diff --git a/.cvsignore b/.cvsignore index ef4def8..1cdef7f 100644 --- a/.cvsignore +++ b/.cvsignore @@ -201,3 +201,8 @@ serefpolicy-3.7.7.tgz serefpolicy-3.7.8.tgz setroubleshoot-2.2.58.tar.gz serefpolicy-3.7.9.tgz +serefpolicy-3.7.11.tgz +serefpolicy-3.7.12.tgz +serefpolicy-3.7.13.tgz +serefpolicy-3.7.14.tgz +serefpolicy-3.7.15.tgz diff --git a/booleans-targeted.conf b/booleans-targeted.conf index ed1af2d..da42381 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -258,3 +258,11 @@ init_upstart = true # Allow mount to mount any file/dir # allow_mount_anyfile = true + +# Allow confined domains to communicate with ncsd via shared memory +# +nscd_use_shm = true + +# Allow fenced domain to connect to the network using TCP. +# +fenced_can_network_connect=false diff --git a/modules-minimum.conf b/modules-minimum.conf index 95a5e3f..117ca3f 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -32,6 +32,13 @@ alsa = base # ada = module +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + # Layer: apps # Module: cpufreqselector # @@ -160,6 +167,13 @@ automount = module avahi = module # Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: services # Module: bind # # Berkeley internet name domain DNS server. @@ -819,7 +833,6 @@ ktalk = module # kudzu = base - # Layer: services # Module: ldap # @@ -827,6 +840,13 @@ kudzu = base # ldap = module +# Layer: services +# Module: likewise +# +# Likewise Active Directory support for UNIX +# +likewise = module + # Layer: system # Module: libraries # @@ -1454,7 +1474,14 @@ seunshare = module # shorewall = base -# Layer: apps +# Layer: admin +# Module: shutdown +# +# Policy for shutdown +# +shutdown = module + +# Layer: admin # Module: sectoolm # # Policy for sectool-mechanism @@ -1497,10 +1524,17 @@ slocate = module # smartmon = module +# Layer: services +# Module: smokeping +# +# Latency Logging and Graphing System +# +smokeping = module + # Layer: admin # Module: smoltclient # -# The Fedora hardware profiler client +#The Fedora hardware profiler client # smoltclient = module @@ -1956,6 +1990,13 @@ munin = module # bitlbee = module +# Layer: system +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + # Layer: services # Module: soundserver # diff --git a/modules-mls.conf b/modules-mls.conf index bb5cb43..236334f 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -33,11 +33,11 @@ alsa = base ada = module # Layer: services -# Module: cgroup +# Module: cachefilesd # -# Tools and libraries to control and monitor control groups +# CacheFiles userspace management daemon # -cgroup = module +cachefilesd = module # Layer: apps # Module: cpufreqselector @@ -46,6 +46,13 @@ cgroup = module # cpufreqselector = module +# Layer: apps +# Module: chrome +# +# chrome sandbox +# +chrome = module + # Layer: modules # Module: awstats # @@ -139,6 +146,13 @@ automount = module avahi = module # Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: services # Module: bind # # Berkeley internet name domain DNS server. @@ -219,13 +233,20 @@ certwatch = module certmaster = module # Layer: services +# Module: certmonger +# +# Certificate status monitor and PKI enrollment client +# +certmonger = module + +# Layer: services # Module: chronyd # # Daemon for maintaining clock time # chronyd = module -# Layer: services +q# Layer: services # Module: cipe # # Encrypted tunnel daemon @@ -433,12 +454,26 @@ domain = base # dovecot = module +# Layer: services +# Module: git +# +# Policy for the stupid content tracker +# +git = module + +# Layer: apps +# Module: gitosis +# +# Policy for gitosis +# +gitosis = module + # Layer: apps # Module: gpg # # Policy for GNU Privacy Guard and related programs. # -gpg = off +gpg = module # Layer: services # Module: gpsd @@ -507,6 +542,20 @@ finger = module # firstboot = base +# Layer: apps +# Module: firewallgui +# +# policy for system-config-firewall +# +firewallgui = module + +# Layer: services +# Module: fprintd +# +# finger print server +# +fprintd = module + # Layer: system # Module: fstools # @@ -570,6 +619,13 @@ plymouthd = module # policykit = module +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + # Layer: services # Module: psad # @@ -693,6 +749,13 @@ kdump = module kdumpgui = module # Layer: services +# Module: ksmtuned +# +# Kernel Samepage Merging (KSM) Tuning Daemon +# +ksmtuned = module + +# Layer: services # Module: kerberos # # MIT Kerberos admin and KDC @@ -802,7 +865,7 @@ lvm = base # Layer: admin # Module: mcelog # -# Policy for mcelog. +# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines. # mcelog = base @@ -871,6 +934,20 @@ mount = base # mozilla = module +# Layer: services +# Module: ntop +# +# Policy for ntop +# +ntop = module + +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + # Layer: apps # Module: nsplugin # @@ -1143,6 +1220,13 @@ razor = module readahead = base # Layer: services +# Module: rgmanager +# +# Red Hat Resource Group Manager +# +rgmanager = module + +# Layer: services # Module: rhgb # # X windows login display manager @@ -1214,6 +1298,13 @@ rshd = module rsync = module # Layer: services +# Module: rtkit +# +# Real Time Kit Daemon +# +rtkit = module + +# Layer: services # Module: rwho # # who is logged in on local machines @@ -1234,6 +1325,13 @@ sasl = module # sendmail = base +# Layer: apps +# Module: seunshare +# +# seunshare executable +# +seunshare = module + # Layer: services # Module: samba # @@ -1244,6 +1342,13 @@ sendmail = base samba = module # Layer: apps +# Module: sandbox +# +# Experimental policy for running apps within a sandbox +# +sandbox = module + +# Layer: apps # Module: sambagui # # policy for system-config-samba @@ -1527,6 +1632,13 @@ timidity = off tftp = module # Layer: services +# Module: tuned +# +# Dynamic adaptive system tuning daemon +# +tuned = module + +# Layer: services # Module: uucp # # Unix to Unix Copy @@ -1711,6 +1823,13 @@ munin = module # bitlbee = module +# Layer: system +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + # Layer: services # Module: soundserver # @@ -1903,3 +2022,9 @@ rhcs = module # shorewall = base +# Layer: admin +# Module: shutdown +# +# Policy for shutdown +# +shutdown = module diff --git a/modules-targeted.conf b/modules-targeted.conf index 95a5e3f..117ca3f 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -32,6 +32,13 @@ alsa = base # ada = module +# Layer: services +# Module: cachefilesd +# +# CacheFiles userspace management daemon +# +cachefilesd = module + # Layer: apps # Module: cpufreqselector # @@ -160,6 +167,13 @@ automount = module avahi = module # Layer: services +# Module: boinc +# +# Berkeley Open Infrastructure for Network Computing +# +boinc = module + +# Layer: services # Module: bind # # Berkeley internet name domain DNS server. @@ -819,7 +833,6 @@ ktalk = module # kudzu = base - # Layer: services # Module: ldap # @@ -827,6 +840,13 @@ kudzu = base # ldap = module +# Layer: services +# Module: likewise +# +# Likewise Active Directory support for UNIX +# +likewise = module + # Layer: system # Module: libraries # @@ -1454,7 +1474,14 @@ seunshare = module # shorewall = base -# Layer: apps +# Layer: admin +# Module: shutdown +# +# Policy for shutdown +# +shutdown = module + +# Layer: admin # Module: sectoolm # # Policy for sectool-mechanism @@ -1497,10 +1524,17 @@ slocate = module # smartmon = module +# Layer: services +# Module: smokeping +# +# Latency Logging and Graphing System +# +smokeping = module + # Layer: admin # Module: smoltclient # -# The Fedora hardware profiler client +#The Fedora hardware profiler client # smoltclient = module @@ -1956,6 +1990,13 @@ munin = module # bitlbee = module +# Layer: system +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + # Layer: services # Module: soundserver # diff --git a/nsadiff b/nsadiff index 6cc0190..115cf3c 100755 --- a/nsadiff +++ b/nsadiff @@ -1 +1 @@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.9 > /tmp/diff +diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.15 > /tmp/diff diff --git a/policy-F13.patch b/policy-F13.patch index 2f5d1d0..5f9b2f0 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1,16 +1,6 @@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.7.9/Changelog ---- nsaserefpolicy/Changelog 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.9/Changelog 2010-02-16 15:08:37.000000000 -0500 -@@ -1,6 +1,5 @@ - - X object manager revisions from Eamon Walsh. - - Added modules: -- chronyd (Miroslav Grepl) - cobbler (Dominick Grift) - dbadm (KaiGai Kohei) - nut (Stefan Schulze Frielinghaus, Miroslav Grepl) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.9/Makefile +diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.15/Makefile --- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.9/Makefile 2010-02-16 15:36:04.000000000 -0500 ++++ serefpolicy-3.7.15/Makefile 2010-03-18 10:44:42.000000000 -0400 @@ -244,7 +244,7 @@ appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) @@ -20,9 +10,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.9/M net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.9/policy/global_tunables +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.15/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.9/policy/global_tunables 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/global_tunables 2010-03-18 10:44:42.000000000 -0400 @@ -61,15 +61,6 @@ ## @@ -58,51 +48,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +## +gen_tunable(mmap_low_allowed, false) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.9/policy/modules/admin/alsa.if ---- nsaserefpolicy/policy/modules/admin/alsa.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/alsa.if 2010-02-16 15:08:37.000000000 -0500 -@@ -76,6 +76,26 @@ - - ######################################## - ## -+## Manage alsa writable config files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`alsa_manage_rw_config',` -+ gen_require(` -+ type alsa_etc_rw_t; -+ ') -+ -+ allow $1 alsa_etc_rw_t:dir list_dir_perms; -+ manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) -+ read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) -+') -+ -+######################################## -+## - ## Read alsa lib files. - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.9/policy/modules/admin/alsa.te ---- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/alsa.te 2010-02-16 15:08:37.000000000 -0500 -@@ -51,6 +51,8 @@ - files_read_etc_files(alsa_t) - files_read_usr_files(alsa_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.15/policy/modules/admin/acct.te +--- nsaserefpolicy/policy/modules/admin/acct.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/admin/acct.te 2010-03-18 10:44:42.000000000 -0400 +@@ -43,6 +43,7 @@ + fs_getattr_xattr_fs(acct_t) -+term_dontaudit_use_console(alsa_t) -+ - auth_use_nsswitch(alsa_t) + term_dontaudit_use_console(acct_t) ++term_dontaudit_use_generic_ptys(acct_t) - init_use_fds(alsa_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.9/policy/modules/admin/anaconda.te + corecmd_exec_bin(acct_t) + corecmd_exec_shell(acct_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.15/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/anaconda.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/anaconda.te 2010-03-18 10:44:42.000000000 -0400 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) @@ -120,21 +79,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.9/policy/modules/admin/brctl.te ---- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/brctl.te 2010-02-16 15:08:37.000000000 -0500 -@@ -21,7 +21,7 @@ - allow brctl_t self:unix_dgram_socket create_socket_perms; - allow brctl_t self:tcp_socket create_socket_perms; - --kernel_load_module(brctl_t) -+kernel_request_load_module(brctl_t) - kernel_read_network_state(brctl_t) - kernel_read_sysctl(brctl_t) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.9/policy/modules/admin/certwatch.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.15/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/certwatch.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/certwatch.te 2010-03-18 10:44:42.000000000 -0400 @@ -36,7 +36,7 @@ miscfiles_read_localization(certwatch_t) @@ -144,9 +91,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat optional_policy(` apache_exec_modules(certwatch_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.9/policy/modules/admin/consoletype.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.15/policy/modules/admin/consoletype.if +--- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/admin/consoletype.if 2010-03-18 10:44:42.000000000 -0400 +@@ -19,6 +19,9 @@ + + corecmd_search_bin($1) + domtrans_pattern($1, consoletype_exec_t, consoletype_t) ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit consoletype_t $1:socket_class_set { read write }; ++ ') + ') + + ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.15/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/consoletype.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/consoletype.te 2010-03-18 10:44:42.000000000 -0400 @@ -10,7 +10,6 @@ type consoletype_exec_t; application_executable_file(consoletype_exec_t) @@ -155,67 +115,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console role system_r types consoletype_t; ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.9/policy/modules/admin/dmesg.te ---- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/dmesg.te 2010-02-16 15:08:37.000000000 -0500 -@@ -9,6 +9,7 @@ - type dmesg_t; - type dmesg_exec_t; - init_system_domain(dmesg_t, dmesg_exec_t) -+cron_system_entry(dmesg_t, dmesg_exec_t) - - ######################################## - # -@@ -20,12 +21,16 @@ - - allow dmesg_t self:process signal_perms; - -+kernel_read_system_state(dmesg_t) - kernel_read_kernel_sysctls(dmesg_t) - kernel_read_ring_buffer(dmesg_t) - kernel_clear_ring_buffer(dmesg_t) - kernel_change_ring_buffer_level(dmesg_t) - kernel_list_proc(dmesg_t) - kernel_read_proc_symlinks(dmesg_t) -+dev_read_kmsg(dmesg_t) -+ -+mls_process_read_all_levels(dmesg_t) - - dev_read_sysfs(dmesg_t) - -@@ -35,7 +40,7 @@ - - domain_use_interactive_fds(dmesg_t) - --files_list_etc(dmesg_t) -+files_read_etc_files(dmesg_t) - # for when /usr is not mounted: - files_dontaudit_search_isid_type_dirs(dmesg_t) - -@@ -57,3 +62,6 @@ - optional_policy(` - udev_read_db(dmesg_t) - ') -+ -+#mcelog needs -+dev_read_raw_memory(dmesg_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.9/policy/modules/admin/firstboot.te ---- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/firstboot.te 2010-02-16 15:08:37.000000000 -0500 -@@ -91,8 +91,12 @@ - userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) - - optional_policy(` -+ dbus_system_bus_client(firstboot_t) -+ -+ optional_policy(` - hal_dbus_chat(firstboot_t) - ') -+') - - optional_policy(` - nis_use_ypbind(firstboot_t) -@@ -105,7 +109,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.15/policy/modules/admin/firstboot.te +--- nsaserefpolicy/policy/modules/admin/firstboot.te 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/admin/firstboot.te 2010-03-18 10:44:42.000000000 -0400 +@@ -109,7 +109,7 @@ optional_policy(` unconfined_domtrans(firstboot_t) # The big hammer @@ -224,9 +127,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.9/policy/modules/admin/kismet.te ---- nsaserefpolicy/policy/modules/admin/kismet.te 2009-11-25 15:15:48.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/kismet.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.15/policy/modules/admin/kismet.te +--- nsaserefpolicy/policy/modules/admin/kismet.te 2010-03-09 15:39:06.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/kismet.te 2010-03-18 10:44:42.000000000 -0400 @@ -45,6 +45,7 @@ manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) @@ -235,27 +138,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir }) manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) -@@ -53,7 +54,8 @@ - - manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) - manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) --files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir }) -+manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) -+files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file }) - - manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) - manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) -@@ -69,6 +71,7 @@ - - kernel_search_debugfs(kismet_t) - kernel_read_system_state(kismet_t) -+kernel_read_network_state(kismet_t) - - corecmd_exec_bin(kismet_t) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.9/policy/modules/admin/logrotate.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.15/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/logrotate.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/logrotate.te 2010-03-18 10:44:42.000000000 -0400 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -273,7 +158,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota kernel_read_system_state(logrotate_t) kernel_read_kernel_sysctls(logrotate_t) -@@ -116,8 +117,9 @@ +@@ -108,6 +109,7 @@ + + logging_manage_all_logs(logrotate_t) + logging_send_syslog_msg(logrotate_t) ++logging_send_audit_msgs(logrotate_t) + # cjp: why is this needed? + logging_exec_all_logs(logrotate_t) + +@@ -116,8 +118,9 @@ seutil_dontaudit_read_config(logrotate_t) userdom_use_user_terminals(logrotate_t) @@ -284,7 +177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) -@@ -137,6 +139,10 @@ +@@ -137,6 +140,10 @@ ') optional_policy(` @@ -295,13 +188,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota acct_domtrans(logrotate_t) acct_manage_data(logrotate_t) acct_exec_data(logrotate_t) -@@ -149,6 +155,16 @@ +@@ -149,6 +156,14 @@ ') optional_policy(` -+ asterisk_exec(logrotate_t) -+ asterisk_stream_connect(logrotate_t) -+ asterisk_manage_lib_files(logrotate_t) ++ asterisk_domtrans(logrotate_t) +') + +optional_policy(` @@ -312,7 +203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota consoletype_exec(logrotate_t) ') -@@ -157,11 +173,15 @@ +@@ -157,11 +172,15 @@ ') optional_policy(` @@ -329,7 +220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota ') optional_policy(` -@@ -183,6 +203,15 @@ +@@ -183,6 +202,15 @@ ') optional_policy(` @@ -345,99 +236,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota slrnpull_manage_spool(logrotate_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.9/policy/modules/admin/logwatch.te ---- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/logwatch.te 2010-02-16 15:08:37.000000000 -0500 -@@ -93,6 +93,13 @@ - sysnet_exec_ifconfig(logwatch_t) - - userdom_dontaudit_search_user_home_dirs(logwatch_t) -+tunable_policy(`use_nfs_home_dirs',` -+ fs_list_nfs(logwatch_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_list_cifs(logwatch_t) -+') - - mta_send_mail(logwatch_t) - -@@ -136,4 +143,5 @@ +@@ -191,5 +219,9 @@ + ') optional_policy(` - samba_read_log(logwatch_t) -+ samba_read_share_files(logwatch_t) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.9/policy/modules/admin/mcelog.fc ---- nsaserefpolicy/policy/modules/admin/mcelog.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/mcelog.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,2 @@ -+ -+/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.9/policy/modules/admin/mcelog.if ---- nsaserefpolicy/policy/modules/admin/mcelog.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/mcelog.if 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,21 @@ -+ -+## policy for mcelog -+ -+######################################## -+## -+## Execute a domain transition to run mcelog. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`mcelog_domtrans',` -+ gen_require(` -+ type mcelog_t, mcelog_exec_t; -+ ') -+ -+ domtrans_pattern($1, mcelog_exec_t, mcelog_t) ++ su_exec(logrotate_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.9/policy/modules/admin/mcelog.te ---- nsaserefpolicy/policy/modules/admin/mcelog.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/mcelog.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,32 @@ -+ -+policy_module(mcelog,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type mcelog_t; -+type mcelog_exec_t; -+application_domain(mcelog_t, mcelog_exec_t) -+cron_system_entry(mcelog_t, mcelog_exec_t) -+ -+permissive mcelog_t; -+ -+######################################## -+# -+# mcelog local policy -+# -+ -+allow mcelog_t self:capability sys_admin; -+ -+kernel_read_system_state(mcelog_t) -+ -+dev_read_raw_memory(mcelog_t) -+dev_read_kmsg(mcelog_t) -+ -+files_read_etc_files(mcelog_t) -+ -+miscfiles_read_localization(mcelog_t) -+ -+logging_send_syslog_msg(mcelog_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.9/policy/modules/admin/mrtg.te ++optional_policy(` + varnishd_manage_log(logrotate_t) + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.15/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/mrtg.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/mrtg.te 2010-03-18 10:44:42.000000000 -0400 @@ -116,6 +116,7 @@ userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) @@ -446,9 +257,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te netutils_domtrans_ping(mrtg_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.9/policy/modules/admin/netutils.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.15/policy/modules/admin/netutils.fc +--- nsaserefpolicy/policy/modules/admin/netutils.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/admin/netutils.fc 2010-03-18 10:44:42.000000000 -0400 +@@ -9,6 +9,7 @@ + /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) + /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) + ++/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0) + /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) + /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) + /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.15/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/netutils.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/netutils.te 2010-03-18 10:44:42.000000000 -0400 @@ -44,6 +44,7 @@ allow netutils_t self:packet_socket create_socket_perms; allow netutils_t self:udp_socket create_socket_perms; @@ -465,7 +287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil userdom_use_user_terminals(netutils_t) userdom_use_all_users_fds(netutils_t) -@@ -146,6 +148,13 @@ +@@ -146,11 +148,22 @@ ') ') @@ -479,7 +301,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil optional_policy(` munin_append_log(ping_t) ') -@@ -211,3 +220,10 @@ + + optional_policy(` ++ nagios_rw_inerited_tmp_files(ping_t) ++') ++ ++optional_policy(` + pcmcia_use_cardmgr_fds(ping_t) + ') + +@@ -211,3 +224,10 @@ dev_read_rand(traceroute_t) dev_read_urand(traceroute_t) files_read_usr_files(traceroute_t) @@ -490,29 +321,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil + term_use_all_ttys(traceroute_t) + term_use_all_ptys(traceroute_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.7.9/policy/modules/admin/portage.te ---- nsaserefpolicy/policy/modules/admin/portage.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/portage.te 2010-02-16 15:08:37.000000000 -0500 -@@ -196,7 +196,7 @@ - # - for rsync and distfile fetching - # - --allow portage_fetch_t self:capability { dac_override fowner fsetid }; -+allow portage_fetch_t self:capability { dac_override fowner fsetid sys_nice }; - allow portage_fetch_t self:process signal; - allow portage_fetch_t self:unix_stream_socket create_socket_perms; - allow portage_fetch_t self:tcp_socket create_stream_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.9/policy/modules/admin/prelink.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.15/policy/modules/admin/prelink.fc --- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/prelink.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/prelink.fc 2010-03-18 10:44:42.000000000 -0400 @@ -1,3 +1,4 @@ +/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) /etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.9/policy/modules/admin/prelink.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.15/policy/modules/admin/prelink.if --- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/prelink.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/prelink.if 2010-03-18 10:44:42.000000000 -0400 @@ -21,6 +21,25 @@ ######################################## @@ -553,9 +372,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink - relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) + relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.9/policy/modules/admin/prelink.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.15/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/prelink.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/prelink.te 2010-03-18 10:44:42.000000000 -0400 @@ -21,8 +21,21 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -620,7 +439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink optional_policy(` amanda_manage_lib(prelink_t) -@@ -99,5 +118,58 @@ +@@ -99,5 +118,59 @@ ') optional_policy(` @@ -661,7 +480,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +files_read_etc_files(prelink_cron_system_t) + +files_search_var_lib(prelink_cron_system_t) -+files_search_var_log(prelink_cron_system_t) + +init_chat(prelink_cron_system_t) +init_exec(prelink_cron_system_t) @@ -670,6 +488,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink + +libs_exec_ld_so(prelink_cron_system_t) + ++logging_search_logs(prelink_cron_system_t) ++ +miscfiles_read_localization(prelink_cron_system_t) + +optional_policy(` @@ -679,9 +499,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +optional_policy(` + rpm_read_db(prelink_cron_system_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.9/policy/modules/admin/quota.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.15/policy/modules/admin/quota.te --- nsaserefpolicy/policy/modules/admin/quota.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/quota.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/quota.te 2010-03-18 10:44:42.000000000 -0400 @@ -39,6 +39,7 @@ kernel_list_proc(quota_t) kernel_read_proc_symlinks(quota_t) @@ -690,9 +510,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.t dev_read_sysfs(quota_t) dev_getattr_all_blk_files(quota_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.9/policy/modules/admin/readahead.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.15/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/readahead.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/readahead.te 2010-03-18 10:44:42.000000000 -0400 @@ -52,6 +52,7 @@ files_list_non_security(readahead_t) @@ -710,9 +530,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) fs_dontaudit_search_ramfs(readahead_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.9/policy/modules/admin/rpm.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.15/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/rpm.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/rpm.fc 2010-03-18 10:44:42.000000000 -0400 @@ -1,18 +1,19 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -763,9 +583,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc # SuSE ifdef(`distro_suse', ` /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.9/policy/modules/admin/rpm.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.15/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/rpm.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/rpm.if 2010-03-18 10:44:42.000000000 -0400 @@ -13,11 +13,36 @@ interface(`rpm_domtrans',` gen_require(` @@ -951,7 +771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ## Inherit and use file descriptors from RPM scripts. ## ## -@@ -219,7 +364,51 @@ +@@ -219,7 +364,71 @@ ') files_search_tmp($1) @@ -960,6 +780,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) +') + ++##################################### ++## ++## Allow the specified domain to append ++## to rpm tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_append_tmp',` ++ gen_require(` ++ type rpm_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) ++') ++ +######################################## +## +## Create, read, write, and delete RPM @@ -1003,7 +843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -241,6 +430,25 @@ +@@ -241,6 +450,25 @@ allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -1029,7 +869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -265,6 +473,48 @@ +@@ -265,6 +493,48 @@ ######################################## ## @@ -1078,7 +918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ## Do not audit attempts to create, read, ## write, and delete the RPM package database. ## -@@ -283,3 +533,120 @@ +@@ -283,3 +553,120 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1190,7 +1030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if +## +## +# -+interface(`rpm_inerited_fifo',` ++interface(`rpm_inherited_fifo',` + gen_require(` + attribute rpm_transition_domain; + ') @@ -1199,21 +1039,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.9/policy/modules/admin/rpm.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.15/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/rpm.te 2010-02-16 15:08:37.000000000 -0500 -@@ -14,6 +14,10 @@ - domain_system_change_exemption(rpm_t) - domain_interactive_fd(rpm_t) - role system_r types rpm_t; ++++ serefpolicy-3.7.15/policy/modules/admin/rpm.te 2010-03-18 10:44:42.000000000 -0400 +@@ -1,6 +1,8 @@ + + policy_module(rpm, 1.10.0) + +attribute rpm_transition_domain; + + ######################################## + # + # Declarations +@@ -15,6 +17,9 @@ + domain_interactive_fd(rpm_t) + role system_r types rpm_t; + +type debuginfo_exec_t; +domain_entry_file(rpm_t, debuginfo_exec_t) - ++ type rpm_file_t; files_type(rpm_file_t) -@@ -31,11 +35,18 @@ + +@@ -31,11 +36,18 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; @@ -1232,7 +1080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te domain_type(rpm_script_t) domain_entry_file(rpm_t, rpm_script_exec_t) domain_interactive_fd(rpm_script_t) -@@ -52,8 +63,9 @@ +@@ -52,8 +64,9 @@ # rpm Local policy # @@ -1244,7 +1092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; allow rpm_t self:fifo_file rw_fifo_file_perms; -@@ -68,6 +80,8 @@ +@@ -68,6 +81,8 @@ allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; allow rpm_t self:msg { send receive }; @@ -1253,7 +1101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -83,12 +97,21 @@ +@@ -83,12 +98,21 @@ manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -1275,7 +1123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te corecmd_exec_all_executables(rpm_t) -@@ -108,12 +131,15 @@ +@@ -108,12 +132,15 @@ dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) @@ -1292,7 +1140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te fs_search_auto_mountpoints(rpm_t) mls_file_read_all_levels(rpm_t) -@@ -132,6 +158,8 @@ +@@ -132,6 +159,8 @@ # for installing kernel packages storage_raw_read_fixed_disk(rpm_t) @@ -1301,7 +1149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) auth_dontaudit_read_shadow(rpm_t) -@@ -155,6 +183,7 @@ +@@ -155,6 +184,7 @@ files_exec_etc_files(rpm_t) init_domtrans_script(rpm_t) @@ -1309,7 +1157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -174,7 +203,19 @@ +@@ -174,7 +204,19 @@ ') optional_policy(` @@ -1330,7 +1178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') optional_policy(` -@@ -182,36 +223,19 @@ +@@ -182,36 +224,19 @@ ') optional_policy(` @@ -1371,7 +1219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -222,12 +246,15 @@ +@@ -222,12 +247,15 @@ allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; @@ -1387,7 +1235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -239,6 +266,9 @@ +@@ -239,6 +267,9 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) @@ -1397,7 +1245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te dev_list_sysfs(rpm_script_t) -@@ -254,7 +284,9 @@ +@@ -254,7 +285,9 @@ fs_getattr_xattr_fs(rpm_script_t) fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) @@ -1407,7 +1255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te mcs_killall(rpm_script_t) mcs_ptrace_all(rpm_script_t) -@@ -272,14 +304,19 @@ +@@ -272,14 +305,19 @@ storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) @@ -1427,7 +1275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -291,8 +328,10 @@ +@@ -291,8 +329,10 @@ files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) files_exec_usr_files(rpm_script_t) @@ -1438,7 +1286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te libs_exec_ld_so(rpm_script_t) libs_exec_lib_files(rpm_script_t) -@@ -308,12 +347,15 @@ +@@ -308,12 +348,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1454,7 +1302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') ') -@@ -326,13 +368,22 @@ +@@ -326,13 +369,22 @@ ') optional_policy(` @@ -1478,192 +1326,223 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te optional_policy(` java_domtrans_unconfined(rpm_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.9/policy/modules/admin/shorewall.fc ---- nsaserefpolicy/policy/modules/admin/shorewall.fc 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/shorewall.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -4,8 +4,11 @@ - /etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) - /etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.15/policy/modules/admin/shorewall.te +--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-03-08 14:49:44.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/shorewall.te 2010-03-18 10:44:42.000000000 -0400 +@@ -87,7 +87,7 @@ --/sbin/shorewall -- gen_context(system_u:object_r:shorewall_exec_t,s0) -+/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) - /sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) + sysnet_domtrans_ifconfig(shorewall_t) - /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) -+/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) - /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) -+ -+/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.9/policy/modules/admin/shorewall.if ---- nsaserefpolicy/policy/modules/admin/shorewall.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/shorewall.if 2010-02-16 15:08:37.000000000 -0500 -@@ -75,6 +75,46 @@ - rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) - ') +-userdom_dontaudit_list_user_home_dirs(shorewall_t) ++userdom_dontaudit_list_admin_dir(shorewall_t) -+###################################### + optional_policy(` + iptables_domtrans(shorewall_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.7.15/policy/modules/admin/shutdown.fc +--- nsaserefpolicy/policy/modules/admin/shutdown.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/shutdown.fc 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,5 @@ ++/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0) ++ ++/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) ++ ++/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.7.15/policy/modules/admin/shutdown.if +--- nsaserefpolicy/policy/modules/admin/shutdown.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/shutdown.if 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,118 @@ ++ ++## policy for shutdown ++ ++######################################## +## -+## Read shorewall /var/lib files. ++## Execute a domain transition to run shutdown. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed to transition. ++## +## +# -+interface(`shorewall_read_var_lib',` -+ gen_require(` -+ type shorewall_t; -+ ') ++interface(`shutdown_domtrans',` ++ gen_require(` ++ type shutdown_t, shutdown_exec_t; ++ ') + -+ files_search_var_lib($1) -+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -+ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++ domtrans_pattern($1, shutdown_exec_t, shutdown_t) ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit shutdown_t $1:socket_class_set { read write }; ++ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms; ++ ') +') + -+####################################### ++ ++######################################## +## -+## Read and write shorewall /var/lib files. ++## Execute shutdown in the shutdown domain, and ++## allow the specified role the shutdown domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the shutdown domain. ++## +## +# -+interface(`shorewall_rw_var_lib',` -+ gen_require(` -+ type shorewall_t; -+ ') ++interface(`shutdown_run',` ++ gen_require(` ++ type shutdown_t; ++ ') + -+ files_search_var_lib($1) -+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) -+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++ shutdown_domtrans($1) ++ role $2 types shutdown_t; +') + - ####################################### - ## - ## All of the rules required to administrate -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.9/policy/modules/admin/shorewall.te ---- nsaserefpolicy/policy/modules/admin/shorewall.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/shorewall.te 2010-02-16 15:08:37.000000000 -0500 -@@ -29,6 +29,9 @@ - type shorewall_var_lib_t; - files_type(shorewall_var_lib_t) - -+type shorewall_log_t; -+logging_log_file(shorewall_log_t) ++######################################## ++## ++## Role access for shutdown ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`shutdown_role',` ++ gen_require(` ++ type shutdown_t; ++ ') + - ######################################## - # - # shorewall local policy -@@ -49,6 +52,10 @@ - manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) - files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) - -+manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -+manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -+logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) ++ role $1 types shutdown_t; + - manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) - manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) - files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir }) -@@ -80,6 +87,8 @@ - - sysnet_domtrans_ifconfig(shorewall_t) - -+userdom_dontaudit_list_admin_dir(shorewall_t) ++ shutdown_domtrans($2) + - optional_policy(` - iptables_domtrans(shorewall_t) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.9/policy/modules/admin/smoltclient.fc ---- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/smoltclient.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,4 @@ ++ ps_process_pattern($2, shutdown_t) ++ allow $2 shutdown_t:process signal; ++') + -+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) ++######################################## ++## ++## Recieve sigchld from shutdown ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`shutdown_send_sigchld',` ++ gen_require(` ++ type shutdown_t; ++ ') + ++ allow shutdown_t $1:process signal; ++') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.9/policy/modules/admin/smoltclient.if ---- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/smoltclient.if 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1 @@ -+## The Fedora hardware profiler client -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.9/policy/modules/admin/smoltclient.te ---- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/smoltclient.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,66 @@ -+policy_module(smoltclient,1.0.0) ++######################################## ++## ++## Send and receive messages from ++## shutdown over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`shutdown_dbus_chat',` ++ gen_require(` ++ type shutdown_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 shutdown_t:dbus send_msg; ++ allow shutdown_t $1:dbus send_msg; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.15/policy/modules/admin/shutdown.te +--- nsaserefpolicy/policy/modules/admin/shutdown.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/shutdown.te 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,57 @@ ++policy_module(shutdown,1.0.0) + +######################################## +# +# Declarations +# + -+type smoltclient_t; -+type smoltclient_exec_t; -+application_domain(smoltclient_t, smoltclient_exec_t) -+cron_system_entry(smoltclient_t, smoltclient_exec_t) ++type shutdown_t; ++type shutdown_exec_t; ++application_domain(shutdown_t, shutdown_exec_t) ++role system_r types shutdown_t; + -+type smoltclient_tmp_t; -+files_tmp_file(smoltclient_tmp_t) ++type shutdown_etc_t; ++files_config_file(shutdown_etc_t) ++ ++type shutdown_var_run_t; ++files_pid_file(shutdown_var_run_t) ++ ++permissive shutdown_t; + +######################################## +# -+# Local policy ++# shutdown local policy +# -+allow smoltclient_t self:process { setsched getsched }; -+ -+allow smoltclient_t self:fifo_file rw_fifo_file_perms; -+allow smoltclient_t self:tcp_socket create_socket_perms; -+allow smoltclient_t self:udp_socket create_socket_perms; + -+can_exec(smoltclient_t, smoltclient_tmp_t) -+manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t) -+manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t) -+files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file }) ++allow shutdown_t self:capability { dac_override kill setuid sys_tty_config }; ++allow shutdown_t self:process { fork signal }; + -+kernel_read_system_state(smoltclient_t) -+kernel_read_network_state(smoltclient_t) -+kernel_read_kernel_sysctls(smoltclient_t) ++allow shutdown_t self:fifo_file manage_fifo_file_perms; ++allow shutdown_t self:unix_stream_socket create_stream_socket_perms; + -+corecmd_exec_bin(smoltclient_t) -+corecmd_exec_shell(smoltclient_t) ++manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t) ++files_etc_filetrans(shutdown_t, shutdown_etc_t, file) + -+corenet_tcp_connect_http_port(smoltclient_t) ++manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) ++files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) + -+dev_read_sysfs(smoltclient_t) ++files_read_etc_files(shutdown_t) ++files_read_generic_pids(shutdown_t) + -+fs_getattr_all_fs(smoltclient_t) -+fs_getattr_all_dirs(smoltclient_t) ++term_use_all_terms(shutdown_t) + -+files_getattr_generic_locks(smoltclient_t) -+files_read_etc_files(smoltclient_t) -+files_read_usr_files(smoltclient_t) ++auth_use_nsswitch(shutdown_t) ++auth_write_login_records(shutdown_t) + -+auth_use_nsswitch(smoltclient_t) ++init_dontaudit_write_utmp(shutdown_t) ++init_read_utmp(shutdown_t) ++init_telinit(shutdown_t) + -+logging_send_syslog_msg(smoltclient_t) -+ -+miscfiles_read_localization(smoltclient_t) -+ -+optional_policy(` -+ dbus_system_bus_client(smoltclient_t) -+') ++logging_send_audit_msgs(shutdown_t) + -+optional_policy(` -+ hal_dbus_chat(smoltclient_t) -+') ++miscfiles_read_localization(shutdown_t) + +optional_policy(` -+ rpm_exec(smoltclient_t) -+ rpm_read_db(smoltclient_t) ++ dbus_system_bus_client(shutdown_t) ++ dbus_connect_system_bus(shutdown_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.9/policy/modules/admin/sudo.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.15/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/sudo.if 2010-02-16 15:08:37.000000000 -0500 -@@ -78,7 +78,7 @@ ++++ serefpolicy-3.7.15/policy/modules/admin/sudo.if 2010-03-18 10:44:42.000000000 -0400 +@@ -73,12 +73,16 @@ + # Enter this derived domain from the user domain + domtrans_pattern($3, sudo_exec_t, $1_sudo_t) + ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_sudo_t $3:socket_class_set { read write }; ++ ') ++ + # By default, revert to the calling domain when a shell is executed. + corecmd_shell_domtrans($1_sudo_t, $3) corecmd_bin_domtrans($1_sudo_t, $3) allow $3 $1_sudo_t:fd use; allow $3 $1_sudo_t:fifo_file rw_file_perms; @@ -1672,7 +1551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) -@@ -135,6 +135,9 @@ +@@ -135,6 +139,9 @@ userdom_use_user_terminals($1_sudo_t) # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content($1_sudo_t) @@ -1682,9 +1561,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_sudo_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.9/policy/modules/admin/tmpreaper.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.15/policy/modules/admin/su.if +--- nsaserefpolicy/policy/modules/admin/su.if 2010-02-12 10:33:09.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/su.if 2010-03-18 10:44:42.000000000 -0400 +@@ -58,6 +58,10 @@ + allow $2 $1_su_t:fifo_file rw_file_perms; + allow $2 $1_su_t:process sigchld; + ++ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_su_t $2:socket_class_set { read write }; ++') ++ + kernel_read_system_state($1_su_t) + kernel_read_kernel_sysctls($1_su_t) + kernel_search_key($1_su_t) +@@ -183,6 +187,10 @@ + + # Transition from the user domain to this domain. + domtrans_pattern($3, su_exec_t, $1_su_t) ++ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_su_t $3:socket_class_set { read write }; ++') ++ + + ps_process_pattern($3, $1_su_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.15/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/tmpreaper.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/tmpreaper.te 2010-03-18 10:44:42.000000000 -0400 @@ -42,6 +42,7 @@ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) @@ -1707,33 +1611,69 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap kismet_manage_log(tmpreaper_t) ') -@@ -60,5 +68,9 @@ +@@ -60,5 +68,15 @@ ') optional_policy(` ++ sandbox_list(tmpreaper_t) ++ sandbox_delete_dirs(tmpreaper_t) ++ sandbox_delete_files(tmpreaper_t) ++') ++ ++optional_policy(` + rpm_manage_cache(tmpreaper_t) +') + +optional_policy(` unconfined_domain(tmpreaper_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.9/policy/modules/admin/usermanage.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.15/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/usermanage.if 2010-02-16 15:08:37.000000000 -0500 -@@ -113,6 +113,12 @@ ++++ serefpolicy-3.7.15/policy/modules/admin/usermanage.if 2010-03-18 10:44:42.000000000 -0400 +@@ -18,6 +18,10 @@ + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, chfn_exec_t, chfn_t) ++ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit chfn_t $1:socket_class_set { read write }; ++') + ') + + ######################################## +@@ -63,6 +67,10 @@ + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, groupadd_exec_t, groupadd_t) ++ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit groupadd_t $1:socket_class_set { read write }; ++') + ') + + ######################################## +@@ -113,6 +121,10 @@ files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, passwd_exec_t, passwd_t) + +ifdef(`hide_broken_symptoms', ` -+ dontaudit passwd_t $1:unix_stream_socket rw_socket_perms; -+ dontaudit passwd_t $1:unix_dgram_socket rw_socket_perms; -+ dontaudit passwd_t $1:tcp_socket rw_socket_perms; ++ dontaudit passwd_t $1:socket_class_set { read write }; ++') + ') + + ######################################## +@@ -247,6 +259,9 @@ + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, useradd_exec_t, useradd_t) ++ifdef(`hide_broken_symptoms', ` ++ dontaudit useradd_t $1:socket_class_set { read write }; +') ') ######################################## -@@ -274,6 +280,11 @@ +@@ -274,6 +289,11 @@ usermanage_domtrans_useradd($1) role $2 types useradd_t; @@ -1745,9 +1685,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman optional_policy(` nscd_run(useradd_t, $2) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.9/policy/modules/admin/usermanage.te ---- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/usermanage.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.15/policy/modules/admin/usermanage.te +--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-02-18 14:06:31.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/usermanage.te 2010-03-18 10:44:42.000000000 -0400 @@ -209,6 +209,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) @@ -1789,19 +1729,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -498,10 +502,8 @@ +@@ -498,12 +502,8 @@ userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories +-userdom_manage_user_home_dirs(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) - userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) mta_manage_spool(useradd_t) -@@ -525,6 +527,12 @@ +@@ -527,6 +527,12 @@ ') optional_policy(` @@ -1814,44 +1756,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman puppet_rw_tmp(useradd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.9/policy/modules/admin/vbetool.te ---- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/admin/vbetool.te 2010-02-16 15:08:37.000000000 -0500 -@@ -15,15 +15,20 @@ - # Local policy - # - --allow vbetool_t self:capability { sys_tty_config sys_admin }; -+allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; - allow vbetool_t self:process execmem; - - dev_wx_raw_memory(vbetool_t) - dev_read_raw_memory(vbetool_t) - dev_rwx_zero(vbetool_t) --dev_read_sysfs(vbetool_t) -+dev_rw_sysfs(vbetool_t) -+dev_rw_xserver_misc(vbetool_t) -+dev_rw_mtrr(vbetool_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.15/policy/modules/admin/vbetool.te +--- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/vbetool.te 2010-03-18 10:44:42.000000000 -0400 +@@ -25,7 +25,13 @@ + dev_rw_xserver_misc(vbetool_t) + dev_rw_mtrr(vbetool_t) +domain_mmap_low_type(vbetool_t) +tunable_policy(`mmap_low_allowed',` domain_mmap_low(vbetool_t) +') ++ ++mls_file_read_all_levels(vbetool_t) ++mls_file_write_all_levels(vbetool_t) term_use_unallocated_ttys(vbetool_t) -@@ -34,3 +39,8 @@ - hal_write_log(vbetool_t) - hal_dontaudit_append_lib_files(vbetool_t) - ') -+ -+optional_policy(` -+ xserver_exec_pid(vbetool_t) -+ xserver_write_pid(vbetool_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.9/policy/modules/admin/vpn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.15/policy/modules/admin/vpn.te --- nsaserefpolicy/policy/modules/admin/vpn.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/admin/vpn.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/admin/vpn.te 2010-03-18 10:44:42.000000000 -0400 +@@ -31,7 +31,7 @@ + allow vpnc_t self:rawip_socket create_socket_perms; + allow vpnc_t self:unix_dgram_socket create_socket_perms; + allow vpnc_t self:unix_stream_socket create_socket_perms; +-allow vpnc_t self:tun_socket create; ++allow vpnc_t self:tun_socket { create_socket_perms }; + # cjp: this needs to be fixed + allow vpnc_t self:socket create_socket_perms; + @@ -46,6 +46,7 @@ kernel_read_system_state(vpnc_t) kernel_read_network_state(vpnc_t) @@ -1868,28 +1801,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te optional_policy(` dbus_system_bus_client(vpnc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.7.9/policy/modules/apps/cdrecord.te ---- nsaserefpolicy/policy/modules/apps/cdrecord.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/cdrecord.te 2010-02-16 15:08:37.000000000 -0500 -@@ -32,6 +32,8 @@ - allow cdrecord_t self:unix_dgram_socket create_socket_perms; - allow cdrecord_t self:unix_stream_socket create_stream_socket_perms; - -+corecmd_exec_bin(cdrecord_t) -+ - # allow searching for cdrom-drive - dev_list_all_dev_nodes(cdrecord_t) - dev_read_sysfs(cdrecord_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.9/policy/modules/apps/chrome.fc +@@ -115,3 +117,7 @@ + networkmanager_dbus_chat(vpnc_t) + ') + ') ++ ++optional_policy(` ++ networkmanager_attach_tun_iface(vpnc_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.15/policy/modules/apps/chrome.fc --- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/chrome.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/chrome.fc 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.9/policy/modules/apps/chrome.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.15/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/chrome.if 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,86 @@ ++++ serefpolicy-3.7.15/policy/modules/apps/chrome.if 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,90 @@ + +## policy for chrome + @@ -1910,6 +1839,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + + domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t) + ps_process_pattern(chrome_sandbox_t, $1) ++ifdef(`hide_broken_symptoms', ` ++ dontaudit chrome_sandbox_t $1:socket_class_set { read write }; ++ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) ++') +') + + @@ -1976,10 +1909,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.9/policy/modules/apps/chrome.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.15/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/chrome.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,82 @@ ++++ serefpolicy-3.7.15/policy/modules/apps/chrome.te 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,84 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -2003,7 +1936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t +# +# chrome_sandbox local policy +# -+allow chrome_sandbox_t self:capability { setuid sys_admin sys_ptrace dac_override sys_chroot chown fsetid setgid }; ++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; +allow chrome_sandbox_t self:fifo_file manage_file_perms; +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; @@ -2025,9 +1958,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t +domain_dontaudit_read_all_domains_state(chrome_sandbox_t) + +dev_read_urand(chrome_sandbox_t) ++dev_read_sysfs(chrome_sandbox_t) + +files_read_etc_files(chrome_sandbox_t) + ++fs_dontaudit_getattr_all_fs(chrome_sandbox_t) ++ +userdom_rw_user_tmpfs_files(chrome_sandbox_t) +userdom_use_user_ptys(chrome_sandbox_t) +userdom_write_inherited_user_tmp_files(chrome_sandbox_t) @@ -2061,10 +1997,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t + fs_dontaudit_append_cifs_files(chrome_sandbox_t) + fs_dontaudit_read_cifs_files(chrome_sandbox_t) +') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.9/policy/modules/apps/cpufreqselector.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.15/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/cpufreqselector.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/cpufreqselector.te 2010-03-18 10:44:42.000000000 -0400 @@ -26,7 +26,7 @@ dev_rw_sysfs(cpufreqselector_t) @@ -2074,11 +2009,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs optional_policy(` dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.9/policy/modules/apps/execmem.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.15/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/execmem.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,43 @@ ++++ serefpolicy-3.7.15/policy/modules/apps/execmem.fc 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,45 @@ ++ +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -2121,10 +2058,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + +/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.9/policy/modules/apps/execmem.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.15/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/execmem.if 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,108 @@ ++++ serefpolicy-3.7.15/policy/modules/apps/execmem.if 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,118 @@ +## execmem domain + +######################################## @@ -2189,7 +2126,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + allow $1_execmem_t self:process { execmem execstack }; + allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; + domtrans_pattern($3, execmem_exec_t, $1_execmem_t) -+ ++ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_execmem_t $3:socket_class_set { read write }; ++') + files_execmod_tmp($1_execmem_t) + + optional_policy(` @@ -2206,6 +2145,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + ') + + optional_policy(` ++ mozilla_exec_domtrans($3, $1_execmem_t) ++ ') ++ ++ optional_policy(` ++ mplayer_exec_domtrans($3, $1_execmem_t) ++ ') ++ ++ optional_policy(` + xserver_role($2, $1_execmem_t) + ') +') @@ -2233,9 +2180,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + + domtrans_pattern($1, execmem_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.9/policy/modules/apps/execmem.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.15/policy/modules/apps/execmem.te --- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/execmem.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/execmem.te 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,11 @@ + +policy_module(execmem, 1.0.0) @@ -2248,16 +2195,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +type execmem_exec_t alias unconfined_execmem_exec_t; +application_executable_file(execmem_exec_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.9/policy/modules/apps/firewallgui.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.15/policy/modules/apps/firewallgui.fc --- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/firewallgui.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/firewallgui.fc 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,3 @@ + +/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.9/policy/modules/apps/firewallgui.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.15/policy/modules/apps/firewallgui.if --- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/firewallgui.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/firewallgui.if 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,23 @@ + +## policy for firewallgui @@ -2282,9 +2229,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + allow $1 firewallgui_t:dbus send_msg; + allow firewallgui_t $1:dbus send_msg; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.9/policy/modules/apps/firewallgui.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.15/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/firewallgui.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/firewallgui.te 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,66 @@ + +policy_module(firewallgui,1.0.0) @@ -2352,9 +2299,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + policykit_dbus_chat(firewallgui_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.9/policy/modules/apps/gitosis.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.15/policy/modules/apps/gitosis.if --- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/gitosis.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/gitosis.if 2010-03-18 10:44:42.000000000 -0400 @@ -43,3 +43,47 @@ role $2 types gitosis_t; ') @@ -2403,9 +2350,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis. + manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.9/policy/modules/apps/gnome.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.15/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/gnome.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/gnome.fc 2010-03-18 10:44:42.000000000 -0400 @@ -1,8 +1,28 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) @@ -2437,9 +2384,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc + +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.9/policy/modules/apps/gnome.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.15/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/gnome.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/gnome.if 2010-03-18 10:44:42.000000000 -0400 @@ -74,6 +74,24 @@ ######################################## @@ -2465,7 +2412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ## manage gnome homedir content (.config) ## ## -@@ -84,10 +102,207 @@ +@@ -84,10 +102,246 @@ # interface(`gnome_manage_config',` gen_require(` @@ -2600,6 +2547,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + +######################################## +## ++## Append gconf home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_append_gconf_home_files',` ++ gen_require(` ++ type gconf_home_t; ++ ') ++ ++ append_files_pattern($1, gconf_home_t, gconf_home_t) ++') ++ ++######################################## ++## +## manage gconf home files +## +## @@ -2676,9 +2641,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + + allow $1 gnome_home_type:file rw_inherited_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.9/policy/modules/apps/gnome.te ++ ++######################################## ++## ++## Send and receive messages from ++## gconf system service over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_dbus_chat_gconfdefault',` ++ gen_require(` ++ type gconfdefaultsm_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 gconfdefaultsm_t:dbus send_msg; ++ allow gconfdefaultsm_t $1:dbus send_msg; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.15/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/gnome.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/gnome.te 2010-03-18 10:44:42.000000000 -0400 @@ -7,18 +7,33 @@ # @@ -2827,18 +2813,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te + policykit_read_lib(gnomesystemmm_t) + policykit_read_reload(gnomesystemmm_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.9/policy/modules/apps/gpg.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.15/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/gpg.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/gpg.fc 2010-03-18 10:44:42.000000000 -0400 @@ -1,4 +1,5 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.9/policy/modules/apps/gpg.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.15/policy/modules/apps/gpg.if +--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/apps/gpg.if 2010-03-18 10:44:42.000000000 -0400 +@@ -52,11 +52,8 @@ + + ifdef(`hide_broken_symptoms',` + #Leaked File Descriptors ++ dontaudit gpg_t $2:socket_class_set { read write }; + dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; +- dontaudit gpg_t $2:tcp_socket rw_socket_perms; +- dontaudit gpg_t $2:udp_socket rw_socket_perms; +- dontaudit gpg_t $2:unix_stream_socket rw_socket_perms; +- dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms; + ') + ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.15/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/gpg.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/gpg.te 2010-03-18 10:44:42.000000000 -0400 @@ -20,6 +20,7 @@ typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; application_domain(gpg_t, gpg_exec_t) @@ -2864,7 +2866,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s allow gpg_t self:process { signal setrlimit getcap setcap setpgid }; allow gpg_t self:fifo_file rw_fifo_file_perms; -@@ -130,10 +132,10 @@ +@@ -112,6 +114,7 @@ + # sign/encrypt user files + userdom_manage_user_tmp_files(gpg_t) + userdom_manage_user_home_content_files(gpg_t) ++userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) + + mta_write_config(gpg_t) + +@@ -130,10 +133,10 @@ xserver_rw_xdm_pipes(gpg_t) ') @@ -2879,257 +2889,97 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.9/policy/modules/apps/java.fc ---- nsaserefpolicy/policy/modules/apps/java.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/java.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -2,15 +2,17 @@ - # /opt +@@ -184,6 +187,7 @@ # - /opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) --/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) --/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) --/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) -+/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) -+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + # GPG agent local policy + # ++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) + # rlimit: gpg-agent wants to prevent coredumps + allow gpg_agent_t self:process setrlimit; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.15/policy/modules/apps/java.fc +--- nsaserefpolicy/policy/modules/apps/java.fc 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/java.fc 2010-03-18 10:44:42.000000000 -0400 +@@ -9,6 +9,7 @@ # # /usr # +/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0) /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -20,5 +22,16 @@ - /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) --/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) --/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) -+ -+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) -+/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) +@@ -30,5 +31,9 @@ + /usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + + /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +- + /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + +/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.9/policy/modules/apps/java.if ---- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/java.if 2010-02-16 15:08:37.000000000 -0500 -@@ -30,6 +30,7 @@ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.15/policy/modules/apps/java.if +--- nsaserefpolicy/policy/modules/apps/java.if 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/java.if 2010-03-18 10:44:42.000000000 -0400 +@@ -72,6 +72,7 @@ - allow java_t $2:unix_stream_socket connectto; - allow java_t $2:unix_stream_socket { read write }; -+ allow java_t $2:tcp_socket { read write }; - ') + domain_interactive_fd($1_java_t) - ######################################## -@@ -71,24 +72,130 @@ ++ userdom_unpriv_usertype($1, $1_java_t) + userdom_manage_tmpfs_role($2, $1_java_t) - ######################################## - ## --## Execute the java program in the unconfined java domain. -+## Execute java in the java domain, and -+## allow the specified role the java domain. - ## - ## - ## --## Domain allowed access. -+## The type of the process performing this action. - ## - ## - ## - ## --## Role allowed access. -+## The role to be allowed the java domain. -+## -+## -+# -+interface(`java_run',` -+ gen_require(` -+ type java_t; -+ ') -+ -+ java_domtrans($1) -+ role $2 types java_t; -+') -+ -+######################################## -+## -+## Execute java in the unconfined java domain, and -+## allow the specified role the unconfined java domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+## -+## -+## The role to be allowed the java domain. - ## - ## - # - interface(`java_run_unconfined',` - gen_require(` - type unconfined_java_t; -+ type java_t; - ') + allow $1_java_t self:process { ptrace signal getsched execmem execstack }; +@@ -82,7 +83,7 @@ + + domtrans_pattern($3, java_exec_t, $1_java_t) + +- corecmd_bin_domtrans($1_java_t, $3) ++ corecmd_bin_domtrans($1_java_t, $1_t) + + dev_dontaudit_append_rand($1_java_t) + +@@ -179,6 +180,7 @@ java_domtrans_unconfined($1) role $2 types unconfined_java_t; -+ role $2 types java_t; + nsplugin_role_notrans($2, unconfined_java_t) -+') -+ -+######################################## -+## -+## Execute the java program in the java domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`java_exec',` -+ gen_require(` -+ type java_exec_t; -+ ') -+ -+ can_exec($1, java_exec_t) -+') -+ -+####################################### -+## -+## The role template for the java module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for java applications. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+template(`java_role_template',` -+ gen_require(` -+ type java_exec_t; -+ ') -+ -+ type $1_java_t; -+ domain_type($1_java_t) -+ domain_entry_file($1_java_t, java_exec_t) -+ role $2 types $1_java_t; -+ -+ domain_interactive_fd($1_java_t) -+ -+ userdom_unpriv_usertype($1, $1_java_t) -+ userdom_manage_tmpfs_role($2, $1_java_t) -+ -+ allow $1_java_t self:process { ptrace signal getsched execmem execstack }; -+ allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms }; -+ dontaudit $1_java_t $3:tcp_socket { read write }; -+ -+ domtrans_pattern($3, java_exec_t, $1_java_t) -+ dev_dontaudit_append_rand($1_java_t) + ') + + ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.15/policy/modules/apps/java.te +--- nsaserefpolicy/policy/modules/apps/java.te 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/java.te 2010-03-18 10:44:42.000000000 -0400 +@@ -147,6 +147,14 @@ + + init_dbus_chat_script(unconfined_java_t) + ++ files_execmod_all_files(unconfined_java_t) + -+ fs_dontaudit_rw_tmpfs_files($1_java_t) -+ corecmd_bin_domtrans($1_java_t, $1_t) ++ init_dbus_chat_script(unconfined_java_t) + -+ files_execmod_all_files($1_java_t) + unconfined_domain_noaudit(unconfined_java_t) + unconfined_dbus_chat(unconfined_java_t) + + optional_policy(` -+ xserver_role($1_r, $1_java_t) ++ rpm_domtrans(unconfined_java_t) + ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.9/policy/modules/apps/java.te ---- nsaserefpolicy/policy/modules/apps/java.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/java.te 2010-02-16 15:08:37.000000000 -0500 -@@ -20,6 +20,8 @@ - typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; - typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; - -+role system_r types java_t; -+ - type java_tmp_t; - files_tmp_file(java_tmp_t) - ubac_constrained(java_tmp_t) -@@ -32,9 +34,6 @@ - typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t }; - typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t }; - --type unconfined_java_t; --init_system_domain(unconfined_java_t, java_exec_t) -- - ######################################## - # - # Local policy -@@ -80,6 +79,7 @@ - dev_write_sound(java_t) - dev_read_urand(java_t) - dev_read_rand(java_t) -+dev_dontaudit_append_rand(java_t) - - files_read_etc_files(java_t) - files_read_usr_files(java_t) -@@ -134,17 +134,5 @@ - xserver_user_x_domain_template(java, java_t, java_tmpfs_t) - ') - --######################################## --# --# Unconfined java local policy --# -- --optional_policy(` -- # execheap is needed for itanium/BEA jrocket -- allow unconfined_java_t self:process { execstack execmem execheap }; - -- init_dbus_chat_script(unconfined_java_t) - -- unconfined_domain_noaudit(unconfined_java_t) -- unconfined_dbus_chat(unconfined_java_t) --') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.9/policy/modules/apps/kdumpgui.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.15/policy/modules/apps/kdumpgui.fc --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/kdumpgui.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/kdumpgui.fc 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.9/policy/modules/apps/kdumpgui.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.15/policy/modules/apps/kdumpgui.if --- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/kdumpgui.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/kdumpgui.if 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,2 @@ +## system-config-kdump policy + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.9/policy/modules/apps/kdumpgui.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.15/policy/modules/apps/kdumpgui.te --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/kdumpgui.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/kdumpgui.te 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,68 @@ +policy_module(kdumpgui,1.0.0) + @@ -3199,15 +3049,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui +optional_policy(` + policykit_dbus_chat(kdumpgui_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.9/policy/modules/apps/livecd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.15/policy/modules/apps/livecd.fc --- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/livecd.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/livecd.fc 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,2 @@ + +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.9/policy/modules/apps/livecd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.15/policy/modules/apps/livecd.if --- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/livecd.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/livecd.if 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,52 @@ + +## policy for livecd @@ -3261,9 +3111,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i + usermanage_run_chfn(livecd_t, $2) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.9/policy/modules/apps/livecd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.15/policy/modules/apps/livecd.te --- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/livecd.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/livecd.te 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,27 @@ +policy_module(livecd, 1.0.0) + @@ -3292,11 +3142,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t + +seutil_domtrans_setfiles_mac(livecd_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.9/policy/modules/apps/loadkeys.te ---- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/loadkeys.te 2010-02-16 15:08:37.000000000 -0500 -@@ -40,8 +40,12 @@ - miscfiles_read_localization(loadkeys_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.15/policy/modules/apps/loadkeys.if +--- nsaserefpolicy/policy/modules/apps/loadkeys.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/apps/loadkeys.if 2010-03-18 10:44:42.000000000 -0400 +@@ -17,6 +17,9 @@ + + corecmd_search_bin($1) + domtrans_pattern($1, loadkeys_exec_t, loadkeys_t) ++ifdef(`hide_broken_symptoms', ` ++ dontaudit loadkeys_t $1:socket_class_set { read write }; ++') + ') + + ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.15/policy/modules/apps/loadkeys.te +--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/apps/loadkeys.te 2010-03-18 10:44:42.000000000 -0400 +@@ -40,8 +40,12 @@ + miscfiles_read_localization(loadkeys_t) userdom_use_user_ttys(loadkeys_t) -userdom_list_user_home_dirs(loadkeys_t) @@ -3309,159 +3172,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys +ifdef(`hide_broken_symptoms',` + dev_dontaudit_rw_lvm_control(loadkeys_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.7.9/policy/modules/apps/mono.fc ---- nsaserefpolicy/policy/modules/apps/mono.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/mono.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -1 +1 @@ --/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0) -+/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.9/policy/modules/apps/mono.if ---- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/mono.if 2010-02-16 15:08:37.000000000 -0500 -@@ -21,6 +21,105 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.15/policy/modules/apps/mono.if +--- nsaserefpolicy/policy/modules/apps/mono.if 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/mono.if 2010-03-18 10:44:42.000000000 -0400 +@@ -40,10 +40,10 @@ + domain_interactive_fd($1_mono_t) + application_type($1_mono_t) - ######################################## - ## -+## Read and write to mono shared memory. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`mono_rw_shm',` -+ gen_require(` -+ type mono_t; -+ ') -+ -+ allow $1 mono_t:shm rw_shm_perms; -+') -+ -+######################################## -+## -+## Execute mono in the mono domain, and -+## allow the specified role the mono domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+## -+## -+## The role to be allowed the mono domain. -+## -+## -+# -+interface(`mono_run',` -+ gen_require(` -+ type mono_t; -+ ') -+ -+ mono_domtrans($1) -+ role $2 types mono_t; -+') -+ -+####################################### -+## -+## The role template for the mono module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for mono applications. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+template(`mono_role_template',` -+ gen_require(` -+ type mono_exec_t; -+ ') -+ -+ type $1_mono_t; -+ domain_type($1_mono_t) -+ domain_entry_file($1_mono_t, mono_exec_t) -+ role $2 types $1_mono_t; -+ -+ domain_interactive_fd($1_mono_t) -+ application_type($1_mono_t) -+ + userdom_unpriv_usertype($1, $1_mono_t) -+ userdom_manage_tmpfs_role($2, $1_mono_t) -+ -+ allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; -+ allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; -+ -+ domtrans_pattern($3, mono_exec_t, $1_mono_t) -+ -+ fs_dontaudit_rw_tmpfs_files($1_mono_t) -+ corecmd_bin_domtrans($1_mono_t, $1_t) -+ -+ optional_policy(` -+ xserver_role($1_r, $1_mono_t) -+ ') -+') -+ -+######################################## -+## - ## Execute the mono program in the caller domain. - ## - ## -@@ -31,7 +130,7 @@ - # - interface(`mono_exec',` - gen_require(` -- type mono_t, mono_exec_t; -+ type mono_exec_t; - ') - - corecmd_search_bin($1) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.7.9/policy/modules/apps/mono.te ---- nsaserefpolicy/policy/modules/apps/mono.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/mono.te 2010-02-16 15:08:37.000000000 -0500 -@@ -15,7 +15,7 @@ - # Local policy - # + userdom_manage_tmpfs_role($2, $1_mono_t) --allow mono_t self:process { execheap execmem }; -+allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; - - init_dbus_chat_script(mono_t) - -@@ -42,7 +42,12 @@ - ') + allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; +- + allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; - optional_policy(` -- unconfined_domain_noaudit(mono_t) -+ unconfined_domain(mono_t) - unconfined_dbus_chat(mono_t) - unconfined_dbus_connect(mono_t) -+ application_type(mono_t) -+') -+ -+optional_policy(` -+ xserver_rw_shm(mono_t) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.9/policy/modules/apps/mozilla.fc + domtrans_pattern($3, mono_exec_t, $1_mono_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.15/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/mozilla.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/mozilla.fc 2010-03-18 10:44:42.000000000 -0400 @@ -1,6 +1,7 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -3478,9 +3206,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.9/policy/modules/apps/mozilla.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.15/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/mozilla.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/mozilla.if 2010-03-18 10:44:42.000000000 -0400 @@ -48,6 +48,12 @@ mozilla_dbus_chat($2) @@ -3503,7 +3231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -186,3 +192,22 @@ +@@ -186,3 +192,57 @@ allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -3526,9 +3254,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + allow $1 mozilla_home_t:file execmod; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.9/policy/modules/apps/mozilla.te ++######################################## ++## ++## Execute mozilla_exec_t ++## in the specified domain. ++## ++## ++##

