @@ + optional_policy(` +- # cjp: why? 
+- squid_domtrans(system_cronjob_t) ++ spamassassin_manage_lib_files(system_cronjob_t) + ') + + optional_policy(` +@@ -469,24 +546,17 @@ + ') + + optional_policy(` ++ unconfined_dbus_send(crond_t) ++ unconfined_shell_domtrans(crond_t) ++ unconfined_domain(crond_t) + unconfined_domain(system_cronjob_t) +- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) +-') +- +-ifdef(`TODO',` +-ifdef(`mta.te', ` +-allow system_cronjob_t mail_spool_t:lnk_file read; +-allow mta_user_agent system_cronjob_t:fd use; +-r_dir_file(system_mail_t, crond_tmp_t) + ') +-') dnl end TODO + + ######################################## + # + # User cronjobs local policy + # + +-allow cronjob_t self:capability dac_override; + allow cronjob_t self:process { signal_perms setsched }; + allow cronjob_t self:fifo_file rw_fifo_file_perms; + allow cronjob_t self:unix_stream_socket create_stream_socket_perms; +@@ -570,6 +640,9 @@ + userdom_manage_user_home_content_sockets(cronjob_t) + #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) + ++list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++ + tunable_policy(`fcron_crond', ` + allow crond_t user_cron_spool_t:file manage_file_perms; + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.8/policy/modules/services/cups.fc +--- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/cups.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -5,27 +5,38 @@ + /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/etc/cups/ppd/.* -- 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) ++ ++/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) - init_use_fds(system_dbusd_t) - init_use_script_ptys(system_dbusd_t) -+init_bin_domtrans_spec(system_dbusd_t) -+init_domtrans_script(system_dbusd_t) + /etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) - logging_send_audit_msgs(system_dbusd_t) - logging_send_syslog_msg(system_dbusd_t) -@@ -128,9 +149,34 @@ - ') + /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - optional_policy(` -+ gnome_exec_gconf(system_dbusd_t) -+') -+ -+optional_policy(` -+ networkmanager_initrc_domtrans(system_dbusd_t) -+') -+ -+optional_policy(` -+ polkit_domtrans_auth(system_dbusd_t) -+ polkit_search_lib(system_dbusd_t) -+') ++/opt/gutenprint/ppds(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + -+optional_policy(` - sysnet_domtrans_dhcpc(system_dbusd_t) - ') + /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) - optional_policy(` - udev_read_db(system_dbusd_t) - ') -+ -+optional_policy(` -+ gen_require(` -+ type unconfined_dbusd_t; -+ ') -+ unconfined_domain(unconfined_dbusd_t) -+ unconfined_execmem_domtrans(unconfined_dbusd_t) -+ -+ optional_policy(` -+ xserver_rw_shm(unconfined_dbusd_t) -+ ') -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.7/policy/modules/services/dcc.te ---- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/dcc.te 2009-03-03 17:11:59.000000000 -0500 -@@ -137,6 +137,7 @@ +-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) +-/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) +-/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) ++/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) ++/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) - corenet_all_recvfrom_unlabeled(dcc_client_t) - corenet_all_recvfrom_netlabel(dcc_client_t) -+corenet_udp_bind_generic_node(dcc_client_t) - corenet_udp_sendrecv_generic_if(dcc_client_t) - corenet_udp_sendrecv_generic_node(dcc_client_t) - corenet_udp_sendrecv_all_ports(dcc_client_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.7/policy/modules/services/devicekit.fc ---- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/devicekit.fc 2009-03-03 17:11:59.000000000 -0500 -@@ 
-0,0 +1,7 @@ -+ -+/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) -+/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -+ -+/var/lib/DeviceKit-power(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) -+ -+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.7/policy/modules/services/devicekit.if ---- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/devicekit.if 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,177 @@ -+ -+## policy for devicekit -+ -+######################################## -+## -+## Execute a domain transition to run devicekit. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`devicekit_domtrans',` -+ gen_require(` -+ type devicekit_t; -+ type devicekit_exec_t; -+ ') -+ -+ domtrans_pattern($1,devicekit_exec_t,devicekit_t) -+') -+ -+ -+######################################## -+## -+## Read devicekit PID files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`devicekit_read_pid_files',` -+ gen_require(` -+ type devicekit_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) -+') + /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + + /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) + /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + /usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) ++# keep as separate lines to ensure proper sorting ++/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) + -+######################################## -+## -+## Manage devicekit var_run files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`devicekit_manage_var_run',` -+ gen_require(` -+ type devicekit_var_run_t; -+ ') + /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) + /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) +@@ -33,7 +44,7 @@ + + /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) + /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) + + /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +@@ -43,10 +54,19 @@ + /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + + /var/log/cups(/.*)? 
gen_context(system_u:object_r:cupsd_log_t,s0) +-/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0) ++/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) + ++/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) + /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) + /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) + /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) + -+ manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t) -+ manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t) -+ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t) -+') ++/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + ++/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + -+######################################## -+## -+## Send and receive messages from -+## devicekit over dbus. ++/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.8/policy/modules/services/cups.if +--- nsaserefpolicy/policy/modules/services/cups.if 2008-11-11 16:13:47.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/cups.if 2009-03-05 15:25:24.000000000 -0500 +@@ -20,6 +20,30 @@ + + ######################################## + ## ++## Setup cups to transtion to the cups backend domain +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. 
+## +## +# -+interface(`devicekit_dbus_chat',` ++interface(`cups_backend',` + gen_require(` -+ type devicekit_t; -+ class dbus send_msg; ++ type cupsd_t; + ') + -+ allow $1 devicekit_t:dbus send_msg; -+ allow devicekit_t $1:dbus send_msg; -+') ++ domtrans_pattern(cupsd_t, $2, $1) + -+######################################## -+## -+## Send signal devicekit power -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`devicekit_power_signal',` -+ gen_require(` -+ type devicekit_power_t; -+ ') ++ allow cupsd_t $1:process signal; ++ allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; + -+ allow $1 devicekit_power_t:process signal; ++ cups_read_config($1) ++ cups_append_log($1) +') + +######################################## +## -+## Send and receive messages from -+## devicekit power over dbus. + ## Connect to cupsd over an unix domain stream socket. + ## + ## +@@ -212,6 +236,25 @@ + + ######################################## + ## ++## Append cups log files. +## +## +## 
@@ -12565,451 +10195,647 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`devicekit_power_dbus_chat',` ++interface(`cups_append_log',` + gen_require(` -+ type devicekit_power_t; -+ class dbus send_msg; ++ type cupsd_log_t; + ') + -+ allow $1 devicekit_power_t:dbus send_msg; -+ allow devicekit_power_t $1:dbus send_msg; ++ logging_search_logs($1) ++ append_files_pattern($1, cupsd_log_t, cupsd_log_t) +') + +######################################## +## -+## All of the rules required to administrate -+## an devicekit environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the devicekit domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## -+## -+## -+# -+interface(`devicekit_admin',` -+ gen_require(` -+ type devicekit_t; -+ ') -+ -+ allow $1 devicekit_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, devicekit_t, devicekit_t) -+ -+ -+ devicekit_manage_var_run($1) -+ -+') + ## Write cups log files. + ## + ## +@@ -247,3 +290,66 @@ + files_search_pids($1) + stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) + ') + +######################################## +## -+## Send to devicekit over a unix domain -+## datagram socket. ++## All of the rules required to administrate ++## an cups environment +## +## +## +## Domain allowed access. +## +## ++## ++## ++## The role to be allowed to manage the cups domain. 
++## ++## ++## +# -+interface(`devicekit_dgram_send',` ++interface(`cups_admin',` + gen_require(` -+ type devicekit_t; ++ type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; ++ type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; ++ type cupsd_config_var_run_t, cupsd_lpd_var_run_t; ++ type cupsd_var_run_t, ptal_etc_t; ++ type ptal_var_run_t, hplip_var_run_t; ++ type cupsd_initrc_exec_t; + ') + -+ allow $1 devicekit_t:unix_dgram_socket sendto; -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.7/policy/modules/services/devicekit.te ---- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/devicekit.te 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,138 @@ -+policy_module(devicekit,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type devicekit_t; -+type devicekit_exec_t; -+dbus_system_domain(devicekit_t, devicekit_exec_t) -+ -+permissive devicekit_t; -+ -+type devicekit_power_t; -+type devicekit_power_exec_t; -+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) ++ allow $1 cupsd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, cupsd_t) ++ ++ init_labeled_script_domtrans($1, cupsd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 cupsd_initrc_exec_t system_r; ++ allow $2 system_r; + -+permissive devicekit_power_t; ++ files_list_tmp($1) ++ admin_pattern($1, cupsd_tmp_t) + -+type devicekit_var_run_t; -+files_pid_file(devicekit_var_run_t) ++ admin_pattern($1, cupsd_lpd_tmp_t) + -+type devicekit_var_lib_t; -+files_type(devicekit_var_lib_t) ++ files_list_etc($1) ++ admin_pattern($1, cupsd_etc_t) + -+# -+# DeviceKit local policy -+# -+allow devicekit_t self:unix_dgram_socket create_socket_perms; ++ admin_pattern($1, ptal_etc_t) + -+manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) -+manage_files_pattern(devicekit_t, 
devicekit_var_run_t, devicekit_var_run_t) -+files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir }) ++ files_list_spool($1) ++ admin_pattern($1, cupsd_spool_t) + -+dev_read_sysfs(devicekit_t) -+dev_read_urand(devicekit_t) ++ logging_list_logs($1) ++ admin_pattern($1, cupsd_log_t) + -+files_read_etc_files(devicekit_t) ++ files_list_pids($1) ++ admin_pattern($1, cupsd_var_run_t) + -+fs_list_inotifyfs(devicekit_t) ++ admin_pattern($1, ptal_var_run_t) + -+miscfiles_read_localization(devicekit_t) ++ admin_pattern($1, cupsd_config_var_run_t) + -+optional_policy(` -+ dbus_system_bus_client(devicekit_t) -+') ++ admin_pattern($1, cupsd_lpd_var_run_t) + -+optional_policy(` -+ udev_read_db(devicekit_t) ++ admin_pattern($1, hplip_var_run_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.8/policy/modules/services/cups.te +--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/cups.te 2009-03-05 15:25:24.000000000 -0500 +@@ -20,9 +20,18 @@ + type cupsd_etc_t; + files_config_file(cupsd_etc_t) + ++type cupsd_initrc_exec_t; ++init_script_file(cupsd_initrc_exec_t) + -+# -+# DeviceKit-Power local policy -+# -+allow devicekit_power_t self:capability { sys_tty_config dac_override }; -+allow devicekit_power_t self:fifo_file rw_fifo_file_perms; -+allow devicekit_power_t self:unix_dgram_socket create_socket_perms; -+ -+manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -+manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -+files_search_var_lib(devicekit_power_t) -+ -+corecmd_exec_bin(devicekit_power_t) -+corecmd_exec_shell(devicekit_power_t) -+ -+consoletype_exec(devicekit_power_t) -+ -+domain_read_all_domains_state(devicekit_power_t) -+ -+kernel_read_system_state(devicekit_power_t) -+kernel_rw_kernel_sysctl(devicekit_power_t) 
-+kernel_rw_hotplug_sysctls(devicekit_power_t) -+kernel_write_proc_files(devicekit_power_t) -+ -+dev_rw_generic_usb_dev(devicekit_power_t) -+dev_rw_netcontrol(devicekit_power_t) -+dev_rw_sysfs(devicekit_power_t) -+ -+files_read_etc_files(devicekit_power_t) -+files_read_usr_files(devicekit_power_t) -+ -+fs_list_inotifyfs(devicekit_power_t) -+ -+term_use_all_terms(devicekit_power_t) -+ -+auth_use_nsswitch(devicekit_power_t) ++type cupsd_interface_t; ++files_type(cupsd_interface_t) + -+miscfiles_read_localization(devicekit_power_t) + type cupsd_rw_etc_t; + files_config_file(cupsd_rw_etc_t) + ++type cupsd_lock_t; ++files_lock_file(cupsd_lock_t) + -+userdom_read_all_users_state(devicekit_power_t) + type cupsd_log_t; + logging_log_file(cupsd_log_t) + +@@ -48,6 +57,10 @@ + type hplip_t; + type hplip_exec_t; + init_daemon_domain(hplip_t, hplip_exec_t) ++# For CUPS to run as a backend ++cups_backend(hplip_t, hplip_exec_t) ++domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) ++read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) + + type hplip_etc_t; + files_config_file(hplip_etc_t) +@@ -65,6 +78,16 @@ + type ptal_var_run_t; + files_pid_file(ptal_var_run_t) + ++type cups_pdf_t; ++type cups_pdf_exec_t; ++domain_type(cups_pdf_t) ++domain_entry_file(cups_pdf_t, cups_pdf_exec_t) ++cups_backend(cups_pdf_t, cups_pdf_exec_t) ++role system_r types cups_pdf_t; + -+optional_policy(` -+ hal_domtrans_mac(devicekit_power_t) -+ hal_write_log(devicekit_power_t) -+ hal_manage_pid_dirs(devicekit_power_t) -+ hal_manage_pid_files(devicekit_power_t) -+ hal_dbus_chat(devicekit_power_t) -+') ++type cups_pdf_tmp_t; ++files_tmp_file(cups_pdf_tmp_t) + -+optional_policy(` -+ cron_initrc_domtrans(devicekit_power_t) -+') + ifdef(`enable_mcs',` + init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) + ') +@@ -79,13 +102,14 @@ + # + + # /usr/lib/cups/backend/serial needs sys_admin(?!) 
+-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; ++allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; + dontaudit cupsd_t self:capability { sys_tty_config net_admin }; +-allow cupsd_t self:process { setsched signal_perms }; +-allow cupsd_t self:fifo_file rw_file_perms; ++allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; ++allow cupsd_t self:fifo_file rw_fifo_file_perms; + allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow cupsd_t self:unix_dgram_socket create_socket_perms; + allow cupsd_t self:netlink_selinux_socket create_socket_perms; ++allow cupsd_t self:shm create_shm_perms; + allow cupsd_t self:tcp_socket create_stream_socket_perms; + allow cupsd_t self:udp_socket create_socket_perms; + allow cupsd_t self:appletalk_socket create_socket_perms; +@@ -97,6 +121,9 @@ + read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) + files_search_etc(cupsd_t) + ++manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) ++can_exec(cupsd_t, cupsd_interface_t) + -+optional_policy(` -+ polkit_domtrans_auth(devicekit_power_t) -+ polkit_read_lib(devicekit_power_t) -+ polkit_read_reload(devicekit_power_t) -+') + manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) + manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) + filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) +@@ -104,8 +131,11 @@ + + # allow cups to execute its backend scripts + can_exec(cupsd_t, cupsd_exec_t) +-allow cupsd_t cupsd_exec_t:dir search; +-allow cupsd_t cupsd_exec_t:lnk_file read; ++allow cupsd_t cupsd_exec_t:dir search_dir_perms; ++allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; + -+optional_policy(` -+ dbus_system_bus_client(devicekit_power_t) -+ allow 
devicekit_power_t devicekit_t:dbus send_msg; -+ allow devicekit_t devicekit_power_t:dbus send_msg; ++allow cupsd_t cupsd_lock_t:file manage_file_perms; ++files_lock_filetrans(cupsd_t, cupsd_lock_t, file) + + manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) + allow cupsd_t cupsd_log_t:dir setattr; +@@ -116,13 +146,20 @@ + manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) + files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) + ++# This whole section needs to be moved to a smbspool policy ++# smbspool seems to be iterating through all existing tmp files. ++# Looking for kerberos files ++files_getattr_all_tmp_files(cupsd_t) ++userdom_read_user_tmp_files(cupsd_t) ++files_dontaudit_getattr_all_tmp_sockets(cupsd_t) + -+ optional_policy(` -+ consolekit_dbus_chat(devicekit_power_t) + allow cupsd_t cupsd_var_run_t:dir setattr; + manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) + manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) ++manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) + files_pid_filetrans(cupsd_t, cupsd_var_run_t, file) + +-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) +- ++allow cupsd_t hplip_t:process {signal sigkill }; + allow cupsd_t hplip_var_run_t:file read_file_perms; + + stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) +@@ -149,44 +186,49 @@ + corenet_tcp_bind_reserved_port(cupsd_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) + corenet_tcp_connect_all_ports(cupsd_t) ++corenet_tcp_connect_smbd_port(cupsd_t) + corenet_sendrecv_hplip_client_packets(cupsd_t) + corenet_sendrecv_ipp_client_packets(cupsd_t) + corenet_sendrecv_ipp_server_packets(cupsd_t) ++corenet_tcp_bind_all_rpc_ports(cupsd_t) + + dev_rw_printer(cupsd_t) + dev_read_urand(cupsd_t) + dev_read_sysfs(cupsd_t) +-dev_read_usbfs(cupsd_t) ++dev_rw_input_dev(cupsd_t) #447878 ++dev_rw_generic_usb_dev(cupsd_t) ++dev_rw_usbfs(cupsd_t) + dev_getattr_printer_dev(cupsd_t) + + 
domain_read_all_domains_state(cupsd_t) + + fs_getattr_all_fs(cupsd_t) + fs_search_auto_mountpoints(cupsd_t) ++fs_read_anon_inodefs_files(cupsd_t) + ++mls_fd_use_all_levels(cupsd_t) + mls_file_downgrade(cupsd_t) + mls_file_write_all_levels(cupsd_t) + mls_file_read_all_levels(cupsd_t) ++mls_rangetrans_target(cupsd_t) + mls_socket_write_all_levels(cupsd_t) + + term_use_unallocated_ttys(cupsd_t) + term_search_ptys(cupsd_t) + +-auth_domtrans_chk_passwd(cupsd_t) +-auth_dontaudit_read_pam_pid(cupsd_t) +- + # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp + corecmd_exec_shell(cupsd_t) + corecmd_exec_bin(cupsd_t) + + domain_use_interactive_fds(cupsd_t) + ++files_list_spool(cupsd_t) + files_read_etc_files(cupsd_t) + files_read_etc_runtime_files(cupsd_t) + # read python modules + files_read_usr_files(cupsd_t) + # for /var/lib/defoma +-files_search_var_lib(cupsd_t) ++files_read_var_lib_files(cupsd_t) + files_list_world_readable(cupsd_t) + files_read_world_readable_files(cupsd_t) + files_read_world_readable_symlinks(cupsd_t) +@@ -195,15 +237,16 @@ + files_read_var_symlinks(cupsd_t) + # for /etc/printcap + files_dontaudit_write_etc_files(cupsd_t) +-# smbspool seems to be iterating through all existing tmp files. 
+-# redhat bug #214953 +-# cjp: this might be a broken behavior +-files_dontaudit_getattr_all_tmp_files(cupsd_t) + + selinux_compute_access_vector(cupsd_t) ++selinux_validate_context(cupsd_t) + + init_exec_script_files(cupsd_t) ++init_read_utmp(cupsd_t) + ++auth_domtrans_chk_passwd(cupsd_t) ++auth_dontaudit_read_pam_pid(cupsd_t) ++auth_rw_faillog(cupsd_t) + auth_use_nsswitch(cupsd_t) + + # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* +@@ -217,17 +260,21 @@ + miscfiles_read_fonts(cupsd_t) + + seutil_read_config(cupsd_t) ++sysnet_exec_ifconfig(cupsd_t) + +-sysnet_read_config(cupsd_t) +- ++files_dontaudit_list_home(cupsd_t) + userdom_dontaudit_use_unpriv_user_fds(cupsd_t) + userdom_dontaudit_search_user_home_content(cupsd_t) + + # Write to /var/spool/cups. + lpd_manage_spool(cupsd_t) ++lpd_read_config(cupsd_t) ++lpd_exec_lpr(cupsd_t) ++lpd_relabel_spool(cupsd_t) + + ifdef(`enable_mls',` +- lpd_relabel_spool(cupsd_t) ++ mls_trusted_object(cupsd_var_run_t) ++ init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh) + ') + + optional_policy(` +@@ -244,8 +291,16 @@ + userdom_dbus_send_all_users(cupsd_t) + + optional_policy(` ++ avahi_dbus_chat(cupsd_t) + ') + + optional_policy(` -+ networkmanager_dbus_chat(devicekit_power_t) -+ ') + hal_dbus_chat(cupsd_t) + ') + + optional_policy(` -+ rpm_dbus_chat(devicekit_power_t) ++ unconfined_dbus_chat(cupsd_t) + ') + ') + + optional_policy(` +@@ -261,6 +316,10 @@ + ') + + optional_policy(` ++ mta_send_mail(cupsd_t) +') + +optional_policy(` -+ bootloader_domtrans(devicekit_power_t) -+') -+ -+optional_policy(` -+ fstools_domtrans(devicekit_power_t) + # cups execs smbtool which reads samba_etc_t files + samba_read_config(cupsd_t) + samba_rw_var_files(cupsd_t) +@@ -279,7 +338,7 @@ + # Cups configuration daemon local policy + # + +-allow cupsd_config_t self:capability { chown sys_tty_config }; ++allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; + dontaudit cupsd_config_t self:capability 
sys_tty_config; + allow cupsd_config_t self:process signal_perms; + allow cupsd_config_t self:fifo_file rw_fifo_file_perms; +@@ -311,7 +370,7 @@ + files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) + + kernel_read_system_state(cupsd_config_t) +-kernel_read_kernel_sysctls(cupsd_config_t) ++kernel_read_all_sysctls(cupsd_config_t) + + corenet_all_recvfrom_unlabeled(cupsd_config_t) + corenet_all_recvfrom_netlabel(cupsd_config_t) +@@ -324,6 +383,7 @@ + dev_read_sysfs(cupsd_config_t) + dev_read_urand(cupsd_config_t) + dev_read_rand(cupsd_config_t) ++dev_rw_generic_usb_dev(cupsd_config_t) + + fs_getattr_all_fs(cupsd_config_t) + fs_search_auto_mountpoints(cupsd_config_t) +@@ -341,13 +401,14 @@ + files_read_var_symlinks(cupsd_config_t) + + # Alternatives asks for this +-init_getattr_script_files(cupsd_config_t) ++init_getattr_all_script_files(cupsd_config_t) + + auth_use_nsswitch(cupsd_config_t) + + logging_send_syslog_msg(cupsd_config_t) + + miscfiles_read_localization(cupsd_config_t) ++miscfiles_read_hwdata(cupsd_config_t) + + seutil_dontaudit_search_config(cupsd_config_t) + +@@ -359,14 +420,16 @@ + lpd_read_config(cupsd_config_t) + + ifdef(`distro_redhat',` +- init_getattr_script_files(cupsd_config_t) +- + optional_policy(` + rpm_read_db(cupsd_config_t) + ') + ') + + optional_policy(` ++ term_use_generic_ptys(cupsd_config_t) +') + +optional_policy(` -+ vbetool_domtrans(devicekit_power_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.7/policy/modules/services/dhcp.if ---- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/dhcp.if 2009-03-03 17:11:59.000000000 -0500 -@@ -22,6 +22,25 @@ + cron_system_entry(cupsd_config_t, cupsd_config_exec_t) + ') - ######################################## - ## -+## Execute dhcp server in the dhcp domain. 
-+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+# -+interface(`dhcpd_initrc_domtrans',` -+ gen_require(` -+ type dhcpd_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) -+') -+ -+######################################## -+## - ## All of the rules required to administrate - ## an dhcp environment - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.6.7/policy/modules/services/dnsmasq.fc ---- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/dnsmasq.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -5,3 +5,4 @@ - /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) - /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) - /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -+/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.7/policy/modules/services/dnsmasq.if ---- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-11-18 18:57:21.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/dnsmasq.if 2009-03-03 17:11:59.000000000 -0500 -@@ -22,6 +22,25 @@ +@@ -382,6 +445,7 @@ + optional_policy(` + hal_domtrans(cupsd_config_t) + hal_read_tmp_files(cupsd_config_t) ++ hal_dontaudit_use_fds(hplip_t) + ') - ######################################## - ## -+## Execute dnsmasq server in the dnsmasq domain. -+## -+## -+## -+## The type of the process performing this action. 
-+## -+## -+# -+# -+interface(`dnsmasq_initrc_domtrans',` -+ gen_require(` -+ type dnsmasq_initrc_exec_t; -+ ') + optional_policy(` +@@ -491,7 +555,10 @@ + allow hplip_t self:udp_socket create_socket_perms; + allow hplip_t self:rawip_socket create_socket_perms; + +-allow hplip_t cupsd_etc_t:dir search; ++allow hplip_t cupsd_etc_t:dir search_dir_perms; ++manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) ++manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) ++files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir }) + + cups_stream_connect(hplip_t) + +@@ -500,6 +567,10 @@ + read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) + files_search_etc(hplip_t) + ++fs_rw_anon_inodefs_files(hplip_t) + -+ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) -+') ++read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) + -+######################################## -+## - ## Send dnsmasq a signal - ## - ## -@@ -39,6 +58,26 @@ - allow $1 dnsmasq_t:process signal; - ') + manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) + files_pid_filetrans(hplip_t, hplip_var_run_t, file) + +@@ -529,7 +600,8 @@ + dev_read_urand(hplip_t) + dev_read_rand(hplip_t) + dev_rw_generic_usb_dev(hplip_t) +-dev_read_usbfs(hplip_t) ++dev_rw_usbfs(hplip_t) ++ + + fs_getattr_all_fs(hplip_t) + fs_search_auto_mountpoints(hplip_t) +@@ -553,7 +625,9 @@ + userdom_dontaudit_search_user_home_dirs(hplip_t) + userdom_dontaudit_search_user_home_content(hplip_t) + +-lpd_read_config(cupsd_t) ++ ++lpd_read_config(hplip_t) ++lpd_manage_spool(hplip_t) + optional_policy(` + dbus_system_bus_client(hplip_t) +@@ -635,3 +709,49 @@ + optional_policy(` + udev_read_db(ptal_t) + ') + +######################################## -+## -+## Send dnsmasq a signull -+## -+## -+## -+## Domain allowed access. 
-+## -+## +# ++# cups_pdf local policy +# -+interface(`dnsmasq_signull',` -+ gen_require(` -+ type dnsmasq_t; -+ ') + -+ allow $1 dnsmasq_t:process signull; -+') ++allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override }; + - ######################################## - ## - ## Send dnsmasq a kill signal. -@@ -60,6 +99,44 @@ - - ######################################## - ## -+## Delete dnsmasq pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`dnsmasq_delete_pid_files',` -+ gen_require(` -+ type dnsmasq_var_run_t; -+ ') ++allow cups_pdf_t self:fifo_file rw_file_perms; ++allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; + -+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) -+') ++files_read_etc_files(cups_pdf_t) ++files_read_usr_files(cups_pdf_t) + -+######################################## -+## -+## Read dnsmasq pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# -+interface(`dnsmasq_read_pid_files',` -+ gen_require(` -+ type dnsmasq_var_run_t; -+ ') ++kernel_read_system_state(cups_pdf_t) + -+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ++auth_use_nsswitch(cups_pdf_t) ++ ++corecmd_exec_shell(cups_pdf_t) ++corecmd_exec_bin(cups_pdf_t) ++ ++miscfiles_read_localization(cups_pdf_t) ++ ++manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) ++manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) ++files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) ++ ++userdom_home_filetrans_user_home_dir(cups_pdf_t) ++userdom_manage_user_home_content_dirs(cups_pdf_t) ++userdom_manage_user_home_content_files(cups_pdf_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(cups_pdf_t) ++ fs_manage_nfs_files(cups_pdf_t) +') + -+######################################## -+## - ## All of the rules required to administrate - ## an dnsmasq environment - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.7/policy/modules/services/dnsmasq.te ---- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/dnsmasq.te 2009-03-03 17:11:59.000000000 -0500 -@@ -69,21 +69,22 @@ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(cups_pdf_t) ++ fs_manage_cifs_files(cups_pdf_t) ++') ++ ++lpd_manage_spool(cups_pdf_t) ++ ++manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) ++miscfiles_read_fonts(cups_pdf_t) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.6.8/policy/modules/services/cvs.if +--- nsaserefpolicy/policy/modules/services/cvs.if 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/cvs.if 2009-03-05 15:25:24.000000000 -0500 +@@ -15,7 +15,9 @@ + type cvs_data_t; + ') - # allow access to dnsmasq.conf - files_read_etc_files(dnsmasq_t) -+files_read_etc_runtime_files(dnsmasq_t) +- allow $1 cvs_data_t:file { getattr read }; ++ list_dirs_pattern($1, cvs_data_t, cvs_data_t) ++ read_files_pattern($1, cvs_data_t, cvs_data_t) ++ read_lnk_files_pattern($1, cvs_data_t, cvs_data_t) + ') - fs_getattr_all_fs(dnsmasq_t) - fs_search_auto_mountpoints(dnsmasq_t) + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.8/policy/modules/services/cvs.te +--- nsaserefpolicy/policy/modules/services/cvs.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/cvs.te 2009-03-05 15:25:24.000000000 -0500 +@@ -112,4 +112,5 @@ + read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) + manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) ++ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) + ') +diff -b 
-B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.6.8/policy/modules/services/dbus.fc +--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/dbus.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -4,6 +4,9 @@ + /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) + /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) -+auth_use_nsswitch(dnsmasq_t) ++/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) ++/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) + - logging_send_syslog_msg(dnsmasq_t) + /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) - miscfiles_read_localization(dnsmasq_t) + /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.8/policy/modules/services/dbus.if +--- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/dbus.if 2009-03-05 15:25:24.000000000 -0500 +@@ -44,6 +44,7 @@ --sysnet_read_config(dnsmasq_t) -- - userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) - userdom_dontaudit_search_user_home_dirs(dnsmasq_t) + attribute session_bus_type; + type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; ++ type $1_t; + ') - optional_policy(` -- nis_use_ypbind(dnsmasq_t) -+ cron_manage_pid_files(dnsmasq_t) - ') + ############################## +@@ -91,7 +92,7 @@ + allow $3 $1_dbusd_t:process { sigkill signal }; - optional_policy(` -@@ -96,4 +97,5 @@ + # cjp: this seems very broken +- corecmd_bin_domtrans($1_dbusd_t, $3) ++ corecmd_bin_domtrans($1_dbusd_t, $1_t) + allow $1_dbusd_t $3:process sigkill; + allow $3 $1_dbusd_t:fd use; + allow $3 
$1_dbusd_t:fifo_file rw_fifo_file_perms; +@@ -117,6 +118,7 @@ + dev_read_urand($1_dbusd_t) - optional_policy(` - virt_manage_lib_files(dnsmasq_t) -+ virt_read_pid_files(dnsmasq_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.7/policy/modules/services/dovecot.fc ---- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/dovecot.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -6,6 +6,7 @@ - /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) + domain_use_interactive_fds($1_dbusd_t) ++ domain_read_all_domains_state($1_dbusd_t) - /etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) -+/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) + files_read_etc_files($1_dbusd_t) + files_list_home($1_dbusd_t) +@@ -145,6 +147,8 @@ + seutil_read_config($1_dbusd_t) + seutil_read_default_contexts($1_dbusd_t) - # - # /usr -@@ -17,19 +18,22 @@ ++ term_use_all_terms($1_dbusd_t) ++ + userdom_read_user_home_content_files($1_dbusd_t) - ifdef(`distro_debian', ` - /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) - ') + ifdef(`hide_broken_symptoms', ` +@@ -160,6 +164,10 @@ + ') - ifdef(`distro_redhat', ` - /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -+/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) - ') + optional_policy(` ++ gnome_read_gconf_home_files($1_dbusd_t) ++ ') ++ ++ optional_policy(` + hal_dbus_chat($1_dbusd_t) + ') - # - # /var - # - /var/run/dovecot(-login)?(/.*)? 
gen_context(system_u:object_r:dovecot_var_run_t,s0) --# this is a hard link to /var/lib/dovecot/ssl-parameters.dat --/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0) -+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) +@@ -185,10 +193,12 @@ + type system_dbusd_t, system_dbusd_t; + type system_dbusd_var_run_t, system_dbusd_var_lib_t; + class dbus send_msg; ++ attribute dbusd_unconfined; + ') - /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) + # SE-DBus specific permissions +- allow $1 { system_dbusd_t self }:dbus send_msg; ++ allow $1 { system_dbusd_t self dbusd_unconfined }:dbus send_msg; ++ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; -+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) + read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + files_search_var_lib($1) +@@ -197,6 +207,10 @@ + files_search_pids($1) + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) + dbus_read_config($1) + - /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.7/policy/modules/services/dovecot.if ---- nsaserefpolicy/policy/modules/services/dovecot.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/dovecot.if 2009-03-03 17:11:59.000000000 -0500 -@@ -21,7 +21,46 @@ ++ optional_policy(` ++ rpm_script_dbus_chat($1) ++ ') + ') + + ####################################### +@@ -244,6 +258,35 @@ ######################################## ## --## Do not audit attempts to delete dovecot lib files. -+## Connect to dovecot auth unix domain stream socket. ++## Chat on user/application specific DBUS. ++## ++## ++## ++## The prefix of the domain (e.g., user ++## is the prefix for user_t). 
+## ++## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`dovecot_auth_stream_connect',` ++template(`dbus_chat_user_bus',` + gen_require(` -+ type dovecot_auth_t, dovecot_var_run_t; ++ type $1_t; ++ type $1_dbusd_t; ++ class dbus send_msg; + ') + -+ allow $1 dovecot_var_run_t:dir search; -+ allow $1 dovecot_var_run_t:sock_file write; -+ allow $1 dovecot_auth_t:unix_stream_socket connectto; ++ allow $2 $1_dbusd_t:dbus send_msg; ++ allow $1_dbusd_t $2:dbus send_msg; ++ allow $2 $1_t:dbus send_msg; ++ allow $1_t $2:dbus send_msg; +') + +######################################## +## -+## Execute dovecot_deliver in the dovecot_deliver domain. + ## Read dbus configuration. + ## + ## +@@ -318,3 +361,77 @@ + + allow $1 system_dbusd_t:dbus *; + ') ++ ++######################################## ++## ++## Allow unconfined access to the system DBUS. +## +## +## 
@@ -13017,305 +10843,387 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dovecot_domtrans_deliver',` ++interface(`dbus_unconfined',` + gen_require(` -+ type dovecot_deliver_t, dovecot_deliver_exec_t; ++ attribute dbusd_unconfined; + ') + -+ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) ++ typeattribute $1 dbusd_unconfined; +') + -+####################################### -+## -+## Do not audit attempts to d`elete dovecot lib files. - ## - ## - ## -@@ -36,3 +75,60 @@ - - dontaudit $1 dovecot_var_lib_t:file unlink; - ') -+ +######################################## +## -+## All of the rules required to administrate -+## an dovecot environment ++## Create a domain for processes ++## which can be started by the system dbus +## +## +## -+## Domain allowed access. ++## Type to be used as a domain. +## +## -+## ++## +## -+## The role to be allowed to manage the dovecot domain. ++## Type of the program to be used as an entry point to this domain. 
+## +## -+## +# -+interface(`dovecot_admin',` ++interface(`dbus_system_domain',` + gen_require(` -+ type dovecot_t, dovecot_etc_t, dovecot_log_t; -+ type dovecot_spool_t, dovecot_var_lib_t; -+ type dovecot_var_run_t; -+ -+ type dovecot_cert_t, dovecot_passwd_t; -+ type dovecot_initrc_exec_t; ++ type system_dbusd_t; ++ role system_r; + ') + -+ allow $1 dovecot_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, dovecot_t) -+ -+ init_labeled_script_domtrans($1, dovecot_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 dovecot_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ admin_pattern($1, dovecot_etc_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, dovecot_log_t) -+ -+ files_list_spool($1) -+ admin_pattern($1, dovecot_spool_t) ++ domain_type($1) ++ domain_entry_file($1, $2) + -+ files_list_var_lib($1) -+ admin_pattern($1, dovecot_var_lib_t) ++ role system_r types $1; + -+ files_list_pids($1) -+ admin_pattern($1, dovecot_var_run_t) ++ domtrans_pattern(system_dbusd_t, $2, $1) + -+ admin_pattern($1, dovecot_cert_t) ++ dbus_system_bus_client($1) ++ dbus_connect_system_bus($1) + -+ admin_pattern($1, dovecot_passwd_t) ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ++ '); +') + ++######################################## ++## ++## Dontaudit Read, and write system dbus TCP sockets. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ++ gen_require(` ++ type system_dbusd_t; ++ ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.7/policy/modules/services/dovecot.te ---- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/dovecot.te 2009-03-03 17:11:59.000000000 -0500 -@@ -15,12 +15,21 @@ - domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) - role system_r types dovecot_auth_t; ++ allow $1 system_dbusd_t:tcp_socket { read write }; ++ allow $1 system_dbusd_t:fd use; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.8/policy/modules/services/dbus.te +--- nsaserefpolicy/policy/modules/services/dbus.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/dbus.te 2009-03-05 15:25:24.000000000 -0500 +@@ -9,14 +9,15 @@ + # + # Delcarations + # +- ++attribute dbusd_unconfined; + attribute session_bus_type; -+type dovecot_deliver_t; -+type dovecot_deliver_exec_t; -+domain_type(dovecot_deliver_t) -+domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) -+role system_r types dovecot_deliver_t; -+ - type dovecot_cert_t; - files_type(dovecot_cert_t) + type dbusd_etc_t; +-files_type(dbusd_etc_t) ++files_config_file(dbusd_etc_t) - type dovecot_etc_t; - files_config_file(dovecot_etc_t) + type dbusd_exec_t; + corecmd_executable_file(dbusd_exec_t) ++typealias dbusd_exec_t alias system_dbusd_exec_t; -+type dovecot_initrc_exec_t; -+init_script_file(dovecot_initrc_exec_t) -+ - type dovecot_passwd_t; - files_type(dovecot_passwd_t) + type session_dbusd_tmp_t; + typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; +@@ -31,11 +32,25 @@ + files_tmp_file(system_dbusd_tmp_t) -@@ -31,9 +40,15 @@ - type dovecot_var_lib_t; - 
files_type(dovecot_var_lib_t) + type system_dbusd_var_lib_t; +-files_pid_file(system_dbusd_var_lib_t) ++files_type(system_dbusd_var_lib_t) -+type dovecot_var_log_t; -+logging_log_file(dovecot_var_log_t) -+ - type dovecot_var_run_t; - files_pid_file(dovecot_var_run_t) + type system_dbusd_var_run_t; + files_pid_file(system_dbusd_var_run_t) -+type dovecot_auth_tmp_t; -+files_tmp_file(dovecot_auth_tmp_t) ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mcs_systemhigh) ++') + - ######################################## - # - # dovecot local policy -@@ -58,6 +73,10 @@ - - can_exec(dovecot_t, dovecot_exec_t) - -+# log files -+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -+logging_log_filetrans(dovecot_t, dovecot_var_log_t, file) ++ifdef(`enable_mls',` ++ init_ranged_daemon_domain(system_dbusd_t, dbusd_exec_t,s0 - mls_systemhigh) ++ mls_fd_use_all_levels(system_dbusd_t) ++ mls_rangetrans_target(system_dbusd_t) ++ mls_file_read_all_levels(system_dbusd_t) ++ mls_socket_write_all_levels(system_dbusd_t) ++ mls_socket_read_to_clearance(system_dbusd_t) ++ mls_dbus_recv_all_levels(system_dbusd_t) ++') + - manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) - manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) - manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) -@@ -85,6 +104,7 @@ - dev_read_urand(dovecot_t) - - fs_getattr_all_fs(dovecot_t) -+fs_getattr_all_dirs(dovecot_t) - fs_search_auto_mountpoints(dovecot_t) - fs_list_inotifyfs(dovecot_t) - -@@ -98,7 +118,7 @@ - files_dontaudit_list_default(dovecot_t) - # Dovecot now has quota support and it uses getmntent() to find the mountpoints. 
- files_read_etc_runtime_files(dovecot_t) --files_getattr_all_mountpoints(dovecot_t) -+files_search_all_mountpoints(dovecot_t) - - init_getattr_utmp(dovecot_t) - -@@ -120,7 +140,7 @@ - mta_manage_spool(dovecot_t) - - optional_policy(` -- kerberos_use(dovecot_t) -+ kerberos_keytab_template(dovecot, dovecot_t) - ') - - optional_policy(` -@@ -140,25 +160,35 @@ - # dovecot auth local policy + ############################## # + # System bus local policy +@@ -45,7 +60,7 @@ + # cjp: dac_override should probably go in a distro_debian + allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; + dontaudit system_dbusd_t self:capability sys_tty_config; +-allow system_dbusd_t self:process { getattr signal_perms setcap }; ++allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; + allow system_dbusd_t self:fifo_file rw_fifo_file_perms; + allow system_dbusd_t self:dbus { send_msg acquire_svc }; + allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; +@@ -53,6 +68,8 @@ + # Receive notifications of policy reloads and enforcing status changes. 
+ allow system_dbusd_t self:netlink_selinux_socket { create bind read }; --allow dovecot_auth_t self:capability { setgid setuid }; -+allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; - allow dovecot_auth_t self:process signal_perms; - allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; - allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; - allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; - --allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl }; -+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; - --allow dovecot_auth_t dovecot_passwd_t:file read_file_perms; -+read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) ++can_exec(system_dbusd_t, dbusd_exec_t) + -+manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) -+manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) -+files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) + allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; + read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) + read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) +@@ -75,6 +92,8 @@ - # Allow dovecot to create and read SSL parameters file - manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) - files_search_var_lib(dovecot_t) -+files_read_var_symlinks(dovecot_t) + fs_getattr_all_fs(system_dbusd_t) + fs_search_auto_mountpoints(system_dbusd_t) ++fs_list_inotifyfs(system_dbusd_t) ++fs_dontaudit_list_nfs(system_dbusd_t) - allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; -+manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) -+dovecot_auth_stream_connect(dovecot_auth_t) + selinux_get_fs_mount(system_dbusd_t) + selinux_validate_context(system_dbusd_t) +@@ -91,9 +110,9 @@ + corecmd_list_bin(system_dbusd_t) + corecmd_read_bin_pipes(system_dbusd_t) + 
corecmd_read_bin_sockets(system_dbusd_t) +-corecmd_exec_bin(system_dbusd_t) - kernel_read_all_sysctls(dovecot_auth_t) - kernel_read_system_state(dovecot_auth_t) + domain_use_interactive_fds(system_dbusd_t) ++domain_read_all_domains_state(system_dbusd_t) -+logging_send_audit_msgs(dovecot_auth_t) -+logging_send_syslog_msg(dovecot_auth_t) -+ - dev_read_urand(dovecot_auth_t) + files_read_etc_files(system_dbusd_t) + files_list_home(system_dbusd_t) +@@ -101,6 +120,8 @@ - auth_domtrans_chk_passwd(dovecot_auth_t) -@@ -167,6 +197,7 @@ - files_read_etc_files(dovecot_auth_t) - files_read_etc_runtime_files(dovecot_auth_t) - files_search_pids(dovecot_auth_t) -+files_read_usr_files(dovecot_auth_t) - files_read_usr_symlinks(dovecot_auth_t) - files_search_tmp(dovecot_auth_t) - files_read_var_lib_files(dovecot_t) -@@ -182,5 +213,58 @@ + init_use_fds(system_dbusd_t) + init_use_script_ptys(system_dbusd_t) ++init_bin_domtrans_spec(system_dbusd_t) ++init_domtrans_script(system_dbusd_t) + + logging_send_audit_msgs(system_dbusd_t) + logging_send_syslog_msg(system_dbusd_t) +@@ -128,9 +149,34 @@ ') optional_policy(` -- logging_send_syslog_msg(dovecot_auth_t) -+ mysql_search_db(dovecot_auth_t) -+ mysql_stream_connect(dovecot_auth_t) - ') ++ gnome_exec_gconf(system_dbusd_t) ++') + +optional_policy(` -+ nis_authenticate(dovecot_auth_t) ++ networkmanager_initrc_domtrans(system_dbusd_t) +') + +optional_policy(` -+ postfix_manage_private_sockets(dovecot_auth_t) -+ postfix_search_spool(dovecot_auth_t) ++ polkit_domtrans_auth(system_dbusd_t) ++ polkit_search_lib(system_dbusd_t) +') + -+# for gssapi (kerberos) -+userdom_list_user_tmp(dovecot_auth_t) -+userdom_read_user_tmp_files(dovecot_auth_t) -+userdom_read_user_tmp_symlinks(dovecot_auth_t) ++optional_policy(` + sysnet_domtrans_dhcpc(system_dbusd_t) + ') + + optional_policy(` + udev_read_db(system_dbusd_t) + ') ++ ++optional_policy(` ++ gen_require(` ++ type unconfined_dbusd_t; ++ ') ++ unconfined_domain(unconfined_dbusd_t) ++ 
unconfined_execmem_domtrans(unconfined_dbusd_t) ++ ++ optional_policy(` ++ xserver_rw_shm(unconfined_dbusd_t) ++ ') ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.8/policy/modules/services/dcc.te +--- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/dcc.te 2009-03-05 15:25:24.000000000 -0500 +@@ -137,6 +137,7 @@ + + corenet_all_recvfrom_unlabeled(dcc_client_t) + corenet_all_recvfrom_netlabel(dcc_client_t) ++corenet_udp_bind_generic_node(dcc_client_t) + corenet_udp_sendrecv_generic_if(dcc_client_t) + corenet_udp_sendrecv_generic_node(dcc_client_t) + corenet_udp_sendrecv_all_ports(dcc_client_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.8/policy/modules/services/devicekit.fc +--- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/devicekit.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,7 @@ ++ ++/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) ++/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) ++ ++/var/lib/DeviceKit-power(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) ++ ++/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.8/policy/modules/services/devicekit.if +--- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/devicekit.if 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,177 @@ ++ ++## policy for devicekit + +######################################## ++## ++## Execute a domain transition to run devicekit. 
++## ++## ++## ++## Domain allowed to transition. ++## ++## +# -+# dovecot deliver local policy -+# -+allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; ++interface(`devicekit_domtrans',` ++ gen_require(` ++ type devicekit_t; ++ type devicekit_exec_t; ++ ') + -+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; -+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; ++ domtrans_pattern($1,devicekit_exec_t,devicekit_t) ++') + -+kernel_read_all_sysctls(dovecot_deliver_t) -+kernel_read_system_state(dovecot_deliver_t) + -+files_read_etc_files(dovecot_deliver_t) -+files_read_etc_runtime_files(dovecot_deliver_t) ++######################################## ++## ++## Read devicekit PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_read_pid_files',` ++ gen_require(` ++ type devicekit_var_run_t; ++ ') + -+auth_use_nsswitch(dovecot_deliver_t) ++ files_search_pids($1) ++ read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) ++') + -+logging_send_syslog_msg(dovecot_deliver_t) ++######################################## ++## ++## Manage devicekit var_run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_manage_var_run',` ++ gen_require(` ++ type devicekit_var_run_t; ++ ') + -+miscfiles_read_localization(dovecot_deliver_t) ++ manage_dirs_pattern($1,devicekit_var_run_t,devicekit_var_run_t) ++ manage_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t) ++ manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t) ++') + -+dovecot_auth_stream_connect(dovecot_deliver_t) + -+files_search_tmp(dovecot_deliver_t) -+fs_getattr_all_fs(dovecot_deliver_t) ++######################################## ++## ++## Send and receive messages from ++## devicekit over dbus. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`devicekit_dbus_chat',` ++ gen_require(` ++ type devicekit_t; ++ class dbus send_msg; ++ ') + -+userdom_manage_user_home_content_dirs(dovecot_deliver_t) -+userdom_manage_user_home_content_files(dovecot_deliver_t) -+userdom_manage_user_home_content_symlinks(dovecot_deliver_t) -+userdom_manage_user_home_content_pipes(dovecot_deliver_t) -+userdom_manage_user_home_content_sockets(dovecot_deliver_t) -+userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) ++ allow $1 devicekit_t:dbus send_msg; ++ allow devicekit_t $1:dbus send_msg; ++') + -+optional_policy(` -+ mta_manage_spool(dovecot_deliver_t) ++######################################## ++## ++## Send signal devicekit power ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_power_signal',` ++ gen_require(` ++ type devicekit_power_t; ++ ') ++ ++ allow $1 devicekit_power_t:process signal; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.7/policy/modules/services/exim.if ---- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/exim.if 2009-03-03 17:11:59.000000000 -0500 -@@ -97,6 +97,26 @@ - - ######################################## - ## -+## Allow the specified domain to manage exim's log files. ++######################################## ++## ++## Send and receive messages from ++## devicekit power over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_power_dbus_chat',` ++ gen_require(` ++ type devicekit_power_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 devicekit_power_t:dbus send_msg; ++ allow devicekit_power_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an devicekit environment +## +## +## +## Domain allowed access. 
+## +## ++## ++## ++## The role to be allowed to manage the devicekit domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## +## +# -+interface(`exim_manage_log',` ++interface(`devicekit_admin',` + gen_require(` -+ type exim_log_t; ++ type devicekit_t; + ') + -+ manage_files_pattern($1, exim_log_t, exim_log_t) -+ logging_search_logs($1) -+') ++ allow $1 devicekit_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, devicekit_t, devicekit_t) ++ + -+######################################## -+## - ## Allow the specified domain to append - ## exim log files. - ## -@@ -154,3 +174,23 @@ - manage_files_pattern($1, exim_spool_t, exim_spool_t) - files_search_spool($1) - ') ++ devicekit_manage_var_run($1) ++ ++') + +######################################## +## -+## Create, read, write, and delete -+## exim spool dirs. ++## Send to devicekit over a unix domain ++## datagram socket. +## +## +## @@ -13323,345 +11231,230 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`exim_manage_spool_dirs',` ++interface(`devicekit_dgram_send',` + gen_require(` -+ type exim_spool_t; ++ type devicekit_t; + ') + -+ manage_dirs_pattern($1, exim_spool_t, exim_spool_t) -+ files_search_spool($1) ++ allow $1 devicekit_t:unix_dgram_socket sendto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.7/policy/modules/services/exim.te ---- nsaserefpolicy/policy/modules/services/exim.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/exim.te 2009-03-03 17:11:59.000000000 -0500 -@@ -21,9 +21,20 @@ - ## - gen_tunable(exim_manage_user_files, false) - -+## -+##
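Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets` is named and documented as a dontaudit interface, but its body grants the access outright — `allow $1 system_dbusd_t:tcp_socket { read write };` and `allow $1 system_dbusd_t:fd use;` — so a caller that only wants to silence denials instead gains read/write on the system bus daemon's TCP sockets; either rename the interface or change both rules to `dontaudit`. In the same hunk `devicekit_admin` documents a role (`$2`) and a terminal type (`$3`) that its body never references (only `$1` appears), so either drop those parameter descriptions or wire the role in as the other admin interfaces in this patch do. The `');` closing the `hide_broken_symptoms` block in `dbus_system_domain` carries a trailing semicolon that the neighbouring `ifdef` blocks do not; if m4 passes it through to the policy source it is at best a stray token, so it is worth confirming it is intentional.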

-+## Allow exim to connect to databases (postgres, mysql) -+##

-+##
-+gen_tunable(exim_can_connect_db, false) + - type exim_t; - type exim_exec_t; - init_daemon_domain(exim_t, exim_exec_t) -+mta_mailserver(exim_t, exim_exec_t) -+mta_mailserver_user_agent(exim_t) -+application_executable_file(exim_exec_t) -+mta_agent_executable(exim_exec_t) - - type exim_log_t; - logging_log_file(exim_log_t) -@@ -42,10 +53,12 @@ - # exim local policy - # - --allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown }; -+allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; -+allow exim_t self:process { setrlimit setpgid }; - allow exim_t self:fifo_file rw_fifo_file_perms; - allow exim_t self:unix_stream_socket create_stream_socket_perms; - allow exim_t self:tcp_socket create_stream_socket_perms; -+allow exim_t self:udp_socket create_socket_perms; - - can_exec(exim_t,exim_exec_t) - -@@ -66,12 +79,15 @@ - files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) - - kernel_read_kernel_sysctls(exim_t) -- - kernel_dontaudit_read_system_state(exim_t) -+kernel_read_network_state(exim_t) - - corecmd_search_bin(exim_t) - - corenet_all_recvfrom_unlabeled(exim_t) -+corenet_all_recvfrom_netlabel(exim_t) -+corenet_udp_sendrecv_generic_if(exim_t) -+corenet_udp_sendrecv_generic_node(exim_t) - corenet_tcp_sendrecv_generic_if(exim_t) - corenet_tcp_sendrecv_generic_node(exim_t) - corenet_tcp_sendrecv_all_ports(exim_t) -@@ -82,6 +98,8 @@ - corenet_tcp_connect_smtp_port(exim_t) - corenet_tcp_connect_ldap_port(exim_t) - corenet_tcp_connect_inetd_child_port(exim_t) -+# connect to spamassassin -+corenet_tcp_connect_spamd_port(exim_t) - - dev_read_rand(exim_t) - dev_read_urand(exim_t) -@@ -89,20 +107,27 @@ - # Init script handling - domain_use_interactive_fds(exim_t) - -+files_search_usr(exim_t) -+files_search_var(exim_t) - files_read_etc_files(exim_t) -+files_read_etc_runtime_files(exim_t) - - auth_use_nsswitch(exim_t) - - logging_send_syslog_msg(exim_t) - - miscfiles_read_localization(exim_t) 
-+miscfiles_read_certs(exim_t) - --sysnet_dns_name_resolve(exim_t) -+fs_getattr_xattr_fs(exim_t) -+fs_list_inotifyfs(exim_t) - - userdom_dontaudit_search_user_home_dirs(exim_t) - - mta_read_aliases(exim_t) --mta_rw_spool(exim_t) -+mta_read_config(exim_t) -+mta_manage_spool(exim_t) -+mta_mailserver_delivery(exim_t) - - tunable_policy(`exim_read_user_files',` - userdom_read_user_home_content_files(exim_t) -@@ -114,3 +139,62 @@ - userdom_read_user_tmp_files(exim_t) - userdom_write_user_tmp_files(exim_t) - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.8/policy/modules/services/devicekit.te +--- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/devicekit.te 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,138 @@ ++policy_module(devicekit,1.0.0) + -+tunable_policy(`exim_can_connect_db',` -+ corenet_tcp_connect_mysqld_port(exim_t) -+ corenet_sendrecv_mysqld_client_packets(exim_t) -+ corenet_tcp_connect_postgresql_port(exim_t) -+ corenet_sendrecv_postgresql_client_packets(exim_t) -+') ++######################################## ++# ++# Declarations ++# + -+optional_policy(` -+ dovecot_auth_stream_connect(exim_t) -+') ++type devicekit_t; ++type devicekit_exec_t; ++dbus_system_domain(devicekit_t, devicekit_exec_t) + -+optional_policy(` -+ tunable_policy(`exim_can_connect_db',` -+ mysql_stream_connect(exim_t) -+ ') -+') ++permissive devicekit_t; + -+optional_policy(` -+ tunable_policy(`exim_can_connect_db',` -+ postgresql_stream_connect(exim_t) -+') -+') ++type devicekit_power_t; ++type devicekit_power_exec_t; ++dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) + -+optional_policy(` -+ kerberos_keytab_template(exim, exim_t) -+') ++permissive devicekit_power_t; + -+optional_policy(` -+ mailman_read_data_files(exim_t) -+ mailman_domtrans(exim_t) -+') ++type devicekit_var_run_t; 
++files_pid_file(devicekit_var_run_t) ++ ++type devicekit_var_lib_t; ++files_type(devicekit_var_lib_t) ++ ++# ++# DeviceKit local policy ++# ++allow devicekit_t self:unix_dgram_socket create_socket_perms; ++ ++manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) ++manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) ++files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir }) ++ ++dev_read_sysfs(devicekit_t) ++dev_read_urand(devicekit_t) ++ ++files_read_etc_files(devicekit_t) ++ ++fs_list_inotifyfs(devicekit_t) ++ ++miscfiles_read_localization(devicekit_t) + +optional_policy(` -+ procmail_domtrans(exim_t) ++ dbus_system_bus_client(devicekit_t) +') + +optional_policy(` -+ sasl_connect(exim_t) ++ udev_read_db(devicekit_t) +') + ++# ++# DeviceKit-Power local policy ++# ++allow devicekit_power_t self:capability { sys_tty_config dac_override }; ++allow devicekit_power_t self:fifo_file rw_fifo_file_perms; ++allow devicekit_power_t self:unix_dgram_socket create_socket_perms; ++ ++manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) ++manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) ++files_search_var_lib(devicekit_power_t) ++ ++corecmd_exec_bin(devicekit_power_t) ++corecmd_exec_shell(devicekit_power_t) ++ ++consoletype_exec(devicekit_power_t) ++ ++domain_read_all_domains_state(devicekit_power_t) ++ ++kernel_read_system_state(devicekit_power_t) ++kernel_rw_kernel_sysctl(devicekit_power_t) ++kernel_rw_hotplug_sysctls(devicekit_power_t) ++kernel_write_proc_files(devicekit_power_t) ++ ++dev_rw_generic_usb_dev(devicekit_power_t) ++dev_rw_netcontrol(devicekit_power_t) ++dev_rw_sysfs(devicekit_power_t) ++ ++files_read_etc_files(devicekit_power_t) ++files_read_usr_files(devicekit_power_t) ++ ++fs_list_inotifyfs(devicekit_power_t) ++ ++term_use_all_terms(devicekit_power_t) ++ ++auth_use_nsswitch(devicekit_power_t) ++ ++miscfiles_read_localization(devicekit_power_t) ++ 
++userdom_read_all_users_state(devicekit_power_t) ++ +optional_policy(` -+ cron_read_pipes(exim_t) -+ cron_rw_system_job_pipes(exim_t) ++ hal_domtrans_mac(devicekit_power_t) ++ hal_write_log(devicekit_power_t) ++ hal_manage_pid_dirs(devicekit_power_t) ++ hal_manage_pid_files(devicekit_power_t) ++ hal_dbus_chat(devicekit_power_t) +') + +optional_policy(` -+ cyrus_stream_connect(exim_t) ++ cron_initrc_domtrans(devicekit_power_t) +') + +optional_policy(` -+ clamav_domtrans_clamscan(exim_t) -+ clamav_stream_connect(exim_t) ++ polkit_domtrans_auth(devicekit_power_t) ++ polkit_read_lib(devicekit_power_t) ++ polkit_read_reload(devicekit_power_t) +') + +optional_policy(` -+ spamassassin_exec(exim_t) -+ spamassassin_exec_client(exim_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.7/policy/modules/services/ftp.te ---- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ftp.te 2009-03-03 17:43:31.000000000 -0500 -@@ -26,7 +26,7 @@ - ## - ##

- ## Allow ftp servers to use cifs --## used for public file transfer services. -+## for public file transfer services. - ##

- ##
- gen_tunable(allow_ftpd_use_cifs, false) -@@ -34,13 +34,20 @@ - ## - ##

- ## Allow ftp servers to use nfs --## used for public file transfer services. -+## for public file transfer services. - ##

- ##
- gen_tunable(allow_ftpd_use_nfs, false) - - ## - ##

-+## Allow ftp servers to use connect to mysql database -+##

-+##
-+gen_tunable(ftpd_connect_db, false) -+ -+## -+##

- ## Allow ftp to read and write files in the user home directories - ##

- ##
-@@ -131,6 +138,7 @@ - - dev_read_sysfs(ftpd_t) - dev_read_urand(ftpd_t) -+fs_list_inotifyfs(ftpd_t) - - corecmd_exec_bin(ftpd_t) - -@@ -160,6 +168,7 @@ - - fs_search_auto_mountpoints(ftpd_t) - fs_getattr_all_fs(ftpd_t) -+fs_search_fusefs_dirs(ftpd_t) - - auth_use_nsswitch(ftpd_t) - auth_domtrans_chk_passwd(ftpd_t) -@@ -222,9 +231,15 @@ - userdom_manage_user_home_content_dirs(ftpd_t) - userdom_manage_user_home_content_files(ftpd_t) - userdom_manage_user_home_content_symlinks(ftpd_t) -- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) ++ dbus_system_bus_client(devicekit_power_t) ++ allow devicekit_power_t devicekit_t:dbus send_msg; ++ allow devicekit_t devicekit_power_t:dbus send_msg; + -+ auth_read_all_dirs_except_shadow(ftpd_t) -+ auth_read_all_files_except_shadow(ftpd_t) -+ auth_read_all_symlinks_except_shadow(ftpd_t) - ') - -+# Needed for permissive mode, to make sure everything gets labeled correctly -+userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) ++ optional_policy(` ++ consolekit_dbus_chat(devicekit_power_t) ++ ') + - tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` - fs_manage_nfs_files(ftpd_t) - fs_read_nfs_symlinks(ftpd_t) -@@ -258,7 +273,26 @@ - ') - - optional_policy(` -- kerberos_read_keytab(ftpd_t) -+ kerberos_keytab_template(ftpd, ftpd_t) -+ kerberos_manage_host_rcache(ftpd_t) -+ selinux_validate_context(ftpd_t) -+') ++ optional_policy(` ++ networkmanager_dbus_chat(devicekit_power_t) ++ ') + -+optional_policy(` -+ tunable_policy(`ftpd_connect_db',` -+ mysql_stream_connect(ftpd_t) ++ optional_policy(` ++ rpm_dbus_chat(devicekit_power_t) + ') +') + +optional_policy(` -+ tunable_policy(`ftpd_connect_db',` -+ postgresql_stream_connect(ftpd_t) -+ ') ++ bootloader_domtrans(devicekit_power_t) +') + -+tunable_policy(`ftpd_connect_db',` -+ corenet_tcp_connect_mysqld_port(ftpd_t) -+ corenet_tcp_connect_postgresql_port(ftpd_t) - ') - - optional_policy(` -@@ -270,6 +304,14 @@ - ') - - optional_policy(` 
-+ dbus_system_bus_client(ftpd_t) -+ optional_policy(` -+ oddjob_dbus_chat(ftpd_t) -+ oddjob_domtrans_mkhomedir(ftpd_t) -+ ') ++optional_policy(` ++ fstools_domtrans(devicekit_power_t) +') + +optional_policy(` - seutil_sigchld_newrole(ftpd_t) - ') ++ vbetool_domtrans(devicekit_power_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.8/policy/modules/services/dhcp.if +--- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/dhcp.if 2009-03-05 15:25:24.000000000 -0500 +@@ -22,6 +22,25 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.7/policy/modules/services/gnomeclock.fc ---- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/gnomeclock.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,3 @@ -+ -+/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.7/policy/modules/services/gnomeclock.if ---- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/gnomeclock.if 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,69 @@ -+ -+## policy for gnomeclock -+ -+######################################## -+## -+## Execute a domain transition to run gnomeclock. + ######################################## + ## ++## Execute dhcp server in the dhcp domain. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## The type of the process performing this action. 
++## +## +# -+interface(`gnomeclock_domtrans',` ++# ++interface(`dhcpd_initrc_domtrans',` + gen_require(` -+ type gnomeclock_t; -+ type gnomeclock_exec_t; ++ type dhcpd_initrc_exec_t; + ') + -+ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) ++ init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) +') + -+ +######################################## +## -+## Execute gnomeclock in the gnomeclock domain, and -+## allow the specified role the gnomeclock domain. + ## All of the rules required to administrate + ## an dhcp environment + ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.6.8/policy/modules/services/dnsmasq.fc +--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-11-18 18:57:20.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/dnsmasq.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -5,3 +5,4 @@ + /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) + /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) + /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) ++/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.8/policy/modules/services/dnsmasq.if +--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-11-18 18:57:21.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/dnsmasq.if 2009-03-05 15:25:24.000000000 -0500 +@@ -22,6 +22,25 @@ + + ######################################## + ## ++## Execute dnsmasq server in the dnsmasq domain. +## +## +## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the gnomeclock domain. ++## The type of the process performing this action. 
+## +## +# -+interface(`gnomeclock_run',` ++# ++interface(`dnsmasq_initrc_domtrans',` + gen_require(` -+ type gnomeclock_t; ++ type dnsmasq_initrc_exec_t; + ') + -+ gnomeclock_domtrans($1) -+ role $2 types gnomeclock_t; ++ init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) +') + ++######################################## ++## + ## Send dnsmasq a signal + ## + ## +@@ -39,6 +58,26 @@ + allow $1 dnsmasq_t:process signal; + ') + + +######################################## +## -+## Send and receive messages from -+## gnomeclock over dbus. ++## Send dnsmasq a signull +## +## +## 
@@ -13669,89 +11462,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`gnomeclock_dbus_chat',` -+ gen_require(` -+ type gnomeclock_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 gnomeclock_t:dbus send_msg; -+ allow gnomeclock_t $1:dbus send_msg; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.7/policy/modules/services/gnomeclock.te ---- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/gnomeclock.te 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,51 @@ -+policy_module(gnomeclock, 1.0.0) -+######################################## -+# -+# Declarations -+# -+ -+type gnomeclock_t; -+type gnomeclock_exec_t; -+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) -+ -+######################################## -+# -+# gnomeclock local policy +# -+allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; -+allow gnomeclock_t self:process { getattr getsched }; -+allow gnomeclock_t self:fifo_file rw_fifo_file_perms; -+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; -+ -+corecmd_exec_bin(gnomeclock_t) -+ -+userdom_ptrace_all_users(gnomeclock_t) -+ -+files_read_etc_files(gnomeclock_t) -+files_read_usr_files(gnomeclock_t) -+ -+miscfiles_manage_localization(gnomeclock_t) -+miscfiles_etc_filetrans_localization(gnomeclock_t) -+ -+fs_list_inotifyfs(gnomeclock_t) -+ -+auth_use_nsswitch(gnomeclock_t) -+ -+miscfiles_read_localization(gnomeclock_t) -+ -+userdom_read_all_users_state(gnomeclock_t) -+ -+optional_policy(` -+ consolekit_dbus_chat(gnomeclock_t) -+') -+ -+optional_policy(` -+ clock_domtrans(gnomeclock_t) -+') ++interface(`dnsmasq_signull',` ++ gen_require(` ++ type dnsmasq_t; ++ ') + -+optional_policy(` -+ polkit_domtrans_auth(gnomeclock_t) -+ polkit_read_lib(gnomeclock_t) -+ polkit_read_reload(gnomeclock_t) ++ 
allow $1 dnsmasq_t:process signull; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.7/policy/modules/services/hal.fc ---- nsaserefpolicy/policy/modules/services/hal.fc 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/hal.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -5,6 +5,7 @@ - /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) - - /usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) -+/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0) - /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) - /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) - /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.7/policy/modules/services/hal.if ---- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/hal.if 2009-03-03 17:11:59.000000000 -0500 -@@ -20,6 +20,24 @@ + ######################################## + ## + ## Send dnsmasq a kill signal. +@@ -60,6 +99,44 @@ ######################################## ## -+## Execute hal mac in the hal mac domain. ++## Delete dnsmasq pid files +## +## +## 
@@ -13759,39 +11486,140 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`hal_domtrans_mac',` ++# ++interface(`dnsmasq_delete_pid_files',` + gen_require(` -+ type hald_mac_t, hald_mac_exec_t; ++ type dnsmasq_var_run_t; + ') + -+ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) ++ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) +') + +######################################## +## - ## Get the attributes of a hal process. ++## Read dnsmasq pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++# ++interface(`dnsmasq_read_pid_files',` ++ gen_require(` ++ type dnsmasq_var_run_t; ++ ') ++ ++ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an dnsmasq environment ## - ## -@@ -51,10 +69,7 @@ - type hald_t; - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.8/policy/modules/services/dnsmasq.te +--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/dnsmasq.te 2009-03-05 15:25:24.000000000 -0500 +@@ -69,21 +69,22 @@ -- allow $1 hald_t:dir list_dir_perms; -- read_files_pattern($1, hald_t, hald_t) -- read_lnk_files_pattern($1, hald_t, hald_t) -- dontaudit $1 hald_t:process ptrace; -+ ps_process_pattern($1, hald_t) + # allow access to dnsmasq.conf + files_read_etc_files(dnsmasq_t) ++files_read_etc_runtime_files(dnsmasq_t) + + fs_getattr_all_fs(dnsmasq_t) + fs_search_auto_mountpoints(dnsmasq_t) + ++auth_use_nsswitch(dnsmasq_t) ++ + logging_send_syslog_msg(dnsmasq_t) + + miscfiles_read_localization(dnsmasq_t) + +-sysnet_read_config(dnsmasq_t) +- + userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) + userdom_dontaudit_search_user_home_dirs(dnsmasq_t) + + optional_policy(` +- nis_use_ypbind(dnsmasq_t) ++ 
cron_manage_pid_files(dnsmasq_t) ') - ######################################## -@@ -340,3 +355,41 @@ - files_search_pids($1) - allow $1 hald_var_run_t:file rw_file_perms; + optional_policy(` +@@ -96,4 +97,5 @@ + + optional_policy(` + virt_manage_lib_files(dnsmasq_t) ++ virt_read_pid_files(dnsmasq_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.6.8/policy/modules/services/dovecot.fc +--- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-11-11 16:13:47.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/dovecot.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -6,6 +6,7 @@ + /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) + + /etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) ++/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) + + # + # /usr +@@ -17,19 +18,22 @@ + + ifdef(`distro_debian', ` + /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ++/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) + ') + + ifdef(`distro_redhat', ` + /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ++/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ') + + # + # /var + # + /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) +-# this is a hard link to /var/lib/dovecot/ssl-parameters.dat +-/var/run/dovecot/login/ssl-parameters.dat gen_context(system_u:object_r:dovecot_var_lib_t,s0) ++/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) + + /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) + ++/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) ++ + /var/spool/dovecot(/.*)? 
gen_context(system_u:object_r:dovecot_spool_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.6.8/policy/modules/services/dovecot.if +--- nsaserefpolicy/policy/modules/services/dovecot.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/dovecot.if 2009-03-05 15:25:24.000000000 -0500 +@@ -21,7 +21,46 @@ + + ######################################## + ## +-## Do not audit attempts to delete dovecot lib files. ++## Connect to dovecot auth unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`dovecot_auth_stream_connect',` ++ gen_require(` ++ type dovecot_auth_t, dovecot_var_run_t; ++ ') ++ ++ allow $1 dovecot_var_run_t:dir search; ++ allow $1 dovecot_var_run_t:sock_file write; ++ allow $1 dovecot_auth_t:unix_stream_socket connectto; ++') + +######################################## +## -+## Manage hald PID dirs. ++## Execute dovecot_deliver in the dovecot_deliver domain. +## +## +## 
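Review bot: `dovecot_auth_stream_connect` in the dovecot.if hunk spells out three raw allow rules instead of the refpolicy `stream_connect_pattern` idiom, and it never calls `files_search_pids($1)`, so a caller that cannot already search /var/run will still be denied on the path to the auth socket. The body would read `files_search_pids($1)` followed by `stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)`, which is how the rest of refpolicy expresses dir search / sock_file write / connectto. In the dnsmasq.te hunk, `cron_manage_pid_files(dnsmasq_t)` (dropped into the optional block that used to hold nis_use_ypbind) gives a DNS/DHCP daemon create, write and delete on crond's PID files; if it only needs to look at them a read interface would be the least-privilege choice, and a one-line comment on why dnsmasq touches cron PID files at all would help the next reviewer. In the dovecot.fc hunk the removed comment about ssl-parameters.dat under /var/run being a hard link to the /var/lib copy is what explains why that path carries dovecot_var_lib_t rather than dovecot_var_run_t, so it should be kept alongside the new `--` file-type spec. The dovecot.if hunk continues past this outer hunk.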
@@ -13799,682 +11627,651 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`hal_manage_pid_dirs',` ++interface(`dovecot_domtrans_deliver',` + gen_require(` -+ type hald_var_run_t; ++ type dovecot_deliver_t, dovecot_deliver_exec_t; + ') + -+ files_search_pids($1) -+ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) ++ domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) +') + ++####################################### ++## ++## Do not audit attempts to d`elete dovecot lib files. + ## + ## + ## +@@ -36,3 +75,60 @@ + + dontaudit $1 dovecot_var_lib_t:file unlink; + ') ++ +######################################## +## -+## Manage hald PID files. ++## All of the rules required to administrate ++## an dovecot environment +## +## +## +## Domain allowed access. +## +## ++## ++## ++## The role to be allowed to manage the dovecot domain. ++## ++## ++## +# -+interface(`hal_manage_pid_files',` ++interface(`dovecot_admin',` + gen_require(` -+ type hald_var_run_t; ++ type dovecot_t, dovecot_etc_t, dovecot_log_t; ++ type dovecot_spool_t, dovecot_var_lib_t; ++ type dovecot_var_run_t; ++ ++ type dovecot_cert_t, dovecot_passwd_t; ++ type dovecot_initrc_exec_t; + ') + -+ files_search_pids($1) -+ manage_files_pattern($1, hald_var_run_t, hald_var_run_t) ++ allow $1 dovecot_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, dovecot_t) ++ ++ init_labeled_script_domtrans($1, dovecot_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 dovecot_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_etc($1) ++ admin_pattern($1, dovecot_etc_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, dovecot_log_t) ++ ++ files_list_spool($1) ++ admin_pattern($1, dovecot_spool_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, dovecot_var_lib_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, dovecot_var_run_t) ++ ++ admin_pattern($1, dovecot_cert_t) ++ ++ admin_pattern($1, dovecot_passwd_t) 
+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.7/policy/modules/services/hal.te ---- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/hal.te 2009-03-03 17:11:59.000000000 -0500 -@@ -49,6 +49,15 @@ - type hald_var_lib_t; - files_type(hald_var_lib_t) - -+typealias hald_log_t alias pmtools_log_t; -+typealias hald_var_run_t alias pmtools_var_run_t; + -+type hald_dccm_t; -+type hald_dccm_exec_t; -+domain_type(hald_dccm_t) -+domain_entry_file(hald_dccm_t, hald_dccm_exec_t) -+role system_r types hald_dccm_t; + - ######################################## - # - # Local policy -@@ -143,11 +152,16 @@ - files_getattr_all_dirs(hald_t) - files_read_kernel_img(hald_t) - files_rw_lock_dirs(hald_t) -+files_read_generic_pids(hald_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.8/policy/modules/services/dovecot.te +--- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/dovecot.te 2009-03-05 15:25:24.000000000 -0500 +@@ -15,12 +15,21 @@ + domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) + role system_r types dovecot_auth_t; - fs_getattr_all_fs(hald_t) - fs_search_all(hald_t) - fs_list_inotifyfs(hald_t) - fs_list_auto_mountpoints(hald_t) -+fs_mount_dos_fs(hald_t) -+fs_unmount_dos_fs(hald_t) -+fs_manage_dos_files(hald_t) ++type dovecot_deliver_t; ++type dovecot_deliver_exec_t; ++domain_type(dovecot_deliver_t) ++domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) ++role system_r types dovecot_deliver_t; + - files_getattr_all_mountpoints(hald_t) + type dovecot_cert_t; + files_type(dovecot_cert_t) - mls_file_read_all_levels(hald_t) -@@ -195,6 +209,7 @@ - seutil_read_file_contexts(hald_t) + type dovecot_etc_t; + files_config_file(dovecot_etc_t) - 
sysnet_read_config(hald_t) -+sysnet_domtrans_dhcpc(hald_t) ++type dovecot_initrc_exec_t; ++init_script_file(dovecot_initrc_exec_t) ++ + type dovecot_passwd_t; + files_type(dovecot_passwd_t) - userdom_dontaudit_use_unpriv_user_fds(hald_t) - userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -277,6 +292,13 @@ - ') +@@ -31,9 +40,15 @@ + type dovecot_var_lib_t; + files_type(dovecot_var_lib_t) - optional_policy(` -+ polkit_domtrans_auth(hald_t) -+ polkit_domtrans_resolve(hald_t) -+ polkit_read_lib(hald_t) -+ polkit_read_reload(hald_t) -+') ++type dovecot_var_log_t; ++logging_log_file(dovecot_var_log_t) + -+optional_policy(` - rpc_search_nfs_state_data(hald_t) - ') - -@@ -301,12 +323,16 @@ - virt_manage_images(hald_t) - ') + type dovecot_var_run_t; + files_pid_file(dovecot_var_run_t) -+optional_policy(` -+ xserver_read_pid(hald_t) -+') ++type dovecot_auth_tmp_t; ++files_tmp_file(dovecot_auth_tmp_t) + ######################################## # - # Hal acl local policy - # + # dovecot local policy +@@ -58,6 +73,10 @@ --allow hald_acl_t self:capability { dac_override fowner }; -+allow hald_acl_t self:capability { dac_override fowner sys_resource }; - allow hald_acl_t self:process { getattr signal }; - allow hald_acl_t self:fifo_file rw_fifo_file_perms; + can_exec(dovecot_t, dovecot_exec_t) -@@ -321,6 +347,7 @@ - manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) - manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) - files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) -+allow hald_t hald_var_run_t:dir mounton; ++# log files ++manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) ++logging_log_filetrans(dovecot_t, dovecot_var_log_t, file) ++ + manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) + manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) + manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +@@ -85,6 +104,7 @@ + dev_read_urand(dovecot_t) - corecmd_exec_bin(hald_acl_t) 
+ fs_getattr_all_fs(dovecot_t) ++fs_getattr_all_dirs(dovecot_t) + fs_search_auto_mountpoints(dovecot_t) + fs_list_inotifyfs(dovecot_t) -@@ -339,6 +366,8 @@ +@@ -98,7 +118,7 @@ + files_dontaudit_list_default(dovecot_t) + # Dovecot now has quota support and it uses getmntent() to find the mountpoints. + files_read_etc_runtime_files(dovecot_t) +-files_getattr_all_mountpoints(dovecot_t) ++files_search_all_mountpoints(dovecot_t) - storage_getattr_removable_dev(hald_acl_t) - storage_setattr_removable_dev(hald_acl_t) -+storage_getattr_fixed_disk_dev(hald_acl_t) -+storage_setattr_fixed_disk_dev(hald_acl_t) + init_getattr_utmp(dovecot_t) - auth_use_nsswitch(hald_acl_t) +@@ -120,7 +140,7 @@ + mta_manage_spool(dovecot_t) -@@ -346,12 +375,18 @@ + optional_policy(` +- kerberos_use(dovecot_t) ++ kerberos_keytab_template(dovecot, dovecot_t) + ') - miscfiles_read_localization(hald_acl_t) + optional_policy(` +@@ -140,25 +160,35 @@ + # dovecot auth local policy + # -+optional_policy(` -+ polkit_domtrans_auth(hald_acl_t) -+ polkit_read_lib(hald_acl_t) -+ polkit_read_reload(hald_acl_t) -+') +-allow dovecot_auth_t self:capability { setgid setuid }; ++allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; + allow dovecot_auth_t self:process signal_perms; + allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; + allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; + allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; + +-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl }; ++allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; + +-allow dovecot_auth_t dovecot_passwd_t:file read_file_perms; ++read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) + - ######################################## - # - # Local hald mac policy - # ++manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) ++manage_files_pattern(dovecot_auth_t, 
dovecot_auth_tmp_t, dovecot_auth_tmp_t) ++files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) --allow hald_mac_t self:capability { setgid setuid }; -+allow hald_mac_t self:capability { setgid setuid sys_admin }; + # Allow dovecot to create and read SSL parameters file + manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) + files_search_var_lib(dovecot_t) ++files_read_var_symlinks(dovecot_t) - domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) - allow hald_t hald_mac_t:process signal; -@@ -374,6 +409,8 @@ + allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; ++manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) ++dovecot_auth_stream_connect(dovecot_auth_t) - auth_use_nsswitch(hald_mac_t) + kernel_read_all_sysctls(dovecot_auth_t) + kernel_read_system_state(dovecot_auth_t) -+logging_send_syslog_msg(hald_mac_t) ++logging_send_audit_msgs(dovecot_auth_t) ++logging_send_syslog_msg(dovecot_auth_t) + - miscfiles_read_localization(hald_mac_t) + dev_read_urand(dovecot_auth_t) - ######################################## -@@ -418,3 +455,49 @@ - files_read_usr_files(hald_keymap_t) + auth_domtrans_chk_passwd(dovecot_auth_t) +@@ -167,6 +197,7 @@ + files_read_etc_files(dovecot_auth_t) + files_read_etc_runtime_files(dovecot_auth_t) + files_search_pids(dovecot_auth_t) ++files_read_usr_files(dovecot_auth_t) + files_read_usr_symlinks(dovecot_auth_t) + files_search_tmp(dovecot_auth_t) + files_read_var_lib_files(dovecot_t) +@@ -182,5 +213,58 @@ + ') - miscfiles_read_localization(hald_keymap_t) -+ -+# This is caused by a bug in hald and PolicyKit. 
-+# Should be removed when this is fixed -+cron_read_system_job_lib_files(hald_t) -+ -+######################################## -+# -+# Local hald dccm policy -+# -+allow hald_dccm_t self:capability { net_bind_service }; -+allow hald_dccm_t self:process getsched; -+allow hald_dccm_t self:tcp_socket create_stream_socket_perms; -+allow hald_dccm_t self:udp_socket create_socket_perms; -+allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; -+ -+domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) -+allow hald_t hald_dccm_t:process signal; -+allow hald_dccm_t hald_t:unix_stream_socket connectto; -+ -+corenet_all_recvfrom_unlabeled(hald_dccm_t) -+corenet_all_recvfrom_netlabel(hald_dccm_t) -+corenet_tcp_sendrecv_generic_if(hald_dccm_t) -+corenet_udp_sendrecv_generic_if(hald_dccm_t) -+corenet_tcp_sendrecv_generic_node(hald_dccm_t) -+corenet_udp_sendrecv_generic_node(hald_dccm_t) -+corenet_tcp_sendrecv_all_ports(hald_dccm_t) -+corenet_udp_sendrecv_all_ports(hald_dccm_t) -+corenet_tcp_bind_generic_node(hald_dccm_t) -+corenet_udp_bind_generic_node(hald_dccm_t) -+corenet_udp_bind_dhcpc_port(hald_dccm_t) -+corenet_tcp_bind_ftps_port(hald_dccm_t) -+corenet_tcp_bind_dccm_port(hald_dccm_t) -+ -+kernel_search_network_sysctl(hald_dccm_t) -+ -+manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) -+manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) -+files_search_var_lib(hald_dccm_t) -+ -+write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) -+ -+files_read_usr_files(hald_dccm_t) -+ -+miscfiles_read_localization(hald_dccm_t) -+ -+permissive hald_dccm_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.fc serefpolicy-3.6.7/policy/modules/services/ifplugd.fc ---- nsaserefpolicy/policy/modules/services/ifplugd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ifplugd.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,9 @@ -+ 
-+/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) -+ -+/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0) -+ -+/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0) -+ -+/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.if serefpolicy-3.6.7/policy/modules/services/ifplugd.if ---- nsaserefpolicy/policy/modules/services/ifplugd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ifplugd.if 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,194 @@ -+## policy for ifplugd -+ -+######################################## -+## -+## Execute a domain transition to run ifplugd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ifplugd_domtrans',` -+ gen_require(` -+ type ifplugd_t, ifplugd_exec_t; -+ ') + optional_policy(` +- logging_send_syslog_msg(dovecot_auth_t) ++ mysql_search_db(dovecot_auth_t) ++ mysql_stream_connect(dovecot_auth_t) + ') + -+ domtrans_pattern($1,ifplugd_exec_t,ifplugd_t) ++optional_policy(` ++ nis_authenticate(dovecot_auth_t) +') + -+######################################## -+## -+## Read and write ifplugd UDP sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ifplugd_rw_udp_sockets',` -+ gen_require(` -+ type ifplugd_t; -+ ') -+ -+ allow $1 ifplugd_t:udp_socket { read write }; ++optional_policy(` ++ postfix_manage_private_sockets(dovecot_auth_t) ++ postfix_search_spool(dovecot_auth_t) +') + ++# for gssapi (kerberos) ++userdom_list_user_tmp(dovecot_auth_t) ++userdom_read_user_tmp_files(dovecot_auth_t) ++userdom_read_user_tmp_symlinks(dovecot_auth_t) ++ +######################################## -+## -+## Read and write ifplugd packet sockets. -+## -+## -+## -+## Domain allowed access. 
-+## -+## +# -+interface(`ifplugd_rw_packet_sockets',` -+ gen_require(` -+ type ifplugd_t; -+ ') ++# dovecot deliver local policy ++# ++allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; + -+ allow $1 ifplugd_t:packet_socket { read write }; -+') ++allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; ++allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; + -+######################################## -+## -+## Read and write ifplugd netlink -+## routing sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ifplugd_rw_routing_sockets',` -+ gen_require(` -+ type ifplugd_t; -+ ') ++kernel_read_all_sysctls(dovecot_deliver_t) ++kernel_read_system_state(dovecot_deliver_t) + -+ allow $1 ifplugd_t:netlink_route_socket { read write }; -+') ++files_read_etc_files(dovecot_deliver_t) ++files_read_etc_runtime_files(dovecot_deliver_t) + -+######################################## -+## -+## Send a generic signal to ifplugd -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ifplugd_signal',` -+ gen_require(` -+ type ifplugd_t; -+ ') ++auth_use_nsswitch(dovecot_deliver_t) + -+ allow $1 ifplugd_t:process signal; ++logging_send_syslog_msg(dovecot_deliver_t) ++ ++miscfiles_read_localization(dovecot_deliver_t) ++ ++dovecot_auth_stream_connect(dovecot_deliver_t) ++ ++files_search_tmp(dovecot_deliver_t) ++fs_getattr_all_fs(dovecot_deliver_t) ++ ++userdom_manage_user_home_content_dirs(dovecot_deliver_t) ++userdom_manage_user_home_content_files(dovecot_deliver_t) ++userdom_manage_user_home_content_symlinks(dovecot_deliver_t) ++userdom_manage_user_home_content_pipes(dovecot_deliver_t) ++userdom_manage_user_home_content_sockets(dovecot_deliver_t) ++userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) ++ ++optional_policy(` ++ mta_manage_spool(dovecot_deliver_t) +') + -+######################################## -+## -+## Read ifplugd etc configuration files. 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.6.8/policy/modules/services/exim.if +--- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/exim.if 2009-03-05 15:25:24.000000000 -0500 +@@ -97,6 +97,26 @@ + + ######################################## + ## ++## Allow the specified domain to manage exim's log files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## -+## ++## +# -+interface(`ifplugd_read_etc',` -+ gen_require(` -+ type ifplugd_etc_t; -+ ') ++interface(`exim_manage_log',` ++ gen_require(` ++ type exim_log_t; ++ ') + -+ files_search_etc($1) -+ read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) ++ manage_files_pattern($1, exim_log_t, exim_log_t) ++ logging_search_logs($1) +') + +######################################## +## -+## Manage ifplugd etc configuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`ifplugd_manage_etc',` -+ gen_require(` -+ type ifplugd_etc_t; -+ ') -+ -+ files_search_etc($1) -+ manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t) -+ manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) + ## Allow the specified domain to append + ## exim log files. + ## +@@ -154,3 +174,23 @@ + manage_files_pattern($1, exim_spool_t, exim_spool_t) + files_search_spool($1) + ') + -+') -+ +######################################## +## -+## Read ifplugd PID files. ++## Create, read, write, and delete ++## exim spool dirs. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## -+## +# -+interface(`ifplugd_read_pid_files',` -+ gen_require(` -+ type ifplugd_var_run_t; -+ ') ++interface(`exim_manage_spool_dirs',` ++ gen_require(` ++ type exim_spool_t; ++ ') + -+ files_search_pids($1) -+ allow $1 ifplugd_var_run_t:file read_file_perms; ++ manage_dirs_pattern($1, exim_spool_t, exim_spool_t) ++ files_search_spool($1) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.8/policy/modules/services/exim.te +--- nsaserefpolicy/policy/modules/services/exim.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/exim.te 2009-03-05 15:25:24.000000000 -0500 +@@ -21,9 +21,20 @@ + ## + gen_tunable(exim_manage_user_files, false) + ++## ++##

++## Allow exim to connect to databases (postgres, mysql) ++##

++##
++gen_tunable(exim_can_connect_db, false) + -+######################################## -+## -+## All of the rules required to administrate -+## an ifplugd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the ifplugd domain. -+## -+## -+## -+## -+# -+interface(`ifplugd_admin',` -+ gen_require(` -+ type ifplugd_t, ifplugd_etc_t; -+ type ifplugd_var_run_t, ifplugd_initrc_exec_t; -+ ') + type exim_t; + type exim_exec_t; + init_daemon_domain(exim_t, exim_exec_t) ++mta_mailserver(exim_t, exim_exec_t) ++mta_mailserver_user_agent(exim_t) ++application_executable_file(exim_exec_t) ++mta_agent_executable(exim_exec_t) + + type exim_log_t; + logging_log_file(exim_log_t) +@@ -42,10 +53,12 @@ + # exim local policy + # + +-allow exim_t self:capability { dac_override dac_read_search setuid setgid fowner chown }; ++allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; ++allow exim_t self:process { setrlimit setpgid }; + allow exim_t self:fifo_file rw_fifo_file_perms; + allow exim_t self:unix_stream_socket create_stream_socket_perms; + allow exim_t self:tcp_socket create_stream_socket_perms; ++allow exim_t self:udp_socket create_socket_perms; + + can_exec(exim_t,exim_exec_t) + +@@ -66,12 +79,15 @@ + files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) + + kernel_read_kernel_sysctls(exim_t) +- + kernel_dontaudit_read_system_state(exim_t) ++kernel_read_network_state(exim_t) + + corecmd_search_bin(exim_t) + + corenet_all_recvfrom_unlabeled(exim_t) ++corenet_all_recvfrom_netlabel(exim_t) ++corenet_udp_sendrecv_generic_if(exim_t) ++corenet_udp_sendrecv_generic_node(exim_t) + corenet_tcp_sendrecv_generic_if(exim_t) + corenet_tcp_sendrecv_generic_node(exim_t) + corenet_tcp_sendrecv_all_ports(exim_t) +@@ -82,6 +98,8 @@ + corenet_tcp_connect_smtp_port(exim_t) + corenet_tcp_connect_ldap_port(exim_t) + corenet_tcp_connect_inetd_child_port(exim_t) ++# connect to spamassassin 
++corenet_tcp_connect_spamd_port(exim_t) + + dev_read_rand(exim_t) + dev_read_urand(exim_t) +@@ -89,20 +107,27 @@ + # Init script handling + domain_use_interactive_fds(exim_t) + ++files_search_usr(exim_t) ++files_search_var(exim_t) + files_read_etc_files(exim_t) ++files_read_etc_runtime_files(exim_t) + + auth_use_nsswitch(exim_t) + + logging_send_syslog_msg(exim_t) + + miscfiles_read_localization(exim_t) ++miscfiles_read_certs(exim_t) + +-sysnet_dns_name_resolve(exim_t) ++fs_getattr_xattr_fs(exim_t) ++fs_list_inotifyfs(exim_t) + + userdom_dontaudit_search_user_home_dirs(exim_t) + + mta_read_aliases(exim_t) +-mta_rw_spool(exim_t) ++mta_read_config(exim_t) ++mta_manage_spool(exim_t) ++mta_mailserver_delivery(exim_t) + + tunable_policy(`exim_read_user_files',` + userdom_read_user_home_content_files(exim_t) +@@ -114,3 +139,62 @@ + userdom_read_user_tmp_files(exim_t) + userdom_write_user_tmp_files(exim_t) + ') + -+ allow $1 ifplugd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ifplugd_t) ++tunable_policy(`exim_can_connect_db',` ++ corenet_tcp_connect_mysqld_port(exim_t) ++ corenet_sendrecv_mysqld_client_packets(exim_t) ++ corenet_tcp_connect_postgresql_port(exim_t) ++ corenet_sendrecv_postgresql_client_packets(exim_t) ++') + -+ init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 ifplugd_initrc_exec_t system_r; -+ allow $2 system_r; ++optional_policy(` ++ dovecot_auth_stream_connect(exim_t) ++') + -+ files_list_etc($1) -+ admin_pattern($1, ifplugd_etc_t) ++optional_policy(` ++ tunable_policy(`exim_can_connect_db',` ++ mysql_stream_connect(exim_t) ++ ') ++') + -+ files_list_pids($1) -+ admin_pattern($1, ifplugd_var_run_t) -+ ++optional_policy(` ++ tunable_policy(`exim_can_connect_db',` ++ postgresql_stream_connect(exim_t) ++') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.te serefpolicy-3.6.7/policy/modules/services/ifplugd.te 
---- nsaserefpolicy/policy/modules/services/ifplugd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ifplugd.te 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,89 @@ -+policy_module(ifplugd,1.0.0) + -+######################################## -+# -+# Declarations -+# ++optional_policy(` ++ kerberos_keytab_template(exim, exim_t) ++') + -+type ifplugd_t; -+type ifplugd_exec_t; -+init_daemon_domain(ifplugd_t, ifplugd_exec_t) ++optional_policy(` ++ mailman_read_data_files(exim_t) ++ mailman_domtrans(exim_t) ++') + -+type ifplugd_initrc_exec_t; -+init_script_file(ifplugd_initrc_exec_t) ++optional_policy(` ++ procmail_domtrans(exim_t) ++') + -+# config files -+type ifplugd_etc_t; -+files_type(ifplugd_etc_t) ++optional_policy(` ++ sasl_connect(exim_t) ++') + -+# pid files -+type ifplugd_var_run_t; -+files_pid_file(ifplugd_var_run_t) ++optional_policy(` ++ cron_read_pipes(exim_t) ++ cron_rw_system_job_pipes(exim_t) ++') + -+######################################## -+# -+# ifplugd local policy -+# ++optional_policy(` ++ cyrus_stream_connect(exim_t) ++') + -+allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; -+dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace }; -+allow ifplugd_t self:process { signal signull }; ++optional_policy(` ++ clamav_domtrans_clamscan(exim_t) ++ clamav_stream_connect(exim_t) ++') + -+allow ifplugd_t self:fifo_file rw_fifo_file_perms; -+allow ifplugd_t self:tcp_socket create_stream_socket_perms; -+allow ifplugd_t self:udp_socket create_socket_perms; -+allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms; -+allow ifplugd_t self:packet_socket create_socket_perms; ++optional_policy(` ++ spamassassin_exec(exim_t) ++ spamassassin_exec_client(exim_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.8/policy/modules/services/ftp.te +--- nsaserefpolicy/policy/modules/services/ftp.te 
2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ftp.te 2009-03-05 15:25:24.000000000 -0500 +@@ -26,7 +26,7 @@ + ## + ##

+ ## Allow ftp servers to use cifs +-## used for public file transfer services. ++## for public file transfer services. + ##

+ ##
+ gen_tunable(allow_ftpd_use_cifs, false) +@@ -34,13 +34,20 @@ + ## + ##

+ ## Allow ftp servers to use nfs +-## used for public file transfer services. ++## for public file transfer services. + ##

+ ##
+ gen_tunable(allow_ftpd_use_nfs, false) + + ## + ##

++## Allow ftp servers to use connect to mysql database ++##

++##
++gen_tunable(ftpd_connect_db, false) + -+# pid file -+manage_files_pattern(ifplugd_t, ifplugd_var_run_t,ifplugd_var_run_t) -+manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t,ifplugd_var_run_t) -+files_pid_filetrans(ifplugd_t,ifplugd_var_run_t, { file sock_file }) ++## ++##

+ ## Allow ftp to read and write files in the user home directories + ##

+ ##
+@@ -131,6 +138,7 @@ + + dev_read_sysfs(ftpd_t) + dev_read_urand(ftpd_t) ++fs_list_inotifyfs(ftpd_t) + + corecmd_exec_bin(ftpd_t) + +@@ -160,6 +168,7 @@ + + fs_search_auto_mountpoints(ftpd_t) + fs_getattr_all_fs(ftpd_t) ++fs_search_fusefs_dirs(ftpd_t) + + auth_use_nsswitch(ftpd_t) + auth_domtrans_chk_passwd(ftpd_t) +@@ -222,9 +231,15 @@ + userdom_manage_user_home_content_dirs(ftpd_t) + userdom_manage_user_home_content_files(ftpd_t) + userdom_manage_user_home_content_symlinks(ftpd_t) +- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) + -+# config files -+read_files_pattern(ifplugd_t,ifplugd_etc_t,ifplugd_etc_t) -+exec_files_pattern(ifplugd_t,ifplugd_etc_t,ifplugd_etc_t) ++ auth_read_all_dirs_except_shadow(ftpd_t) ++ auth_read_all_files_except_shadow(ftpd_t) ++ auth_read_all_symlinks_except_shadow(ftpd_t) + ') + ++# Needed for permissive mode, to make sure everything gets labeled correctly ++userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) + -+kernel_read_system_state(ifplugd_t) -+kernel_read_network_state(ifplugd_t) -+kernel_search_network_sysctl(ifplugd_t) -+kernel_rw_net_sysctls(ifplugd_t) -+kernel_read_kernel_sysctls(ifplugd_t) + tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` + fs_manage_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) +@@ -258,7 +273,26 @@ + ') + + optional_policy(` +- kerberos_read_keytab(ftpd_t) ++ kerberos_keytab_template(ftpd, ftpd_t) ++ kerberos_manage_host_rcache(ftpd_t) ++ selinux_validate_context(ftpd_t) ++') + -+# reading of hardware information -+dev_read_sysfs(ifplugd_t) ++optional_policy(` ++ tunable_policy(`ftpd_connect_db',` ++ mysql_stream_connect(ftpd_t) ++ ') ++') + -+corecmd_exec_shell(ifplugd_t) -+corecmd_exec_bin(ifplugd_t) ++optional_policy(` ++ tunable_policy(`ftpd_connect_db',` ++ postgresql_stream_connect(ftpd_t) ++ ') ++') + -+domain_read_confined_domains_state(ifplugd_t) -+domain_dontaudit_read_all_domains_state(ifplugd_t) ++tunable_policy(`ftpd_connect_db',` 
++ corenet_tcp_connect_mysqld_port(ftpd_t) ++ corenet_tcp_connect_postgresql_port(ftpd_t) + ') + + optional_policy(` +@@ -270,6 +304,14 @@ + ') + + optional_policy(` ++ dbus_system_bus_client(ftpd_t) ++ optional_policy(` ++ oddjob_dbus_chat(ftpd_t) ++ oddjob_domtrans_mkhomedir(ftpd_t) ++ ') ++') + -+auth_use_nsswitch(ifplugd_t) ++optional_policy(` + seutil_sigchld_newrole(ftpd_t) + ') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.8/policy/modules/services/gnomeclock.fc +--- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/gnomeclock.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,3 @@ + -+libs_use_ld_so(ifplugd_t) -+libs_use_shared_libs(ifplugd_t) -+miscfiles_read_localization(ifplugd_t) ++/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + -+logging_send_syslog_msg(ifplugd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.8/policy/modules/services/gnomeclock.if +--- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/gnomeclock.if 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,69 @@ + -+netutils_domtrans(ifplugd_t) -+# transition to ifconfig & dhcpc -+sysnet_domtrans_ifconfig(ifplugd_t) -+sysnet_domtrans_dhcpc(ifplugd_t) ++## policy for gnomeclock + -+sysnet_delete_dhcpc_pid(ifplugd_t) -+sysnet_read_dhcpc_pid(ifplugd_t) -+sysnet_signal_dhcpc(ifplugd_t) -+#sysnet_kill_dhcpc(ifplugd_t) -+#sysnet_manage_config(ifplugd_t) -+#sysnet_read_dhcp_config(ifplugd_t) -+#sysnet_search_dhcp_state(ifplugd_t) ++######################################## ++## ++## Execute a domain transition to run gnomeclock. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`gnomeclock_domtrans',` ++ gen_require(` ++ type gnomeclock_t; ++ type gnomeclock_exec_t; ++ ') + -+optional_policy(` -+ consoletype_exec(ifplugd_t) ++ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) +') + -+permissive ifplugd_t; -+ + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.6.7/policy/modules/services/kerberos.fc ---- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/kerberos.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -21,6 +21,7 @@ - /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) - /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - /var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) -+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) - - /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) - /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.7/policy/modules/services/kerberos.te ---- nsaserefpolicy/policy/modules/services/kerberos.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/kerberos.te 2009-03-03 17:11:59.000000000 -0500 -@@ -290,6 +290,7 @@ - corenet_tcp_sendrecv_generic_node(kpropd_t) - corenet_tcp_sendrecv_all_ports(kpropd_t) - corenet_tcp_bind_generic_node(kpropd_t) -+corenet_tcp_bind_kprop_port(kpropd_t) - - dev_read_urand(kpropd_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.7/policy/modules/services/kerneloops.if ---- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500 -+++ 
serefpolicy-3.6.7/policy/modules/services/kerneloops.if 2009-03-03 17:11:59.000000000 -0500 -@@ -63,6 +63,25 @@ - - ######################################## - ## -+## Allow domain to manage kerneloops tmp files ++######################################## ++## ++## Execute gnomeclock in the gnomeclock domain, and ++## allow the specified role the gnomeclock domain. +## +## +## -+## Domain to not audit. ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the gnomeclock domain. +## +## +# -+interface(`kerneloops_manage_tmp_files',` ++interface(`gnomeclock_run',` + gen_require(` -+ type kerneloops_tmp_t; ++ type gnomeclock_t; + ') + -+ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t) -+ files_search_tmp($1) ++ gnomeclock_domtrans($1) ++ role $2 types gnomeclock_t; +') + ++ +######################################## +## - ## All of the rules required to administrate - ## an kerneloops environment - ## -@@ -81,6 +100,7 @@ - interface(`kerneloops_admin',` - gen_require(` - type kerneloops_t, kerneloops_initrc_exec_t; -+ type kerneloops_tmp_t; - ') - - allow $1 kerneloops_t:process { ptrace signal_perms }; -@@ -90,4 +110,7 @@ - domain_system_change_exemption($1) - role_transition $2 kerneloops_initrc_exec_t system_r; - allow $2 system_r; -+ -+ admin_pattern($1, kerneloops_tmp_t) - ') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.7/policy/modules/services/kerneloops.te ---- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/kerneloops.te 2009-03-04 14:40:13.000000000 -0500 -@@ -13,6 +13,9 @@ - type kerneloops_initrc_exec_t; - init_script_file(kerneloops_initrc_exec_t) - -+type kerneloops_tmp_t; -+files_tmp_file(kerneloops_tmp_t) -+ - ######################################## - # - # kerneloops local policy -@@ -23,6 +26,9 @@ - allow kerneloops_t self:fifo_file 
rw_file_perms; - allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; - -+manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) -+files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file) -+ - kernel_read_ring_buffer(kerneloops_t) - - # Init script handling -@@ -46,6 +52,5 @@ - sysnet_dns_name_resolve(kerneloops_t) - - optional_policy(` -- dbus_system_bus_client(kerneloops_t) -- dbus_connect_system_bus(kerneloops_t) -+ dbus_system_domain(kerneloops_t, kerneloops_exec_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.7/policy/modules/services/ktalk.te ---- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ktalk.te 2009-03-03 17:11:59.000000000 -0500 -@@ -69,6 +69,7 @@ - files_read_etc_files(ktalkd_t) - - term_search_ptys(ktalkd_t) -+term_use_all_terms(ktalkd_t) - - auth_use_nsswitch(ktalkd_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.6.7/policy/modules/services/ldap.te ---- nsaserefpolicy/policy/modules/services/ldap.te 2009-02-16 08:44:12.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ldap.te 2009-03-03 17:11:59.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(ldap, 1.9.3) -+policy_module(ldap, 1.9.2) - - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.7/policy/modules/services/mailman.fc ---- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/mailman.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -31,3 +31,4 @@ - /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) - /var/spool/mailman(/.*)? 
gen_context(system_u:object_r:mailman_data_t,s0) - ') -+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.7/policy/modules/services/mailman.if ---- nsaserefpolicy/policy/modules/services/mailman.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/mailman.if 2009-03-03 17:11:59.000000000 -0500 -@@ -31,6 +31,12 @@ - allow mailman_$1_t self:tcp_socket create_stream_socket_perms; - allow mailman_$1_t self:udp_socket create_socket_perms; - -+ files_search_spool(mailman_$1_t) -+ -+ manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) -+ manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) -+ manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) -+ - manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) - manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) - manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) -@@ -64,6 +70,7 @@ - corenet_sendrecv_smtp_client_packets(mailman_$1_t) - - fs_getattr_xattr_fs(mailman_$1_t) -+ fs_list_inotifyfs(mailman_$1_t) - - corecmd_exec_all_executables(mailman_$1_t) - -@@ -191,6 +198,7 @@ - ') - - read_files_pattern($1, mailman_data_t, mailman_data_t) -+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) - ') - - ####################################### -@@ -209,6 +217,7 @@ - type mailman_data_t; - ') - -+ manage_dirs_pattern($1, mailman_data_t, mailman_data_t) - manage_files_pattern($1, mailman_data_t, mailman_data_t) - ') - -@@ -250,6 +259,25 @@ - - ####################################### - ## -+## read -+## mailman logs. ++## Send and receive messages from ++## gnomeclock over dbus. +## +## +## 
@@ -14482,103 +12279,89 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`mailman_read_log',` ++interface(`gnomeclock_dbus_chat',` + gen_require(` -+ type mailman_log_t; ++ type gnomeclock_t; ++ class dbus send_msg; + ') + -+ read_files_pattern($1, mailman_log_t, mailman_log_t) ++ allow $1 gnomeclock_t:dbus send_msg; ++ allow gnomeclock_t $1:dbus send_msg; +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.8/policy/modules/services/gnomeclock.te +--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/gnomeclock.te 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,51 @@ ++policy_module(gnomeclock, 1.0.0) ++######################################## ++# ++# Declarations ++# + -+####################################### -+## - ## Append to mailman logs. - ## - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.7/policy/modules/services/mailman.te ---- nsaserefpolicy/policy/modules/services/mailman.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/mailman.te 2009-03-03 17:11:59.000000000 -0500 -@@ -53,10 +53,8 @@ - apache_use_fds(mailman_cgi_t) - apache_dontaudit_append_log(mailman_cgi_t) - apache_search_sys_script_state(mailman_cgi_t) -- -- optional_policy(` -- nscd_socket_use(mailman_cgi_t) -- ') -+ apache_read_config(mailman_cgi_t) -+ apache_dontaudit_rw_stream_sockets(mailman_cgi_t) - ') - - ######################################## -@@ -65,15 +63,31 @@ - # - - allow mailman_mail_t self:unix_dgram_socket create_socket_perms; -+allow mailman_mail_t initrc_t:process signal; -+allow mailman_mail_t self:process { signal signull }; -+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; ++type 
gnomeclock_t; ++type gnomeclock_exec_t; ++dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) + -+files_search_spool(mailman_mail_t) -+fs_rw_anon_inodefs_files(mailman_mail_t) -+fs_list_inotifyfs(mailman_mail_t) ++######################################## ++# ++# gnomeclock local policy ++# ++allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; ++allow gnomeclock_t self:process { getattr getsched }; ++allow gnomeclock_t self:fifo_file rw_fifo_file_perms; ++allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; + -+manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) -+manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) -+manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) - - mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) -+mta_dontaudit_rw_queue(mailman_mail_t) - --ifdef(`TODO',` - optional_policy(` -- allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; -- # do we really need this? 
-- allow mailman_mail_t qmail_lspawn_t:fifo_file write; -+ courier_read_spool(mailman_mail_t) - ') ++corecmd_exec_bin(gnomeclock_t) ++ ++userdom_ptrace_all_users(gnomeclock_t) ++ ++files_read_etc_files(gnomeclock_t) ++files_read_usr_files(gnomeclock_t) ++ ++miscfiles_manage_localization(gnomeclock_t) ++miscfiles_etc_filetrans_localization(gnomeclock_t) ++ ++fs_list_inotifyfs(gnomeclock_t) ++ ++auth_use_nsswitch(gnomeclock_t) ++ ++miscfiles_read_localization(gnomeclock_t) ++ ++userdom_read_all_users_state(gnomeclock_t) ++ ++optional_policy(` ++ consolekit_dbus_chat(gnomeclock_t) ++') + +optional_policy(` -+ postfix_search_spool(mailman_mail_t) ++ clock_domtrans(gnomeclock_t) +') + +optional_policy(` -+ cron_read_pipes(mailman_mail_t) - ') - - ######################################## -@@ -99,11 +113,15 @@ - # for su - seutil_dontaudit_search_config(mailman_queue_t) - -+su_exec(mailman_queue_t) ++ polkit_domtrans_auth(gnomeclock_t) ++ polkit_read_lib(gnomeclock_t) ++ polkit_read_reload(gnomeclock_t) ++') + - # some of the following could probably be changed to dontaudit, someone who - # knows mailman well should test this out and send the changes - userdom_search_user_home_dirs(mailman_queue_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.8/policy/modules/services/hal.fc +--- nsaserefpolicy/policy/modules/services/hal.fc 2008-11-19 11:51:44.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/hal.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -5,6 +5,7 @@ + /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) --su_exec(mailman_queue_t) -+optional_policy(` -+ apache_read_config(mailman_queue_t) -+') + /usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) ++/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0) + /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) + 
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) + /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.8/policy/modules/services/hal.if +--- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/hal.if 2009-03-05 15:25:24.000000000 -0500 +@@ -20,6 +20,24 @@ - optional_policy(` - cron_system_entry(mailman_queue_t, mailman_queue_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.6.7/policy/modules/services/mailscanner.fc ---- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/mailscanner.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,2 @@ -+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.6.7/policy/modules/services/mailscanner.if ---- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/mailscanner.if 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,59 @@ -+## Anti-Virus and Anti-Spam Filter -+ -+######################################## -+## -+## Search mailscanner spool directories. + ######################################## + ## ++## Execute hal mac in the hal mac domain. +## +## +## 
@@ -14586,18 +12369,39 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`mailscanner_search_spool',` ++interface(`hal_domtrans_mac',` + gen_require(` -+ type mailscanner_spool_t; ++ type hald_mac_t, hald_mac_exec_t; + ') + -+ files_search_spool($1) -+ allow $1 mailscanner_spool_t:dir search_dir_perms; ++ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) +') + +######################################## +## -+## read mailscanner spool files. + ## Get the attributes of a hal process. + ## + ## +@@ -51,10 +69,7 @@ + type hald_t; + ') + +- allow $1 hald_t:dir list_dir_perms; +- read_files_pattern($1, hald_t, hald_t) +- read_lnk_files_pattern($1, hald_t, hald_t) +- dontaudit $1 hald_t:process ptrace; ++ ps_process_pattern($1, hald_t) + ') + + ######################################## +@@ -340,3 +355,41 @@ + files_search_pids($1) + allow $1 hald_var_run_t:file rw_file_perms; + ') ++ ++######################################## ++## ++## Manage hald PID dirs. +## +## +## @@ -14605,19 +12409,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`mailscanner_read_spool',` ++interface(`hal_manage_pid_dirs',` + gen_require(` -+ type mailscanner_spool_t; ++ type hald_var_run_t; + ') + -+ files_search_spool($1) -+ read_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t) ++ files_search_pids($1) ++ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) +') + +######################################## +## -+## Create, read, write, and delete -+## mailscanner spool files. ++## Manage hald PID files. +## +## +## 
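Review bot: The new gnomeclock.te grants `allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };` together with `userdom_ptrace_all_users(gnomeclock_t)` and `userdom_read_all_users_state(gnomeclock_t)`, which lets a D-Bus-activated clock mechanism trace every user domain; that is far wider than setting the time or timezone needs, and nothing in the hunk records which denial it works around. If the access is only a by-product of the mechanism inspecting its caller (presumably for the polkit check), a `dontaudit` or the narrower read-state interface alone would keep the observable behaviour without the ptrace grant; otherwise add a why-comment above the line, e.g. `# sys_ptrace + userdom_ptrace_all_users: needed for <denial being worked around — confirm before release>`. The same hunk labels /usr/libexec/hal-dccm as hald_dccm_exec_t in hal.fc, so the matching type declaration has to exist in hal.te, which is outside this hunk. The gnomeclock.te block is complete within the hunk, but the hunk itself begins mid-interface in gnomeclock.if and ends mid-interface in hal.if.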
@@ -14625,900 +12428,1024 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`mailscanner_manage_spool',` ++interface(`hal_manage_pid_files',` + gen_require(` -+ type mailscanner_spool_t; ++ type hald_var_run_t; + ') + -+ files_search_spool($1) -+ manage_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t) ++ files_search_pids($1) ++ manage_files_pattern($1, hald_var_run_t, hald_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.6.7/policy/modules/services/mailscanner.te ---- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/mailscanner.te 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,5 @@ -+ -+policy_module(mailscanner, 1.0.0) -+ -+type mailscanner_spool_t; -+files_type(mailscanner_spool_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.7/policy/modules/services/mta.fc ---- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/mta.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,4 +1,4 @@ --/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/bin/mail(x)? 
-- gen_context(system_u:object_r:sendmail_exec_t,s0) - - /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) - /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) -@@ -10,10 +10,13 @@ - ') - - /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - - /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - -@@ -22,7 +25,3 @@ - /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) - /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -- --#ifdef(`postfix.te', `', ` --#/var/spool/postfix(/.*)? 
gen_context(system_u:object_r:mail_spool_t,s0) --#') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.7/policy/modules/services/mta.if ---- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/mta.if 2009-03-03 17:11:59.000000000 -0500 -@@ -130,6 +130,15 @@ - sendmail_create_log($1_mail_t) - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.8/policy/modules/services/hal.te +--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/hal.te 2009-03-05 15:25:24.000000000 -0500 +@@ -49,6 +49,15 @@ + type hald_var_lib_t; + files_type(hald_var_lib_t) -+ optional_policy(` -+ exim_read_log($1_mail_t) -+ exim_append_log($1_mail_t) -+ exim_manage_spool_files($1_mail_t) -+') ++typealias hald_log_t alias pmtools_log_t; ++typealias hald_var_run_t alias pmtools_var_run_t; ++ ++type hald_dccm_t; ++type hald_dccm_exec_t; ++domain_type(hald_dccm_t) ++domain_entry_file(hald_dccm_t, hald_dccm_exec_t) ++role system_r types hald_dccm_t; + -+ optional_policy(` -+ uucp_manage_spool($1_mail_t) -+ ') - ') - - ######################################## -@@ -302,11 +311,13 @@ - allow $1 mail_spool_t:dir list_dir_perms; - create_files_pattern($1, mail_spool_t, mail_spool_t) - read_files_pattern($1, mail_spool_t, mail_spool_t) -+ append_files_pattern($1, mail_spool_t, mail_spool_t) - create_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - - optional_policy(` - dovecot_manage_spool($1) -+ dovecot_domtrans_deliver($1) - ') - - optional_policy(` -@@ -341,6 +352,7 @@ - # apache should set close-on-exec - apache_dontaudit_rw_stream_sockets($1) - apache_dontaudit_rw_sys_script_stream_sockets($1) -+ apache_append_log($1) - ') - ') - -@@ -591,8 
+603,8 @@ - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; -- allow $1 mail_spool_t:lnk_file read; -- allow $1 mail_spool_t:file getattr; -+ getattr_files_pattern($1, mail_spool_t, mail_spool_t) -+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - ') - ######################################## -@@ -612,7 +624,7 @@ - ') - - files_dontaudit_search_spool($1) -- dontaudit $1 mail_spool_t:dir search; -+ dontaudit $1 mail_spool_t:dir search_dir_perms; - dontaudit $1 mail_spool_t:lnk_file read; - dontaudit $1 mail_spool_t:file getattr; - ') -@@ -665,7 +677,7 @@ - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - allow $1 mail_spool_t:file setattr; -- rw_files_pattern($1, mail_spool_t, mail_spool_t) -+ manage_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.7/policy/modules/services/mta.te ---- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/mta.te 2009-03-03 17:11:59.000000000 -0500 -@@ -47,34 +47,49 @@ # + # Local policy +@@ -143,11 +152,16 @@ + files_getattr_all_dirs(hald_t) + files_read_kernel_img(hald_t) + files_rw_lock_dirs(hald_t) ++files_read_generic_pids(hald_t) - # newalias required this, not sure if it is needed in 'if' file --allow system_mail_t self:capability { dac_override }; -+allow system_mail_t self:capability { dac_override fowner }; -+allow system_mail_t self:fifo_file rw_fifo_file_perms; - - read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) -+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) - - allow system_mail_t mta_exec_type:file entrypoint; - --allow system_mail_t mailcontent_type:file read_file_perms; -+can_exec(system_mail_t, mta_exec_type) -+ -+files_read_all_tmp_files(system_mail_t) - - 
kernel_read_system_state(system_mail_t) - kernel_read_network_state(system_mail_t) - -+dev_read_sysfs(system_mail_t) - dev_read_rand(system_mail_t) - dev_read_urand(system_mail_t) - -+fs_rw_anon_inodefs_files(system_mail_t) -+fs_list_inotifyfs(system_mail_t) -+ -+selinux_getattr_fs(system_mail_t) + fs_getattr_all_fs(hald_t) + fs_search_all(hald_t) + fs_list_inotifyfs(hald_t) + fs_list_auto_mountpoints(hald_t) ++fs_mount_dos_fs(hald_t) ++fs_unmount_dos_fs(hald_t) ++fs_manage_dos_files(hald_t) + - init_use_script_ptys(system_mail_t) + files_getattr_all_mountpoints(hald_t) - userdom_use_user_terminals(system_mail_t) - userdom_dontaudit_search_user_home_dirs(system_mail_t) -+userdom_dontaudit_list_admin_dir(system_mail_t) -+ -+logging_append_all_logs(system_mail_t) + mls_file_read_all_levels(hald_t) +@@ -195,6 +209,7 @@ + seutil_read_file_contexts(hald_t) - optional_policy(` - apache_read_squirrelmail_data(system_mail_t) - apache_append_squirrelmail_data(system_mail_t) -+ apache_search_bugzilla_dirs(system_mail_t) + sysnet_read_config(hald_t) ++sysnet_domtrans_dhcpc(hald_t) - # apache should set close-on-exec - apache_dontaudit_append_log(system_mail_t) - apache_dontaudit_rw_stream_sockets(system_mail_t) - apache_dontaudit_rw_tcp_sockets(system_mail_t) - apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) -+ apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t) + userdom_dontaudit_use_unpriv_user_fds(hald_t) + userdom_dontaudit_search_user_home_dirs(hald_t) +@@ -277,6 +292,13 @@ ') optional_policy(` -@@ -88,6 +103,13 @@ - optional_policy(` - cron_read_system_job_tmp_files(system_mail_t) - cron_dontaudit_write_pipes(system_mail_t) -+ cron_rw_system_stream_sockets(system_mail_t) ++ polkit_domtrans_auth(hald_t) ++ polkit_domtrans_resolve(hald_t) ++ polkit_read_lib(hald_t) ++ polkit_read_reload(hald_t) +') + +optional_policy(` -+ courier_manage_spool_dirs(system_mail_t) -+ courier_manage_spool_files(system_mail_t) -+ 
courier_rw_spool_pipes(system_mail_t) + rpc_search_nfs_state_data(hald_t) ') - optional_policy(` -@@ -95,16 +117,16 @@ +@@ -301,12 +323,16 @@ + virt_manage_images(hald_t) ') - optional_policy(` -- logrotate_read_tmp_files(system_mail_t) -+ exim_domtrans(system_mail_t) -+ exim_manage_log(system_mail_t) - ') ++optional_policy(` ++ xserver_read_pid(hald_t) ++') ++ + ######################################## + # + # Hal acl local policy + # - optional_policy(` -- logwatch_read_tmp_files(system_mail_t) -+ logrotate_read_tmp_files(system_mail_t) - ') +-allow hald_acl_t self:capability { dac_override fowner }; ++allow hald_acl_t self:capability { dac_override fowner sys_resource }; + allow hald_acl_t self:process { getattr signal }; + allow hald_acl_t self:fifo_file rw_fifo_file_perms; - optional_policy(` -- # newaliases runs as system_mail_t when the sendmail initscript does a restart -- milter_getattr_all_sockets(system_mail_t) -+ logwatch_read_tmp_files(system_mail_t) - ') +@@ -321,6 +347,7 @@ + manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) + manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) + files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) ++allow hald_t hald_var_run_t:dir mounton; - optional_policy(` -@@ -132,10 +154,6 @@ - # compatability for old default main.cf - postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) - ') -- -- optional_policy(` -- cron_rw_tcp_sockets(system_mail_t) -- ') - ') + corecmd_exec_bin(hald_acl_t) - optional_policy(` -@@ -155,6 +173,19 @@ - ') +@@ -339,6 +366,8 @@ - optional_policy(` -+ clamav_stream_connect(system_mail_t) -+ clamav_append_log(system_mail_t) + storage_getattr_removable_dev(hald_acl_t) + storage_setattr_removable_dev(hald_acl_t) ++storage_getattr_fixed_disk_dev(hald_acl_t) ++storage_setattr_fixed_disk_dev(hald_acl_t) + + auth_use_nsswitch(hald_acl_t) + +@@ -346,12 +375,18 @@ + + miscfiles_read_localization(hald_acl_t) + 
++optional_policy(` ++ polkit_domtrans_auth(hald_acl_t) ++ polkit_read_lib(hald_acl_t) ++ polkit_read_reload(hald_acl_t) +') + -+optional_policy(` -+ fail2ban_append_log(system_mail_t) + ######################################## + # + # Local hald mac policy + # + +-allow hald_mac_t self:capability { setgid setuid }; ++allow hald_mac_t self:capability { setgid setuid sys_admin }; + + domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) + allow hald_t hald_mac_t:process signal; +@@ -374,6 +409,8 @@ + + auth_use_nsswitch(hald_mac_t) + ++logging_send_syslog_msg(hald_mac_t) ++ + miscfiles_read_localization(hald_mac_t) + + ######################################## +@@ -418,3 +455,49 @@ + files_read_usr_files(hald_keymap_t) + + miscfiles_read_localization(hald_keymap_t) ++ ++# This is caused by a bug in hald and PolicyKit. ++# Should be removed when this is fixed ++cron_read_system_job_lib_files(hald_t) ++ ++######################################## ++# ++# Local hald dccm policy ++# ++allow hald_dccm_t self:capability { net_bind_service }; ++allow hald_dccm_t self:process getsched; ++allow hald_dccm_t self:tcp_socket create_stream_socket_perms; ++allow hald_dccm_t self:udp_socket create_socket_perms; ++allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; ++ ++domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) ++allow hald_t hald_dccm_t:process signal; ++allow hald_dccm_t hald_t:unix_stream_socket connectto; ++ ++corenet_all_recvfrom_unlabeled(hald_dccm_t) ++corenet_all_recvfrom_netlabel(hald_dccm_t) ++corenet_tcp_sendrecv_generic_if(hald_dccm_t) ++corenet_udp_sendrecv_generic_if(hald_dccm_t) ++corenet_tcp_sendrecv_generic_node(hald_dccm_t) ++corenet_udp_sendrecv_generic_node(hald_dccm_t) ++corenet_tcp_sendrecv_all_ports(hald_dccm_t) ++corenet_udp_sendrecv_all_ports(hald_dccm_t) ++corenet_tcp_bind_generic_node(hald_dccm_t) ++corenet_udp_bind_generic_node(hald_dccm_t) ++corenet_udp_bind_dhcpc_port(hald_dccm_t) ++corenet_tcp_bind_ftps_port(hald_dccm_t) 
++corenet_tcp_bind_dccm_port(hald_dccm_t) ++ ++kernel_search_network_sysctl(hald_dccm_t) ++ ++manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) ++manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) ++files_search_var_lib(hald_dccm_t) ++ ++write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) ++ ++files_read_usr_files(hald_dccm_t) ++ ++miscfiles_read_localization(hald_dccm_t) ++ ++permissive hald_dccm_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.fc serefpolicy-3.6.8/policy/modules/services/ifplugd.fc +--- nsaserefpolicy/policy/modules/services/ifplugd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ifplugd.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,9 @@ ++ ++/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) ++ ++/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0) ++ ++/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0) ++ ++/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.if serefpolicy-3.6.8/policy/modules/services/ifplugd.if +--- nsaserefpolicy/policy/modules/services/ifplugd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ifplugd.if 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,194 @@ ++## policy for ifplugd ++ ++######################################## ++## ++## Execute a domain transition to run ifplugd. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`ifplugd_domtrans',` ++ gen_require(` ++ type ifplugd_t, ifplugd_exec_t; + ') + -+ optional_policy(` -+ spamd_stream_connect(system_mail_t) ++ domtrans_pattern($1,ifplugd_exec_t,ifplugd_t) +') + -+optional_policy(` - smartmon_read_tmp_files(system_mail_t) - ') - -@@ -174,6 +205,23 @@ - ') - ') - -+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) ++######################################## ++## ++## Read and write ifplugd UDP sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ifplugd_rw_udp_sockets',` ++ gen_require(` ++ type ifplugd_t; ++ ') + -+init_stream_connect_script(mailserver_delivery) -+init_rw_script_stream_sockets(mailserver_delivery) ++ allow $1 ifplugd_t:udp_socket { read write }; ++') ++ ++######################################## ++## ++## Read and write ifplugd packet sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ifplugd_rw_packet_sockets',` ++ gen_require(` ++ type ifplugd_t; ++ ') ++ ++ allow $1 ifplugd_t:packet_socket { read write }; ++') ++ ++######################################## ++## ++## Read and write ifplugd netlink ++## routing sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ifplugd_rw_routing_sockets',` ++ gen_require(` ++ type ifplugd_t; ++ ') ++ ++ allow $1 ifplugd_t:netlink_route_socket { read write }; ++') ++ ++######################################## ++## ++## Send a generic signal to ifplugd ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`ifplugd_signal',` ++ gen_require(` ++ type ifplugd_t; ++ ') + -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(mailserver_delivery) -+ fs_manage_cifs_files(mailserver_delivery) -+ fs_manage_cifs_symlinks(mailserver_delivery) ++ allow $1 ifplugd_t:process signal; +') + -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(mailserver_delivery) -+ fs_manage_nfs_files(mailserver_delivery) -+ fs_manage_nfs_symlinks(mailserver_delivery) ++######################################## ++## ++## Read ifplugd etc configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`ifplugd_read_etc',` ++ gen_require(` ++ type ifplugd_etc_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) +') + - ######################################## - # - # User send mail local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.7/policy/modules/services/munin.fc ---- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/munin.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,4 +1,5 @@ - /etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) -+/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) - - /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) - /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) -@@ -6,6 +7,8 @@ - /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) - - /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) --/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) -+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) - /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) --/var/www/munin(/.*)? 
gen_context(system_u:object_r:munin_var_lib_t,s0) -+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) -+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) ++######################################## ++## ++## Manage ifplugd etc configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`ifplugd_manage_etc',` ++ gen_require(` ++ type ifplugd_etc_t; ++ ') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.7/policy/modules/services/munin.if ---- nsaserefpolicy/policy/modules/services/munin.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/munin.if 2009-03-03 17:11:59.000000000 -0500 -@@ -80,3 +80,76 @@ - - dontaudit $1 munin_var_lib_t:dir search_dir_perms; - ') ++ files_search_etc($1) ++ manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t) ++ manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) + ++') ++ +######################################## +## -+## Allow the specified domain to append -+## to munin log files. ++## Read ifplugd PID files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## ++## +# -+interface(`munin_append_log',` -+ gen_require(` -+ type munin_log_t; -+ ') ++interface(`ifplugd_read_pid_files',` ++ gen_require(` ++ type ifplugd_var_run_t; ++ ') + -+ logging_search_logs($1) -+ allow $1 munin_log_t:dir list_dir_perms; -+ append_files_pattern($1, munin_log_t, munin_log_t) ++ files_search_pids($1) ++ allow $1 ifplugd_var_run_t:file read_file_perms; +') + +######################################## +## -+## All of the rules required to administrate -+## an munin environment ++## All of the rules required to administrate ++## an ifplugd environment +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +## -+## -+## The role to be allowed to manage the munin domain. 
-+## ++## ++## The role to be allowed to manage the ifplugd domain. ++## +## +## ++## +# -+interface(`munin_admin',` -+ gen_require(` -+ type munin_t, munin_etc_t, munin_tmp_t; -+ type munin_log_t, munin_var_lib_t, munin_var_run_t; -+ type httpd_munin_content_t; -+ type munin_initrc_exec_t; -+ ') -+ -+ allow $1 munin_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, munin_t) -+ -+ init_labeled_script_domtrans($1, munin_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 munin_initrc_exec_t system_r; -+ allow $2 system_r; ++interface(`ifplugd_admin',` ++ gen_require(` ++ type ifplugd_t, ifplugd_etc_t; ++ type ifplugd_var_run_t, ifplugd_initrc_exec_t; ++ ') + -+ files_list_tmp($1) -+ admin_pattern($1, munin_tmp_t) ++ allow $1 ifplugd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ifplugd_t) + -+ logging_list_logs($1) -+ admin_pattern($1, munin_log_t) ++ init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 ifplugd_initrc_exec_t system_r; ++ allow $2 system_r; + + files_list_etc($1) -+ admin_pattern($1, munin_etc_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, munin_var_lib_t) ++ admin_pattern($1, ifplugd_etc_t) + + files_list_pids($1) -+ admin_pattern($1, munin_var_run_t) -+ -+ admin_pattern($1, httpd_munin_content_t) ++ admin_pattern($1, ifplugd_var_run_t) ++ +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ifplugd.te serefpolicy-3.6.8/policy/modules/services/ifplugd.te +--- nsaserefpolicy/policy/modules/services/ifplugd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ifplugd.te 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,89 @@ ++policy_module(ifplugd,1.0.0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.7/policy/modules/services/munin.te ---- 
nsaserefpolicy/policy/modules/services/munin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/munin.te 2009-03-03 17:11:59.000000000 -0500 -@@ -13,6 +13,9 @@ - type munin_etc_t alias lrrd_etc_t; - files_config_file(munin_etc_t) - -+type munin_initrc_exec_t; -+init_script_file(munin_initrc_exec_t) ++######################################## ++# ++# Declarations ++# + - type munin_log_t alias lrrd_log_t; - logging_log_file(munin_log_t) - -@@ -30,21 +33,25 @@ - # Local policy - # - --allow munin_t self:capability { setgid setuid }; -+allow munin_t self:capability { chown dac_override setgid setuid sys_rawio }; - dontaudit munin_t self:capability sys_tty_config; - allow munin_t self:process { getsched setsched signal_perms }; - allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; - allow munin_t self:tcp_socket create_stream_socket_perms; - allow munin_t self:udp_socket create_socket_perms; -+allow munin_t self:fifo_file manage_fifo_file_perms; ++type ifplugd_t; ++type ifplugd_exec_t; ++init_daemon_domain(ifplugd_t, ifplugd_exec_t) + -+can_exec(munin_t, munin_exec_t) - - allow munin_t munin_etc_t:dir list_dir_perms; - read_files_pattern(munin_t, munin_etc_t, munin_etc_t) - read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t) - files_search_etc(munin_t) - --allow munin_t munin_log_t:file manage_file_perms; --logging_log_filetrans(munin_t, munin_log_t, file) -+manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) -+manage_files_pattern(munin_t, munin_log_t, munin_log_t) -+logging_log_filetrans(munin_t, munin_log_t, { file dir }) - - manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) - manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) -@@ -61,9 +68,11 @@ - files_pid_filetrans(munin_t, munin_var_run_t, file) - - kernel_read_system_state(munin_t) --kernel_read_kernel_sysctls(munin_t) -+kernel_read_network_state(munin_t) 
-+kernel_read_all_sysctls(munin_t) - - corecmd_exec_bin(munin_t) -+corecmd_exec_shell(munin_t) - - corenet_all_recvfrom_unlabeled(munin_t) - corenet_all_recvfrom_netlabel(munin_t) -@@ -73,24 +82,36 @@ - corenet_udp_sendrecv_generic_node(munin_t) - corenet_tcp_sendrecv_all_ports(munin_t) - corenet_udp_sendrecv_all_ports(munin_t) -+corenet_tcp_bind_munin_port(munin_t) -+corenet_tcp_connect_munin_port(munin_t) -+corenet_tcp_connect_http_port(munin_t) -+corenet_tcp_bind_generic_node(munin_t) - - dev_read_sysfs(munin_t) - dev_read_urand(munin_t) -+fs_list_inotifyfs(munin_t) - - domain_use_interactive_fds(munin_t) -+domain_read_all_domains_state(munin_t) - - files_read_etc_files(munin_t) - files_read_etc_runtime_files(munin_t) - files_read_usr_files(munin_t) -+files_list_spool(munin_t) - - fs_getattr_all_fs(munin_t) - fs_search_auto_mountpoints(munin_t) - -+auth_use_nsswitch(munin_t) ++type ifplugd_initrc_exec_t; ++init_script_file(ifplugd_initrc_exec_t) ++ ++# config files ++type ifplugd_etc_t; ++files_type(ifplugd_etc_t) ++ ++# pid files ++type ifplugd_var_run_t; ++files_pid_file(ifplugd_var_run_t) ++ ++######################################## ++# ++# ifplugd local policy ++# + - logging_send_syslog_msg(munin_t) -+logging_read_all_logs(munin_t) - -+miscfiles_read_fonts(munin_t) - miscfiles_read_localization(munin_t) - --sysnet_read_config(munin_t) -+sysnet_exec_ifconfig(munin_t) -+netutils_domtrans_ping(munin_t) - - userdom_dontaudit_use_unpriv_user_fds(munin_t) - userdom_dontaudit_search_user_home_dirs(munin_t) -@@ -105,7 +126,31 @@ - ') - - optional_policy(` -- nis_use_ypbind(munin_t) -+ fstools_domtrans(munin_t) -+') ++allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; ++dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace }; ++allow ifplugd_t self:process { signal signull }; + -+optional_policy(` -+ mta_read_config(munin_t) -+ mta_send_mail(munin_t) -+ mta_read_queue(munin_t) -+') ++allow ifplugd_t self:fifo_file rw_fifo_file_perms; 
++allow ifplugd_t self:tcp_socket create_stream_socket_perms; ++allow ifplugd_t self:udp_socket create_socket_perms; ++allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms; ++allow ifplugd_t self:packet_socket create_socket_perms; + -+optional_policy(` -+ mysql_read_config(munin_t) -+ mysql_stream_connect(munin_t) -+') ++# pid file ++manage_files_pattern(ifplugd_t, ifplugd_var_run_t,ifplugd_var_run_t) ++manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t,ifplugd_var_run_t) ++files_pid_filetrans(ifplugd_t,ifplugd_var_run_t, { file sock_file }) + -+optional_policy(` -+ postfix_list_spool(munin_t) -+ postfix_getattr_spool_files(munin_t) -+') ++# config files ++read_files_pattern(ifplugd_t,ifplugd_etc_t,ifplugd_etc_t) ++exec_files_pattern(ifplugd_t,ifplugd_etc_t,ifplugd_etc_t) + -+optional_policy(` -+ rpc_search_nfs_state_data(munin_t) -+') ++kernel_read_system_state(ifplugd_t) ++kernel_read_network_state(ifplugd_t) ++kernel_search_network_sysctl(ifplugd_t) ++kernel_rw_net_sysctls(ifplugd_t) ++kernel_read_kernel_sysctls(ifplugd_t) ++ ++# reading of hardware information ++dev_read_sysfs(ifplugd_t) ++ ++corecmd_exec_shell(ifplugd_t) ++corecmd_exec_bin(ifplugd_t) ++ ++domain_read_confined_domains_state(ifplugd_t) ++domain_dontaudit_read_all_domains_state(ifplugd_t) ++ ++auth_use_nsswitch(ifplugd_t) ++ ++libs_use_ld_so(ifplugd_t) ++libs_use_shared_libs(ifplugd_t) ++miscfiles_read_localization(ifplugd_t) ++ ++logging_send_syslog_msg(ifplugd_t) ++ ++netutils_domtrans(ifplugd_t) ++# transition to ifconfig & dhcpc ++sysnet_domtrans_ifconfig(ifplugd_t) ++sysnet_domtrans_dhcpc(ifplugd_t) ++ ++sysnet_delete_dhcpc_pid(ifplugd_t) ++sysnet_read_dhcpc_pid(ifplugd_t) ++sysnet_signal_dhcpc(ifplugd_t) ++#sysnet_kill_dhcpc(ifplugd_t) ++#sysnet_manage_config(ifplugd_t) ++#sysnet_read_dhcp_config(ifplugd_t) ++#sysnet_search_dhcp_state(ifplugd_t) + +optional_policy(` -+ sendmail_read_log(munin_t) - ') - - optional_policy(` -@@ -115,3 +160,10 @@ - optional_policy(` - 
udev_read_db(munin_t) - ') ++ consoletype_exec(ifplugd_t) ++') + -+#============= http munin policy ============== -+apache_content_template(munin) ++permissive ifplugd_t; + -+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) -+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.7/policy/modules/services/mysql.fc ---- nsaserefpolicy/policy/modules/services/mysql.fc 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/mysql.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -12,6 +12,8 @@ - # - /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.6.8/policy/modules/services/kerberos.fc +--- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-10-10 15:53:03.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/kerberos.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -21,6 +21,7 @@ + /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) + /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + /var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -+/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) -+ - /usr/sbin/mysqld(-max)? 
-- gen_context(system_u:object_r:mysqld_exec_t,s0) + /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) + /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.8/policy/modules/services/kerberos.te +--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/kerberos.te 2009-03-05 15:25:24.000000000 -0500 +@@ -290,6 +290,7 @@ + corenet_tcp_sendrecv_generic_node(kpropd_t) + corenet_tcp_sendrecv_all_ports(kpropd_t) + corenet_tcp_bind_generic_node(kpropd_t) ++corenet_tcp_bind_kprop_port(kpropd_t) - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.7/policy/modules/services/mysql.if ---- nsaserefpolicy/policy/modules/services/mysql.if 2008-11-18 18:57:20.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/mysql.if 2009-03-03 17:11:59.000000000 -0500 -@@ -161,6 +161,25 @@ - allow $1 mysqld_db_t:sock_file rw_sock_file_perms; - ') + dev_read_urand(kpropd_t) -+##################################### -+## -+## Search MySQL PID files. +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.8/policy/modules/services/kerneloops.if +--- nsaserefpolicy/policy/modules/services/kerneloops.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/kerneloops.if 2009-03-05 15:25:24.000000000 -0500 +@@ -63,6 +63,25 @@ + + ######################################## + ## ++## Allow domain to manage kerneloops tmp files +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain to not audit. 
++## +## -+## +# -+interface(`mysql_search_pid_files',` -+ gen_require(` -+ type mysqld_var_run_t; -+ ') ++interface(`kerneloops_manage_tmp_files',` ++ gen_require(` ++ type kerneloops_tmp_t; ++ ') + -+ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) ++ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t) ++ files_search_tmp($1) +') + - ######################################## - ## - ## Write to the MySQL log. -@@ -177,7 +196,7 @@ ++######################################## ++## + ## All of the rules required to administrate + ## an kerneloops environment + ## +@@ -81,6 +100,7 @@ + interface(`kerneloops_admin',` + gen_require(` + type kerneloops_t, kerneloops_initrc_exec_t; ++ type kerneloops_tmp_t; ') - logging_search_logs($1) -- allow $1 mysqld_log_t:file { write_file_perms setattr }; -+ allow $1 mysqld_log_t:file { write_file_perms setattr getattr }; + allow $1 kerneloops_t:process { ptrace signal_perms }; +@@ -90,4 +110,7 @@ + domain_system_change_exemption($1) + role_transition $2 kerneloops_initrc_exec_t system_r; + allow $2 system_r; ++ ++ admin_pattern($1, kerneloops_tmp_t) ') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.8/policy/modules/services/kerneloops.te +--- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/kerneloops.te 2009-03-05 15:25:24.000000000 -0500 +@@ -13,6 +13,9 @@ + type kerneloops_initrc_exec_t; + init_script_file(kerneloops_initrc_exec_t) ++type kerneloops_tmp_t; ++files_tmp_file(kerneloops_tmp_t) ++ ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.7/policy/modules/services/mysql.te ---- nsaserefpolicy/policy/modules/services/mysql.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/mysql.te 
2009-03-03 17:11:59.000000000 -0500 -@@ -10,6 +10,10 @@ - type mysqld_exec_t; - init_daemon_domain(mysqld_t, mysqld_exec_t) + # + # kerneloops local policy +@@ -23,8 +26,13 @@ + allow kerneloops_t self:fifo_file rw_file_perms; + allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; -+type mysqld_safe_t; -+type mysqld_safe_exec_t; -+init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) ++manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) ++files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file) + - type mysqld_var_run_t; - files_pid_file(mysqld_var_run_t) + kernel_read_ring_buffer(kerneloops_t) -@@ -30,7 +34,7 @@ ++fs_list_inotifyfs(kerneloops_t) ++ + # Init script handling + domain_use_interactive_fds(kerneloops_t) - ######################################## - # --# Local policy -+# Local mysqld policy - # +@@ -46,6 +54,5 @@ + sysnet_dns_name_resolve(kerneloops_t) - allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; -@@ -121,3 +125,36 @@ optional_policy(` - udev_read_db(mysqld_t) +- dbus_system_bus_client(kerneloops_t) +- dbus_connect_system_bus(kerneloops_t) ++ dbus_system_domain(kerneloops_t, kerneloops_exec_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.8/policy/modules/services/ktalk.te +--- nsaserefpolicy/policy/modules/services/ktalk.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ktalk.te 2009-03-05 15:25:24.000000000 -0500 +@@ -69,6 +69,7 @@ + files_read_etc_files(ktalkd_t) + + term_search_ptys(ktalkd_t) ++term_use_all_terms(ktalkd_t) + + auth_use_nsswitch(ktalkd_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.8/policy/modules/services/mailman.fc +--- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 ++++ 
serefpolicy-3.6.8/policy/modules/services/mailman.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -31,3 +31,4 @@ + /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) + /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) + ') ++/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.8/policy/modules/services/mailman.if +--- nsaserefpolicy/policy/modules/services/mailman.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/mailman.if 2009-03-05 15:25:24.000000000 -0500 +@@ -31,6 +31,12 @@ + allow mailman_$1_t self:tcp_socket create_stream_socket_perms; + allow mailman_$1_t self:udp_socket create_socket_perms; + ++ files_search_spool(mailman_$1_t) + -+####################################### -+# -+# Local mysqld_safe policy -+# -+ -+domtrans_pattern(mysqld_safe_t,mysqld_exec_t,mysqld_t) -+ -+allow mysqld_safe_t self:capability { dac_override fowner chown }; -+allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; -+ -+append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -+ -+mysql_read_config(mysqld_safe_t) -+mysql_search_pid_files(mysqld_safe_t) -+mysql_write_log(mysqld_safe_t) -+ -+kernel_read_system_state(mysqld_safe_t) -+ -+files_read_etc_files(mysqld_safe_t) -+files_read_usr_files(mysqld_safe_t) -+ -+dev_list_sysfs(mysqld_safe_t) -+ -+corecmd_exec_bin(mysqld_safe_t) -+ -+libs_use_ld_so(mysqld_safe_t) -+libs_use_shared_libs(mysqld_safe_t) -+ -+miscfiles_read_localization(mysqld_safe_t) -+ -+permissive mysqld_safe_t; ++ manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) ++ manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) ++ manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.7/policy/modules/services/nagios.fc ---- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/nagios.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,16 +1,19 @@ - /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) - /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) -+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) + manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) + manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) + manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) +@@ -64,6 +70,7 @@ + corenet_sendrecv_smtp_client_packets(mailman_$1_t) - /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) - /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) + fs_getattr_xattr_fs(mailman_$1_t) ++ fs_list_inotifyfs(mailman_$1_t) --/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) --/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) -+/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + corecmd_exec_all_executables(mailman_$1_t) - /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) --/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -+ -+/var/spool/nagios(/.*)? 
gen_context(system_u:object_r:nagios_spool_t,s0) +@@ -191,6 +198,7 @@ + ') - ifdef(`distro_debian',` - /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) --/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) + read_files_pattern($1, mailman_data_t, mailman_data_t) ++ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) ') -+/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.7/policy/modules/services/nagios.if ---- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/nagios.if 2009-03-03 17:11:59.000000000 -0500 -@@ -44,7 +44,7 @@ - ######################################## - ## --## Execute the nagios CGI with -+## Execute the nagios NRPE with - ## a domain transition. - ## - ## -@@ -53,18 +53,37 @@ - ## - ## - # --interface(`nagios_domtrans_cgi',` -+interface(`nagios_domtrans_nrpe',` - gen_require(` -- type nagios_cgi_t, nagios_cgi_exec_t; -+ type nrpe_t, nrpe_exec_t; + ####################################### +@@ -209,6 +217,7 @@ + type mailman_data_t; ') -- domtrans_pattern($1, nagios_cgi_exec_t, nagios_cgi_t) -+ domtrans_pattern($1, nrpe_exec_t, nrpe_t) ++ manage_dirs_pattern($1, mailman_data_t, mailman_data_t) + manage_files_pattern($1, mailman_data_t, mailman_data_t) ') - ######################################## +@@ -250,6 +259,25 @@ + + ####################################### ## --## Execute the nagios NRPE with --## a domain transition. -+## Do not audit attempts to read and write -+## NAGIOS unnamed pipes. ++## read ++## mailman logs. +## +## +## -+## Domain to not audit. ++## Domain allowed access. 
+## +## +# -+interface(`nagios_dontaudit_rw_pipes',` -+ ++interface(`mailman_read_log',` + gen_require(` -+ type nagios_t; ++ type mailman_log_t; + ') + -+ dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; ++ read_files_pattern($1, mailman_log_t, mailman_log_t) +') + -+######################################## ++####################################### +## -+## Search nagios spool directories. + ## Append to mailman logs. ## ## - ## -@@ -72,10 +91,63 @@ - ## - ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.8/policy/modules/services/mailman.te +--- nsaserefpolicy/policy/modules/services/mailman.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/mailman.te 2009-03-05 15:25:24.000000000 -0500 +@@ -53,10 +53,8 @@ + apache_use_fds(mailman_cgi_t) + apache_dontaudit_append_log(mailman_cgi_t) + apache_search_sys_script_state(mailman_cgi_t) +- +- optional_policy(` +- nscd_socket_use(mailman_cgi_t) +- ') ++ apache_read_config(mailman_cgi_t) ++ apache_dontaudit_rw_stream_sockets(mailman_cgi_t) + ') + + ######################################## +@@ -65,15 +63,31 @@ # --interface(`nagios_domtrans_nrpe',` -+interface(`nagios_search_spool',` - gen_require(` -- type nrpe_t, nrpe_exec_t; -+ type nagios_spool_t; - ') -- domtrans_pattern($1, nrpe_exec_t, nrpe_t) -+ allow $1 nagios_spool_t:dir search_dir_perms; -+ files_search_spool($1) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an nagios environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the nagios domain. 
-+## -+## -+## -+# -+interface(`nagios_admin',` -+ gen_require(` -+ type nagios_t, nrpe_t; -+ type nagios_tmp_t, nagios_log_t; -+ type nagios_etc_t, nrpe_etc_t; -+ type nagios_spool_t, nagios_var_run_t; -+ type nagios_initrc_exec_t; -+ ') -+ -+ allow $1 nagios_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, nagios_t) -+ -+ init_labeled_script_domtrans($1, nagios_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 nagios_initrc_exec_t system_r; -+ allow $2 system_r; + allow mailman_mail_t self:unix_dgram_socket create_socket_perms; ++allow mailman_mail_t initrc_t:process signal; ++allow mailman_mail_t self:process { signal signull }; ++allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; + -+ files_list_tmp($1) -+ admin_pattern($1, nagios_tmp_t) ++files_search_spool(mailman_mail_t) ++fs_rw_anon_inodefs_files(mailman_mail_t) ++fs_list_inotifyfs(mailman_mail_t) + -+ logging_list_logs($1) -+ admin_pattern($1, nagios_log_t) ++manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) ++manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) ++manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) + + mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) ++mta_dontaudit_rw_queue(mailman_mail_t) + +-ifdef(`TODO',` + optional_policy(` +- allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; +- # do we really need this? 
+- allow mailman_mail_t qmail_lspawn_t:fifo_file write; ++ courier_read_spool(mailman_mail_t) + ') + -+ files_list_etc($1) -+ admin_pattern($1, nagios_etc_t) ++optional_policy(` ++ postfix_search_spool(mailman_mail_t) ++') + -+ files_list_spool($1) -+ admin_pattern($1, nagios_spool_t) ++optional_policy(` ++ cron_read_pipes(mailman_mail_t) + ') + + ######################################## +@@ -99,11 +113,15 @@ + # for su + seutil_dontaudit_search_config(mailman_queue_t) + ++su_exec(mailman_queue_t) + -+ files_list_pids($1) -+ admin_pattern($1, nagios_var_run_t) + # some of the following could probably be changed to dontaudit, someone who + # knows mailman well should test this out and send the changes + userdom_search_user_home_dirs(mailman_queue_t) + +-su_exec(mailman_queue_t) ++optional_policy(` ++ apache_read_config(mailman_queue_t) ++') + + optional_policy(` + cron_system_entry(mailman_queue_t, mailman_queue_exec_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.8/policy/modules/services/mta.fc +--- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/mta.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,4 +1,4 @@ +-/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/bin/mail(x)? 
-- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) + /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) +@@ -10,10 +10,13 @@ + ') + + /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + ++/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + +@@ -22,7 +25,3 @@ + /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) + /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +- +-#ifdef(`postfix.te', `', ` +-#/var/spool/postfix(/.*)? 
gen_context(system_u:object_r:mail_spool_t,s0) +-#') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.8/policy/modules/services/mta.if +--- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/mta.if 2009-03-05 15:25:24.000000000 -0500 +@@ -130,6 +130,15 @@ + sendmail_create_log($1_mail_t) + ') + ++ optional_policy(` ++ exim_read_log($1_mail_t) ++ exim_append_log($1_mail_t) ++ exim_manage_spool_files($1_mail_t) ++') + -+ admin_pattern($1, nrpe_etc_t) ++ optional_policy(` ++ uucp_manage_spool($1_mail_t) ++ ') ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.7/policy/modules/services/nagios.te ---- nsaserefpolicy/policy/modules/services/nagios.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/nagios.te 2009-03-03 17:11:59.000000000 -0500 -@@ -10,13 +10,12 @@ - type nagios_exec_t; - init_daemon_domain(nagios_t, nagios_exec_t) --type nagios_cgi_t; --type nagios_cgi_exec_t; --init_system_domain(nagios_cgi_t, nagios_cgi_exec_t) -- - type nagios_etc_t; - files_config_file(nagios_etc_t) + ######################################## +@@ -302,11 +311,13 @@ + allow $1 mail_spool_t:dir list_dir_perms; + create_files_pattern($1, mail_spool_t, mail_spool_t) + read_files_pattern($1, mail_spool_t, mail_spool_t) ++ append_files_pattern($1, mail_spool_t, mail_spool_t) + create_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -+type nagios_initrc_exec_t; -+init_script_file(nagios_initrc_exec_t) -+ - type nagios_log_t; - logging_log_file(nagios_log_t) + optional_policy(` + dovecot_manage_spool($1) ++ dovecot_domtrans_deliver($1) + ') -@@ -26,6 +25,9 @@ - type nagios_var_run_t; - files_pid_file(nagios_var_run_t) + optional_policy(` +@@ -341,6 +352,7 @@ + # apache 
should set close-on-exec + apache_dontaudit_rw_stream_sockets($1) + apache_dontaudit_rw_sys_script_stream_sockets($1) ++ apache_append_log($1) + ') + ') -+type nagios_spool_t; -+files_type(nagios_spool_t) -+ - type nrpe_t; - type nrpe_exec_t; - init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -60,6 +62,8 @@ - manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) - files_pid_filetrans(nagios_t, nagios_var_run_t, file) +@@ -591,8 +603,8 @@ -+rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) -+ - kernel_read_system_state(nagios_t) - kernel_read_kernel_sysctls(nagios_t) + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; +- allow $1 mail_spool_t:lnk_file read; +- allow $1 mail_spool_t:file getattr; ++ getattr_files_pattern($1, mail_spool_t, mail_spool_t) ++ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + ') -@@ -127,39 +131,34 @@ - # - # Nagios CGI local policy + ######################################## +@@ -612,7 +624,7 @@ + ') + + files_dontaudit_search_spool($1) +- dontaudit $1 mail_spool_t:dir search; ++ dontaudit $1 mail_spool_t:dir search_dir_perms; + dontaudit $1 mail_spool_t:lnk_file read; + dontaudit $1 mail_spool_t:file getattr; + ') +@@ -665,7 +677,7 @@ + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; + allow $1 mail_spool_t:file setattr; +- rw_files_pattern($1, mail_spool_t, mail_spool_t) ++ manage_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + ') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.8/policy/modules/services/mta.te +--- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/mta.te 2009-03-05 15:25:24.000000000 -0500 +@@ -47,34 +47,49 @@ # -+apache_content_template(nagios) -+typealias httpd_nagios_script_t alias nagios_cgi_t; -+typealias httpd_nagios_script_exec_t alias 
nagios_cgi_exec_t; --allow nagios_cgi_t self:process signal_perms; --allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; -+allow httpd_nagios_script_t self:process signal_perms; + # newalias required this, not sure if it is needed in 'if' file +-allow system_mail_t self:capability { dac_override }; ++allow system_mail_t self:capability { dac_override fowner }; ++allow system_mail_t self:fifo_file rw_fifo_file_perms; --read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) --read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) + read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) ++read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) --allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; --read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) --read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -+files_search_spool(httpd_nagios_script_t) -+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) + allow system_mail_t mta_exec_type:file entrypoint; --allow nagios_cgi_t nagios_log_t:dir list_dir_perms; --read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) --read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; -+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) +-allow system_mail_t mailcontent_type:file read_file_perms; ++can_exec(system_mail_t, mta_exec_type) ++ ++files_read_all_tmp_files(system_mail_t) --kernel_read_system_state(nagios_cgi_t) -+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; -+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) + kernel_read_system_state(system_mail_t) + 
kernel_read_network_state(system_mail_t) --corecmd_exec_bin(nagios_cgi_t) -+kernel_read_system_state(httpd_nagios_script_t) ++dev_read_sysfs(system_mail_t) + dev_read_rand(system_mail_t) + dev_read_urand(system_mail_t) --domain_dontaudit_read_all_domains_state(nagios_cgi_t) -+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) ++fs_rw_anon_inodefs_files(system_mail_t) ++fs_list_inotifyfs(system_mail_t) ++ ++selinux_getattr_fs(system_mail_t) ++ + init_use_script_ptys(system_mail_t) --files_read_etc_files(nagios_cgi_t) --files_read_etc_runtime_files(nagios_cgi_t) --files_read_kernel_symbol_table(nagios_cgi_t) -+files_read_etc_runtime_files(httpd_nagios_script_t) -+files_read_kernel_symbol_table(httpd_nagios_script_t) + userdom_use_user_terminals(system_mail_t) + userdom_dontaudit_search_user_home_dirs(system_mail_t) ++userdom_dontaudit_list_admin_dir(system_mail_t) ++ ++logging_append_all_logs(system_mail_t) --logging_send_syslog_msg(nagios_cgi_t) --logging_search_logs(nagios_cgi_t) -- --miscfiles_read_localization(nagios_cgi_t) + optional_policy(` + apache_read_squirrelmail_data(system_mail_t) + apache_append_squirrelmail_data(system_mail_t) ++ apache_search_bugzilla_dirs(system_mail_t) + + # apache should set close-on-exec + apache_dontaudit_append_log(system_mail_t) + apache_dontaudit_rw_stream_sockets(system_mail_t) + apache_dontaudit_rw_tcp_sockets(system_mail_t) + apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) ++ apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t) + ') + + optional_policy(` +@@ -88,6 +103,13 @@ + optional_policy(` + cron_read_system_job_tmp_files(system_mail_t) + cron_dontaudit_write_pipes(system_mail_t) ++ cron_rw_system_stream_sockets(system_mail_t) ++') ++ ++optional_policy(` ++ courier_manage_spool_dirs(system_mail_t) ++ courier_manage_spool_files(system_mail_t) ++ courier_rw_spool_pipes(system_mail_t) + ') + + optional_policy(` +@@ -95,16 +117,16 @@ + ') + + optional_policy(` +- 
logrotate_read_tmp_files(system_mail_t) ++ exim_domtrans(system_mail_t) ++ exim_manage_log(system_mail_t) + ') + + optional_policy(` +- logwatch_read_tmp_files(system_mail_t) ++ logrotate_read_tmp_files(system_mail_t) + ') + + optional_policy(` +- # newaliases runs as system_mail_t when the sendmail initscript does a restart +- milter_getattr_all_sockets(system_mail_t) ++ logwatch_read_tmp_files(system_mail_t) + ') + + optional_policy(` +@@ -132,10 +154,6 @@ + # compatability for old default main.cf + postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) + ') - --optional_policy(` -- apache_append_log(nagios_cgi_t) --') -+logging_send_syslog_msg(httpd_nagios_script_t) +- optional_policy(` +- cron_rw_tcp_sockets(system_mail_t) +- ') + ') - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.7/policy/modules/services/networkmanager.fc ---- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/networkmanager.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,12 +1,25 @@ -+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) -+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + optional_policy(` +@@ -155,6 +173,19 @@ + ') + + optional_policy(` ++ clamav_stream_connect(system_mail_t) ++ clamav_append_log(system_mail_t) ++') + - /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) - /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++optional_policy(` ++ fail2ban_append_log(system_mail_t) ++ ') ++ ++ optional_policy(` ++ spamd_stream_connect(system_mail_t) ++') ++ ++optional_policy(` + 
smartmon_read_tmp_files(system_mail_t) + ') - /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t, s0) - /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +@@ -174,6 +205,23 @@ + ') + ') + ++read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) ++ ++init_stream_connect_script(mailserver_delivery) ++init_rw_script_stream_sockets(mailserver_delivery) ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(mailserver_delivery) ++ fs_manage_cifs_files(mailserver_delivery) ++ fs_manage_cifs_symlinks(mailserver_delivery) ++') + -+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) -+/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(mailserver_delivery) ++ fs_manage_nfs_files(mailserver_delivery) ++ fs_manage_nfs_symlinks(mailserver_delivery) ++') ++ + ######################################## + # + # User send mail local policy +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.8/policy/modules/services/munin.fc +--- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/munin.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,4 +1,5 @@ + /etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) ++/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) -+/var/log/wicd(/.*)? 
gen_context(system_u:object_r:NetworkManager_log_t,s0) - /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) + /usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) + /usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +@@ -6,6 +7,8 @@ + /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) - /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) - /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) - /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) - /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +-/var/log/munin.* -- gen_context(system_u:object_r:munin_log_t,s0) ++/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) + /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) +-/var/www/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) ++/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) ++/var/www/html/munin/cgi(/.*)? 
gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.7/policy/modules/services/networkmanager.if ---- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/networkmanager.if 2009-03-03 17:11:59.000000000 -0500 -@@ -118,6 +118,24 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.6.8/policy/modules/services/munin.if +--- nsaserefpolicy/policy/modules/services/munin.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/munin.if 2009-03-05 15:25:24.000000000 -0500 +@@ -80,3 +80,76 @@ - ######################################## - ## -+## Execute NetworkManager scripts with an automatic domain transition to initrc. + dontaudit $1 munin_var_lib_t:dir search_dir_perms; + ') ++ ++######################################## ++## ++## Allow the specified domain to append ++## to munin log files. +## +## +## 
@@ -15526,28 +13453,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`networkmanager_initrc_domtrans',` ++interface(`munin_append_log',` + gen_require(` -+ type NetworkManager_initrc_exec_t; ++ type munin_log_t; + ') + -+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ++ logging_search_logs($1) ++ allow $1 munin_log_t:dir list_dir_perms; ++ append_files_pattern($1, munin_log_t, munin_log_t) +') + +######################################## +## - ## Read NetworkManager PID files. - ## - ## -@@ -134,3 +152,30 @@ - files_search_pids($1) - allow $1 NetworkManager_var_run_t:file read_file_perms; - ') -+ -+######################################## -+## -+## Execute NetworkManager in the NetworkManager domain, and -+## allow the specified role the NetworkManager domain. ++## All of the rules required to administrate ++## an munin environment +## +## +## 
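Review bot: In the new `munin_append_log` interface, `allow $1 munin_log_t:dir list_dir_perms;` grants callers read/listing of the log directory, which is more than appending needs; `append_files_pattern($1, munin_log_t, munin_log_t)` on the following line already supplies search access on `munin_log_t` directories, so the explicit line can be dropped unless enumerating the directory is actually required, in which case a comment should state why. The summary of the interface that begins at the end of this hunk reads `## an munin environment` and should read `## a munin environment`; that `munin_admin` interface continues into the next hunk.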
@@ -15556,422 +13475,605 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The role to be allowed the NetworkManager domain. ++## The role to be allowed to manage the munin domain. +## +## +## +# -+interface(`networkmanager_run',` ++interface(`munin_admin',` + gen_require(` -+ type NetworkManager_t, NetworkManager_exec_t; ++ type munin_t, munin_etc_t, munin_tmp_t; ++ type munin_log_t, munin_var_lib_t, munin_var_run_t; ++ type httpd_munin_content_t; ++ type munin_initrc_exec_t; + ') + -+ networkmanager_domtrans($1) -+ role $2 types NetworkManager_t; ++ allow $1 munin_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, munin_t) ++ ++ init_labeled_script_domtrans($1, munin_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 munin_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_tmp($1) ++ admin_pattern($1, munin_tmp_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, munin_log_t) ++ ++ files_list_etc($1) ++ admin_pattern($1, munin_etc_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, munin_var_lib_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, munin_var_run_t) ++ ++ admin_pattern($1, httpd_munin_content_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.7/policy/modules/services/networkmanager.te ---- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/networkmanager.te 2009-03-03 17:11:59.000000000 -0500 -@@ -19,6 +19,9 @@ - type NetworkManager_tmp_t; - files_tmp_file(NetworkManager_tmp_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.8/policy/modules/services/munin.te +--- nsaserefpolicy/policy/modules/services/munin.te 2009-01-19 11:06:49.000000000 -0500 ++++ 
serefpolicy-3.6.8/policy/modules/services/munin.te 2009-03-05 15:25:24.000000000 -0500 +@@ -13,6 +13,9 @@ + type munin_etc_t alias lrrd_etc_t; + files_config_file(munin_etc_t) -+type NetworkManager_var_lib_t; -+files_type(NetworkManager_var_lib_t) ++type munin_initrc_exec_t; ++init_script_file(munin_initrc_exec_t) + - type NetworkManager_var_run_t; - files_pid_file(NetworkManager_var_run_t) - -@@ -33,9 +36,9 @@ + type munin_log_t alias lrrd_log_t; + logging_log_file(munin_log_t) - # networkmanager will ptrace itself if gdb is installed - # and it receives a unexpected signal (rh bug #204161) --allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock }; -+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; - dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; --allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; -+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; - allow NetworkManager_t self:fifo_file rw_fifo_file_perms; - allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; - allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; -@@ -51,8 +54,10 @@ - manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) - logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) +@@ -30,21 +33,25 @@ + # Local policy + # --rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) --files_search_tmp(NetworkManager_t) -+manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) -+files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file) +-allow munin_t self:capability { setgid setuid }; ++allow munin_t self:capability { chown dac_override setgid setuid sys_rawio 
}; + dontaudit munin_t self:capability sys_tty_config; + allow munin_t self:process { getsched setsched signal_perms }; + allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; + allow munin_t self:tcp_socket create_stream_socket_perms; + allow munin_t self:udp_socket create_socket_perms; ++allow munin_t self:fifo_file manage_fifo_file_perms; + -+manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) - - manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) - manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -@@ -63,6 +68,8 @@ - kernel_read_network_state(NetworkManager_t) - kernel_read_kernel_sysctls(NetworkManager_t) - kernel_load_module(NetworkManager_t) -+kernel_read_debugfs(NetworkManager_t) -+kernel_rw_net_sysctls(NetworkManager_t) - - corenet_all_recvfrom_unlabeled(NetworkManager_t) - corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -81,13 +88,18 @@ - corenet_sendrecv_isakmp_server_packets(NetworkManager_t) - corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) - corenet_sendrecv_all_client_packets(NetworkManager_t) -+corenet_rw_tun_tap_dev(NetworkManager_t) -+corenet_getattr_ppp_dev(NetworkManager_t) - - dev_read_sysfs(NetworkManager_t) - dev_read_rand(NetworkManager_t) - dev_read_urand(NetworkManager_t) -+dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) -+dev_getattr_all_chr_files(NetworkManager_t) - - fs_getattr_all_fs(NetworkManager_t) - fs_search_auto_mountpoints(NetworkManager_t) -+fs_list_inotifyfs(NetworkManager_t) - - mls_file_read_all_levels(NetworkManager_t) ++can_exec(munin_t, munin_exec_t) -@@ -98,15 +110,19 @@ + allow munin_t munin_etc_t:dir list_dir_perms; + read_files_pattern(munin_t, munin_etc_t, munin_etc_t) + read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t) + files_search_etc(munin_t) - 
domain_use_interactive_fds(NetworkManager_t) - domain_read_confined_domains_state(NetworkManager_t) --domain_dontaudit_read_all_domains_state(NetworkManager_t) +-allow munin_t munin_log_t:file manage_file_perms; +-logging_log_filetrans(munin_t, munin_log_t, file) ++manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) ++manage_files_pattern(munin_t, munin_log_t, munin_log_t) ++logging_log_filetrans(munin_t, munin_log_t, { file dir }) - files_read_etc_files(NetworkManager_t) - files_read_etc_runtime_files(NetworkManager_t) - files_read_usr_files(NetworkManager_t) + manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) + manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) +@@ -61,9 +68,11 @@ + files_pid_filetrans(munin_t, munin_var_run_t, file) -+storage_getattr_fixed_disk_dev(NetworkManager_t) -+ - init_read_utmp(NetworkManager_t) -+init_dontaudit_write_utmp(NetworkManager_t) - init_domtrans_script(NetworkManager_t) + kernel_read_system_state(munin_t) +-kernel_read_kernel_sysctls(munin_t) ++kernel_read_network_state(munin_t) ++kernel_read_all_sysctls(munin_t) -+auth_use_nsswitch(NetworkManager_t) -+ - logging_send_syslog_msg(NetworkManager_t) + corecmd_exec_bin(munin_t) ++corecmd_exec_shell(munin_t) - miscfiles_read_localization(NetworkManager_t) -@@ -116,25 +132,40 @@ + corenet_all_recvfrom_unlabeled(munin_t) + corenet_all_recvfrom_netlabel(munin_t) +@@ -73,24 +82,36 @@ + corenet_udp_sendrecv_generic_node(munin_t) + corenet_tcp_sendrecv_all_ports(munin_t) + corenet_udp_sendrecv_all_ports(munin_t) ++corenet_tcp_bind_munin_port(munin_t) ++corenet_tcp_connect_munin_port(munin_t) ++corenet_tcp_connect_http_port(munin_t) ++corenet_tcp_bind_generic_node(munin_t) - seutil_read_config(NetworkManager_t) + dev_read_sysfs(munin_t) + dev_read_urand(munin_t) ++fs_list_inotifyfs(munin_t) --sysnet_domtrans_ifconfig(NetworkManager_t) --sysnet_domtrans_dhcpc(NetworkManager_t) --sysnet_signal_dhcpc(NetworkManager_t) --sysnet_read_dhcpc_pid(NetworkManager_t) 
-+sysnet_etc_filetrans_config(NetworkManager_t) - sysnet_delete_dhcpc_pid(NetworkManager_t) --sysnet_search_dhcp_state(NetworkManager_t) --# in /etc created by NetworkManager will be labelled net_conf_t. -+sysnet_domtrans_dhcpc(NetworkManager_t) -+sysnet_domtrans_ifconfig(NetworkManager_t) -+sysnet_kill_dhcpc(NetworkManager_t) - sysnet_manage_config(NetworkManager_t) --sysnet_etc_filetrans_config(NetworkManager_t) -+sysnet_read_dhcp_config(NetworkManager_t) -+sysnet_read_dhcpc_pid(NetworkManager_t) -+sysnet_delete_dhcpc_state(NetworkManager_t) -+sysnet_read_dhcpc_state(NetworkManager_t) -+sysnet_signal_dhcpc(NetworkManager_t) + domain_use_interactive_fds(munin_t) ++domain_read_all_domains_state(munin_t) -+userdom_stream_connect(NetworkManager_t) - userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) - userdom_dontaudit_use_user_ttys(NetworkManager_t) - # Read gnome-keyring - userdom_read_user_home_content_files(NetworkManager_t) -+userdom_dgram_send(NetworkManager_t) -+ -+cron_read_system_job_lib_files(NetworkManager_t) + files_read_etc_files(munin_t) + files_read_etc_runtime_files(munin_t) + files_read_usr_files(munin_t) ++files_list_spool(munin_t) + + fs_getattr_all_fs(munin_t) + fs_search_auto_mountpoints(munin_t) + ++auth_use_nsswitch(munin_t) + -+optional_policy(` -+ avahi_domtrans(NetworkManager_t) -+ avahi_kill(NetworkManager_t) -+ avahi_signal(NetworkManager_t) -+ avahi_signull(NetworkManager_t) -+') + logging_send_syslog_msg(munin_t) ++logging_read_all_logs(munin_t) - optional_policy(` - bind_domtrans(NetworkManager_t) - bind_manage_cache(NetworkManager_t) -+ bind_kill(NetworkManager_t) - bind_signal(NetworkManager_t) -+ bind_signull(NetworkManager_t) - ') ++miscfiles_read_fonts(munin_t) + miscfiles_read_localization(munin_t) - optional_policy(` -@@ -146,8 +177,25 @@ +-sysnet_read_config(munin_t) ++sysnet_exec_ifconfig(munin_t) ++netutils_domtrans_ping(munin_t) + + userdom_dontaudit_use_unpriv_user_fds(munin_t) + 
userdom_dontaudit_search_user_home_dirs(munin_t) +@@ -105,7 +126,31 @@ ') optional_policy(` -- dbus_system_bus_client(NetworkManager_t) -- dbus_connect_system_bus(NetworkManager_t) -+ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) +- nis_use_ypbind(munin_t) ++ fstools_domtrans(munin_t) ++') + -+ optional_policy(` -+ consolekit_dbus_chat(NetworkManager_t) -+ ') ++optional_policy(` ++ mta_read_config(munin_t) ++ mta_send_mail(munin_t) ++ mta_read_queue(munin_t) +') + +optional_policy(` -+ dnsmasq_read_pid_files(NetworkManager_t) -+ dnsmasq_delete_pid_files(NetworkManager_t) -+ dnsmasq_domtrans(NetworkManager_t) -+ dnsmasq_initrc_domtrans(NetworkManager_t) -+ dnsmasq_kill(NetworkManager_t) -+ dnsmasq_signal(NetworkManager_t) -+ dnsmasq_signull(NetworkManager_t) ++ mysql_read_config(munin_t) ++ mysql_stream_connect(munin_t) +') + +optional_policy(` -+ hal_write_log(NetworkManager_t) ++ postfix_list_spool(munin_t) ++ postfix_getattr_spool_files(munin_t) ++') ++ ++optional_policy(` ++ rpc_search_nfs_state_data(munin_t) ++') ++ ++optional_policy(` ++ sendmail_read_log(munin_t) ') optional_policy(` -@@ -155,23 +203,50 @@ - ') - +@@ -115,3 +160,10 @@ optional_policy(` -- nis_use_ypbind(NetworkManager_t) -+ iptables_domtrans(NetworkManager_t) + udev_read_db(munin_t) ') ++ ++#============= http munin policy ============== ++apache_content_template(munin) ++ ++manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.8/policy/modules/services/mysql.fc +--- nsaserefpolicy/policy/modules/services/mysql.fc 2008-11-18 18:57:20.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/mysql.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -12,6 +12,8 @@ + # + /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) - optional_policy(` 
-- nscd_socket_use(NetworkManager_t) -+ nscd_domtrans(NetworkManager_t) - nscd_signal(NetworkManager_t) -+ nscd_signull(NetworkManager_t) -+ nscd_kill(NetworkManager_t) -+ nscd_initrc_domtrans(NetworkManager_t) -+') ++/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) + -+optional_policy(` -+ # Dispatcher starting and stoping ntp -+ ntp_initrc_domtrans(NetworkManager_t) - ') + /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) - optional_policy(` - openvpn_domtrans(NetworkManager_t) -+ openvpn_kill(NetworkManager_t) - openvpn_signal(NetworkManager_t) -+ openvpn_signull(NetworkManager_t) + # +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.6.8/policy/modules/services/mysql.if +--- nsaserefpolicy/policy/modules/services/mysql.if 2008-11-18 18:57:20.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/mysql.if 2009-03-05 15:25:24.000000000 -0500 +@@ -161,6 +161,25 @@ + allow $1 mysqld_db_t:sock_file rw_sock_file_perms; ') - optional_policy(` -+ polkit_domtrans_auth(NetworkManager_t) -+ polkit_read_lib(NetworkManager_t) -+ polkit_read_reload(NetworkManager_t) -+ userdom_read_all_users_state(NetworkManager_t) -+') ++##################################### ++## ++## Search MySQL PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`mysql_search_pid_files',` ++ gen_require(` ++ type mysqld_var_run_t; ++ ') + -+optional_policy(` -+ ppp_initrc_domtrans(NetworkManager_t) - ppp_domtrans(NetworkManager_t) - ppp_read_pid_files(NetworkManager_t) -+ ppp_kill(NetworkManager_t) - ppp_signal(NetworkManager_t) -+ ppp_signull(NetworkManager_t) -+ ppp_read_config(NetworkManager_t) ++ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) +') + -+optional_policy(` -+ rpm_exec(NetworkManager_t) -+ rpm_read_db(NetworkManager_t) -+ rpm_dontaudit_manage_db(NetworkManager_t) + ######################################## + ## + ## Write to the MySQL log. +@@ -177,7 +196,7 @@ + ') + + logging_search_logs($1) +- allow $1 mysqld_log_t:file { write_file_perms setattr }; ++ allow $1 mysqld_log_t:file { write_file_perms setattr getattr }; ') - optional_policy(` -@@ -184,7 +259,9 @@ + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.8/policy/modules/services/mysql.te +--- nsaserefpolicy/policy/modules/services/mysql.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/mysql.te 2009-03-05 15:25:24.000000000 -0500 +@@ -10,6 +10,10 @@ + type mysqld_exec_t; + init_daemon_domain(mysqld_t, mysqld_exec_t) + ++type mysqld_safe_t; ++type mysqld_safe_exec_t; ++init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) ++ + type mysqld_var_run_t; + files_pid_file(mysqld_var_run_t) + +@@ -30,7 +34,7 @@ + + ######################################## + # +-# Local policy ++# Local mysqld policy + # + allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; +@@ -121,3 +125,36 @@ optional_policy(` - vpn_domtrans(NetworkManager_t) -+ vpn_kill(NetworkManager_t) - vpn_signal(NetworkManager_t) -+ vpn_signull(NetworkManager_t) + udev_read_db(mysqld_t) ') ++ ++####################################### ++# ++# Local mysqld_safe policy 
++#
++
++domtrans_pattern(mysqld_safe_t,mysqld_exec_t,mysqld_t)
++allow mysqld_safe_t self:capability { dac_override fowner chown };
++allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
++
++append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
++
++mysql_read_config(mysqld_safe_t)
++mysql_search_pid_files(mysqld_safe_t)
++mysql_write_log(mysqld_safe_t)
++
++kernel_read_system_state(mysqld_safe_t)
++
++files_read_etc_files(mysqld_safe_t)
++files_read_usr_files(mysqld_safe_t)
++
++dev_list_sysfs(mysqld_safe_t)
++
++corecmd_exec_bin(mysqld_safe_t)
++
++libs_use_ld_so(mysqld_safe_t)
++libs_use_shared_libs(mysqld_safe_t)
++
++miscfiles_read_localization(mysqld_safe_t)
++
++permissive mysqld_safe_t;
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.8/policy/modules/services/nagios.fc
+--- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.8/policy/modules/services/nagios.fc 2009-03-05 15:25:24.000000000 -0500
+@@ -1,16 +1,19 @@
+ /etc/nagios(/.*)?
gen_context(system_u:object_r:nagios_etc_t,s0) + /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) ++/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.7/policy/modules/services/nis.fc ---- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/nis.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,9 +1,13 @@ -- -+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) - /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) + /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) + /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) - /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) +-/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) +-/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) ++/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) - /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -+/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) + /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++ ++/var/spool/nagios(/.*)? 
gen_context(system_u:object_r:nagios_spool_t,s0) + + ifdef(`distro_debian',` + /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +-/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) + ') ++/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.8/policy/modules/services/nagios.if +--- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/nagios.if 2009-03-05 15:25:24.000000000 -0500 +@@ -44,7 +44,7 @@ - /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) - /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.7/policy/modules/services/nis.if ---- nsaserefpolicy/policy/modules/services/nis.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/nis.if 2009-03-03 17:11:59.000000000 -0500 -@@ -28,7 +28,7 @@ - type var_yp_t; + ######################################## + ## +-## Execute the nagios CGI with ++## Execute the nagios NRPE with + ## a domain transition. 
+ ## + ## +@@ -53,18 +53,37 @@ + ## + ## + # +-interface(`nagios_domtrans_cgi',` ++interface(`nagios_domtrans_nrpe',` + gen_require(` +- type nagios_cgi_t, nagios_cgi_exec_t; ++ type nrpe_t, nrpe_exec_t; ') -- dontaudit $1 self:capability net_bind_service; -+ allow $1 self:capability net_bind_service; - - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; -@@ -49,8 +49,8 @@ - corenet_udp_bind_generic_node($1) - corenet_tcp_bind_generic_port($1) - corenet_udp_bind_generic_port($1) -- corenet_tcp_bind_reserved_port($1) -- corenet_udp_bind_reserved_port($1) -+ corenet_dontaudit_tcp_bind_all_reserved_ports($1) -+ corenet_dontaudit_udp_bind_all_reserved_ports($1) - corenet_dontaudit_tcp_bind_all_ports($1) - corenet_dontaudit_udp_bind_all_ports($1) - corenet_tcp_connect_portmap_port($1) -@@ -87,6 +87,25 @@ +- domtrans_pattern($1, nagios_cgi_exec_t, nagios_cgi_t) ++ domtrans_pattern($1, nrpe_exec_t, nrpe_t) + ') ######################################## ## -+## Use the nis to authenticate passwords +-## Execute the nagios NRPE with +-## a domain transition. ++## Do not audit attempts to read and write ++## NAGIOS unnamed pipes. +## +## +## -+## The type of the process performing this action. ++## Domain to not audit. +## +## -+## +# -+interface(`nis_authenticate',` -+ tunable_policy(`allow_ypbind',` -+ nis_use_ypbind_uncond($1) -+ corenet_tcp_bind_all_rpc_ports($1) -+ corenet_udp_bind_all_rpc_ports($1) ++interface(`nagios_dontaudit_rw_pipes',` ++ ++ gen_require(` ++ type nagios_t; + ') ++ ++ dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## - ## Execute ypbind in the ypbind domain. ++## Search nagios spool directories. 
## ## -@@ -244,3 +263,130 @@ - corecmd_search_bin($1) - domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) - ') + ## +@@ -72,10 +91,63 @@ + ## + ## + # +-interface(`nagios_domtrans_nrpe',` ++interface(`nagios_search_spool',` + gen_require(` +- type nrpe_t, nrpe_exec_t; ++ type nagios_spool_t; + ') + +- domtrans_pattern($1, nrpe_exec_t, nrpe_t) ++ allow $1 nagios_spool_t:dir search_dir_perms; ++ files_search_spool($1) ++') + +######################################## +## -+## Execute nis server in the nis domain. ++## All of the rules required to administrate ++## an nagios environment +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. +## +## -+# -+# -+interface(`nis_initrc_domtrans',` -+ gen_require(` -+ type nis_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, nis_initrc_exec_t) -+') -+ -+######################################## -+## -+## Execute nis server in the nis domain. -+## -+## ++## +## -+## The type of the process performing this action. ++## The role to be allowed to manage the nagios domain. 
+## +## ++## +# -+interface(`nis_ypbind_initrc_domtrans',` ++interface(`nagios_admin',` + gen_require(` -+ type ypbind_initrc_exec_t; ++ type nagios_t, nrpe_t; ++ type nagios_tmp_t, nagios_log_t; ++ type nagios_etc_t, nrpe_etc_t; ++ type nagios_spool_t, nagios_var_run_t; ++ type nagios_initrc_exec_t; + ') + -+ init_labeled_script_domtrans($1, ypbind_initrc_exec_t) -+') ++ allow $1 nagios_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, nagios_t) ++ ++ init_labeled_script_domtrans($1, nagios_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 nagios_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_tmp($1) ++ admin_pattern($1, nagios_tmp_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, nagios_log_t) ++ ++ files_list_etc($1) ++ admin_pattern($1, nagios_etc_t) ++ ++ files_list_spool($1) ++ admin_pattern($1, nagios_spool_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, nagios_var_run_t) ++ ++ admin_pattern($1, nrpe_etc_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.8/policy/modules/services/nagios.te +--- nsaserefpolicy/policy/modules/services/nagios.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/nagios.te 2009-03-05 15:25:24.000000000 -0500 +@@ -10,13 +10,12 @@ + type nagios_exec_t; + init_daemon_domain(nagios_t, nagios_exec_t) + +-type nagios_cgi_t; +-type nagios_cgi_exec_t; +-init_system_domain(nagios_cgi_t, nagios_cgi_exec_t) +- + type nagios_etc_t; + files_config_file(nagios_etc_t) + ++type nagios_initrc_exec_t; ++init_script_file(nagios_initrc_exec_t) ++ + type nagios_log_t; + logging_log_file(nagios_log_t) + +@@ -26,6 +25,9 @@ + type nagios_var_run_t; + files_pid_file(nagios_var_run_t) + ++type nagios_spool_t; ++files_type(nagios_spool_t) ++ + type nrpe_t; + type nrpe_exec_t; + init_daemon_domain(nrpe_t, nrpe_exec_t) +@@ -60,6 +62,8 @@ + manage_files_pattern(nagios_t, nagios_var_run_t, 
nagios_var_run_t) + files_pid_filetrans(nagios_t, nagios_var_run_t, file) + ++rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) ++ + kernel_read_system_state(nagios_t) + kernel_read_kernel_sysctls(nagios_t) + +@@ -127,39 +131,34 @@ + # + # Nagios CGI local policy + # ++apache_content_template(nagios) ++typealias httpd_nagios_script_t alias nagios_cgi_t; ++typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; + +-allow nagios_cgi_t self:process signal_perms; +-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; ++allow httpd_nagios_script_t self:process signal_perms; + +-read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) +-read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) ++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) + +-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; +-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) +-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) ++files_search_spool(httpd_nagios_script_t) ++rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) + +-allow nagios_cgi_t nagios_log_t:dir list_dir_perms; +-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) +-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) ++allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; ++read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) + +-kernel_read_system_state(nagios_cgi_t) ++allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; ++read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) + +-corecmd_exec_bin(nagios_cgi_t) ++kernel_read_system_state(httpd_nagios_script_t) + +-domain_dontaudit_read_all_domains_state(nagios_cgi_t) 
++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) + +-files_read_etc_files(nagios_cgi_t) +-files_read_etc_runtime_files(nagios_cgi_t) +-files_read_kernel_symbol_table(nagios_cgi_t) ++files_read_etc_runtime_files(httpd_nagios_script_t) ++files_read_kernel_symbol_table(httpd_nagios_script_t) + +-logging_send_syslog_msg(nagios_cgi_t) +-logging_search_logs(nagios_cgi_t) +- +-miscfiles_read_localization(nagios_cgi_t) +- +-optional_policy(` +- apache_append_log(nagios_cgi_t) +-') ++logging_send_syslog_msg(httpd_nagios_script_t) + + ######################################## + # +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.8/policy/modules/services/networkmanager.fc +--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/networkmanager.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,12 +1,25 @@ ++/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) ++/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++ + /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) + /sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + + /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t, s0) + /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++ ++/var/lib/wicd(/.*)? 
gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) ++/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) + ++/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) + /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) + + /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + -+######################################## -+## -+## All of the rules required to administrate -+## an nis environment +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.8/policy/modules/services/networkmanager.if +--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/networkmanager.if 2009-03-05 15:25:24.000000000 -0500 +@@ -118,6 +118,24 @@ + + ######################################## + ## ++## Execute NetworkManager scripts with an automatic domain transition to initrc. +## +## +## +## Domain allowed access. +## +## -+## -+## -+## The role to be allowed to manage the nis domain. 
-+## -+## -+## +# -+interface(`nis_admin',` ++interface(`networkmanager_initrc_domtrans',` + gen_require(` -+ type ypbind_t, yppasswdd_t; -+ type ypserv_t, ypxfr_t; -+ type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; -+ type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; -+ type ypbind_initrc_exec_t; -+ type nis_initrc_exec_t; ++ type NetworkManager_initrc_exec_t; + ') + -+ allow $1 ypbind_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ypbind_t) -+ -+ allow $1 yppasswdd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, yppasswdd_t) -+ -+ allow $1 ypserv_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ypserv_t) -+ -+ allow $1 ypxfr_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ypxfr_t) -+ -+ nis_initrc_domtrans($1) -+ nis_ypbind_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 nis_initrc_exec_t system_r; -+ role_transition $2 ypbind_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_tmp($1) -+ admin_pattern($1, ypbind_tmp_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, ypbind_var_run_t) -+ -+ admin_pattern($1, yppasswdd_var_run_t) -+ -+ files_list_etc($1) -+ admin_pattern($1, ypserv_conf_t) -+ -+ admin_pattern($1, ypserv_tmp_t) -+ -+ admin_pattern($1, ypserv_var_run_t) ++ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) +') + ++######################################## ++## + ## Read NetworkManager PID files. + ## + ## +@@ -134,3 +152,30 @@ + files_search_pids($1) + allow $1 NetworkManager_var_run_t:file read_file_perms; + ') + +######################################## +## -+## Execute ypbind in the ypbind domain, and -+## allow the specified role the ypbind domain. ++## Execute NetworkManager in the NetworkManager domain, and ++## allow the specified role the NetworkManager domain. +## +## +## 
@@ -15980,1847 +14082,1479 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The role to be allowed the ypbind domain. ++## The role to be allowed the NetworkManager domain. +## +## +## +# -+interface(`nis_run_ypbind',` ++interface(`networkmanager_run',` + gen_require(` -+ type ypbind_t; ++ type NetworkManager_t, NetworkManager_exec_t; + ') + -+ nis_domtrans_ypbind($1) -+ role $2 types ypbind_t; ++ networkmanager_domtrans($1) ++ role $2 types NetworkManager_t; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.7/policy/modules/services/nis.te ---- nsaserefpolicy/policy/modules/services/nis.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/nis.te 2009-03-03 17:11:59.000000000 -0500 -@@ -13,6 +13,9 @@ - type ypbind_exec_t; - init_daemon_domain(ypbind_t, ypbind_exec_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.8/policy/modules/services/networkmanager.te +--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/networkmanager.te 2009-03-05 15:25:24.000000000 -0500 +@@ -19,6 +19,9 @@ + type NetworkManager_tmp_t; + files_tmp_file(NetworkManager_tmp_t) -+type ypbind_initrc_exec_t; -+init_script_file(ypbind_initrc_exec_t) ++type NetworkManager_var_lib_t; ++files_type(NetworkManager_var_lib_t) + - type ypbind_tmp_t; - files_tmp_file(ypbind_tmp_t) + type NetworkManager_var_run_t; + files_pid_file(NetworkManager_var_run_t) -@@ -44,6 +47,9 @@ - type ypxfr_exec_t; - init_daemon_domain(ypxfr_t, ypxfr_exec_t) +@@ -33,9 +36,9 @@ -+type nis_initrc_exec_t; -+init_script_file(nis_initrc_exec_t) -+ - ######################################## - # - # ypbind local policy -@@ -111,6 +117,16 @@ - userdom_dontaudit_search_user_home_dirs(ypbind_t) + 
# networkmanager will ptrace itself if gdb is installed + # and it receives a unexpected signal (rh bug #204161) +-allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock }; ++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; + dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; +-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; ++allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; + allow NetworkManager_t self:fifo_file rw_fifo_file_perms; + allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; + allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; +@@ -51,8 +54,10 @@ + manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) + logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) - optional_policy(` -+ dbus_system_bus_client(ypbind_t) -+ dbus_connect_system_bus(ypbind_t) -+ init_dbus_chat_script(ypbind_t) -+ -+ optional_policy(` -+ networkmanager_dbus_chat(ypbind_t) -+ ') -+') +-rw_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) +-files_search_tmp(NetworkManager_t) ++manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) ++files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file) + -+optional_policy(` - seutil_sigchld_newrole(ypbind_t) - ') ++manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) -@@ -123,6 +139,7 @@ - # yppasswdd local policy - # + manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) + manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) +@@ -63,6 +68,8 @@ + 
kernel_read_network_state(NetworkManager_t) + kernel_read_kernel_sysctls(NetworkManager_t) + kernel_load_module(NetworkManager_t) ++kernel_read_debugfs(NetworkManager_t) ++kernel_rw_net_sysctls(NetworkManager_t) -+allow yppasswdd_t self:capability dac_override; - dontaudit yppasswdd_t self:capability sys_tty_config; - allow yppasswdd_t self:fifo_file rw_fifo_file_perms; - allow yppasswdd_t self:process { setfscreate signal_perms }; -@@ -153,8 +170,8 @@ - corenet_udp_sendrecv_all_ports(yppasswdd_t) - corenet_tcp_bind_generic_node(yppasswdd_t) - corenet_udp_bind_generic_node(yppasswdd_t) --corenet_tcp_bind_reserved_port(yppasswdd_t) --corenet_udp_bind_reserved_port(yppasswdd_t) -+corenet_tcp_bind_all_rpc_ports(yppasswdd_t) -+corenet_udp_bind_all_rpc_ports(yppasswdd_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) - corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) - corenet_sendrecv_generic_server_packets(yppasswdd_t) -@@ -241,6 +258,8 @@ - corenet_udp_bind_generic_node(ypserv_t) - corenet_tcp_bind_reserved_port(ypserv_t) - corenet_udp_bind_reserved_port(ypserv_t) -+corenet_tcp_bind_all_rpc_ports(ypserv_t) -+corenet_udp_bind_all_rpc_ports(ypserv_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) - corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) - corenet_sendrecv_generic_server_packets(ypserv_t) -@@ -306,6 +325,8 @@ - corenet_udp_bind_generic_node(ypxfr_t) - corenet_tcp_bind_reserved_port(ypxfr_t) - corenet_udp_bind_reserved_port(ypxfr_t) -+corenet_tcp_bind_all_rpc_ports(ypxfr_t) -+corenet_udp_bind_all_rpc_ports(ypxfr_t) - corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) - corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) - corenet_tcp_connect_all_ports(ypxfr_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.6.7/policy/modules/services/nscd.fc ---- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ 
serefpolicy-3.6.7/policy/modules/services/nscd.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,3 +1,4 @@ -+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) + corenet_all_recvfrom_unlabeled(NetworkManager_t) + corenet_all_recvfrom_netlabel(NetworkManager_t) +@@ -81,13 +88,18 @@ + corenet_sendrecv_isakmp_server_packets(NetworkManager_t) + corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) + corenet_sendrecv_all_client_packets(NetworkManager_t) ++corenet_rw_tun_tap_dev(NetworkManager_t) ++corenet_getattr_ppp_dev(NetworkManager_t) - /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) + dev_read_sysfs(NetworkManager_t) + dev_read_rand(NetworkManager_t) + dev_read_urand(NetworkManager_t) ++dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) ++dev_getattr_all_chr_files(NetworkManager_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.7/policy/modules/services/nscd.if ---- nsaserefpolicy/policy/modules/services/nscd.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/nscd.if 2009-03-03 17:11:59.000000000 -0500 -@@ -58,6 +58,42 @@ + fs_getattr_all_fs(NetworkManager_t) + fs_search_auto_mountpoints(NetworkManager_t) ++fs_list_inotifyfs(NetworkManager_t) - ######################################## - ## -+## Send NSCD the kill signal. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`nscd_kill',` -+ gen_require(` -+ type nscd_t; -+ ') -+ -+ allow $1 nscd_t:process sigkill; -+') -+ -+######################################## -+## -+## Send signulls to NSCD. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`nscd_signull',` -+ gen_require(` -+ type nscd_t; -+ ') + mls_file_read_all_levels(NetworkManager_t) + +@@ -98,15 +110,19 @@ + + domain_use_interactive_fds(NetworkManager_t) + domain_read_confined_domains_state(NetworkManager_t) +-domain_dontaudit_read_all_domains_state(NetworkManager_t) + + files_read_etc_files(NetworkManager_t) + files_read_etc_runtime_files(NetworkManager_t) + files_read_usr_files(NetworkManager_t) + ++storage_getattr_fixed_disk_dev(NetworkManager_t) + -+ allow $1 nscd_t:process signull; -+') + init_read_utmp(NetworkManager_t) ++init_dontaudit_write_utmp(NetworkManager_t) + init_domtrans_script(NetworkManager_t) + ++auth_use_nsswitch(NetworkManager_t) + -+######################################## -+## - ## Use NSCD services by connecting using - ## a unix stream socket. - ## -@@ -70,15 +106,14 @@ - interface(`nscd_socket_use',` - gen_require(` - type nscd_t, nscd_var_run_t; -- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; -+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; - ') + logging_send_syslog_msg(NetworkManager_t) - allow $1 self:unix_stream_socket create_socket_perms; + miscfiles_read_localization(NetworkManager_t) +@@ -116,25 +132,40 @@ - allow $1 nscd_t:nscd { getpwd getgrp gethost }; - dontaudit $1 nscd_t:fd use; -- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; -- -+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; - files_search_pids($1) - stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) - dontaudit $1 nscd_var_run_t:file { getattr read }; -@@ -198,3 +233,60 @@ - nscd_domtrans($1) - role $2 types nscd_t; - ') + seutil_read_config(NetworkManager_t) + +-sysnet_domtrans_ifconfig(NetworkManager_t) +-sysnet_domtrans_dhcpc(NetworkManager_t) +-sysnet_signal_dhcpc(NetworkManager_t) +-sysnet_read_dhcpc_pid(NetworkManager_t) ++sysnet_etc_filetrans_config(NetworkManager_t) + 
sysnet_delete_dhcpc_pid(NetworkManager_t) +-sysnet_search_dhcp_state(NetworkManager_t) +-# in /etc created by NetworkManager will be labelled net_conf_t. ++sysnet_domtrans_dhcpc(NetworkManager_t) ++sysnet_domtrans_ifconfig(NetworkManager_t) ++sysnet_kill_dhcpc(NetworkManager_t) + sysnet_manage_config(NetworkManager_t) +-sysnet_etc_filetrans_config(NetworkManager_t) ++sysnet_read_dhcp_config(NetworkManager_t) ++sysnet_read_dhcpc_pid(NetworkManager_t) ++sysnet_delete_dhcpc_state(NetworkManager_t) ++sysnet_read_dhcpc_state(NetworkManager_t) ++sysnet_signal_dhcpc(NetworkManager_t) + ++userdom_stream_connect(NetworkManager_t) + userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) + userdom_dontaudit_use_user_ttys(NetworkManager_t) + # Read gnome-keyring + userdom_read_user_home_content_files(NetworkManager_t) ++userdom_dgram_send(NetworkManager_t) + -+######################################## -+## -+## Execute nscd server in the nscd domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`nscd_initrc_domtrans',` -+ gen_require(` -+ type nscd_initrc_exec_t; -+') ++cron_read_system_job_lib_files(NetworkManager_t) + -+ init_labeled_script_domtrans($1, nscd_initrc_exec_t) ++optional_policy(` ++ avahi_domtrans(NetworkManager_t) ++ avahi_kill(NetworkManager_t) ++ avahi_signal(NetworkManager_t) ++ avahi_signull(NetworkManager_t) +') + + optional_policy(` + bind_domtrans(NetworkManager_t) + bind_manage_cache(NetworkManager_t) ++ bind_kill(NetworkManager_t) + bind_signal(NetworkManager_t) ++ bind_signull(NetworkManager_t) + ') + + optional_policy(` +@@ -146,8 +177,25 @@ + ') + + optional_policy(` +- dbus_system_bus_client(NetworkManager_t) +- dbus_connect_system_bus(NetworkManager_t) ++ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) + -+######################################## -+## -+## All of the rules required to administrate -+## an nscd environment -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+## -+## The role to be allowed to manage the nscd domain. -+## -+## -+## -+# -+interface(`nscd_admin',` -+ gen_require(` -+ type nscd_t, nscd_log_t, nscd_var_run_t; -+ type nscd_initrc_exec_t; ++ optional_policy(` ++ consolekit_dbus_chat(NetworkManager_t) + ') -+ -+ allow $1 nscd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, nscd_t) -+ -+ nscd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 nscd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ logging_list_logs($1) -+ admin_pattern($1, nscd_log_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, nscd_var_run_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.7/policy/modules/services/nscd.te ---- nsaserefpolicy/policy/modules/services/nscd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/nscd.te 2009-03-03 17:11:59.000000000 -0500 -@@ -20,6 +20,9 @@ - type nscd_exec_t; - init_daemon_domain(nscd_t, nscd_exec_t) - -+type nscd_initrc_exec_t; -+init_script_file(nscd_initrc_exec_t) ++optional_policy(` ++ dnsmasq_read_pid_files(NetworkManager_t) ++ dnsmasq_delete_pid_files(NetworkManager_t) ++ dnsmasq_domtrans(NetworkManager_t) ++ dnsmasq_initrc_domtrans(NetworkManager_t) ++ dnsmasq_kill(NetworkManager_t) ++ dnsmasq_signal(NetworkManager_t) ++ dnsmasq_signull(NetworkManager_t) ++') + - type nscd_log_t; - logging_log_file(nscd_log_t) - -@@ -28,14 +31,14 @@ - # Local policy - # ++optional_policy(` ++ hal_write_log(NetworkManager_t) + ') --allow nscd_t self:capability { kill setgid setuid audit_write }; -+allow nscd_t self:capability { kill setgid setuid }; - dontaudit nscd_t self:capability sys_tty_config; --allow nscd_t self:process { getattr setsched signal_perms }; -+allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; - allow nscd_t self:fifo_file read_fifo_file_perms; - allow nscd_t self:unix_stream_socket 
create_stream_socket_perms; - allow nscd_t self:unix_dgram_socket create_socket_perms; - allow nscd_t self:netlink_selinux_socket create_socket_perms; --allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+ - allow nscd_t self:tcp_socket create_socket_perms; - allow nscd_t self:udp_socket create_socket_perms; + optional_policy(` +@@ -155,23 +203,50 @@ + ') -@@ -50,6 +53,8 @@ - manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) - files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) + optional_policy(` +- nis_use_ypbind(NetworkManager_t) ++ iptables_domtrans(NetworkManager_t) + ') -+can_exec(nscd_t, nscd_exec_t) + optional_policy(` +- nscd_socket_use(NetworkManager_t) ++ nscd_domtrans(NetworkManager_t) + nscd_signal(NetworkManager_t) ++ nscd_signull(NetworkManager_t) ++ nscd_kill(NetworkManager_t) ++ nscd_initrc_domtrans(NetworkManager_t) ++') + - kernel_read_kernel_sysctls(nscd_t) - kernel_list_proc(nscd_t) - kernel_read_proc_symlinks(nscd_t) -@@ -60,6 +65,7 @@ - - fs_getattr_all_fs(nscd_t) - fs_search_auto_mountpoints(nscd_t) -+fs_list_inotifyfs(nscd_t) - - # for when /etc/passwd has just been updated and has the wrong type - auth_getattr_shadow(nscd_t) -@@ -73,6 +79,7 @@ - corenet_udp_sendrecv_generic_node(nscd_t) - corenet_tcp_sendrecv_all_ports(nscd_t) - corenet_udp_sendrecv_all_ports(nscd_t) -+corenet_udp_bind_generic_node(nscd_t) - corenet_tcp_connect_all_ports(nscd_t) - corenet_sendrecv_all_client_packets(nscd_t) - corenet_rw_tun_tap_dev(nscd_t) -@@ -84,12 +91,14 @@ - selinux_compute_relabel_context(nscd_t) - selinux_compute_user_contexts(nscd_t) - domain_use_interactive_fds(nscd_t) -+domain_search_all_domains_state(nscd_t) - - files_read_etc_files(nscd_t) - files_read_generic_tmp_symlinks(nscd_t) - # Needed to read files created by firstboot "/etc/hesiod.conf" - files_read_etc_runtime_files(nscd_t) - -+logging_send_audit_msgs(nscd_t) - logging_send_syslog_msg(nscd_t) ++optional_policy(` ++ # 
Dispatcher starting and stoping ntp ++ ntp_initrc_domtrans(NetworkManager_t) + ') - miscfiles_read_localization(nscd_t) -@@ -105,6 +114,14 @@ - userdom_dontaudit_search_user_home_dirs(nscd_t) + optional_policy(` + openvpn_domtrans(NetworkManager_t) ++ openvpn_kill(NetworkManager_t) + openvpn_signal(NetworkManager_t) ++ openvpn_signull(NetworkManager_t) + ') optional_policy(` -+ cron_read_system_job_tmp_files(nscd_t) ++ polkit_domtrans_auth(NetworkManager_t) ++ polkit_read_lib(NetworkManager_t) ++ polkit_read_reload(NetworkManager_t) ++ userdom_read_all_users_state(NetworkManager_t) +') + +optional_policy(` -+ kerberos_use(nscd_t) ++ ppp_initrc_domtrans(NetworkManager_t) + ppp_domtrans(NetworkManager_t) + ppp_read_pid_files(NetworkManager_t) ++ ppp_kill(NetworkManager_t) + ppp_signal(NetworkManager_t) ++ ppp_signull(NetworkManager_t) ++ ppp_read_config(NetworkManager_t) +') + +optional_policy(` - udev_read_db(nscd_t) ++ rpm_exec(NetworkManager_t) ++ rpm_read_db(NetworkManager_t) ++ rpm_dontaudit_manage_db(NetworkManager_t) ') -@@ -112,3 +129,12 @@ - xen_dontaudit_rw_unix_stream_sockets(nscd_t) - xen_append_log(nscd_t) + optional_policy(` +@@ -184,7 +259,9 @@ + + optional_policy(` + vpn_domtrans(NetworkManager_t) ++ vpn_kill(NetworkManager_t) + vpn_signal(NetworkManager_t) ++ vpn_signull(NetworkManager_t) ') -+ -+optional_policy(` -+ tunable_policy(`samba_domain_controller',` -+ samba_append_log(nscd_t) -+ samba_dontaudit_use_fds(nscd_t) -+ ') -+ samba_read_config(nscd_t) -+ samba_read_var_files(nscd_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.7/policy/modules/services/ntp.if ---- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/ntp.if 2009-03-03 17:11:59.000000000 -0500 -@@ -37,6 +37,32 @@ ######################################## - ## -+## Execute ntp in the ntp domain, and -+## allow the specified 
role the ntp domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the ntp domain. -+## -+## -+## -+# -+interface(`ntp_run',` -+ gen_require(` -+ type ntpd_t; -+ ') -+ -+ ntp_domtrans($1) -+ role $2 types ntpd_t; -+') -+ -+######################################## -+## - ## Execute ntp server in the ntpd domain. - ## - ## -@@ -56,6 +82,24 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.8/policy/modules/services/nis.fc +--- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/nis.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,9 +1,13 @@ +- ++/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) + /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) + + /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) + + /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) ++/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) + + /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) + /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.8/policy/modules/services/nis.if +--- nsaserefpolicy/policy/modules/services/nis.if 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/nis.if 2009-03-05 15:25:24.000000000 -0500 +@@ -28,7 +28,7 @@ + type var_yp_t; + ') + +- dontaudit $1 self:capability net_bind_service; ++ allow $1 self:capability net_bind_service; + + 
allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; +@@ -49,8 +49,8 @@ + corenet_udp_bind_generic_node($1) + corenet_tcp_bind_generic_port($1) + corenet_udp_bind_generic_port($1) +- corenet_tcp_bind_reserved_port($1) +- corenet_udp_bind_reserved_port($1) ++ corenet_dontaudit_tcp_bind_all_reserved_ports($1) ++ corenet_dontaudit_udp_bind_all_reserved_ports($1) + corenet_dontaudit_tcp_bind_all_ports($1) + corenet_dontaudit_udp_bind_all_ports($1) + corenet_tcp_connect_portmap_port($1) +@@ -87,6 +87,25 @@ ######################################## ## -+## Execute ntp server in the ntpd domain. ++## Use the nis to authenticate passwords +## +## +## +## The type of the process performing this action. +## +## ++## +# -+interface(`ntp_initrc_domtrans',` -+ gen_require(` -+ type ntpd_initrc_exec_t; ++interface(`nis_authenticate',` ++ tunable_policy(`allow_ypbind',` ++ nis_use_ypbind_uncond($1) ++ corenet_tcp_bind_all_rpc_ports($1) ++ corenet_udp_bind_all_rpc_ports($1) + ') -+ -+ init_labeled_script_domtrans($1, ntpd_initrc_exec_t) +') + +######################################## +## - ## All of the rules required to administrate - ## an ntp environment + ## Execute ypbind in the ypbind domain. 
## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.7/policy/modules/services/ntp.te ---- nsaserefpolicy/policy/modules/services/ntp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ntp.te 2009-03-03 17:11:59.000000000 -0500 -@@ -38,10 +38,11 @@ - - # sys_resource and setrlimit is for locking memory - # ntpdate wants sys_nice --allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource }; -+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; - dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; - allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; - allow ntpd_t self:fifo_file rw_fifo_file_perms; -+allow ntpd_t self:shm create_shm_perms; - allow ntpd_t self:unix_dgram_socket create_socket_perms; - allow ntpd_t self:unix_stream_socket create_socket_perms; - allow ntpd_t self:tcp_socket create_stream_socket_perms; -@@ -52,6 +53,7 @@ - can_exec(ntpd_t,ntpd_exec_t) - - read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) -+read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) - - allow ntpd_t ntpd_log_t:dir setattr; - manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) -@@ -90,6 +92,9 @@ - - fs_getattr_all_fs(ntpd_t) - fs_search_auto_mountpoints(ntpd_t) -+# Necessary to communicate with gpsd devices -+fs_rw_tmpfs_files(ntpd_t) -+fs_list_inotifyfs(ntpd_t) - - term_use_ptmx(ntpd_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.7/policy/modules/services/nx.te ---- nsaserefpolicy/policy/modules/services/nx.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/nx.te 2009-03-03 17:11:59.000000000 -0500 -@@ -25,6 +25,9 @@ - type nx_server_var_run_t; - 
files_pid_file(nx_server_var_run_t) - -+type nx_server_home_ssh_t; -+files_type(nx_server_home_ssh_t) -+ - ######################################## - # - # NX server local policy -@@ -44,6 +47,9 @@ - manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) - files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) - -+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) -+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) -+ - kernel_read_system_state(nx_server_t) - kernel_read_kernel_sysctls(nx_server_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.7/policy/modules/services/oddjob.fc ---- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/oddjob.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -1,4 +1,4 @@ --/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -+/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - - /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.7/policy/modules/services/oddjob.if ---- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/oddjob.if 2009-03-03 17:11:59.000000000 -0500 -@@ -44,6 +44,7 @@ - ') - - domtrans_pattern(oddjob_t, $2, $1) -+ domain_user_exemption_target($1) - ') - - ######################################## -@@ -84,3 +85,28 @@ - - domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) + ## +@@ -244,3 +263,130 @@ + corecmd_search_bin($1) + domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) ') + +######################################## +## -+## Execute the oddjob_mkhomedir program in the 
oddjob_mkhomedir domain. ++## Execute nis server in the nis domain. +## +## +## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to allow the oddjob_mkhomedir domain. ++## The type of the process performing this action. +## +## -+## +# -+interface(`oddjob_run_mkhomedir',` ++# ++interface(`nis_initrc_domtrans',` + gen_require(` -+ type oddjob_mkhomedir_t; -+ ') -+ -+ oddjob_domtrans_mkhomedir($1) -+ role $2 types oddjob_mkhomedir_t; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.7/policy/modules/services/oddjob.te ---- nsaserefpolicy/policy/modules/services/oddjob.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/oddjob.te 2009-03-03 17:11:59.000000000 -0500 -@@ -10,14 +10,21 @@ - type oddjob_exec_t; - domain_type(oddjob_t) - init_daemon_domain(oddjob_t, oddjob_exec_t) -+domain_obj_id_change_exemption(oddjob_t) -+domain_role_change_exemption(oddjob_t) - domain_subj_id_change_exemption(oddjob_t) - - type oddjob_mkhomedir_t; - type oddjob_mkhomedir_exec_t; - domain_type(oddjob_mkhomedir_t) --init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) -+domain_obj_id_change_exemption(oddjob_mkhomedir_t) -+init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) - oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) - -+ifdef(`enable_mcs',` -+ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh) -+') -+ - # pid files - type oddjob_var_run_t; - files_pid_file(oddjob_var_run_t) -@@ -65,13 +72,32 @@ - # oddjob_mkhomedir local policy - # - -+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; -+allow oddjob_mkhomedir_t self:process setfscreate; - allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; - allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; - - files_read_etc_files(oddjob_mkhomedir_t) - -+kernel_read_system_state(oddjob_mkhomedir_t) 
-+ -+auth_use_nsswitch(oddjob_mkhomedir_t) -+ -+logging_send_syslog_msg(oddjob_mkhomedir_t) -+ - miscfiles_read_localization(oddjob_mkhomedir_t) - -+selinux_get_fs_mount(oddjob_mkhomedir_t) -+selinux_validate_context(oddjob_mkhomedir_t) -+selinux_compute_access_vector(oddjob_mkhomedir_t) -+selinux_compute_create_context(oddjob_mkhomedir_t) -+selinux_compute_relabel_context(oddjob_mkhomedir_t) -+selinux_compute_user_contexts(oddjob_mkhomedir_t) ++ type nis_initrc_exec_t; ++ ') + -+seutil_read_config(oddjob_mkhomedir_t) -+seutil_read_file_contexts(oddjob_mkhomedir_t) -+seutil_read_default_contexts(oddjob_mkhomedir_t) ++ init_labeled_script_domtrans($1, nis_initrc_exec_t) ++') + - # Add/remove user home directories - userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) - userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.6.7/policy/modules/services/openvpn.fc ---- nsaserefpolicy/policy/modules/services/openvpn.fc 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/openvpn.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -2,6 +2,7 @@ - # /etc - # - /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) -+/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) - /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) - - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.6.7/policy/modules/services/openvpn.if ---- nsaserefpolicy/policy/modules/services/openvpn.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/openvpn.if 2009-03-03 17:11:59.000000000 -0500 -@@ -46,6 +46,24 @@ - - ######################################## - ## -+## Send OPENVPN clients the kill signal. 
++######################################## ++## ++## Execute nis server in the nis domain. +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. +## +## +# -+interface(`openvpn_kill',` ++interface(`nis_ypbind_initrc_domtrans',` + gen_require(` -+ type openvpn_t; ++ type ypbind_initrc_exec_t; + ') + -+ allow $1 openvpn_t:process sigkill; ++ init_labeled_script_domtrans($1, ypbind_initrc_exec_t) +') + +######################################## +## - ## Send generic signals to OPENVPN clients. - ## - ## -@@ -64,6 +82,24 @@ - - ######################################## - ## -+## Send signulls to OPENVPN clients. ++## All of the rules required to administrate ++## an nis environment +## +## +## +## Domain allowed access. +## +## ++## ++## ++## The role to be allowed to manage the nis domain. ++## ++## ++## +# -+interface(`openvpn_signull',` ++interface(`nis_admin',` + gen_require(` -+ type openvpn_t; ++ type ypbind_t, yppasswdd_t; ++ type ypserv_t, ypxfr_t; ++ type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; ++ type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; ++ type ypbind_initrc_exec_t; ++ type nis_initrc_exec_t; + ') + -+ allow $1 openvpn_t:process signull; ++ allow $1 ypbind_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ypbind_t) ++ ++ allow $1 yppasswdd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, yppasswdd_t) ++ ++ allow $1 ypserv_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ypserv_t) ++ ++ allow $1 ypxfr_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ypxfr_t) ++ ++ nis_initrc_domtrans($1) ++ nis_ypbind_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 nis_initrc_exec_t system_r; ++ role_transition $2 ypbind_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_tmp($1) ++ admin_pattern($1, ypbind_tmp_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, ypbind_var_run_t) ++ ++ admin_pattern($1, yppasswdd_var_run_t) ++ ++ 
files_list_etc($1) ++ admin_pattern($1, ypserv_conf_t) ++ ++ admin_pattern($1, ypserv_tmp_t) ++ ++ admin_pattern($1, ypserv_var_run_t) +') + ++ +######################################## +## - ## Allow the specified domain to read - ## OpenVPN configuration files. - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.7/policy/modules/services/openvpn.te ---- nsaserefpolicy/policy/modules/services/openvpn.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/openvpn.te 2009-03-03 17:11:59.000000000 -0500 -@@ -22,6 +22,9 @@ - type openvpn_etc_t; - files_config_file(openvpn_etc_t) - -+type openvpn_etc_rw_t; -+files_config_file(openvpn_etc_rw_t) ++## Execute ypbind in the ypbind domain, and ++## allow the specified role the ypbind domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the ypbind domain. ++## ++## ++## ++# ++interface(`nis_run_ypbind',` ++ gen_require(` ++ type ypbind_t; ++ ') + - type openvpn_initrc_exec_t; - init_script_file(openvpn_initrc_exec_t) - -@@ -40,6 +43,7 @@ - - allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; - allow openvpn_t self:process { signal getsched }; -+allow openvpn_t self:fifo_file rw_fifo_file_perms; - - allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; - allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -47,10 +51,11 @@ - allow openvpn_t self:tcp_socket server_stream_socket_perms; - allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; - --allow openvpn_t openvpn_etc_t:dir list_dir_perms; --can_exec(openvpn_t, openvpn_etc_t) -+manage_files_pattern(openvpn_t,openvpn_etc_rw_t,openvpn_etc_rw_t) - read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) - read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) 
-+filetrans_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_rw_t, file) -+can_exec(openvpn_t,openvpn_etc_t) - - allow openvpn_t openvpn_var_log_t:file manage_file_perms; - logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) -@@ -99,6 +104,8 @@ ++ nis_domtrans_ypbind($1) ++ role $2 types ypbind_t; ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.8/policy/modules/services/nis.te +--- nsaserefpolicy/policy/modules/services/nis.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/nis.te 2009-03-05 15:25:24.000000000 -0500 +@@ -13,6 +13,9 @@ + type ypbind_exec_t; + init_daemon_domain(ypbind_t, ypbind_exec_t) - sysnet_dns_name_resolve(openvpn_t) - sysnet_exec_ifconfig(openvpn_t) -+sysnet_write_config(openvpn_t) -+sysnet_etc_filetrans_config(openvpn_t) ++type ypbind_initrc_exec_t; ++init_script_file(ypbind_initrc_exec_t) ++ + type ypbind_tmp_t; + files_tmp_file(ypbind_tmp_t) - userdom_use_user_terminals(openvpn_t) +@@ -44,6 +47,9 @@ + type ypxfr_exec_t; + init_daemon_domain(ypxfr_t, ypxfr_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.7/policy/modules/services/pads.fc ---- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pads.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,12 @@ -+ -+/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) -+ -+/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0) -+ -+/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) ++type nis_initrc_exec_t; 
++init_script_file(nis_initrc_exec_t) + -+/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) + ######################################## + # + # ypbind local policy +@@ -111,6 +117,16 @@ + userdom_dontaudit_search_user_home_dirs(ypbind_t) + + optional_policy(` ++ dbus_system_bus_client(ypbind_t) ++ dbus_connect_system_bus(ypbind_t) ++ init_dbus_chat_script(ypbind_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.7/policy/modules/services/pads.if ---- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pads.if 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,10 @@ -+## SELinux policy for PADS daemon. -+## -+##

-+## PADS is a libpcap based detection engine used to -+## passively detect network assets. It is designed to -+## complement IDS technology by providing context to IDS -+## alerts. -+##

-+##
++ optional_policy(` ++ networkmanager_dbus_chat(ypbind_t) ++ ') ++') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.7/policy/modules/services/pads.te ---- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pads.te 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,65 @@ ++optional_policy(` + seutil_sigchld_newrole(ypbind_t) + ') + +@@ -123,6 +139,7 @@ + # yppasswdd local policy + # + ++allow yppasswdd_t self:capability dac_override; + dontaudit yppasswdd_t self:capability sys_tty_config; + allow yppasswdd_t self:fifo_file rw_fifo_file_perms; + allow yppasswdd_t self:process { setfscreate signal_perms }; +@@ -153,8 +170,8 @@ + corenet_udp_sendrecv_all_ports(yppasswdd_t) + corenet_tcp_bind_generic_node(yppasswdd_t) + corenet_udp_bind_generic_node(yppasswdd_t) +-corenet_tcp_bind_reserved_port(yppasswdd_t) +-corenet_udp_bind_reserved_port(yppasswdd_t) ++corenet_tcp_bind_all_rpc_ports(yppasswdd_t) ++corenet_udp_bind_all_rpc_ports(yppasswdd_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) + corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) + corenet_sendrecv_generic_server_packets(yppasswdd_t) +@@ -241,6 +258,8 @@ + corenet_udp_bind_generic_node(ypserv_t) + corenet_tcp_bind_reserved_port(ypserv_t) + corenet_udp_bind_reserved_port(ypserv_t) ++corenet_tcp_bind_all_rpc_ports(ypserv_t) ++corenet_udp_bind_all_rpc_ports(ypserv_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) + corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) + corenet_sendrecv_generic_server_packets(ypserv_t) +@@ -306,6 +325,8 @@ + corenet_udp_bind_generic_node(ypxfr_t) + corenet_tcp_bind_reserved_port(ypxfr_t) + corenet_udp_bind_reserved_port(ypxfr_t) ++corenet_tcp_bind_all_rpc_ports(ypxfr_t) ++corenet_udp_bind_all_rpc_ports(ypxfr_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) + 
corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) + corenet_tcp_connect_all_ports(ypxfr_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.6.8/policy/modules/services/nscd.fc +--- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/nscd.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,3 +1,4 @@ ++/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) + + /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.8/policy/modules/services/nscd.if +--- nsaserefpolicy/policy/modules/services/nscd.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/nscd.if 2009-03-05 15:25:24.000000000 -0500 +@@ -58,6 +58,42 @@ + + ######################################## + ## ++## Send NSCD the kill signal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nscd_kill',` ++ gen_require(` ++ type nscd_t; ++ ') + -+policy_module(pads, 0.0.1) ++ allow $1 nscd_t:process sigkill; ++') + +######################################## ++## ++## Send signulls to NSCD. ++## ++## ++## ++## Domain allowed access. ++## ++## +# -+# Declarations -+# -+ -+type pads_t; -+type pads_exec_t; -+init_daemon_domain(pads_t, pads_exec_t) -+role system_r types pads_t; -+ -+type pads_initrc_exec_t; -+init_script_file(pads_initrc_exec_t) ++interface(`nscd_signull',` ++ gen_require(` ++ type nscd_t; ++ ') + -+type pads_config_t; -+files_config_file(pads_config_t) ++ allow $1 nscd_t:process signull; ++') + -+type pads_var_run_t; -+files_pid_file(pads_var_run_t) ++######################################## ++## + ## Use NSCD services by connecting using + ## a unix stream socket. 
+ ## +@@ -70,15 +106,14 @@ + interface(`nscd_socket_use',` + gen_require(` + type nscd_t, nscd_var_run_t; +- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; ++ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; + ') + + allow $1 self:unix_stream_socket create_socket_perms; + + allow $1 nscd_t:nscd { getpwd getgrp gethost }; + dontaudit $1 nscd_t:fd use; +- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; +- ++ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; + files_search_pids($1) + stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) + dontaudit $1 nscd_var_run_t:file { getattr read }; +@@ -198,3 +233,60 @@ + nscd_domtrans($1) + role $2 types nscd_t; + ') + +######################################## ++## ++## Execute nscd server in the nscd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## +# -+# Declarations -+# -+ -+allow pads_t self:capability { dac_override net_raw }; -+allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; -+allow pads_t self:packet_socket { ioctl setopt getopt read bind create }; -+allow pads_t self:udp_socket { create ioctl }; -+allow pads_t self:unix_dgram_socket { write create connect }; -+ -+allow pads_t pads_config_t:file manage_file_perms; -+files_etc_filetrans(pads_t, pads_config_t, file) -+ -+allow pads_t pads_var_run_t:file manage_file_perms; -+files_pid_filetrans(pads_t, pads_var_run_t, file) -+ -+corecmd_search_bin(pads_t) -+ -+corenet_all_recvfrom_unlabeled(pads_t) -+corenet_all_recvfrom_netlabel(pads_t) -+corenet_tcp_sendrecv_generic_if(pads_t) -+corenet_tcp_sendrecv_generic_node(pads_t) -+ -+corenet_tcp_connect_prelude_port(pads_t) -+ -+dev_read_rand(pads_t) -+dev_read_urand(pads_t) -+ -+kernel_read_sysctl(pads_t) ++interface(`nscd_initrc_domtrans',` ++ gen_require(` ++ type nscd_initrc_exec_t; ++') + -+files_read_etc_files(pads_t) -+files_search_spool(pads_t) ++ 
init_labeled_script_domtrans($1, nscd_initrc_exec_t) ++') + -+miscfiles_read_localization(pads_t) ++######################################## ++## ++## All of the rules required to administrate ++## an nscd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the nscd domain. ++## ++## ++## ++# ++interface(`nscd_admin',` ++ gen_require(` ++ type nscd_t, nscd_log_t, nscd_var_run_t; ++ type nscd_initrc_exec_t; ++ ') + -+logging_send_syslog_msg(pads_t) ++ allow $1 nscd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, nscd_t) ++ ++ nscd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 nscd_initrc_exec_t system_r; ++ allow $2 system_r; + -+sysnet_dns_name_resolve(pads_t) ++ logging_list_logs($1) ++ admin_pattern($1, nscd_log_t) + -+optional_policy(` -+ prelude_manage_spool(pads_t) ++ files_list_pids($1) ++ admin_pattern($1, nscd_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-3.6.7/policy/modules/services/pcscd.fc ---- nsaserefpolicy/policy/modules/services/pcscd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/pcscd.fc 2009-03-04 08:18:35.000000000 -0500 -@@ -1,5 +1,6 @@ - /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) - /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) - /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) -+/var/run/pcscd\.events(/.*)? 
gen_context(system_u:object_r:pcscd_var_run_t,s0) - - /usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.7/policy/modules/services/pcscd.te ---- nsaserefpolicy/policy/modules/services/pcscd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pcscd.te 2009-03-04 08:18:14.000000000 -0500 -@@ -27,9 +27,10 @@ - allow pcscd_t self:unix_dgram_socket create_socket_perms; - allow pcscd_t self:tcp_socket create_stream_socket_perms; - -+manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) - manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) - manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) --files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file }) -+files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) - - corenet_all_recvfrom_unlabeled(pcscd_t) - corenet_all_recvfrom_netlabel(pcscd_t) -@@ -57,6 +58,14 @@ - sysnet_dns_name_resolve(pcscd_t) - - optional_policy(` -+ dbus_system_bus_client(pcscd_t) + -+ optional_policy(` -+ hal_dbus_chat(pcscd_t) -+ ') -+') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.8/policy/modules/services/nscd.te +--- nsaserefpolicy/policy/modules/services/nscd.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/nscd.te 2009-03-05 15:25:24.000000000 -0500 +@@ -20,6 +20,9 @@ + type nscd_exec_t; + init_daemon_domain(nscd_t, nscd_exec_t) + ++type nscd_initrc_exec_t; ++init_script_file(nscd_initrc_exec_t) + -+optional_policy(` - openct_stream_connect(pcscd_t) - openct_read_pid_files(pcscd_t) - openct_signull(pcscd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.7/policy/modules/services/pegasus.te ---- 
nsaserefpolicy/policy/modules/services/pegasus.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pegasus.te 2009-03-03 17:11:59.000000000 -0500 -@@ -30,7 +30,7 @@ + type nscd_log_t; + logging_log_file(nscd_log_t) + +@@ -28,14 +31,14 @@ # Local policy # --allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service }; -+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service }; - dontaudit pegasus_t self:capability sys_tty_config; - allow pegasus_t self:process signal; - allow pegasus_t self:fifo_file rw_fifo_file_perms; -@@ -66,6 +66,8 @@ - kernel_read_system_state(pegasus_t) - kernel_search_vm_sysctl(pegasus_t) - kernel_read_net_sysctls(pegasus_t) -+kernel_read_xen_state(pegasus_t) -+kernel_write_xen_state(pegasus_t) - - corenet_all_recvfrom_unlabeled(pegasus_t) - corenet_all_recvfrom_netlabel(pegasus_t) -@@ -96,13 +98,12 @@ +-allow nscd_t self:capability { kill setgid setuid audit_write }; ++allow nscd_t self:capability { kill setgid setuid }; + dontaudit nscd_t self:capability sys_tty_config; +-allow nscd_t self:process { getattr setsched signal_perms }; ++allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; + allow nscd_t self:fifo_file read_fifo_file_perms; + allow nscd_t self:unix_stream_socket create_stream_socket_perms; + allow nscd_t self:unix_dgram_socket create_socket_perms; + allow nscd_t self:netlink_selinux_socket create_socket_perms; +-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++ + allow nscd_t self:tcp_socket create_socket_perms; + allow nscd_t self:udp_socket create_socket_perms; - auth_use_nsswitch(pegasus_t) - auth_domtrans_chk_passwd(pegasus_t) -+auth_read_shadow(pegasus_t) +@@ -50,6 +53,8 @@ + manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) + files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) - domain_use_interactive_fds(pegasus_t) - 
domain_read_all_domains_state(pegasus_t) ++can_exec(nscd_t, nscd_exec_t) ++ + kernel_read_kernel_sysctls(nscd_t) + kernel_list_proc(nscd_t) + kernel_read_proc_symlinks(nscd_t) +@@ -60,6 +65,7 @@ --files_read_etc_files(pegasus_t) --files_list_var_lib(pegasus_t) --files_read_var_lib_files(pegasus_t) -+files_read_all_files(pegasus_t) - files_read_var_lib_symlinks(pegasus_t) + fs_getattr_all_fs(nscd_t) + fs_search_auto_mountpoints(nscd_t) ++fs_list_inotifyfs(nscd_t) - hostname_exec(pegasus_t) -@@ -115,7 +116,6 @@ + # for when /etc/passwd has just been updated and has the wrong type + auth_getattr_shadow(nscd_t) +@@ -73,6 +79,7 @@ + corenet_udp_sendrecv_generic_node(nscd_t) + corenet_tcp_sendrecv_all_ports(nscd_t) + corenet_udp_sendrecv_all_ports(nscd_t) ++corenet_udp_bind_generic_node(nscd_t) + corenet_tcp_connect_all_ports(nscd_t) + corenet_sendrecv_all_client_packets(nscd_t) + corenet_rw_tun_tap_dev(nscd_t) +@@ -84,12 +91,14 @@ + selinux_compute_relabel_context(nscd_t) + selinux_compute_user_contexts(nscd_t) + domain_use_interactive_fds(nscd_t) ++domain_search_all_domains_state(nscd_t) - miscfiles_read_localization(pegasus_t) + files_read_etc_files(nscd_t) + files_read_generic_tmp_symlinks(nscd_t) + # Needed to read files created by firstboot "/etc/hesiod.conf" + files_read_etc_runtime_files(nscd_t) --sysnet_read_config(pegasus_t) - sysnet_domtrans_ifconfig(pegasus_t) ++logging_send_audit_msgs(nscd_t) + logging_send_syslog_msg(nscd_t) - userdom_dontaudit_use_unpriv_user_fds(pegasus_t) -@@ -126,6 +126,14 @@ - ') + miscfiles_read_localization(nscd_t) +@@ -105,6 +114,14 @@ + userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` -+ samba_manage_config(pegasus_t) ++ cron_read_system_job_tmp_files(nscd_t) +') + +optional_policy(` -+ ssh_exec(pegasus_t) ++ kerberos_use(nscd_t) +') + +optional_policy(` - seutil_sigchld_newrole(pegasus_t) - seutil_dontaudit_read_config(pegasus_t) + udev_read_db(nscd_t) ') -@@ -137,3 +145,13 @@ - optional_policy(` - 
unconfined_signull(pegasus_t) + +@@ -112,3 +129,12 @@ + xen_dontaudit_rw_unix_stream_sockets(nscd_t) + xen_append_log(nscd_t) ') + +optional_policy(` -+ virt_domtrans(pegasus_t) -+ virt_manage_config(pegasus_t) -+') -+ -+optional_policy(` -+ xen_stream_connect(pegasus_t) -+ xen_stream_connect_xenstore(pegasus_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.6.7/policy/modules/services/pingd.fc ---- nsaserefpolicy/policy/modules/services/pingd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pingd.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,11 @@ -+ -+/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) -+ -+/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0) -+ -+/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0) -+ -+/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0) -+ -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.6.7/policy/modules/services/pingd.if ---- nsaserefpolicy/policy/modules/services/pingd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pingd.if 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,99 @@ -+## policy for pingd -+ -+######################################## -+## -+## Execute a domain transition to run pingd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`pingd_domtrans',` -+ gen_require(` -+ type pingd_t, pingd_exec_t; ++ tunable_policy(`samba_domain_controller',` ++ samba_append_log(nscd_t) ++ samba_dontaudit_use_fds(nscd_t) + ') -+ -+ domtrans_pattern($1,pingd_exec_t,pingd_t) ++ samba_read_config(nscd_t) ++ samba_read_var_files(nscd_t) +') -+ -+####################################### -+## -+## Read pingd etc configuration files. 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.8/policy/modules/services/ntp.if +--- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/ntp.if 2009-03-05 15:25:24.000000000 -0500 +@@ -37,6 +37,32 @@ + + ######################################## + ## ++## Execute ntp in the ntp domain, and ++## allow the specified role the ntp domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## -+# -+interface(`pingd_read_etc',` -+ gen_require(` -+ type pingd_etc_t; -+ ') -+ -+ files_search_etc($1) -+ read_files_pattern($1, pingd_etc_t, pingd_etc_t) -+') -+ -+####################################### -+## -+## Manage pingd etc configuration files. -+## -+## -+## -+## Domain allowed access. -+## ++## ++## ++## The role to be allowed the ntp domain. ++## +## ++## +# -+interface(`pingd_manage_etc',` -+ gen_require(` -+ type pingd_etc_t; -+ ') -+ -+ files_search_etc($1) -+ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) -+ manage_files_pattern($1, pingd_etc_t, pingd_etc_t) ++interface(`ntp_run',` ++ gen_require(` ++ type ntpd_t; ++ ') + ++ ntp_domtrans($1) ++ role $2 types ntpd_t; +') + -+####################################### ++######################################## +## -+## All of the rules required to administrate -+## an pingd environment + ## Execute ntp server in the ntpd domain. + ## + ## +@@ -56,6 +82,24 @@ + + ######################################## + ## ++## Execute ntp server in the ntpd domain. +## +## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the pingd domain. -+## ++## ++## The type of the process performing this action. 
++## +## -+## +# -+interface(`pingd_admin',` -+ gen_require(` -+ type pingd_t, pingd_etc_t; -+ type pingd_initrc_exec_t, pingd_modules_t; -+ ') -+ -+ allow $1 pingd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, pingd_t) -+ -+ init_labeled_script_domtrans($1, pingd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 pingd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ admin_pattern($1, pingd_etc_t) -+ -+ files_list_usr($1) -+ admin_pattern($1, pingd_modules_t) ++interface(`ntp_initrc_domtrans',` ++ gen_require(` ++ type ntpd_initrc_exec_t; ++ ') + ++ init_labeled_script_domtrans($1, ntpd_initrc_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.6.7/policy/modules/services/pingd.te ---- nsaserefpolicy/policy/modules/services/pingd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pingd.te 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,54 @@ -+policy_module(pingd,1.0.0) -+ +######################################## -+# -+# Declarations -+# -+ -+type pingd_t; -+type pingd_exec_t; -+init_daemon_domain(pingd_t, pingd_exec_t) -+ -+type pingd_initrc_exec_t; -+init_script_file(pingd_initrc_exec_t) -+ -+# type for config -+type pingd_etc_t; -+files_type(pingd_etc_t); ++## + ## All of the rules required to administrate + ## an ntp environment + ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.8/policy/modules/services/ntp.te +--- nsaserefpolicy/policy/modules/services/ntp.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ntp.te 2009-03-05 15:25:24.000000000 -0500 +@@ -38,10 +38,11 @@ + + # sys_resource and setrlimit is for locking memory + # ntpdate wants sys_nice +-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice 
sys_resource }; ++allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; + dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; + allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; + allow ntpd_t self:fifo_file rw_fifo_file_perms; ++allow ntpd_t self:shm create_shm_perms; + allow ntpd_t self:unix_dgram_socket create_socket_perms; + allow ntpd_t self:unix_stream_socket create_socket_perms; + allow ntpd_t self:tcp_socket create_stream_socket_perms; +@@ -52,6 +53,7 @@ + can_exec(ntpd_t,ntpd_exec_t) + + read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) ++read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) + + allow ntpd_t ntpd_log_t:dir setattr; + manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t) +@@ -90,6 +92,9 @@ + + fs_getattr_all_fs(ntpd_t) + fs_search_auto_mountpoints(ntpd_t) ++# Necessary to communicate with gpsd devices ++fs_rw_tmpfs_files(ntpd_t) ++fs_list_inotifyfs(ntpd_t) + + term_use_ptmx(ntpd_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.8/policy/modules/services/nx.te +--- nsaserefpolicy/policy/modules/services/nx.te 2009-01-19 11:07:34.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/nx.te 2009-03-05 15:25:24.000000000 -0500 +@@ -25,6 +25,9 @@ + type nx_server_var_run_t; + files_pid_file(nx_server_var_run_t) + ++type nx_server_home_ssh_t; ++files_type(nx_server_home_ssh_t) + -+# type for pingd modules -+type pingd_modules_t; -+files_type(pingd_modules_t) + ######################################## + # + # NX server local policy +@@ -44,6 +47,9 @@ + manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) + files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) + ++manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) ++manage_files_pattern(nx_server_t, nx_server_home_ssh_t, 
nx_server_home_ssh_t) ++ + kernel_read_system_state(nx_server_t) + kernel_read_kernel_sysctls(nx_server_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.6.8/policy/modules/services/oddjob.fc +--- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/oddjob.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,4 +1,4 @@ +-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) ++/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) + + /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.8/policy/modules/services/oddjob.if +--- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/oddjob.if 2009-03-05 15:25:24.000000000 -0500 +@@ -44,6 +44,7 @@ + ') + + domtrans_pattern(oddjob_t, $2, $1) ++ domain_user_exemption_target($1) + ') + + ######################################## +@@ -84,3 +85,28 @@ + + domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) + ') + +######################################## ++## ++## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to allow the oddjob_mkhomedir domain. 
++## ++## ++## +# -+# pingd local policy -+# -+ -+allow pingd_t self:capability net_raw; -+allow pingd_t self:tcp_socket create_stream_socket_perms; -+allow pingd_t self:rawip_socket { write read create bind }; -+ -+read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t) -+ -+read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) -+mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) -+ -+corenet_raw_bind_generic_node(pingd_t) -+corenet_tcp_bind_generic_node(pingd_t) -+corenet_tcp_bind_pingd_port(pingd_t) -+ -+auth_use_nsswitch(pingd_t) -+ -+files_search_usr(pingd_t) -+ -+libs_use_ld_so(pingd_t) -+libs_use_shared_libs(pingd_t) -+miscfiles_read_localization(pingd_t) -+ -+logging_send_syslog_msg(pingd_t) -+ -+permissive pingd_t; -+ -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.fc serefpolicy-3.6.7/policy/modules/services/pki.fc ---- nsaserefpolicy/policy/modules/services/pki.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pki.fc 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,46 @@ -+ -+/etc/rc\.d/init\.d/pki-ca -- gen_context(system_u:object_r:pki_ca_script_exec_t,s0) -+/etc/rc\.d/init\.d/pki-kra -- gen_context(system_u:object_r:pki_kra_script_exec_t,s0) -+/etc/rc\.d/init\.d/pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0) -+/etc/rc\.d/init\.d/pki-ra -- gen_context(system_u:object_r:pki_ra_script_exec_t,s0) -+/etc/rc\.d/init\.d/pki-tks -- gen_context(system_u:object_r:pki_tks_script_exec_t,s0) -+/etc/rc\.d/init\.d/pki-tps -- gen_context(system_u:object_r:pki_tps_script_exec_t,s0) -+ -+/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0) -+/etc/pki-ca/tomcat5\.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0) -+/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0) -+/etc/pki-kra/tomcat5\.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0) -+/etc/pki-ocsp(/.*)? 
gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0) -+/etc/pki-ocsp/tomcat5\.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0) -+/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) -+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0) -+/etc/pki-tks/tomcat5\.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0) -+/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) ++interface(`oddjob_run_mkhomedir',` ++ gen_require(` ++ type oddjob_mkhomedir_t; ++ ') + -+/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0) -+/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0) -+/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0) -+/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0) ++ oddjob_domtrans_mkhomedir($1) ++ role $2 types oddjob_mkhomedir_t; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.8/policy/modules/services/oddjob.te +--- nsaserefpolicy/policy/modules/services/oddjob.te 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/oddjob.te 2009-03-05 15:25:24.000000000 -0500 +@@ -10,14 +10,21 @@ + type oddjob_exec_t; + domain_type(oddjob_t) + init_daemon_domain(oddjob_t, oddjob_exec_t) ++domain_obj_id_change_exemption(oddjob_t) ++domain_role_change_exemption(oddjob_t) + domain_subj_id_change_exemption(oddjob_t) + + type oddjob_mkhomedir_t; + type oddjob_mkhomedir_exec_t; + domain_type(oddjob_mkhomedir_t) +-init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) ++domain_obj_id_change_exemption(oddjob_mkhomedir_t) ++init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t,s0 - mcs_systemhigh) ++') + -+/usr/sbin/httpd.worker -- 
gen_context(system_u:object_r:pki_ra_exec_t,s0) + # pid files + type oddjob_var_run_t; + files_pid_file(oddjob_var_run_t) +@@ -65,13 +72,32 @@ + # oddjob_mkhomedir local policy + # + ++allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; ++allow oddjob_mkhomedir_t self:process setfscreate; + allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; + allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; + + files_read_etc_files(oddjob_mkhomedir_t) + ++kernel_read_system_state(oddjob_mkhomedir_t) + -+/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0) -+/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0) -+/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0) -+/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) -+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0) -+/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) ++auth_use_nsswitch(oddjob_mkhomedir_t) + -+/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0) -+/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0) -+/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0) -+/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) -+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0) -+/var/log/pki-tps(/.*)? 
gen_context(system_u:object_r:pki_tps_log_t,s0) ++logging_send_syslog_msg(oddjob_mkhomedir_t) + -+/var/run/pki-ca\.pid -- gen_context(system_u:object_r:pki_ca_var_run_t,s0) -+/var/run/pki-kra\.pid -- gen_context(system_u:object_r:pki_kra_var_run_t,s0) -+/var/run/pki-ocsp\.pid -- gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) -+/var/run/pki-ra\.pid -- gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) -+/var/run/pki-tks\.pid -- gen_context(system_u:object_r:pki_tks_var_run_t,s0) -+/var/run/pki-tps\.pid -- gen_context(system_u:object_r:pki_tks_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.if serefpolicy-3.6.7/policy/modules/services/pki.if ---- nsaserefpolicy/policy/modules/services/pki.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pki.if 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,643 @@ + miscfiles_read_localization(oddjob_mkhomedir_t) + ++selinux_get_fs_mount(oddjob_mkhomedir_t) ++selinux_validate_context(oddjob_mkhomedir_t) ++selinux_compute_access_vector(oddjob_mkhomedir_t) ++selinux_compute_create_context(oddjob_mkhomedir_t) ++selinux_compute_relabel_context(oddjob_mkhomedir_t) ++selinux_compute_user_contexts(oddjob_mkhomedir_t) + -+## policy for pki ++seutil_read_config(oddjob_mkhomedir_t) ++seutil_read_file_contexts(oddjob_mkhomedir_t) ++seutil_read_default_contexts(oddjob_mkhomedir_t) + -+######################################## -+## -+## Execute pki_ca server in the pki_ca domain. 
+ # Add/remove user home directories + userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) + userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.6.8/policy/modules/services/openvpn.fc +--- nsaserefpolicy/policy/modules/services/openvpn.fc 2008-10-08 19:00:27.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/openvpn.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -2,6 +2,7 @@ + # /etc + # + /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) ++/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) + /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) + + # +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.6.8/policy/modules/services/openvpn.if +--- nsaserefpolicy/policy/modules/services/openvpn.if 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/openvpn.if 2009-03-05 15:25:24.000000000 -0500 +@@ -46,6 +46,24 @@ + + ######################################## + ## ++## Send OPENVPN clients the kill signal. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. +## +## +# -+interface(`pki_ca_script_domtrans',` ++interface(`openvpn_kill',` + gen_require(` -+ attribute pki_ca_script; ++ type openvpn_t; + ') + -+ init_script_domtrans_spec($1,pki_ca_script) ++ allow $1 openvpn_t:process sigkill; +') + +######################################## +## -+## Create a set of derived types for apache -+## web content. + ## Send generic signals to OPENVPN clients. + ## + ## +@@ -64,6 +82,24 @@ + + ######################################## + ## ++## Send signulls to OPENVPN clients. +## -+## ++## +## -+## The prefix to be used for deriving type names. ++## Domain allowed access. 
+## +## +# -+template(`pki_ca_template',` ++interface(`openvpn_signull',` + gen_require(` -+ attribute pki_ca_process; -+ attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run; -+ attribute pki_ca_executable, pki_ca_script, pki_ca_var_log; -+ type pki_ca_tomcat_exec_t; -+ type $1_port_t; ++ type openvpn_t; + ') -+ ######################################## -+ # -+ # Declarations -+ # -+ -+ type $1_t, pki_ca_process; -+ type $1_exec_t, pki_ca_executable; -+ domain_type($1_t) -+ init_daemon_domain($1_t, $1_exec_t) -+ -+ type $1_script_exec_t, pki_ca_script; -+ init_script_file($1_script_exec_t) -+ -+ type $1_etc_rw_t, pki_ca_config; -+ files_type($1_etc_rw_t) -+ -+ type $1_var_run_t, pki_ca_var_run; -+ files_pid_file($1_var_run_t) -+ -+ type $1_var_lib_t, pki_ca_var_lib; -+ files_type($1_var_lib_t) -+ -+ type $1_log_t, pki_ca_var_log; -+ logging_log_file($1_log_t) -+ -+ ######################################## -+ # -+ # $1 local policy -+ # + -+ # Execstack/execmem caused by java app. -+ allow $1_t self:process { execstack execmem getsched setsched }; -+ -+ ## internal communication is often done using fifo and unix sockets. 
-+ allow $1_t self:fifo_file rw_file_perms; -+ allow $1_t self:unix_stream_socket create_stream_socket_perms; -+ allow $1_t self:tcp_socket create_stream_socket_perms; -+ allow $1_t self:process signull; -+ -+ allow $1_t $1_port_t:tcp_socket {name_bind name_connect}; -+ -+ corenet_all_recvfrom_unlabeled($1_t) -+ corenet_tcp_sendrecv_generic_if($1_t) -+ corenet_tcp_sendrecv_generic_node($1_t) -+ corenet_tcp_sendrecv_all_ports($1_t) -+ -+ corenet_tcp_bind_generic_node($1_t) -+ corenet_tcp_bind_ocsp_port($1_t) -+ corenet_tcp_connect_ocsp_port($1_t) -+ -+ # This is for /etc/$1/tomcat.conf: -+ can_exec($1_t, pki_ca_tomcat_exec_t) -+ -+ # Init script handling -+ domain_use_interactive_fds($1_t) -+ -+ files_read_etc_files($1_t) -+ -+ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) -+ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) -+ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) -+ -+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) -+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -+ files_pid_filetrans($1_t,$1_var_run_t, { file dir }) -+ -+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) -+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) -+ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) -+ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) -+ -+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) -+ manage_files_pattern($1_t, $1_log_t, $1_log_t) -+ logging_log_filetrans($1_t, $1_log_t, { file dir } ) -+ -+ corecmd_exec_bin($1_t) -+ corecmd_read_bin_symlinks($1_t) -+ corecmd_exec_shell($1_t) -+ -+ dev_list_sysfs($1_t) -+ dev_read_rand($1_t) -+ dev_read_urand($1_t) ++ allow $1 openvpn_t:process signull; ++') + -+ # Java is looking in /tmp for some reason...: -+ files_manage_generic_tmp_dirs($1_t) -+ files_manage_generic_tmp_files($1_t) -+ files_read_usr_files($1_t) -+ files_read_usr_symlinks($1_t) -+ # These are used to read tomcat class files in /var/lib/tomcat -+ files_read_var_lib_files($1_t) -+ 
files_read_var_lib_symlinks($1_t) ++######################################## ++## + ## Allow the specified domain to read + ## OpenVPN configuration files. + ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.8/policy/modules/services/openvpn.te +--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/openvpn.te 2009-03-05 15:25:24.000000000 -0500 +@@ -22,6 +22,9 @@ + type openvpn_etc_t; + files_config_file(openvpn_etc_t) + ++type openvpn_etc_rw_t; ++files_config_file(openvpn_etc_rw_t) + -+ kernel_read_network_state($1_t) -+ kernel_read_system_state($1_t) -+ kernel_search_network_state($1_t) -+ # audit2allow -+ kernel_signull_unlabeled($1_t) + type openvpn_initrc_exec_t; + init_script_file(openvpn_initrc_exec_t) + +@@ -40,6 +43,7 @@ + + allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; + allow openvpn_t self:process { signal getsched }; ++allow openvpn_t self:fifo_file rw_fifo_file_perms; + + allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; + allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -47,10 +51,11 @@ + allow openvpn_t self:tcp_socket server_stream_socket_perms; + allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; + +-allow openvpn_t openvpn_etc_t:dir list_dir_perms; +-can_exec(openvpn_t, openvpn_etc_t) ++manage_files_pattern(openvpn_t,openvpn_etc_rw_t,openvpn_etc_rw_t) + read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) + read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) ++filetrans_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_rw_t, file) ++can_exec(openvpn_t,openvpn_etc_t) + + allow openvpn_t openvpn_var_log_t:file manage_file_perms; + logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) +@@ -99,6 +104,8 @@ + + 
sysnet_dns_name_resolve(openvpn_t) + sysnet_exec_ifconfig(openvpn_t) ++sysnet_write_config(openvpn_t) ++sysnet_etc_filetrans_config(openvpn_t) + + userdom_use_user_terminals(openvpn_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.6.8/policy/modules/services/pads.fc +--- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/pads.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,12 @@ + -+ auth_use_nsswitch($1_t) ++/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) ++/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) ++/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) ++/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) + -+ init_dontaudit_write_utmp($1_t) ++/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0) + -+ libs_use_ld_so($1_t) -+ libs_use_shared_libs($1_t) ++/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) + -+ miscfiles_read_localization($1_t) ++/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) + -+ ifdef(`targeted_policy',` -+ term_dontaudit_use_unallocated_ttys($1_t) -+ term_dontaudit_use_generic_ptys($1_t) -+ ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.6.8/policy/modules/services/pads.if +--- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/pads.if 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,10 @@ ++## SELinux policy for PADS daemon. ++## ++##

++## PADS is a libpcap based detection engine used to ++## passively detect network assets. It is designed to ++## complement IDS technology by providing context to IDS ++## alerts. ++##

++##
+ -+#This is broken in selinux-policy we need java_exec defined, Will add to policy -+ gen_require(` -+ type java_exec_t; -+ ') -+ can_exec($1_t, java_exec_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.6.8/policy/modules/services/pads.te +--- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/pads.te 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,65 @@ + -+') ++policy_module(pads, 0.0.1) + +######################################## -+## -+## All of the rules required to administrate -+## an pki_ca environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## -+## -+## +# -+interface(`pki_ca_admin',` -+ gen_require(` -+ type pki_ca_tomcat_exec_t; -+ attribute pki_ca_process; -+ attribute pki_ca_config; -+ attribute pki_ca_executable; -+ attribute pki_ca_var_lib; -+ attribute pki_ca_var_log; -+ attribute pki_ca_var_run; -+ attribute pki_ca_pidfiles; -+ attribute pki_ca_script; -+ ') ++# Declarations ++# + -+ allow $1 pki_ca_process:process { ptrace signal_perms }; -+ ps_process_pattern($1, pki_ca_t) ++type pads_t; ++type pads_exec_t; ++init_daemon_domain(pads_t, pads_exec_t) ++role system_r types pads_t; + -+ # Allow pki_ca_t to restart the service -+ pki_ca_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pki_ca_script system_r; -+ allow $2 system_r; ++type pads_initrc_exec_t; ++init_script_file(pads_initrc_exec_t) + -+ manage_all_pattern($1, pki_ca_config) -+ manage_all_pattern($1, pki_ca_var_run) -+ manage_all_pattern($1, pki_ca_var_lib) -+ manage_all_pattern($1, pki_ca_var_log) -+ manage_all_pattern($1, pki_ca_config) -+ manage_all_pattern($1, pki_ca_tomcat_exec_t) -+') ++type pads_config_t; ++files_config_file(pads_config_t) ++ ++type 
pads_var_run_t; ++files_pid_file(pads_var_run_t) + +######################################## -+## -+## Execute pki_kra server in the pki_kra domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## +# -+interface(`pki_kra_script_domtrans',` -+ gen_require(` -+ attribute pki_kra_script; -+ ') ++# Declarations ++# + -+ init_script_domtrans_spec($1,pki_kra_script) -+') ++allow pads_t self:capability { dac_override net_raw }; ++allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; ++allow pads_t self:packet_socket { ioctl setopt getopt read bind create }; ++allow pads_t self:udp_socket { create ioctl }; ++allow pads_t self:unix_dgram_socket { write create connect }; + -+######################################## -+## -+## All of the rules required to administrate -+## an pki_kra environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## -+## -+## -+## The type of the user terminal. 
-+## -+## -+## -+# -+interface(`pki_kra_admin',` -+ gen_require(` -+ type pki_kra_tomcat_exec_t; -+ attribute pki_kra_process; -+ attribute pki_kra_config; -+ attribute pki_kra_executable; -+ attribute pki_kra_var_lib; -+ attribute pki_kra_var_log; -+ attribute pki_kra_var_run; -+ attribute pki_kra_pidfiles; -+ attribute pki_kra_script; -+ ') ++allow pads_t pads_config_t:file manage_file_perms; ++files_etc_filetrans(pads_t, pads_config_t, file) + -+ allow $1 pki_kra_process:process { ptrace signal_perms }; -+ ps_process_pattern($1, pki_kra_t) ++allow pads_t pads_var_run_t:file manage_file_perms; ++files_pid_filetrans(pads_t, pads_var_run_t, file) + -+ # Allow pki_kra_t to restart the service -+ pki_kra_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pki_kra_script system_r; -+ allow $2 system_r; ++corecmd_search_bin(pads_t) + -+ manage_all_pattern($1, pki_kra_config) -+ manage_all_pattern($1, pki_kra_var_run) -+ manage_all_pattern($1, pki_kra_var_lib) -+ manage_all_pattern($1, pki_kra_var_log) -+ manage_all_pattern($1, pki_kra_config) -+ manage_all_pattern($1, pki_kra_tomcat_exec_t) -+') ++corenet_all_recvfrom_unlabeled(pads_t) ++corenet_all_recvfrom_netlabel(pads_t) ++corenet_tcp_sendrecv_generic_if(pads_t) ++corenet_tcp_sendrecv_generic_node(pads_t) + -+######################################## -+## -+## Execute pki_ocsp server in the pki_ocsp domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`pki_ocsp_script_domtrans',` -+ gen_require(` -+ attribute pki_ocsp_script; -+ ') ++corenet_tcp_connect_prelude_port(pads_t) + -+ init_script_domtrans_spec($1,pki_ocsp_script) -+') ++dev_read_rand(pads_t) ++dev_read_urand(pads_t) + ++kernel_read_sysctl(pads_t) + -+######################################## -+## -+## All of the rules required to administrate -+## an pki_ocsp environment -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## -+## -+## -+# -+interface(`pki_ocsp_admin',` -+ gen_require(` -+ type pki_ocsp_tomcat_exec_t; -+ attribute pki_ocsp_process; -+ attribute pki_ocsp_config; -+ attribute pki_ocsp_executable; -+ attribute pki_ocsp_var_lib; -+ attribute pki_ocsp_var_log; -+ attribute pki_ocsp_var_run; -+ attribute pki_ocsp_pidfiles; -+ attribute pki_ocsp_script; -+ ') ++files_read_etc_files(pads_t) ++files_search_spool(pads_t) + -+ allow $1 pki_ocsp_process:process { ptrace signal_perms }; -+ ps_process_pattern($1, pki_ocsp_t) ++miscfiles_read_localization(pads_t) + -+ # Allow pki_ocsp_t to restart the service -+ pki_ocsp_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pki_ocsp_script system_r; -+ allow $2 system_r; ++logging_send_syslog_msg(pads_t) ++ ++sysnet_dns_name_resolve(pads_t) + -+ manage_all_pattern($1, pki_ocsp_config) -+ manage_all_pattern($1, pki_ocsp_var_run) -+ manage_all_pattern($1, pki_ocsp_var_lib) -+ manage_all_pattern($1, pki_ocsp_var_log) -+ manage_all_pattern($1, pki_ocsp_config) -+ manage_all_pattern($1, pki_ocsp_tomcat_exec_t) ++optional_policy(` ++ prelude_manage_spool(pads_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-3.6.8/policy/modules/services/pcscd.fc +--- nsaserefpolicy/policy/modules/services/pcscd.fc 2008-08-07 11:15:11.000000000 -0400 ++++ serefpolicy-3.6.8/policy/modules/services/pcscd.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -1,5 +1,6 @@ + /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) + /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) + /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) ++/var/run/pcscd\.events(/.*)? 
gen_context(system_u:object_r:pcscd_var_run_t,s0) + + /usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.8/policy/modules/services/pcscd.te +--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/pcscd.te 2009-03-05 15:25:24.000000000 -0500 +@@ -27,9 +27,10 @@ + allow pcscd_t self:unix_dgram_socket create_socket_perms; + allow pcscd_t self:tcp_socket create_stream_socket_perms; + ++manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) + manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) + manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) +-files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file }) ++files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) + + corenet_all_recvfrom_unlabeled(pcscd_t) + corenet_all_recvfrom_netlabel(pcscd_t) +@@ -57,6 +58,14 @@ + sysnet_dns_name_resolve(pcscd_t) + + optional_policy(` ++ dbus_system_bus_client(pcscd_t) + -+######################################## -+## -+## Execute pki_ra server in the pki_ra domain. -+## -+## -+## -+## The type of the process performing this action. 
-+## -+## -+# -+interface(`pki_ra_script_domtrans',` -+ gen_require(` -+ attribute pki_ra_script; ++ optional_policy(` ++ hal_dbus_chat(pcscd_t) + ') ++') + -+ init_script_domtrans_spec($1,pki_ra_script) ++optional_policy(` + openct_stream_connect(pcscd_t) + openct_read_pid_files(pcscd_t) + openct_signull(pcscd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.8/policy/modules/services/pegasus.te +--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/pegasus.te 2009-03-05 15:25:24.000000000 -0500 +@@ -30,7 +30,7 @@ + # Local policy + # + +-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service }; ++allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service }; + dontaudit pegasus_t self:capability sys_tty_config; + allow pegasus_t self:process signal; + allow pegasus_t self:fifo_file rw_fifo_file_perms; +@@ -66,6 +66,8 @@ + kernel_read_system_state(pegasus_t) + kernel_search_vm_sysctl(pegasus_t) + kernel_read_net_sysctls(pegasus_t) ++kernel_read_xen_state(pegasus_t) ++kernel_write_xen_state(pegasus_t) + + corenet_all_recvfrom_unlabeled(pegasus_t) + corenet_all_recvfrom_netlabel(pegasus_t) +@@ -96,13 +98,12 @@ + + auth_use_nsswitch(pegasus_t) + auth_domtrans_chk_passwd(pegasus_t) ++auth_read_shadow(pegasus_t) + + domain_use_interactive_fds(pegasus_t) + domain_read_all_domains_state(pegasus_t) + +-files_read_etc_files(pegasus_t) +-files_list_var_lib(pegasus_t) +-files_read_var_lib_files(pegasus_t) ++files_read_all_files(pegasus_t) + files_read_var_lib_symlinks(pegasus_t) + + hostname_exec(pegasus_t) +@@ -115,7 +116,6 @@ + + miscfiles_read_localization(pegasus_t) + +-sysnet_read_config(pegasus_t) + sysnet_domtrans_ifconfig(pegasus_t) + + userdom_dontaudit_use_unpriv_user_fds(pegasus_t) +@@ -126,6 +126,14 @@ + ') + + 
optional_policy(` ++ samba_manage_config(pegasus_t) +') + -+######################################## -+## -+## Create a set of derived types for apache -+## web content. -+## -+## -+## -+## The prefix to be used for deriving type names. -+## -+## -+# -+template(`pki_ra_template',` -+ gen_require(` -+ attribute pki_ra_process; -+ attribute pki_ra_config, pki_ra_var_lib; -+ attribute pki_ra_executable, pki_ra_script, pki_ra_var_log; -+ ') -+ ######################################## -+ # -+ # Declarations -+ # -+ -+ type $1_t, pki_ra_process; -+ type $1_exec_t, pki_ra_executable; -+ domain_type($1_t) -+ init_daemon_domain($1_t, $1_exec_t) -+ -+ type $1_script_exec_t, pki_ra_script; -+ init_script_file($1_script_exec_t) -+ -+ type $1_etc_rw_t, pki_ra_config; -+ files_type($1_etc_rw_t) -+ -+ type $1_var_lib_t, pki_ra_var_lib; -+ files_type($1_var_lib_t) -+ -+ type $1_log_t, pki_ra_var_log; -+ logging_log_file($1_log_t) -+ -+ ######################################## -+ # -+ # $1 local policy -+ # -+ -+ ## internal communication is often done using fifo and unix sockets. 
-+ allow $1_t self:fifo_file rw_file_perms; -+ allow $1_t self:unix_stream_socket create_stream_socket_perms; -+ -+ # Init script handling -+ domain_use_interactive_fds($1_t) -+ -+ files_read_etc_files($1_t) -+ -+ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) -+ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) -+ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) ++optional_policy(` ++ ssh_exec(pegasus_t) ++') + -+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) -+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) -+ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) -+ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) ++optional_policy(` + seutil_sigchld_newrole(pegasus_t) + seutil_dontaudit_read_config(pegasus_t) + ') +@@ -137,3 +145,13 @@ + optional_policy(` + unconfined_signull(pegasus_t) + ') + -+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) -+ manage_files_pattern($1_t, $1_log_t, $1_log_t) -+ logging_log_filetrans($1_t, $1_log_t, { file dir } ) ++optional_policy(` ++ virt_domtrans(pegasus_t) ++ virt_manage_config(pegasus_t) ++') + -+ init_dontaudit_write_utmp($1_t) ++optional_policy(` ++ xen_stream_connect(pegasus_t) ++ xen_stream_connect_xenstore(pegasus_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.6.8/policy/modules/services/pingd.fc +--- nsaserefpolicy/policy/modules/services/pingd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/pingd.fc 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,11 @@ + -+ libs_use_ld_so($1_t) -+ libs_use_shared_libs($1_t) ++/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) + -+ miscfiles_read_localization($1_t) ++/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0) + -+ ifdef(`targeted_policy',` -+ term_dontaudit_use_unallocated_ttys($1_t) -+ term_dontaudit_use_generic_ptys($1_t) -+ ') ++/usr/lib/pingd(/.*)? 
gen_context(system_u:object_r:pingd_modules_t,s0) + -+ gen_require(` -+ type httpd_t; -+ ') ++/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0) + -+ allow httpd_t pki_ra_etc_rw_t:file { read getattr }; -+ allow httpd_t pki_ra_log_t:file read; -+ allow httpd_t pki_ra_var_lib_t:lnk_file read; + + -+') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.6.8/policy/modules/services/pingd.if +--- nsaserefpolicy/policy/modules/services/pingd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/pingd.if 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,99 @@ ++## policy for pingd + +######################################## +## -+## All of the rules required to administrate -+## an pki_ra environment ++## Execute a domain transition to run pingd. +## +## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## -+## -+## -+# -+interface(`pki_ra_admin',` -+ gen_require(` -+ attribute pki_ra_process; -+ attribute pki_ra_config; -+ attribute pki_ra_executable; -+ attribute pki_ra_var_lib; -+ attribute pki_ra_var_log; -+ attribute pki_ra_script; -+ ') -+ -+ allow $1 pki_ra_process:process { ptrace signal_perms }; -+ ps_process_pattern($1, pki_ra_t) -+ -+ # Allow pki_ra_t to restart the service -+ pki_ra_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pki_ra_script system_r; -+ allow $2 system_r; -+ -+ manage_all_pattern($1, pki_ra_config) -+ manage_all_pattern($1, pki_ra_var_lib) -+ manage_all_pattern($1, pki_ra_var_log) -+ manage_all_pattern($1, pki_ra_config) -+') -+ -+######################################## +## -+## Execute pki_tks server in the pki_tks domain. ++## Domain allowed to transition. +## -+## -+## -+## The type of the process performing this action. 
-+## +## +# -+interface(`pki_tks_script_domtrans',` ++interface(`pingd_domtrans',` + gen_require(` -+ attribute pki_tks_script; ++ type pingd_t, pingd_exec_t; + ') + -+ init_script_domtrans_spec($1,pki_tks_script) ++ domtrans_pattern($1,pingd_exec_t,pingd_t) +') + -+ -+######################################## ++####################################### +## -+## All of the rules required to administrate -+## an pki_tks environment ++## Read pingd etc configuration files. +## +## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## ++## ++## Domain allowed access. ++## +## -+## +# -+interface(`pki_tks_admin',` -+ gen_require(` -+ type pki_tks_tomcat_exec_t; -+ attribute pki_tks_process; -+ attribute pki_tks_config; -+ attribute pki_tks_executable; -+ attribute pki_tks_var_lib; -+ attribute pki_tks_var_log; -+ attribute pki_tks_var_run; -+ attribute pki_tks_pidfiles; -+ attribute pki_tks_script; -+ ') -+ -+ allow $1 pki_tks_process:process { ptrace signal_perms }; -+ ps_process_pattern($1, pki_tks_t) -+ -+ # Allow pki_tks_t to restart the service -+ pki_tks_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pki_tks_script system_r; -+ allow $2 system_r; ++interface(`pingd_read_etc',` ++ gen_require(` ++ type pingd_etc_t; ++ ') + -+ manage_all_pattern($1, pki_tks_config) -+ manage_all_pattern($1, pki_tks_var_run) -+ manage_all_pattern($1, pki_tks_var_lib) -+ manage_all_pattern($1, pki_tks_var_log) -+ manage_all_pattern($1, pki_tks_config) -+ manage_all_pattern($1, pki_tks_tomcat_exec_t) ++ files_search_etc($1) ++ read_files_pattern($1, pingd_etc_t, pingd_etc_t) +') + -+######################################## ++####################################### +## -+## Execute pki_tps server in the pki_tps domain. ++## Manage pingd etc configuration files. +## +## -+## -+## The type of the process performing this action. 
-+## ++## ++## Domain allowed access. ++## +## +# -+interface(`pki_tps_script_domtrans',` -+ gen_require(` -+ attribute pki_tps_script; -+ ') ++interface(`pingd_manage_etc',` ++ gen_require(` ++ type pingd_etc_t; ++ ') + -+ init_script_domtrans_spec($1,pki_tps_script) -+') ++ files_search_etc($1) ++ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) ++ manage_files_pattern($1, pingd_etc_t, pingd_etc_t) + ++') + -+######################################## ++####################################### +## -+## All of the rules required to administrate -+## an pki_tps environment ++## All of the rules required to administrate ++## an pingd environment +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## ++## ++## The role to be allowed to manage the pingd domain. ++## +## +## +# -+interface(`pki_tps_admin',` -+ gen_require(` -+ attribute pki_tps_process; -+ attribute pki_tps_config; -+ attribute pki_tps_executable; -+ attribute pki_tps_var_lib; -+ attribute pki_tps_var_log; -+ attribute pki_tps_script; -+ ') -+ -+ allow $1 pki_tps_process:process { ptrace signal_perms }; -+ ps_process_pattern($1, pki_tps_t) -+ -+ # Allow pki_tps_t to restart the service -+ pki_tps_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pki_tps_script system_r; -+ allow $2 system_r; -+ -+ manage_all_pattern($1, pki_tps_config) -+ manage_all_pattern($1, pki_tps_var_lib) -+ manage_all_pattern($1, pki_tps_var_log) -+ manage_all_pattern($1, pki_tps_config) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.te serefpolicy-3.6.7/policy/modules/services/pki.te ---- nsaserefpolicy/policy/modules/services/pki.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pki.te 2009-03-03 17:11:59.000000000 -0500 -@@ -0,0 +1,91 @@ 
-+policy_module(pki,1.0.0) ++interface(`pingd_admin',` ++ gen_require(` ++ type pingd_t, pingd_etc_t; ++ type pingd_initrc_exec_t, pingd_modules_t; ++ ') + -+attribute pki_ca_config; -+attribute pki_ca_executable; -+attribute pki_ca_var_lib; -+attribute pki_ca_var_log; -+attribute pki_ca_var_run; -+attribute pki_ca_pidfiles; -+attribute pki_ca_script; -+attribute pki_ca_process; ++ allow $1 pingd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, pingd_t) + -+type pki_ca_tomcat_exec_t; -+files_type(pki_ca_tomcat_exec_t) ++ init_labeled_script_domtrans($1, pingd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 pingd_initrc_exec_t system_r; ++ allow $2 system_r; + -+pki_ca_template(pki_ca) ++ files_list_etc($1) ++ admin_pattern($1, pingd_etc_t) + -+attribute pki_kra_config; -+attribute pki_kra_executable; -+attribute pki_kra_var_lib; -+attribute pki_kra_var_log; -+attribute pki_kra_var_run; -+attribute pki_kra_pidfiles; -+attribute pki_kra_script; -+attribute pki_kra_process; ++ files_list_usr($1) ++ admin_pattern($1, pingd_modules_t) + -+type pki_kra_tomcat_exec_t; -+files_type(pki_kra_tomcat_exec_t) ++') + -+pki_ca_template(pki_kra) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.6.8/policy/modules/services/pingd.te +--- nsaserefpolicy/policy/modules/services/pingd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/pingd.te 2009-03-05 15:25:24.000000000 -0500 +@@ -0,0 +1,54 @@ ++policy_module(pingd,1.0.0) + ++######################################## ++# ++# Declarations ++# + -+attribute pki_ocsp_config; -+attribute pki_ocsp_executable; -+attribute pki_ocsp_var_lib; -+attribute pki_ocsp_var_log; -+attribute pki_ocsp_var_run; -+attribute pki_ocsp_pidfiles; -+attribute pki_ocsp_script; -+attribute pki_ocsp_process; ++type pingd_t; ++type pingd_exec_t; ++init_daemon_domain(pingd_t, pingd_exec_t) + -+type 
pki_ocsp_tomcat_exec_t; -+files_type(pki_ocsp_tomcat_exec_t) ++type pingd_initrc_exec_t; ++init_script_file(pingd_initrc_exec_t) + -+pki_ca_template(pki_ocsp) ++# type for config ++type pingd_etc_t; ++files_type(pingd_etc_t); + ++# type for pingd modules ++type pingd_modules_t; ++files_type(pingd_modules_t) + -+attribute pki_ra_config; -+attribute pki_ra_executable; -+attribute pki_ra_var_lib; -+attribute pki_ra_var_log; -+attribute pki_ra_var_run; -+attribute pki_ra_pidfiles; -+attribute pki_ra_script; -+attribute pki_ra_process; ++######################################## ++# ++# pingd local policy ++# + -+type pki_ra_tomcat_exec_t; -+files_type(pki_ra_tomcat_exec_t) ++allow pingd_t self:capability net_raw; ++allow pingd_t self:tcp_socket create_stream_socket_perms; ++allow pingd_t self:rawip_socket { write read create bind }; + -+pki_ra_template(pki_ra) ++read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t) + ++read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) ++mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) + -+attribute pki_tks_config; -+attribute pki_tks_executable; -+attribute pki_tks_var_lib; -+attribute pki_tks_var_log; -+attribute pki_tks_var_run; -+attribute pki_tks_pidfiles; -+attribute pki_tks_script; -+attribute pki_tks_process; ++corenet_raw_bind_generic_node(pingd_t) ++corenet_tcp_bind_generic_node(pingd_t) ++corenet_tcp_bind_pingd_port(pingd_t) + -+type pki_tks_tomcat_exec_t; -+files_type(pki_tks_tomcat_exec_t) ++auth_use_nsswitch(pingd_t) + -+pki_ca_template(pki_tks) ++files_search_usr(pingd_t) + ++libs_use_ld_so(pingd_t) ++libs_use_shared_libs(pingd_t) ++miscfiles_read_localization(pingd_t) + -+attribute pki_tps_config; -+attribute pki_tps_executable; -+attribute pki_tps_var_lib; -+attribute pki_tps_var_log; -+attribute pki_tps_var_run; -+attribute pki_tps_pidfiles; -+attribute pki_tps_script; -+attribute pki_tps_process; ++logging_send_syslog_msg(pingd_t) + -+type pki_tps_tomcat_exec_t; 
-+files_type(pki_tps_tomcat_exec_t) ++permissive pingd_t; + -+pki_ra_template(pki_tps) + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.7/policy/modules/services/polkit.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.8/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/polkit.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/polkit.fc 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,11 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) @@ -17833,9 +15567,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) + +/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.7/policy/modules/services/polkit.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.8/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/polkit.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/polkit.if 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,241 @@ + +## policy for polkit_auth 
@@ -18078,9 +15812,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 polkit_t:dbus send_msg; + allow polkit_t $1:dbus send_msg; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.7/policy/modules/services/polkit.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.8/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/polkit.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/polkit.te 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,237 @@ +policy_module(polkit_auth, 1.0.0) + @@ -18319,9 +16053,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_ptrace(polkit_resolve_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.6.7/policy/modules/services/portreserve.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.6.8/policy/modules/services/portreserve.fc --- nsaserefpolicy/policy/modules/services/portreserve.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/portreserve.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/portreserve.fc 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,12 @@ +# portreserve executable will have: +# label: system_u:object_r:portreserve_exec_t 
@@ -18335,9 +16069,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.6.7/policy/modules/services/portreserve.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.6.8/policy/modules/services/portreserve.if --- nsaserefpolicy/policy/modules/services/portreserve.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/portreserve.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/portreserve.if 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,66 @@ +## policy for portreserve + @@ -18405,9 +16139,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) + read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.6.7/policy/modules/services/portreserve.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.6.8/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/portreserve.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/portreserve.te 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,51 @@ +policy_module(portreserve,1.0.0) + 
@@ -18460,9 +16194,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#init_use_fds(portreserve_t) +#init_use_script_ptys(portreserve_t) +#domain_use_interactive_fds(portreserve_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.7/policy/modules/services/postfix.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.8/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/postfix.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/postfix.fc 2009-03-05 15:25:24.000000000 -0500 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -18476,9 +16210,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.7/policy/modules/services/postfix.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.8/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/postfix.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/postfix.if 2009-03-05 15:25:24.000000000 -0500 
@@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -18672,9 +16406,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.7/policy/modules/services/postfix.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/postfix.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/postfix.te 2009-03-05 15:25:24.000000000 -0500 @@ -6,6 +6,15 @@ # Declarations # @@ -19022,9 +16756,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.7/policy/modules/services/postgresql.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.8/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/postgresql.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/postgresql.fc 2009-03-05 15:25:24.000000000 -0500 @@ -2,6 +2,7 @@ # /etc # 
@@ -19033,9 +16767,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.7/policy/modules/services/postgresql.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.8/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/postgresql.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/postgresql.if 2009-03-05 15:25:24.000000000 -0500 @@ -351,3 +351,46 @@ typeattribute $1 sepgsql_unconfined_type; @@ -19083,9 +16817,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + admin_pattern($1, postgresql_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.7/policy/modules/services/postgresql.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.8/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/postgresql.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/postgresql.te 2009-03-05 15:25:24.000000000 -0500 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) 
@@ -19139,9 +16873,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto }; allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.7/policy/modules/services/ppp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.6.8/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/ppp.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ppp.fc 2009-03-05 15:25:24.000000000 -0500 @@ -1,7 +1,7 @@ # # /etc @@ -19162,9 +16896,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /sbin -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.7/policy/modules/services/ppp.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.8/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ppp.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ppp.if 2009-03-05 15:25:24.000000000 -0500 @@ -58,6 +58,25 @@ ######################################## 
@@ -19265,9 +16999,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, pptp_var_run_t, pptp_var_run_t) + admin_pattern($1, pptp_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.7/policy/modules/services/ppp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.8/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ppp.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ppp.te 2009-03-05 15:25:24.000000000 -0500 @@ -37,8 +37,8 @@ type pppd_etc_rw_t; files_type(pppd_etc_rw_t) @@ -19403,9 +17137,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - -# FIXME: -domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.6.7/policy/modules/services/prelude.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.6.8/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/prelude.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/prelude.fc 2009-03-05 15:25:24.000000000 -0500 @@ -1,3 +1,9 @@ +/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) + 
@@ -19432,9 +17166,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.6.7/policy/modules/services/prelude.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.6.8/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/prelude.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/prelude.if 2009-03-05 15:25:24.000000000 -0500 @@ -6,7 +6,7 @@ ##
## @@ -19547,9 +17281,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, prelude_lml_tmp_t) + admin_pattern($1, prelude_lml_var_run_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.7/policy/modules/services/prelude.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.8/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/prelude.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/prelude.te 2009-03-05 15:25:24.000000000 -0500 @@ -13,25 +13,57 @@ type prelude_spool_t; files_type(prelude_spool_t) @@ -19819,10 +17553,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` mysql_search_db(httpd_prewikka_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.7/policy/modules/services/procmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.8/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/procmail.te 2009-03-03 17:11:59.000000000 -0500 -@@ -92,6 +92,7 @@ ++++ serefpolicy-3.6.8/policy/modules/services/procmail.te 2009-03-05 15:25:24.000000000 -0500 +@@ -77,6 +77,7 @@ + files_read_usr_files(procmail_t) + + logging_send_syslog_msg(procmail_t) ++logging_append_all_logs(procmail_t) + + miscfiles_read_localization(procmail_t) + +@@ -92,6 +93,7 @@ userdom_dontaudit_search_user_home_dirs(procmail_t) mta_manage_spool(procmail_t) 
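Review bot: `logging_append_all_logs(procmail_t)`, added after `logging_send_syslog_msg(procmail_t)` in the procmail.te hunk, grants procmail append access to every file carrying the generic log attribute rather than to one identified log, which is broader than a local delivery agent needs and leaves no trace of which log motivated it. If a single procmail log is the target, a dedicated type (constructed example: `procmail_log_t` declared with `logging_log_file()`) plus `logging_log_filetrans(procmail_t, procmail_log_t, file)` would confine the write to that file. Failing that, the new line should carry a comment naming the path that triggered the denial, e.g. `# procmail appends to <LOG_PATH placeholder>; TODO narrow to a dedicated log type`. The surrounding procmail_t rules continue outside the hunk.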
@@ -19830,7 +17572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` mta_dontaudit_rw_queue(procmail_t) -@@ -128,6 +129,10 @@ +@@ -128,6 +130,10 @@ ') optional_policy(` @@ -19841,17 +17583,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pyzor_domtrans(procmail_t) pyzor_signal(procmail_t) ') -@@ -148,3 +153,7 @@ - spamassassin_domtrans_client(procmail_t) - spamassassin_read_lib_files(procmail_t) - ') -+ -+optional_policy(` -+ mailscanner_read_spool(procmail_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.7/policy/modules/services/psad.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.8/policy/modules/services/psad.fc --- nsaserefpolicy/policy/modules/services/psad.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/psad.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/psad.fc 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,17 @@ + + 
@@ -19870,9 +17604,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0) + +/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.6.7/policy/modules/services/psad.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.6.8/policy/modules/services/psad.if --- nsaserefpolicy/policy/modules/services/psad.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/psad.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/psad.if 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,304 @@ +## Psad SELinux policy + @@ -20178,9 +17912,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_tmp($1) + admin_pattern($1, psad_tmp_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.6.7/policy/modules/services/psad.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.6.8/policy/modules/services/psad.te --- nsaserefpolicy/policy/modules/services/psad.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/psad.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/psad.te 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,107 @@ +policy_module(psad,1.0.0) + 
@@ -20289,9 +18023,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive psad_t; + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.7/policy/modules/services/pyzor.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.8/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pyzor.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/pyzor.fc 2009-03-05 15:25:24.000000000 -0500 @@ -1,6 +1,8 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -20301,9 +18035,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.7/policy/modules/services/pyzor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.8/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pyzor.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/pyzor.if 2009-03-05 15:25:24.000000000 -0500 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) 
@@ -20355,9 +18089,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.7/policy/modules/services/pyzor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.8/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/pyzor.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/pyzor.te 2009-03-05 15:25:24.000000000 -0500 @@ -6,6 +6,38 @@ # Declarations # @@ -20414,9 +18148,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.7/policy/modules/services/radvd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.8/policy/modules/services/radvd.te --- nsaserefpolicy/policy/modules/services/radvd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/radvd.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/radvd.te 2009-03-05 15:25:24.000000000 -0500 @@ -22,7 +22,7 @@ # # Local policy 
@@ -20426,9 +18160,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit radvd_t self:capability sys_tty_config; allow radvd_t self:process signal_perms; allow radvd_t self:unix_dgram_socket create_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.7/policy/modules/services/razor.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.8/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/razor.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/razor.if 2009-03-05 15:25:24.000000000 -0500 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) @@ -20475,9 +18209,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.7/policy/modules/services/razor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.8/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-01-19 11:07:32.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/razor.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/razor.te 2009-03-05 15:25:24.000000000 -0500 @@ -6,6 +6,32 @@ # Declarations # 
@@ -20517,9 +18251,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.7/policy/modules/services/ricci.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.8/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ricci.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ricci.te 2009-03-05 15:25:24.000000000 -0500 @@ -133,6 +133,8 @@ dev_read_urand(ricci_t) @@ -20624,9 +18358,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ccs_stream_connect(ricci_modstorage_t) ccs_read_config(ricci_modstorage_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.6.7/policy/modules/services/rlogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.6.8/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/rlogin.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/rlogin.te 2009-03-05 15:25:24.000000000 -0500 @@ -91,10 +91,22 @@ remotelogin_signal(rlogind_t) 
@@ -20652,9 +18386,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_read_cifs_files(rlogind_t) + fs_read_cifs_symlinks(rlogind_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.6.7/policy/modules/services/rpc.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.6.8/policy/modules/services/rpc.fc --- nsaserefpolicy/policy/modules/services/rpc.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/rpc.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/rpc.fc 2009-03-05 15:25:24.000000000 -0500 @@ -13,6 +13,7 @@ # /usr # @@ -20663,9 +18397,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.7/policy/modules/services/rpc.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.8/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/rpc.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/rpc.if 2009-03-05 15:25:24.000000000 -0500 @@ -88,8 +88,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) 
@@ -20728,9 +18462,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_var_lib($1) + manage_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.7/policy/modules/services/rpc.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.8/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-02 16:51:45.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/rpc.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/rpc.te 2009-03-05 15:25:24.000000000 -0500 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -20794,9 +18528,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.7/policy/modules/services/rshd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.6.8/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/rshd.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/rshd.te 2009-03-05 15:25:24.000000000 -0500 @@ -51,7 +51,7 @@ files_list_home(rshd_t) 
@@ -20806,9 +18540,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_login_pgm_domain(rshd_t) auth_write_login_records(rshd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.7/policy/modules/services/rsync.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.8/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/rsync.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/rsync.te 2009-03-05 15:25:24.000000000 -0500 @@ -119,5 +119,9 @@ tunable_policy(`rsync_export_all_ro',` @@ -20819,9 +18553,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + auth_tunable_read_shadow(rsync_t) ') +auth_can_read_shadow_passwords(rsync_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.7/policy/modules/services/samba.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.8/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/samba.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/samba.fc 2009-03-05 15:25:24.000000000 -0500 @@ -2,6 +2,9 @@ # # /etc 
@@ -20848,9 +18582,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.7/policy/modules/services/samba.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.8/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/samba.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/samba.if 2009-03-05 15:25:24.000000000 -0500 @@ -4,6 +4,45 @@ ## from Windows NT servers. ##
@@ -21248,9 +18982,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, samba_unconfined_script_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.7/policy/modules/services/samba.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.8/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/samba.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/samba.te 2009-03-05 15:25:24.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -21710,9 +19444,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow winbind_t smbcontrol_t:process signal; + +allow smbcontrol_t nmbd_var_run_t:file { read lock }; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.7/policy/modules/services/sasl.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.8/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/sasl.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/sasl.te 2009-03-05 15:25:24.000000000 -0500 @@ -107,6 +107,10 @@ ') 
@@ -21724,9 +19458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(saslauthd_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.7/policy/modules/services/sendmail.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.8/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/sendmail.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/sendmail.if 2009-03-05 15:25:24.000000000 -0500 @@ -149,3 +149,92 @@ logging_log_filetrans($1, sendmail_log_t, file) @@ -21820,9 +19554,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 sendmail_t:fifo_file rw_fifo_file_perms; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.7/policy/modules/services/sendmail.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.8/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/sendmail.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/sendmail.te 2009-03-05 15:25:24.000000000 -0500 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) 
@@ -21990,18 +19724,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.7/policy/modules/services/setroubleshoot.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.8/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/setroubleshoot.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/setroubleshoot.fc 2009-03-05 15:25:24.000000000 -0500 @@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_initrc_exec_t,s0) + /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.7/policy/modules/services/setroubleshoot.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.8/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/setroubleshoot.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/setroubleshoot.if 2009-03-05 15:25:24.000000000 -0500 @@ -16,8 +16,8 @@ ') 
@@ -22084,9 +19818,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.7/policy/modules/services/setroubleshoot.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.8/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/setroubleshoot.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/setroubleshoot.te 2009-03-05 15:25:24.000000000 -0500 @@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -22172,9 +19906,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.7/policy/modules/services/smartmon.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.8/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/smartmon.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/smartmon.te 2009-03-05 15:25:24.000000000 -0500 @@ -19,6 +19,10 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) 
@@ -22232,9 +19966,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.6.7/policy/modules/services/snmp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.6.8/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/snmp.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/snmp.fc 2009-03-05 15:25:24.000000000 -0500 @@ -20,5 +20,5 @@ /var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) @@ -22242,9 +19976,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.7/policy/modules/services/snmp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.8/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/snmp.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/snmp.te 2009-03-05 15:25:24.000000000 -0500 @@ -71,6 +71,7 @@ corenet_tcp_bind_snmp_port(snmpd_t) corenet_udp_bind_snmp_port(snmpd_t) 
@@ -22253,9 +19987,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(snmpd_t) dev_read_sysfs(snmpd_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.7/policy/modules/services/snort.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.8/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/snort.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/snort.te 2009-03-05 15:25:24.000000000 -0500 @@ -56,6 +56,7 @@ files_pid_filetrans(snort_t, snort_var_run_t, file) @@ -22286,9 +20020,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` seutil_sigchld_newrole(snort_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.7/policy/modules/services/spamassassin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.8/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/spamassassin.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/spamassassin.fc 2009-03-05 15:25:24.000000000 -0500 @@ -1,15 +1,24 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) 
@@ -22317,9 +20051,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.7/policy/modules/services/spamassassin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.8/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/spamassassin.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/spamassassin.if 2009-03-05 15:25:24.000000000 -0500 @@ -111,6 +111,7 @@ ') @@ -22406,9 +20140,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.7/policy/modules/services/spamassassin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.8/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/spamassassin.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/spamassassin.te 2009-03-05 15:25:24.000000000 -0500 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) 
@@ -22667,9 +20401,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.6.7/policy/modules/services/squid.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.6.8/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/squid.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/squid.fc 2009-03-05 15:25:24.000000000 -0500 @@ -6,7 +6,11 @@ /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) @@ -22682,9 +20416,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.6.7/policy/modules/services/squid.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.6.8/policy/modules/services/squid.if --- nsaserefpolicy/policy/modules/services/squid.if 2008-11-11 16:13:45.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/squid.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/squid.if 2009-03-05 15:25:24.000000000 -0500 @@ -21,6 +21,25 @@ ######################################## @@ -22711,9 +20445,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send generic signals to squid. ##
## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.7/policy/modules/services/squid.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.8/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/squid.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/squid.te 2009-03-05 15:25:24.000000000 -0500 @@ -118,6 +118,9 @@ fs_getattr_all_fs(squid_t) @@ -22733,18 +20467,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.7/policy/modules/services/ssh.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.8/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ssh.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ssh.fc 2009-03-05 15:25:24.000000000 -0500 
@@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.7/policy/modules/services/ssh.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.8/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ssh.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ssh.if 2009-03-05 15:25:24.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -22973,9 +20707,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + can_exec($1, ssh_agent_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.7/policy/modules/services/ssh.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.8/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ssh.te 2009-03-04 12:12:58.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ssh.te 2009-03-05 15:25:24.000000000 -0500 @@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) 
@@ -23101,9 +20835,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.6.7/policy/modules/services/stunnel.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.6.8/policy/modules/services/stunnel.fc --- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/stunnel.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/stunnel.fc 2009-03-05 15:25:24.000000000 -0500 @@ -2,5 +2,6 @@ /etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) @@ -23111,9 +20845,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) /var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.6.7/policy/modules/services/stunnel.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.6.8/policy/modules/services/stunnel.te --- nsaserefpolicy/policy/modules/services/stunnel.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/stunnel.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/stunnel.te 2009-03-05 15:25:24.000000000 -0500 @@ -54,6 +54,8 @@ kernel_read_system_state(stunnel_t) kernel_read_network_state(stunnel_t) 
@@ -23131,9 +20865,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_home(stunnel_t) optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.fc serefpolicy-3.6.7/policy/modules/services/sysstat.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.fc serefpolicy-3.6.8/policy/modules/services/sysstat.fc --- nsaserefpolicy/policy/modules/services/sysstat.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/sysstat.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/sysstat.fc 2009-03-05 15:25:24.000000000 -0500 @@ -1,6 +1,6 @@ /usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) @@ -23142,9 +20876,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) /var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.7/policy/modules/services/sysstat.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.8/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/sysstat.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/sysstat.te 2009-03-05 15:25:24.000000000 -0500 @@ -19,13 +19,14 @@ # Local policy # 
@@ -23161,19 +20895,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) # get info from /proc -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.6.7/policy/modules/services/telnet.te ---- nsaserefpolicy/policy/modules/services/telnet.te 2009-02-16 08:44:12.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/telnet.te 2009-03-03 17:11:59.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(telnet, 1.8.3) -+policy_module(telnet, 1.8.2) - - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.7/policy/modules/services/tor.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.8/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/tor.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/tor.te 2009-03-05 15:25:24.000000000 -0500 @@ -34,7 +34,7 @@ # tor local policy # 
@@ -23183,9 +20907,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.6.7/policy/modules/services/ulogd.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.6.8/policy/modules/services/ulogd.fc --- nsaserefpolicy/policy/modules/services/ulogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ulogd.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ulogd.fc 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,10 @@ + +/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) @@ -23197,9 +20921,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) + +/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.7/policy/modules/services/ulogd.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.8/policy/modules/services/ulogd.if --- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ulogd.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ulogd.if 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,127 @@ +## policy for ulogd + 
@@ -23328,9 +21052,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_usr($1) + admin_pattern($1, ulogd_modules_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.6.7/policy/modules/services/ulogd.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.6.8/policy/modules/services/ulogd.te --- nsaserefpolicy/policy/modules/services/ulogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/ulogd.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/ulogd.te 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,51 @@ +policy_module(ulogd,1.0.0) + @@ -23383,18 +21107,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(ulogd_t) + +permissive ulogd_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.fc serefpolicy-3.6.7/policy/modules/services/uucp.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.fc serefpolicy-3.6.8/policy/modules/services/uucp.fc --- nsaserefpolicy/policy/modules/services/uucp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/uucp.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/uucp.fc 2009-03-05 15:25:24.000000000 -0500 
@@ -7,3 +7,5 @@ /var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) /var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0) + +/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.7/policy/modules/services/uucp.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.8/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/uucp.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/uucp.te 2009-03-05 15:25:24.000000000 -0500 @@ -10,6 +10,9 @@ inetd_tcp_service_domain(uucpd_t, uucpd_exec_t) role system_r types uucpd_t; @@ -23424,9 +21148,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.7/policy/modules/services/virt.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.8/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/virt.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/virt.fc 2009-03-05 15:25:24.000000000 -0500 @@ -8,5 +8,14 @@ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) 
@@ -23442,9 +21166,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) + +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.7/policy/modules/services/virt.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.8/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/virt.if 2009-03-03 17:18:43.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/virt.if 2009-03-05 15:25:24.000000000 -0500 @@ -2,28 +2,6 @@ ######################################## @@ -23590,9 +21314,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.7/policy/modules/services/virt.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.8/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/virt.te 2009-03-04 07:37:30.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/virt.te 2009-03-05 15:25:24.000000000 -0500 @@ -8,20 +8,18 @@ ## @@ -23707,7 +21431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_all(virtd_t) -files_list_kernel_modules(virtd_t) +files_read_kernel_modules(virtd_t) -+files_getattr_usr_src_files(virtd_t) ++files_read_usr_src_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall +files_manage_etc_files(virtd_t) 
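Review bot: `++files_read_usr_src_files(virtd_t)` widens virtd_t from getattr to read on files under /usr/src, but unlike the adjacent `+files_manage_etc_files(virtd_t)` line (annotated `# Manages /etc/sysconfig/system-config-firewall`) it carries no comment saying which libvirt operation needs file contents rather than metadata. Since this is a permanent grant to the daemon domain, a one-line comment in the same style, e.g. `# virtd presumably reads kernel headers/config under /usr/src for <denial or feature that motivated this>`, would let a later audit of virtd_t tell deliberate access from a denial-chasing fix. This getattr-to-read change is the only content change in the hunk; the other edits this commit makes to the patch are 3.6.7-to-3.6.8 path and timestamp bumps. The enclosing virtd_t rule block starts and ends outside the hunk.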
@@ -23839,9 +21563,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - unconfined_domain(virtd_t) + xen_rw_image_files(svirt_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.7/policy/modules/services/w3c.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.8/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/services/w3c.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/w3c.te 2009-03-05 15:25:24.000000000 -0500 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) @@ -23861,9 +21585,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.7/policy/modules/services/xserver.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.8/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/xserver.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/xserver.fc 2009-03-05 15:25:24.000000000 -0500 @@ -3,12 +3,16 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) 
@@ -23931,9 +21655,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.7/policy/modules/services/xserver.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/xserver.if 2009-03-03 17:24:21.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/xserver.if 2009-03-05 15:25:24.000000000 -0500 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -24559,9 +22283,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow xdm_t $1:dbus send_msg; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.7/policy/modules/services/xserver.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/xserver.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/xserver.te 2009-03-05 15:25:24.000000000 -0500 @@ -34,6 +34,13 @@ ## 
@@ -25268,15 +22992,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# -allow xdm_t user_home_type:file unlink; -') dnl end TODO -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.6.7/policy/modules/services/zosremote.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.6.8/policy/modules/services/zosremote.fc --- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/zosremote.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/zosremote.fc 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,2 @@ + +/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.6.7/policy/modules/services/zosremote.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.6.8/policy/modules/services/zosremote.if --- nsaserefpolicy/policy/modules/services/zosremote.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/zosremote.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/zosremote.if 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,46 @@ +## policy for z/OS Remote-services Audit dispatcher plugin + 
@@ -25324,9 +23048,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + zos_remote_domtrans($1) + role $2 types zos_remote_t; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.6.7/policy/modules/services/zosremote.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.6.8/policy/modules/services/zosremote.te --- nsaserefpolicy/policy/modules/services/zosremote.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/services/zosremote.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/services/zosremote.te 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,33 @@ +policy_module(zosremote,1.0.0) + @@ -25361,9 +23085,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(zos_remote_t) + +logging_send_syslog_msg(zos_remote_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.7/policy/modules/system/application.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.8/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/application.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/application.te 2009-03-05 15:25:24.000000000 -0500 @@ -7,8 +7,18 @@ # Executables to be run by user attribute application_exec_type; 
@@ -25383,9 +23107,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + sudo_sigchld(application_domain_type) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.7/policy/modules/system/authlogin.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.8/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/authlogin.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/authlogin.fc 2009-03-05 15:25:24.000000000 -0500 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -25412,9 +23136,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.7/policy/modules/system/authlogin.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/authlogin.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/authlogin.if 2009-03-05 15:25:24.000000000 -0500 @@ -43,20 +43,38 @@ interface(`auth_login_pgm_domain',` gen_require(` 
@@ -25743,9 +23467,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_var_filetrans($1,auth_cache_t,{ file dir } ) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.7/policy/modules/system/authlogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.8/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/authlogin.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/authlogin.te 2009-03-05 15:25:24.000000000 -0500 @@ -12,7 +12,7 @@ type chkpwd_t, can_read_shadow_passwords; @@ -25825,9 +23549,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(pam_console_t) mls_file_read_all_levels(pam_console_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.7/policy/modules/system/fstools.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.8/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/fstools.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/fstools.fc 2009-03-05 15:25:24.000000000 -0500 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
@@ -25841,9 +23565,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.7/policy/modules/system/fstools.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.8/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/fstools.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/fstools.te 2009-03-05 15:25:24.000000000 -0500 @@ -97,6 +97,10 @@ fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -25875,9 +23599,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(fsadm_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.7/policy/modules/system/hostname.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.8/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/hostname.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/hostname.te 2009-03-05 15:25:24.000000000 -0500 @@ -8,7 +8,9 @@ type hostname_t; 
@@ -25889,9 +23613,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol role system_r types hostname_t; ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.7/policy/modules/system/init.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.8/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/init.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/init.fc 2009-03-05 15:25:24.000000000 -0500 @@ -4,8 +4,7 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -25911,9 +23635,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /var # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.7/policy/modules/system/init.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.8/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/init.if 2009-03-03 18:32:00.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/init.if 2009-03-05 15:25:24.000000000 -0500 @@ -280,6 +280,27 @@ kernel_dontaudit_use_fds($1) ') 
@@ -26101,9 +23825,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 init_t:unix_dgram_socket sendto; + allow init_t $1:unix_dgram_socket sendto; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.7/policy/modules/system/init.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/init.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/init.te 2009-03-05 15:25:24.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -26389,9 +24113,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xserver_rw_xdm_home_files(daemon) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.7/policy/modules/system/ipsec.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.8/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/ipsec.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/ipsec.fc 2009-03-05 15:25:24.000000000 -0500 @@ -16,6 +16,8 @@ /usr/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) 
@@ -26409,9 +24133,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.7/policy/modules/system/ipsec.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.8/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/ipsec.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/ipsec.te 2009-03-05 15:25:24.000000000 -0500 @@ -55,11 +55,12 @@ allow ipsec_t self:capability { net_admin dac_override dac_read_search }; @@ -26528,17 +24252,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow setkey_t self:netlink_route_socket create_netlink_socket_perms; allow setkey_t ipsec_conf_file_t:dir list_dir_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.7/policy/modules/system/iptables.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.8/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/iptables.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/iptables.fc 2009-03-05 15:25:24.000000000 -0500 
@@ -6,3 +6,4 @@ /usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.7/policy/modules/system/iptables.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.8/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/iptables.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/iptables.te 2009-03-05 15:25:24.000000000 -0500 @@ -22,12 +22,12 @@ # Iptables local policy # @@ -26562,9 +24286,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(iptables_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.7/policy/modules/system/iscsi.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.8/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/iscsi.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/iscsi.te 2009-03-05 15:25:24.000000000 -0500 @@ -28,7 +28,7 @@ # iscsid local policy # 
@@ -26583,9 +24307,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_lock_filetrans(iscsid_t,iscsi_lock_t,file) allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.7/policy/modules/system/libraries.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.8/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/libraries.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/libraries.fc 2009-03-05 15:25:24.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -26765,9 +24489,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.7/policy/modules/system/libraries.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.8/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/libraries.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/libraries.te 2009-03-05 15:25:24.000000000 -0500 @@ -52,11 +52,11 @@ # ldconfig local policy # 
@@ -26824,9 +24548,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(ldconfig_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.7/policy/modules/system/locallogin.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.8/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/locallogin.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/locallogin.te 2009-03-05 15:25:24.000000000 -0500 @@ -67,6 +67,7 @@ dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) @@ -26901,9 +24625,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.7/policy/modules/system/logging.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.8/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/logging.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/logging.fc 2009-03-05 15:25:24.000000000 -0500 @@ -53,15 +53,18 @@ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) ') 
@@ -26927,9 +24651,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.7/policy/modules/system/logging.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.8/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/logging.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/logging.if 2009-03-05 15:25:24.000000000 -0500 @@ -623,7 +623,7 @@ ') @@ -26948,9 +24672,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.7/policy/modules/system/logging.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.8/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/logging.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/logging.te 2009-03-05 15:25:24.000000000 -0500 @@ -126,7 +126,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; 
@@ -27043,9 +24767,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.6.7/policy/modules/system/lvm.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.6.8/policy/modules/system/lvm.fc --- nsaserefpolicy/policy/modules/system/lvm.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/lvm.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/lvm.fc 2009-03-05 15:25:24.000000000 -0500 @@ -55,6 +55,7 @@ /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -27059,9 +24783,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.7/policy/modules/system/lvm.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.8/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/lvm.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/lvm.te 2009-03-05 15:25:24.000000000 -0500 @@ -10,6 +10,9 @@ type clvmd_exec_t; init_daemon_domain(clvmd_t,clvmd_exec_t) 
@@ -27268,9 +24992,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.7/policy/modules/system/miscfiles.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.8/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/miscfiles.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/miscfiles.fc 2009-03-05 15:25:24.000000000 -0500 @@ -35,6 +35,7 @@ /usr/lib(64)?/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -27279,9 +25003,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.7/policy/modules/system/miscfiles.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.8/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/miscfiles.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/miscfiles.if 2009-03-05 15:25:24.000000000 -0500 @@ -23,6 +23,45 @@ ######################################## 
@@ -27337,9 +25061,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit $1 fonts_t:file write; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.7/policy/modules/system/modutils.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.8/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/modutils.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/modutils.te 2009-03-05 15:25:24.000000000 -0500 @@ -42,7 +42,7 @@ # insmod local policy # @@ -27452,9 +25176,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ################################# -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.7/policy/modules/system/mount.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.8/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/mount.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/mount.fc 2009-03-05 15:25:24.000000000 -0500 @@ -1,4 +1,6 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) 
@@ -27463,9 +25187,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.7/policy/modules/system/mount.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.8/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/mount.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/mount.if 2009-03-05 15:25:24.000000000 -0500 @@ -43,9 +43,11 @@ mount_domtrans($1) @@ -27501,9 +25225,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 mount_t:process signal; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.7/policy/modules/system/mount.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.8/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/mount.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/mount.te 2009-03-05 15:25:24.000000000 -0500 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; 
@@ -27692,13 +25416,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -195,4 +228,26 @@ +@@ -194,5 +227,30 @@ + optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) ++ ++ rpc_domtrans_rpcd(unconfined_mount_t) ++ unconfined_domain(unconfined_mount_t) + optional_policy(` + hal_dbus_chat(unconfined_mount_t) -+ ') + ') +') + +######################################## @@ -27717,11 +25445,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hal_write_log(mount_t) + hal_use_fds(mount_t) + hal_rw_pipes(mount_t) - ') ++') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.7/policy/modules/system/raid.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.8/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/raid.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/raid.te 2009-03-05 15:25:24.000000000 -0500 @@ -39,6 +39,7 @@ dev_dontaudit_getattr_generic_files(mdadm_t) dev_dontaudit_getattr_generic_chr_files(mdadm_t) 
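Review bot: In the rewritten mount.te hunk (`@@ -194,5 +227,30 @@`), `rpc_domtrans_rpcd(unconfined_mount_t)` and `unconfined_domain(unconfined_mount_t)` are placed in the same optional_policy block as `files_etc_filetrans_etc_runtime(unconfined_mount_t,file)`, so the whole block is compiled only when every module it references (rpc and unconfined) is loaded; if either one is absent the other grant is silently dropped instead of being reported. Refpolicy convention is one optional_policy per referenced module, which is how the nested `hal_dbus_chat(unconfined_mount_t)` call on the same hunk is already handled, so each of the two new calls should get its own optional_policy wrapper. The second hunk on this line (`- ')` / `++')`) only re-balances the closing quote of the same block. The start of the optional_policy block is visible as context, but mount.te before line 194 is outside the hunk, so whether this type already received unconfined_domain elsewhere cannot be confirmed here.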
@@ -27730,9 +25458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.7/policy/modules/system/selinuxutil.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.8/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/selinuxutil.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/selinuxutil.fc 2009-03-05 15:25:24.000000000 -0500 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) @@ -27771,9 +25499,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.7/policy/modules/system/selinuxutil.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.8/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/selinuxutil.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/selinuxutil.if 2009-03-05 15:25:24.000000000 -0500 @@ -535,6 +535,53 @@ ######################################## 
@@ -28162,9 +25890,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + hotplug_use_fds($1) +') +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.7/policy/modules/system/selinuxutil.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.8/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/selinuxutil.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/selinuxutil.te 2009-03-05 15:25:24.000000000 -0500 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -28536,9 +26264,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.7/policy/modules/system/setrans.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.8/policy/modules/system/setrans.if --- nsaserefpolicy/policy/modules/system/setrans.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/setrans.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/setrans.if 2009-03-05 15:25:24.000000000 -0500 @@ -21,3 +21,23 @@ stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t) files_list_pids($1) 
@@ -28563,9 +26291,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + init_labeled_script_domtrans($1, setrans_initrc_exec_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.7/policy/modules/system/sysnetwork.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.8/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/sysnetwork.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/sysnetwork.fc 2009-03-05 15:25:24.000000000 -0500 @@ -11,8 +11,12 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -28594,9 +26322,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.7/policy/modules/system/sysnetwork.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.8/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/sysnetwork.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/sysnetwork.if 2009-03-05 15:25:24.000000000 -0500 @@ -43,6 +43,39 @@ sysnet_domtrans_dhcpc($1) 
@@ -28765,9 +26493,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + role_transition $1 dhcpc_exec_t system_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.7/policy/modules/system/sysnetwork.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.8/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/sysnetwork.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/sysnetwork.te 2009-03-05 15:25:24.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -28951,18 +26679,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_xen_state(ifconfig_t) kernel_write_xen_state(ifconfig_t) xen_append_log(ifconfig_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.7/policy/modules/system/udev.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.8/policy/modules/system/udev.fc --- nsaserefpolicy/policy/modules/system/udev.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/udev.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/udev.fc 2009-03-05 15:25:24.000000000 -0500 
@@ -17,3 +17,5 @@ /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) + +/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.7/policy/modules/system/udev.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.6.8/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/udev.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/udev.if 2009-03-05 15:25:24.000000000 -0500 @@ -96,6 +96,24 @@ ######################################## @@ -29016,9 +26744,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - allow $1 udev_tdb_t:file rw_file_perms; + allow $1 udev_tbl_t:file rw_file_perms; ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.7/policy/modules/system/udev.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.8/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-03-02 16:51:45.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/udev.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/udev.te 2009-03-05 15:25:24.000000000 -0500 @@ -55,6 +55,7 @@ can_exec(udev_t, udev_exec_t) 
@@ -29103,9 +26831,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` xserver_read_xdm_pid(udev_t) ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.7/policy/modules/system/unconfined.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.8/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.6.7/policy/modules/system/unconfined.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/unconfined.fc 2009-03-05 15:25:24.000000000 -0500 @@ -2,15 +2,28 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) @@ -29144,9 +26872,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.7/policy/modules/system/unconfined.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.8/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/unconfined.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/unconfined.if 2009-03-05 15:25:24.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` 
@@ -29424,9 +27152,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + allow $1 unconfined_r; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.7/policy/modules/system/unconfined.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.8/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/unconfined.te 2009-03-04 13:46:08.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/unconfined.te 2009-03-05 15:25:24.000000000 -0500 @@ -5,6 +5,35 @@ # # Declarations @@ -29771,9 +27499,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.7/policy/modules/system/userdomain.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.8/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/userdomain.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/userdomain.fc 2009-03-05 15:25:24.000000000 -0500 @@ -1,4 +1,7 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) 
@@ -29783,9 +27511,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.7/policy/modules/system/userdomain.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/userdomain.if 2009-03-04 13:47:45.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/userdomain.if 2009-03-05 15:25:24.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -31629,9 +29357,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 userdomain:key manage_key_perms; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.7/policy/modules/system/userdomain.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.8/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/userdomain.te 2009-03-04 13:46:42.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/userdomain.te 2009-03-05 15:25:24.000000000 -0500 @@ -8,13 +8,6 @@ ## 
@@ -31715,14 +29443,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_read_cifs_named_sockets(userhomereader) + fs_read_cifs_named_pipes(userhomereader) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.7/policy/modules/system/virtual.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.8/policy/modules/system/virtual.fc --- nsaserefpolicy/policy/modules/system/virtual.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/virtual.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/virtual.fc 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1 @@ +# No application file contexts. -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.7/policy/modules/system/virtual.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.8/policy/modules/system/virtual.if --- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/virtual.if 2009-03-03 17:46:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/virtual.if 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,99 @@ +## Virtual machine emulator and virtualizer + 
@@ -31823,9 +29551,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1, virtual_image_type, virtual_image_type) + rw_blk_files_pattern($1, virtual_image_type, virtual_image_type) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.7/policy/modules/system/virtual.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.8/policy/modules/system/virtual.te --- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/virtual.te 2009-03-03 17:13:55.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/virtual.te 2009-03-05 15:25:24.000000000 -0500 @@ -0,0 +1,78 @@ + +policy_module(virtualization, 1.1.2) @@ -31905,9 +29633,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_read_xdm_pid(virtualdomain) + xserver_rw_shm(virtualdomain) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.7/policy/modules/system/xen.fc +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.8/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/xen.fc 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/xen.fc 2009-03-05 15:25:24.000000000 -0500 @@ -2,17 +2,10 @@ /usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) 
@@ -31934,9 +29662,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.7/policy/modules/system/xen.if +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.8/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/xen.if 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/xen.if 2009-03-05 15:25:24.000000000 -0500 @@ -167,11 +167,14 @@ # interface(`xen_stream_connect',` @@ -31978,9 +29706,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 xend_var_lib_t:dir search_dir_perms; + rw_files_pattern($1, xen_image_t, xen_image_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.7/policy/modules/system/xen.te +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.8/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.7/policy/modules/system/xen.te 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/modules/system/xen.te 2009-03-05 15:25:24.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # 
@@ -32202,9 +29930,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + unconfined_domain(xend_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.7/policy/support/obj_perm_sets.spt +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.8/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.6.7/policy/support/obj_perm_sets.spt 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/support/obj_perm_sets.spt 2009-03-05 15:27:08.000000000 -0500 @@ -179,20 +179,20 @@ # # Directory (dir) 
@@ -32244,6 +29972,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') +@@ -252,13 +252,13 @@ + # + define(`getattr_sock_file_perms',`{ getattr }') + define(`setattr_sock_file_perms',`{ setattr }') +-define(`read_sock_file_perms',`{ getattr read }') +-define(`write_sock_file_perms',`{ getattr write append }') +-define(`rw_sock_file_perms',`{ getattr read write append }') +-define(`create_sock_file_perms',`{ getattr create }') ++define(`read_sock_file_perms',`{ getattr open read }') ++define(`write_sock_file_perms',`{ getattr write open append }') ++define(`rw_sock_file_perms',`{ getattr open read write append }') ++define(`create_sock_file_perms',`{ getattr create open }') + define(`rename_sock_file_perms',`{ getattr rename }') + define(`delete_sock_file_perms',`{ getattr unlink }') +-define(`manage_sock_file_perms',`{ create getattr setattr read write rename link unlink ioctl lock append }') ++define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }') + define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }') + define(`relabelto_sock_file_perms',`{ getattr relabelto }') + define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }') @@ -312,3 +312,13 @@ # define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') 
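Review bot: `open` is placed inconsistently across the rewritten sock_file sets: `write_sock_file_perms` becomes `{ getattr write open append }` while `read_`, `rw_`, `create_` and `manage_sock_file_perms` put `open` directly after `getattr` (or after `create`); `define(`write_sock_file_perms',`{ getattr open write append }')` would keep the five sets uniform and easier to grep. Because these macros are expanded by every domain that uses them, this single hunk widens the permission set on sock_file objects policy-wide, yet the spec changelog for this release only says "Upgrade to latest patches"; a one-line entry such as `- Add open permission to the sock_file permission sets` would make the widening visible to anyone auditing the installed policy.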
@@ -32258,9 +30005,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') + +define(`manage_key_perms', `{ create link read search setattr view write } ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.7/policy/users +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.8/policy/users --- nsaserefpolicy/policy/users 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.7/policy/users 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/policy/users 2009-03-05 15:25:24.000000000 -0500 @@ -25,11 +25,8 @@ # permit any access to such users, then remove this entry. # @@ -32285,9 +30032,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.7/Rules.modular +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.8/Rules.modular --- nsaserefpolicy/Rules.modular 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.7/Rules.modular 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/Rules.modular 2009-03-05 15:25:24.000000000 -0500 @@ -73,8 +73,8 @@ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te @echo "Compliling $(NAME) $(@F) module" 
@@ -32317,9 +30064,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.7/support/Makefile.devel +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.8/support/Makefile.devel --- nsaserefpolicy/support/Makefile.devel 2008-11-11 16:13:50.000000000 -0500 -+++ serefpolicy-3.6.7/support/Makefile.devel 2009-03-03 17:11:59.000000000 -0500 ++++ serefpolicy-3.6.8/support/Makefile.devel 2009-03-05 15:25:24.000000000 -0500 @@ -185,8 +185,7 @@ tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" diff --git a/selinux-policy.spec b/selinux-policy.spec index 12f2f7d..1fc09fa 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,8 +19,8 @@ %define CHECKPOLICYVER 2.0.16-3 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.6.7 -Release: 2%{?dist} +Version: 3.6.8 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -186,7 +186,7 @@ fi; %description SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 2913. +Based off of reference policy: Checked out revision 2920. %build @@ -319,7 +319,7 @@ if [ $1 -eq 1 ]; then #__eof restorecon -R /root /var/log /var/run 2> /dev/null else -semodule -n -s targeted -r moilscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null +semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null %loadpolicy targeted %relabel targeted fi 
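Review bot: The new `-r mailscanner` is added beside the existing `-r moilscanner`, which reads as a misspelling of the same module name and is left in place. If this semodule treats removal of an unknown module as an error and abandons the remaining operations, the upgrade path would skip removing mailscanner (and gamin, audio_entropy, iscsid) while `2>/dev/null` hides the failure; that is worth checking against the shipped semodule, and the safer edit is to replace the typo rather than add to it: `semodule -n -s targeted -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null`. The `%post targeted` scriptlet this line belongs to starts before the hunk.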
@@ -432,6 +432,7 @@ SELinux Reference policy mls base module. %saveFileContext mls %post mls +semodule -n -s mls -r mailscanner 2>/dev/null %loadpolicy mls if [ $1 != 1 ]; then @@ -446,6 +447,9 @@ exit 0 %endif %changelog +* Thu Mar 4 2009 Dan Walsh 3.6.8-1 +- Upgrade to latest patches + * Wed Mar 4 2009 Dan Walsh 3.6.7-2 - Fixes for libvirt diff --git a/sources b/sources index 9e7f86c..ea29897 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -1ba196a49315403311352d577c40fced serefpolicy-3.6.7.tgz +d68d01d807cbfcdf83ace30919af3172 serefpolicy-3.6.8.tgz
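Review bot: `semodule -n -s mls -r mailscanner 2>/dev/null` is added unconditionally to `%post mls`, so it also runs on a first install (`$1 -eq 1`) where there is no module to remove, whereas the targeted scriptlet in the previous hunk performs its removals only in the upgrade branch. The redirect hides the resulting error, but the two scriptlets now handle the same module differently; guarding it the same way, e.g. `if [ $1 -ne 1 ]; then semodule -n -s mls -r mailscanner 2>/dev/null; fi`, keeps them consistent and still runs before `%loadpolicy mls`. The `%post mls` body continues past the end of the hunk.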
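Review bot: The new changelog entry is dated `Thu Mar 4 2009` while the entry directly below it, for 3.6.7-2, is dated `Wed Mar 4 2009`, so one of the two weekday/day pairs is wrong and rpmbuild will flag the bogus date. The patch headers in this commit carry 2009-03-05 timestamps, which suggests the intended line is `* Thu Mar 5 2009 Dan Walsh 3.6.8-1`.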