++## Execute a mozilla_exec_t ++## in the specified domain. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`mozilla_exec_domtrans',` ++ gen_require(` ++ type mozilla_exec_t; ++ ') ++ ++ allow $2 mozilla_exec_t:file entrypoint; ++ domtrans_pattern($1, mozilla_exec_t, $2) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.15/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/mozilla.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/mozilla.te 2010-03-18 10:44:42.000000000 -0400 @@ -91,6 +91,7 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) @@ -3587,9 +3350,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +optional_policy(` thunderbird_domtrans(mozilla_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.9/policy/modules/apps/nsplugin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.7.15/policy/modules/apps/mplayer.if +--- nsaserefpolicy/policy/modules/apps/mplayer.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/apps/mplayer.if 2010-03-18 10:44:42.000000000 -0400 +@@ -102,3 +102,39 @@ + read_files_pattern($1, mplayer_home_t, mplayer_home_t) + userdom_search_user_home_dirs($1) + ') ++ ++######################################## ++## ++## Execute mplayer_exec_t ++## in the specified domain. ++## ++## ++##

++## Execute a mplayer_exec_t ++## in the specified domain. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`mplayer_exec_domtrans',` ++ gen_require(` ++ type mplayer_exec_t; ++ ') ++ ++ allow $2 mplayer_exec_t:file entrypoint; ++ domtrans_pattern($1, mplayer_exec_t, $2) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.15/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/nsplugin.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/nsplugin.fc 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,10 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) @@ -3601,10 +3407,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.9/policy/modules/apps/nsplugin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.15/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/nsplugin.if 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,358 @@ ++++ serefpolicy-3.7.15/policy/modules/apps/nsplugin.if 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,390 @@ + +## policy for nsplugin + @@ -3706,16 +3512,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + can_exec($2, nsplugin_rw_t) + + #Leaked File Descriptors -+ dontaudit nsplugin_t $2:tcp_socket rw_socket_perms; -+ dontaudit nsplugin_t $2:udp_socket rw_socket_perms; -+ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms; -+ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms; -+ dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms; -+ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms; -+ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms; -+ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms; -+ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms; -+ dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms; ++ifdef(`hide_broken_symptoms', ` ++ dontaudit nsplugin_t $2:socket_class_set { read write }; ++ dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit nsplugin_config_t $2:socket_class_set { read write }; ++ dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms; ++') + allow nsplugin_t $2:unix_stream_socket connectto; + dontaudit nsplugin_t $2:process ptrace; + allow nsplugin_t $2:sem rw_sem_perms; @@ -3772,6 +3574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + + domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) + domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) ++ +') + +####################################### @@ -3963,10 +3766,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + allow $1 nsplugin_t:sem rw_sem_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.9/policy/modules/apps/nsplugin.te ++######################################## ++## ++## Execute nsplugin_exec_t ++## in the specified domain. ++## ++## ++##

++## Execute a nsplugin_exec_t ++## in the specified domain. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`nsplugin_exec_domtrans',` ++ gen_require(` ++ type nsplugin_exec_t; ++ ') ++ ++ allow $2 nsplugin_exec_t:file entrypoint; ++ domtrans_pattern($1, nsplugin_exec_t, $2) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.15/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/nsplugin.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,296 @@ ++++ serefpolicy-3.7.15/policy/modules/apps/nsplugin.te 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,295 @@ + +policy_module(nsplugin, 1.0.0) + @@ -4118,7 +3956,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +userdom_read_user_tmp_files(nsplugin_t) +userdom_write_user_tmp_sockets(nsplugin_t) +userdom_dontaudit_append_user_home_content_files(nsplugin_t) -+userdom_dontaudit_delete_user_home_content_files(nsplugin_t) + +optional_policy(` + alsa_read_rw_config(nsplugin_t) @@ -4263,17 +4100,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.9/policy/modules/apps/openoffice.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.15/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/openoffice.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/openoffice.fc 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.9/policy/modules/apps/openoffice.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.15/policy/modules/apps/openoffice.if --- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/openoffice.if 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,92 @@ ++++ serefpolicy-3.7.15/policy/modules/apps/openoffice.if 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,129 @@ +## Openoffice + +####################################### @@ -4362,14 +4199,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi + + allow $3 $1_openoffice_t:process { signal sigkill }; + allow $1_openoffice_t $3:unix_stream_socket connectto; -+ optional_policy(` -+ xserver_common_x_domain_template($1, $1_openoffice_t) ++ ++ optional_policy(` ++ xserver_role($2, $1_openoffice_t) ++ ') ++') ++ ++######################################## ++## ++## Execute openoffice_exec_t ++## in the specified domain. ++## ++## ++##

++## Execute a openoffice_exec_t ++## in the specified domain. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`openoffice_exec_domtrans',` ++ gen_require(` ++ type openoffice_exec_t; + ') ++ ++ allow $2 openoffice_exec_t:file entrypoint; ++ domtrans_pattern($1, openoffice_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.9/policy/modules/apps/openoffice.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.15/policy/modules/apps/openoffice.te --- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/openoffice.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,11 @@ ++++ serefpolicy-3.7.15/policy/modules/apps/openoffice.te 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,17 @@ + +policy_module(openoffice, 1.0.0) + @@ -4381,9 +4255,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi +type openoffice_t; +type openoffice_exec_t; +application_domain(openoffice_t, openoffice_exec_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.9/policy/modules/apps/podsleuth.te ++ ++######################################## ++# ++# Unconfined java local policy ++# ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.15/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/podsleuth.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/podsleuth.te 2010-03-18 10:44:42.000000000 -0400 @@ -50,6 +50,7 @@ fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) @@ -4407,51 +4287,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut optional_policy(` dbus_system_bus_client(podsleuth_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.9/policy/modules/apps/ptchown.if ---- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/ptchown.if 2010-02-16 15:08:37.000000000 -0500 -@@ -18,3 +18,27 @@ - domtrans_pattern($1, ptchown_exec_t, ptchown_t) - ') - -+######################################## -+## -+## Execute ptchown in the ptchown domain, and -+## allow the specified role the ptchown domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the ptchown domain. -+## -+## -+# -+interface(`ptchown_run',` -+ gen_require(` -+ type ptchown_t; -+ ') -+ -+ ptchown_domtrans($1) -+ role $2 types ptchown_t; -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.9/policy/modules/apps/pulseaudio.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.15/policy/modules/apps/pulseaudio.fc --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/pulseaudio.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -1 +1,7 @@ ++++ serefpolicy-3.7.15/policy/modules/apps/pulseaudio.fc 2010-03-18 10:44:42.000000000 -0400 +@@ -1 +1,9 @@ +HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) + ++/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) ++ +/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) + /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.9/policy/modules/apps/pulseaudio.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.15/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/pulseaudio.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/pulseaudio.if 2010-03-18 10:44:42.000000000 -0400 +@@ -18,7 +18,7 @@ + interface(`pulseaudio_role',` + gen_require(` + type pulseaudio_t, pulseaudio_exec_t, print_spool_t; +- class dbus { send_msg }; ++ class dbus { acquire_svc send_msg }; + ') + + role $1 types pulseaudio_t; @@ -29,7 +29,7 @@ ps_process_pattern($2, pulseaudio_t) @@ -4555,24 +4415,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud - allow $1 pulseaudio_t:unix_stream_socket connectto; + stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.9/policy/modules/apps/pulseaudio.te ---- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/pulseaudio.te 2010-02-16 15:08:37.000000000 -0500 -@@ -11,6 +11,12 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.15/policy/modules/apps/pulseaudio.te +--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-18 14:06:31.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/pulseaudio.te 2010-03-18 10:44:42.000000000 -0400 +@@ -8,24 +8,52 @@ + + type pulseaudio_t; + type pulseaudio_exec_t; ++init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) application_domain(pulseaudio_t, pulseaudio_exec_t) role system_r types pulseaudio_t; -+type pulseaudio_var_run_t; -+files_pid_file(pulseaudio_var_run_t) -+ +type pulseaudio_home_t; +userdom_user_home_content(pulseaudio_home_t) + ++type pulseaudio_tmpfs_t; ++files_tmpfs_file(pulseaudio_tmpfs_t) ++ ++type pulseaudio_var_lib_t; ++files_type(pulseaudio_var_lib_t) ++ ++type pulseaudio_var_run_t; ++files_pid_file(pulseaudio_var_run_t) ++ ######################################## # # pulseaudio local policy -@@ -18,7 +24,7 @@ - + # +- ++allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; allow pulseaudio_t self:fifo_file rw_file_perms; -allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms; @@ -4580,40 +4451,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; allow pulseaudio_t self:tcp_socket create_stream_socket_perms; allow pulseaudio_t self:udp_socket create_socket_perms; -@@ -26,6 +32,7 @@ - - can_exec(pulseaudio_t, pulseaudio_exec_t) - -+kernel_getattr_proc(pulseaudio_t) - kernel_read_system_state(pulseaudio_t) - kernel_read_kernel_sysctls(pulseaudio_t) - -@@ -63,12 +70,23 @@ - miscfiles_read_localization(pulseaudio_t) - - optional_policy(` -- gnome_manage_config(pulseaudio_t) -+ bluetooth_stream_connect(pulseaudio_t) - ') + allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; ++userdom_search_user_home_dirs(pulseaudio_t) ++userdom_search_admin_dir(pulseaudio_t) ++manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) ++manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) ++ ++manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) ++manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) ++files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) ++ +manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) + -+userdom_search_user_home_dirs(pulseaudio_t) -+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) -+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) -+ + can_exec(pulseaudio_t, pulseaudio_exec_t) + ++kernel_getattr_proc(pulseaudio_t) + kernel_read_system_state(pulseaudio_t) + kernel_read_kernel_sysctls(pulseaudio_t) + +@@ -67,10 +95,7 @@ + ') + optional_policy(` +- gnome_manage_config(pulseaudio_t) +-') +- +-optional_policy(` + dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) dbus_system_bus_client(pulseaudio_t) dbus_session_bus_client(pulseaudio_t) -+ dbus_connect_session_bus(pulseaudio_t) - - optional_policy(` - consolekit_dbus_chat(pulseaudio_t) -@@ -88,6 +106,10 @@ + dbus_connect_session_bus(pulseaudio_t) +@@ -93,6 +118,10 @@ ') optional_policy(` @@ -4624,7 +4496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -98,6 +120,8 @@ +@@ -103,6 +132,9 @@ ') optional_policy(` @@ -4632,126 +4504,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud xserver_manage_xdm_tmp_files(pulseaudio_t) xserver_read_xdm_lib_files(pulseaudio_t) + xserver_read_xdm_pid(pulseaudio_t) ++ xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.9/policy/modules/apps/qemu.fc ---- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/qemu.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -1,2 +1,2 @@ --/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) --/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) -+/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.9/policy/modules/apps/qemu.if ---- nsaserefpolicy/policy/modules/apps/qemu.if 2009-08-31 13:44:40.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/qemu.if 2010-02-16 15:08:37.000000000 -0500 -@@ -40,6 +40,10 @@ - - qemu_domtrans($1) - role $2 types qemu_t; -+ -+ optional_policy(` -+ samba_run_smb(qemu_t, $2, $3) -+ ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.15/policy/modules/apps/qemu.if +--- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/qemu.if 2010-03-18 10:44:42.000000000 -0400 +@@ -127,12 +127,14 @@ + template(`qemu_role',` + gen_require(` + type qemu_t, qemu_exec_t; ++ type qemu_config_t, qemu_config_exec_t; + ') + + role $1 types { qemu_t qemu_config_t }; + + domtrans_pattern($2, qemu_exec_t, qemu_t) + domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) ++ allow qemu_t $2:process signull; ') ######################################## -@@ -211,3 +215,188 @@ - # xserver_xdm_rw_shm($1_t) - ') - ') -+ -+####################################### -+## -+## The per role template for the qemu module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for qemu web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+interface(`qemu_role_notrans',` -+ gen_require(` -+ type qemu_t; -+ ') -+ -+ role $1 types qemu_t; -+') -+ -+####################################### -+## -+## The per role template for the qemu module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for qemu web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+template(`qemu_role',` -+ gen_require(` -+ type qemu_exec_t; -+ ') -+ -+ qemu_role_notrans($1, $2, $3) -+ -+ domtrans_pattern($3, qemu_exec_t, qemu_t) -+ domtrans_pattern($3, qemu_config_exec_t, qemu_config_t) -+') -+ -+######################################## -+## -+## Set the schedule on qemu. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`qemu_setsched',` -+ gen_require(` -+ type qemu_t; -+ ') -+ -+ allow $1 qemu_t:process setsched; -+') -+ -+######################################## -+## +@@ -273,6 +275,67 @@ + + ######################################## + ## +## Execute qemu_exec_t +## in the specified domain but do not +## do it automatically. This is an explicit @@ -4804,171 +4580,70 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if +# +interface(`qemu_unconfined_role',` + gen_require(` -+ type qemu_unconfined_t; ++ type unconfined_qemu_t; ++ type qemu_t; + ') -+ role $1 types qemu_unconfined_t; ++ role $1 types unconfined_qemu_t; ++ role $1 types qemu_t; +') + +######################################## +## -+## Manage qemu temporary dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`qemu_manage_tmp_dirs',` -+ gen_require(` -+ type qemu_tmp_t; -+ ') -+ -+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) -+ ') -+ -+######################################## -+## -+## Manage qemu temporary files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+ # -+interface(`qemu_manage_tmp_files',` -+ gen_require(` -+ type qemu_tmp_t; -+ ') -+ -+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.9/policy/modules/apps/qemu.te ---- nsaserefpolicy/policy/modules/apps/qemu.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/qemu.te 2010-02-16 15:08:37.000000000 -0500 -@@ -13,15 +13,46 @@ - ## - gen_tunable(qemu_full_network, false) + ## Manage qemu temporary dirs. + ## + ## +@@ -306,3 +369,4 @@ -+## -+##

-+## Allow qemu to use usb devices -+##

-+## -+gen_tunable(qemu_use_usb, true) -+ -+## -+##

-+## Allow qemu to use nfs file systems -+##

-+## -+gen_tunable(qemu_use_nfs, true) -+ -+## -+##

-+## Allow qemu to use cifs/Samba file systems -+##

-+## -+gen_tunable(qemu_use_cifs, true) -+ -+## -+##

-+## Allow qemu to user serial/parallell communication ports -+##

-+## -+gen_tunable(qemu_use_comm, false) -+ + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) + ') + - type qemu_exec_t; --qemu_domain_template(qemu) -+virt_domain_template(qemu) - application_domain(qemu_t, qemu_exec_t) - role system_r types qemu_t; - --######################################## --# --# qemu local policy --# +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.15/policy/modules/apps/qemu.te +--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/qemu.te 2010-03-18 10:44:42.000000000 -0400 +@@ -50,6 +50,8 @@ + # + # qemu local policy + # +storage_raw_write_removable_device(qemu_t) +storage_raw_read_removable_device(qemu_t) -+ -+userdom_search_user_home_content(qemu_t) -+userdom_read_user_tmpfs_files(qemu_t) -+userdom_signull_unpriv_users(qemu_t) - tunable_policy(`qemu_full_network',` - allow qemu_t self:udp_socket create_socket_perms; -@@ -35,6 +66,44 @@ - corenet_tcp_connect_all_ports(qemu_t) + userdom_search_user_home_content(qemu_t) + userdom_read_user_tmpfs_files(qemu_t) +@@ -100,6 +102,10 @@ + xen_rw_image_files(qemu_t) ') -+tunable_policy(`qemu_use_comm',` -+ term_use_unallocated_ttys(qemu_t) -+ dev_rw_printer(qemu_t) -+') -+ -+tunable_policy(`qemu_use_nfs',` -+ fs_manage_nfs_dirs(qemu_t) -+ fs_manage_nfs_files(qemu_t) -+') -+ -+tunable_policy(`qemu_use_cifs',` -+ fs_manage_cifs_dirs(qemu_t) -+ fs_manage_cifs_files(qemu_t) -+') -+ -+tunable_policy(`qemu_use_usb',` -+ dev_rw_usbfs(qemu_t) -+ fs_manage_dos_dirs(qemu_t) -+ fs_manage_dos_files(qemu_t) -+') -+ -+optional_policy(` -+ samba_domtrans_smbd(qemu_t) -+') -+ -+optional_policy(` -+ virt_manage_images(qemu_t) -+ virt_append_log(qemu_t) -+') -+ -+optional_policy(` -+ xen_rw_image_files(qemu_t) -+') -+ +optional_policy(` + xen_rw_image_files(qemu_t) +') + ######################################## # - # qemu_unconfined local policy -@@ -44,6 +113,10 @@ - type qemu_unconfined_t; - domain_type(qemu_unconfined_t) - unconfined_domain_noaudit(qemu_unconfined_t) -+ userdom_manage_tmpfs_role(unconfined_r, qemu_unconfined_t) + # Unconfined qemu local policy +@@ -110,6 +116,9 @@ + typealias unconfined_qemu_t alias qemu_unconfined_t; + application_type(unconfined_qemu_t) + unconfined_domain_noaudit(unconfined_qemu_t) ++ userdom_manage_tmpfs_role(unconfined_r, unconfined_qemu_t) ++ userdom_unpriv_usertype(unconfined, unconfined_qemu_t) -+ application_type(qemu_unconfined_t) -+ role unconfined_r types qemu_unconfined_t; - allow qemu_unconfined_t self:process { execstack execmem }; -+ allow qemu_unconfined_t qemu_exec_t:file execmod; + allow unconfined_qemu_t self:process { execstack execmem }; ++ allow unconfined_qemu_t qemu_exec_t:file execmod; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.9/policy/modules/apps/sambagui.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.15/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/sambagui.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/sambagui.fc 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.9/policy/modules/apps/sambagui.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.15/policy/modules/apps/sambagui.if --- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/sambagui.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/sambagui.if 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,2 @@ +## system-config-samba policy + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.9/policy/modules/apps/sambagui.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.15/policy/modules/apps/sambagui.te --- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/sambagui.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/sambagui.te 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,66 @@ +policy_module(sambagui,1.0.0) + @@ -5036,15 +4711,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui +optional_policy(` + policykit_dbus_chat(sambagui_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.9/policy/modules/apps/sandbox.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.15/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/sandbox.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/sandbox.fc 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1 @@ +# No types are sandbox_exec_t -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.9/policy/modules/apps/sandbox.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.15/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/sandbox.if 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,230 @@ ++++ serefpolicy-3.7.15/policy/modules/apps/sandbox.if 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,250 @@ + +## policy for sandbox + @@ -5127,6 +4802,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + type $1_t, sandbox_domain; + domain_type($1_t) + ++ mls_rangetrans_target($1_t) ++ + type $1_file_t, sandbox_file_type; + files_type($1_file_t) + @@ -5228,7 +4905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +## +## +## -+## Domain to not audit. ++## Domain allowed access +## +## +# @@ -5246,7 +4923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +## +## +## -+## Domain to not audit. ++## Domain allowed access +## +## +# @@ -5264,7 +4941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +## +## +## -+## Domain to not audit. ++## Domain allowed access +## +## +# @@ -5275,10 +4952,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + + delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.9/policy/modules/apps/sandbox.te ++ ++######################################## ++## ++## allow domain to list sandbox dirs ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_list',` ++ gen_require(` ++ attribute sandbox_file_type; ++ ') ++ ++ allow $1 sandbox_file_type:dir list_dir_perms; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.15/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/sandbox.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,364 @@ ++++ serefpolicy-3.7.15/policy/modules/apps/sandbox.te 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,365 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -5363,6 +5058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +logging_send_audit_msgs(sandbox_xserver_t) + +userdom_use_user_terminals(sandbox_xserver_t) ++userdom_dontaudit_search_user_home_content(sandbox_xserver_t) + +xserver_entry_type(sandbox_xserver_t) + @@ -5643,160 +5339,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +optional_policy(` + hal_dbus_chat(sandbox_net_client_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.9/policy/modules/apps/screen.if ---- nsaserefpolicy/policy/modules/apps/screen.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/screen.if 2010-02-16 15:08:37.000000000 -0500 -@@ -141,6 +141,7 @@ - userdom_create_user_pty($1_screen_t) - userdom_user_home_domtrans($1_screen_t, $3) - userdom_setattr_user_ptys($1_screen_t) -+ userdom_setattr_user_ttys($1_screen_t) - - tunable_policy(`use_samba_home_dirs',` - fs_cifs_domtrans($1_screen_t, $3) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.7.9/policy/modules/apps/sectoolm.fc ---- nsaserefpolicy/policy/modules/apps/sectoolm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/sectoolm.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,6 @@ -+ -+/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) -+ -+/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) -+ -+/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.7.9/policy/modules/apps/sectoolm.if ---- nsaserefpolicy/policy/modules/apps/sectoolm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/sectoolm.if 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,3 @@ -+ -+## policy for sectool-mechanism -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.7.9/policy/modules/apps/sectoolm.te ---- nsaserefpolicy/policy/modules/apps/sectoolm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/sectoolm.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,118 @@ -+ -+policy_module(sectoolm,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type sectoolm_t; -+type sectoolm_exec_t; -+dbus_system_domain(sectoolm_t, sectoolm_exec_t) -+ -+# /var/lib files -+type sectool_var_lib_t; -+files_type(sectool_var_lib_t) -+ -+# log files -+type sectool_var_log_t; -+logging_log_file(sectool_var_log_t) -+ -+# tmp files -+type sectool_tmp_t; -+files_tmp_file(sectool_tmp_t) -+ -+######################################## -+# -+# sectool local policy -+# -+ -+allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; -+allow sectoolm_t self:process { getcap getsched signull setsched }; -+dontaudit sectoolm_t self:process { execstack execmem }; -+ -+allow sectoolm_t self:fifo_file rw_fifo_file_perms; -+allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto }; -+ -+# tmp files -+manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) -+manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) -+files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir }) -+ -+# var/lib files -+manage_files_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t) -+manage_dirs_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t) -+files_var_lib_filetrans(sectoolm_t,sectool_var_lib_t, { file dir }) -+ -+# log files -+manage_files_pattern(sectoolm_t, sectool_var_log_t,sectool_var_log_t) -+logging_log_filetrans(sectoolm_t,sectool_var_log_t,{ file }) -+ -+corecmd_exec_bin(sectoolm_t) -+corecmd_exec_shell(sectoolm_t) -+ -+kernel_read_net_sysctls(sectoolm_t) -+kernel_read_network_state(sectoolm_t) -+kernel_read_kernel_sysctls(sectoolm_t) -+ -+dev_read_sysfs(sectoolm_t) -+dev_read_urand(sectoolm_t) -+ -+dev_getattr_all_blk_files(sectoolm_t) -+dev_getattr_all_chr_files(sectoolm_t) -+ -+# selinux test -+selinux_validate_context(sectoolm_t) -+ -+fs_getattr_all_fs(sectoolm_t) -+fs_list_noxattr_fs(sectoolm_t) -+ -+files_getattr_all_pipes(sectoolm_t) -+files_getattr_all_sockets(sectoolm_t) -+files_read_all_files(sectoolm_t) -+files_read_all_symlinks(sectoolm_t) -+ -+auth_use_nsswitch(sectoolm_t) -+ -+libs_exec_ld_so(sectoolm_t) -+ -+logging_send_syslog_msg(sectoolm_t) -+ -+# tcp_wrappers test -+application_exec_all(sectoolm_t) -+ -+domain_getattr_all_domains(sectoolm_t) -+domain_read_all_domains_state(sectoolm_t) -+ -+userdom_users_dgram_send(sectoolm_t) -+userdom_dgram_send(sectoolm_t) -+userdom_manage_user_tmp_sockets(sectoolm_t) -+ -+# tests related to network -+hostname_exec(sectoolm_t) -+iptables_domtrans(sectoolm_t) -+sysnet_domtrans_ifconfig(sectoolm_t) -+ -+optional_policy(` -+ mount_exec(sectoolm_t) -+') -+ -+optional_policy(` -+ policykit_dbus_chat(sectoolm_t) -+') -+ -+# suid test using -+# rpm -Vf option -+optional_policy(` -+ prelink_domtrans(sectoolm_t) -+') -+ -+optional_policy(` -+ rpm_exec(sectoolm_t) -+ rpm_append_log(sectoolm_t) -+ rpm_manage_pid_files(sectoolm_t) -+ rpm_pid_filetrans(sectoolm_t) -+ rpm_dontaudit_manage_db(sectoolm_t) -+') -+ -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.9/policy/modules/apps/seunshare.if ---- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/seunshare.if 2010-02-16 15:08:37.000000000 -0500 -@@ -2,59 +2,14 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.15/policy/modules/apps/seunshare.if +--- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/seunshare.if 2010-03-18 10:44:42.000000000 -0400 +@@ -2,30 +2,12 @@ ######################################## ## @@ -5823,18 +5369,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar -## allow the specified role the seunshare domain. -## -## --## --## Domain allowed access. --## --## --## +## ## --## Role allowed access. +-## Domain allowed access. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## + ## +@@ -33,48 +15,34 @@ + ## Role allowed access. + ## + ## -# -interface(`seunshare_run',` - gen_require(` @@ -5857,10 +5403,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar -## -## Role access for seunshare -## - ## +-## +-## +-## Role allowed access. +-## +-## + ## ## - ## Role allowed access. -@@ -66,15 +21,28 @@ + ## User domain for the role. ## ## # @@ -5876,6 +5426,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + type $1_seunshare_t, seunshare_domain; + application_domain($1_seunshare_t, seunshare_exec_t) + role $2 types $1_seunshare_t; ++ ++ mls_process_set_level($1_seunshare_t) - seunshare_domtrans($1) + domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) @@ -5890,14 +5442,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; + + ifdef(`hide_broken_symptoms', ` -+ dontaudit $1_seunshare_t $3:tcp_socket rw_socket_perms; -+ dontaudit $1_seunshare_t $3:udp_socket rw_socket_perms; -+ dontaudit $1_seunshare_t $3:unix_stream_socket rw_socket_perms; ++ dontaudit $1_seunshare_t $3:socket_class_set { read write }; + ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.9/policy/modules/apps/seunshare.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.15/policy/modules/apps/seunshare.te --- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/seunshare.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/seunshare.te 2010-03-18 10:44:42.000000000 -0400 @@ -6,40 +6,39 @@ # Declarations # @@ -5956,9 +5506,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + mozilla_dontaudit_manage_user_home_files(seunshare_domain) ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.9/policy/modules/apps/slocate.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.15/policy/modules/apps/slocate.te --- nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/slocate.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/slocate.te 2010-03-18 10:44:42.000000000 -0400 @@ -30,6 +30,7 @@ manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) @@ -5975,9 +5525,127 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate. # getpwnam auth_use_nsswitch(locate_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.9/policy/modules/apps/vmware.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.fc serefpolicy-3.7.15/policy/modules/apps/userhelper.fc +--- nsaserefpolicy/policy/modules/apps/userhelper.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/apps/userhelper.fc 2010-03-18 10:44:42.000000000 -0400 +@@ -7,3 +7,4 @@ + # /usr + # + /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) ++/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.7.15/policy/modules/apps/userhelper.if +--- nsaserefpolicy/policy/modules/apps/userhelper.if 2010-02-12 10:33:09.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/userhelper.if 2010-03-18 10:44:42.000000000 -0400 +@@ -260,3 +260,51 @@ + + can_exec($1, userhelper_exec_t) + ') ++ ++####################################### ++## ++## The role template for the consolehelper module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for consolehelper applications. ++##

++## ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++template(`userhelper_console_role_template',` ++ gen_require(` ++ type consolehelper_exec_t; ++ attribute consolehelper_domain; ++ ') ++ ++ type $1_consolehelper_t, consolehelper_domain; ++ domain_type($1_consolehelper_t) ++ domain_entry_file($1_consolehelper_t, consolehelper_exec_t) ++ role $2 types $1_consolehelper_t; ++ ++ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) ++ ++ auth_use_pam($1_consolehelper_t) ++ ++ optional_policy(` ++ shutdown_run($1_consolehelper_t, $2) ++ shutdown_send_sigchld($3) ++ ') ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.7.15/policy/modules/apps/userhelper.te +--- nsaserefpolicy/policy/modules/apps/userhelper.te 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/apps/userhelper.te 2010-03-18 10:44:42.000000000 -0400 +@@ -7,9 +7,51 @@ + # + + attribute userhelper_type; ++attribute consolehelper_domain; + + type userhelper_conf_t; + files_type(userhelper_conf_t) + + type userhelper_exec_t; + application_executable_file(userhelper_exec_t) ++ ++type consolehelper_exec_t; ++application_executable_file(consolehelper_exec_t) ++ ++######################################## ++# ++# consolehelper local policy ++# ++ ++allow consolehelper_domain self:capability { setgid setuid }; ++ ++dontaudit consolehelper_domain userhelper_conf_t:file write; ++read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t) ++ ++# Init script handling ++domain_use_interactive_fds(consolehelper_domain) ++ ++# internal communication is often done using fifo and unix sockets. ++allow consolehelper_domain self:fifo_file rw_fifo_file_perms; ++allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_read_kernel_sysctls(consolehelper_domain) ++ ++corecmd_exec_bin(consolehelper_domain) ++ ++files_read_etc_files(consolehelper_domain) ++ ++auth_search_pam_console_data(consolehelper_domain) ++ ++init_read_utmp(consolehelper_domain) ++ ++miscfiles_read_localization(consolehelper_domain) ++ ++userhelper_exec(consolehelper_domain) ++ ++userdom_use_user_ptys(consolehelper_domain) ++userdom_use_user_ttys(consolehelper_domain) ++ ++optional_policy(` ++ xserver_stream_connect(consolehelper_domain) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.15/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/vmware.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/vmware.if 2010-03-18 10:44:42.000000000 -0400 @@ -84,3 +84,22 @@ logging_search_logs($1) append_files_pattern($1, vmware_log_t, vmware_log_t) @@ -6001,9 +5669,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i + can_exec($1, vmware_host_exec_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.9/policy/modules/apps/vmware.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.15/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/apps/vmware.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/vmware.te 2010-03-18 10:44:42.000000000 -0400 @@ -29,6 +29,10 @@ type vmware_host_exec_t; init_daemon_domain(vmware_host_t, vmware_host_exec_t) @@ -6015,178 +5683,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t type vmware_host_pid_t alias vmware_var_run_t; files_pid_file(vmware_host_pid_t) -@@ -80,6 +84,11 @@ +@@ -79,6 +83,12 @@ + # cjp: the ro and rw files should be split up manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) - ++manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) ++ +manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir }) -+ + manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) - files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.9/policy/modules/apps/wine.fc ---- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/wine.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -1,4 +1,22 @@ --/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -+/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -+/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) -+/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) -+/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) -+/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) -+/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) -+ -+/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -+ -+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0) -+ -+ -+HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) - --/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) --/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.9/policy/modules/apps/wine.if ---- nsaserefpolicy/policy/modules/apps/wine.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/wine.if 2010-02-16 15:08:37.000000000 -0500 -@@ -43,3 +43,121 @@ - wine_domtrans($1) - role $2 types wine_t; - ') -+ -+####################################### -+## -+## The per role template for the wine module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for wine applications. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`wine_role',` -+ gen_require(` -+ type wine_exec_t; -+ ') -+ -+ role $1 types wine_t; -+ -+ domain_auto_trans($2, wine_exec_t, wine_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.15/policy/modules/apps/wine.if +--- nsaserefpolicy/policy/modules/apps/wine.if 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/wine.if 2010-03-18 10:44:42.000000000 -0400 +@@ -35,6 +35,8 @@ + role $1 types wine_t; + + domain_auto_trans($2, wine_exec_t, wine_t) + # Unrestricted inheritance from the caller. + allow $2 wine_t:process { noatsecure siginh rlimitinh }; -+ allow wine_t $2:fd use; -+ allow wine_t $2:process { sigchld signull }; -+ allow wine_t $2:unix_stream_socket connectto; -+ -+ # Allow the user domain to signal/ps. -+ ps_process_pattern($2, wine_t) -+ allow $2 wine_t:process signal_perms; -+ -+ allow $2 wine_t:fd use; -+ allow $2 wine_t:shm { associate getattr }; -+ allow $2 wine_t:shm { unix_read unix_write }; -+ allow $2 wine_t:unix_stream_socket connectto; -+ -+ # X access, Home files -+ manage_dirs_pattern($2, wine_home_t, wine_home_t) -+ manage_files_pattern($2, wine_home_t, wine_home_t) -+ manage_lnk_files_pattern($2, wine_home_t, wine_home_t) -+ relabel_dirs_pattern($2, wine_home_t, wine_home_t) -+ relabel_files_pattern($2, wine_home_t, wine_home_t) -+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) -+') -+ -+####################################### -+## -+## The role template for the wine module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for wine applications. -+##

-+## -+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+template(`wine_role_template',` -+ gen_require(` -+ type wine_exec_t; -+ ') -+ -+ type $1_wine_t; -+ domain_type($1_wine_t) -+ domain_entry_file($1_wine_t, wine_exec_t) -+ role $2 types $1_wine_t; -+ -+ userdom_unpriv_usertype($1, $1_wine_t) -+ userdom_manage_tmpfs_role($2, $1_wine_t) -+ + allow wine_t $2:fd use; + allow wine_t $2:process { sigchld signull }; + allow wine_t $2:unix_stream_socket connectto; +@@ -103,7 +105,14 @@ + userdom_unpriv_usertype($1, $1_wine_t) + userdom_manage_tmpfs_role($2, $1_wine_t) + +- domain_mmap_low($1_wine_t) + domain_mmap_low_type($1_wine_t) + tunable_policy(`mmap_low_allowed',` + domain_mmap_low($1_wine_t) + ') + -+ allow $1_wine_t self:process { execmem execstack }; -+ allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; -+ domtrans_pattern($3, wine_exec_t, $1_wine_t) -+ corecmd_bin_domtrans($1_wine_t, $1_t) -+ -+ optional_policy(` -+ xserver_role($1_r, $1_wine_t) -+ ') -+ + tunable_policy(`wine_mmap_zero_ignore',` + allow $1_wine_t self:memprotect mmap_zero; + ') -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.9/policy/modules/apps/wine.te ---- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/apps/wine.te 2010-02-16 15:08:37.000000000 -0500 + + optional_policy(` + xserver_role($1_r, $1_wine_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.15/policy/modules/apps/wine.te +--- nsaserefpolicy/policy/modules/apps/wine.te 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/apps/wine.te 2010-03-18 10:44:42.000000000 -0400 @@ -1,6 +1,14 @@ - policy_module(wine, 1.6.0) + policy_module(wine, 1.6.1) +## +##

@@ -6199,96 +5742,88 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ######################################## # # Declarations -@@ -9,20 +17,48 @@ - type wine_t; - type wine_exec_t; - application_domain(wine_t, wine_exec_t) -+role system_r types wine_t; -+ -+type wine_tmp_t; -+files_tmp_file(wine_tmp_t) -+ubac_constrained(wine_tmp_t) - - ######################################## - # - # Local policy - # +@@ -30,7 +38,13 @@ + manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) + files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) -+allow wine_t self:process { execstack execmem execheap }; -+allow wine_t self:fifo_file manage_fifo_file_perms; -+ -+can_exec(wine_t, wine_exec_t) -+ -+manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) -+manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) -+files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir }) -+ +-domain_mmap_low(wine_t) +domain_mmap_low_type(wine_t) +tunable_policy(`mmap_low_allowed',` + domain_mmap_low(wine_t) +') -+ -+files_execmod_all_files(wine_t) -+ - userdom_use_user_terminals(wine_t) ++tunable_policy(`wine_mmap_zero_ignore',` ++ dontaudit wine_t self:memprotect mmap_zero; ++') + + files_execmod_all_files(wine_t) + +@@ -41,6 +55,10 @@ + ') optional_policy(` -- allow wine_t self:process { execstack execmem execheap }; -- unconfined_domain_noaudit(wine_t) -- files_execmod_all_files(wine_t) -- -- optional_policy(` -- hal_dbus_chat(wine_t) -- ') -+ hal_dbus_chat(wine_t) -+') -+ -+optional_policy(` -+ unconfined_domain(wine_t) ++ policykit_dbus_chat(wine_t) +') + +optional_policy(` -+ xserver_read_xdm_pid(wine_t) -+ xserver_rw_shm(wine_t) -+') -+ -+tunable_policy(`wine_mmap_zero_ignore',` -+ allow wine_t self:memprotect mmap_zero; + unconfined_domain_noaudit(wine_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.9/policy/modules/kernel/corecommands.fc ---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/corecommands.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -44,15 +44,17 @@ - /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) - /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) -+/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) -+ - /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) - /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.15/policy/modules/apps/wm.if +--- nsaserefpolicy/policy/modules/apps/wm.if 2009-07-27 18:11:17.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/apps/wm.if 2010-03-18 10:44:42.000000000 -0400 +@@ -30,6 +30,7 @@ + template(`wm_role_template',` + gen_require(` + type wm_exec_t; ++ class dbus send_msg; + ') - /etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + type $1_wm_t; +@@ -42,6 +43,12 @@ + allow $1_wm_t self:shm create_shm_perms; + + allow $1_wm_t $3:unix_stream_socket connectto; ++ allow $3 $1_wm_t:unix_stream_socket connectto; ++ allow $3 $1_wm_t:process signal; ++ allow $1_wm_t $3:process signull; ++ ++ allow $1_wm_t $3:dbus send_msg; ++ allow $3 $1_wm_t:dbus send_msg; --/etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0) --/etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0) --/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0) --/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0) -+/etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0) + domtrans_pattern($3, wm_exec_t, $1_wm_t) - /etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -55,6 +62,8 @@ + files_read_etc_files($1_wm_t) + files_read_usr_files($1_wm_t) -@@ -64,6 +66,7 @@ - /etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) ++ fs_getattr_tmpfs($1_wm_t) ++ + mls_file_read_all_levels($1_wm_t) + mls_file_write_all_levels($1_wm_t) + mls_xwin_read_all_levels($1_wm_t) +@@ -72,11 +81,18 @@ - /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) -+/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) + optional_policy(` + dbus_system_bus_client($1_wm_t) ++ dbus_session_bus_client($1_wm_t) ++ ') ++ ++ optional_policy(` ++ pulseaudio_stream_connect($1_wm_t) + ') - /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + optional_policy(` + xserver_role($2, $1_wm_t) ++ xserver_manage_core_devices($1_wm_t) + ') ++ + ') -@@ -144,6 +147,9 @@ + ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.15/policy/modules/kernel/corecommands.fc +--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-03-05 17:14:56.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/kernel/corecommands.fc 2010-03-18 10:44:42.000000000 -0400 +@@ -147,6 +147,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -6298,31 +5833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -214,6 +220,7 @@ - /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) -+/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) -@@ -228,12 +235,15 @@ - /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) - -@@ -323,3 +333,21 @@ +@@ -331,3 +334,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -6344,10 +5855,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.9/policy/modules/kernel/corecommands.if ---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/corecommands.if 2010-02-16 15:08:37.000000000 -0500 -@@ -893,6 +893,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.15/policy/modules/kernel/corecommands.if +--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-03-05 17:14:56.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/kernel/corecommands.if 2010-03-18 10:44:42.000000000 -0400 +@@ -931,6 +931,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) can_exec($1, chroot_exec_t) @@ -6355,33 +5866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') ######################################## -@@ -918,6 +919,25 @@ - - ######################################## - ##

-+## Read all executable files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`corecmd_read_all_executables',` -+ gen_require(` -+ attribute exec_type; -+ ') -+ -+ read_files_pattern($1, exec_type, exec_type) -+') -+ -+######################################## -+## - ## Execute all executable files. - ## - ## -@@ -973,6 +993,7 @@ +@@ -1030,6 +1031,7 @@ type bin_t; ') @@ -6389,37 +5874,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.7.9/policy/modules/kernel/corenetwork.if.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/kernel/corenetwork.if.in 2010-02-16 15:08:37.000000000 -0500 -@@ -1705,6 +1705,24 @@ - - ######################################## - ## -+## dontaudit Read and write the TUN/TAP virtual network device. -+## -+## -+## -+## The domain allowed access. -+## -+## -+# -+interface(`corenet_dontaudit_rw_tun_tap_dev',` -+ gen_require(` -+ type tun_tap_device_t; -+ ') -+ -+ dontaudit $1 tun_tap_device_t:chr_file { read write }; -+') -+ -+######################################## -+## - ## Getattr the point-to-point device. - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.9/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/corenetwork.te.in 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.15/policy/modules/kernel/corenetwork.te.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/kernel/corenetwork.te.in 2010-03-18 10:44:42.000000000 -0400 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -6428,71 +5885,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) -@@ -81,23 +82,27 @@ +@@ -79,6 +80,7 @@ + network_port(audit, tcp,60,s0) + network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) ++network_port(boinc, tcp,31416,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict network_port(certmaster, tcp,51235,s0) --network_port(chronyd, udp,323,s0) - network_port(clamd, tcp,3310,s0) + network_port(chronyd, udp,323,s0) +@@ -86,6 +88,7 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) network_port(cobbler, tcp,25151,s0) +network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0) network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) - network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) -+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0) - network_port(dbskkd, tcp,1178,s0) - network_port(dcc, udp,6276,s0, udp,6277,s0) - network_port(dccm, tcp,5679,s0, udp,5679,s0) --network_port(dhcpc, udp,68,s0) --network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) -+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) -+network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) - network_port(dict, tcp,2628,s0) + network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) +@@ -98,7 +101,9 @@ network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) -+network_port(epmap, udp,135,s0, tcp,135,s0) + network_port(epmap, tcp,135,s0, udp,135,s0) +network_port(festival, tcp,1314,s0) network_port(fingerd, tcp,79,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -110,12 +115,16 @@ - network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) - network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port - network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy -+portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0) -+network_port(chronyd, udp,323,s0) - network_port(i18n_input, tcp,9010,s0) - network_port(imaze, tcp,5323,s0, udp,5323,s0) - network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) - network_port(innd, tcp,119,s0) - network_port(ipmi, udp,623,s0, udp,664,s0) - network_port(ipp, tcp,631,s0, udp,631,s0) -+portcon tcp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0) -+portcon udp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0) - network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) - network_port(ircd, tcp,6667,s0) - network_port(isakmp, udp,500,s0) -@@ -131,8 +140,9 @@ +@@ -132,32 +137,43 @@ network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) network_port(lmtp, tcp,24,s0, udp,24,s0) +network_port(lirc, tcp,8765,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon --network_port(mail, tcp,2000,s0) -+network_port(mail, tcp,2000,s0, tcp,3905,s0) + network_port(mail, tcp,2000,s0, tcp,3905,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -@@ -141,21 +151,29 @@ + network_port(msnp, tcp,1863,s0, udp,1863,s0) ++network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0) + network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) + network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) --network_port(netsupport, tcp,5405,s0, udp,5405,s0) -+network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) ++network_port(netport, tcp,3129,s0, udp,3129,s0) + network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) network_port(ntp, udp,123,s0) +network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0) @@ -6518,7 +5955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -175,33 +193,38 @@ +@@ -177,16 +193,18 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -6526,8 +5963,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) --network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) -+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) +-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) ++network_port(snmp, tcp,161,s0, udp,161,s0, tcp,162,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) network_port(spamd, tcp,783,s0) @@ -6538,75 +5975,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(swat, tcp,901,s0) network_port(syslogd, udp,514,s0) - network_port(telnetd, tcp,23,s0) - network_port(tftp, udp,69,s0) --network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0) -+network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) - network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0) - network_port(transproxy, tcp,8081,s0) --network_port(ups, tcp,3493,s0) - type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon - network_port(uucpd, tcp,540,s0) -+network_port(ups, tcp,3493,s0) +@@ -201,7 +219,7 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) - network_port(virt_migration, tcp,49152,s0) -+portcon tcp 49153-49216 gen_context(system_u:object_r:virt_migration_port_t,s0) - network_port(vnc, tcp,5900,s0) -+# Reserve 100 ports for vnc/virt machines -+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0) + network_port(virt_migration, tcp,49152-49216,s0) +-network_port(vnc, tcp,5900,s0) ++network_port(vnc, tcp,5900-5999,s0) network_port(wccp, udp,2048,s0) --network_port(whois, tcp,43,s0, udp,43,s0) -+network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) + network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) - network_port(xen, tcp,8002,s0) - network_port(xfs, tcp,7100,s0) -@@ -230,6 +253,8 @@ - type node_t, node_type; - sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) - -+typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t }; -+ - # network_node examples: - #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255) - #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.9/policy/modules/kernel/devices.fc ---- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/devices.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -16,13 +16,16 @@ - /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) - /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) - /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) -+/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0) - /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) - /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) - /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) -@@ -61,6 +64,7 @@ - /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) - /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) - /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) - /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) -@@ -80,6 +84,7 @@ - /dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) - /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -+/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) -@@ -101,6 +106,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.15/policy/modules/kernel/devices.fc +--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-03-05 10:46:32.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/kernel/devices.fc 2010-03-18 10:44:42.000000000 -0400 +@@ -108,6 +108,7 @@ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) @@ -6614,124 +5995,90 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -142,6 +148,7 @@ - /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) -+/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) - - /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) - -@@ -159,6 +166,8 @@ - /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) - /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) - -+/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0) -+ - /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) - /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.9/policy/modules/kernel/devices.if ---- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/devices.if 2010-02-16 15:08:37.000000000 -0500 -@@ -436,6 +436,24 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.15/policy/modules/kernel/devices.if +--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/kernel/devices.if 2010-03-18 10:44:42.000000000 -0400 +@@ -934,6 +934,42 @@ ######################################## ## -+## Dontaudit getattr for generic character device files. ++## rw all inherited character device files. +## +## +## -+## Domain to dontaudit access. ++## Domain allowed access. +## +## +# -+interface(`dev_rw_generic_chr_files',` ++interface(`dev_rw_all_inherited_chr_files',` + gen_require(` -+ type device_t; ++ attribute device_node; + ') + -+ allow $1 device_t:chr_file rw_chr_file_perms; ++ allow $1 device_node:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## - ## Dontaudit setattr for generic character device files. - ## - ## -@@ -801,6 +819,24 @@ - - ######################################## - ## -+## Dontaudit write on all block file device nodes. ++## rw all inherited blk device files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_write_all_blk_files',` ++interface(`dev_rw_all_inherited_blk_files',` + gen_require(` + attribute device_node; + ') + -+ dontaudit $1 device_node:blk_file write; ++ allow $1 device_node:blk_file rw_inherited_blk_file_perms; +') + +######################################## +## - ## Dontaudit read on all character file device nodes. + ## Delete all block device files. ## ## -@@ -819,6 +855,24 @@ +@@ -2597,6 +2633,7 @@ + type mtrr_device_t; + ') + ++ dontaudit $1 mtrr_device_t:file write; + dontaudit $1 mtrr_device_t:chr_file write; + ') + +@@ -3440,6 +3477,24 @@ ######################################## ## -+## Dontaudit write on all character file device nodes. ++## Associate a file to a sysfs filesystem. +## -+## ++## +## -+## Domain to not audit. ++## The type of the file to be associated to sysfs. +## +## +# -+interface(`dev_dontaudit_write_all_chr_files',` ++interface(`dev_associate_sysfs',` + gen_require(` -+ attribute device_node; ++ type sysfs_t; + ') + -+ dontaudit $1 device_node:chr_file write; ++ allow $1 sysfs_t:filesystem associate; +') + +######################################## +## - ## Create all block device files. + ## Get the attributes of sysfs directories. ## ## -@@ -855,6 +909,42 @@ +@@ -3733,6 +3788,24 @@ ######################################## ## -+## rw all inherited character device files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_all_inherited_chr_files',` -+ gen_require(` -+ attribute device_node; -+ ') -+ -+ allow $1 device_node:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## -+## rw all inherited blk device files. ++## Read USB monitor devices. +## +## +## @@ -6739,117 +6086,116 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_rw_all_inherited_blk_files',` ++interface(`dev_read_usbmon_dev',` + gen_require(` -+ attribute device_node; ++ type device_t, usbmon_device_t; + ') + -+ allow $1 device_node:blk_file rw_inherited_blk_file_perms; ++ read_chr_files_pattern($1, device_t, usbmon_device_t) +') + +######################################## +## - ## Delete all block device files. + ## Mount a usbfs filesystem. ## ## -@@ -1380,6 +1470,42 @@ - rw_chr_files_pattern($1, device_t, crypt_device_t) - ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.15/policy/modules/kernel/devices.te +--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-03-05 10:46:32.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/kernel/devices.te 2010-03-18 10:44:42.000000000 -0400 +@@ -210,7 +210,7 @@ + files_mountpoint(sysfs_t) + fs_type(sysfs_t) + genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) +- ++ + # + # Type for /dev/tpm + # +@@ -239,6 +239,12 @@ + dev_node(usb_device_t) -+####################################### -+## -+## Set the attributes of the dlm control devices. -+## -+## -+## -+## Domain allowed access. -+## -+## + # ++# usb_device_t is the type for /dev/usbmon +# -+interface(`dev_setattr_dlm_control',` -+ gen_require(` -+ type device_t, kvm_device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, dlm_control_device_t) -+') ++type usbmon_device_t; ++dev_node(usbmon_device_t) + -+####################################### -+## -+## Read and write the the dlm control device -+## -+## -+## -+## Domain allowed access. -+## -+## +# -+interface(`dev_rw_dlm_control',` -+ gen_require(` -+ type device_t, dlm_control_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, dlm_control_device_t) -+') + # userio_device_t is the type for /dev/uio[0-9]+ + # + type userio_device_t; +@@ -289,5 +295,6 @@ + # + + allow devices_unconfined_type self:capability sys_rawio; +-allow devices_unconfined_type device_node:{ blk_file chr_file } *; ++allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; + allow devices_unconfined_type mtrr_device_t:file *; + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.15/policy/modules/kernel/domain.if +--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/kernel/domain.if 2010-03-18 10:44:42.000000000 -0400 +@@ -611,7 +611,7 @@ + ######################################## ## - ## getattr the dri devices. -@@ -1710,6 +1836,24 @@ +-## Get the attributes of all domains of all domains. ++## Get the attributes of all domains. + ## + ## + ## +@@ -630,7 +630,7 @@ ######################################## ## -+## Write to the kernel messages device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_write_kmsg',` -+ gen_require(` -+ type device_t, kmsg_device_t; -+ ') -+ -+ write_chr_files_pattern($1, device_t, kmsg_device_t) -+') -+ -+######################################## -+## - ## Get the attributes of the ksm devices. +-## Get the attributes of all domains of all domains. ++## Dontaudit geting the attributes of all domains. ## ## -@@ -1999,6 +2143,24 @@ + ## +@@ -1372,18 +1372,34 @@ + ## + ## + # +-interface(`domain_mmap_low',` ++interface(`domain_mmap_low_type',` + gen_require(` + attribute mmap_low_domain_type; + ') + +- allow $1 self:memprotect mmap_zero; +- + typeattribute $1 mmap_low_domain_type; + ') ######################################## ## -+## dontaudit getattr raw memory devices (e.g. /dev/mem). ++## Ability to mmap a low area of the address space, ++## as configured by /proc/sys/kernel/mmap_min_addr. ++## Preventing such mappings helps protect against ++## exploiting null deref bugs in the kernel. +## +## +## -+## Domain allowed access. ++## Domain allowed to mmap low memory. +## +## +# -+interface(`dev_dontaudit_read_memory_dev',` -+ gen_require(` -+ type memory_device_t; -+ ') ++interface(`domain_mmap_low',` + -+ dontaudit $1 memory_device_t:chr_file read_chr_file_perms; ++ allow $1 self:memprotect mmap_zero; +') + +######################################## +## - ## Read raw memory devices (e.g. /dev/mem). - ## - ## -@@ -2450,6 +2612,24 @@ + ## Allow specified type to receive labeled + ## networking packets from all domains, over + ## all protocols (TCP, UDP, etc) +@@ -1422,6 +1438,24 @@ ######################################## ## -+## Dontaudit write the memory type range registers (MTRR). ++## Polyinstatiated access to domains. +## +## +## @@ -6857,24 +6203,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_dontaudit_write_mtrr',` ++interface(`domain_poly',` + gen_require(` -+ type mtrr_device_t; ++ attribute polydomain; + ') + -+ dontaudit $1 mtrr_device_t:chr_file write; ++ typeattribute $1 polydomain; +') + +######################################## +## - ## Get the attributes of the network control device + ## Unconfined access to domains. ## ## -@@ -3515,6 +3695,24 @@ - - ######################################## - ## -+## Read USB monitor devices. +@@ -1445,3 +1479,22 @@ + typeattribute $1 set_curr_context; + typeattribute $1 process_uncond_exempt; + ') ++ ++######################################## ++## ++## Do not audit attempts to read or write ++## all leaked sockets. +## +## +## @@ -6882,369 +6232,81 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +## +## +# -+interface(`dev_read_usbmon_dev',` ++interface(`domain_dontaudit_leaks',` + gen_require(` -+ type device_t, usbmon_device_t; ++ attribute domain; + ') + -+ read_chr_files_pattern($1, device_t, usbmon_device_t) ++ dontaudit $1 domain:socket_class_set { read write }; +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.15/policy/modules/kernel/domain.te +--- nsaserefpolicy/policy/modules/kernel/domain.te 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/kernel/domain.te 2010-03-18 10:44:42.000000000 -0400 +@@ -5,6 +5,21 @@ + # + # Declarations + # ++## ++##

++## Allow all domains to use other domains file descriptors ++##

++## ++# ++gen_tunable(allow_domain_fd_use, true) + -+######################################## -+## - ## Mount a usbfs filesystem. - ## - ## -@@ -3703,6 +3901,24 @@ - getattr_chr_files_pattern($1, device_t, v4l_device_t) - ') - -+###################################### -+## -+## Read or write userio device. -+## -+## -+## -+## Domain allowed access. -+## -+## ++## ++##

++## Allow all domains to have the kernel load modules ++##

++## +# -+interface(`dev_rw_userio_dev',` -+ gen_require(` -+ type device_t, userio_device_t; -+ ') ++gen_tunable(domain_kernel_load_modules, false) + + # Mark process types as domains + attribute domain; +@@ -15,6 +30,8 @@ + # Domains that are unconfined + attribute unconfined_domain_type; + ++attribute polydomain; + -+ rw_chr_files_pattern($1, device_t, userio_device_t) -+') + # Domains that can mmap low memory. + attribute mmap_low_domain_type; + neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; +@@ -80,14 +97,17 @@ + allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; + allow domain self:file rw_file_perms; + kernel_read_proc_symlinks(domain) ++kernel_read_crypto_sysctls(domain) + - ######################################## - ## - ## Do not audit attempts to get the attributes -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.9/policy/modules/kernel/devices.te ---- nsaserefpolicy/policy/modules/kernel/devices.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/devices.te 2010-02-16 15:08:37.000000000 -0500 -@@ -59,6 +59,12 @@ - type crypt_device_t; - dev_node(crypt_device_t) + # Every domain gets the key ring, so we should default + # to no one allowed to look at it; afs kernel support creates + # a keyring + kernel_dontaudit_search_key(domain) + kernel_dontaudit_link_key(domain) ++kernel_dontaudit_search_debugfs(domain) -+# -+# dlm_misc_device_t is the type of /dev/misc/dlm.* -+# -+type dlm_control_device_t; -+dev_node(dlm_control_device_t) -+ - type dri_device_t; - dev_node(dri_device_t) + # create child processes in the domain +-allow domain self:process { fork sigchld }; ++allow domain self:process { fork getsched sigchld }; -@@ -232,6 +238,18 @@ - type usb_device_t; - dev_node(usb_device_t) + # Use trusted objects in /dev + dev_rw_null(domain) +@@ -97,6 +117,13 @@ + # list the root directory + files_list_root(domain) -+# -+# usb_device_t is the type for /dev/usbmon -+# -+type usbmon_device_t; -+dev_node(usbmon_device_t) ++# All executables should be able to search the directory they are in ++corecmd_search_bin(domain) + -+# -+# userio_device_t is the type for /dev/uio[0-9]+ -+# -+type userio_device_t; -+dev_node(userio_device_t) -+ - type v4l_device_t; - dev_node(v4l_device_t) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.9/policy/modules/kernel/domain.if ---- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/kernel/domain.if 2010-02-16 15:08:37.000000000 -0500 -@@ -44,34 +44,6 @@ - interface(`domain_type',` - # start with basic domain - domain_base_type($1) -- -- ifdef(`distro_redhat',` -- optional_policy(` -- unconfined_use_fds($1) -- ') -- ') -- -- # send init a sigchld and signull -- optional_policy(` -- init_sigchld($1) -- init_signull($1) -- ') -- -- # these seem questionable: -- -- optional_policy(` -- rpm_use_fds($1) -- rpm_read_pipes($1) -- ') -- -- optional_policy(` -- selinux_dontaudit_getattr_fs($1) -- selinux_dontaudit_read_fs($1) -- ') -- -- optional_policy(` -- seutil_dontaudit_read_config($1) -- ') - ') - - ######################################## -@@ -746,10 +718,6 @@ - dontaudit $1 domain:dir list_dir_perms; - dontaudit $1 domain:lnk_file read_lnk_file_perms; - dontaudit $1 domain:file read_file_perms; -- -- # cjp: these should be removed: -- dontaudit $1 domain:sock_file read_sock_file_perms; -- dontaudit $1 domain:fifo_file read_fifo_file_perms; - ') - - ######################################## -@@ -791,6 +759,24 @@ - - ######################################## - ## -+## Get the scheduler information of all domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`domain_getsched_all_domains',` -+ gen_require(` -+ attribute domain; -+ ') -+ -+ allow $1 domain:process getsched; -+') -+ -+######################################## -+## - ## Do not audit attempts to get the - ## session ID of all domains. - ## -@@ -1039,6 +1025,54 @@ - - ######################################## - ## -+## Get the attributes -+## of all domains unix datagram sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`domain_getattr_all_stream_sockets',` -+ gen_require(` -+ attribute domain; -+ ') -+ -+ allow $1 domain:unix_stream_socket getattr; -+') -+ -+######################################## -+## -+## Get the attributes of all domains -+## unnamed pipes. -+## -+## -+##

-+## Get the attributes of all domains -+## unnamed pipes. -+##

-+##

-+## This is commonly used for domains -+## that can use lsof on all domains. -+##

-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`domain_getattr_all_pipes',` -+ gen_require(` -+ attribute domain; -+ ') -+ -+ allow $1 domain:fifo_file getattr; -+') -+ -+######################################## -+## - ## Do not audit attempts to get the attributes - ## of all domains unnamed pipes. - ## -@@ -1248,18 +1282,34 @@ - ## - ## - # --interface(`domain_mmap_low',` -+interface(`domain_mmap_low_type',` - gen_require(` - attribute mmap_low_domain_type; - ') - -- allow $1 self:memprotect mmap_zero; -- - typeattribute $1 mmap_low_domain_type; - ') - - ######################################## - ## -+## Ability to mmap a low area of the address space, -+## as configured by /proc/sys/kernel/mmap_min_addr. -+## Preventing such mappings helps protect against -+## exploiting null deref bugs in the kernel. -+## -+## -+## -+## Domain allowed to mmap low memory. -+## -+## -+# -+interface(`domain_mmap_low',` -+ -+ allow $1 self:memprotect mmap_zero; -+') -+ -+######################################## -+## - ## Allow specified type to receive labeled - ## networking packets from all domains, over - ## all protocols (TCP, UDP, etc) -@@ -1280,6 +1330,24 @@ - - ######################################## - ## -+## Polyinstatiated access to domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`domain_poly',` -+ gen_require(` -+ attribute polydomain; -+ ') -+ -+ typeattribute $1 polydomain; -+') -+ -+######################################## -+## - ## Unconfined access to domains. - ## - ## -@@ -1304,3 +1372,39 @@ - typeattribute $1 process_uncond_exempt; - ') - -+######################################## -+## -+## Send generic signals to the unconfined domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`domain_unconfined_signal',` -+ gen_require(` -+ attribute unconfined_domain_type; -+ ') -+ -+ allow $1 unconfined_domain_type:process signal; -+') -+ -+######################################## -+## -+## Do not audit attempts to read or write -+## all leaked sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`domain_dontaudit_leaks',` -+ gen_require(` -+ attribute domain; -+ ') -+ -+ dontaudit $1 domain:socket_class_set { read write }; -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.9/policy/modules/kernel/domain.te ---- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/kernel/domain.te 2010-02-16 15:08:37.000000000 -0500 -@@ -5,6 +5,21 @@ - # - # Declarations - # -+## -+##

-+## Allow all domains to use other domains file descriptors -+##

-+## -+# -+gen_tunable(allow_domain_fd_use, true) -+ -+## -+##

-+## Allow all domains to have the kernel load modules -+##

-+## -+# -+gen_tunable(domain_kernel_load_modules, false) - - # Mark process types as domains - attribute domain; -@@ -15,6 +30,8 @@ - # Domains that are unconfined - attribute unconfined_domain_type; - -+attribute polydomain; -+ - # Domains that can mmap low memory. - attribute mmap_low_domain_type; - neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; -@@ -80,6 +97,8 @@ - allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; - allow domain self:file rw_file_perms; - kernel_read_proc_symlinks(domain) -+kernel_read_crypto_sysctls(domain) -+ - # Every domain gets the key ring, so we should default - # to no one allowed to look at it; afs kernel support creates - # a keyring -@@ -97,6 +116,13 @@ - # list the root directory - files_list_root(domain) - -+# All executables should be able to search the directory they are in -+corecmd_search_bin(domain) -+ -+tunable_policy(`domain_kernel_load_modules',` -+ kernel_request_load_module(domain) -+') ++tunable_policy(`domain_kernel_load_modules',` ++ kernel_request_load_module(domain) ++') + tunable_policy(`global_ssp',` # enable reading of urandom for all domains: # this should be enabled when all programs -@@ -106,6 +132,10 @@ +@@ -106,6 +133,10 @@ ') optional_policy(` @@ -7255,7 +6317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain libs_use_ld_so(domain) libs_use_shared_libs(domain) ') -@@ -118,6 +148,7 @@ +@@ -118,6 +149,7 @@ optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -7263,7 +6325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ') ######################################## -@@ -136,6 +167,8 @@ +@@ -136,6 +168,8 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; @@ -7272,7 +6334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -153,3 +186,74 @@ +@@ -153,3 +187,76 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -7306,9 +6368,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +optional_policy(` + rpm_use_fds(domain) + rpm_read_pipes(domain) ++ rpm_search_log(domain) ++ rpm_append_tmp(domain) + rpm_dontaudit_leaks(domain) + rpm_read_script_tmp_files(domain) -+ rpm_inerited_fifo(domain) ++ rpm_inherited_fifo(domain) +') + + @@ -7347,9 +6411,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.9/policy/modules/kernel/files.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.15/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/kernel/files.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/kernel/files.fc 2010-03-18 10:44:42.000000000 -0400 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -7383,7 +6447,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) -@@ -229,6 +236,8 @@ +@@ -93,7 +100,7 @@ + # HOME_ROOT + # expanded by genhomedircon + # +-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) ++HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) + HOME_ROOT/\.journal <> + HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + HOME_ROOT/lost\+found/.* <> +@@ -205,15 +212,19 @@ + /usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + /usr/local/lost\+found/.* <> + ++ifndef(`distro_redhat',` + /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) ++') + + /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + /usr/lost\+found/.* <> + + /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) + ++ifndef(`distro_redhat',` + /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) + /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ++') + + /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) + /usr/tmp/.* <> +@@ -229,6 +240,8 @@ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -7392,10 +6485,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.9/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/files.if 2010-02-16 15:08:37.000000000 -0500 -@@ -932,10 +932,8 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.15/policy/modules/kernel/files.if +--- nsaserefpolicy/policy/modules/kernel/files.if 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/kernel/files.if 2010-03-18 10:44:42.000000000 -0400 +@@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -7408,7 +6501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1307,6 +1305,24 @@ +@@ -1428,6 +1426,42 @@ ######################################## ## @@ -7430,10 +6523,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + +######################################## +## ++## Write all mount points. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_write_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ allow $1 mountpoint:dir write; ++') ++ ++######################################## ++## ## List the contents of the root directory. ## ## -@@ -1431,6 +1447,24 @@ +@@ -1552,6 +1586,24 @@ ######################################## ## @@ -7458,16 +6569,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Remove entries from the root directory. ## ## -@@ -2125,6 +2159,8 @@ - allow $1 etc_t:dir list_dir_perms; - read_files_pattern($1, etc_t, etc_t) - read_lnk_files_pattern($1, etc_t, etc_t) -+ files_read_etc_runtime_files($1) -+ files_read_config_files($1) - ') +@@ -1697,6 +1749,24 @@ ######################################## -@@ -2207,6 +2243,24 @@ + ## ++## manage directories in /boot ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_boot_dirs',` ++ gen_require(` ++ type boot_t; ++ ') ++ ++ allow $1 boot_t:dir manage_dir_perms; ++') ++ ++######################################## ++## + ## Create a private type object in boot + ## with an automatic type transition + ## +@@ -1740,7 +1810,7 @@ + type boot_t; + ') + +- manage_files_pattern($1, boot_t, boot_t) ++ read_files_pattern($1, boot_t, boot_t) + ') + + ######################################## +@@ -2209,6 +2279,24 @@ + allow $1 etc_t:dir rw_dir_perms; + ') + ++######################################## ++## ++## Do not audit attempts to write to /etc dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_write_etc_dirs',` ++ gen_require(` ++ type etc_t; ++ ') ++ ++ dontaudit $1 etc_t:dir write; ++') ++ + ########################################## + ## + ## Manage generic directories in /etc +@@ -2280,6 +2368,8 @@ + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, etc_t) + read_lnk_files_pattern($1, etc_t, etc_t) ++ files_read_etc_runtime_files($1) ++ files_read_config_files($1) + ') + + ######################################## +@@ -2362,6 +2452,24 @@ ######################################## ## @@ -7492,19 +6662,157 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Execute generic files in /etc. ## ## -@@ -2612,6 +2666,11 @@ - ') +@@ -2789,6 +2897,101 @@ - delete_files_pattern($1, file_t, file_t) + ######################################## + ## ++## Delete lnk_files on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_isid_type_symlinks',` ++ gen_require(` ++ type file_t; ++ ') ++ + delete_lnk_files_pattern($1, file_t, file_t) ++') ++ ++######################################## ++## ++## Delete fifo files on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_isid_type_fifo_files',` ++ gen_require(` ++ type file_t; ++ ') ++ + delete_fifo_files_pattern($1, file_t, file_t) ++') ++ ++######################################## ++## ++## Delete sock files on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_isid_type_sock_files',` ++ gen_require(` ++ type file_t; ++ ') ++ + delete_sock_files_pattern($1, file_t, file_t) ++') ++ ++######################################## ++## ++## Delete blk files on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_isid_type_blk_files',` ++ gen_require(` ++ type file_t; ++ ') ++ + delete_blk_files_pattern($1, file_t, file_t) ++') ++ ++######################################## ++## ++## Delete chr files on new filesystems ++## that have not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_isid_type_chr_files',` ++ gen_require(` ++ type file_t; ++ ') ++ + delete_chr_files_pattern($1, file_t, file_t) ++') ++ ++######################################## ++## + ## Create, read, write, and delete files + ## on new filesystems that have not yet been labeled. + ## +@@ -2899,6 +3102,7 @@ + ') + + allow $1 home_root_t:dir getattr; ++ allow $1 home_root_t:lnk_file getattr; + ') + + ######################################## +@@ -2919,6 +3123,7 @@ + ') + + dontaudit $1 home_root_t:dir getattr; ++ dontaudit $1 home_root_t:lnk_file getattr; ') ######################################## -@@ -3329,6 +3388,64 @@ +@@ -2937,6 +3142,7 @@ + ') + + allow $1 home_root_t:dir search_dir_perms; ++ allow $1 home_root_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -2956,6 +3162,7 @@ + ') + + dontaudit $1 home_root_t:dir search_dir_perms; ++ dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -2975,6 +3182,7 @@ + ') + + dontaudit $1 home_root_t:dir list_dir_perms; ++ dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -2993,6 +3201,7 @@ + ') + + allow $1 home_root_t:dir list_dir_perms; ++ allow $1 home_root_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -3520,6 +3729,64 @@ allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -7569,7 +6877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Allow the specified type to associate -@@ -3514,6 +3631,32 @@ +@@ -3705,6 +3972,32 @@ ######################################## ## @@ -7602,38 +6910,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3727,6 +3870,8 @@ +@@ -3918,6 +4211,13 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) + files_delete_isid_type_dirs($1) + files_delete_isid_type_files($1) ++ files_delete_isid_type_symlinks($1) ++ files_delete_isid_type_fifo_files($1) ++ files_delete_isid_type_sock_files($1) ++ files_delete_isid_type_blk_files($1) ++ files_delete_isid_type_chr_files($1) ') ######################################## -@@ -3835,7 +3980,12 @@ +@@ -4026,7 +4326,7 @@ type usr_t; ') - allow $1 usr_t:file delete_file_perms; + delete_files_pattern($1, usr_t, usr_t) -+ delete_lnk_files_pattern($1, usr_t, usr_t) -+ delete_fifo_files_pattern($1, usr_t, usr_t) -+ delete_sock_files_pattern($1, usr_t, usr_t) -+ delete_blk_files_pattern($1, usr_t, usr_t) -+ delete_chr_files_pattern($1, usr_t, usr_t) ') ######################################## -@@ -3874,6 +4024,7 @@ - allow $1 usr_t:dir list_dir_perms; - read_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) -+ files_read_usr_src_files($1) - ') - - ######################################## -@@ -3898,6 +4049,24 @@ +@@ -4107,6 +4407,24 @@ ######################################## ## @@ -7658,32 +6958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## dontaudit write of /usr files ## ## -@@ -4518,6 +4687,24 @@ - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - -+######################################## -+## -+## Search the /var/log directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_var_log',` -+ gen_require(` -+ type var_t, var_log_t; -+ ') -+ -+ search_dirs_pattern($1, var_t, var_log_t) -+') -+ - # cjp: the next two interfaces really need to be fixed - # in some way. They really neeed their own types. - -@@ -4790,6 +4977,25 @@ +@@ -5032,6 +5350,25 @@ search_dirs_pattern($1, var_t, var_run_t) ') @@ -7709,7 +6984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -4849,6 +5055,24 @@ +@@ -5091,6 +5428,24 @@ ######################################## ## @@ -7731,10 +7006,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + +######################################## +## - ## Create an object in the process ID directory, with a private - ## type using a type transition. + ## Create an object in the process ID directory, with a private type. ## -@@ -4898,6 +5122,24 @@ + ## +@@ -5166,6 +5521,24 @@ ######################################## ## @@ -7759,7 +7034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Do not audit attempts to write to daemon runtime data files. ## ## -@@ -4951,6 +5193,7 @@ +@@ -5219,6 +5592,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -7767,7 +7042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5019,6 +5262,24 @@ +@@ -5287,6 +5661,24 @@ ######################################## ## @@ -7792,7 +7067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5207,12 +5468,15 @@ +@@ -5475,12 +5867,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -7809,7 +7084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5233,3 +5497,212 @@ +@@ -5501,3 +5896,211 @@ typeattribute $1 files_unconfined_type; ') @@ -7830,7 +7105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +## +## +# -+interface(`files_dump_core',` ++interface(`files_manage_root_files',` + gen_require(` + type root_t; + ') @@ -7840,11 +7115,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + +######################################## +## -+## Create a default directory in / ++## Create a default directory +## +## +##

-+## Create a default_t direcrory in / ++## Create a default_t direcrory +##

+## +## @@ -7856,30 +7131,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +# +interface(`files_create_default_dir',` + gen_require(` -+ type root_t, default_t; ++ type default_t; + ') + + allow $1 default_t:dir create; -+ filetrans_pattern($1, root_t, default_t, dir) +') + +######################################## +## -+## manage generic symbolic links -+## in the /var/run directory. ++## Create, default_t objects with an automatic ++## type transition. +## +## +## +## Domain allowed access. +## +## ++## ++## ++## The class of the object being created. ++## ++## +# -+interface(`files_manage_generic_pids_symlinks',` -+ gen_require(` -+ type var_run_t; -+ ') ++interface(`files_root_filetrans_default',` ++ gen_require(` ++ type root_t, default_t; ++ ') + -+ manage_lnk_files_pattern($1,var_run_t,var_run_t) ++ filetrans_pattern($1, root_t, default_t, $2) +') + +######################################## @@ -7893,17 +7172,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +## +## +# -+interface(`files_boot',` ++interface(`files_manage_generic_pids_symlinks',` + gen_require(` -+ type root_t; ++ type var_run_t; + ') + -+ allow $1 root_t:blk_file manage_blk_file_perms; -+ allow $1 root_t:chr_file manage_chr_file_perms; -+ manage_dirs_pattern($1, root_t, root_t) -+ manage_files_pattern($1, root_t, root_t) -+ manage_lnk_files_pattern($1, root_t, root_t) -+ can_exec(kernel_t, root_t) ++ manage_lnk_files_pattern($1,var_run_t,var_run_t) +') + +######################################## @@ -8022,17 +7296,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.9/policy/modules/kernel/files.te ---- nsaserefpolicy/policy/modules/kernel/files.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/files.te 2010-02-16 15:08:37.000000000 -0500 -@@ -43,6 +43,7 @@ - # - type boot_t; - files_mountpoint(boot_t) -+dev_node(boot_t) - - # default_t is the default type for files that do not - # match any specification in the file_contexts configuration +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.15/policy/modules/kernel/files.te +--- nsaserefpolicy/policy/modules/kernel/files.te 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/kernel/files.te 2010-03-18 10:44:42.000000000 -0400 +@@ -12,6 +12,7 @@ + attribute mountpoint; + attribute pidfile; + attribute configfile; ++attribute etcfile; + + # For labeling types that are to be polyinstantiated + attribute polydir; @@ -59,6 +60,15 @@ typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; @@ -8057,86 +7331,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.9/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/filesystem.if 2010-02-16 15:08:37.000000000 -0500 -@@ -906,7 +906,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.15/policy/modules/kernel/filesystem.if +--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-12 11:48:14.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/kernel/filesystem.if 2010-03-18 10:44:42.000000000 -0400 +@@ -1141,7 +1141,7 @@ type cifs_t; ') -- dontaudit $1 cifs_t:file { read write }; +- dontaudit $1 cifs_t:file rw_file_perms; + dontaudit $1 cifs_t:file rw_inherited_file_perms; ') ######################################## -@@ -1459,6 +1459,25 @@ +@@ -1899,6 +1899,7 @@ + ') + + allow $1 inotifyfs_t:dir list_dir_perms; ++ fs_read_anon_inodefs_files($1) + ') ######################################## - ## -+## Do not audit attempts to list the contents -+## of directories on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_list_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ -+ dontaudit $1 fusefs_t:dir list_dir_perms; -+') -+ -+######################################## -+## - ## Create, read, write, and delete directories - ## on a FUSEFS filesystem. - ## -@@ -1613,6 +1632,36 @@ +@@ -2349,7 +2350,7 @@ + type nfs_t; + ') + +- dontaudit $1 nfs_t:file rw_file_perms; ++ dontaudit $1 nfs_t:file rw_inherited_file_perms; + ') ######################################## - ## -+## Create an object in a hugetlbfs filesystem, with a private -+## type using a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+# -+interface(`fs_hugetlbfs_filetrans',` -+ gen_require(` -+ type hugetlbfs_t; -+ ') -+ -+ allow $2 hugetlbfs_t:filesystem associate; -+ filetrans_pattern($1, hugetlbfs_t, $2, $3) -+') +@@ -4549,3 +4550,24 @@ + relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) + relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) + ') + +######################################## +## - ## Search inotifyfs filesystem. - ## - ## -@@ -1649,6 +1698,24 @@ - - ######################################## - ## -+## Dontaudit List inotifyfs filesystem. ++## Do not audit attempts to read or write ++## all leaked filesystems files. +## +## +## @@ -8144,340 +7376,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +## +## +# -+interface(`fs_dontaudit_list_inotifyfs',` ++interface(`fs_dontaudit_leaks',` + gen_require(` -+ type inotifyfs_t; ++ attribute filesystem_type; + ') + -+ dontaudit $1 inotifyfs_t:dir list_dir_perms; ++ dontaudit $1 filesystem_type:file rw_inherited_file_perms; ++ dontaudit $1 filesystem_type:lnk_file { read }; +') + -+######################################## -+## - ## Mount an iso9660 filesystem, which - ## is usually used on CDs. - ## -@@ -2047,7 +2114,7 @@ - type nfs_t; - ') - -- dontaudit $1 nfs_t:file rw_file_perms; -+ dontaudit $1 nfs_t:file rw_inherited_file_perms; - ') - - ######################################## -@@ -2069,6 +2136,25 @@ - read_lnk_files_pattern($1, nfs_t, nfs_t) - ') - -+######################################## -+## -+## Dontaudit read symbolic links on a NFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_dontaudit_read_nfs_symlinks',` -+ gen_require(` -+ type nfs_t; -+ ') -+ -+ allow $1 nfs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, nfs_t, nfs_t) -+') -+ - ######################################### - ## - ## Read named sockets on a NFS filesystem. -@@ -3458,6 +3544,24 @@ - - ######################################## - ## -+## Read generic tmpfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_read_tmpfs_files',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ read_files_pattern($1, tmpfs_t, tmpfs_t) -+') -+ -+######################################## -+## - ## Read and write generic tmpfs files. - ## - ## -@@ -3684,6 +3788,24 @@ - - ######################################## - ## -+## Search the XENFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_search_xenfs',` -+ gen_require(` -+ type xenfs_t; -+ ') -+ -+ allow $1 xenfs_t:dir search_dir_perms; -+') -+ -+######################################## -+## - ## Mount a XENFS filesystem. - ## - ## -@@ -4181,3 +4303,214 @@ - relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) - ') -+ -+######################################## -+## -+## list dirs on cgroup -+## file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_list_cgroup_dirs', ` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ -+ list_dirs_pattern($1, cgroup_t, cgroup_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to read -+## dirs on a CIFS or SMB filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_list_cifs_dirs',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ dontaudit $1 cifs_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Manage dirs on cgroup file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_manage_cgroup_dirs',` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ manage_dirs_pattern($1, cgroup_t, cgroup_t) -+') -+ -+######################################## -+## -+## Read files on cgroup -+## file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_read_cgroup_files',` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ -+ read_files_pattern($1, cgroup_t, cgroup_t) -+') -+ -+######################################## -+## -+## Read and write files on cgroup -+## file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_rw_cgroup_files',` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ -+ rw_files_pattern($1, cgroup_t, cgroup_t) -+') -+######################################## -+## -+## Mount a cgroup filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mount_cgroup_fs', ` -+ gen_require(` -+ type cgroup_t; -+ ') -+ -+ allow $1 cgroup_t:filesystem mount; -+') -+ -+######################################## -+## -+## Remount a cgroup filesystem This allows -+## some mount options to be changed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_remount_cgroup_fs', ` -+ gen_require(` -+ type cgroup_t; -+ ') -+ -+ allow $1 cgroup_t:filesystem remount; -+') -+ -+######################################## -+## -+## Unmount a cgroup file system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_unmount_cgroup_fs', ` -+ gen_require(` -+ type cgroup_t; -+ ') -+ -+ allow $1 cgroup_t:filesystem unmount; -+') -+ -+######################################## -+## -+## Set attributes of files on cgroup -+## file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_setattr_cgroup_files',` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ -+ setattr_files_pattern($1, cgroup_t, cgroup_t) -+') -+ -+######################################## -+## -+## Write files on cgroup -+## file systems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_write_cgroup_files', ` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ -+ write_files_pattern($1, cgroup_t, cgroup_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to read or write -+## all leaked filesystems files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_dontaudit_leaks',` -+ gen_require(` -+ attribute filesystem_type; -+ ') -+ -+ dontaudit $1 filesystem_type:file rw_inherited_file_perms; -+ dontaudit $1 filesystem_type:lnk_file { read }; -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.9/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/filesystem.te 2010-02-16 15:08:37.000000000 -0500 -@@ -29,6 +29,7 @@ - fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); -+fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); -@@ -93,6 +94,8 @@ - type hugetlbfs_t; - fs_type(hugetlbfs_t) - files_mountpoint(hugetlbfs_t) -+files_type(hugetlbfs_t) -+files_poly_parent(hugetlbfs_t) - fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); - - type ibmasmfs_t; -@@ -171,6 +174,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.15/policy/modules/kernel/filesystem.te +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-03-12 11:48:14.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/kernel/filesystem.te 2010-03-18 10:44:42.000000000 -0400 +@@ -172,6 +172,7 @@ fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); @@ -8485,42 +7396,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy allow tmpfs_t noxattrfs:filesystem associate; -@@ -205,6 +209,7 @@ - # - type dosfs_t; - fs_noxattr_type(dosfs_t) -+files_mountpoint(dosfs_t) - allow dosfs_t fs_t:filesystem associate; - genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) - genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) -@@ -216,6 +221,7 @@ - - type fusefs_t; - fs_noxattr_type(fusefs_t) -+files_mountpoint(fusefs_t) - allow fusefs_t self:filesystem associate; - allow fusefs_t fs_t:filesystem associate; - genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) -@@ -228,6 +234,7 @@ - # - type iso9660_t; - fs_noxattr_type(iso9660_t) -+files_mountpoint(iso9660_t) - genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0) - genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) - -@@ -238,6 +245,7 @@ +@@ -242,6 +243,7 @@ + type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) - files_type(removable_t) -+files_mountpoint(removable_t) ++files_type(removable_t) + files_mountpoint(removable_t) # - # nfs_t is the default type for NFS file systems -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.9/policy/modules/kernel/kernel.if ---- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/kernel.if 2010-02-16 15:08:37.000000000 -0500 -@@ -1849,7 +1849,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.15/policy/modules/kernel/kernel.if +--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/kernel/kernel.if 2010-03-18 10:44:42.000000000 -0400 +@@ -1959,7 +1959,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -8529,33 +7416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') ######################################## -@@ -1920,6 +1920,25 @@ - - ######################################## - ## -+## Mount a kernel unlabeled filesystem. -+## -+## -+## -+## The type of the domain mounting the filesystem. -+## -+## -+# -+interface(`kernel_mount_unlabeled',` -+ gen_require(` -+ type unlabeled_t; -+ ') -+ -+ allow $1 unlabeled_t:filesystem mount; -+') -+ -+ -+######################################## -+## - ## Send general signals to unlabeled processes. - ## - ## -@@ -2663,6 +2682,24 @@ +@@ -2792,6 +2792,24 @@ ######################################## ## @@ -8580,7 +7441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Unconfined access to kernel module resources. ## ## -@@ -2678,3 +2715,22 @@ +@@ -2807,3 +2825,22 @@ typeattribute $1 kern_unconfined; ') @@ -8603,9 +7464,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel + + allow $1 kernel_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.9/policy/modules/kernel/kernel.te ---- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/kernel.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.15/policy/modules/kernel/kernel.te +--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/kernel/kernel.te 2010-03-18 10:44:42.000000000 -0400 @@ -64,6 +64,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -8679,15 +7540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ######################################## # # Unlabeled process local policy -@@ -388,3 +411,5 @@ - allow kern_unconfined unlabeled_t:association *; - allow kern_unconfined unlabeled_t:packet *; - allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; -+ -+files_boot(kernel_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.9/policy/modules/kernel/selinux.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.15/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/kernel/selinux.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/kernel/selinux.if 2010-03-18 10:44:42.000000000 -0400 @@ -40,7 +40,7 @@ # because of this statement, any module which @@ -8745,78 +7600,111 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu + fs_type($1) + mls_trusted_object($1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.9/policy/modules/kernel/storage.fc ---- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/storage.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -14,6 +14,7 @@ - /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0) - /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.9/policy/modules/kernel/storage.if ---- nsaserefpolicy/policy/modules/kernel/storage.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/storage.if 2010-02-16 15:08:37.000000000 -0500 -@@ -304,6 +304,7 @@ - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms; -+ dontaudit $1 fixed_disk_device_t:lnk_file relabelto_lnk_file_perms; - ') - - ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.9/policy/modules/kernel/terminal.if ---- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/kernel/terminal.if 2010-02-16 15:08:37.000000000 -0500 -@@ -273,9 +273,11 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.15/policy/modules/kernel/terminal.if +--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/kernel/terminal.if 2010-03-18 10:44:42.000000000 -0400 +@@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; + type tty_device_t; ') - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; -+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; +- dontaudit $1 console_device_t:chr_file rw_chr_file_perms; ++ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms; ++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/dbadm.if serefpolicy-3.7.9/policy/modules/roles/dbadm.if ---- nsaserefpolicy/policy/modules/roles/dbadm.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/roles/dbadm.if 2010-02-16 15:08:37.000000000 -0500 -@@ -12,8 +12,8 @@ - ## - # - interface(`dbadm_role_change',` -- get_require(` -- role dbadm_r' +@@ -672,6 +674,25 @@ + + ######################################## + ## ++## Do not audit attempts to get attributes ++## on the pty multiplexor (/dev/ptmx). ++## ++## ++## ++## The type of the process to not audit. ++## ++## ++# ++interface(`term_dontaudit_getattr_ptmx',` + gen_require(` -+ role dbadm_r; ++ type ptmx_t; ++ ') ++ ++ dontaudit $1 ptmx_t:chr_file getattr; ++') ++ ++######################################## ++## + ## Do not audit attempts to read and + ## write the pty multiplexor (/dev/ptmx). + ## +@@ -829,7 +850,7 @@ + attribute ptynode; ') - allow $1 dbadm_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.9/policy/modules/roles/guest.te ---- nsaserefpolicy/policy/modules/roles/guest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/roles/guest.te 2010-02-16 15:08:37.000000000 -0500 -@@ -16,7 +16,11 @@ - # +- dontaudit $1 ptynode:chr_file { rw_term_perms lock append }; ++ dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append }; + ') + + ######################################## +@@ -1196,7 +1217,7 @@ + type tty_device_t; + ') + +- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; ++ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; + ') + + ######################################## +@@ -1333,7 +1354,7 @@ + attribute ttynode; + ') + +- dontaudit $1 ttynode:chr_file rw_chr_file_perms; ++ dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms; + ') + ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.15/policy/modules/roles/auditadm.te +--- nsaserefpolicy/policy/modules/roles/auditadm.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/roles/auditadm.te 2010-03-18 10:44:42.000000000 -0400 +@@ -33,6 +33,8 @@ + seutil_run_runinit(auditadm_t, auditadm_r) + seutil_read_bin_policy(auditadm_t) + ++userdom_dontaudit_search_admin_dir(auditadm_t) ++ optional_policy(` -- java_role(guest_r, guest_t) -+ java_role_template(guest, guest_r, guest_t) + consoletype_exec(auditadm_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.15/policy/modules/roles/guest.te +--- nsaserefpolicy/policy/modules/roles/guest.te 2010-03-05 17:14:56.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/roles/guest.te 2010-03-18 10:44:42.000000000 -0400 +@@ -16,6 +16,10 @@ + # --#gen_user(guest_u,, guest_r, s0, s0) -+optional_policy(` -+ mono_role_template(guest, guest_r, guest_t) + optional_policy(` ++ apache_role(guest_r, guest_t) +') + ++optional_policy(` + java_role_template(guest, guest_r, guest_t) + ') + +@@ -23,4 +27,4 @@ + mono_role_template(guest, guest_r, guest_t) + ') + +-#gen_user(guest_u,, guest_r, s0, s0) +gen_user(guest_u, user, guest_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.9/policy/modules/roles/staff.te ---- nsaserefpolicy/policy/modules/roles/staff.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/roles/staff.te 2010-02-16 15:08:37.000000000 -0500 -@@ -10,165 +10,121 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.15/policy/modules/roles/staff.te +--- nsaserefpolicy/policy/modules/roles/staff.te 2010-03-10 15:27:26.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/roles/staff.te 2010-03-18 10:44:42.000000000 -0400 +@@ -10,24 +10,50 @@ userdom_unpriv_user_template(staff) @@ -8828,205 +7716,175 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t # Local policy # --optional_policy(` -- apache_role(staff_r, staff_t) --') -- --optional_policy(` -- auth_role(staff_r, staff_t) --') -- --optional_policy(` -- auditadm_role_change(staff_r) --') -- --optional_policy(` -- bluetooth_role(staff_r, staff_t) --') -- --optional_policy(` -- cdrecord_role(staff_r, staff_t) --') -- --optional_policy(` -- cron_role(staff_r, staff_t) --') -- --optional_policy(` -- dbus_role_template(staff, staff_r, staff_t) --') -- --optional_policy(` -- ethereal_role(staff_r, staff_t) --') -- --optional_policy(` -- evolution_role(staff_r, staff_t) --') -- --optional_policy(` -- games_role(staff_r, staff_t) --') +kernel_read_ring_buffer(staff_t) +kernel_getattr_core_if(staff_t) +kernel_getattr_message_if(staff_t) +kernel_read_software_raid_state(staff_t) - --optional_policy(` -- gift_role(staff_r, staff_t) --') ++ +auth_domtrans_pam_console(staff_t) - --optional_policy(` -- gnome_role(staff_r, staff_t) --') ++ ++seutil_read_module_store(staff_t) +seutil_run_newrole(staff_t, staff_r) +netutils_run_ping(staff_t, staff_r) ++ + optional_policy(` + apache_role(staff_r, staff_t) + ') ++ifndef(`distro_redhat',` ++ optional_policy(` -- gpg_role(staff_r, staff_t) -+ auditadm_role_change(staff_r) + auth_role(staff_r, staff_t) ') ++') optional_policy(` -- irc_role(staff_r, staff_t) -+ kerneloops_manage_tmp_files(staff_t) + auditadm_role_change(staff_r) ') optional_policy(` -- java_role(staff_r, staff_t) ++ kerneloops_manage_tmp_files(staff_t) ++') ++ ++optional_policy(` + logadm_role_change(staff_r) ++') ++ ++ifndef(`distro_redhat',` ++optional_policy(` + bluetooth_role(staff_r, staff_t) + ') + +@@ -99,12 +125,18 @@ + oident_manage_user_content(staff_t) + oident_relabel_user_content(staff_t) ') ++') optional_policy(` -- lockdev_role(staff_r, staff_t) -+ postgresql_role(staff_r, staff_t) + postgresql_role(staff_r, staff_t) ') optional_policy(` -- lpd_role(staff_r, staff_t) + rtkit_daemon_system_domain(staff_t) ++') ++ ++ifndef(`distro_redhat',` ++optional_policy(` + pyzor_role(staff_r, staff_t) ') +@@ -119,22 +151,27 @@ optional_policy(` -- mozilla_role(staff_r, staff_t) -+ secadm_role_change(staff_r) + screen_role_template(staff, staff_r, staff_t) ') ++') optional_policy(` -- mplayer_role(staff_r, staff_t) -+ ssh_role_template(staff, staff_r, staff_t) + secadm_role_change(staff_r) ') ++ifndef(`distro_redhat',` optional_policy(` -- mta_role(staff_r, staff_t) -+ sudo_role_template(staff, staff_r, staff_t) + spamassassin_role(staff_r, staff_t) ') ++') optional_policy(` -- oident_manage_user_content(staff_t) -- oident_relabel_user_content(staff_t) -+ sysadm_role_change(staff_r) + ssh_role_template(staff, staff_r, staff_t) ') ++ifndef(`distro_redhat',` optional_policy(` -- postgresql_role(staff_r, staff_t) -+ usernetctl_run(staff_t, staff_r) + su_role_template(staff, staff_r, staff_t) ') ++') optional_policy(` -- pyzor_role(staff_r, staff_t) -+ unconfined_role_change(staff_r) + sudo_role_template(staff, staff_r, staff_t) +@@ -145,6 +182,7 @@ + userdom_dontaudit_use_user_terminals(staff_t) ') ++ifndef(`distro_redhat',` optional_policy(` -- razor_role(staff_r, staff_t) -+ webadm_role_change(staff_r) + thunderbird_role(staff_r, staff_t) + ') +@@ -169,6 +207,71 @@ + wireshark_role(staff_r, staff_t) ') --optional_policy(` -- rssh_role(staff_r, staff_t) --') ++') ++ ++optional_policy(` ++ unconfined_role_change(staff_r) ++') ++ ++optional_policy(` ++ webadm_role_change(staff_r) ++') ++ + optional_policy(` + xserver_role(staff_r, staff_t) + ') ++ +domain_read_all_domains_state(staff_usertype) +domain_getattr_all_domains(staff_usertype) +domain_obj_id_change_exemption(staff_t) - --optional_policy(` -- screen_role_template(staff, staff_r, staff_t) --') ++ +files_read_kernel_modules(staff_usertype) - --optional_policy(` -- secadm_role_change(staff_r) --') ++ +kernel_read_fs_sysctls(staff_usertype) - --optional_policy(` -- spamassassin_role(staff_r, staff_t) --') ++ +modutils_read_module_config(staff_usertype) +modutils_read_module_deps(staff_usertype) - --optional_policy(` -- ssh_role_template(staff, staff_r, staff_t) --') ++ +miscfiles_read_hwdata(staff_usertype) - --optional_policy(` -- su_role_template(staff, staff_r, staff_t) --') ++ +term_use_unallocated_ttys(staff_usertype) - - optional_policy(` -- sudo_role_template(staff, staff_r, staff_t) ++ ++optional_policy(` + gnomeclock_dbus_chat(staff_t) - ') - - optional_policy(` -- sysadm_role_change(staff_r) -- userdom_dontaudit_use_user_terminals(staff_t) ++') ++ ++optional_policy(` + firewallgui_dbus_chat(staff_t) - ') - - optional_policy(` -- thunderbird_role(staff_r, staff_t) ++') ++ ++optional_policy(` + lpd_list_spool(staff_t) - ') - - optional_policy(` -- tvtime_role(staff_r, staff_t) ++') ++ ++optional_policy(` + kerneloops_dbus_chat(staff_t) - ') - - optional_policy(` -- uml_role(staff_r, staff_t) ++') ++ ++optional_policy(` + rpm_dbus_chat(staff_usertype) - ') - - optional_policy(` -- userhelper_role_template(staff, staff_r, staff_t) ++') ++ ++optional_policy(` + sandbox_transition(staff_t, staff_r) - ') - - optional_policy(` -- vmware_role(staff_r, staff_t) ++') ++ ++optional_policy(` + screen_role_template(staff, staff_r, staff_t) - ') - - optional_policy(` -- wireshark_role(staff_r, staff_t) ++') ++ ++optional_policy(` + setroubleshoot_stream_connect(staff_t) + setroubleshoot_dbus_chat(staff_t) + setroubleshoot_dbus_chat_fixit(staff_t) - ') - - optional_policy(` -- xserver_role(staff_r, staff_t) ++') ++ ++optional_policy(` + virt_stream_connect(staff_t) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.9/policy/modules/roles/sysadm.te ---- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/roles/sysadm.te 2010-02-16 15:08:37.000000000 -0500 ++') ++ ++userhelper_console_role_template(staff, staff_t, staff_usertype) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.15/policy/modules/roles/sysadm.te +--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/roles/sysadm.te 2010-03-18 10:44:42.000000000 -0400 @@ -15,7 +15,7 @@ role sysadm_r; @@ -9036,66 +7894,97 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ifndef(`enable_mls',` userdom_security_admin_template(sysadm_t, sysadm_r) -@@ -35,10 +35,13 @@ +@@ -28,17 +28,28 @@ + + corecmd_exec_shell(sysadm_t) + ++domain_dontaudit_read_all_domains_state(sysadm_t) ++ + mls_process_read_up(sysadm_t) ++mls_file_read_to_clearance(sysadm_t) + + ubac_process_exempt(sysadm_t) + ubac_file_exempt(sysadm_t) ubac_fd_exempt(sysadm_t) ++application_exec(sysadm_t) ++ init_exec(sysadm_t) +init_exec_script_files(sysadm_t) # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) ++userdom_manage_user_tmp_dirs(sysadm_t) ++userdom_manage_user_tmp_files(sysadm_t) ++userdom_manage_user_tmp_symlinks(sysadm_t) +userdom_manage_user_tmp_chr_files(sysadm_t) +userdom_manage_user_tmp_blk_files(sysadm_t) ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -70,7 +73,6 @@ +@@ -70,7 +81,9 @@ apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) - apache_role(sysadm_r, sysadm_t) ++ ifndef(`distro_redhat',` ++ apache_role(sysadm_r, sysadm_t) ++ ') ') optional_policy(` -@@ -87,10 +89,6 @@ +@@ -86,9 +99,11 @@ + auditadm_role_change(sysadm_r) ') ++ifndef(`distro_redhat',` + optional_policy(` + auth_role(sysadm_r, sysadm_t) + ') ++') + optional_policy(` -- auth_role(sysadm_r, sysadm_t) --') -- --optional_policy(` backup_run(sysadm_t, sysadm_r) +@@ -98,17 +113,25 @@ + bind_run_ndc(sysadm_t, sysadm_r) ') -@@ -99,15 +97,11 @@ ++ifndef(`distro_redhat',` + optional_policy(` + bluetooth_role(sysadm_r, sysadm_t) ') ++') optional_policy(` -- bluetooth_role(sysadm_r, sysadm_t) --') -- --optional_policy(` bootloader_run(sysadm_t, sysadm_r) ') ++ifndef(`distro_redhat',` optional_policy(` -- cdrecord_role(sysadm_r, sysadm_t) -+ certmonger_dbus_chat(sysadm_t) + cdrecord_role(sysadm_r, sysadm_t) ') ++') ++ ++optional_policy(` ++ certmonger_dbus_chat(sysadm_t) ++') optional_policy(` -@@ -127,7 +121,7 @@ + certwatch_run(sysadm_t, sysadm_r) +@@ -126,16 +149,18 @@ + consoletype_run(sysadm_t, sysadm_r) ') ++ifndef(`distro_redhat',` optional_policy(` -- cron_admin_role(sysadm_r, sysadm_t) -+ su_exec(sysadm_t) + cron_admin_role(sysadm_r, sysadm_t) ') optional_policy(` -@@ -135,7 +129,7 @@ +- cvs_exec(sysadm_t) ++ dbus_role_template(sysadm, sysadm_r, sysadm_t) ++') ') optional_policy(` @@ -9104,41 +7993,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -166,10 +160,6 @@ +@@ -165,9 +190,11 @@ + ethereal_run_tethereal(sysadm_t, sysadm_r) ') ++ifndef(`distro_redhat',` optional_policy(` -- evolution_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - firstboot_run(sysadm_t, sysadm_r) + evolution_role(sysadm_r, sysadm_t) ') ++') -@@ -178,22 +168,6 @@ + optional_policy(` + firstboot_run(sysadm_t, sysadm_r) +@@ -177,6 +204,7 @@ + fstools_run(sysadm_t, sysadm_r) ') ++ifndef(`distro_redhat',` optional_policy(` -- games_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- gift_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- gnome_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- gpg_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - hostname_run(sysadm_t, sysadm_r) + games_role(sysadm_r, sysadm_t) + ') +@@ -192,6 +220,7 @@ + optional_policy(` + gpg_role(sysadm_r, sysadm_t) ') ++') -@@ -205,6 +179,9 @@ + optional_policy(` + hostname_run(sysadm_t, sysadm_r) +@@ -205,6 +234,9 @@ ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -9148,196 +8031,217 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -212,11 +189,7 @@ +@@ -212,12 +244,18 @@ ') optional_policy(` -- irc_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- java_role(sysadm_r, sysadm_t) + kerberos_exec_kadmind(sysadm_t) ++') ++ ++ifndef(`distro_redhat',` ++optional_policy(` + irc_role(sysadm_r, sysadm_t) ') optional_policy(` -@@ -228,10 +201,6 @@ + java_role(sysadm_r, sysadm_t) ') ++') optional_policy(` -- lockdev_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - logrotate_run(sysadm_t, sysadm_r) + kudzu_run(sysadm_t, sysadm_r) +@@ -227,9 +265,11 @@ + libs_run_ldconfig(sysadm_t, sysadm_r) ') -@@ -255,14 +224,6 @@ ++ifndef(`distro_redhat',` + optional_policy(` + lockdev_role(sysadm_r, sysadm_t) ') ++') optional_policy(` -- mozilla_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- mplayer_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - mta_role(sysadm_r, sysadm_t) - ') + logrotate_run(sysadm_t, sysadm_r) +@@ -252,8 +292,10 @@ -@@ -290,11 +251,6 @@ + optional_policy(` + mount_run(sysadm_t, sysadm_r) ++ mount_run_showmount(sysadm_t, sysadm_r) ') ++ifndef(`distro_redhat',` optional_policy(` -- oident_manage_user_content(sysadm_t) -- oident_relabel_user_content(sysadm_t) --') -- --optional_policy(` - pcmcia_run_cardctl(sysadm_t, sysadm_r) + mozilla_role(sysadm_r, sysadm_t) + ') +@@ -261,6 +303,7 @@ + optional_policy(` + mplayer_role(sysadm_r, sysadm_t) ') ++') -@@ -308,7 +264,7 @@ + optional_policy(` + mta_role(sysadm_r, sysadm_t) +@@ -308,8 +351,14 @@ ') optional_policy(` -- pyzor_role(sysadm_r, sysadm_t) + prelink_run(sysadm_t, sysadm_r) ++') ++ ++ifndef(`distro_redhat',` ++optional_policy(` + pyzor_role(sysadm_r, sysadm_t) ') ++') optional_policy(` -@@ -320,10 +276,6 @@ + quota_run(sysadm_t, sysadm_r) +@@ -319,9 +368,11 @@ + raid_domtrans_mdadm(sysadm_t) ') ++ifndef(`distro_redhat',` + optional_policy(` + razor_role(sysadm_r, sysadm_t) + ') ++') + optional_policy(` -- razor_role(sysadm_r, sysadm_t) --') -- --optional_policy(` rpc_domtrans_nfsd(sysadm_t) +@@ -331,9 +382,11 @@ + rpm_run(sysadm_t, sysadm_r) ') -@@ -332,10 +284,6 @@ ++ifndef(`distro_redhat',` + optional_policy(` + rssh_role(sysadm_r, sysadm_t) ') ++') optional_policy(` -- rssh_role(sysadm_r, sysadm_t) --') -- --optional_policy(` rsync_exec(sysadm_t) +@@ -358,8 +411,14 @@ ') -@@ -345,10 +293,6 @@ + optional_policy(` ++ shutdown_run(sysadm_t, sysadm_r) ++') ++ ++ifndef(`distro_redhat',` ++optional_policy(` + spamassassin_role(sysadm_r, sysadm_t) ') ++') optional_policy(` -- screen_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` - secadm_role_change(sysadm_r) + ssh_role_template(sysadm, sysadm_r, sysadm_t) +@@ -369,6 +428,7 @@ + staff_role_change(sysadm_r) ') -@@ -358,35 +302,15 @@ ++ifndef(`distro_redhat',` + optional_policy(` + su_role_template(sysadm, sysadm_r, sysadm_t) ') - +@@ -376,15 +436,18 @@ optional_policy(` -- spamassassin_role(sysadm_r, sysadm_t) --') -- --optional_policy(` -- ssh_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` - staff_role_change(sysadm_r) + sudo_role_template(sysadm, sysadm_r, sysadm_t) ') ++') optional_policy(` -- su_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` -- sudo_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` sysnet_run_ifconfig(sysadm_t, sysadm_r) sysnet_run_dhcpc(sysadm_t, sysadm_r) ') ++ifndef(`distro_redhat',` + optional_policy(` + thunderbird_role(sysadm_r, sysadm_t) + ') ++') + optional_policy(` -- thunderbird_role(sysadm_r, sysadm_t) --') -- --optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) - tripwire_run_tripwire(sysadm_t, sysadm_r) - tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -394,18 +318,10 @@ +@@ -393,17 +456,21 @@ + tripwire_run_twprint(sysadm_t, sysadm_r) ') ++ifndef(`distro_redhat',` + optional_policy(` + tvtime_role(sysadm_r, sysadm_t) + ') ++') + optional_policy(` -- tvtime_role(sysadm_r, sysadm_t) --') -- --optional_policy(` tzdata_domtrans(sysadm_t) ') ++ifndef(`distro_redhat',` + optional_policy(` + uml_role(sysadm_r, sysadm_t) + ') ++') + optional_policy(` -- uml_role(sysadm_r, sysadm_t) --') -- --optional_policy(` unconfined_domtrans(sysadm_t) +@@ -417,9 +484,11 @@ + usbmodules_run(sysadm_t, sysadm_r) ') -@@ -418,17 +334,13 @@ ++ifndef(`distro_redhat',` + optional_policy(` + userhelper_role_template(sysadm, sysadm_r, sysadm_t) ') ++') optional_policy(` -- userhelper_role_template(sysadm, sysadm_r, sysadm_t) --') -- --optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) - usermanage_run_groupadd(sysadm_t, sysadm_r) +@@ -427,9 +496,15 @@ usermanage_run_useradd(sysadm_t, sysadm_r) ') ++ifndef(`distro_redhat',` optional_policy(` -- vmware_role(sysadm_r, sysadm_t) -+ vpn_run(sysadm_t, sysadm_r) + vmware_role(sysadm_r, sysadm_t) ') ++') ++ ++optional_policy(` ++ vpn_run(sysadm_t, sysadm_r) ++') optional_policy(` -@@ -440,13 +352,16 @@ + vpn_run(sysadm_t, sysadm_r) +@@ -440,13 +515,26 @@ ') optional_policy(` -- wireshark_role(sysadm_r, sysadm_t) + virt_stream_connect(sysadm_t) ++') ++ ++ifndef(`distro_redhat',` ++optional_policy(` + wireshark_role(sysadm_r, sysadm_t) ') optional_policy(` -- xserver_role(sysadm_r, sysadm_t) -+ yam_run(sysadm_t, sysadm_r) + xserver_role(sysadm_r, sysadm_t) ') ++') optional_policy(` -- yam_run(sysadm_t, sysadm_r) -+ zebra_stream_connect(sysadm_t) + yam_run(sysadm_t, sysadm_r) ') + ++optional_policy(` ++ zebra_stream_connect(sysadm_t) ++') ++ +init_script_role_transition(sysadm_r) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.9/policy/modules/roles/unconfineduser.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.15/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/roles/unconfineduser.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/roles/unconfineduser.fc 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,10 @@ +# Add programs here which should not be confined by SELinux +# e.g.: @@ -9349,9 +8253,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + +/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.9/policy/modules/roles/unconfineduser.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.15/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/roles/unconfineduser.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/roles/unconfineduser.if 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,667 @@ +## Unconfiend user role + @@ -10020,10 +8924,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + + allow $1 unconfined_r; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.9/policy/modules/roles/unconfineduser.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.15/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/roles/unconfineduser.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,445 @@ ++++ serefpolicy-3.7.15/policy/modules/roles/unconfineduser.te 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,417 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -10094,6 +8998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + +files_create_boot_flag(unconfined_t) +files_create_default_dir(unconfined_t) ++files_root_filetrans_default(unconfined_t, dir) + +mcs_killall(unconfined_t) +mcs_ptrace_all(unconfined_t) @@ -10198,6 +9103,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + ') + + optional_policy(` ++ shutdown_run(unconfined_t, unconfined_r) ++ ') ++ ++ optional_policy(` + tzdata_run(unconfined_usertype, unconfined_r) + ') + @@ -10292,19 +9201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') + +optional_policy(` -+ java_role_template(unconfined, unconfined_r, unconfined_t) -+ role system_r types unconfined_java_t; -+ -+ files_execmod_all_files(unconfined_java_t) -+ -+ init_dbus_chat_script(unconfined_java_t) -+ -+ unconfined_domain_noaudit(unconfined_java_t) -+ unconfined_dbus_chat(unconfined_java_t) -+ -+ optional_policy(` -+ rpm_domtrans(unconfined_java_t) -+ ') ++ java_run_unconfined(unconfined_t, unconfined_r) +') + +optional_policy(` @@ -10342,7 +9239,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +#') + +optional_policy(` -+ qemu_role_notrans(unconfined_r, unconfined_t) + qemu_unconfined_role(unconfined_r) + + tunable_policy(`allow_unconfined_qemu_transition',` @@ -10420,31 +9316,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + ') + + optional_policy(` -+ gen_require(` -+ type mplayer_exec_t; -+ type unconfined_execmem_t; -+ ') -+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) -+ ') -+ -+ optional_policy(` + tunable_policy(`allow_unconfined_nsplugin_transition',`', ` -+ gen_require(` -+ type mozilla_exec_t; -+ type unconfined_execmem_t; -+ type nsplugin_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) -+ domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t) ++ nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t) + ') + ') + + optional_policy(` -+ gen_require(` -+ type openoffice_exec_t; -+ type unconfined_execmem_t; -+ ') -+ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) ++ openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t) + ') +') + @@ -10467,166 +9345,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +# + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -+ -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.9/policy/modules/roles/unprivuser.te ---- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/roles/unprivuser.te 2010-02-16 15:08:37.000000000 -0500 -@@ -14,100 +14,19 @@ - userdom_unpriv_user_template(user) - - optional_policy(` -- apache_role(user_r, user_t) -+ kerneloops_dontaudit_dbus_chat(user_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.15/policy/modules/roles/unprivuser.te +--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-03-10 15:27:39.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/roles/unprivuser.te 2010-03-18 10:44:42.000000000 -0400 +@@ -17,6 +17,7 @@ + apache_role(user_r, user_t) ') ++ifndef(`distro_redhat',` optional_policy(` -- auth_role(user_r, user_t) -+ rpm_dontaudit_dbus_chat(user_t) + auth_role(user_r, user_t) ') - +@@ -109,11 +110,25 @@ optional_policy(` -- bluetooth_role(user_r, user_t) -+ rtkit_daemon_system_domain(user_t) + rssh_role(user_r, user_t) ') ++') ++ ++optional_policy(` ++ rpm_dontaudit_dbus_chat(user_t) ++') ++ ++optional_policy(` ++ rtkit_daemon_system_domain(user_t) ++') ++ ++optional_policy(` ++ sandbox_transition(user_t, user_r) ++') optional_policy(` -- cdrecord_role(user_r, user_t) --') -- --optional_policy(` -- cron_role(user_r, user_t) --') -- --optional_policy(` -- dbus_role_template(user, user_r, user_t) --') -- --optional_policy(` -- ethereal_role(user_r, user_t) --') -- --optional_policy(` -- evolution_role(user_r, user_t) --') -- --optional_policy(` -- games_role(user_r, user_t) --') -- --optional_policy(` -- gift_role(user_r, user_t) --') -- --optional_policy(` -- gnome_role(user_r, user_t) --') -- --optional_policy(` -- gpg_role(user_r, user_t) --') -- --optional_policy(` -- irc_role(user_r, user_t) --') -- --optional_policy(` -- java_role(user_r, user_t) --') -- --optional_policy(` -- lockdev_role(user_r, user_t) --') -- --optional_policy(` -- lpd_role(user_r, user_t) --') -- --optional_policy(` -- mozilla_role(user_r, user_t) --') -- --optional_policy(` -- mplayer_role(user_r, user_t) --') -- --optional_policy(` -- mta_role(user_r, user_t) --') -- --optional_policy(` -- oident_manage_user_content(user_t) -- oident_relabel_user_content(user_t) --') -- --optional_policy(` -- postgresql_role(user_r, user_t) --') -- --optional_policy(` -- pyzor_role(user_r, user_t) --') -- --optional_policy(` -- razor_role(user_r, user_t) --') -- --optional_policy(` -- rssh_role(user_r, user_t) -+ sandbox_transition(user_t, user_r) + screen_role_template(user, user_r, user_t) ') ++ifndef(`distro_redhat',` optional_policy(` -@@ -115,45 +34,5 @@ + spamassassin_role(user_r, user_t) + ') +@@ -154,6 +169,12 @@ + wireshark_role(user_r, user_t) ') - optional_policy(` -- spamassassin_role(user_r, user_t) --') -- --optional_policy(` -- ssh_role_template(user, user_r, user_t) --') -- --optional_policy(` -- su_role_template(user, user_r, user_t) --') -- --optional_policy(` -- sudo_role_template(user, user_r, user_t) --') -- --optional_policy(` -- thunderbird_role(user_r, user_t) --') -- --optional_policy(` -- tvtime_role(user_r, user_t) --') -- --optional_policy(` -- uml_role(user_r, user_t) --') -- --optional_policy(` -- userhelper_role_template(user, user_r, user_t) --') -- --optional_policy(` -- vmware_role(user_r, user_t) --') -- --optional_policy(` -- wireshark_role(user_r, user_t) --') -- --optional_policy(` -- xserver_role(user_r, user_t) ++') ++ ++optional_policy(` + setroubleshoot_dontaudit_stream_connect(user_t) ++') ++ + optional_policy(` + xserver_role(user_r, user_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.9/policy/modules/roles/xguest.te ---- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/roles/xguest.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.15/policy/modules/roles/xguest.te +--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-03-10 15:28:09.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/roles/xguest.te 2010-03-18 10:44:42.000000000 -0400 @@ -15,7 +15,7 @@ ## @@ -10636,7 +9407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. ##

## gen_tunable(xguest_connect_network, true) -@@ -30,11 +30,33 @@ +@@ -30,12 +30,12 @@ role xguest_r; userdom_restricted_xwindows_user_template(xguest) @@ -10646,19 +9417,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. # # Local policy # -+ifndef(`enable_mls',` -+ fs_exec_noxattr(xguest_t) -+ -+ tunable_policy(`user_rw_noexattrfile',` -+ fs_manage_noxattr_fs_files(xguest_t) -+ fs_manage_noxattr_fs_dirs(xguest_t) -+ # Write floppies -+ storage_raw_read_removable_device(xguest_t) -+ storage_raw_write_removable_device(xguest_t) -+ ',` -+ storage_raw_read_removable_device(xguest_t) -+ ') -+') +- + ifndef(`enable_mls',` + fs_exec_noxattr(xguest_t) + +@@ -49,6 +49,14 @@ + storage_raw_read_removable_device(xguest_t) + ') + ') +# Dontaudit fusermount +mount_dontaudit_exec_fusermount(xguest_t) + @@ -10670,7 +9436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. # Allow mounting of file systems optional_policy(` -@@ -49,10 +71,9 @@ +@@ -63,10 +71,9 @@ fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) @@ -10682,17 +9448,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. ') ') -@@ -67,17 +88,60 @@ +@@ -81,19 +88,66 @@ ') optional_policy(` - java_role(xguest_r, xguest_t) -+ java_role_template(xguest, xguest_r, xguest_t) ++ apache_role(xguest_r, xguest_t) ') optional_policy(` - mozilla_role(xguest_r, xguest_t) -+ mono_role_template(xguest, xguest_r, xguest_t) ++ java_role_template(xguest, xguest_r, xguest_t) ++') ++ ++optional_policy(` ++ mono_role_template(xguest, xguest_r, xguest_t) +') + +optional_policy(` @@ -10701,7 +9471,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. optional_policy(` tunable_policy(`xguest_connect_network',` ++ kernel_read_network_state(xguest_usertype) ++ networkmanager_dbus_chat(xguest_t) +- corenet_tcp_connect_pulseaudio_port(xguest_t) +- corenet_tcp_connect_ipp_port(xguest_t) + networkmanager_read_var_lib_files(xguest_t) + corenet_tcp_connect_pulseaudio_port(xguest_usertype) + corenet_all_recvfrom_unlabeled(xguest_usertype) @@ -10746,9 +9520,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.9/policy/modules/services/abrt.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.15/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/abrt.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/abrt.fc 2010-03-18 10:44:42.000000000 -0400 @@ -1,11 +1,17 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) @@ -10768,10 +9542,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.9/policy/modules/services/abrt.if ---- nsaserefpolicy/policy/modules/services/abrt.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/abrt.if 2010-02-16 15:08:37.000000000 -0500 -@@ -19,6 +19,29 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.15/policy/modules/services/abrt.if +--- nsaserefpolicy/policy/modules/services/abrt.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/abrt.if 2010-03-18 10:44:42.000000000 -0400 +@@ -19,6 +19,28 @@ domtrans_pattern($1, abrt_exec_t, abrt_t) ') @@ -10794,14 +9568,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + +ifdef(`hide_broken_symptoms', ` + dontaudit abrt_helper_t $1:socket_class_set { read write }; -+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) +') +') + ###################################### ## ## Execute abrt -@@ -56,6 +79,32 @@ +@@ -57,6 +79,32 @@ read_files_pattern($1, abrt_etc_t, abrt_etc_t) ') @@ -10834,7 +9607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ###################################### ## ## Read abrt logs. -@@ -75,6 +124,101 @@ +@@ -76,6 +124,101 @@ read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) ') @@ -10936,9 +9709,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ##################################### ## ## All of the rules required to administrate -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.9/policy/modules/services/abrt.te ---- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/abrt.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.15/policy/modules/services/abrt.te +--- nsaserefpolicy/policy/modules/services/abrt.te 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/abrt.te 2010-03-18 10:44:42.000000000 -0400 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10986,26 +9759,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,18 +90,37 @@ +@@ -75,25 +90,40 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) +corecmd_read_all_executables(abrt_t) +-corenet_all_recvfrom_netlabel(abrt_t) +-corenet_all_recvfrom_unlabeled(abrt_t) +-corenet_sendrecv_http_client_packets(abrt_t) +-corenet_tcp_bind_generic_node(abrt_t) corenet_tcp_connect_http_port(abrt_t) +-corenet_tcp_sendrecv_generic_if(abrt_t) +-corenet_tcp_sendrecv_generic_node(abrt_t) +-corenet_tcp_sendrecv_generic_port(abrt_t) +corenet_tcp_connect_ftp_port(abrt_t) +corenet_tcp_connect_all_ports(abrt_t) +dev_getattr_all_chr_files(abrt_t) dev_read_urand(abrt_t) +dev_rw_sysfs(abrt_t) -+dev_dontaudit_read_memory_dev(abrt_t) ++dev_dontaudit_read_raw_memory(abrt_t) + ++domain_getattr_all_domains(abrt_t) +domain_read_all_domains_state(abrt_t) +domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) files_read_etc_files(abrt_t) ++files_read_var_symlinks(abrt_t) +files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) +files_read_generic_tmp_files(abrt_t) @@ -11020,11 +9802,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +fs_read_fusefs_files(abrt_t) +fs_read_noxattr_fs_files(abrt_t) +fs_read_nfs_files(abrt_t) ++fs_read_nfs_symlinks(abrt_t) +fs_search_all(abrt_t) sysnet_read_config(abrt_t) -@@ -96,22 +130,96 @@ +@@ -103,22 +133,102 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -11040,8 +9823,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +optional_policy(` + nis_use_ypbind(abrt_t) +') -+ -+optional_policy(` + + optional_policy(` +- dbus_connect_system_bus(abrt_t) +- dbus_system_bus_client(abrt_t) + nsplugin_read_rw_files(abrt_t) + nsplugin_read_home(abrt_t) +') @@ -11052,10 +9837,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + policykit_read_lib(abrt_t) + policykit_read_reload(abrt_t) +') - - optional_policy(` -- dbus_connect_system_bus(abrt_t) -- dbus_system_bus_client(abrt_t) ++ ++optional_policy(` + prelink_exec(abrt_t) + libs_exec_ld_so(abrt_t) + corecmd_exec_all_executables(abrt_t) @@ -11079,6 +9862,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ') + +optional_policy(` ++ sosreport_domtrans(abrt_t) ++') ++ ++optional_policy(` + sssd_stream_connect(abrt_t) +') + @@ -11114,7 +9901,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + +miscfiles_read_localization(abrt_helper_t) + -+userdom_dontaudit_use_user_terminals(abrt_helper_t) ++term_dontaudit_use_all_ttys(abrt_helper_t) ++term_dontaudit_use_all_ptys(abrt_helper_t) + +ifdef(`hide_broken_symptoms', ` + domain_dontaudit_leaks(abrt_helper_t) @@ -11127,25 +9915,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + dev_dontaudit_read_all_chr_files(abrt_helper_t) + dev_dontaudit_write_all_chr_files(abrt_helper_t) + dev_dontaudit_write_all_blk_files(abrt_helper_t) ++ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.7.9/policy/modules/services/afs.fc ---- nsaserefpolicy/policy/modules/services/afs.fc 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/afs.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -22,10 +22,10 @@ - - /usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) - --/usr/vice/cache(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) - /usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) - - /var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) -+/usr/vice/cache(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.15/policy/modules/services/afs.if +--- nsaserefpolicy/policy/modules/services/afs.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/afs.if 2010-03-18 10:44:42.000000000 -0400 +@@ -94,7 +94,7 @@ + # + interface(`afs_admin',` + gen_require(` +- type afs_t; ++ type afs_t, afs_initrc_exec_t; + ') - /vicepa gen_context(system_u:object_r:afs_files_t,s0) - /vicepb gen_context(system_u:object_r:afs_files_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.9/policy/modules/services/afs.te ---- nsaserefpolicy/policy/modules/services/afs.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/afs.te 2010-02-16 15:08:37.000000000 -0500 + allow $1 afs_t:process { ptrace signal_perms getattr }; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.15/policy/modules/services/afs.te +--- nsaserefpolicy/policy/modules/services/afs.te 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/afs.te 2010-03-18 10:44:42.000000000 -0400 @@ -71,8 +71,8 @@ # afs client local policy # @@ -11153,7 +9939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. -allow afs_t self:capability { sys_nice sys_tty_config }; -allow afs_t self:process setsched; +allow afs_t self:capability { sys_admin sys_nice sys_tty_config }; -+allow afs_t self:process { fork setsched signal }; ++allow afs_t self:process { setsched signal }; allow afs_t self:udp_socket create_socket_perms; allow afs_t self:fifo_file rw_file_perms; allow afs_t self:unix_stream_socket create_stream_socket_perms; @@ -11166,18 +9952,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. ######################################## # # AFS bossserver local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.9/policy/modules/services/aiccu.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.15/policy/modules/services/aiccu.fc --- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/aiccu.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/aiccu.fc 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,5 @@ + +/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) + +/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) +/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.9/policy/modules/services/aiccu.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.15/policy/modules/services/aiccu.if --- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/aiccu.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/aiccu.if 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,119 @@ + +## policy for aiccu @@ -11298,9 +10084,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + aiccu_manage_var_run($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.9/policy/modules/services/aiccu.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.15/policy/modules/services/aiccu.te --- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/aiccu.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/aiccu.te 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,41 @@ +policy_module(aiccu,1.0.0) + @@ -11343,10 +10129,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.9/policy/modules/services/aisexec.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.15/policy/modules/services/aisexec.fc --- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/aisexec.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,12 @@ ++++ serefpolicy-3.7.15/policy/modules/services/aisexec.fc 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,10 @@ + +/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) + @@ -11357,11 +10143,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0) + +/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) -+ -+/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.9/policy/modules/services/aisexec.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.15/policy/modules/services/aisexec.if --- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/aisexec.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/aisexec.if 2010-03-18 10:44:42.000000000 -0400 @@ -0,0 +1,106 @@ +## SELinux policy for Aisexec Cluster Engine + @@ -11469,10 +10253,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise + + admin_pattern($1, aisexec_tmpfs_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.9/policy/modules/services/aisexec.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.15/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/aisexec.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,112 @@ ++++ serefpolicy-3.7.15/policy/modules/services/aisexec.te 2010-03-18 10:44:42.000000000 -0400 +@@ -0,0 +1,115 @@ + +policy_module(aisexec,1.0.0) + @@ -11550,8 +10334,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise +corenet_tcp_bind_reserved_port(aisexec_t) +corenet_udp_bind_cluster_port(aisexec_t) + -+ccs_stream_connect(aisexec_t) -+ +corecmd_exec_bin(aisexec_t) + +kernel_read_system_state(aisexec_t) @@ -11570,41 +10352,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise + +logging_send_syslog_msg(aisexec_t) + -+# to communication with RHCS -+dlm_controld_manage_tmpfs_files(aisexec_t) -+dlm_controld_rw_semaphores(aisexec_t) ++optional_policy(` ++ ccs_stream_connect(aisexec_t) ++') + -+fenced_manage_tmpfs_files(aisexec_t) -+fenced_rw_semaphores(aisexec_t) ++optional_policy(` ++ # to communication with RHCS ++ dlm_controld_manage_tmpfs_files(aisexec_t) ++ dlm_controld_rw_semaphores(aisexec_t) + -+gfs_controld_manage_tmpfs_files(aisexec_t) -+gfs_controld_rw_semaphores(aisexec_t) -+gfs_controld_t_rw_shm(aisexec_t) ++ fenced_manage_tmpfs_files(aisexec_t) ++ fenced_rw_semaphores(aisexec_t) + -+groupd_manage_tmpfs_files(aisexec_t) -+groupd_rw_semaphores(aisexec_t) -+groupd_rw_shm(aisexec_t) ++ gfs_controld_manage_tmpfs_files(aisexec_t) ++ gfs_controld_rw_semaphores(aisexec_t) ++ gfs_controld_t_rw_shm(aisexec_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.9/policy/modules/services/amavis.te ---- nsaserefpolicy/policy/modules/services/amavis.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/amavis.te 2010-02-16 15:08:37.000000000 -0500 -@@ -138,11 +138,13 @@ - - auth_dontaudit_read_shadow(amavis_t) - -+init_read_utmp(amavis_t) - init_stream_connect_script(amavis_t) - - logging_send_syslog_msg(amavis_t) - - miscfiles_read_localization(amavis_t) -+miscfiles_read_certs(amavis_t) - - sysnet_dns_name_resolve(amavis_t) - sysnet_use_ldap(amavis_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.9/policy/modules/services/apache.fc ++ groupd_manage_tmpfs_files(aisexec_t) ++ groupd_rw_semaphores(aisexec_t) ++ groupd_rw_shm(aisexec_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.15/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/apache.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/apache.fc 2010-03-18 10:44:42.000000000 -0400 @@ -2,12 +2,19 @@ /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -11732,9 +10502,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.9/policy/modules/services/apache.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.15/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/apache.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/apache.if 2010-03-18 10:44:42.000000000 -0400 @@ -13,21 +13,17 @@ # template(`apache_content_template',` @@ -12443,9 +11213,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.9/policy/modules/services/apache.te ---- nsaserefpolicy/policy/modules/services/apache.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/apache.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.15/policy/modules/services/apache.te +--- nsaserefpolicy/policy/modules/services/apache.te 2010-03-18 06:48:02.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/services/apache.te 2010-03-18 10:44:42.000000000 -0400 @@ -19,6 +19,8 @@ # Declarations # @@ -12656,7 +11426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -283,9 +359,9 @@ +@@ -283,13 +359,14 @@ allow httpd_t httpd_suexec_exec_t:file read_file_perms; @@ -12669,7 +11439,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -301,9 +377,11 @@ +-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir }) ++manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) ++files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file }) + + manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) + manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -301,9 +378,11 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) @@ -12682,7 +11458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -312,18 +390,21 @@ +@@ -312,18 +391,21 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -12709,11 +11485,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -335,15 +416,15 @@ +@@ -335,15 +417,16 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) +fs_read_iso9660_files(httpd_t) ++fs_read_anon_inodefs_files(httpd_t) auth_use_nsswitch(httpd_t) @@ -12728,7 +11505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) -@@ -358,6 +439,10 @@ +@@ -358,6 +441,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -12739,7 +11516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_read_lib_files(httpd_t) -@@ -372,18 +457,33 @@ +@@ -372,18 +459,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -12777,7 +11554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -391,32 +491,71 @@ +@@ -391,32 +493,71 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -12854,7 +11631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -424,11 +563,23 @@ +@@ -424,11 +565,23 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -12878,7 +11655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -451,7 +602,18 @@ +@@ -451,7 +604,18 @@ ') optional_policy(` @@ -12897,7 +11674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -463,8 +625,24 @@ +@@ -463,8 +627,24 @@ ') optional_policy(` @@ -12924,7 +11701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -472,22 +650,19 @@ +@@ -472,22 +652,19 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) @@ -12950,7 +11727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -498,12 +673,23 @@ +@@ -498,12 +675,23 @@ ') optional_policy(` @@ -12974,15 +11751,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -512,6 +698,7 @@ +@@ -512,6 +700,11 @@ ') optional_policy(` ++ smokeping_getattr_lib_files(httpd_t) ++') ++ ++optional_policy(` + files_dontaudit_rw_usr_dirs(httpd_t) snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -539,6 +726,23 @@ +@@ -539,6 +732,23 @@ userdom_use_user_terminals(httpd_helper_t) @@ -13006,7 +11787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -568,20 +772,25 @@ +@@ -568,20 +778,32 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -13025,6 +11806,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) + corenet_tcp_connect_mysqld_port(httpd_suexec_t) + corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) ++ ++ corenet_tcp_connect_mssql_port(httpd_t) ++ corenet_sendrecv_mssql_client_packets(httpd_t) ++ corenet_tcp_connect_mssql_port(httpd_sys_script_t) ++ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_mssql_port(httpd_suexec_t) ++ corenet_sendrecv_mssql_client_packets(httpd_suexec_t) ') -optional_policy(` @@ -13038,7 +11826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -599,23 +808,24 @@ +@@ -599,23 +821,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -13067,7 +11855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -628,6 +838,7 @@ +@@ -628,6 +851,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -13075,7 +11863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -635,22 +846,31 @@ +@@ -635,22 +859,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) @@ -13114,7 +11902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -676,16 +896,16 @@ +@@ -676,16 +909,16 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -13135,7 +11923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -700,15 +920,29 @@ +@@ -700,15 +933,29 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -13167,7 +11955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -716,6 +950,35 @@ +@@ -716,6 +963,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -13203,7 +11991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -728,6 +991,10 @@ +@@ -728,6 +1004,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -13214,7 +12002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -739,6 +1006,8 @@ +@@ -739,6 +1019,8 @@ # httpd_rotatelogs local policy # @@ -13223,7 +12011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -758,11 +1027,88 @@ +@@ -758,11 +1040,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -13243,7 +12031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) -+') + ') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_user_script_t) @@ -13293,7 +12081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +optional_policy(` + mysql_search_db(httpd_bugzilla_script_t) + mysql_stream_connect(httpd_bugzilla_script_t) - ') ++') + +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) @@ -13315,23 +12103,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.9/policy/modules/services/apm.te ---- nsaserefpolicy/policy/modules/services/apm.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/apm.te 2010-02-16 15:08:37.000000000 -0500 -@@ -223,6 +223,10 @@ - unconfined_domain(apmd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.7.15/policy/modules/services/apcupsd.te +--- nsaserefpolicy/policy/modules/services/apcupsd.te 2010-03-04 11:17:25.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/apcupsd.te 2010-03-18 10:44:42.000000000 -0400 +@@ -95,6 +95,10 @@ ') -+optional_policy(` -+ vbetool_domtrans(apmd_t) + optional_policy(` ++ shutdown_domtrans(apcupsd_t) +') + - # cjp: related to sleep/resume (?) - optional_policy(` - xserver_domtrans(apmd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.9/policy/modules/services/arpwatch.te ---- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/arpwatch.te 2010-02-16 15:08:37.000000000 -0500 ++optional_policy(` + mta_send_mail(apcupsd_t) + mta_system_content(apcupsd_tmp_t) + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.15/policy/modules/services/arpwatch.te +--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-03-04 11:17:25.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/arpwatch.te 2010-03-18 10:44:42.000000000 -0400 @@ -34,6 +34,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; allow arpwatch_t self:udp_socket create_socket_perms; @@ -13357,73 +12145,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw fs_getattr_all_fs(arpwatch_t) fs_search_auto_mountpoints(arpwatch_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.9/policy/modules/services/asterisk.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.15/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/asterisk.if 2010-02-16 15:08:37.000000000 -0500 -@@ -2,8 +2,28 @@ ++++ serefpolicy-3.7.15/policy/modules/services/asterisk.if 2010-03-18 10:44:43.000000000 -0400 +@@ -1,5 +1,24 @@ + ## Asterisk IP telephony server - ##################################### - ## --## Connect to asterisk over a unix domain --## stream socket. -+## Connect to asterisk over a unix domain -+## stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`asterisk_stream_connect',` -+ gen_require(` -+ type asterisk_t, asterisk_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## asterisk lib files. - ## - ## - ## -@@ -11,18 +31,18 @@ - ## - ## - # --interface(`asterisk_stream_connect',` -+interface(`asterisk_manage_lib_files',` - gen_require(` -- type asterisk_t, asterisk_var_run_t; -+ type asterisk_var_lib_t; - ') - -- files_search_pids($1) -- stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) -+ manage_files_pattern($1, asterisk_var_lib_t, asterisk_var_lib_t) -+ files_search_var_lib($1) - ') - - ######################################## - ## --## All of the rules required to administrate -+## All of the rules required to administrate - ## an asterisk environment - ## - ## -@@ -71,3 +91,22 @@ - files_list_pids($1) - admin_pattern($1, asterisk_var_run_t) - ') -+ -+ +###################################### +## -+## Execute asterisk ++## Execute asterisk in the asterisk domain. +## +## +## @@ -13431,16 +12161,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste +## +## +# -+interface(`asterisk_exec',` ++interface(`asterisk_domtrans',` + gen_require(` -+ type asterisk_exec_t; ++ type asterisk_t, asterisk_exec_t; + ') + -+ can_exec($1, asterisk_exec_t) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, asterisk_exec_t, asterisk_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.9/policy/modules/services/asterisk.te ++ + ##################################### + ## + ## Connect to asterisk over a unix domain +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.15/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/asterisk.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/asterisk.te 2010-03-18 10:44:43.000000000 -0400 @@ -40,12 +40,13 @@ # @@ -13488,14 +12223,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste domain_use_interactive_fds(asterisk_t) -@@ -119,18 +127,31 @@ +@@ -118,19 +126,33 @@ + files_read_usr_files(asterisk_t) fs_getattr_all_fs(asterisk_t) - fs_search_auto_mountpoints(asterisk_t) ++fs_list_inotifyfs(asterisk_t) +fs_read_anon_inodefs_files(asterisk_t) -+ -+auth_use_nsswitch(asterisk_t) + fs_search_auto_mountpoints(asterisk_t) ++auth_use_nsswitch(asterisk_t) ++ logging_send_syslog_msg(asterisk_t) miscfiles_read_localization(asterisk_t) @@ -13523,7 +12260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste ') optional_policy(` -@@ -138,10 +159,11 @@ +@@ -138,10 +160,11 @@ ') optional_policy(` @@ -13539,37 +12276,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste + udev_read_db(asterisk_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.9/policy/modules/services/automount.te ---- nsaserefpolicy/policy/modules/services/automount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/automount.te 2010-02-16 15:08:37.000000000 -0500 -@@ -75,6 +75,7 @@ - - fs_mount_all_fs(automount_t) - fs_unmount_all_fs(automount_t) -+fs_search_all(automount_t) - - corecmd_exec_bin(automount_t) - corecmd_exec_shell(automount_t) -@@ -129,6 +130,7 @@ - fs_unmount_autofs(automount_t) - fs_mount_autofs(automount_t) - fs_manage_autofs_symlinks(automount_t) -+fs_read_nfs_files(automount_t) - - storage_rw_fuse(automount_t) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.9/policy/modules/services/avahi.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.15/policy/modules/services/avahi.fc --- nsaserefpolicy/policy/modules/services/avahi.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/avahi.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/avahi.fc 2010-03-18 10:44:43.000000000 -0400 @@ -6,4 +6,4 @@ /var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) -/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) -+/var/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.9/policy/modules/services/avahi.te ++/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.7.15/policy/modules/services/avahi.if +--- nsaserefpolicy/policy/modules/services/avahi.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/services/avahi.if 2010-03-18 10:44:43.000000000 -0400 +@@ -90,6 +90,7 @@ + class dbus send_msg; + ') + ++ allow avahi_t $1:file read; + allow $1 avahi_t:dbus send_msg; + allow avahi_t $1:dbus send_msg; + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.15/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/avahi.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/avahi.te 2010-03-18 10:44:43.000000000 -0400 @@ -24,7 +24,7 @@ # Local policy # @@ -13611,109 +12340,586 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah +sysnet_manage_config(avahi_t) +sysnet_etc_filetrans_config(avahi_t) + - userdom_dontaudit_use_unpriv_user_fds(avahi_t) - userdom_dontaudit_search_user_home_dirs(avahi_t) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.9/policy/modules/services/bind.if ---- nsaserefpolicy/policy/modules/services/bind.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/bind.if 2010-02-16 15:08:37.000000000 -0500 -@@ -253,7 +253,7 @@ - - ######################################## - ## --## Do not audit attempts to set the attributes -+## Allow domain to set the attributes - ## of the BIND pid directory. - ## - ## -@@ -272,6 +272,25 @@ - - ######################################## - ## -+## Allow domain to set attributes -+## of the BIND zone directory. -+## -+## -+## -+## Domain allowed access. -+## -+## + userdom_dontaudit_use_unpriv_user_fds(avahi_t) + userdom_dontaudit_search_user_home_dirs(avahi_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.15/policy/modules/services/bind.if +--- nsaserefpolicy/policy/modules/services/bind.if 2010-02-12 10:33:09.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/bind.if 2010-03-18 10:44:43.000000000 -0400 +@@ -253,7 +253,7 @@ + + ######################################## + ## +-## Do not audit attempts to set the attributes ++## Allow domain to set the attributes + ## of the BIND pid directory. + ## + ## +@@ -272,6 +272,25 @@ + + ######################################## + ## ++## Allow domain to set attributes ++## of the BIND zone directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bind_setattr_zone_dirs',` ++ gen_require(` ++ type named_zone_t; ++ ') ++ ++ allow $1 named_zone_t:dir setattr; ++') ++ ++######################################## ++## + ## Read BIND zone files. + ## + ## +@@ -356,7 +375,7 @@ + + bind_run_ndc($1, $2) + +- init_labeled_script_domtrans($1, bind_initrc_exec_t) ++ init_labeled_script_domtrans($1, named_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 named_initrc_exec_t system_r; + allow $2 system_r; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.15/policy/modules/services/bind.te +--- nsaserefpolicy/policy/modules/services/bind.te 2010-02-12 10:33:09.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/bind.te 2010-03-18 10:44:43.000000000 -0400 +@@ -142,11 +142,11 @@ + + logging_send_syslog_msg(named_t) + ++init_read_script_tmp_files(named_t) ++ + miscfiles_read_localization(named_t) + miscfiles_read_certs(named_t) + +-sysnet_read_config(named_t) +- + userdom_dontaudit_use_unpriv_user_fds(named_t) + userdom_dontaudit_search_user_home_dirs(named_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.15/policy/modules/services/bluetooth.te +--- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-02-12 10:33:09.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/bluetooth.te 2010-03-18 10:44:43.000000000 -0400 +@@ -54,7 +54,7 @@ + # Bluetooth services local policy + # + +-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_tty_config ipc_lock }; ++allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; + dontaudit bluetooth_t self:capability sys_tty_config; + allow bluetooth_t self:process { getcap setcap getsched signal_perms }; + allow bluetooth_t self:fifo_file rw_fifo_file_perms; +@@ -96,6 +96,7 @@ + kernel_read_system_state(bluetooth_t) + kernel_read_network_state(bluetooth_t) + kernel_request_load_module(bluetooth_t) ++kernel_search_debugfs(bluetooth_t) + + corenet_all_recvfrom_unlabeled(bluetooth_t) + corenet_all_recvfrom_netlabel(bluetooth_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.15/policy/modules/services/boinc.fc +--- nsaserefpolicy/policy/modules/services/boinc.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/boinc.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,6 @@ ++ ++/etc/rc\.d/init\.d/boinc_client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) ++ ++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) ++ ++/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.7.15/policy/modules/services/boinc.if +--- nsaserefpolicy/policy/modules/services/boinc.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/boinc.if 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,151 @@ ++ ++## policy for boinc ++ ++######################################## ++## ++## Execute a domain transition to run boinc. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`boinc_domtrans',` ++ gen_require(` ++ type boinc_t, boinc_exec_t; ++ ') ++ ++ domtrans_pattern($1, boinc_exec_t, boinc_t) ++') ++ ++####################################### ++## ++## Execute boinc server in the boinc domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`boinc_initrc_domtrans',` ++ gen_require(` ++ type boinc_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, boinc_initrc_exec_t) ++') ++ ++######################################## ++## ++## Search boinc lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`boinc_search_lib',` ++ gen_require(` ++ type boinc_var_lib_t; ++ ') ++ ++ allow $1 boinc_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read boinc lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`boinc_read_lib_files',` ++ gen_require(` ++ type boinc_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## boinc lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`boinc_manage_lib_files',` ++ gen_require(` ++ type boinc_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) ++') ++ ++######################################## ++## ++## Manage boinc var_lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`boinc_manage_var_lib',` ++ gen_require(` ++ type boinc_var_lib_t; ++ ') ++ ++ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t) ++ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) ++ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an boinc environment. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`boinc_admin',` ++ gen_require(` ++ type boinc_t, boinc_initrc_exec_t; ++ type boinc_var_lib_t; ++ ') ++ ++ allow $1 boinc_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, boinc_t, boinc_t) ++ ++ boinc_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 myboinc_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_var_lib($1) ++ admin_pattern($1, boinc_var_lib_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.15/policy/modules/services/boinc.te +--- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/boinc.te 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,80 @@ ++ ++policy_module(boinc,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type boinc_t; ++type boinc_exec_t; ++init_daemon_domain(boinc_t, boinc_exec_t) ++ ++permissive boinc_t; ++ ++type boinc_initrc_exec_t; ++init_script_file(boinc_initrc_exec_t) ++ ++type boinc_tmpfs_t; ++files_tmpfs_file(boinc_tmpfs_t) ++ ++type boinc_var_lib_t; ++files_type(boinc_var_lib_t) ++ ++######################################## ++# ++# boinc local policy ++# ++ ++allow boinc_t self:capability { kill }; ++allow boinc_t self:process { execmem fork setsched signal }; ++ ++allow boinc_t self:fifo_file rw_fifo_file_perms; ++allow boinc_t self:unix_stream_socket create_stream_socket_perms; ++allow boinc_t self:tcp_socket create_stream_socket_perms; ++allow boinc_t self:shm create_shm_perms; ++ ++manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) ++fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file) ++ ++exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) ++manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) ++manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) ++files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } ) ++ ++kernel_read_system_state(boinc_t) ++kernel_read_kernel_sysctls(boinc_t) ++ ++corecmd_exec_bin(boinc_t) ++corecmd_exec_shell(boinc_t) ++ ++corenet_all_recvfrom_unlabeled(boinc_t) ++corenet_all_recvfrom_netlabel(boinc_t) ++corenet_tcp_sendrecv_generic_if(boinc_t) ++corenet_udp_sendrecv_generic_if(boinc_t) ++corenet_tcp_sendrecv_generic_node(boinc_t) ++corenet_udp_sendrecv_generic_node(boinc_t) ++corenet_tcp_sendrecv_all_ports(boinc_t) ++corenet_udp_sendrecv_all_ports(boinc_t) ++corenet_tcp_bind_generic_node(boinc_t) ++corenet_udp_bind_generic_node(boinc_t) ++corenet_tcp_bind_boinc_port(boinc_t) ++corenet_tcp_connect_http_port(boinc_t) ++ ++dev_read_urand(boinc_t) ++ ++domain_read_all_domains_state(boinc_t) ++ ++files_read_etc_files(boinc_t) ++files_read_usr_files(boinc_t) ++ ++fs_getattr_all_fs(boinc_t) ++ ++term_dontaudit_getattr_ptmx(boinc_t) ++ ++miscfiles_read_localization(boinc_t) ++ ++logging_send_syslog_msg(boinc_t) ++ ++sysnet_dns_name_resolve(boinc_t) ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.15/policy/modules/services/cachefilesd.fc +--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cachefilesd.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,28 @@ ++############################################################################### ++# ++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. ++# Written by David Howells (dhowells@redhat.com) ++# Karl MacMillan (kmacmill@redhat.com) ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version ++# 2 of the License, or (at your option) any later version. ++# ++############################################################################### ++ ++# ++# Define the contexts to be assigned to various files and directories of ++# importance to the CacheFiles kernel module and userspace management daemon. ++# ++ ++# cachefilesd executable will have: ++# label: system_u:object_r:cachefilesd_exec_t ++# MLS sensitivity: s0 ++# MCS categories: ++ ++/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) ++/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0) ++/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) ++ ++/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.15/policy/modules/services/cachefilesd.if +--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cachefilesd.if 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,41 @@ ++############################################################################### ++# ++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. ++# Written by David Howells (dhowells@redhat.com) ++# Karl MacMillan (kmacmill@redhat.com) ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version ++# 2 of the License, or (at your option) any later version. ++# ++############################################################################### ++ ++# ++# Define the policy interface for the CacheFiles userspace management daemon. ++# ++ ++## policy for cachefilesd ++ ++######################################## ++## ++## Execute a domain transition to run cachefilesd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cachefilesd_domtrans',` ++ gen_require(` ++ type cachefilesd_t, cachefilesd_exec_t; ++ ') ++ ++ domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t) ++ ++ allow $1 cachefilesd_t:fd use; ++ allow cachefilesd_t $1:fd use; ++ allow cachefilesd_t $1:fifo_file rw_file_perms; ++ allow cachefilesd_t $1:process sigchld; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.15/policy/modules/services/cachefilesd.te +--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cachefilesd.te 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,146 @@ ++############################################################################### ++# ++# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. ++# Written by David Howells (dhowells@redhat.com) ++# Karl MacMillan (kmacmill@redhat.com) ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version ++# 2 of the License, or (at your option) any later version. ++# ++############################################################################### ++ ++# ++# This security policy governs access by the CacheFiles kernel module and ++# userspace management daemon to the files and directories in the on-disk ++# cache, on behalf of the processes accessing the cache through a network ++# filesystem such as NFS ++# ++policy_module(cachefilesd,1.0.17) ++ ++############################################################################### ++# ++# Declarations ++# ++require { type kernel_t; } ++ ++# ++# Files in the cache are created by the cachefiles module with security ID ++# cachefiles_var_t ++# ++type cachefiles_var_t; ++files_type(cachefiles_var_t) ++ ++# ++# The /dev/cachefiles character device has security ID cachefiles_dev_t ++# ++type cachefiles_dev_t; ++dev_node(cachefiles_dev_t) ++ ++# ++# The cachefilesd daemon normally runs with security ID cachefilesd_t ++# ++type cachefilesd_t; ++type cachefilesd_exec_t; ++domain_type(cachefilesd_t) ++init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) ++ ++# ++# The cachefilesd daemon pid file context ++# ++type cachefilesd_var_run_t; ++files_pid_file(cachefilesd_var_run_t) ++ ++# ++# The CacheFiles kernel module causes processes accessing the cache files to do ++# so acting as security ID cachefiles_kernel_t ++# ++type cachefiles_kernel_t; ++domain_type(cachefiles_kernel_t) ++domain_obj_id_change_exemption(cachefiles_kernel_t) ++role system_r types cachefiles_kernel_t; ++ ++############################################################################### ++# ++# Permit RPM to deal with files in the cache ++# ++rpm_use_script_fds(cachefilesd_t) ++ ++############################################################################### ++# ++# cachefilesd local policy ++# ++# These define what cachefilesd is permitted to do. This doesn't include very ++# much: startup stuff, logging, pid file, scanning the cache superstructure and ++# deleting files from the cache. It is not permitted to read/write files in ++# the cache. ++# ++# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow ++# rules. ++# ++allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override }; ++ ++# Basic access ++files_read_etc_files(cachefilesd_t) ++libs_use_ld_so(cachefilesd_t) ++libs_use_shared_libs(cachefilesd_t) ++miscfiles_read_localization(cachefilesd_t) ++logging_send_syslog_msg(cachefilesd_t) ++init_dontaudit_use_script_ptys(cachefilesd_t) ++term_dontaudit_use_generic_ptys(cachefilesd_t) ++term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) ++ ++# Allow manipulation of pid file ++allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; ++manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) ++manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t) ++files_pid_file(cachefilesd_var_run_t) ++files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file) ++ ++# Allow access to cachefiles device file ++allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms; ++ ++# Allow access to cache superstructure ++allow cachefilesd_t cachefiles_var_t : dir rw_dir_perms; ++allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink }; ++ ++# Permit statfs on the backing filesystem ++fs_getattr_xattr_fs(cachefilesd_t) ++ ++############################################################################### +# -+interface(`bind_setattr_zone_dirs',` -+ gen_require(` -+ type named_zone_t; -+ ') ++# When cachefilesd invokes the kernel module to begin caching, it has to tell ++# the kernel module the security context in which it should act, and this ++# policy has to approve that. ++# ++# There are two parts to this: ++# ++# (1) the security context used by the module to access files in the cache, ++# as set by the 'secctx' command in /etc/cachefilesd.conf, and ++# ++allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override }; + -+ allow $1 named_zone_t:dir setattr; -+') ++# ++# (2) the label that will be assigned to new files and directories created in ++# the cache by the module, which will be the same as the label on the ++# directory pointed to by the 'dir' command. ++# ++allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as }; + -+######################################## -+## - ## Read BIND zone files. - ## - ## -@@ -356,7 +375,7 @@ - - bind_run_ndc($1, $2) - -- init_labeled_script_domtrans($1, bind_initrc_exec_t) -+ init_labeled_script_domtrans($1, named_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 named_initrc_exec_t system_r; - allow $2 system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.9/policy/modules/services/bind.te ---- nsaserefpolicy/policy/modules/services/bind.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/bind.te 2010-02-16 15:08:37.000000000 -0500 -@@ -142,11 +142,11 @@ - - logging_send_syslog_msg(named_t) - -+init_read_script_tmp_files(named_t) ++############################################################################### ++# ++# cachefiles kernel module local policy ++# ++# This governs what the kernel module is allowed to do the contents of the ++# cache. ++# ++allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; ++allow cachefiles_kernel_t initrc_t:process sigchld; + - miscfiles_read_localization(named_t) - miscfiles_read_certs(named_t) - --sysnet_read_config(named_t) -- - userdom_dontaudit_use_unpriv_user_fds(named_t) - userdom_dontaudit_search_user_home_dirs(named_t) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.9/policy/modules/services/bluetooth.te ---- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/bluetooth.te 2010-02-16 15:08:37.000000000 -0500 -@@ -96,6 +96,7 @@ - kernel_read_system_state(bluetooth_t) - kernel_read_network_state(bluetooth_t) - kernel_request_load_module(bluetooth_t) -+kernel_search_debugfs(bluetooth_t) - - corenet_all_recvfrom_unlabeled(bluetooth_t) - corenet_all_recvfrom_netlabel(bluetooth_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.9/policy/modules/services/ccs.te ++manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t) ++manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t) ++ ++fs_getattr_xattr_fs(cachefiles_kernel_t) ++ ++dev_search_sysfs(cachefiles_kernel_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.15/policy/modules/services/ccs.te --- nsaserefpolicy/policy/modules/services/ccs.te 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/ccs.te 2010-02-16 15:08:37.000000000 -0500 -@@ -73,6 +73,8 @@ - manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) - files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file }) ++++ serefpolicy-3.7.15/policy/modules/services/ccs.te 2010-03-18 10:44:43.000000000 -0400 +@@ -114,5 +114,10 @@ + ') -+aisexec_stream_connect(ccs_t) + optional_policy(` ++ aisexec_stream_connect(ccs_t) ++ corosync_stream_connect(ccs_t) ++') + - kernel_read_kernel_sysctls(ccs_t) - - corecmd_list_bin(ccs_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.9/policy/modules/services/certmaster.fc ---- nsaserefpolicy/policy/modules/services/certmaster.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/certmaster.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -3,5 +3,6 @@ - - /usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) - -+/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0) - /var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) - /var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.9/policy/modules/services/certmonger.fc ++optional_policy(` + unconfined_use_fds(ccs_t) + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.15/policy/modules/services/certmonger.fc --- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/certmonger.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/certmonger.fc 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) + @@ -13721,9 +12927,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + +/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0) +/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.9/policy/modules/services/certmonger.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.15/policy/modules/services/certmonger.if --- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/certmonger.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/certmonger.if 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,217 @@ + +## Certificate status monitor and PKI enrollment client @@ -13942,9 +13148,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + files_search_pids($1) + admin_pattern($1, cermonger_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.9/policy/modules/services/certmonger.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.15/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/certmonger.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/certmonger.te 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,74 @@ +policy_module(certmonger,1.0.0) + @@ -14020,9 +13226,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +optional_policy(` + unconfined_dbus_send(certmonger_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.9/policy/modules/services/cgroup.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.15/policy/modules/services/cgroup.fc --- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/cgroup.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cgroup.fc 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0) +/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0) @@ -14031,9 +13237,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0) + +/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.9/policy/modules/services/cgroup.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.15/policy/modules/services/cgroup.if --- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/cgroup.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cgroup.if 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,35 @@ +## Control group rules engine daemon. +## @@ -14070,9 +13276,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.9/policy/modules/services/cgroup.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.15/policy/modules/services/cgroup.te --- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/cgroup.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cgroup.te 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,87 @@ +policy_module(cgroup, 1.0.0) + @@ -14150,7 +13356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + fs_manage_cgroup_dirs(cgconfigparser_t) + fs_rw_cgroup_files(cgconfigparser_t) + fs_setattr_cgroup_files(cgconfigparser_t) -+ fs_mount_cgroup_fs(cgconfigparser_t) ++ fs_mount_cgroup(cgconfigparser_t) +') + +files_mounton_mnt(cgconfigparser_t) @@ -14161,18 +13367,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +# /mnt/cgroups/cpu +kernel_list_unlabeled(cgconfigparser_t) +kernel_read_system_state(cgconfigparser_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.9/policy/modules/services/chronyd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.15/policy/modules/services/chronyd.fc --- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/chronyd.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/chronyd.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,3 +1,5 @@ +/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) + /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.9/policy/modules/services/chronyd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.15/policy/modules/services/chronyd.if --- nsaserefpolicy/policy/modules/services/chronyd.if 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/chronyd.if 2010-02-16 15:09:12.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/chronyd.if 2010-03-18 10:44:43.000000000 -0400 @@ -77,7 +77,7 @@ gen_require(` type chronyd_t, chronyd_var_log_t; @@ -14191,9 +13397,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro logging_search_logs($1) admin_pattern($1, chronyd_var_log_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.9/policy/modules/services/chronyd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.15/policy/modules/services/chronyd.te --- nsaserefpolicy/policy/modules/services/chronyd.te 2010-02-16 14:58:22.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/chronyd.te 2010-02-16 15:12:44.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/chronyd.te 2010-03-18 10:44:43.000000000 -0400 @@ -13,6 +13,9 @@ type chronyd_initrc_exec_t; init_script_file(chronyd_initrc_exec_t) @@ -14242,9 +13448,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro +optional_policy(` + gpsd_rw_shm(chronyd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.9/policy/modules/services/clamav.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.15/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/clamav.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/clamav.te 2010-03-18 10:44:43.000000000 -0400 @@ -57,6 +57,7 @@ # @@ -14268,18 +13474,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam optional_policy(` cron_system_entry(freshclam_t, freshclam_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.9/policy/modules/services/clogd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.15/policy/modules/services/clogd.fc --- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/clogd.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/clogd.fc 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,4 @@ + +/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) + +/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.9/policy/modules/services/clogd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.15/policy/modules/services/clogd.if --- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/clogd.if 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,98 @@ ++++ serefpolicy-3.7.15/policy/modules/services/clogd.if 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,82 @@ +## clogd - clustered mirror log server + +###################################### @@ -14324,26 +13530,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog + +##################################### +## -+## Manage clogd tmpfs files. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`clogd_manage_tmpfs_files',` -+ gen_require(` -+ type clogd_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($1) -+ manage_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) -+ manage_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) -+') -+ -+##################################### -+## +## Allow read and write access to clogd semaphores. +## +## @@ -14376,12 +13562,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog + ') + + allow $1 clogd_t:shm { rw_shm_perms destroy }; ++ allow $1 clogd_tmpfs_t:dir list_dir_perms; ++ rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) ++ read_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) ++ fs_search_tmpfs($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.9/policy/modules/services/clogd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.15/policy/modules/services/clogd.te --- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/clogd.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,62 @@ ++++ serefpolicy-3.7.15/policy/modules/services/clogd.te 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,65 @@ + +policy_module(clogd,1.0.0) + @@ -14425,8 +13615,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog +manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) +files_pid_filetrans(clogd_t,clogd_var_run_t, { file }) + -+aisexec_stream_connect(clogd_t) -+ +dev_manage_generic_blk_files(clogd_t) + +storage_raw_read_fixed_disk(clogd_t) @@ -14440,32 +13628,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog +miscfiles_read_localization(clogd_t) + +optional_policy(` -+ dev_read_lvm_control(clogd_t) ++ aisexec_stream_connect(clogd_t) ++ corosync_stream_connect(clogd_t) +') + ++optional_policy(` ++ dev_read_lvm_control(clogd_t) ++') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.9/policy/modules/services/cobbler.fc ---- nsaserefpolicy/policy/modules/services/cobbler.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/cobbler.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -5,3 +5,5 @@ - - /var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) - /var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) + -+/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_rw_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.9/policy/modules/services/cobbler.if ---- nsaserefpolicy/policy/modules/services/cobbler.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/cobbler.if 2010-02-16 15:08:37.000000000 -0500 -@@ -162,6 +162,7 @@ - gen_require(` - type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; - type cobbler_etc_t; -+ type httpd_cobbler_content_rw_t; - ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.15/policy/modules/services/cobbler.if +--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-03-05 10:46:32.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cobbler.if 2010-03-18 10:44:43.000000000 -0400 +@@ -173,9 +173,11 @@ + files_list_var_lib($1) + admin_pattern($1, cobbler_var_lib_t) - allow $1 cobblerd_t:process { ptrace signal_perms getattr }; -@@ -176,6 +177,8 @@ - files_search_var_log($1) +- files_search_var_log($1) ++ logging_search_logs($1) admin_pattern($1, cobbler_var_log_t) + admin_pattern($1, httpd_cobbler_content_rw_t) @@ -14473,9 +13653,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb cobblerd_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 cobblerd_initrc_exec_t system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.9/policy/modules/services/cobbler.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.15/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/cobbler.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cobbler.te 2010-03-18 10:44:43.000000000 -0400 @@ -40,6 +40,7 @@ allow cobblerd_t self:fifo_file rw_fifo_file_perms; allow cobblerd_t self:tcp_socket create_stream_socket_perms; @@ -14506,9 +13686,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +apache_content_template(cobbler) +manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) +manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.9/policy/modules/services/consolekit.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.15/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/consolekit.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/consolekit.fc 2010-03-18 10:44:43.000000000 -0400 @@ -2,4 +2,5 @@ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) @@ -14516,9 +13696,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons -/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) + +/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.9/policy/modules/services/consolekit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.15/policy/modules/services/consolekit.if --- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/consolekit.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/consolekit.if 2010-03-18 10:44:43.000000000 -0400 @@ -57,3 +57,42 @@ read_files_pattern($1, consolekit_log_t, consolekit_log_t) files_search_pids($1) @@ -14562,10 +13742,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.9/policy/modules/services/consolekit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.15/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/consolekit.te 2010-02-16 15:08:37.000000000 -0500 -@@ -21,7 +21,7 @@ ++++ serefpolicy-3.7.15/policy/modules/services/consolekit.te 2010-03-18 10:44:43.000000000 -0400 +@@ -16,12 +16,15 @@ + type consolekit_var_run_t; + files_pid_file(consolekit_var_run_t) + ++type consolekit_tmpfs_t; ++files_tmpfs_file(consolekit_tmpfs_t) ++ + ######################################## + # # consolekit local policy # @@ -14574,7 +13762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket create_stream_socket_perms; -@@ -59,28 +59,36 @@ +@@ -59,28 +62,36 @@ term_use_all_terms(consolekit_t) auth_use_nsswitch(consolekit_t) @@ -14615,7 +13803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons ') optional_policy(` -@@ -100,6 +108,7 @@ +@@ -100,19 +111,33 @@ ') optional_policy(` @@ -14623,11 +13811,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) policykit_read_reload(consolekit_t) -@@ -110,9 +119,17 @@ + ') + + optional_policy(` ++ shutdown_domtrans(consolekit_t) ++') ++ ++optional_policy(` + xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) xserver_non_drawing_client(consolekit_t) corenet_tcp_connect_xserver_port(consolekit_t) + xserver_stream_connect(consolekit_t) ++ xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t) +') + +optional_policy(` @@ -14641,10 +13837,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + unconfined_ptrace(consolekit_t) unconfined_stream_connect(consolekit_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.9/policy/modules/services/corosync.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.15/policy/modules/services/corosync.fc --- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/corosync.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,13 @@ ++++ serefpolicy-3.7.15/policy/modules/services/corosync.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,14 @@ + +/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) + @@ -14656,11 +13852,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + +/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0) + ++/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.9/policy/modules/services/corosync.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.15/policy/modules/services/corosync.if --- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/corosync.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/corosync.if 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,108 @@ +## SELinux policy for Corosync Cluster Engine + @@ -14770,10 +13967,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.9/policy/modules/services/corosync.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.15/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/corosync.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,110 @@ ++++ serefpolicy-3.7.15/policy/modules/services/corosync.te 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,115 @@ + +policy_module(corosync,1.0.0) + @@ -14870,23 +14067,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + +userdom_rw_user_tmpfs_files(corosync_t) + -+# to communication with RHCS -+dlm_controld_manage_tmpfs_files(corosync_t) -+dlm_controld_rw_semaphores(corosync_t) ++optional_policy(` ++ ccs_read_config(corosync_t) ++') + -+fenced_manage_tmpfs_files(corosync_t) -+fenced_rw_semaphores(corosync_t) ++optional_policy(` ++ # to communication with RHCS ++ dlm_controld_manage_tmpfs_files(corosync_t) ++ dlm_controld_rw_semaphores(corosync_t) + -+gfs_controld_manage_tmpfs_files(corosync_t) -+gfs_controld_rw_semaphores(corosync_t) ++ fenced_manage_tmpfs_files(corosync_t) ++ fenced_rw_semaphores(corosync_t) + -+optional_policy(` -+ ccs_read_config(corosync_t) ++ gfs_controld_manage_tmpfs_files(corosync_t) ++ gfs_controld_rw_semaphores(corosync_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.9/policy/modules/services/cron.fc ++optional_policy(` ++ rgmanager_manage_tmpfs_files(corosync_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.15/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/cron.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cron.fc 2010-03-18 10:44:43.000000000 -0400 @@ -14,7 +14,7 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -14904,9 +14106,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.9/policy/modules/services/cron.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.15/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/cron.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cron.if 2010-03-18 10:44:43.000000000 -0400 @@ -12,6 +12,10 @@ ## # @@ -15057,9 +14259,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.9/policy/modules/services/cron.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.15/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/cron.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cron.te 2010-03-18 10:44:43.000000000 -0400 @@ -38,8 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -15100,21 +14302,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron type system_cronjob_lock_t alias system_crond_lock_t; files_lock_file(system_cronjob_lock_t) -@@ -110,6 +117,13 @@ +@@ -109,6 +116,14 @@ + typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; files_type(user_cron_spool_t) ubac_constrained(user_cron_spool_t) - ++mta_system_content(user_cron_spool_t) ++ +type system_cronjob_var_lib_t; +files_type(system_cronjob_var_lib_t) +typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; + +type system_cronjob_var_run_t; +files_pid_file(system_cronjob_var_run_t) -+ + ######################################## # - # Admin crontab local policy -@@ -139,7 +153,7 @@ +@@ -139,7 +154,7 @@ allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; @@ -15123,7 +14326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron allow crond_t self:process { setexec setfscreate }; allow crond_t self:fd use; allow crond_t self:fifo_file rw_fifo_file_perms; -@@ -194,6 +208,8 @@ +@@ -194,6 +209,8 @@ corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) @@ -15132,7 +14335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) -@@ -209,7 +225,9 @@ +@@ -209,7 +226,9 @@ auth_use_nsswitch(crond_t) @@ -15142,7 +14345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -220,8 +238,10 @@ +@@ -220,8 +239,10 @@ userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) @@ -15153,7 +14356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`distro_debian',` # pam_limits is used -@@ -241,8 +261,17 @@ +@@ -241,8 +262,17 @@ ') ') @@ -15173,7 +14376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -251,6 +280,20 @@ +@@ -251,6 +281,20 @@ ') optional_policy(` @@ -15194,7 +14397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron amanda_search_var_lib(crond_t) ') -@@ -260,6 +303,8 @@ +@@ -260,6 +304,8 @@ optional_policy(` hal_dbus_chat(crond_t) @@ -15203,7 +14406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -302,10 +347,17 @@ +@@ -302,10 +348,17 @@ # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -15222,7 +14425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -325,6 +377,7 @@ +@@ -325,6 +378,7 @@ allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -15230,7 +14433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -336,9 +389,13 @@ +@@ -336,9 +390,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -15245,7 +14448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -361,6 +418,7 @@ +@@ -361,6 +419,7 @@ dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) @@ -15253,7 +14456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -387,6 +445,7 @@ +@@ -387,6 +446,7 @@ # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -15261,7 +14464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -411,6 +470,8 @@ +@@ -411,6 +471,8 @@ ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files @@ -15270,7 +14473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -435,6 +496,7 @@ +@@ -435,6 +497,7 @@ apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -15278,7 +14481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -442,6 +504,14 @@ +@@ -442,6 +505,14 @@ ') optional_policy(` @@ -15293,7 +14496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ftp_read_log(system_cronjob_t) ') -@@ -456,11 +526,16 @@ +@@ -456,11 +527,16 @@ ') optional_policy(` @@ -15310,7 +14513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -476,7 +551,7 @@ +@@ -476,7 +552,7 @@ prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -15319,7 +14522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -491,6 +566,7 @@ +@@ -491,6 +567,7 @@ optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -15327,7 +14530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -498,6 +574,9 @@ +@@ -498,6 +575,9 @@ ') optional_policy(` @@ -15337,9 +14540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.9/policy/modules/services/cups.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.15/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/cups.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cups.fc 2010-03-18 10:44:43.000000000 -0400 @@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) @@ -15386,9 +14589,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.9/policy/modules/services/cups.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.15/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/cups.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cups.te 2010-03-18 10:44:43.000000000 -0400 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -15601,7 +14804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,11 +598,15 @@ +@@ -556,13 +598,18 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -15616,8 +14819,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +') tunable_policy(`use_nfs_home_dirs',` ++ fs_search_auto_mountpoints(cups_pdf_t) fs_manage_nfs_dirs(cups_pdf_t) -@@ -601,6 +647,9 @@ + fs_manage_nfs_files(cups_pdf_t) + ') +@@ -601,6 +648,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -15627,7 +14833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +676,7 @@ +@@ -627,6 +677,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) @@ -15635,18 +14841,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.9/policy/modules/services/cvs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.15/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/cvs.te 2010-02-16 15:08:37.000000000 -0500 -@@ -112,4 +112,5 @@ ++++ serefpolicy-3.7.15/policy/modules/services/cvs.te 2010-03-18 10:44:43.000000000 -0400 +@@ -93,6 +93,7 @@ + auth_can_read_shadow_passwords(cvs_t) + tunable_policy(`allow_cvs_read_shadow',` + auth_tunable_read_shadow(cvs_t) ++ allow cvs_t self:capability dac_override; + ') + + optional_policy(` +@@ -112,4 +113,5 @@ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.9/policy/modules/services/cyrus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.15/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/cyrus.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/cyrus.te 2010-03-18 10:44:43.000000000 -0400 @@ -75,6 +75,7 @@ corenet_tcp_bind_mail_port(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) @@ -15663,9 +14877,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru snmp_read_snmp_var_lib_files(cyrus_t) snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.9/policy/modules/services/dbus.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.15/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/dbus.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/dbus.if 2010-03-18 10:44:43.000000000 -0400 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -15756,13 +14970,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## for service (acquire_svc). ## ## -@@ -364,6 +372,18 @@ +@@ -364,6 +372,19 @@ dbus_system_bus_client($1) dbus_connect_system_bus($1) + ps_process_pattern(system_dbusd_t, $1) + + userdom_dontaudit_search_admin_dir($1) ++ userdom_read_all_users_state($1) + + optional_policy(` + rpm_script_dbus_chat($1) @@ -15775,7 +14990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ifdef(`hide_broken_symptoms', ` dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') -@@ -405,3 +425,24 @@ +@@ -405,3 +426,24 @@ typeattribute $1 dbusd_unconfined; ') @@ -15800,9 +15015,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.9/policy/modules/services/dbus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.15/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/dbus.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/dbus.te 2010-03-18 10:44:43.000000000 -0400 @@ -86,6 +86,7 @@ dev_read_sysfs(system_dbusd_t) @@ -15861,9 +15076,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + xserver_rw_xdm_pipes(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.9/policy/modules/services/denyhosts.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.15/policy/modules/services/dcc.te +--- nsaserefpolicy/policy/modules/services/dcc.te 2010-01-07 14:53:53.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/dcc.te 2010-03-18 10:44:43.000000000 -0400 +@@ -81,7 +81,7 @@ + # dcc daemon controller local policy + # + +-allow cdcc_t self:capability setuid; ++allow cdcc_t self:capability { setuid setgid }; + allow cdcc_t self:unix_dgram_socket create_socket_perms; + allow cdcc_t self:udp_socket create_socket_perms; + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.15/policy/modules/services/denyhosts.fc --- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/denyhosts.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/denyhosts.fc 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0) + @@ -15872,9 +15099,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0) +/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0) +/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.9/policy/modules/services/denyhosts.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.15/policy/modules/services/denyhosts.if --- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/denyhosts.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/denyhosts.if 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,90 @@ +## Deny Hosts. +## @@ -15966,9 +15193,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny + ps_process_pattern($1, denyhosts_t) + read_lnk_files_pattern($1, denyhosts_t, denyhosts_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.9/policy/modules/services/denyhosts.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.15/policy/modules/services/denyhosts.te --- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/denyhosts.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/denyhosts.te 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,72 @@ + +policy_module(denyhosts, 1.0.0) @@ -16042,9 +15269,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +optional_policy(` + cron_system_entry(denyhosts_t, denyhosts_exec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.9/policy/modules/services/devicekit.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.15/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/devicekit.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/devicekit.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,8 +1,12 @@ /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) @@ -16056,11 +15283,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) - /var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +-/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) ++/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.9/policy/modules/services/devicekit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.15/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/devicekit.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/devicekit.if 2010-03-18 10:44:43.000000000 -0400 @@ -139,6 +139,26 @@ ######################################## @@ -16088,9 +15316,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ## All of the rules required to administrate ## an devicekit environment ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.9/policy/modules/services/devicekit.te +@@ -162,7 +182,7 @@ + interface(`devicekit_admin',` + gen_require(` + type devicekit_t, devicekit_disk_t, devicekit_power_t; +- type devicekit_var_run_t; ++ type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; + ') + + allow $1 devicekit_t:process { ptrace signal_perms getattr }; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.15/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/devicekit.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/devicekit.te 2010-03-18 10:44:43.000000000 -0400 @@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) @@ -16112,7 +15349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -@@ -71,29 +75,58 @@ +@@ -71,29 +75,62 @@ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) @@ -16150,6 +15387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +files_getattr_all_sockets(devicekit_disk_t) +files_getattr_all_mountpoints(devicekit_disk_t) +files_getattr_all_files(devicekit_disk_t) ++files_manage_boot_dirs(devicekit_disk_t) +files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) @@ -16168,12 +15406,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) ++mls_file_read_all_levels(devicekit_disk_t) ++mls_file_write_to_clearance(devicekit_disk_t) ++ +term_use_all_terms(devicekit_disk_t) + auth_use_nsswitch(devicekit_disk_t) miscfiles_read_localization(devicekit_disk_t) -@@ -102,6 +135,16 @@ +@@ -102,6 +139,16 @@ userdom_search_user_home_dirs(devicekit_disk_t) optional_policy(` @@ -16190,15 +15431,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi fstools_domtrans(devicekit_disk_t) ') -@@ -110,6 +153,7 @@ +@@ -110,28 +157,27 @@ ') optional_policy(` ++ mount_domtrans(devicekit_disk_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(devicekit_disk_t) policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) -@@ -120,18 +164,12 @@ + ') + + optional_policy(` +- mount_domtrans(devicekit_disk_t) ++ raid_domtrans_mdadm(devicekit_disk_t) ') optional_policy(` @@ -16220,7 +15469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ') ######################################## -@@ -139,9 +177,11 @@ +@@ -139,9 +185,11 @@ # DeviceKit-Power local policy # @@ -16233,15 +15482,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +191,7 @@ +@@ -151,6 +199,8 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) ++kernel_search_debugfs(devicekit_power_t) +kernel_write_proc_files(devicekit_power_t) corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,7 +200,9 @@ +@@ -159,7 +209,9 @@ domain_read_all_domains_state(devicekit_power_t) @@ -16251,7 +15501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +210,16 @@ +@@ -167,12 +219,17 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) @@ -16264,11 +15514,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi miscfiles_read_localization(devicekit_power_t) +sysnet_read_config(devicekit_power_t) ++sysnet_domtrans_ifconfig(devicekit_power_t) + userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,6 +227,10 @@ +@@ -180,6 +237,10 @@ ') optional_policy(` @@ -16279,7 +15530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -203,17 +254,23 @@ +@@ -203,17 +264,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) @@ -16303,9 +15554,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +optional_policy(` vbetool_domtrans(devicekit_power_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.9/policy/modules/services/djbdns.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.15/policy/modules/services/dhcp.te +--- nsaserefpolicy/policy/modules/services/dhcp.te 2010-02-12 10:33:09.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/dhcp.te 2010-03-18 10:44:43.000000000 -0400 +@@ -112,6 +112,10 @@ + ') + + optional_policy(` ++ cobbler_dontaudit_rw_log(dhcpd_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(dhcpd_t) + dbus_connect_system_bus(dhcpd_t) + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.15/policy/modules/services/djbdns.if --- nsaserefpolicy/policy/modules/services/djbdns.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/djbdns.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/djbdns.if 2010-03-18 10:44:43.000000000 -0400 @@ -26,6 +26,8 @@ daemontools_read_svc(djbdns_$1_t) @@ -16355,9 +15620,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd + + allow $1 djbdns_tinydn_t:key link; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.9/policy/modules/services/djbdns.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.15/policy/modules/services/djbdns.te --- nsaserefpolicy/policy/modules/services/djbdns.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/djbdns.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/djbdns.te 2010-03-18 10:44:43.000000000 -0400 @@ -42,3 +42,11 @@ files_search_var(djbdns_axfrdns_t) @@ -16370,9 +15635,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd + +init_dontaudit_use_script_fds(djbdns_tinydns_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.9/policy/modules/services/dnsmasq.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.15/policy/modules/services/dnsmasq.fc --- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/dnsmasq.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/dnsmasq.fc 2010-03-18 10:44:43.000000000 -0400 @@ -6,5 +6,7 @@ /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) @@ -16381,9 +15646,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm + /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.9/policy/modules/services/dnsmasq.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.15/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/dnsmasq.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/dnsmasq.if 2010-03-18 10:44:43.000000000 -0400 @@ -111,7 +111,7 @@ type dnsmasq_etc_t; ') @@ -16402,9 +15667,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm files_search_etc($1) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.9/policy/modules/services/dnsmasq.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.15/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/dnsmasq.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/dnsmasq.te 2010-03-18 10:44:43.000000000 -0400 @@ -19,6 +19,9 @@ type dnsmasq_lease_t; files_type(dnsmasq_lease_t) @@ -16460,9 +15725,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm seutil_sigchld_newrole(dnsmasq_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.9/policy/modules/services/dovecot.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.15/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/dovecot.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/dovecot.fc 2010-03-18 10:44:43.000000000 -0400 @@ -34,6 +34,7 @@ /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) @@ -16471,9 +15736,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.9/policy/modules/services/dovecot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.15/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/dovecot.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/dovecot.te 2010-03-18 10:44:43.000000000 -0400 @@ -73,14 +73,21 @@ can_exec(dovecot_t, dovecot_exec_t) @@ -16536,18 +15801,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) dovecot_stream_connect_auth(dovecot_auth_t) -@@ -197,8 +205,9 @@ +@@ -197,8 +205,8 @@ files_search_pids(dovecot_auth_t) files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) +files_read_var_lib_files(dovecot_auth_t) files_search_tmp(dovecot_auth_t) -files_read_var_lib_files(dovecot_t) -+files_search_var_log(dovecot_auth_t) init_rw_utmp(dovecot_auth_t) -@@ -225,6 +234,7 @@ +@@ -225,6 +233,7 @@ ') optional_policy(` @@ -16555,7 +15819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -234,6 +244,8 @@ +@@ -234,6 +243,8 @@ # allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; @@ -16564,6 +15828,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; +@@ -246,6 +257,7 @@ + auth_use_nsswitch(dovecot_deliver_t) + + logging_send_syslog_msg(dovecot_deliver_t) ++logging_search_logs(dovecot_auth_t) + + miscfiles_read_localization(dovecot_deliver_t) + @@ -263,11 +275,19 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) @@ -16584,49 +15856,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove fs_manage_cifs_files(dovecot_t) fs_manage_cifs_symlinks(dovecot_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.9/policy/modules/services/exim.te ---- nsaserefpolicy/policy/modules/services/exim.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/exim.te 2010-02-16 15:08:37.000000000 -0500 -@@ -192,6 +192,10 @@ - ') - - optional_policy(` -+ sendmail_manage_tmp_files(exim_t) -+') -+ -+optional_policy(` - spamassassin_exec(exim_t) - spamassassin_exec_client(exim_t) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.9/policy/modules/services/fail2ban.if ---- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/fail2ban.if 2010-02-16 15:08:37.000000000 -0500 -@@ -98,6 +98,46 @@ - allow $1 fail2ban_var_run_t:file read_file_perms; - ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.15/policy/modules/services/fail2ban.if +--- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/services/fail2ban.if 2010-03-18 10:44:43.000000000 -0400 +@@ -138,6 +138,26 @@ -+##################################### -+## -+## Connect to fail2ban over a unix domain -+## stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fail2ban_stream_connect',` -+ gen_require(` -+ type fail2ban_t, fail2ban_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) -+') -+ -+######################################## -+## + ######################################## + ## +## dontaudit read and write an leaked file descriptors +## +## @@ -16645,45 +15881,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail + dontaudit $1 fail2ban_t:unix_stream_socket { read write }; +') + - ######################################## - ## - ## All of the rules required to administrate -@@ -135,3 +175,21 @@ - files_list_pids($1) - admin_pattern($1, fail2ban_var_run_t) - ') -+ +######################################## +## -+## Read and write to an fail2ban unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fail2ban_rw_stream_sockets',` -+ gen_require(` -+ type fail2ban_t; -+ ') -+ -+ allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl }; -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.9/policy/modules/services/fetchmail.te ---- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/fetchmail.te 2010-02-16 15:08:37.000000000 -0500 -@@ -48,6 +48,7 @@ - kernel_dontaudit_read_system_state(fetchmail_t) - - corecmd_exec_shell(fetchmail_t) -+corecmd_exec_bin(fetchmail_t) - - corenet_all_recvfrom_unlabeled(fetchmail_t) - corenet_all_recvfrom_netlabel(fetchmail_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.9/policy/modules/services/fprintd.te + ## All of the rules required to administrate + ## an fail2ban environment + ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.15/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/fprintd.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/fprintd.te 2010-03-18 10:44:43.000000000 -0400 @@ -55,4 +55,6 @@ policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) @@ -16691,9 +15896,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri + policykit_dbus_chat_auth(fprintd_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.9/policy/modules/services/ftp.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.15/policy/modules/services/ftp.fc --- nsaserefpolicy/policy/modules/services/ftp.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/ftp.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ftp.fc 2010-03-18 10:44:43.000000000 -0400 @@ -22,7 +22,7 @@ # # /var @@ -16703,9 +15908,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.9/policy/modules/services/ftp.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.15/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/ftp.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ftp.if 2010-03-18 10:44:43.000000000 -0400 @@ -115,6 +115,44 @@ role $2 types ftpdctl_t; ') @@ -16751,9 +15956,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ######################################## ## ## All of the rules required to administrate -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.9/policy/modules/services/ftp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.15/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/ftp.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ftp.te 2010-03-18 10:44:43.000000000 -0400 @@ -41,11 +41,51 @@ ## @@ -17002,9 +16207,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. + fs_read_nfs_files(sftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.9/policy/modules/services/git.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.15/policy/modules/services/git.fc --- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/git.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/git.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,3 +1,16 @@ -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) @@ -17025,9 +16230,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + +/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.9/policy/modules/services/git.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.15/policy/modules/services/git.if --- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/git.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/git.if 2010-03-18 10:44:43.000000000 -0400 @@ -1 +1,535 @@ -## GIT revision control system +## Git - Fast Version Control System. @@ -17565,9 +16770,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + userdom_search_user_home_dirs($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.9/policy/modules/services/git.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.15/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/git.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/git.te 2010-03-18 10:44:43.000000000 -0400 @@ -1,9 +1,182 @@ -policy_module(git, 1.0) @@ -17754,9 +16959,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. -apache_content_template(git) +#git_role_template(git_shell) +#gen_user(git_shell_u, user, git_shell_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.9/policy/modules/services/gpsd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.15/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/gpsd.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/gpsd.te 2010-03-18 10:44:43.000000000 -0400 @@ -25,7 +25,7 @@ # gpsd local policy # @@ -17766,9 +16971,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd allow gpsd_t self:process setsched; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.9/policy/modules/services/hal.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.15/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/hal.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/hal.te 2010-03-18 10:44:43.000000000 -0400 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -17796,7 +17001,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. kernel_setsched(hald_t) kernel_request_load_module(hald_t) -@@ -161,6 +165,7 @@ +@@ -117,6 +121,7 @@ + corenet_udp_sendrecv_all_ports(hald_t) + + dev_rw_usbfs(hald_t) ++dev_read_rand(hald_t) + dev_read_urand(hald_t) + dev_read_input(hald_t) + dev_read_mouse(hald_t) +@@ -161,6 +166,7 @@ fs_unmount_dos_fs(hald_t) fs_manage_dos_files(hald_t) fs_manage_fusefs_dirs(hald_t) @@ -17804,7 +17017,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. files_getattr_all_mountpoints(hald_t) -@@ -295,6 +300,7 @@ +@@ -180,7 +186,7 @@ + + # hal_probe_serial causes these + term_setattr_unallocated_ttys(hald_t) +-term_dontaudit_use_unallocated_ttys(hald_t) ++term_use_unallocated_ttys(hald_t) + + auth_use_nsswitch(hald_t) + +@@ -266,6 +272,10 @@ + ') + + optional_policy(` ++ gnome_read_config(hald_t) ++') ++ ++optional_policy(` + gpm_dontaudit_getattr_gpmctl(hald_t) + ') + +@@ -295,6 +305,7 @@ ') optional_policy(` @@ -17812,7 +17045,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ppp_read_rw_config(hald_t) ') -@@ -331,6 +337,10 @@ +@@ -315,11 +326,19 @@ + ') + + optional_policy(` ++ shutdown_domtrans(hald_t) ++') ++ ++optional_policy(` + udev_domtrans(hald_t) + udev_read_db(hald_t) + ') + + optional_policy(` ++ usbmuxd_stream_connect(hald_t) ++') ++ ++optional_policy(` + updfstab_domtrans(hald_t) + ') + +@@ -331,6 +350,10 @@ virt_manage_images(hald_t) ') @@ -17823,7 +17076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Hal acl local policy -@@ -351,6 +361,7 @@ +@@ -351,6 +374,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -17831,7 +17084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. corecmd_exec_bin(hald_acl_t) -@@ -463,6 +474,10 @@ +@@ -463,6 +487,10 @@ miscfiles_read_localization(hald_keymap_t) @@ -17842,21 +17095,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local hald dccm policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.9/policy/modules/services/howl.te ---- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/howl.te 2010-02-16 15:08:37.000000000 -0500 -@@ -30,7 +30,7 @@ - - kernel_read_network_state(howl_t) - kernel_read_kernel_sysctls(howl_t) --kernel_load_module(howl_t) -+kernel_request_load_module(howl_t) - kernel_list_proc(howl_t) - kernel_read_proc_symlinks(howl_t) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.9/policy/modules/services/icecast.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.15/policy/modules/services/icecast.fc --- nsaserefpolicy/policy/modules/services/icecast.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/icecast.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/icecast.fc 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0) + @@ -17865,9 +17106,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec +/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0) + +/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.9/policy/modules/services/icecast.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.15/policy/modules/services/icecast.if --- nsaserefpolicy/policy/modules/services/icecast.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/icecast.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/icecast.if 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,199 @@ + +## ShoutCast compatible streaming media server @@ -18068,9 +17309,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec + icecast_manage_log($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.9/policy/modules/services/icecast.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.15/policy/modules/services/icecast.te --- nsaserefpolicy/policy/modules/services/icecast.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/icecast.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/icecast.te 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,59 @@ +policy_module(icecast,1.0.0) + @@ -18131,9 +17372,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec +optional_policy(` + rtkit_daemon_system_domain(icecast_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.9/policy/modules/services/kerberos.if ---- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/kerberos.if 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.15/policy/modules/services/inn.te +--- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/services/inn.te 2010-03-18 10:44:43.000000000 -0400 +@@ -106,6 +106,7 @@ + + userdom_dontaudit_use_unpriv_user_fds(innd_t) + userdom_dontaudit_search_user_home_dirs(innd_t) ++userdom_stream_connect(innd_t) + + mta_send_mail(innd_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.15/policy/modules/services/kerberos.if +--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/services/kerberos.if 2010-03-18 10:44:43.000000000 -0400 @@ -74,7 +74,7 @@ ') @@ -18154,9 +17406,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.9/policy/modules/services/kerberos.te ---- nsaserefpolicy/policy/modules/services/kerberos.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/kerberos.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.15/policy/modules/services/kerberos.te +--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/services/kerberos.te 2010-03-18 10:44:43.000000000 -0400 @@ -112,6 +112,7 @@ kernel_read_kernel_sysctls(kadmind_t) @@ -18174,18 +17426,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow kpropd_t krb5_keytab_t:file read_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.9/policy/modules/services/ksmtuned.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.15/policy/modules/services/ksmtuned.fc --- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/ksmtuned.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ksmtuned.fc 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) + +/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) + +/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.9/policy/modules/services/ksmtuned.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.15/policy/modules/services/ksmtuned.if --- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/ksmtuned.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ksmtuned.if 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,76 @@ + +## policy for Kernel Samepage Merging (KSM) Tuning Daemon @@ -18263,9 +17515,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt + allow $2 system_r; + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.9/policy/modules/services/ksmtuned.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.15/policy/modules/services/ksmtuned.te --- nsaserefpolicy/policy/modules/services/ksmtuned.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/ksmtuned.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ksmtuned.te 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,44 @@ +policy_module(ksmtuned,1.0.0) + @@ -18311,38 +17563,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt +files_read_etc_files(ksmtuned_t) + +miscfiles_read_localization(ksmtuned_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.9/policy/modules/services/ldap.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.15/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/ldap.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -1,8 +1,12 @@ ++++ serefpolicy-3.7.15/policy/modules/services/ldap.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -1,5 +1,7 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) +/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + /etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/dirsrv.* -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) -+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - - ifdef(`distro_debian',` - /usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) -@@ -10,8 +14,12 @@ - - /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) - /var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) -+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) -+ -+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:slapd_log_t,s0) - - /var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) +@@ -15,3 +17,4 @@ /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) -+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.9/policy/modules/services/ldap.if ++#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.15/policy/modules/services/ldap.if --- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/ldap.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ldap.if 2010-03-18 10:44:43.000000000 -0400 @@ -1,5 +1,43 @@ ## OpenLDAP directory server @@ -18387,10 +17626,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ######################################## ## ## Read the contents of the OpenLDAP -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.9/policy/modules/services/ldap.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.15/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/ldap.te 2010-02-16 15:08:37.000000000 -0500 -@@ -28,6 +28,9 @@ ++++ serefpolicy-3.7.15/policy/modules/services/ldap.te 2010-03-18 10:44:43.000000000 -0400 +@@ -28,9 +28,15 @@ type slapd_replog_t; files_type(slapd_replog_t) @@ -18400,7 +17639,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap type slapd_tmp_t; files_tmp_file(slapd_tmp_t) -@@ -68,6 +71,10 @@ ++type slapd_tmpfs_t; ++files_tmpfs_file(slapd_tmpfs_t) ++ + type slapd_var_run_t; + files_pid_file(slapd_var_run_t) + +@@ -68,10 +74,17 @@ manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) @@ -18411,9 +17656,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.9/policy/modules/services/lircd.te + ++manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) ++fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file) ++ + manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) + manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) + files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file }) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.15/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/lircd.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/lircd.te 2010-03-18 10:44:43.000000000 -0400 @@ -24,8 +24,11 @@ # lircd local policy # @@ -18462,33 +17714,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc + +sysnet_dns_name_resolve(lircd_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.9/policy/modules/services/mailman.fc ---- nsaserefpolicy/policy/modules/services/mailman.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/mailman.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -1,4 +1,4 @@ --/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -+/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) - /usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) - - /var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) -@@ -25,10 +25,10 @@ - ifdef(`distro_redhat', ` - /etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) - --/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) --/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) --/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) --/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -+/usr/lib(64)?/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) -+/usr/lib(64)?/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) -+/usr/lib(64)?/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) -+/usr/lib(64)?/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) - - /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.9/policy/modules/services/memcached.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.15/policy/modules/services/memcached.te --- nsaserefpolicy/policy/modules/services/memcached.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/memcached.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/memcached.te 2010-03-18 10:44:43.000000000 -0400 @@ -22,9 +22,12 @@ # @@ -18519,9 +17747,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc +term_dontaudit_use_all_ptys(memcached_t) +term_dontaudit_use_all_ttys(memcached_t) +term_dontaudit_use_console(memcached_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.9/policy/modules/services/modemmanager.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.15/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/modemmanager.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/modemmanager.te 2010-03-18 10:44:43.000000000 -0400 @@ -16,8 +16,8 @@ # # ModemManager local policy @@ -18541,9 +17769,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode term_use_unallocated_ttys(modemmanager_t) miscfiles_read_localization(modemmanager_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.9/policy/modules/services/mta.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.15/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/mta.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/mta.fc 2010-03-18 10:44:43.000000000 -0400 @@ -13,6 +13,8 @@ /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -18553,10 +17781,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.9/policy/modules/services/mta.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.15/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/mta.if 2010-02-16 15:08:37.000000000 -0500 -@@ -335,6 +335,7 @@ ++++ serefpolicy-3.7.15/policy/modules/services/mta.if 2010-03-18 10:44:43.000000000 -0400 +@@ -220,6 +220,25 @@ + application_executable_file($1) + ') + ++###################################### ++## ++## Dontaudit read and write an leaked file descriptors ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`mta_dontaudit_leaks_system_mail',` ++ gen_require(` ++ type system_mail_t; ++ ') ++ ++ dontaudit $1 system_mail_t:fifo_file write; ++ dontaudit $1 system_mail_t:tcp_socket { read write }; ++') ++ + ######################################## + ## + ## Make the specified type by a system MTA. +@@ -335,6 +354,7 @@ # apache should set close-on-exec apache_dontaudit_rw_stream_sockets($1) apache_dontaudit_rw_sys_script_stream_sockets($1) @@ -18564,10 +17818,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ') -@@ -365,6 +366,25 @@ +@@ -356,11 +376,35 @@ + ') + + allow $1 mta_exec_type:lnk_file read_lnk_file_perms; ++ corecmd_read_bin_symlinks($1) + domtrans_pattern($1, mta_exec_type, system_mail_t) - ######################################## - ## + allow mta_user_agent $1:fd use; + allow mta_user_agent $1:process sigchld; + allow mta_user_agent $1:fifo_file rw_fifo_file_perms; ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit system_mail_t $1:socket_class_set { read write }; ++ ') ++') ++ ++######################################## ++## +## Send mail client a signal +## +## @@ -18583,14 +17851,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + ') + + allow $1 system_mail_t:process signal; -+') -+ -+######################################## -+## - ## Execute send mail in a specified domain. - ## - ## -@@ -454,7 +474,8 @@ + ') + + ######################################## +@@ -454,7 +498,8 @@ type etc_mail_t; ') @@ -18600,7 +17864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -678,7 +699,7 @@ +@@ -678,7 +723,7 @@ files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -18609,7 +17873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -765,6 +786,25 @@ +@@ -765,6 +810,25 @@ ####################################### ## @@ -18635,19 +17899,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Read the mail queue. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.9/policy/modules/services/mta.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.15/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/mta.te 2010-02-16 15:08:37.000000000 -0500 -@@ -63,6 +63,8 @@ ++++ serefpolicy-3.7.15/policy/modules/services/mta.te 2010-03-18 10:44:43.000000000 -0400 +@@ -63,6 +63,9 @@ can_exec(system_mail_t, mta_exec_type) +files_read_all_tmp_files(system_mail_t) ++files_read_usr_files(system_mail_t) + kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) kernel_request_load_module(system_mail_t) -@@ -75,20 +77,27 @@ +@@ -75,20 +78,27 @@ selinux_getattr_fs(system_mail_t) @@ -18675,7 +17940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -107,6 +116,7 @@ +@@ -107,6 +117,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) @@ -18683,7 +17948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -126,6 +136,7 @@ +@@ -126,6 +137,7 @@ optional_policy(` fail2ban_append_log(system_mail_t) @@ -18691,7 +17956,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -185,6 +196,10 @@ +@@ -142,6 +154,10 @@ + ') + + optional_policy(` ++ munin_dontaudit_leaks(system_mail_t) ++') ++ ++optional_policy(` + nagios_read_tmp_files(system_mail_t) + ') + +@@ -185,6 +201,10 @@ ') optional_policy(` @@ -18702,7 +17978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') -@@ -216,6 +231,7 @@ +@@ -216,6 +236,7 @@ create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -18710,20 +17986,180 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.9/policy/modules/services/munin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.15/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/munin.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -9,3 +9,6 @@ ++++ serefpolicy-3.7.15/policy/modules/services/munin.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -6,6 +6,64 @@ + /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) + /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) + ++# disk plugins ++/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0) ++/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0) ++/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0) ++/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0) ++ ++# mail plugins ++/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0) ++ ++# services plugins ++/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/named -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:munin_services_plugin_exec_t,s0) ++ ++# system plugins ++/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/load -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/users -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:munin_system_plugin_exec_t,s0) ++ /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.7.15/policy/modules/services/munin.if +--- nsaserefpolicy/policy/modules/services/munin.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/services/munin.if 2010-03-18 10:44:43.000000000 -0400 +@@ -43,6 +43,24 @@ + files_search_etc($1) + ') + ++###################################### ++## ++## dontaudit read and write an leaked file descriptors ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`munin_dontaudit_leaks',` ++ gen_require(` ++ type munin_t; ++ ') ++ ++ dontaudit $1 munin_t:tcp_socket { read write }; ++') ++ + ####################################### + ## + ## Append to the munin log. +@@ -102,6 +120,54 @@ + dontaudit $1 munin_var_lib_t:dir search_dir_perms; + ') + ++###################################### ++## ++## Create a set of derived types for various ++## munin plugins, ++## ++## ++## ++## The name to be used for deriving type names. ++## ++## ++# ++template(`munin_plugin_template',` ++ ++ gen_require(` ++ type munin_t, munin_exec_t; ++ type munin_etc_t; ++ ') ++ ++ type munin_$1_plugin_t; ++ type munin_$1_plugin_exec_t; ++ application_domain(munin_$1_plugin_t, munin_$1_plugin_exec_t) ++ role system_r types munin_$1_plugin_t; ++ ++ type munin_$1_plugin_tmp_t; ++ files_tmp_file(munin_$1_plugin_tmp_t) ++ ++ allow munin_$1_plugin_t self:fifo_file rw_fifo_file_perms; ++ ++ manage_files_pattern(munin_$1_plugin_t, munin_$1_plugin_tmp_t, munin_$1_plugin_tmp_t) ++ manage_dirs_pattern(munin_$1_plugin_t, munin_$1_plugin_tmp_t, munin_$1_plugin_tmp_t) ++ files_tmp_filetrans(munin_$1_plugin_t, munin_$1_plugin_tmp_t, { dir file }) ++ ++ # automatic transition rules from munin domain ++ # to specific munin plugin domain ++ domtrans_pattern(munin_t, munin_$1_plugin_exec_t, munin_$1_plugin_t) ++ ++ allow munin_$1_plugin_t munin_exec_t:file read_file_perms; ++ allow munin_$1_plugin_t munin_t:tcp_socket rw_socket_perms; ++ ++ read_lnk_files_pattern(munin_$1_plugin_t, munin_etc_t, munin_etc_t) ++ ++ kernel_read_system_state(munin_$1_plugin_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.9/policy/modules/services/munin.te ++ corecmd_exec_bin(munin_$1_plugin_t) ++ ++ miscfiles_read_localization(munin_$1_plugin_t) ++') ++ + ######################################## + ## + ## All of the rules required to administrate +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.15/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/munin.te 2010-02-16 15:08:37.000000000 -0500 -@@ -33,7 +33,7 @@ ++++ serefpolicy-3.7.15/policy/modules/services/munin.te 2010-03-18 10:44:43.000000000 -0400 +@@ -28,12 +28,26 @@ + type munin_var_run_t alias lrrd_var_run_t; + files_pid_file(munin_var_run_t) + ++# munin plugins declaration ++ ++munin_plugin_template(disk) ++permissive munin_disk_plugin_t; ++ ++munin_plugin_template(mail) ++permissive munin_mail_plugin_t; ++ ++munin_plugin_template(services) ++permissive munin_services_plugin_t; ++ ++munin_plugin_template(system) ++permissive munin_system_plugin_t; ++ + ######################################## + # # Local policy # @@ -18732,7 +18168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni dontaudit munin_t self:capability sys_tty_config; allow munin_t self:process { getsched setsched signal_perms }; allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -55,7 +55,8 @@ +@@ -55,7 +69,8 @@ manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) @@ -18742,7 +18178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni # Allow access to the munin databases manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) -@@ -131,8 +132,13 @@ +@@ -131,8 +146,13 @@ ') optional_policy(` @@ -18756,7 +18192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni mta_read_queue(munin_t) ') -@@ -147,6 +153,7 @@ +@@ -147,6 +167,7 @@ optional_policy(` postfix_list_spool(munin_t) @@ -18764,132 +18200,176 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.9/policy/modules/services/mysql.if ---- nsaserefpolicy/policy/modules/services/mysql.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/mysql.if 2010-02-16 15:08:37.000000000 -0500 -@@ -1,5 +1,43 @@ - ## Policy for MySQL - -+###################################### -+## -+## Execute MySQL in the mysql domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## +@@ -164,3 +185,146 @@ + optional_policy(` + udev_read_db(munin_t) + ') ++ ++################################### +# -+interface(`mysql_domtrans',` -+ gen_require(` -+ type mysqld_t, mysqld_exec_t; -+ ') ++# local policy for disk plugins ++# ++ ++allow munin_disk_plugin_t self:tcp_socket create_stream_socket_perms; + -+ domtrans_pattern($1,mysqld_exec_t,mysqld_t) ++rw_files_pattern(munin_disk_plugin_t, munin_var_lib_t, munin_var_lib_t) + ++corenet_tcp_connect_hddtemp_port(munin_disk_plugin_t) ++ ++corecmd_exec_shell(munin_disk_plugin_t) ++ ++files_read_etc_files(munin_disk_plugin_t) ++files_read_etc_runtime_files(munin_disk_plugin_t) ++ ++fs_getattr_all_fs(munin_disk_plugin_t) ++ ++dev_read_sysfs(munin_disk_plugin_t) ++dev_read_urand(munin_disk_plugin_t) ++ ++storage_getattr_fixed_disk_dev(munin_disk_plugin_t) ++ ++sysnet_read_config(munin_disk_plugin_t) ++ ++optional_policy(` ++ hddtemp_exec(munin_disk_plugin_t) +') + -+###################################### -+## -+## Execute MySQL server in the mysql domain. -+## -+## -+## -+## The type of the process performing this action. -+## -+## ++optional_policy(` ++ fstools_exec(munin_disk_plugin_t) ++') ++ ++#################################### +# -+interface(`mysql_domtrans_mysql_safe',` -+ gen_require(` -+ type mysqld_safe_t, mysqld_safe_exec_t; -+ ') ++# local policy for mail plugins ++# ++ ++allow munin_mail_plugin_t self:capability dac_override; ++ ++rw_files_pattern(munin_mail_plugin_t, munin_var_lib_t, munin_var_lib_t) ++ ++dev_read_urand(munin_mail_plugin_t) ++ ++files_read_etc_files(munin_mail_plugin_t) ++ ++fs_getattr_all_fs(munin_mail_plugin_t) ++ ++logging_read_generic_logs(munin_mail_plugin_t) ++ ++mta_read_config(munin_mail_plugin_t) ++mta_send_mail(munin_mail_plugin_t) ++mta_list_queue(munin_mail_plugin_t) ++mta_read_queue(munin_mail_plugin_t) ++ ++optional_policy(` ++ postfix_read_config(munin_mail_plugin_t) ++ postfix_list_spool(munin_mail_plugin_t) ++ postfix_getattr_spool_files(munin_mail_plugin_t) ++') + -+ domtrans_pattern($1,mysqld_safe_exec_t, mysqld_safe_t) ++optional_policy(` ++ sendmail_read_log(munin_mail_plugin_t) +') + ++################################### ++# ++# local policy for service plugins ++# + - ######################################## - ## - ## Send a generic signal to MySQL. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.9/policy/modules/services/mysql.te ---- nsaserefpolicy/policy/modules/services/mysql.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/mysql.te 2010-02-16 15:08:37.000000000 -0500 -@@ -1,6 +1,13 @@ - - policy_module(mysql, 1.11.1) - -+## -+##

-+## Allow mysqld to connect to all ports -+##

-+## -+gen_tunable(mysql_connect_any, false) ++allow munin_services_plugin_t self:tcp_socket create_stream_socket_perms; ++allow munin_services_plugin_t self:udp_socket create_socket_perms; ++allow munin_services_plugin_t self:netlink_route_socket r_netlink_socket_perms; + - ######################################## - # - # Declarations -@@ -37,7 +44,7 @@ - # Local policy - # - --allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service }; -+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service }; - dontaudit mysqld_t self:capability sys_tty_config; - allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; - allow mysqld_t self:fifo_file rw_fifo_file_perms; -@@ -109,6 +116,11 @@ - # for /root/.my.cnf - should not be needed: - userdom_read_user_home_content_files(mysqld_t) - -+tunable_policy(`mysql_connect_any',` -+ corenet_tcp_connect_all_ports(mysqld_t) -+ corenet_sendrecv_all_client_packets(mysqld_t) ++corenet_tcp_connect_all_ports(munin_services_plugin_t) ++corenet_tcp_connect_http_port(munin_services_plugin_t) ++ ++dev_read_urand(munin_services_plugin_t) ++dev_read_rand(munin_services_plugin_t) ++ ++fs_getattr_all_fs(munin_services_plugin_t) ++ ++files_read_etc_files(munin_services_plugin_t) ++ ++sysnet_read_config(munin_services_plugin_t) ++ ++optional_policy(` ++ cups_stream_connect(munin_services_plugin_t) +') + - ifdef(`distro_redhat',` - # because Fedora has the sock_file in the database directory - type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t; -@@ -131,20 +143,26 @@ - # Local mysqld_safe policy - # - --allow mysqld_safe_t self:capability { dac_override fowner chown }; -+allow mysqld_safe_t self:capability { chown dac_override fowner kill }; -+dontaudit mysqld_safe_t self:capability sys_ptrace; - allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; - - domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) ++optional_policy(` ++ lpd_exec_lpr(munin_services_plugin_t) ++') ++ ++optional_policy(` ++ mysql_read_config(munin_services_plugin_t) ++ mysql_stream_connect(munin_services_plugin_t) ++') ++ ++optional_policy(` ++ netutils_domtrans_ping(munin_services_plugin_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(munin_services_plugin_t) ++') ++ ++optional_policy(` ++ snmp_read_snmp_var_lib_files(munin_services_plugin_t) ++') ++ ++optional_policy(` ++ varnishd_read_lib_files(munin_services_plugin_t) ++') ++ ++################################## ++# ++# local policy for system plugins ++# ++ ++allow munin_system_plugin_t self:udp_socket create_socket_perms; ++ ++rw_files_pattern(munin_system_plugin_t, munin_var_lib_t, munin_var_lib_t) ++ ++kernel_read_network_state(munin_system_plugin_t) ++kernel_read_all_sysctls(munin_system_plugin_t) ++ ++corecmd_exec_shell(munin_system_plugin_t) ++ ++fs_getattr_all_fs(munin_system_plugin_t) ++ ++dev_read_sysfs(munin_system_plugin_t) ++dev_read_urand(munin_system_plugin_t) ++ ++domain_read_all_domains_state(munin_system_plugin_t) ++ ++# needed by users plugin ++init_read_utmp(munin_system_plugin_t) ++ ++sysnet_exec_ifconfig(munin_system_plugin_t) ++ ++term_getattr_unallocated_ttys(munin_system_plugin_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.15/policy/modules/services/mysql.te +--- nsaserefpolicy/policy/modules/services/mysql.te 2010-03-12 11:48:14.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/mysql.te 2010-03-18 10:44:43.000000000 -0400 +@@ -65,6 +65,7 @@ - allow mysqld_safe_t mysqld_log_t:file manage_file_perms; + manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) + manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) ++manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) + manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) + files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) --allow mysqld_safe_t mysqld_var_run_t:sock_file unlink; -+manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) -+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -176,6 +177,7 @@ domain_read_all_domains_state(mysqld_safe_t) +files_dontaudit_search_all_mountpoints(mysqld_safe_t) -+files_dontaudit_getattr_all_dirs(mysqld_safe_t) -+ - logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) - - kernel_read_system_state(mysqld_safe_t) -+kernel_read_kernel_sysctls(mysqld_safe_t) - - dev_list_sysfs(mysqld_safe_t) - -@@ -158,6 +176,7 @@ - miscfiles_read_localization(mysqld_safe_t) - - mysql_manage_db_files(mysqld_safe_t) -+read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) - mysql_read_config(mysqld_safe_t) - mysql_search_pid_files(mysqld_safe_t) - mysql_write_log(mysqld_safe_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.9/policy/modules/services/nagios.fc + files_read_etc_files(mysqld_safe_t) + files_read_usr_files(mysqld_safe_t) + files_dontaudit_getattr_all_dirs(mysqld_safe_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.15/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/nagios.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -1,16 +1,87 @@ ++++ serefpolicy-3.7.15/policy/modules/services/nagios.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -1,16 +1,89 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) @@ -18921,7 +18401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + +# admin plugins -+/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) + +# check disk plugins +/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) @@ -18929,10 +18409,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + ++# mail plugins ++/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) ++ +# system plugins +/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) @@ -18982,53 +18464,57 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + +# unconfined plugins +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.9/policy/modules/services/nagios.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.15/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/nagios.if 2010-02-16 15:08:37.000000000 -0500 -@@ -64,7 +64,7 @@ ++++ serefpolicy-3.7.15/policy/modules/services/nagios.if 2010-03-18 10:44:43.000000000 -0400 +@@ -64,8 +64,8 @@ ######################################## ## -## Execute the nagios CGI with -+## Execute the nagios NRPE with - ## a domain transition. +-## a domain transition. ++## Allow the specified domain to read ++## nagios temporary files. ## ## -@@ -73,18 +73,17 @@ + ## +@@ -73,12 +73,13 @@ ## ## # -interface(`nagios_domtrans_cgi',` -+interface(`nagios_domtrans_nrpe',` ++interface(`nagios_rw_inerited_tmp_files',` gen_require(` - type nagios_cgi_t, nagios_cgi_exec_t; -+ type nrpe_t, nrpe_exec_t; ++ type nagios_tmp_t; ') - domtrans_pattern($1, nagios_cgi_exec_t, nagios_cgi_t) -+ domtrans_pattern($1, nrpe_exec_t, nrpe_t) ++ allow $1 nagios_tmp_t:file rw_inherited_file_perms; ++ files_search_tmp($1) ') ######################################## - ## --## Execute the nagios NRPE with --## a domain transition. +@@ -99,3 +100,134 @@ + + domtrans_pattern($1, nrpe_exec_t, nrpe_t) + ') ++ ++######################################## ++## +## Search nagios spool directories. - ## - ## - ## -@@ -92,10 +91,121 @@ - ## - ## - # --interface(`nagios_domtrans_nrpe',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`nagios_search_spool',` - gen_require(` -- type nrpe_t, nrpe_exec_t; -+ type nagios_spool_t; - ') - -- domtrans_pattern($1, nrpe_exec_t, nrpe_t) ++ gen_require(` ++ type nagios_spool_t; ++ ') ++ + allow $1 nagios_spool_t:dir search_dir_perms; + files_search_spool($1) +') @@ -19067,6 +18553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + + gen_require(` + type nagios_t, nrpe_t; ++ type nagios_log_t; + ') + + type nagios_$1_plugin_t; @@ -19087,6 +18574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + + # cjp: leaked file descriptor + dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; ++ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; + + miscfiles_read_localization(nagios_$1_plugin_t) +') @@ -19141,10 +18629,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + admin_pattern($1, nagios_var_run_t) + + admin_pattern($1, nrpe_etc_t) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.9/policy/modules/services/nagios.te ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.15/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/nagios.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/nagios.te 2010-03-18 10:44:43.000000000 -0400 @@ -6,17 +6,23 @@ # Declarations # @@ -19183,7 +18671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -33,6 +42,38 @@ +@@ -33,6 +42,44 @@ type nrpe_etc_t; files_config_file(nrpe_etc_t) @@ -19198,6 +18686,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +# and nagios_checkdisk_plugin_t for domain +nagios_plugin_template(checkdisk) + ++# creates nagios_mail_plugin_exec_t for executable ++# and nagios_mail_plugin_t for domain ++nagios_plugin_template(mail) ++ +# creates nagios_services_plugin_exec_t for executable +# and nagios_services_plugin_t for domain +nagios_plugin_template(services) @@ -19210,29 +18702,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +files_tmp_file(nagios_system_plugin_tmp_t) + +nagios_plugin_template(unconfined) ++ +optional_policy(` + unconfined_domain(nagios_unconfined_plugin_t) +') + -+permissive nagios_admin_plugin_t; ++permissive nagios_admin_plugin_t; +permissive nagios_checkdisk_plugin_t; ++permissive nagios_mail_plugin_t; +permissive nagios_services_plugin_t; +permissive nagios_system_plugin_t; + ######################################## # # Nagios local policy -@@ -45,6 +86,9 @@ - allow nagios_t self:tcp_socket create_stream_socket_perms; - allow nagios_t self:udp_socket create_socket_perms; - -+# needed by command.cfg -+can_exec(nagios_t, nagios_checkdisk_plugin_exec_t) -+ - read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) - read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) - allow nagios_t nagios_etc_t:dir list_dir_perms; -@@ -60,6 +104,8 @@ +@@ -60,6 +107,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) @@ -19241,17 +18725,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) -@@ -76,6 +122,9 @@ +@@ -76,6 +125,9 @@ corenet_udp_sendrecv_all_ports(nagios_t) corenet_tcp_connect_all_ports(nagios_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t) -+corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t) ++corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t) + dev_read_sysfs(nagios_t) dev_read_urand(nagios_t) -@@ -86,6 +135,7 @@ +@@ -86,6 +138,7 @@ files_read_etc_files(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -19259,7 +18743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi fs_getattr_all_fs(nagios_t) fs_search_auto_mountpoints(nagios_t) -@@ -118,61 +168,63 @@ +@@ -118,61 +171,63 @@ udev_read_db(nagios_t) ') @@ -19355,7 +18839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -183,15 +235,21 @@ +@@ -183,11 +238,15 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) @@ -19371,13 +18855,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi logging_send_syslog_msg(nrpe_t) miscfiles_read_localization(nrpe_t) +@@ -199,6 +258,11 @@ + ') -+mta_send_mail(nrpe_t) + optional_policy(` ++ mta_send_mail(nrpe_t) ++ mta_dontaudit_leaks_system_mail(nrpe_t) ++') + - userdom_dontaudit_use_unpriv_user_fds(nrpe_t) ++optional_policy(` + seutil_sigchld_newrole(nrpe_t) + ') - optional_policy(` -@@ -209,3 +267,120 @@ +@@ -209,3 +273,149 @@ optional_policy(` udev_read_db(nrpe_t) ') @@ -19387,14 +18877,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +# local policy for admin check plugins +# + -+allow nagios_admin_plugin_t self:capability { setuid setgid dac_override }; -+ -+allow nagios_admin_plugin_t self:tcp_socket create_stream_socket_perms; -+allow nagios_admin_plugin_t self:udp_socket create_socket_perms; -+ -+kernel_read_system_state(nagios_admin_plugin_t) -+kernel_read_kernel_sysctls(nagios_admin_plugin_t) -+ +corecmd_read_bin_files(nagios_admin_plugin_t) +corecmd_read_bin_symlinks(nagios_admin_plugin_t) + @@ -19402,20 +18884,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + +files_read_etc_files(nagios_admin_plugin_t) + -+libs_use_lib_files(nagios_admin_plugin_t) -+libs_use_ld_so(nagios_admin_plugin_t) ++# for check_file_age plugin ++files_getattr_all_dirs(nagios_admin_plugin_t) ++files_getattr_all_files(nagios_admin_plugin_t) ++files_getattr_all_symlinks(nagios_admin_plugin_t) ++files_getattr_all_pipes(nagios_admin_plugin_t) ++files_getattr_all_sockets(nagios_admin_plugin_t) ++files_getattr_all_file_type_fs(nagios_admin_plugin_t) ++dev_getattr_all_chr_files(nagios_admin_plugin_t) ++dev_getattr_all_blk_files(nagios_admin_plugin_t) ++ ++###################################### ++# ++# local policy for mail check plugins ++# ++ ++allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; + -+logging_send_syslog_msg(nagios_admin_plugin_t) ++allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; ++allow nagios_mail_plugin_t self:udp_socket create_socket_perms; + -+sysnet_read_config(nagios_admin_plugin_t) ++kernel_read_system_state(nagios_mail_plugin_t) ++kernel_read_kernel_sysctls(nagios_mail_plugin_t) + -+nscd_dontaudit_search_pid(nagios_admin_plugin_t) ++corecmd_read_bin_files(nagios_mail_plugin_t) ++corecmd_read_bin_symlinks(nagios_mail_plugin_t) ++ ++dev_read_urand(nagios_mail_plugin_t) ++ ++files_read_etc_files(nagios_mail_plugin_t) ++ ++libs_use_lib_files(nagios_mail_plugin_t) ++libs_use_ld_so(nagios_mail_plugin_t) ++ ++logging_send_syslog_msg(nagios_mail_plugin_t) ++ ++sysnet_read_config(nagios_mail_plugin_t) ++ ++nscd_dontaudit_search_pid(nagios_mail_plugin_t) ++ ++optional_policy(` ++ mta_send_mail(nagios_mail_plugin_t) ++') + +optional_policy(` -+ mta_read_config(nagios_admin_plugin_t) -+ mta_list_queue(nagios_admin_plugin_t) -+ mta_read_queue(nagios_admin_plugin_t) -+ mta_sendmail_exec(nagios_admin_plugin_t) ++ postfix_stream_connect_master(nagios_mail_plugin_t) ++ posftix_exec_postqueue(nagios_mail_plugin_t) +') + +###################################### @@ -19468,6 +18983,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + mysql_stream_connect(nagios_services_plugin_t) +') + ++optional_policy(` ++ snmp_read_snmp_var_lib_files(nagios_services_plugin_t) ++') ++ +###################################### +# +# local policy for system check plugins @@ -19498,9 +19017,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +optional_policy(` + init_read_utmp(nagios_system_plugin_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.9/policy/modules/services/networkmanager.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.15/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/networkmanager.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/networkmanager.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,12 +1,32 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -19534,9 +19053,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.9/policy/modules/services/networkmanager.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.15/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/networkmanager.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/networkmanager.if 2010-03-18 10:44:43.000000000 -0400 @@ -118,6 +118,24 @@ ######################################## @@ -19562,7 +19081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ## Read NetworkManager PID files. ## ## -@@ -134,3 +152,50 @@ +@@ -134,3 +152,71 @@ files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') @@ -19613,9 +19132,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + role $2 types NetworkManager_t; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.9/policy/modules/services/networkmanager.te ++ ++####################################### ++## ++## Allow caller to relabel tun_socket ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_attach_tun_iface',` ++ gen_require(` ++ type NetworkManager_t; ++ ') ++ ++ allow $1 NetworkManager_t:tun_socket relabelfrom; ++ allow $1 self:tun_socket relabelto; ++') ++ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.15/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/networkmanager.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/networkmanager.te 2010-03-18 10:44:43.000000000 -0400 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -19859,9 +19399,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.9/policy/modules/services/nis.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.15/policy/modules/services/nis.fc --- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/nis.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/nis.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,4 +1,7 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) @@ -19880,9 +19420,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. +/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) +/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) +/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.9/policy/modules/services/nis.if ---- nsaserefpolicy/policy/modules/services/nis.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/nis.if 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.15/policy/modules/services/nis.if +--- nsaserefpolicy/policy/modules/services/nis.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/nis.if 2010-03-18 10:44:43.000000000 -0400 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -19892,7 +19432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. allow $1 self:tcp_socket create_stream_socket_perms; allow $1 self:udp_socket create_socket_perms; -@@ -76,6 +76,10 @@ +@@ -88,6 +88,10 @@ ## # interface(`nis_use_ypbind',` @@ -19903,16 +19443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. tunable_policy(`allow_ypbind',` nis_use_ypbind_uncond($1) ') -@@ -87,7 +91,7 @@ - ## - ## - ## --## Domain allowed access. -+## The type of the process performing this action. - ## - ## - ## -@@ -262,6 +266,43 @@ +@@ -274,6 +278,43 @@ ######################################## ## @@ -19956,29 +19487,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. ## All of the rules required to administrate ## an nis environment ## -@@ -272,16 +313,19 @@ - ## - ## - ## --## Role allowed access. -+## The role to be allowed to manage the nis domain. - ## - ## - ## - # - interface(`nis_admin',` - gen_require(` -- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; -+ type ypbind_t, yppasswdd_t; -+ type ypserv_t, ypxfr_t; +@@ -294,6 +335,7 @@ + type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; -+ type ypbind_initrc_exec_t; -+ type nis_initrc_exec_t; ++ type ypbind_initrc_exec_t, nis_initrc_exec_t; ') allow $1 ypbind_t:process { ptrace signal_perms }; -@@ -296,6 +340,13 @@ +@@ -308,6 +350,13 @@ allow $1 ypxfr_t:process { ptrace signal_perms }; ps_process_pattern($1, ypxfr_t) @@ -19992,7 +19509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. files_list_tmp($1) admin_pattern($1, ypbind_tmp_t) -@@ -311,3 +362,31 @@ +@@ -323,3 +372,30 @@ admin_pattern($1, ypserv_var_run_t) ') @@ -20023,10 +19540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. + nis_domtrans_ypbind($1) + role $2 types ypbind_t; +') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.9/policy/modules/services/nis.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.15/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/nis.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/nis.te 2010-03-18 10:44:43.000000000 -0400 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) @@ -20098,9 +19614,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_tcp_bind_all_rpc_ports(ypxfr_t) corenet_udp_bind_all_rpc_ports(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.9/policy/modules/services/nscd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.15/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/nscd.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/nscd.if 2010-03-18 10:44:43.000000000 -0400 @@ -121,6 +121,24 @@ ######################################## @@ -20135,9 +19651,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.9/policy/modules/services/nscd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.15/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/nscd.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/nscd.te 2010-03-18 10:44:43.000000000 -0400 @@ -1,10 +1,17 @@ -policy_module(nscd, 1.10.0) @@ -20182,9 +19698,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd +optional_policy(` + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.9/policy/modules/services/ntop.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.15/policy/modules/services/ntop.fc --- nsaserefpolicy/policy/modules/services/ntop.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/ntop.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ntop.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,7 +1,6 @@ /etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0) @@ -20193,9 +19709,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop /var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) /var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.9/policy/modules/services/ntop.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.15/policy/modules/services/ntop.te --- nsaserefpolicy/policy/modules/services/ntop.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/ntop.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ntop.te 2010-03-18 10:44:43.000000000 -0400 @@ -11,12 +11,12 @@ init_daemon_domain(ntop_t, ntop_exec_t) application_domain(ntop_t, ntop_exec_t) @@ -20286,9 +19802,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop seutil_sigchld_newrole(ntop_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.9/policy/modules/services/ntp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.15/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/ntp.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ntp.te 2010-03-18 10:44:43.000000000 -0400 @@ -100,6 +100,8 @@ fs_getattr_all_fs(ntpd_t) @@ -20298,9 +19814,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. term_use_ptmx(ntpd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.9/policy/modules/services/nut.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.15/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/nut.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/nut.te 2010-03-18 10:44:43.000000000 -0400 @@ -29,7 +29,8 @@ # Local policy for upsd # @@ -20319,17 +19835,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. # /usr/bin/wall term_write_all_terms(nut_upsmon_t) -@@ -123,7 +125,9 @@ +@@ -100,6 +102,12 @@ + + miscfiles_read_localization(nut_upsmon_t) + ++mta_send_mail(nut_upsmon_t) ++ ++optional_policy(` ++ shutdown_domtrans(nut_upsmon_t) ++') ++ + ######################################## + # + # Local policy for upsdrvctl +@@ -123,6 +131,7 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t) # /sbin/upsdrvctl executes other drivers +# can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) corecmd_exec_bin(nut_upsdrvctl_t) -+corecmd_exec_sbin(nut_upsdrvctl_t) dev_read_urand(nut_upsdrvctl_t) - dev_rw_generic_usb_dev(nut_upsdrvctl_t) -@@ -149,5 +153,15 @@ +@@ -149,5 +158,15 @@ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t) @@ -20345,9 +19872,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. + + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.9/policy/modules/services/nx.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.15/policy/modules/services/nx.fc --- nsaserefpolicy/policy/modules/services/nx.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/nx.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/nx.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,7 +1,15 @@ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) @@ -20366,9 +19893,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f +/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) + /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.9/policy/modules/services/nx.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.15/policy/modules/services/nx.if --- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/nx.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/nx.if 2010-03-18 10:44:43.000000000 -0400 @@ -17,3 +17,70 @@ spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) @@ -20440,9 +19967,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i + + filetrans_pattern($1, nx_server_var_lib_t, $2, $3) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.9/policy/modules/services/nx.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.15/policy/modules/services/nx.te --- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/nx.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/nx.te 2010-03-18 10:44:43.000000000 -0400 @@ -25,6 +25,12 @@ type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -20477,9 +20004,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.9/policy/modules/services/oddjob.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.15/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/oddjob.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/oddjob.if 2010-03-18 10:44:43.000000000 -0400 @@ -44,6 +44,7 @@ ') @@ -20488,9 +20015,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.9/policy/modules/services/oddjob.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.15/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/oddjob.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/oddjob.te 2010-03-18 10:44:43.000000000 -0400 @@ -100,8 +100,7 @@ # Add/remove user home directories @@ -20502,9 +20029,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content(oddjob_mkhomedir_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.9/policy/modules/services/openvpn.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.15/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/openvpn.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/openvpn.te 2010-03-18 10:44:43.000000000 -0400 @@ -41,7 +41,7 @@ # openvpn local policy # @@ -20540,9 +20067,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.9/policy/modules/services/pcscd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.15/policy/modules/services/pcscd.if --- nsaserefpolicy/policy/modules/services/pcscd.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/pcscd.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/pcscd.if 2010-03-18 10:44:43.000000000 -0400 @@ -39,6 +39,44 @@ ######################################## @@ -20588,9 +20115,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc ## Connect to pcscd over an unix stream socket. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.9/policy/modules/services/pegasus.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.15/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/pegasus.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/pegasus.te 2010-03-18 10:44:43.000000000 -0400 @@ -30,7 +30,7 @@ # Local policy # @@ -20662,9 +20189,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.9/policy/modules/services/plymouthd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.15/policy/modules/services/plymouthd.fc --- nsaserefpolicy/policy/modules/services/plymouthd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/plymouthd.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/plymouthd.fc 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,9 @@ +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0) + @@ -20675,9 +20202,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0) + +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.9/policy/modules/services/plymouthd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.15/policy/modules/services/plymouthd.if --- nsaserefpolicy/policy/modules/services/plymouthd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/plymouthd.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/plymouthd.if 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,322 @@ +## policy for plymouthd + @@ -21001,9 +20528,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + + allow $1 plymouthd_t:unix_stream_socket connectto; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.9/policy/modules/services/plymouthd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.15/policy/modules/services/plymouthd.te --- nsaserefpolicy/policy/modules/services/plymouthd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/plymouthd.te 2010-02-16 15:20:46.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/plymouthd.te 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,105 @@ +policy_module(plymouthd, 1.0.0) + @@ -21032,7 +20559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + +type plymouth_t; +type plymouth_exec_t; -+init_daemon_domain(plymouth_t, plymouth_exec_t) ++application_domain(plymouth_t, plymouth_exec_t) + +######################################## +# @@ -21110,9 +20637,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym + hal_dontaudit_rw_pipes(plymouth_t) +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.9/policy/modules/services/policykit.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.15/policy/modules/services/policykit.fc --- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/policykit.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/policykit.fc 2010-03-18 10:44:43.000000000 -0400 @@ -6,10 +6,13 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) @@ -21128,9 +20655,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.9/policy/modules/services/policykit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.15/policy/modules/services/policykit.if --- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/policykit.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/policykit.if 2010-03-18 10:44:43.000000000 -0400 @@ -17,12 +17,37 @@ class dbus send_msg; ') @@ -21227,9 +20754,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli + + allow $1 policykit_auth_t:process signal; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.9/policy/modules/services/policykit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.15/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/policykit.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/policykit.te 2010-03-18 10:44:43.000000000 -0400 @@ -36,11 +36,12 @@ # policykit local policy # @@ -21237,8 +20764,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli -allow policykit_t self:capability { setgid setuid }; -allow policykit_t self:process getattr; -allow policykit_t self:fifo_file rw_file_perms; -+allow policykit_t self:capability { setgid setuid sys_ptrace }; -+allow policykit_t self:process { getsched getattr }; ++allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace }; ++allow policykit_t self:process { getsched getattr signal }; +allow policykit_t self:fifo_file rw_fifo_file_perms; + allow policykit_t self:unix_dgram_socket create_socket_perms; @@ -21262,7 +20789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli auth_use_nsswitch(policykit_t) -@@ -68,21 +73,42 @@ +@@ -68,21 +73,43 @@ miscfiles_read_localization(policykit_t) @@ -21295,7 +20822,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli -allow policykit_auth_t self:process getattr; -allow policykit_auth_t self:fifo_file rw_file_perms; +allow policykit_auth_t self:capability { setgid setuid }; -+allow policykit_auth_t self:process { getattr getsched }; ++dontaudit policykit_auth_t self:capability sys_tty_config; ++allow policykit_auth_t self:process { getattr getsched signal }; +allow policykit_auth_t self:fifo_file rw_fifo_file_perms; + allow policykit_auth_t self:unix_dgram_socket create_socket_perms; @@ -21309,7 +20837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -92,21 +118,29 @@ +@@ -92,21 +119,29 @@ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -21341,7 +20869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -119,6 +153,14 @@ +@@ -119,6 +154,14 @@ hal_read_state(policykit_auth_t) ') @@ -21356,7 +20884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ######################################## # # polkit_grant local policy -@@ -126,7 +168,8 @@ +@@ -126,7 +169,8 @@ allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; @@ -21366,7 +20894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -156,9 +199,12 @@ +@@ -156,9 +200,12 @@ userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -21380,7 +20908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -170,7 +216,8 @@ +@@ -170,7 +217,8 @@ allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -21390,9 +20918,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.9/policy/modules/services/portreserve.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.15/policy/modules/services/portreserve.te --- nsaserefpolicy/policy/modules/services/portreserve.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/portreserve.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/portreserve.te 2010-03-18 10:44:43.000000000 -0400 @@ -21,6 +21,7 @@ # Portreserve local policy # @@ -21410,9 +20938,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port corenet_all_recvfrom_unlabeled(portreserve_t) corenet_all_recvfrom_netlabel(portreserve_t) corenet_tcp_bind_generic_node(portreserve_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.9/policy/modules/services/postfix.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.15/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/postfix.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/postfix.fc 2010-03-18 10:44:43.000000000 -0400 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -21426,9 +20954,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.9/policy/modules/services/postfix.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.15/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/postfix.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/postfix.if 2010-03-18 10:44:43.000000000 -0400 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -21497,7 +21025,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Allow domain to read postfix local process state ## ## -@@ -378,7 +405,7 @@ +@@ -368,6 +395,25 @@ + can_exec($1, postfix_master_exec_t) + ') + ++####################################### ++## ++## Connect to postfix master process using a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`postfix_stream_connect_master',` ++ gen_require(` ++ type postfix_master_t, postfix_public_t; ++ ') ++ ++ stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) ++') ++ + ######################################## + ## + ## Create a named socket in a postfix private directory. +@@ -378,7 +424,7 @@ ## ## # @@ -21506,7 +21060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post gen_require(` type postfix_private_t; ') -@@ -389,6 +416,25 @@ +@@ -389,6 +435,25 @@ ######################################## ## @@ -21532,7 +21086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute the master postfix program in the ## postfix_master domain. ## -@@ -418,10 +464,10 @@ +@@ -418,10 +483,10 @@ # interface(`postfix_search_spool',` gen_require(` @@ -21545,20 +21099,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_spool($1) ') -@@ -437,11 +483,30 @@ +@@ -437,15 +502,34 @@ # interface(`postfix_list_spool',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; -+ ') -+ + ') + +- allow $1 postfix_spool_t:dir list_dir_perms; + allow $1 postfix_spool_type:dir list_dir_perms; -+ files_search_spool($1) -+') -+ -+######################################## -+## + files_search_spool($1) + ') + + ######################################## + ## +## Getattr postfix mail spool files. +## +## @@ -21570,15 +21125,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +interface(`postfix_getattr_spool_files',` + gen_require(` + attribute postfix_spool_type; - ') - -- allow $1 postfix_spool_t:dir list_dir_perms; - files_search_spool($1) ++ ') ++ ++ files_search_spool($1) + getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) - ') - - ######################################## -@@ -456,16 +521,16 @@ ++') ++ ++######################################## ++## + ## Read postfix mail spool files. + ## + ## +@@ -456,16 +540,16 @@ # interface(`postfix_read_spool_files',` gen_require(` @@ -21598,7 +21156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## ## ## -@@ -475,11 +540,11 @@ +@@ -475,11 +559,11 @@ # interface(`postfix_manage_spool_files',` gen_require(` @@ -21612,7 +21170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## -@@ -500,3 +565,62 @@ +@@ -500,3 +584,80 @@ typeattribute $1 postfix_user_domtrans; ') @@ -21655,6 +21213,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) +') + ++####################################### ++## ++## Execute the master postqueue in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`posftix_exec_postqueue',` ++ gen_require(` ++ type postfix_postqueue_exec_t; ++ ') ++ ++ can_exec($1, postfix_postqueue_exec_t) ++') ++ +######################################## +## +## Execute the master postdrop in the @@ -21675,9 +21251,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + role $2 types postfix_postdrop_t; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.9/policy/modules/services/postfix.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.15/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/postfix.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/postfix.te 2010-03-18 10:44:43.000000000 -0400 @@ -6,6 +6,15 @@ # Declarations # @@ -21710,12 +21286,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post type postfix_exec_t; application_executable_file(postfix_exec_t) -@@ -27,13 +36,17 @@ +@@ -27,13 +36,20 @@ postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) -type postfix_local_tmp_t; -files_tmp_file(postfix_local_tmp_t) ++# Handle vacation script ++mta_send_mail(postfix_local_t) ++ +userdom_read_user_home_content_files(postfix_local_t) + +tunable_policy(`allow_postfix_local_write_mail_spool',` @@ -21730,7 +21309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) -@@ -68,13 +81,13 @@ +@@ -68,13 +84,13 @@ postfix_server_domain_template(smtpd) @@ -21747,7 +21326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_type(postfix_spool_flush_t) type postfix_public_t; -@@ -90,9 +103,6 @@ +@@ -90,9 +106,6 @@ postfix_server_domain_template(virtual) mta_mailserver_delivery(postfix_virtual_t) @@ -21757,7 +21336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix master process local policy -@@ -103,6 +113,7 @@ +@@ -103,6 +116,7 @@ allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; @@ -21765,7 +21344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_master_t postfix_etc_t:file rw_file_perms; -@@ -132,6 +143,7 @@ +@@ -132,6 +146,7 @@ # allow access to deferred queue and allow removing bogus incoming entries manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) @@ -21773,7 +21352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; allow postfix_master_t postfix_spool_bounce_t:file getattr; -@@ -142,6 +154,7 @@ +@@ -142,6 +157,7 @@ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -21781,7 +21360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post kernel_read_all_sysctls(postfix_master_t) -@@ -153,6 +166,9 @@ +@@ -153,6 +169,9 @@ corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -21791,7 +21370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -170,6 +186,8 @@ +@@ -170,6 +189,8 @@ domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) @@ -21800,7 +21379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post term_dontaudit_search_ptys(postfix_master_t) -@@ -181,6 +199,7 @@ +@@ -181,6 +202,7 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) @@ -21808,7 +21387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ifdef(`distro_redhat',` # for newer main.cf that uses /etc/aliases -@@ -193,6 +212,10 @@ +@@ -193,6 +215,10 @@ ') optional_policy(` @@ -21819,7 +21398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # for postalias mailman_manage_data_files(postfix_master_t) ') -@@ -202,6 +225,10 @@ +@@ -202,6 +228,10 @@ ') optional_policy(` @@ -21830,7 +21409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post sendmail_signal(postfix_master_t) ') -@@ -219,6 +246,7 @@ +@@ -219,6 +249,7 @@ manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) @@ -21838,7 +21417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -240,11 +268,18 @@ +@@ -240,11 +271,18 @@ manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) @@ -21857,7 +21436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix local local policy -@@ -253,10 +288,6 @@ +@@ -253,10 +291,6 @@ allow postfix_local_t self:fifo_file rw_fifo_file_perms; allow postfix_local_t self:process { setsched setrlimit }; @@ -21868,7 +21447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -270,18 +301,29 @@ +@@ -270,18 +304,31 @@ files_read_etc_files(postfix_local_t) @@ -21880,6 +21459,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_config(postfix_local_t) +domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) ++# Might be a leak, but I need a postfix expert to explain ++allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; + optional_policy(` clamav_search_lib(postfix_local_t) @@ -21898,7 +21479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -292,8 +334,7 @@ +@@ -292,8 +339,7 @@ # # Postfix map local policy # @@ -21908,7 +21489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -340,14 +381,15 @@ +@@ -340,14 +386,15 @@ miscfiles_read_localization(postfix_map_t) @@ -21928,7 +21509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix pickup local policy -@@ -372,6 +414,7 @@ +@@ -372,6 +419,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -21936,7 +21517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -379,6 +422,12 @@ +@@ -379,6 +427,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -21949,7 +21530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -388,6 +437,16 @@ +@@ -388,6 +442,16 @@ ') optional_policy(` @@ -21966,7 +21547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -415,6 +474,10 @@ +@@ -415,6 +479,10 @@ mta_rw_user_mail_stream_sockets(postfix_postdrop_t) optional_policy(` @@ -21977,7 +21558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') -@@ -424,8 +487,11 @@ +@@ -424,8 +492,11 @@ ') optional_policy(` @@ -21991,7 +21572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ####################################### -@@ -451,6 +517,15 @@ +@@ -451,6 +522,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -22007,7 +21588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -464,6 +539,7 @@ +@@ -464,6 +544,7 @@ manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) @@ -22015,7 +21596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -@@ -499,13 +575,14 @@ +@@ -499,13 +580,14 @@ # # connect to master process @@ -22031,7 +21612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) -@@ -535,9 +612,18 @@ +@@ -535,9 +617,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -22050,7 +21631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mailman_read_data_files(postfix_smtpd_t) ') -@@ -559,20 +645,22 @@ +@@ -559,20 +650,22 @@ allow postfix_virtual_t postfix_spool_t:file rw_file_perms; @@ -22078,9 +21659,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.9/policy/modules/services/postgresql.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.15/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/postgresql.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/postgresql.fc 2010-03-18 10:44:43.000000000 -0400 @@ -3,6 +3,7 @@ # /etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) @@ -22107,9 +21688,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) + +/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.9/policy/modules/services/postgresql.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.15/policy/modules/services/postgresql.if --- nsaserefpolicy/policy/modules/services/postgresql.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/postgresql.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/postgresql.if 2010-03-18 10:44:43.000000000 -0400 @@ -125,6 +125,23 @@ typeattribute $1 sepgsql_table_type; ') @@ -22134,9 +21715,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## ## ## Marks as a SE-PostgreSQL system table/column/tuple object type -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.9/policy/modules/services/postgresql.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.15/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/postgresql.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/postgresql.te 2010-03-18 10:44:43.000000000 -0400 @@ -150,6 +150,7 @@ dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; allow postgresql_t self:process signal_perms; @@ -22171,9 +21752,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post miscfiles_read_localization(postgresql_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.9/policy/modules/services/ppp.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.15/policy/modules/services/ppp.fc --- nsaserefpolicy/policy/modules/services/ppp.fc 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/ppp.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ppp.fc 2010-03-18 10:44:43.000000000 -0400 @@ -3,6 +3,7 @@ # /etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) @@ -22182,9 +21763,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.9/policy/modules/services/ppp.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.15/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/ppp.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ppp.if 2010-03-18 10:44:43.000000000 -0400 @@ -182,6 +182,10 @@ ppp_domtrans($1) role $2 types pppd_t; @@ -22196,18 +21777,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.9/policy/modules/services/ppp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.15/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/ppp.te 2010-02-16 15:08:37.000000000 -0500 -@@ -66,14 +66,17 @@ - type pptp_var_run_t; - files_pid_file(pptp_var_run_t) - -+type pppd_home_t; -+files_type(pppd_secret_t) -+ - ######################################## - # ++++ serefpolicy-3.7.15/policy/modules/services/ppp.te 2010-03-18 10:44:43.000000000 -0400 +@@ -71,9 +71,9 @@ # PPPD Local policy # @@ -22219,7 +21792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. allow pppd_t self:fifo_file rw_fifo_file_perms; allow pppd_t self:socket create_socket_perms; allow pppd_t self:unix_dgram_socket create_socket_perms; -@@ -168,6 +171,7 @@ +@@ -168,6 +168,7 @@ auth_use_nsswitch(pppd_t) logging_send_syslog_msg(pppd_t) @@ -22227,7 +21800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. miscfiles_read_localization(pppd_t) -@@ -193,6 +197,8 @@ +@@ -193,6 +194,8 @@ optional_policy(` mta_send_mail(pppd_t) @@ -22236,7 +21809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` -@@ -289,6 +295,7 @@ +@@ -289,6 +292,7 @@ userdom_dontaudit_use_unpriv_user_fds(pptp_t) userdom_dontaudit_search_user_home_dirs(pptp_t) @@ -22244,9 +21817,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. optional_policy(` consoletype_exec(pppd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.9/policy/modules/services/prelude.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.15/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/prelude.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/prelude.te 2010-03-18 10:44:43.000000000 -0400 @@ -90,6 +90,7 @@ corenet_tcp_bind_prelude_port(prelude_t) corenet_tcp_connect_prelude_port(prelude_t) @@ -22264,9 +21837,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel fs_rw_anon_inodefs_files(prelude_lml_t) auth_use_nsswitch(prelude_lml_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.9/policy/modules/services/procmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.15/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/procmail.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/procmail.te 2010-03-18 10:44:43.000000000 -0400 @@ -22,7 +22,7 @@ # Local policy # @@ -22314,9 +21887,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.9/policy/modules/services/pyzor.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.15/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/pyzor.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/pyzor.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,6 +1,10 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -22328,9 +21901,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.9/policy/modules/services/pyzor.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.15/policy/modules/services/pyzor.if --- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/pyzor.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/pyzor.if 2010-03-18 10:44:43.000000000 -0400 @@ -88,3 +88,50 @@ corecmd_search_bin($1) can_exec($1, pyzor_exec_t) @@ -22382,9 +21955,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.9/policy/modules/services/pyzor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.15/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/pyzor.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/pyzor.te 2010-03-18 10:44:43.000000000 -0400 @@ -6,6 +6,38 @@ # Declarations # @@ -22449,9 +22022,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.9/policy/modules/services/radvd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.15/policy/modules/services/radvd.te --- nsaserefpolicy/policy/modules/services/radvd.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/radvd.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/radvd.te 2010-03-18 10:44:43.000000000 -0400 @@ -22,9 +22,9 @@ # # Local policy @@ -22487,17 +22060,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv seutil_sigchld_newrole(radvd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.9/policy/modules/services/razor.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.15/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/razor.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/razor.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,3 +1,4 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.9/policy/modules/services/razor.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.15/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/razor.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/razor.if 2010-03-18 10:44:43.000000000 -0400 @@ -157,3 +157,45 @@ domtrans_pattern($1, razor_exec_t, razor_t) @@ -22544,9 +22117,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.9/policy/modules/services/razor.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.15/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/razor.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/razor.te 2010-03-18 10:44:43.000000000 -0400 @@ -6,6 +6,32 @@ # Declarations # @@ -22598,9 +22171,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo +') + ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.9/policy/modules/services/rdisc.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.15/policy/modules/services/rdisc.if --- nsaserefpolicy/policy/modules/services/rdisc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/rdisc.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/rdisc.if 2010-03-18 10:44:43.000000000 -0400 @@ -1 +1,20 @@ ## Network router discovery daemon + @@ -22619,12 +22192,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis + type rdisc_exec_t; + ') + -+ corecmd_search_sbin($1) ++ corecmd_search_bin($1) + can_exec($1,rdisc_exec_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.9/policy/modules/services/rgmanager.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.15/policy/modules/services/rgmanager.fc --- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/rgmanager.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/rgmanager.fc 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,8 @@ + +/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) @@ -22634,10 +22207,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) + +/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.9/policy/modules/services/rgmanager.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.15/policy/modules/services/rgmanager.if --- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/rgmanager.if 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,59 @@ ++++ serefpolicy-3.7.15/policy/modules/services/rgmanager.if 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,98 @@ +## SELinux policy for rgmanager + +####################################### @@ -22697,10 +22270,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.9/policy/modules/services/rgmanager.te ++###################################### ++## ++## Allow manage rgmanager tmpfs files. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`rgmanager_manage_tmpfs_files',` ++ gen_require(` ++ type rgmanager_tmpfs_t; ++ ') ++ ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) ++ manage_lnk_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) ++') ++ ++###################################### ++## ++## Allow manage rgmanager tmp files. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`rgmanager_manage_tmp_files',` ++ gen_require(` ++ type rgmanager_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) ++ manage_lnk_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.15/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/rgmanager.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,204 @@ ++++ serefpolicy-3.7.15/policy/modules/services/rgmanager.te 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,223 @@ + +policy_module(rgmanager,1.0.0) + @@ -22741,7 +22353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +# rgmanager local policy +# + -+allow rgmanager_t self:capability { sys_nice ipc_lock }; ++allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; +dontaudit rgmanager_t self:capability { sys_ptrace }; +allow rgmanager_t self:process { setsched signal }; +dontaudit rgmanager_t self:process { ptrace }; @@ -22770,12 +22382,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file }) + +corecmd_exec_bin(rgmanager_t) -+corecmd_exec_sbin(rgmanager_t) +corecmd_exec_shell(rgmanager_t) +consoletype_exec(rgmanager_t) + ++kernel_kill(rgmanager_t) +kernel_read_kernel_sysctls(rgmanager_t) ++kernel_read_rpc_sysctls(rgmanager_t) ++kernel_read_system_state(rgmanager_t) ++kernel_rw_rpc_sysctls(rgmanager_t) +kernel_search_debugfs(rgmanager_t) ++kernel_search_network_state(rgmanager_t) + +fs_getattr_xattr_fs(rgmanager_t) + @@ -22788,16 +22404,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +domain_getattr_all_domains(rgmanager_t) +domain_dontaudit_ptrace_all_domains(rgmanager_t) + ++storage_getattr_fixed_disk_dev(rgmanager_t) ++ +# needed by resources scripts +auth_read_all_files_except_shadow(rgmanager_t) +auth_dontaudit_getattr_shadow(rgmanager_t) + +files_list_all(rgmanager_t) +files_getattr_all_symlinks(rgmanager_t) ++files_manage_mnt_dirs(rgmanager_t) ++files_manage_isid_type_dirs(rgmanager_t) + +files_create_var_run_dirs(rgmanager_t) + -+fs_getattr_xattr_fs(rgmanager_t) ++fs_getattr_all_fs(rgmanager_t) + +term_getattr_pty_fs(rgmanager_t) +#term_use_ptmx(rgmanager_t) @@ -22811,15 +22431,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + +miscfiles_read_localization(rgmanager_t) + ++mount_domtrans(rgmanager_t) ++ +tunable_policy(`rgmanager_can_network_connect',` + corenet_tcp_connect_all_ports(rgmanager_t) +') + +# rgmanager can run resource scripts -+ -+ +optional_policy(` + aisexec_stream_connect(rgmanager_t) ++ corosync_stream_connect(rgmanager_t) +') + +optional_policy(` @@ -22828,10 +22449,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') + +optional_policy(` -+ corosync_stream_connect(rgmanager_t) -+') -+ -+optional_policy(` + fstools_domtrans(rgmanager_t) +') + @@ -22878,11 +22495,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') + +optional_policy(` ++ ricci_dontaudit_rw_modcluster_pipes(rgmanager_t) ++') ++ ++optional_policy(` + rpc_initrc_domtrans_nfsd(rgmanager_t) + rpc_initrc_domtrans_rpcd(rgmanager_t) + + rpc_domtrans_nfsd(rgmanager_t) + rpc_domtrans_rpcd(rgmanager_t) ++ rpc_manage_nfs_state_data(rgmanager_t) +') + +optional_policy(` @@ -22903,18 +22525,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + udev_read_db(rgmanager_t) +') + ++optional_policy(` ++ virt_stream_connect(rgmanager_t) ++') + ++optional_policy(` ++ unconfined_domain(rgmanager_t) ++') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.9/policy/modules/services/rhcs.fc ++optional_policy(` ++ xen_domtrans_xm(rgmanager_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.15/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/rhcs.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,22 @@ ++++ serefpolicy-3.7.15/policy/modules/services/rhcs.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,23 @@ +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) +/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) + +/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) ++/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) +/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) +/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) +/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) @@ -22931,12 +22563,69 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.9/policy/modules/services/rhcs.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.15/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/rhcs.if 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,367 @@ ++++ serefpolicy-3.7.15/policy/modules/services/rhcs.if 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,424 @@ +## SELinux policy for RHCS - Red Hat Cluster Suite + ++####################################### ++## ++## Creates types and rules for a basic ++## rhcs init daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`rhcs_domain_template',` ++ ++ gen_require(` ++ attribute cluster_domain; ++ ') ++ ++ ############################## ++ # ++ # $1_t declarations ++ # ++ ++ type $1_t, cluster_domain; ++ type $1_exec_t; ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ type $1_tmpfs_t; ++ files_tmpfs_file($1_tmpfs_t) ++ ++ # log files ++ type $1_var_log_t; ++ logging_log_file($1_var_log_t) ++ ++ # pid files ++ type $1_var_run_t; ++ files_pid_file($1_var_run_t) ++ ++ ############################## ++ # ++ # $1_t local policy ++ # ++ ++ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) ++ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) ++ fs_tmpfs_filetrans($1_t, $1_tmpfs_t,{ dir file }) ++ ++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file }) ++ ++ manage_files_pattern($1_t, $1_var_log_t,$1_var_log_t) ++ manage_sock_files_pattern($1_t, $1_var_log_t,$1_var_log_t) ++ logging_log_filetrans($1_t,$1_var_log_t,{ file sock_file }) ++ ++') ++ +###################################### +## +## Execute a domain transition to run groupd. @@ -23302,12 +22991,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.9/policy/modules/services/rhcs.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.15/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/rhcs.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,419 @@ ++++ serefpolicy-3.7.15/policy/modules/services/rhcs.te 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,248 @@ + -+policy_module(rhcs,1.0.0) ++policy_module(rhcs,1.1.0) + +######################################## +# @@ -23321,122 +23010,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +## +gen_tunable(fenced_can_network_connect, false) + -+type dlm_controld_t; -+type dlm_controld_exec_t; -+init_daemon_domain(dlm_controld_t, dlm_controld_exec_t) -+ -+# log files -+type dlm_controld_var_log_t; -+logging_log_file(dlm_controld_var_log_t) -+ -+# pid files -+type dlm_controld_var_run_t; -+files_pid_file(dlm_controld_var_run_t) ++attribute cluster_domain; + -+type dlm_controld_tmpfs_t; -+files_tmpfs_file(dlm_controld_tmpfs_t) ++rhcs_domain_template(dlm_controld) + -+type fenced_t; -+type fenced_exec_t; -+init_daemon_domain(fenced_t, fenced_exec_t) ++rhcs_domain_template(fenced) + +# tmp files +type fenced_tmp_t; +files_tmp_file(fenced_tmp_t) + -+type fenced_tmpfs_t; -+files_tmpfs_file(fenced_tmpfs_t) -+ -+# log files -+type fenced_var_log_t; -+logging_log_file(fenced_var_log_t) -+ -+# pid files -+type fenced_var_run_t; -+files_pid_file(fenced_var_run_t) -+ -+type gfs_controld_t; -+type gfs_controld_exec_t; -+init_daemon_domain(gfs_controld_t, gfs_controld_exec_t) -+ -+# log files -+type gfs_controld_var_log_t; -+logging_log_file(gfs_controld_var_log_t) -+ -+# pid files -+type gfs_controld_var_run_t; -+files_pid_file(gfs_controld_var_run_t) -+ -+type gfs_controld_tmpfs_t; -+files_tmpfs_file(gfs_controld_tmpfs_t) -+ -+ -+type groupd_t; -+type groupd_exec_t; -+init_daemon_domain(groupd_t, groupd_exec_t) -+ -+# log files -+type groupd_var_log_t; -+logging_log_file(groupd_var_log_t) -+ -+# pid files -+type groupd_var_run_t; -+files_pid_file(groupd_var_run_t) ++type fenced_lock_t; ++files_lock_file(fenced_lock_t) + -+type groupd_tmpfs_t; -+files_tmpfs_file(groupd_tmpfs_t) ++rhcs_domain_template(gfs_controld) + -+type qdiskd_t; -+type qdiskd_exec_t; -+init_daemon_domain(qdiskd_t, qdiskd_exec_t) ++rhcs_domain_template(groupd) + -+type qdiskd_tmpfs_t; -+files_tmpfs_file(qdiskd_tmpfs_t) ++rhcs_domain_template(qdiskd) + +# var/lib files +type qdiskd_var_lib_t; +files_type(qdiskd_var_lib_t) + -+# log files -+type qdiskd_var_log_t; -+logging_log_file(qdiskd_var_log_t) -+ -+# pid files -+type qdiskd_var_run_t; -+files_pid_file(qdiskd_var_run_t) -+ +##################################### +# +# dlm_controld local policy +# + -+allow dlm_controld_t self:capability { net_admin sys_admin sys_nice sys_resource }; -+allow dlm_controld_t self:process setsched; ++allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; + -+allow dlm_controld_t self:sem create_sem_perms; -+allow dlm_controld_t self:fifo_file rw_fifo_file_perms; -+allow dlm_controld_t self:unix_stream_socket create_stream_socket_perms; -+allow dlm_controld_t self:unix_dgram_socket create_socket_perms; +allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; + -+manage_dirs_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) -+manage_files_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) -+fs_tmpfs_filetrans(dlm_controld_t, dlm_controld_tmpfs_t,{ dir file }) -+ -+# log files -+manage_files_pattern(dlm_controld_t, dlm_controld_var_log_t,dlm_controld_var_log_t) -+logging_log_filetrans(dlm_controld_t,dlm_controld_var_log_t,{ file }) -+ -+# pid files -+manage_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t) -+manage_sock_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t) -+files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file }) -+ +stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -+aisexec_stream_connect(dlm_controld_t) -+ccs_stream_connect(dlm_controld_t) -+corosync_stream_connect(dlm_controld_t) -+groupd_stream_connect(dlm_controld_t) ++stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + +kernel_read_system_state(dlm_controld_t) + @@ -23448,15 +23055,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + +init_rw_script_tmp_files(dlm_controld_t) + -+libs_use_ld_so(dlm_controld_t) -+libs_use_shared_libs(dlm_controld_t) -+ -+logging_send_syslog_msg(dlm_controld_t) -+ -+miscfiles_read_localization(dlm_controld_t) -+ +optional_policy(` -+ corosync_stream_connect(dlm_controld_t) ++ ccs_stream_connect(dlm_controld_t) +') + +####################################### @@ -23464,13 +23064,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +# fenced local policy +# + -+allow fenced_t self:capability { sys_nice sys_rawio sys_resource }; -+allow fenced_t self:process { setsched getsched }; ++allow fenced_t self:capability { sys_rawio sys_resource }; ++allow fenced_t self:process getsched; + -+allow fenced_t self:fifo_file rw_fifo_file_perms; -+allow fenced_t self:sem create_sem_perms; -+allow fenced_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow fenced_t self:unix_dgram_socket create_socket_perms; +allow fenced_t self:tcp_socket create_stream_socket_perms; +allow fenced_t self:udp_socket create_socket_perms; + @@ -23479,25 +23075,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +# tmp files +manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) +manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) -+files_tmp_filetrans(fenced_t, fenced_tmp_t, { file dir }) -+ -+manage_dirs_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t) -+manage_files_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t) -+fs_tmpfs_filetrans(fenced_t, fenced_tmpfs_t,{ dir file }) -+ -+# log files -+manage_files_pattern(fenced_t, fenced_var_log_t,fenced_var_log_t) -+logging_log_filetrans(fenced_t,fenced_var_log_t,{ file }) ++manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) ++files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) + -+# pid file -+manage_files_pattern(fenced_t, fenced_var_run_t,fenced_var_run_t) -+manage_sock_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t) -+manage_fifo_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t) -+files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file }) ++manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) ++files_lock_filetrans(fenced_t,fenced_lock_t,file) + +stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) -+aisexec_stream_connect(fenced_t) -+ccs_stream_connect(fenced_t) + +corecmd_exec_bin(fenced_t) + @@ -23508,34 +23092,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +storage_raw_write_fixed_disk(fenced_t) +storage_raw_read_removable_device(fenced_t) + ++term_getattr_pty_fs(fenced_t) +term_use_ptmx(fenced_t) + +auth_use_nsswitch(fenced_t) + +files_read_usr_symlinks(fenced_t) + -+libs_use_ld_so(fenced_t) -+libs_use_shared_libs(fenced_t) -+ -+logging_send_syslog_msg(fenced_t) -+ -+miscfiles_read_localization(fenced_t) -+ ++corenet_tcp_connect_http_port(fenced_t) +tunable_policy(`fenced_can_network_connect',` -+ corenet_tcp_connect_all_ports(fenced_t) ++ corenet_tcp_connect_all_ports(fenced_t) +') + +optional_policy(` -+ ccs_read_config(fenced_t) ++ ccs_read_config(fenced_t) ++ ccs_stream_connect(fenced_t) +') + +optional_policy(` -+ corosync_stream_connect(fenced_t) -+') -+ -+optional_policy(` -+ lvm_domtrans(fenced_t) -+ lvm_read_config(fenced_t) ++ lvm_domtrans(fenced_t) ++ lvm_read_config(fenced_t) +') + +###################################### @@ -23543,35 +23119,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +# gfs_controld local policy +# + -+allow gfs_controld_t self:capability { net_admin sys_nice sys_resource }; -+allow gfs_controld_t self:process setsched; ++allow gfs_controld_t self:capability { net_admin sys_resource }; + -+allow gfs_controld_t self:sem create_sem_perms; +allow gfs_controld_t self:shm create_shm_perms; -+allow gfs_controld_t self:fifo_file rw_fifo_file_perms; -+allow gfs_controld_t self:unix_stream_socket { create_stream_socket_perms }; -+allow gfs_controld_t self:unix_dgram_socket { create_socket_perms }; +allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; + -+manage_dirs_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -+manage_files_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) -+fs_tmpfs_filetrans(gfs_controld_t, gfs_controld_tmpfs_t,{ dir file }) -+ -+# log files -+manage_files_pattern(gfs_controld_t, gfs_controld_var_log_t,gfs_controld_var_log_t) -+logging_log_filetrans(gfs_controld_t,gfs_controld_var_log_t,{ file }) -+ -+# pid files -+manage_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t) -+manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t) -+files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file }) -+ -+stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) +stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) -+ -+aisexec_stream_connect(gfs_controld_t) -+ccs_stream_connect(gfs_controld_t) -+groupd_stream_connect(gfs_controld_t) ++stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) ++stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + +kernel_read_system_state(gfs_controld_t) + @@ -23579,24 +23134,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + +dev_rw_dlm_control(gfs_controld_t) +dev_setattr_dlm_control(gfs_controld_t) ++ +dev_rw_sysfs(gfs_controld_t) + +init_rw_script_tmp_files(gfs_controld_t) + -+libs_use_ld_so(gfs_controld_t) -+libs_use_shared_libs(gfs_controld_t) -+ -+logging_send_syslog_msg(gfs_controld_t) -+ -+miscfiles_read_localization(gfs_controld_t) -+ +optional_policy(` -+ corosync_stream_connect(gfs_controld_t) ++ ccs_stream_connect(gfs_controld_t) +') + +optional_policy(` -+ lvm_exec(gfs_controld_t) -+ dev_rw_lvm_control(gfs_controld_t) ++ lvm_exec(gfs_controld_t) ++ dev_rw_lvm_control(gfs_controld_t) +') + +####################################### @@ -23607,79 +23156,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +allow groupd_t self:capability { sys_nice sys_resource }; +allow groupd_t self:process setsched; + -+allow groupd_t self:sem create_sem_perms; +allow groupd_t self:shm create_shm_perms; -+allow groupd_t self:fifo_file rw_fifo_file_perms; -+allow groupd_t self:unix_stream_socket create_stream_socket_perms; -+allow groupd_t self:unix_dgram_socket create_socket_perms; -+ -+manage_dirs_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t) -+manage_files_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t) -+fs_tmpfs_filetrans(groupd_t, groupd_tmpfs_t,{ dir file }) -+ -+# log files -+manage_files_pattern(groupd_t, groupd_var_log_t,groupd_var_log_t) -+logging_log_filetrans(groupd_t,groupd_var_log_t,{ file }) -+ -+# pid files -+manage_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t) -+manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t) -+files_pid_filetrans(groupd_t, groupd_var_run_t, { file }) -+ -+aisexec_stream_connect(groupd_t) + +dev_list_sysfs(groupd_t) + +files_read_etc_files(groupd_t) + -+libs_use_ld_so(groupd_t) -+libs_use_shared_libs(groupd_t) -+ -+logging_send_syslog_msg(groupd_t) -+ -+miscfiles_read_localization(groupd_t) -+ +init_rw_script_tmp_files(groupd_t) + -+logging_send_syslog_msg(groupd_t) -+ +###################################### +# +# qdiskd local policy +# + -+allow qdiskd_t self:capability { sys_nice ipc_lock }; -+allow qdiskd_t self:process setsched; ++allow qdiskd_t self:capability ipc_lock; + -+allow qdiskd_t self:sem create_sem_perms; -+allow qdiskd_t self:udp_socket create_socket_perms; ++allow qdiskd_t self:tcp_socket create_stream_socket_perms; +allow qdiskd_t self:udp_socket create_socket_perms; -+allow qdiskd_t self:unix_dgram_socket create_socket_perms; -+allow qdiskd_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t) +manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t) +manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t) +files_var_lib_filetrans(qdiskd_t,qdiskd_var_lib_t, { file dir sock_file }) + -+# log files -+manage_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t) -+manage_sock_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t) -+logging_log_filetrans(qdiskd_t,qdiskd_var_log_t,{ sock_file file }) -+ -+manage_dirs_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t) -+manage_files_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t) -+fs_tmpfs_filetrans(qdiskd_t, qdiskd_tmpfs_t,{ dir file }) -+ -+# pid files -+manage_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t) -+manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t) -+files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file }) -+ -+aisexec_stream_connect(qdiskd_t) -+ccs_stream_connect(qdiskd_t) -+ -+corecmd_getattr_sbin_files(qdiskd_t) ++corecmd_getattr_bin_files(qdiskd_t) +corecmd_exec_shell(qdiskd_t) + +kernel_read_system_state(qdiskd_t) @@ -23708,26 +23208,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + +files_read_etc_files(qdiskd_t) + -+libs_use_ld_so(qdiskd_t) -+libs_use_shared_libs(qdiskd_t) -+ -+logging_send_syslog_msg(qdiskd_t) -+ -+miscfiles_read_localization(qdiskd_t) ++optional_policy(` ++ ccs_stream_connect(qdiskd_t) ++') + +optional_policy(` -+ netutils_domtrans_ping(qdiskd_t) ++ netutils_domtrans_ping(qdiskd_t) +') + +optional_policy(` -+ udev_read_db(qdiskd_t) ++ udev_read_db(qdiskd_t) +') + ++##################################### ++# ++# rhcs domains common policy ++# ++ ++allow cluster_domain self:capability { sys_nice }; ++allow cluster_domain self:process setsched; + ++allow cluster_domain self:sem create_sem_perms; ++allow cluster_domain self:fifo_file rw_fifo_file_perms; ++allow cluster_domain self:unix_stream_socket create_stream_socket_perms; ++allow cluster_domain self:unix_dgram_socket create_socket_perms; + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.9/policy/modules/services/ricci.te ++libs_use_ld_so(cluster_domain) ++libs_use_shared_libs(cluster_domain) ++ ++logging_send_syslog_msg(cluster_domain) ++ ++miscfiles_read_localization(cluster_domain) ++ ++optional_policy(` ++ corosync_stream_connect(cluster_domain) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.15/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/ricci.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ricci.te 2010-03-18 10:44:43.000000000 -0400 @@ -194,10 +194,13 @@ # ricci_modcluster local policy # @@ -23743,18 +23261,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc kernel_read_kernel_sysctls(ricci_modcluster_t) kernel_read_system_state(ricci_modcluster_t) -@@ -227,6 +230,10 @@ +@@ -227,6 +230,11 @@ ricci_stream_connect_modclusterd(ricci_modcluster_t) optional_policy(` -+ aisexec_stream_connect(ricci_modcluster_t) ++ aisexec_stream_connect(ricci_modcluster_t) ++ corosync_stream_connect(ricci_modcluster_t) +') + +optional_policy(` ccs_stream_connect(ricci_modcluster_t) ccs_domtrans(ricci_modcluster_t) ccs_manage_config(ricci_modcluster_t) -@@ -245,6 +252,10 @@ +@@ -245,6 +253,10 @@ ') optional_policy(` @@ -23765,7 +23284,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc # XXX This has got to go. unconfined_domain(ricci_modcluster_t) ') -@@ -264,6 +275,7 @@ +@@ -259,11 +271,11 @@ + allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms; + allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms; + allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms; +-allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms; + # cjp: this needs to be fixed for a specific socket type: allow ricci_modclusterd_t self:socket create_socket_perms; allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; @@ -23773,17 +23297,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc # log files allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; -@@ -306,12 +318,20 @@ - sysnet_dns_name_resolve(ricci_modclusterd_t) +@@ -294,6 +306,8 @@ - optional_policy(` -+ aisexec_stream_connect(ricci_modclusterd_t) -+') + fs_getattr_xattr_fs(ricci_modclusterd_t) + ++auth_use_nsswitch(ricci_modclusterd_t) ++ + init_stream_connect_script(ricci_modclusterd_t) + + locallogin_dontaudit_use_fds(ricci_modclusterd_t) +@@ -303,7 +317,11 @@ + miscfiles_read_localization(ricci_modclusterd_t) + + sysnet_domtrans_ifconfig(ricci_modclusterd_t) +-sysnet_dns_name_resolve(ricci_modclusterd_t) + +optional_policy(` ++ aisexec_stream_connect(ricci_modclusterd_t) ++ corosync_stream_connect(ricci_modclusterd_t) ++') + + optional_policy(` ccs_domtrans(ricci_modclusterd_t) - ccs_stream_connect(ricci_modclusterd_t) - ccs_read_config(ricci_modclusterd_t) +@@ -312,6 +330,10 @@ ') optional_policy(` @@ -23794,11 +23330,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc unconfined_use_fds(ricci_modclusterd_t) ') -@@ -440,6 +460,11 @@ +@@ -440,6 +462,12 @@ files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) +files_create_default_dir(ricci_modstorage_t) ++files_root_filetrans_default(ricci_modstorage_t, dir) +files_mounton_default(ricci_modstorage_t) +files_manage_default_dirs(ricci_modstorage_t) +files_manage_default_files(ricci_modstorage_t) @@ -23806,20 +23343,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc storage_raw_read_fixed_disk(ricci_modstorage_t) term_dontaudit_use_console(ricci_modstorage_t) -@@ -457,6 +482,10 @@ +@@ -457,6 +485,11 @@ mount_domtrans(ricci_modstorage_t) optional_policy(` -+ aisexec_stream_connect(ricci_modstorage_t) ++ aisexec_stream_connect(ricci_modstorage_t) ++ corosync_stream_connect(ricci_modstorage_t) +') + +optional_policy(` ccs_stream_connect(ricci_modstorage_t) ccs_read_config(ricci_modstorage_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.9/policy/modules/services/rpc.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.15/policy/modules/services/rpc.fc --- nsaserefpolicy/policy/modules/services/rpc.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/rpc.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/rpc.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,6 +1,10 @@ # # /etc @@ -23831,9 +23369,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. /etc/exports -- gen_context(system_u:object_r:exports_t,s0) # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.9/policy/modules/services/rpc.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.15/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/rpc.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/rpc.if 2010-03-18 10:44:43.000000000 -0400 @@ -54,7 +54,7 @@ allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; @@ -23921,9 +23459,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ######################################## ## ## Read NFS exported content. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.9/policy/modules/services/rpc.te +@@ -373,4 +414,5 @@ + + files_search_var_lib($1) + manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) ++ allow $1 var_lib_nfs_t:file { relabelfrom relabelto }; + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.15/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/rpc.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/rpc.te 2010-03-18 10:44:43.000000000 -0400 @@ -8,7 +8,7 @@ ## @@ -23973,15 +23517,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. files_manage_mounttab(rpcd_t) files_getattr_all_dirs(rpcd_t) -@@ -91,14 +100,21 @@ +@@ -91,14 +100,26 @@ seutil_dontaudit_search_config(rpcd_t) +userdom_signal_unpriv_users(rpcd_t) ++userdom_read_user_home_content_files(rpcd_t) + optional_policy(` automount_signal(rpcd_t) + automount_dontaudit_write_pipes(rpcd_t) ++') ++ ++optional_policy(` ++ domain_unconfined_signal(rpcd_t) ') optional_policy(` @@ -23989,13 +23538,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') +optional_policy(` -+ domain_unconfined_signal(rpcd_t) ++ rgmanager_manage_tmp_files(rpcd_t) +') + ######################################## # # NFSD local policy -@@ -127,6 +143,7 @@ +@@ -127,6 +148,7 @@ files_getattr_tmp_dirs(nfsd_t) # cjp: this should really have its own type files_manage_mounttab(nfsd_t) @@ -24003,7 +23552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) -@@ -135,6 +152,7 @@ +@@ -135,6 +157,7 @@ fs_rw_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) @@ -24011,7 +23560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) -@@ -151,6 +169,7 @@ +@@ -151,6 +174,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') @@ -24019,7 +23568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -182,6 +201,7 @@ +@@ -182,6 +206,7 @@ kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) @@ -24027,7 +23576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. corecmd_exec_bin(gssd_t) -@@ -189,8 +209,10 @@ +@@ -189,8 +214,10 @@ fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) @@ -24038,7 +23587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. auth_use_nsswitch(gssd_t) auth_manage_cache(gssd_t) -@@ -199,10 +221,14 @@ +@@ -199,10 +226,14 @@ mount_signal(gssd_t) @@ -24053,9 +23602,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.9/policy/modules/services/rsync.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.15/policy/modules/services/rsync.if --- nsaserefpolicy/policy/modules/services/rsync.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/rsync.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/rsync.if 2010-03-18 10:44:43.000000000 -0400 @@ -119,7 +119,7 @@ type rsync_etc_t; ') @@ -24073,9 +23622,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn + write_files_pattern($1, rsync_etc_t, rsync_etc_t) files_search_etc($1) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.9/policy/modules/services/rsync.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.15/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/rsync.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/rsync.te 2010-03-18 10:44:43.000000000 -0400 @@ -8,6 +8,13 @@ ## @@ -24127,9 +23676,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn +') + auth_can_read_shadow_passwords(rsync_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.9/policy/modules/services/rtkit.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.15/policy/modules/services/rtkit.if --- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/rtkit.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/rtkit.if 2010-03-18 10:44:43.000000000 -0400 @@ -38,3 +38,23 @@ allow $1 rtkit_daemon_t:dbus send_msg; allow rtkit_daemon_t $1:dbus send_msg; @@ -24154,9 +23703,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki + allow rtkit_daemon_t $1:process { getsched setsched }; + rtkit_daemon_dbus_chat($1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.9/policy/modules/services/rtkit.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.15/policy/modules/services/rtkit.te --- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/rtkit.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/rtkit.te 2010-03-18 10:44:43.000000000 -0400 @@ -17,9 +17,11 @@ allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; @@ -24178,9 +23727,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki optional_policy(` policykit_dbus_chat(rtkit_daemon_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.9/policy/modules/services/samba.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.15/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/samba.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/samba.fc 2010-03-18 10:44:43.000000000 -0400 @@ -51,3 +51,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) @@ -24189,9 +23738,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.9/policy/modules/services/samba.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.15/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/samba.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/samba.if 2010-03-18 10:44:43.000000000 -0400 @@ -62,6 +62,25 @@ ######################################## @@ -24405,9 +23954,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb admin_pattern($1, winbind_var_run_t) + admin_pattern($1, samba_unconfined_script_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.9/policy/modules/services/samba.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.15/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/samba.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/samba.te 2010-03-18 10:44:43.000000000 -0400 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -24422,6 +23971,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type nmbd_t; type nmbd_exec_t; init_daemon_domain(nmbd_t, nmbd_exec_t) +@@ -156,7 +163,7 @@ + # + # Samba net local policy + # +-allow samba_net_t self:capability { sys_nice dac_read_search dac_override }; ++allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; + allow samba_net_t self:process { getsched setsched }; + allow samba_net_t self:unix_dgram_socket create_socket_perms; + allow samba_net_t self:unix_stream_socket create_stream_socket_perms; @@ -201,14 +208,16 @@ files_read_usr_symlinks(samba_net_t) @@ -24450,7 +24008,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) -@@ -316,6 +327,7 @@ +@@ -306,6 +317,8 @@ + dev_read_urand(smbd_t) + dev_getattr_mtrr_dev(smbd_t) + dev_dontaudit_getattr_usbfs_dirs(smbd_t) ++dev_getattr_all_blk_files(smbd_t) ++dev_getattr_all_chr_files(smbd_t) + + fs_getattr_all_fs(smbd_t) + fs_get_xattr_fs_quotas(smbd_t) +@@ -316,6 +329,7 @@ auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) auth_domtrans_upd_passwd(smbd_t) @@ -24458,7 +24025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -325,6 +337,8 @@ +@@ -325,6 +339,8 @@ files_read_etc_runtime_files(smbd_t) files_read_usr_files(smbd_t) files_search_spool(smbd_t) @@ -24467,7 +24034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -337,10 +351,13 @@ +@@ -337,10 +353,13 @@ miscfiles_read_public_files(smbd_t) userdom_use_unpriv_users_fds(smbd_t) @@ -24482,7 +24049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -352,19 +369,19 @@ +@@ -352,19 +371,19 @@ ') tunable_policy(`samba_domain_controller',` @@ -24508,7 +24075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') # Support Samba sharing of NFS mount points -@@ -376,6 +393,15 @@ +@@ -376,6 +395,15 @@ fs_manage_nfs_named_sockets(smbd_t) ') @@ -24524,7 +24091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) -@@ -391,6 +417,11 @@ +@@ -391,6 +419,11 @@ ') optional_policy(` @@ -24536,7 +24103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb rpc_search_nfs_state_data(smbd_t) ') -@@ -405,13 +436,15 @@ +@@ -405,13 +438,15 @@ tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -24553,7 +24120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb auth_read_all_files_except_shadow(nmbd_t) ') -@@ -420,8 +453,8 @@ +@@ -420,8 +455,8 @@ auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) @@ -24563,7 +24130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # -@@ -525,6 +558,7 @@ +@@ -525,6 +560,7 @@ allow smbcontrol_t winbind_t:process { signal signull }; @@ -24571,7 +24138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -536,6 +570,8 @@ +@@ -536,6 +572,8 @@ miscfiles_read_localization(smbcontrol_t) @@ -24580,7 +24147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # smbmount Local policy -@@ -618,7 +654,7 @@ +@@ -618,7 +656,7 @@ # SWAT Local policy # @@ -24589,7 +24156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -@@ -626,23 +662,23 @@ +@@ -626,23 +664,23 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; @@ -24622,16 +24189,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; -@@ -657,7 +693,7 @@ +@@ -657,7 +695,8 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; -can_exec(swat_t, winbind_exec_t) +domtrans_pattern(swat_t, winbind_exec_t, winbind_t) ++allow swat_t winbind_t:process { signal signull }; allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -700,6 +736,8 @@ +@@ -700,6 +739,8 @@ miscfiles_read_localization(swat_t) @@ -24640,7 +24208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -713,12 +751,23 @@ +@@ -713,12 +754,23 @@ kerberos_use(swat_t) ') @@ -24665,7 +24233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -779,6 +828,9 @@ +@@ -779,6 +831,9 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -24675,7 +24243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) -@@ -788,7 +840,7 @@ +@@ -788,7 +843,7 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) @@ -24684,7 +24252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -866,6 +918,18 @@ +@@ -866,6 +921,18 @@ # optional_policy(` @@ -24703,7 +24271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +940,12 @@ +@@ -876,9 +943,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -24717,9 +24285,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.9/policy/modules/services/sasl.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.15/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/sasl.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/sasl.te 2010-03-18 10:44:43.000000000 -0400 @@ -31,7 +31,7 @@ # Local policy # @@ -24782,9 +24350,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl seutil_sigchld_newrole(saslauthd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.9/policy/modules/services/sendmail.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.15/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/sendmail.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/sendmail.if 2010-03-18 10:44:43.000000000 -0400 @@ -277,3 +277,22 @@ sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; @@ -24808,9 +24376,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.9/policy/modules/services/sendmail.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.15/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/sendmail.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/sendmail.te 2010-03-18 10:44:43.000000000 -0400 @@ -30,7 +30,7 @@ # @@ -24889,18 +24457,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + unconfined_domain_noaudit(unconfined_sendmail_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.9/policy/modules/services/setroubleshoot.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.15/policy/modules/services/setroubleshoot.fc --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/setroubleshoot.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/setroubleshoot.fc 2010-03-18 10:44:43.000000000 -0400 @@ -5,3 +5,5 @@ /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) /var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) + +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.9/policy/modules/services/setroubleshoot.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.15/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/setroubleshoot.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/setroubleshoot.if 2010-03-18 10:44:43.000000000 -0400 @@ -16,8 +16,8 @@ ') @@ -25038,9 +24606,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.9/policy/modules/services/setroubleshoot.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.15/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/setroubleshoot.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/setroubleshoot.te 2010-03-18 10:44:43.000000000 -0400 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -25102,7 +24670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,23 +113,79 @@ +@@ -94,23 +113,81 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -25110,6 +24678,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) ++modutils_read_module_config(setroubleshootd_t) ++ seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) - @@ -25122,13 +24692,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr - dbus_system_bus_client(setroubleshootd_t) - dbus_connect_system_bus(setroubleshootd_t) + locate_read_lib_files(setroubleshootd_t) - ') - - optional_policy(` -+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) +') + +optional_policy(` ++ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) + ') + + optional_policy(` + rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) @@ -25186,37 +24756,307 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + policykit_dbus_chat(setroubleshoot_fixit_t) + userdom_read_all_users_state(setroubleshoot_fixit_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.9/policy/modules/services/snmp.if ---- nsaserefpolicy/policy/modules/services/snmp.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/snmp.if 2010-02-16 15:08:37.000000000 -0500 -@@ -69,6 +69,24 @@ - - ######################################## - ## -+## Append snmpd libraries. +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.15/policy/modules/services/smokeping.fc +--- nsaserefpolicy/policy/modules/services/smokeping.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/smokeping.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,12 @@ ++ ++/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0) ++ ++/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0) ++ ++/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0) ++ ++/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0) ++ ++/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0) ++ ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.15/policy/modules/services/smokeping.if +--- nsaserefpolicy/policy/modules/services/smokeping.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/smokeping.if 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,193 @@ ++ ++## policy for smokeping ++ ++######################################## ++## ++## Execute a domain transition to run smokeping. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`smokeping_domtrans',` ++ gen_require(` ++ type smokeping_t, smokeping_exec_t; ++ ') ++ ++ domtrans_pattern($1, smokeping_exec_t, smokeping_t) ++') ++ ++ ++######################################## ++## ++## Execute smokeping server in the smokeping domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`smokeping_initrc_domtrans',` ++ gen_require(` ++ type smokeping_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, smokeping_initrc_exec_t) ++') ++ ++######################################## ++## ++## Read smokeping PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smokeping_read_pid_files',` ++ gen_require(` ++ type smokeping_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 smokeping_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Manage smokeping var_run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smokeping_manage_var_run',` ++ gen_require(` ++ type smokeping_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1, smokeping_var_run_t, smokeping_var_run_t) ++ manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t) ++ manage_lnk_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t) ++') ++ ++ ++######################################## ++## ++## Search smokeping lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smokeping_getattr_lib_files',` ++ gen_require(` ++ type smokeping_var_lib_t; ++ ') ++ ++ getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read smokeping lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smokeping_read_lib_files',` ++ gen_require(` ++ type smokeping_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## smokeping lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smokeping_manage_lib_files',` ++ gen_require(` ++ type smokeping_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) ++') ++ ++######################################## ++## ++## Manage smokeping var_lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`smokeping_manage_var_lib',` ++ gen_require(` ++ type smokeping_var_lib_t; ++ ') ++ ++ manage_dirs_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) ++ manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) ++ manage_lnk_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an smokeping environment +## +## +## +## Domain allowed access. +## +## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`smokeping_admin',` ++ gen_require(` ++ type smokeping_t, smokeping_initrc_exec_t; ++ ') ++ ++ allow $1 smokeping_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, smokeping_t, smokeping_t) ++ ++ smokeping_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 smokeping_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ smokeping_manage_var_run($1) ++ ++ smokeping_manage_var_lib($1) ++ ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.15/policy/modules/services/smokeping.te +--- nsaserefpolicy/policy/modules/services/smokeping.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/smokeping.te 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,81 @@ ++ ++policy_module(smokeping,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type smokeping_t; ++type smokeping_exec_t; ++init_daemon_domain(smokeping_t, smokeping_exec_t) ++ ++permissive smokeping_t; ++ ++type smokeping_initrc_exec_t; ++init_script_file(smokeping_initrc_exec_t) ++ ++type smokeping_var_run_t; ++files_pid_file(smokeping_var_run_t) ++ ++type smokeping_var_lib_t; ++files_type(smokeping_var_lib_t) ++ ++######################################## ++# ++# smokeping local policy ++# ++ ++# to read /etc/shadow ++allow smokeping_t self:capability dac_override; ++ ++allow smokeping_t self:fifo_file rw_fifo_file_perms; ++allow smokeping_t self:udp_socket create_socket_perms; ++allow smokeping_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t) ++manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t) ++files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir }) ++ ++manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) ++manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) ++files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } ) ++ ++corecmd_read_bin_symlinks(smokeping_t) ++ ++dev_read_urand(smokeping_t) ++ ++files_read_etc_files(smokeping_t) ++files_read_usr_files(smokeping_t) ++files_search_tmp(smokeping_t) ++ ++auth_use_nsswitch(smokeping_t) ++auth_read_shadow(smokeping_t) ++ ++logging_send_syslog_msg(smokeping_t) ++ ++miscfiles_read_localization(smokeping_t) ++ ++mta_send_mail(smokeping_t) ++ ++netutils_domtrans_ping(smokeping_t) ++ ++####################################### ++# ++# local policy for smokeping cgi scripts +# -+interface(`snmp_append_snmp_var_lib_files',` -+ gen_require(` -+ type snmpd_var_lib_t; -+ ') + -+ append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -+') ++optional_policy(` ++ apache_content_template(smokeping_cgi) ++ ++ allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms; + -+######################################## -+## - ## dontaudit Read snmpd libraries. - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.9/policy/modules/services/snmp.te ++ manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) ++ ++ getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) ++ ++ files_search_tmp(httpd_smokeping_cgi_script_t) ++ files_search_var_lib(httpd_smokeping_cgi_script_t) ++ ++ sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.15/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/snmp.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/snmp.te 2010-03-18 10:44:43.000000000 -0400 @@ -25,7 +25,7 @@ # # Local policy @@ -25226,9 +25066,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.9/policy/modules/services/snort.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.15/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/snort.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/snort.te 2010-03-18 10:44:43.000000000 -0400 @@ -37,6 +37,7 @@ allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; @@ -25262,9 +25102,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor domain_use_interactive_fds(snort_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.9/policy/modules/services/spamassassin.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.15/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/spamassassin.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/spamassassin.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,15 +1,26 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -25294,9 +25134,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.9/policy/modules/services/spamassassin.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.15/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/spamassassin.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/spamassassin.if 2010-03-18 10:44:43.000000000 -0400 @@ -111,6 +111,45 @@ ') @@ -25423,9 +25263,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.9/policy/modules/services/spamassassin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.15/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/spamassassin.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/spamassassin.te 2010-03-18 10:44:43.000000000 -0400 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -25731,10 +25571,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +optional_policy(` udev_read_db(spamd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.9/policy/modules/services/squid.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.15/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/squid.te 2010-02-16 15:08:37.000000000 -0500 -@@ -67,7 +67,9 @@ ++++ serefpolicy-3.7.15/policy/modules/services/squid.te 2010-03-18 10:44:43.000000000 -0400 +@@ -14,6 +14,13 @@ + ## + gen_tunable(squid_connect_any, false) + ++## ++##

++## Allow squid to run as a transparent proxy (TPROXY) ++##

++## ++gen_tunable(squid_use_tproxy, false) ++ + type squid_t; + type squid_exec_t; + init_daemon_domain(squid_t, squid_exec_t) +@@ -67,7 +74,9 @@ can_exec(squid_t, squid_exec_t) @@ -25744,7 +25598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi logging_log_filetrans(squid_t, squid_log_t, { file dir }) manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) -@@ -118,6 +120,8 @@ +@@ -118,6 +127,8 @@ fs_getattr_all_fs(squid_t) fs_search_auto_mountpoints(squid_t) @@ -25753,7 +25607,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi fs_list_inotifyfs(squid_t) selinux_dontaudit_getattr_dir(squid_t) -@@ -186,8 +190,3 @@ +@@ -157,6 +168,11 @@ + corenet_sendrecv_all_packets(squid_t) + ') + ++tunable_policy(`squid_use_tproxy',` ++ allow squid_t self:capability net_admin; ++ corenet_tcp_bind_netport_port(squid_t) ++') ++ + optional_policy(` + apache_content_template(squid) + +@@ -186,8 +202,3 @@ optional_policy(` udev_read_db(squid_t) ') @@ -25762,18 +25628,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.9/policy/modules/services/ssh.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.15/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2010-01-18 15:04:31.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/ssh.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ssh.fc 2010-03-18 10:44:43.000000000 -0400 @@ -14,3 +14,5 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.9/policy/modules/services/ssh.if ---- nsaserefpolicy/policy/modules/services/ssh.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/ssh.if 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.15/policy/modules/services/ssh.if +--- nsaserefpolicy/policy/modules/services/ssh.if 2010-02-18 14:06:31.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ssh.if 2010-03-18 10:44:43.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -25829,15 +25695,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dev_read_urand($1_ssh_t) -@@ -181,7 +180,7 @@ +@@ -181,9 +180,9 @@ type $1_var_run_t; files_pid_file($1_var_run_t) - allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; -+ allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; ++ allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec }; +- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; ++ allow $1_t self:process { signal getsched setsched setrlimit setexec }; allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + # ssh agent connections: @@ -206,6 +205,7 @@ kernel_read_kernel_sysctls($1_t) @@ -25859,7 +25728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. fs_dontaudit_getattr_all_fs($1_t) -@@ -234,9 +239,11 @@ +@@ -234,17 +239,19 @@ corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) @@ -25871,15 +25740,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. logging_search_logs($1_t) -@@ -244,6 +251,7 @@ + miscfiles_read_localization($1_t) +- userdom_create_all_users_keys($1_t) userdom_dontaudit_relabelfrom_user_ptys($1_t) userdom_search_user_home_dirs($1_t) + userdom_read_user_home_content_files($1_t) # Allow checking users mail at login mta_getattr_spool($1_t) -@@ -264,9 +272,12 @@ +@@ -265,9 +272,12 @@ optional_policy(` files_read_var_lib_symlinks($1_t) @@ -25893,7 +25763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## -@@ -387,6 +398,7 @@ +@@ -388,6 +398,7 @@ logging_send_syslog_msg($1_ssh_agent_t) miscfiles_read_localization($1_ssh_agent_t) @@ -25901,7 +25771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. seutil_dontaudit_read_config($1_ssh_agent_t) -@@ -394,6 +406,7 @@ +@@ -395,6 +406,7 @@ userdom_use_user_terminals($1_ssh_agent_t) # for the transition back to normal privs upon exec @@ -25909,7 +25779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. userdom_user_home_domtrans($1_ssh_agent_t, $3) allow $3 $1_ssh_agent_t:fd use; allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; -@@ -695,6 +708,27 @@ +@@ -696,6 +708,27 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -25937,9 +25807,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ####################################### ## ## Delete from the ssh temp files. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.9/policy/modules/services/ssh.te ---- nsaserefpolicy/policy/modules/services/ssh.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/ssh.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.15/policy/modules/services/ssh.te +--- nsaserefpolicy/policy/modules/services/ssh.te 2010-02-18 14:06:31.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ssh.te 2010-03-18 10:44:43.000000000 -0400 @@ -114,6 +114,7 @@ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) @@ -25992,11 +25862,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -@@ -291,23 +299,30 @@ - kernel_link_key(sshd_t) +@@ -292,22 +300,30 @@ term_use_all_ptys(sshd_t) --term_setattr_all_ptys(sshd_t) + term_setattr_all_ptys(sshd_t) +term_setattr_all_ttys(sshd_t) term_relabelto_all_ptys(sshd_t) @@ -26028,7 +25897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -315,7 +330,12 @@ +@@ -315,7 +331,12 @@ ') optional_policy(` @@ -26042,7 +25911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -323,6 +343,10 @@ +@@ -323,6 +344,10 @@ ') optional_policy(` @@ -26053,7 +25922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. rpm_use_script_fds(sshd_t) ') -@@ -333,10 +357,18 @@ +@@ -333,10 +358,18 @@ ') optional_policy(` @@ -26073,21 +25942,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.9/policy/modules/services/sssd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.15/policy/modules/services/sssd.fc --- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/sssd.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/sssd.fc 2010-03-18 10:44:43.000000000 -0400 @@ -4,6 +4,8 @@ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +-/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) + - /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) ++/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.9/policy/modules/services/sssd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.15/policy/modules/services/sssd.if --- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/sssd.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/sssd.if 2010-03-18 10:44:43.000000000 -0400 @@ -38,6 +38,25 @@ ######################################## @@ -26166,9 +26036,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd + + admin_pattern($1, sssd_public_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.9/policy/modules/services/sssd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.15/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/sssd.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/sssd.te 2010-03-18 10:44:43.000000000 -0400 @@ -13,6 +13,9 @@ type sssd_initrc_exec_t; init_script_file(sssd_initrc_exec_t) @@ -26196,7 +26066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -@@ -49,6 +55,9 @@ +@@ -49,12 +55,17 @@ dev_read_urand(sssd_t) @@ -26206,7 +26076,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd files_list_tmp(sssd_t) files_read_etc_files(sssd_t) files_read_usr_files(sssd_t) -@@ -66,6 +75,8 @@ + + fs_list_inotifyfs(sssd_t) + ++mls_file_read_to_clearance(sssd_t) ++ + auth_use_nsswitch(sssd_t) + auth_domtrans_chk_passwd(sssd_t) + auth_domtrans_upd_passwd(sssd_t) +@@ -66,6 +77,8 @@ miscfiles_read_localization(sssd_t) @@ -26215,9 +26093,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.9/policy/modules/services/sysstat.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.15/policy/modules/services/sysstat.te --- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/sysstat.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/sysstat.te 2010-03-18 10:44:43.000000000 -0400 @@ -19,14 +19,15 @@ # Local policy # @@ -26236,9 +26114,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) # get info from /proc -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.9/policy/modules/services/telnet.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.15/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/telnet.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/telnet.te 2010-03-18 10:44:43.000000000 -0400 @@ -85,6 +85,7 @@ remotelogin_domtrans(telnetd_t) @@ -26247,9 +26125,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln optional_policy(` kerberos_keytab_template(telnetd, telnetd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.9/policy/modules/services/tftp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.15/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/tftp.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/tftp.te 2010-03-18 10:44:43.000000000 -0400 @@ -50,9 +50,8 @@ manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) @@ -26261,45 +26139,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp corenet_all_recvfrom_unlabeled(tftpd_t) corenet_all_recvfrom_netlabel(tftpd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.9/policy/modules/services/tgtd.if ---- nsaserefpolicy/policy/modules/services/tgtd.if 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/tgtd.if 2010-02-16 15:08:37.000000000 -0500 -@@ -9,3 +9,20 @@ - ##

- ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.fc serefpolicy-3.7.15/policy/modules/services/tor.fc +--- nsaserefpolicy/policy/modules/services/tor.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/services/tor.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -5,5 +5,8 @@ + /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) -+##################################### -+## -+## Allow read and write access to tgtd semaphores. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`tgtd_rw_semaphores',` -+ gen_require(` -+ type tgtd_t; -+ ') + /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) ++/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) + -+ allow $1 tgtd_t:sem { rw_sem_perms }; -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.9/policy/modules/services/tgtd.te ---- nsaserefpolicy/policy/modules/services/tgtd.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/tgtd.te 2010-02-16 15:08:37.000000000 -0500 -@@ -60,7 +60,7 @@ - - files_read_etc_files(tgtd_t) - --storage_getattr_fixed_disk_dev(tgtd_t) -+storage_manage_fixed_disk(tgtd_t) - - logging_send_syslog_msg(tgtd_t) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.9/policy/modules/services/tor.te + /var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0) ++ + /var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.15/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/tor.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/tor.te 2010-03-18 10:44:43.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # @@ -26331,9 +26185,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. +tunable_policy(`tor_bind_all_unreserved_ports', ` + corenet_tcp_bind_all_unreserved_ports(tor_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.9/policy/modules/services/tuned.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.15/policy/modules/services/tuned.fc --- nsaserefpolicy/policy/modules/services/tuned.fc 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/tuned.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/tuned.fc 2010-03-18 10:44:43.000000000 -0400 @@ -2,4 +2,7 @@ /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) @@ -26342,9 +26196,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune +/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) + /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.9/policy/modules/services/tuned.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.15/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/tuned.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/tuned.te 2010-03-18 10:44:43.000000000 -0400 @@ -13,6 +13,9 @@ type tuned_initrc_exec_t; init_script_file(tuned_initrc_exec_t) @@ -26398,9 +26252,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune # to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.9/policy/modules/services/ucspitcp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.15/policy/modules/services/ucspitcp.te --- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/ucspitcp.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/ucspitcp.te 2010-03-18 10:44:43.000000000 -0400 @@ -92,3 +92,8 @@ daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) daemontools_read_svc(ucspitcp_t) @@ -26410,17 +26264,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp + daemontools_sigchld_run(ucspitcp_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.9/policy/modules/services/usbmuxd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.15/policy/modules/services/usbmuxd.fc --- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/usbmuxd.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/usbmuxd.fc 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,4 @@ + +/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) + +/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.9/policy/modules/services/usbmuxd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.15/policy/modules/services/usbmuxd.if --- nsaserefpolicy/policy/modules/services/usbmuxd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/usbmuxd.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/usbmuxd.if 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,39 @@ +## Daemon for communicating with Apple's iPod Touch and iPhone + @@ -26461,10 +26315,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm + files_search_pids($1) + stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.9/policy/modules/services/usbmuxd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.15/policy/modules/services/usbmuxd.te --- nsaserefpolicy/policy/modules/services/usbmuxd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/usbmuxd.te 2010-02-16 15:08:37.000000000 -0500 -@@ -0,0 +1,47 @@ ++++ serefpolicy-3.7.15/policy/modules/services/usbmuxd.te 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,50 @@ +policy_module(usbmuxd,1.0.0) + +######################################## @@ -26475,6 +26329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +type usbmuxd_t; +type usbmuxd_exec_t; +application_domain(usbmuxd_t, usbmuxd_exec_t) ++role system_r types usbmuxd_t; + +type usbmuxd_var_run_t; +files_pid_file(usbmuxd_var_run_t) @@ -26487,7 +26342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +# + +allow usbmuxd_t self:capability { kill setgid setuid }; -+allow usbmuxd_t self:process { fork }; ++allow usbmuxd_t self:process { fork signal signull }; + +# Init script handling +domain_use_interactive_fds(usbmuxd_t) @@ -26501,8 +26356,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) + ++kernel_read_kernel_sysctls(usbmuxd_t) +kernel_read_system_state(usbmuxd_t) + ++dev_read_sysfs(usbmuxd_t) +dev_rw_generic_usb_dev(usbmuxd_t) + +files_read_etc_files(usbmuxd_t) @@ -26512,16 +26369,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +auth_use_nsswitch(usbmuxd_t) + +logging_send_syslog_msg(usbmuxd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.9/policy/modules/services/uucp.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.15/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/uucp.te 2010-02-16 15:08:37.000000000 -0500 -@@ -1,5 +1,5 @@ - --policy_module(uucp, 1.10.1) -+policy_module(uucp, 1.10.0) - - ######################################## - # ++++ serefpolicy-3.7.15/policy/modules/services/uucp.te 2010-03-18 10:44:43.000000000 -0400 @@ -90,6 +90,7 @@ fs_getattr_xattr_fs(uucpd_t) @@ -26539,9 +26389,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp optional_policy(` cron_system_entry(uucpd_t, uucpd_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.9/policy/modules/services/vhostmd.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.7.15/policy/modules/services/varnishd.if +--- nsaserefpolicy/policy/modules/services/varnishd.if 2009-07-23 14:11:04.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/services/varnishd.if 2010-03-18 10:44:43.000000000 -0400 +@@ -56,6 +56,25 @@ + read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) + ') + ++##################################### ++## ++## Read varnish lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`varnishd_read_lib_files',` ++ gen_require(` ++ type varnishd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) ++') ++ + ####################################### + ## + ## Read varnish logs. +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.15/policy/modules/services/vhostmd.fc --- nsaserefpolicy/policy/modules/services/vhostmd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/vhostmd.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/vhostmd.fc 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,6 @@ + +/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0) @@ -26549,9 +26428,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos +/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0) +/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.9/policy/modules/services/vhostmd.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.15/policy/modules/services/vhostmd.if --- nsaserefpolicy/policy/modules/services/vhostmd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/vhostmd.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/vhostmd.if 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,228 @@ + +## policy for vhostmd @@ -26781,9 +26660,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos + vhostmd_manage_var_run($1) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.9/policy/modules/services/vhostmd.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.15/policy/modules/services/vhostmd.te --- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/vhostmd.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/vhostmd.te 2010-03-18 10:44:43.000000000 -0400 @@ -0,0 +1,84 @@ + +policy_module(vhostmd,1.0.0) @@ -26869,9 +26748,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos + xen_stream_connect_xenstore(vhostmd_t) + xen_stream_connect_xm(vhostmd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.9/policy/modules/services/virt.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.15/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/virt.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/virt.fc 2010-03-18 10:44:43.000000000 -0400 @@ -8,6 +8,10 @@ /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) @@ -26883,19 +26762,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.9/policy/modules/services/virt.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.15/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/virt.if 2010-02-16 15:08:37.000000000 -0500 -@@ -22,6 +22,8 @@ ++++ serefpolicy-3.7.15/policy/modules/services/virt.if 2010-03-18 10:44:43.000000000 -0400 +@@ -22,6 +22,11 @@ domain_type($1_t) role system_r types $1_t; ++ type $1_devpts_t; ++ term_pty($1_devpts_t) ++ + domain_user_exemption_target($1_t) + type $1_tmp_t; files_tmp_file($1_tmp_t) -@@ -62,6 +64,9 @@ +@@ -31,10 +36,14 @@ + type $1_image_t, virt_image_type; + files_type($1_image_t) + dev_node($1_image_t) ++ dev_associate_sysfs($1_image_t) + + type $1_var_run_t; + files_pid_file($1_var_run_t) + ++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; ++ term_create_pty($1_t, $1_devpts_t) ++ + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) + manage_files_pattern($1_t, $1_image_t, $1_image_t) + read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) +@@ -62,6 +71,9 @@ files_pid_filetrans($1_t, $1_var_run_t, { dir file }) stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t) @@ -26905,7 +26802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -293,6 +298,7 @@ +@@ -293,6 +305,7 @@ files_search_var_lib($1) read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) @@ -26913,7 +26810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -505,3 +511,32 @@ +@@ -505,3 +518,32 @@ virt_manage_log($1) ') @@ -26946,9 +26843,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + ptchown_run(svirt_t, $2) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.9/policy/modules/services/virt.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.15/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/virt.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/virt.te 2010-03-18 10:44:43.000000000 -0400 @@ -15,6 +15,13 @@ ## @@ -27117,7 +27014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) -@@ -410,11 +447,17 @@ +@@ -410,11 +447,21 @@ files_read_etc_files(virt_domain) files_read_usr_files(virt_domain) files_read_var_files(virt_domain) @@ -27127,6 +27024,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) ++# I think we need these for now. ++miscfiles_read_public_files(virt_domain) ++storage_raw_read_removable_device(virt_domain) ++ +term_use_all_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) @@ -27135,9 +27036,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt auth_use_nsswitch(virt_domain) logging_send_syslog_msg(virt_domain) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.9/policy/modules/services/w3c.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.15/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/w3c.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/w3c.te 2010-03-18 10:44:43.000000000 -0400 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) @@ -27157,9 +27058,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.9/policy/modules/services/xserver.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.15/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/xserver.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/xserver.fc 2010-03-18 10:44:43.000000000 -0400 @@ -3,12 +3,21 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -27194,7 +27095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # # /opt # -@@ -47,21 +51,22 @@ +@@ -47,21 +51,23 @@ # /tmp # @@ -27204,14 +27105,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.X11-unix/.* -s <> +/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) ++/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) # # /usr # /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/bin/lxdm gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/bin/lxdm-binary gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/(s)?bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/(s)?bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) @@ -27221,7 +27123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,17 +94,42 @@ +@@ -89,17 +95,42 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -27267,10 +27169,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.9/policy/modules/services/xserver.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.15/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/xserver.if 2010-02-16 15:08:37.000000000 -0500 -@@ -19,7 +19,7 @@ ++++ serefpolicy-3.7.15/policy/modules/services/xserver.if 2010-03-18 10:44:43.000000000 -0400 +@@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; @@ -27278,8 +27180,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t; type iceauth_t, iceauth_exec_t, iceauth_home_t; type xauth_t, xauth_exec_t, xauth_home_t; ++ class dbus send_msg; ') -@@ -31,7 +31,7 @@ + + role $1 types { xserver_t xauth_t iceauth_t }; +@@ -31,7 +32,7 @@ allow xserver_t $2:shm rw_shm_perms; domtrans_pattern($2, xserver_exec_t, xserver_t) @@ -27288,7 +27193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t $2:shm rw_shm_perms; -@@ -45,6 +45,7 @@ +@@ -45,6 +46,7 @@ manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -27296,21 +27201,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_search_tmp($2) # Communicate via System V shared memory. -@@ -56,6 +57,13 @@ +@@ -56,6 +58,10 @@ domtrans_pattern($2, iceauth_exec_t, iceauth_t) +ifdef(`hide_broken_symptoms', ` -+ dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms; -+ dontaudit iceauth_t $2:tcp_socket rw_socket_perms; -+ dontaudit iceauth_t $2:udp_socket rw_socket_perms; -+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t) ++ dontaudit iceauth_t $2:socket_class_set { read write }; +') + allow $2 iceauth_home_t:file read_file_perms; domtrans_pattern($2, xauth_exec_t, xauth_t) -@@ -71,9 +79,10 @@ +@@ -71,9 +77,13 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; @@ -27319,10 +27221,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; + dontaudit $2 xdm_tmp_t:dir setattr; ++ ++ allow $2 xdm_t:dbus send_msg; ++ allow xdm_t $2:dbus send_msg; # Client read xserver shm allow $2 xserver_t:fd use; -@@ -94,9 +103,9 @@ +@@ -94,9 +104,9 @@ dev_rw_usbfs($2) miscfiles_read_fonts($2) @@ -27333,7 +27238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -197,7 +206,7 @@ +@@ -197,7 +207,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -27342,7 +27247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $1 xserver_t:fd use; -@@ -291,12 +300,12 @@ +@@ -291,12 +301,12 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -27358,7 +27263,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -476,6 +485,7 @@ +@@ -355,6 +365,11 @@ + class x_property all_x_property_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; ++ class x_client destroy; ++ class x_server manage; ++ class x_pointer manage; ++ class x_keyboard { read manage }; ++ type xdm_t, xserver_t; + ') + + ############################## +@@ -386,6 +401,14 @@ + allow $2 xevent_t:{ x_event x_synthetic_event } receive; + # dont audit send failures + dontaudit $2 input_xevent_type:x_event send; ++ ++ allow $2 xdm_t:x_drawable { read add_child }; ++ allow $2 xdm_t:x_client destroy; ++ ++ allow $2 root_xdrawable_t:x_drawable write; ++ allow $2 xserver_t:x_server manage; ++ allow $2 xserver_t:x_pointer manage; ++ allow $2 xserver_t:x_keyboard { read manage }; + ') + + ####################################### +@@ -476,6 +499,7 @@ xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) @@ -27366,20 +27298,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X object manager xserver_object_types_template($1) -@@ -545,6 +555,12 @@ +@@ -545,6 +569,9 @@ ') domtrans_pattern($1, xauth_exec_t, xauth_t) +ifdef(`hide_broken_symptoms', ` -+ dontaudit xauth_t $1:unix_stream_socket rw_socket_perms; -+ dontaudit xauth_t $1:tcp_socket rw_socket_perms; -+ dontaudit xauth_t $1:udp_socket rw_socket_perms; -+ fs_dontaudit_rw_anon_inodefs_files(xauth_t) ++ dontaudit xauth_t $1:socket_class_set { read write }; +') ') ######################################## -@@ -598,6 +614,7 @@ +@@ -598,6 +625,7 @@ allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -27387,7 +27316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -805,7 +822,7 @@ +@@ -805,7 +833,7 @@ ') files_search_pids($1) @@ -27396,7 +27325,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1250,3 +1267,329 @@ +@@ -1224,9 +1252,20 @@ + class x_device all_x_device_perms; + class x_pointer all_x_pointer_perms; + class x_keyboard all_x_keyboard_perms; ++ class x_screen all_x_screen_perms; ++ class x_drawable { manage }; ++ type root_xdrawable_t; ++ attribute x_domain; ++ class x_drawable { read manage setattr show }; ++ class x_resource { write read }; + ') + + allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; ++ allow $1 xserver_t:{ x_screen } setattr; ++ ++ allow $1 x_domain:x_drawable { read manage setattr show }; ++ allow $1 x_domain:x_resource { write read }; ++ allow $1 root_xdrawable_t:x_drawable manage; + ') + + ######################################## +@@ -1250,3 +1289,329 @@ typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') @@ -27726,9 +27676,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.9/policy/modules/services/xserver.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.15/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/services/xserver.te 2010-02-16 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/xserver.te 2010-03-18 10:44:43.000000000 -0400 @@ -36,6 +36,13 @@ ## @@ -27892,7 +27842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -250,30 +283,57 @@ +@@ -250,30 +283,58 @@ fs_manage_cifs_files(iceauth_t) ') @@ -27901,6 +27851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + dev_dontaudit_rw_dri(iceauth_t) + dev_dontaudit_rw_generic_dev_nodes(iceauth_t) + fs_list_inotifyfs(iceauth_t) ++ fs_dontaudit_rw_anon_inodefs_files(iceauth_t) + term_dontaudit_use_unallocated_ttys(iceauth_t) + + optional_policy(` @@ -27953,13 +27904,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -283,17 +343,35 @@ +@@ -283,17 +344,36 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) +userdom_read_all_users_state(xauth_t) + +ifdef(`hide_broken_symptoms', ` ++ fs_dontaudit_rw_anon_inodefs_files(xauth_t) + userdom_manage_user_home_content_files(xauth_t) + userdom_manage_user_tmp_files(xauth_t) + dev_dontaudit_rw_generic_dev_nodes(xauth_t) @@ -27989,7 +27941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -305,20 +383,31 @@ +@@ -305,20 +385,31 @@ # XDM Local policy # @@ -28024,10 +27976,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -334,24 +423,42 @@ +@@ -332,26 +423,45 @@ + + manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) ++manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) - files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) +-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) ++files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file }) +relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) @@ -28071,7 +28027,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -363,6 +470,7 @@ +@@ -359,10 +469,13 @@ + + # transition to the xdm xserver + domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) ++ ++ps_process_pattern(xserver_t, xdm_t) + allow xserver_t xdm_t:process signal; allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -28079,7 +28041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,10 +479,14 @@ +@@ -371,10 +484,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -28095,7 +28057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -394,11 +506,13 @@ +@@ -394,11 +511,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -28109,7 +28071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +520,7 @@ +@@ -406,6 +525,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -28117,7 +28079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +529,21 @@ +@@ -414,18 +534,21 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -28142,7 +28104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +554,15 @@ +@@ -436,9 +559,15 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -28158,15 +28120,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,6 +571,7 @@ +@@ -447,14 +576,19 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) +storage_dontaudit_rw_fuse(xdm_t) term_setattr_console(xdm_t) ++term_use_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -455,6 +580,7 @@ + term_setattr_unallocated_ttys(xdm_t) ++term_relabel_all_ttys(xdm_t) ++term_relabel_unallocated_ttys(xdm_t) + auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -28174,7 +28140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +591,12 @@ +@@ -465,10 +599,12 @@ logging_read_generic_logs(xdm_t) @@ -28189,7 +28155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +605,11 @@ +@@ -477,6 +613,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -28201,7 +28167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -509,10 +642,12 @@ +@@ -509,10 +650,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -28214,7 +28180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +655,49 @@ +@@ -520,12 +663,50 @@ ') optional_policy(` @@ -28258,13 +28224,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` + gnome_read_gconf_config(xdm_t) + gnome_read_config(xdm_t) ++ gnome_append_gconf_home_files(xdm_t) +') + +optional_policy(` hostname_exec(xdm_t) ') -@@ -543,9 +715,43 @@ +@@ -543,20 +724,59 @@ ') optional_policy(` @@ -28308,7 +28275,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` seutil_sigchld_newrole(xdm_t) ') -@@ -555,8 +761,9 @@ + + optional_policy(` ++ shutdown_domtrans(xdm_t) ++') ++ ++optional_policy(` + udev_read_db(xdm_t) ') optional_policy(` @@ -28320,7 +28293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +772,6 @@ +@@ -565,7 +785,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -28328,7 +28301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +782,10 @@ +@@ -576,6 +795,10 @@ ') optional_policy(` @@ -28339,7 +28312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +810,9 @@ +@@ -600,10 +823,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -28351,7 +28324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +824,18 @@ +@@ -615,6 +837,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -28370,7 +28343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +855,19 @@ +@@ -634,12 +868,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -28392,7 +28365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +901,6 @@ +@@ -673,7 +914,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -28400,7 +28373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +910,12 @@ +@@ -683,9 +923,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -28414,7 +28387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +930,12 @@ +@@ -700,8 +943,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -28424,10 +28397,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +mls_process_write_to_clearance(xserver_t) +mls_file_read_to_clearance(xserver_t) +mls_file_write_all_levels(xserver_t) ++mls_file_upgrade(xserver_t) selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,6 +957,7 @@ +@@ -723,11 +971,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -28435,7 +28409,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser modutils_domtrans_insmod(xserver_t) -@@ -779,12 +1014,20 @@ + # read x_contexts + seutil_read_default_contexts(xserver_t) ++seutil_read_config(xserver_t) ++seutil_read_file_contexts(xserver_t) + + userdom_search_user_home_dirs(xserver_t) + userdom_use_user_ttys(xserver_t) +@@ -779,12 +1030,24 @@ ') optional_policy(` @@ -28453,11 +28434,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') + +optional_policy(` ++ udev_read_db(xserver_t) ++') ++ ++optional_policy(` + unconfined_domain(xserver_t) unconfined_domtrans(xserver_t) ') -@@ -811,7 +1054,7 @@ +@@ -811,7 +1074,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -28466,7 +28451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1075,14 @@ +@@ -832,9 +1095,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -28481,7 +28466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1097,14 @@ +@@ -849,11 +1117,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -28498,7 +28483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1250,33 @@ +@@ -999,3 +1270,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -28532,9 +28517,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files(xdmhomewriter) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.9/policy/modules/services/zebra.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.15/policy/modules/services/zebra.if --- nsaserefpolicy/policy/modules/services/zebra.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/services/zebra.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/services/zebra.if 2010-03-18 10:44:43.000000000 -0400 @@ -24,6 +24,26 @@ ######################################## @@ -28562,9 +28547,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr ## All of the rules required to administrate ## an zebra environment ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.9/policy/modules/system/application.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.15/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/application.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/application.te 2010-03-18 10:44:43.000000000 -0400 @@ -7,6 +7,17 @@ # Executables to be run by user attribute application_exec_type; @@ -28583,16 +28568,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.9/policy/modules/system/authlogin.fc ---- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/authlogin.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -7,12 +7,10 @@ - /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) - /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) - --/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0) --/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0) -- +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.15/policy/modules/system/authlogin.fc +--- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-03-18 10:35:11.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/authlogin.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -10,6 +10,7 @@ /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) @@ -28600,74 +28579,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ifdef(`distro_suse', ` -@@ -42,6 +40,9 @@ - /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) - - /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) -- - /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+ - /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -+/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.9/policy/modules/system/authlogin.if ---- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/authlogin.if 2010-02-16 15:08:37.000000000 -0500 -@@ -40,17 +40,76 @@ - ## - ## - # -+interface(`auth_use_pam',` -+ -+ # for SSP/ProPolice -+ dev_read_urand($1) -+ # for encrypted homedir -+ dev_read_sysfs($1) -+ -+ auth_domtrans_chk_passwd($1) -+ auth_domtrans_upd_passwd($1) -+ auth_dontaudit_read_shadow($1) -+ auth_read_login_records($1) -+ auth_append_login_records($1) -+ auth_rw_lastlog($1) -+ auth_rw_faillog($1) -+ auth_exec_pam($1) -+ auth_use_nsswitch($1) -+ -+ logging_send_audit_msgs($1) -+ logging_send_syslog_msg($1) -+ -+ optional_policy(` -+ dbus_system_bus_client($1) -+ optional_policy(` -+ consolekit_dbus_chat($1) -+ ') -+ ') -+ -+ optional_policy(` -+ kerberos_manage_host_rcache($1) -+ kerberos_read_config($1) -+ ') -+ -+ optional_policy(` -+ nis_authenticate($1) -+ ') -+') -+ -+######################################## -+## -+## Make the specified domain used for a login program. -+## -+## -+## -+## Domain type used for a login program domain. -+## -+## -+# - interface(`auth_login_pgm_domain',` - gen_require(` - type var_auth_t, auth_cache_t; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.15/policy/modules/system/authlogin.if +--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-18 10:35:11.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/authlogin.if 2010-03-18 10:52:29.000000000 -0400 +@@ -94,6 +94,8 @@ ') domain_type($1) @@ -28676,58 +28591,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) - role system_r types $1; - -+ # Needed for pam_selinux_permit to cleanup properly -+ domain_read_all_domains_state($1) -+ domain_kill_all_domains($1) -+ -+ # pam_keyring -+ allow $1 self:capability ipc_lock; -+ allow $1 self:process setkeycreate; -+ allow $1 self:key manage_key_perms; +@@ -107,6 +109,7 @@ + allow $1 self:capability ipc_lock; + allow $1 self:process setkeycreate; + allow $1 self:key manage_key_perms; + userdom_manage_all_users_keys($1) -+ + files_list_var_lib($1) manage_files_pattern($1, var_auth_t, var_auth_t) - -@@ -62,8 +121,6 @@ - manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) - files_var_filetrans($1, auth_cache_t, dir) - -- # for SSP/ProPolice -- dev_read_urand($1) - # for fingerprint readers - dev_rw_input_dev($1) - dev_rw_generic_usb_dev($1) -@@ -86,27 +143,45 @@ +@@ -141,6 +144,7 @@ mls_process_set_level($1) mls_fd_share_all_levels($1) -- auth_domtrans_chk_passwd($1) -- auth_domtrans_upd_passwd($1) -- auth_dontaudit_read_shadow($1) -- auth_read_login_records($1) -- auth_append_login_records($1) -- auth_rw_lastlog($1) -- auth_rw_faillog($1) -- auth_exec_pam($1) -- auth_use_nsswitch($1) + auth_manage_pam_pid($1) -+ auth_use_pam($1) + auth_use_pam($1) init_rw_utmp($1) - -- logging_send_audit_msgs($1) -- logging_send_syslog_msg($1) - logging_set_loginuid($1) -+ logging_set_tty_audit($1) - +@@ -151,6 +155,36 @@ seutil_read_config($1) seutil_read_default_contexts($1) -- tunable_policy(`allow_polyinstantiation',` -- files_polyinstantiate_all($1) + userdom_set_rlimitnh($1) + userdom_read_user_home_content_symlinks($1) + userdom_delete_user_tmp_files($1) @@ -28756,157 +28639,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + ssh_agent_exec($1) + ssh_read_user_home_files($1) + userdom_read_user_home_content_files($1) - ') - ') - -@@ -258,6 +333,7 @@ - type auth_cache_t; - ') - -+ manage_dirs_pattern($1, auth_cache_t, auth_cache_t) - manage_files_pattern($1, auth_cache_t, auth_cache_t) - ') - -@@ -305,29 +381,50 @@ - dev_read_rand($1) - dev_read_urand($1) - -+ auth_use_nsswitch($1) -+ auth_rw_faillog($1) ++ ') + - logging_send_audit_msgs($1) - - miscfiles_read_certs($1) - -- sysnet_dns_name_resolve($1) -- sysnet_use_ldap($1) -- - optional_policy(` -- kerberos_use($1) -+ kerberos_read_keytab($1) -+ kerberos_connect_524($1) + tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all($1) ') - - optional_policy(` -- nis_use_ypbind($1) -- ') -- -- optional_policy(` -- pcscd_read_pub_files($1) -+ pcscd_manage_pub_files($1) -+ pcscd_manage_pub_pipes($1) - pcscd_stream_connect($1) +@@ -365,13 +399,15 @@ ') optional_policy(` - samba_stream_connect_winbind($1) - ') -+ auth_domtrans_upd_passwd($1) -+') -+ -+######################################## -+## -+## Run unix_chkpwd to check a password. -+## Stripped down version to be called within boolean -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_domtrans_chkpwd',` -+ gen_require(` -+ type chkpwd_t, chkpwd_exec_t, shadow_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) -+ dontaudit $1 shadow_t:file { getattr read }; -+ auth_domtrans_upd_passwd($1) - ') - - ######################################## -@@ -352,6 +449,7 @@ - - auth_domtrans_chk_passwd($1) - role $2 types chkpwd_t; -+ auth_run_upd_passwd($1, $2) - ') - - ######################################## -@@ -1129,6 +1227,32 @@ - - ######################################## - ## -+## rw all files on the filesystem, except -+## the shadow passwords and listed exceptions. -+## -+## -+## -+## The type of the domain perfoming this action. -+## -+## -+## -+## -+## The types to be excluded. Each type or attribute -+## must be negated by the caller. -+## -+## -+# -+ -+interface(`auth_rw_all_files_except_shadow',` -+ gen_require(` -+ type shadow_t; -+ ') -+ -+ files_rw_all_files($1,$2 -shadow_t) -+') -+ -+######################################## -+## - ## Manage all files on the filesystem, except - ## the shadow passwords and listed exceptions. - ## -@@ -1254,6 +1378,25 @@ - - ######################################## - ## -+## dontaudit read login records files (/var/log/wtmp). -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`auth_dontaudit_read_login_records',` -+ gen_require(` -+ type wtmp_t; -+ ') -+ -+ dontaudit $1 wtmp_t:file read_file_perms; -+') -+ -+######################################## -+## - ## Do not audit attempts to write to - ## login records files. - ## -@@ -1395,16 +1538,33 @@ +- pcscd_read_pub_files($1) ++ pcscd_manage_pub_files($1) ++ pcscd_manage_pub_pipes($1) + pcscd_stream_connect($1) ') optional_policy(` -+ ldap_stream_connect($1) -+ ') -+ -+ optional_policy(` -+ kerberos_use($1) -+ ') + samba_stream_connect_winbind($1) + ') ++ auth_domtrans_upd_passwd($1) + ') + + ######################################## +@@ -418,6 +454,7 @@ + + auth_domtrans_chk_passwd($1) + role $2 types chkpwd_t; ++ auth_run_upd_passwd($1, $2) + ') + + ######################################## +@@ -1500,6 +1537,8 @@ + # + interface(`auth_use_nsswitch',` + ++ allow $1 self:netlink_route_socket r_netlink_socket_perms; + -+ optional_policy(` - nis_use_ypbind($1) + files_list_var_lib($1) + + # read /etc/nsswitch.conf +@@ -1531,7 +1570,15 @@ ') optional_policy(` @@ -28923,48 +28695,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` - samba_stream_connect_winbind($1) - samba_read_var_files($1) -+ samba_dontaudit_write_var_files($1) - ') - ') - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.9/policy/modules/system/authlogin.te ---- nsaserefpolicy/policy/modules/system/authlogin.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/authlogin.te 2010-02-16 15:08:37.000000000 -0500 -@@ -103,8 +103,10 @@ - - fs_dontaudit_getattr_xattr_fs(chkpwd_t) - -+term_dontaudit_use_console(chkpwd_t) - term_dontaudit_use_unallocated_ttys(chkpwd_t) - term_dontaudit_use_generic_ptys(chkpwd_t) -+term_dontaudit_use_all_ptys(chkpwd_t) - - auth_use_nsswitch(chkpwd_t) - -@@ -125,9 +127,18 @@ - ') - - optional_policy(` -+ # apache leaks file descriptors -+ apache_dontaudit_rw_tcp_sockets(chkpwd_t) -+') -+ -+optional_policy(` - kerberos_use(chkpwd_t) - ') - -+optional_policy(` -+ nis_authenticate(chkpwd_t) -+') -+ - ######################################## - # - # PAM local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.9/policy/modules/system/daemontools.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.15/policy/modules/system/daemontools.if --- nsaserefpolicy/policy/modules/system/daemontools.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/daemontools.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/daemontools.if 2010-03-18 10:44:43.000000000 -0400 @@ -71,6 +71,32 @@ domtrans_pattern($1, svc_start_exec_t, svc_start_t) ') @@ -29045,9 +28778,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon + + allow $1 svc_run_t:process sigchld; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.9/policy/modules/system/daemontools.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.15/policy/modules/system/daemontools.te --- nsaserefpolicy/policy/modules/system/daemontools.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/daemontools.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/daemontools.te 2010-03-18 10:44:43.000000000 -0400 @@ -39,7 +39,10 @@ # multilog creates /service/*/log/status manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) @@ -29120,19 +28853,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon + daemontools_domtrans_run(svc_start_t) daemontools_manage_svc(svc_start_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.9/policy/modules/system/fstools.fc ---- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/fstools.fc 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.15/policy/modules/system/fstools.fc +--- nsaserefpolicy/policy/modules/system/fstools.fc 2010-03-09 15:39:06.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/fstools.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -19,10 +18,10 @@ - /sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - /sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -+/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -23,7 +22,6 @@ /sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -29140,9 +28869,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.9/policy/modules/system/fstools.te ---- nsaserefpolicy/policy/modules/system/fstools.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/fstools.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.15/policy/modules/system/fstools.te +--- nsaserefpolicy/policy/modules/system/fstools.te 2010-03-09 15:39:06.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/fstools.te 2010-03-18 10:44:43.000000000 -0400 @@ -118,6 +118,8 @@ fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) @@ -29152,19 +28881,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -148,8 +150,7 @@ +@@ -148,7 +150,7 @@ seutil_read_config(fsadm_t) -userdom_use_user_terminals(fsadm_t) --userdom_use_unpriv_users_fds(fsadm_t) +term_use_all_terms(fsadm_t) ifdef(`distro_redhat',` optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.9/policy/modules/system/getty.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.15/policy/modules/system/getty.te --- nsaserefpolicy/policy/modules/system/getty.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/getty.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/getty.te 2010-03-18 10:44:43.000000000 -0400 @@ -56,11 +56,10 @@ manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) files_pid_filetrans(getty_t, getty_var_run_t, file) @@ -29180,9 +28908,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty. dev_read_sysfs(getty_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.9/policy/modules/system/hostname.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.15/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/hostname.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/hostname.te 2010-03-18 10:44:43.000000000 -0400 @@ -27,15 +27,18 @@ dev_read_sysfs(hostname_t) @@ -29202,36 +28930,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.9/policy/modules/system/hotplug.te ---- nsaserefpolicy/policy/modules/system/hotplug.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/hotplug.te 2010-02-16 15:08:37.000000000 -0500 -@@ -125,6 +125,10 @@ - ') - - optional_policy(` -+ brctl_domtrans(hotplug_t) -+') -+ -+optional_policy(` - consoletype_exec(hotplug_t) - ') - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.9/policy/modules/system/init.fc ---- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/init.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -4,10 +4,10 @@ - /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - - /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) --/etc/rc\.d/rc\.sysinit -- gen_context(system_u:object_r:initrc_exec_t,s0) --/etc/rc\.d/rc\.local -- gen_context(system_u:object_r:initrc_exec_t,s0) -+/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) - - /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) -+/etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0) - - /etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0) - +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.15/policy/modules/system/init.fc +--- nsaserefpolicy/policy/modules/system/init.fc 2010-03-18 10:35:11.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/init.fc 2010-03-18 10:44:43.000000000 -0400 @@ -44,6 +44,9 @@ /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -29242,10 +28943,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # # /var -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.9/policy/modules/system/init.if ---- nsaserefpolicy/policy/modules/system/init.if 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/init.if 2010-02-16 15:08:37.000000000 -0500 -@@ -162,8 +162,10 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.15/policy/modules/system/init.if +--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/init.if 2010-03-18 10:56:08.000000000 -0400 +@@ -193,8 +193,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; @@ -29256,7 +28957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') typeattribute $1 daemon; -@@ -174,6 +176,15 @@ +@@ -205,6 +207,15 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -29272,7 +28973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i # daemons started from init will # inherit fds from init for the console -@@ -233,7 +244,7 @@ +@@ -285,7 +296,7 @@ type initrc_t; ') @@ -29281,7 +28982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; -@@ -265,6 +276,7 @@ +@@ -338,6 +349,7 @@ gen_require(` type initrc_t; role system_r; @@ -29289,7 +28990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') application_domain($1,$2) -@@ -272,6 +284,9 @@ +@@ -345,6 +357,9 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -29299,7 +29000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -280,6 +295,36 @@ +@@ -353,6 +368,36 @@ kernel_dontaudit_use_fds($1) ') ') @@ -29336,17 +29037,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -546,7 +591,8 @@ +@@ -681,7 +726,9 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 init_t:unix_dgram_socket sendto; ++ allow $1 init_t:unix_stream_socket sendto; + allow $1 init_t:unix_stream_socket connectto; + init_chat($1) ') ') -@@ -619,18 +665,19 @@ +@@ -754,18 +801,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -29370,7 +29072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -646,19 +693,39 @@ +@@ -781,23 +829,43 @@ # interface(`init_domtrans_script',` gen_require(` @@ -29391,11 +29093,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -29408,13 +29110,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## -@@ -714,8 +781,10 @@ ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -849,8 +917,10 @@ interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -29425,67 +29131,63 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -923,6 +992,24 @@ - allow $1 init_script_file_type:file read_file_perms; - ') +@@ -1444,7 +1514,7 @@ -+####################################### -+## -+## Dontaudit read all init script files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dontaudit_init_read_all_script_files',` -+ gen_require(` -+ attribute init_script_file_type; -+ ') -+ -+ dontaudit $1 init_script_file_type:file read_file_perms; -+') -+ ######################################## ## - ## Execute all init scripts in the caller domain. -@@ -1142,7 +1229,7 @@ - type initrc_t; +-## Read init script temporary data. ++## Read and write init script temporary data. + ## + ## + ## +@@ -1452,18 +1522,18 @@ + ## + ## + # +-interface(`init_read_script_tmp_files',` ++interface(`init_rw_script_tmp_files',` + gen_require(` + type initrc_tmp_t; ') -- allow $1 initrc_t:unix_stream_socket { read write }; -+ allow $1 initrc_t:unix_stream_socket rw_socket_perms; + files_search_tmp($1) +- read_files_pattern($1, initrc_tmp_t, initrc_tmp_t) ++ rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t) ') ######################################## -@@ -1310,6 +1397,25 @@ - - ######################################## ## +-## Read and write init script temporary data. +## Read init script temporary data. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1471,13 +1541,13 @@ + ## + ## + # +-interface(`init_rw_script_tmp_files',` +interface(`init_read_script_tmp_files',` -+ gen_require(` -+ type initrc_tmp_t; -+ ') -+ -+ files_search_tmp($1) + gen_require(` + type initrc_tmp_t; + ') + + files_search_tmp($1) +- rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t) + read_files_pattern($1, initrc_tmp_t, initrc_tmp_t) -+') -+ -+######################################## -+## - ## Create files in a init script - ## temporary data directory. - ## -@@ -1540,3 +1646,76 @@ + ') + + ######################################## +@@ -1637,7 +1707,7 @@ + type initrc_var_run_t; + ') + +- dontaudit $1 initrc_var_run_t:file { getattr read write append lock }; ++ dontaudit $1 initrc_var_run_t:file { getattr read write append }; + ') + + ######################################## +@@ -1712,3 +1782,76 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -29562,9 +29264,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + init_dontaudit_use_script_fds($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.9/policy/modules/system/init.te ---- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/init.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.15/policy/modules/system/init.te +--- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/init.te 2010-03-18 10:44:43.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -29631,15 +29333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; -@@ -140,6 +158,7 @@ - files_dontaudit_rw_root_files(init_t) - files_dontaudit_rw_root_chr_files(init_t) - -+fs_list_inotifyfs(init_t) - # cjp: this may be related to /dev/log - fs_write_ramfs_sockets(init_t) - -@@ -167,11 +186,14 @@ +@@ -169,6 +187,8 @@ miscfiles_read_localization(init_t) @@ -29648,13 +29342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') - - ifdef(`distro_redhat',` -+ fs_read_tmpfs_symlinks(init_t) - fs_rw_tmpfs_chr_files(init_t) - fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) - ') -@@ -189,10 +211,31 @@ +@@ -192,10 +212,23 @@ ') optional_policy(` @@ -29663,10 +29351,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + +optional_policy(` + dbus_connect_system_bus(init_t) -+ dbus_system_bus_client(init_t) -+') -+ -+optional_policy(` + dbus_system_bus_client(init_t) + ') + + optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. @@ -29678,15 +29366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t nscd_socket_use(init_t) ') - optional_policy(` -+ sssd_stream_connect(init_t) -+') -+ -+optional_policy(` - unconfined_domain(init_t) - ') - -@@ -202,9 +245,10 @@ +@@ -213,7 +246,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -29694,36 +29374,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; -+allow initrc_t self:key manage_key_perms; - - # Allow IPC with self - allow initrc_t self:unix_dgram_socket create_socket_perms; -@@ -217,7 +261,8 @@ - term_create_pty(initrc_t, initrc_devpts_t) + allow initrc_t self:key manage_key_perms; +@@ -230,6 +263,7 @@ # Going to single user mode --init_exec(initrc_t) -+init_telinit(initrc_t) + init_telinit(initrc_t) +init_chat(initrc_t) can_exec(initrc_t, init_script_file_type) -@@ -230,10 +275,12 @@ +@@ -242,6 +276,7 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) +files_manage_generic_pids_symlinks(initrc_t) can_exec(initrc_t, initrc_tmp_t) --allow initrc_t initrc_tmp_t:file manage_file_perms; --allow initrc_t initrc_tmp_t:dir manage_dir_perms; -+manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -+manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -+manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) - files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) - - init_write_initctl(initrc_t) -@@ -246,13 +293,19 @@ + manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) +@@ -259,13 +294,19 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -29745,38 +29413,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -@@ -267,21 +320,29 @@ - - dev_read_rand(initrc_t) - dev_read_urand(initrc_t) -+dev_write_kmsg(initrc_t) - dev_write_rand(initrc_t) - dev_write_urand(initrc_t) - dev_rw_sysfs(initrc_t) - dev_list_usbfs(initrc_t) - dev_read_framebuffer(initrc_t) -+dev_write_framebuffer(initrc_t) - dev_read_realtime_clock(initrc_t) - dev_read_sound_mixer(initrc_t) - dev_write_sound_mixer(initrc_t) +@@ -293,12 +334,14 @@ dev_setattr_all_chr_files(initrc_t) --dev_read_lvm_control(initrc_t) -+dev_rw_lvm_control(initrc_t) + dev_rw_lvm_control(initrc_t) dev_delete_lvm_control_dev(initrc_t) +dev_delete_null(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) # Wants to remove udev.tbl: dev_delete_generic_symlinks(initrc_t) -+dev_getattr_all_blk_files(initrc_t) -+dev_getattr_all_chr_files(initrc_t) + dev_getattr_all_blk_files(initrc_t) + dev_getattr_all_chr_files(initrc_t) +dev_rw_xserver_misc(initrc_t) -+ -+corecmd_exec_all_executables(initrc_t) - domain_kill_all_domains(initrc_t) - domain_signal_all_domains(initrc_t) -@@ -291,7 +352,7 @@ + corecmd_exec_all_executables(initrc_t) + +@@ -310,7 +353,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -29785,7 +29437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -306,14 +367,15 @@ +@@ -325,8 +368,10 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -29797,24 +29449,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) - files_manage_etc_runtime_files(initrc_t) - files_etc_filetrans_etc_runtime(initrc_t, file) --files_manage_generic_locks(initrc_t) - files_exec_etc_files(initrc_t) - files_read_usr_files(initrc_t) - files_manage_urandom_seed(initrc_t) -@@ -324,7 +386,10 @@ +@@ -342,6 +387,8 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) +files_manage_mnt_dirs(initrc_t) +files_manage_mnt_files(initrc_t) -+fs_list_inotifyfs(initrc_t) + fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) - # rhgb-console writes to ramfs - fs_write_ramfs_pipes(initrc_t) -@@ -333,6 +398,11 @@ +@@ -352,6 +399,11 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -29826,17 +29470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -365,7 +435,9 @@ - - libs_rw_ld_so_cache(initrc_t) - libs_exec_lib_files(initrc_t) -+libs_exec_ld_so(initrc_t) - -+logging_send_audit_msgs(initrc_t) - logging_send_syslog_msg(initrc_t) - logging_manage_generic_logs(initrc_t) - logging_read_all_logs(initrc_t) -@@ -374,19 +446,22 @@ +@@ -395,19 +447,22 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -29850,7 +29484,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +userdom_read_admin_home_files(initrc_t) userdom_read_user_home_content_files(initrc_t) - # Allow access to the sysadm TTYs. Note that this will give access to the +-# Allow access to the sysadm TTYs. Note that this will give access to the ++# Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. userdom_use_user_terminals(initrc_t) @@ -29860,16 +29495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -431,7 +506,7 @@ - # /lib/rcscripts/net/system.sh rewrites resolv.conf :( - sysnet_create_config(initrc_t) - sysnet_write_config(initrc_t) -- sysnet_setattr_config(initrc_t) -+ sysnet_setattr_config(initrc_t) - - optional_policy(` - arpwatch_manage_data_files(initrc_t) -@@ -450,11 +525,9 @@ +@@ -471,7 +526,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -29877,35 +29503,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + kernel_use_fds(initrc_t) files_dontaudit_read_root_files(initrc_t) -- selinux_set_enforce_mode(initrc_t) -- # These seem to be from the initrd - # during device initialization: - dev_create_generic_dirs(initrc_t) -@@ -464,6 +537,7 @@ - storage_raw_read_fixed_disk(initrc_t) - storage_raw_write_fixed_disk(initrc_t) - -+ files_create_boot_dirs(initrc_t) - files_create_boot_flag(initrc_t) - files_rw_boot_symlinks(initrc_t) - # wants to read /.fonts directory -@@ -472,6 +546,7 @@ - # Needs to cp localtime to /var dirs - files_write_var_dirs(initrc_t) - -+ fs_read_tmpfs_symlinks(initrc_t) - fs_rw_tmpfs_chr_files(initrc_t) - - storage_manage_fixed_disk(initrc_t) -@@ -490,17 +565,32 @@ - miscfiles_read_hwdata(initrc_t) - +@@ -517,6 +572,15 @@ optional_policy(` -+ alsa_manage_rw_config(initrc_t) -+ ') -+ -+ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) + bind_setattr_zone_dirs(initrc_t) @@ -29920,18 +29520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` - #for /etc/rc.d/init.d/nfs to create /etc/exports - rpc_write_exports(initrc_t) -+ rpc_manage_nfs_state_data(initrc_t) - ') - - optional_policy(` - sysnet_rw_dhcp_config(initrc_t) -+ sysnet_manage_config(initrc_t) - ') - - optional_policy(` -@@ -515,6 +605,34 @@ +@@ -542,6 +606,34 @@ ') ') @@ -29954,7 +29543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + +# system-config-services causes avc messages that should be dontaudited +tunable_policy(`allow_daemons_dump_core',` -+ files_dump_core(daemon) ++ files_manage_root_files(daemon) +') + +optional_policy(` @@ -29966,7 +29555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -527,6 +645,8 @@ +@@ -554,6 +646,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -29975,38 +29564,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -567,10 +687,19 @@ +@@ -594,6 +688,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) + dbus_manage_lib_files(initrc_t) -+ -+ optional_policy(` -+ consolekit_dbus_chat(initrc_t) -+ ') optional_policy(` - networkmanager_dbus_chat(initrc_t) - ') -+ -+ optional_policy(` -+ policykit_dbus_chat(initrc_t) -+ ') + consolekit_dbus_chat(initrc_t) +@@ -647,11 +742,6 @@ ') optional_policy(` -@@ -590,6 +719,10 @@ +- iscsi_stream_connect(initrc_t) +- iscsi_read_lib_files(initrc_t) +-') +- +-optional_policy(` + kerberos_use(initrc_t) ') - optional_policy(` -+ hal_write_log(initrc_t) -+') -+ -+optional_policy(` - dev_read_usbfs(initrc_t) - - # init scripts run /etc/hotplug/usb.rc -@@ -646,20 +779,20 @@ +@@ -690,12 +780,18 @@ ') optional_policy(` @@ -30024,32 +29602,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + mta_write_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') --# cjp: require doesnt work in the else of optionals :\ --# this also would result in a type transition --# conflict if sendmail is enabled --#optional_policy(`',` --# mta_send_mail(initrc_t) --#') - - optional_policy(` - ifdef(`distro_redhat',` -@@ -668,6 +801,7 @@ - - mysql_stream_connect(initrc_t) - mysql_write_log(initrc_t) -+ mysql_read_config(initrc_t) - ') - - optional_policy(` -@@ -700,7 +834,6 @@ - ') - - optional_policy(` -- corecmd_shell_entry_type(initrc_t) - fs_write_ramfs_sockets(initrc_t) - fs_search_ramfs(initrc_t) -@@ -722,8 +855,6 @@ +@@ -760,8 +856,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -30058,7 +29612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -736,13 +867,16 @@ +@@ -774,10 +868,12 @@ squid_manage_logs(initrc_t) ') @@ -30071,37 +29625,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -+ ssh_setattr_key_files(initrc_t) - ') - - optional_policy(` -@@ -751,6 +885,7 @@ - - optional_policy(` - udev_rw_db(initrc_t) -+ udev_manage_pid_files(initrc_t) - ') - - optional_policy(` -@@ -758,7 +893,17 @@ +@@ -801,8 +897,14 @@ + virt_manage_svirt_cache(initrc_t) ') - optional_policy(` -+ virt_manage_svirt_cache(initrc_t) -+') -+ +# Cron jobs used to start and stop services +optional_policy(` + cron_rw_pipes(daemon) +') + -+optional_policy(` + optional_policy(` unconfined_domain(initrc_t) + domain_role_change_exemption(initrc_t) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -768,6 +913,25 @@ +@@ -812,6 +914,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -30127,191 +29666,72 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -793,3 +957,31 @@ +@@ -837,3 +958,34 @@ optional_policy(` zebra_read_config(initrc_t) ') + ++# if I start an initrc script from an random director I can generate this avc ++files_dontaudit_search_all_dirs(daemon) ++ +userdom_inherit_append_user_home_content_files(daemon) +userdom_inherit_append_user_tmp_files(daemon) -+userdom_dontaudit_rw_stream(daemon) -+ -+logging_append_all_logs(daemon) -+ -+optional_policy(` -+ # sudo service restart causes this -+ unconfined_signull(daemon) -+') -+ -+ -+optional_policy(` -+ xserver_dontaudit_append_xdm_home_files(daemon) -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_rw_nfs_files(daemon) -+ ') -+ tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_rw_cifs_files(daemon) -+ ') -+') -+ -+init_rw_script_stream_sockets(daemon) -+ -+optional_policy(` -+ fail2ban_read_lib_files(daemon) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.9/policy/modules/system/ipsec.fc ---- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/ipsec.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -37,6 +37,8 @@ - - /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) - -+/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) -+ - /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) -+/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) - --/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.9/policy/modules/system/ipsec.if ---- nsaserefpolicy/policy/modules/system/ipsec.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/ipsec.if 2010-02-16 15:08:37.000000000 -0500 -@@ -39,6 +39,25 @@ - - ######################################## - ## -+## Connect to racoon using a unix domain stream socket. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`ipsec_stream_connect_racoon',` -+ gen_require(` -+ type racoon_t, ipsec_var_run_t; -+ ') ++userdom_dontaudit_rw_stream(daemon) + -+ files_search_pids($1) -+ stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t) ++logging_append_all_logs(daemon) ++ ++optional_policy(` ++ # sudo service restart causes this ++ unconfined_signull(daemon) +') + -+######################################## -+## - ## Get the attributes of an IPSEC key socket. - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.9/policy/modules/system/ipsec.te ---- nsaserefpolicy/policy/modules/system/ipsec.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/ipsec.te 2010-02-16 15:08:37.000000000 -0500 -@@ -29,9 +29,15 @@ - type ipsec_key_file_t; - files_type(ipsec_key_file_t) - -+type ipsec_log_t; -+logging_log_file(ipsec_log_t) + - # Default type for IPSEC SPD entries - type ipsec_spd_t; - -+type ipsec_tmp_t; -+files_tmp_file(ipsec_tmp_t) ++optional_policy(` ++ xserver_dontaudit_append_xdm_home_files(daemon) ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_rw_nfs_files(daemon) ++ ') ++ tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_rw_cifs_files(daemon) ++ ') ++') ++ ++init_rw_script_stream_sockets(daemon) + - # type for runtime files, including pluto.ctl - type ipsec_var_run_t; - files_pid_file(ipsec_var_run_t) -@@ -66,7 +72,7 @@ - # ipsec Local policy ++optional_policy(` ++ fail2ban_read_lib_files(daemon) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.15/policy/modules/system/ipsec.te +--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/ipsec.te 2010-03-18 10:44:43.000000000 -0400 +@@ -73,7 +73,7 @@ # --allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice }; -+allow ipsec_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; - dontaudit ipsec_t self:capability sys_tty_config; + allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; +-dontaudit ipsec_t self:capability sys_tty_config; ++dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; -@@ -85,6 +91,10 @@ - manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) - read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) - -+manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -+manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) -+files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) -+ - manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) - manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) - files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file }) -@@ -98,7 +108,9 @@ - corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) - allow ipsec_mgmt_t ipsec_t:fd use; - allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; -+dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; - allow ipsec_mgmt_t ipsec_t:process sigchld; -+sysnet_domtrans_ifconfig(ipsec_t) - - kernel_read_kernel_sysctls(ipsec_t) - kernel_list_proc(ipsec_t) -@@ -171,8 +183,9 @@ - # ipsec_mgmt Local policy - # - --allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; --allow ipsec_mgmt_t self:process { signal setrlimit }; -+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; -+dontaudit ipsec_mgmt_t self:capability sys_tty_config; -+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal }; + allow ipsec_t self:udp_socket create_socket_perms; +@@ -186,7 +186,7 @@ + + allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; + dontaudit ipsec_mgmt_t self:capability sys_tty_config; +-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal }; ++allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -182,6 +195,13 @@ - allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; - files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) - -+manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) -+manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) -+files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) -+ -+manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) -+logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) -+ - allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; - files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) - -@@ -209,7 +229,6 @@ - # whack needs to connect to pluto - stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) +@@ -258,7 +258,7 @@ --can_exec(ipsec_mgmt_t, ipsec_exec_t) - can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) - allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; - -@@ -247,8 +266,10 @@ - files_read_etc_files(ipsec_mgmt_t) - files_exec_etc_files(ipsec_mgmt_t) - files_read_etc_runtime_files(ipsec_mgmt_t) -+files_read_usr_files(ipsec_mgmt_t) - files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) - files_dontaudit_getattr_default_files(ipsec_mgmt_t) -+files_list_tmp(ipsec_mgmt_t) - - fs_getattr_xattr_fs(ipsec_mgmt_t) - fs_list_tmpfs(ipsec_mgmt_t) -@@ -259,6 +280,7 @@ - init_use_script_ptys(ipsec_mgmt_t) - init_exec_script_files(ipsec_mgmt_t) - init_use_fds(ipsec_mgmt_t) -+init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) - - logging_send_syslog_msg(ipsec_mgmt_t) - -@@ -323,6 +345,7 @@ - - kernel_read_system_state(racoon_t) - kernel_read_network_state(racoon_t) -+kernel_request_load_module(racoon_t) - - corecmd_exec_shell(racoon_t) - corecmd_exec_bin(racoon_t) -@@ -362,6 +385,8 @@ + domain_use_interactive_fds(ipsec_mgmt_t) + # denials when ps tries to search /proc. Do not audit these denials. +-domain_dontaudit_list_all_domains_state(ipsec_mgmt_t) ++domain_dontaudit_read_all_domains_state(ipsec_mgmt_t) + # suppress audit messages about unnecessary socket access + # cjp: this seems excessive + domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) +@@ -386,6 +386,8 @@ sysnet_exec_ifconfig(racoon_t) @@ -30320,15 +29740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -380,12 +405,15 @@ - read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) - read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) - -+kernel_request_load_module(setkey_t) -+ - # allow setkey utility to set contexts on SA's and policy - domain_ipsec_setcontext_all_domains(setkey_t) - +@@ -412,6 +414,7 @@ files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) @@ -30336,14 +29748,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -397,3 +425,4 @@ +@@ -423,3 +426,4 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.9/policy/modules/system/iptables.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.15/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2010-02-12 16:41:05.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/iptables.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/iptables.fc 2010-03-18 10:44:43.000000000 -0400 @@ -1,6 +1,4 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -30351,9 +29763,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.9/policy/modules/system/iptables.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.15/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/iptables.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/iptables.if 2010-03-18 10:44:43.000000000 -0400 @@ -17,6 +17,10 @@ corecmd_search_bin($1) @@ -30365,9 +29777,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.9/policy/modules/system/iptables.te ---- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/iptables.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.15/policy/modules/system/iptables.te +--- nsaserefpolicy/policy/modules/system/iptables.te 2010-03-18 10:35:11.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/iptables.te 2010-03-18 10:44:43.000000000 -0400 @@ -14,9 +14,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -30378,10 +29790,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl type iptables_tmp_t; files_tmp_file(iptables_tmp_t) -@@ -30,11 +27,12 @@ +@@ -30,12 +27,12 @@ allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config; +-allow iptables_t self:fifo_file rw_fifo_file_perms; +allow iptables_t self:fifo_file rw_file_perms; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:rawip_socket create_socket_perms; @@ -30393,11 +29806,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) -@@ -53,8 +51,12 @@ - kernel_use_fds(iptables_t) - - corenet_relabelto_all_packets(iptables_t) -+corenet_dontaudit_rw_tun_tap_dev(iptables_t) +@@ -57,6 +54,9 @@ + corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) +ifdef(`hide_broken_symptoms',` @@ -30406,7 +29816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -63,6 +65,7 @@ +@@ -65,6 +65,7 @@ mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -30414,7 +29824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl domain_use_interactive_fds(iptables_t) -@@ -76,6 +79,7 @@ +@@ -78,6 +79,7 @@ # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -30422,7 +29832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl logging_send_syslog_msg(iptables_t) -@@ -89,6 +93,7 @@ +@@ -91,6 +93,7 @@ optional_policy(` fail2ban_append_log(iptables_t) @@ -30430,101 +29840,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') optional_policy(` -@@ -122,5 +127,10 @@ - ') - - optional_policy(` -+ shorewall_rw_var_lib(iptables_t) -+') -+ -+optional_policy(` - udev_read_db(iptables_t) - ') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.9/policy/modules/system/iscsi.fc ---- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/iscsi.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -1,5 +1,9 @@ - /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) -+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) - - /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) - /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) -+ -+/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) -+ - /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.9/policy/modules/system/iscsi.te ---- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/iscsi.te 2010-02-16 15:08:37.000000000 -0500 -@@ -14,6 +14,9 @@ - type iscsi_lock_t; - files_lock_file(iscsi_lock_t) - -+type iscsi_log_t; -+logging_log_file(iscsi_log_t) -+ - type iscsi_tmp_t; - files_tmp_file(iscsi_tmp_t) - -@@ -36,15 +39,21 @@ - allow iscsid_t self:sem create_sem_perms; - allow iscsid_t self:shm create_shm_perms; - allow iscsid_t self:netlink_socket create_socket_perms; -+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; - allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms; - allow iscsid_t self:tcp_socket create_stream_socket_perms; - -+can_exec(iscsid_t, iscsid_exec_t) -+ - manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) - files_lock_filetrans(iscsid_t, iscsi_lock_t, file) - --allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; --allow iscsid_t iscsi_tmp_t:file manage_file_perms; --fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file ) -+manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) -+logging_log_filetrans(iscsid_t, iscsi_log_t, file) -+ -+manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) -+manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) -+fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } ) - - allow iscsid_t iscsi_var_lib_t:dir list_dir_perms; - read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) -@@ -54,6 +63,7 @@ - manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) - files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) - -+kernel_read_network_state(iscsid_t) - kernel_read_system_state(iscsid_t) - kernel_search_debugfs(iscsid_t) - -@@ -67,13 +77,21 @@ - corenet_tcp_connect_isns_port(iscsid_t) - - dev_rw_sysfs(iscsid_t) -+dev_rw_userio_dev(iscsid_t) - - domain_use_interactive_fds(iscsid_t) -+domain_dontaudit_read_all_domains_state(iscsid_t) - - files_read_etc_files(iscsid_t) - -+init_stream_connect_script(iscsid_t) -+ - logging_send_syslog_msg(iscsid_t) - - auth_use_nsswitch(iscsid_t) - - miscfiles_read_localization(iscsid_t) -+ -+optional_policy(` -+ tgtd_rw_semaphores(iscsid_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.9/policy/modules/system/libraries.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.15/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/libraries.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/libraries.fc 2010-03-18 10:44:43.000000000 -0400 @@ -60,12 +60,15 @@ # # /opt @@ -30741,7 +30059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -307,10 +317,137 @@ +@@ -307,10 +317,143 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -30813,8 +30131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar + +/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/libADM_coreImage\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -30879,9 +30196,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.9/policy/modules/system/libraries.if ++ ++/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.15/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/libraries.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/libraries.if 2010-03-18 10:44:43.000000000 -0400 @@ -17,6 +17,7 @@ corecmd_search_bin($1) @@ -30908,9 +30232,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar allow $1 lib_t:dir list_dir_perms; read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.9/policy/modules/system/libraries.te ---- nsaserefpolicy/policy/modules/system/libraries.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/libraries.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.15/policy/modules/system/libraries.te +--- nsaserefpolicy/policy/modules/system/libraries.te 2010-02-18 14:06:31.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/libraries.te 2010-03-18 10:44:43.000000000 -0400 @@ -58,11 +58,11 @@ # ldconfig local policy # @@ -30953,18 +30277,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar userdom_use_user_terminals(ldconfig_t) userdom_use_all_users_fds(ldconfig_t) -@@ -100,6 +106,10 @@ +@@ -100,17 +106,11 @@ ') ') +-ifdef(`hide_broken_symptoms',` +- ifdef(`distro_gentoo',` +- # leaked fds from portage +- files_dontaudit_rw_var_files(ldconfig_t) +- +- optional_policy(` +- portage_dontaudit_search_tmp(ldconfig_t) +- portage_dontaudit_rw_tmp_files(ldconfig_t) +- ') +- ') +userdom_manage_user_home_content_files(ldconfig_t) +userdom_manage_user_tmp_files(ldconfig_t) +userdom_manage_user_tmp_symlinks(ldconfig_t) -+ - ifdef(`hide_broken_symptoms',` + ++ifdef(`hide_broken_symptoms',` optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) -@@ -127,3 +137,7 @@ + ') +@@ -137,3 +137,7 @@ # blow up. rpm_manage_script_tmp_files(ldconfig_t) ') @@ -30972,19 +30307,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +optional_policy(` + unconfined_domain(ldconfig_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.9/policy/modules/system/locallogin.te +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.15/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/locallogin.te 2010-02-16 15:08:37.000000000 -0500 -@@ -33,7 +33,7 @@ ++++ serefpolicy-3.7.15/policy/modules/system/locallogin.te 2010-03-18 10:44:43.000000000 -0400 +@@ -33,9 +33,8 @@ # Local login local policy # -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; +-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +-allow local_login_t self:process { setrlimit setexec }; +allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; - allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow local_login_t self:process { setrlimit setexec }; ++allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; allow local_login_t self:fd use; -@@ -74,6 +74,8 @@ + allow local_login_t self:fifo_file rw_fifo_file_perms; + allow local_login_t self:sock_file read_sock_file_perms; +@@ -74,6 +73,8 @@ dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) dev_setattr_sound_dev(local_login_t) @@ -30993,7 +30331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) -@@ -152,6 +154,11 @@ +@@ -152,6 +153,11 @@ fs_read_cifs_symlinks(local_login_t) ') @@ -31005,7 +30343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall optional_policy(` alsa_domtrans(local_login_t) ') -@@ -181,7 +188,7 @@ +@@ -181,7 +187,7 @@ ') optional_policy(` @@ -31014,7 +30352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall ') optional_policy(` -@@ -198,9 +205,10 @@ +@@ -198,9 +204,10 @@ # Sulogin local policy # @@ -31026,7 +30364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall allow sulogin_t self:unix_dgram_socket create_socket_perms; allow sulogin_t self:unix_stream_socket create_stream_socket_perms; allow sulogin_t self:unix_dgram_socket sendto; -@@ -220,6 +228,7 @@ +@@ -220,6 +227,7 @@ files_dontaudit_search_isid_type_dirs(sulogin_t) auth_read_shadow(sulogin_t) @@ -31034,17 +30372,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall init_getpgid_script(sulogin_t) -@@ -233,11 +242,23 @@ +@@ -233,14 +241,23 @@ userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) +-sysadm_shell_domtrans(sulogin_t) +term_use_console(sulogin_t) +term_use_unallocated_ttys(sulogin_t) + +ifdef(`enable_mls',` - sysadm_shell_domtrans(sulogin_t) ++ sysadm_shell_domtrans(sulogin_t) +',` -+ optional_policy(` ++ optional_policy(` + unconfined_shell_domtrans(sulogin_t) + ') +') @@ -31052,13 +30391,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall # suse and debian do not use pam with sulogin... ifdef(`distro_suse', `define(`sulogin_no_pam')') ifdef(`distro_debian', `define(`sulogin_no_pam')') -+ifdef(`distro_redhat',`define(`sulogin_no_pam') -+ selinux_compute_user_contexts(sulogin_t) -+') ++allow sulogin_t self:capability sys_tty_config; ifdef(`sulogin_no_pam', ` - allow sulogin_t self:capability sys_tty_config; -@@ -251,11 +272,3 @@ +- allow sulogin_t self:capability sys_tty_config; + init_getpgid(sulogin_t) + ', ` + allow sulogin_t self:process setexec; +@@ -251,11 +268,3 @@ selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -31070,9 +30410,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.9/policy/modules/system/logging.fc ---- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/logging.fc 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.15/policy/modules/system/logging.fc +--- nsaserefpolicy/policy/modules/system/logging.fc 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/logging.fc 2010-03-18 10:44:43.000000000 -0400 @@ -17,6 +17,10 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) @@ -31084,11 +30424,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -@@ -51,17 +55,23 @@ - - ifdef(`distro_redhat',` - /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) -+/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) +@@ -54,10 +58,10 @@ + /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') -/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) @@ -31102,41 +30439,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) - /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) - -+/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) - /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) -+/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) -+/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) +@@ -69,3 +73,5 @@ + /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.9/policy/modules/system/logging.if ---- nsaserefpolicy/policy/modules/system/logging.if 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/logging.if 2010-02-16 15:08:37.000000000 -0500 -@@ -69,6 +69,20 @@ - - ######################################## - ## -+## Set tty auditing -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`logging_set_tty_audit',` -+ allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit }; -+') -+ -+######################################## -+## - ## Set up audit - ## - ## -@@ -624,7 +638,25 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.15/policy/modules/system/logging.if +--- nsaserefpolicy/policy/modules/system/logging.if 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/logging.if 2010-03-18 10:44:43.000000000 -0400 +@@ -715,7 +715,25 @@ ') files_search_var($1) @@ -31163,7 +30475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -707,7 +739,9 @@ +@@ -798,7 +816,9 @@ files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -31174,31 +30486,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.9/policy/modules/system/logging.te ---- nsaserefpolicy/policy/modules/system/logging.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/logging.te 2010-02-16 15:08:37.000000000 -0500 -@@ -101,6 +101,7 @@ - - kernel_read_kernel_sysctls(auditctl_t) - kernel_read_proc_symlinks(auditctl_t) -+kernel_setsched(auditctl_t) - - domain_read_all_domains_state(auditctl_t) - domain_use_interactive_fds(auditctl_t) -@@ -123,10 +124,10 @@ - - allow auditd_t self:capability { chown fsetid sys_nice sys_resource }; - dontaudit auditd_t self:capability sys_tty_config; --allow auditd_t self:process { signal_perms setpgid setsched }; -+allow auditd_t self:process { getcap signal_perms setcap setpgid setsched }; - allow auditd_t self:file rw_file_perms; - allow auditd_t self:unix_dgram_socket create_socket_perms; --allow auditd_t self:fifo_file rw_file_perms; -+allow auditd_t self:fifo_file rw_fifo_file_perms; - allow auditd_t self:tcp_socket create_stream_socket_perms; - - allow auditd_t auditd_etc_t:dir list_dir_perms; -@@ -179,6 +180,8 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.15/policy/modules/system/logging.te +--- nsaserefpolicy/policy/modules/system/logging.te 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/logging.te 2010-03-18 10:44:43.000000000 -0400 +@@ -180,6 +180,8 @@ logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -31207,280 +30498,137 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) -@@ -215,9 +218,9 @@ - # audit dispatcher local policy - # - --allow audisp_t self:capability sys_nice; --allow audisp_t self:process setsched; --allow audisp_t self:fifo_file rw_file_perms; -+allow audisp_t self:capability { dac_override setpcap sys_nice }; -+allow audisp_t self:process { getcap signal_perms setcap setsched }; -+allow audisp_t self:fifo_file rw_fifo_file_perms; - allow audisp_t self:unix_stream_socket create_stream_socket_perms; - allow audisp_t self:unix_dgram_socket create_socket_perms; - -@@ -226,13 +229,18 @@ - manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) - files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) - --corecmd_search_bin(audisp_t) -+corecmd_exec_bin(audisp_t) -+corecmd_exec_shell(audisp_t) - - domain_use_interactive_fds(audisp_t) - +@@ -235,7 +237,11 @@ files_read_etc_files(audisp_t) -+files_read_etc_runtime_files(audisp_t) + files_read_etc_runtime_files(audisp_t) ++mls_file_read_all_levels(audisp_t) mls_file_write_all_levels(audisp_t) +mls_dbus_send_all_levels(audisp_t) + -+auth_use_nsswitch(audisp_t) - - logging_send_syslog_msg(audisp_t) - -@@ -240,6 +248,14 @@ - - sysnet_dns_name_resolve(audisp_t) - -+optional_policy(` -+ dbus_system_bus_client(audisp_t) -+ -+ optional_policy(` -+ setroubleshoot_dbus_chat(audisp_t) -+ ') -+') -+ - ######################################## - # - # Audit remote logger local policy -@@ -253,11 +269,16 @@ - corenet_tcp_sendrecv_generic_node(audisp_remote_t) - corenet_tcp_connect_audit_port(audisp_remote_t) - corenet_sendrecv_audit_client_packets(audisp_remote_t) -+corenet_tcp_bind_audit_port(audisp_remote_t) -+corenet_tcp_sendrecv_all_ports(audisp_remote_t) -+corenet_tcp_bind_generic_node(audisp_remote_t) - - files_read_etc_files(audisp_remote_t) - - logging_send_syslog_msg(audisp_remote_t) - -+auth_use_nsswitch(audisp_remote_t) -+ - miscfiles_read_localization(audisp_remote_t) - - sysnet_dns_name_resolve(audisp_remote_t) -@@ -337,7 +358,7 @@ - allow syslogd_t self:unix_dgram_socket create_socket_perms; - allow syslogd_t self:unix_stream_socket create_stream_socket_perms; - allow syslogd_t self:unix_dgram_socket sendto; --allow syslogd_t self:fifo_file rw_file_perms; -+allow syslogd_t self:fifo_file rw_fifo_file_perms; - allow syslogd_t self:udp_socket create_socket_perms; - allow syslogd_t self:tcp_socket create_stream_socket_perms; - -@@ -461,10 +482,18 @@ - ') - - optional_policy(` -+ bind_search_cache(syslogd_t) -+') -+ -+optional_policy(` - inn_manage_log(syslogd_t) - ') - - optional_policy(` -+ mysql_stream_connect(syslogd_t) -+') -+ -+optional_policy(` - postgresql_stream_connect(syslogd_t) - ') - -@@ -473,6 +502,10 @@ - ') - - optional_policy(` -+ daemontools_search_svc_dir(syslogd_t) -+') -+ -+optional_policy(` - udev_read_db(syslogd_t) - ') - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.9/policy/modules/system/lvm.te ---- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/lvm.te 2010-02-16 15:08:37.000000000 -0500 -@@ -142,6 +142,10 @@ - ') - - optional_policy(` -+ aisexec_stream_connect(clvmd_t) -+') -+ -+optional_policy(` - ccs_stream_connect(clvmd_t) - ') - -@@ -244,6 +248,7 @@ - dev_dontaudit_getattr_generic_blk_files(lvm_t) - dev_dontaudit_getattr_generic_pipes(lvm_t) - dev_create_generic_dirs(lvm_t) -+dev_rw_generic_files(lvm_t) - - domain_use_interactive_fds(lvm_t) - domain_read_all_domains_state(lvm_t) -@@ -253,6 +258,7 @@ - files_read_etc_runtime_files(lvm_t) - # for when /usr is not mounted: - files_dontaudit_search_isid_type_dirs(lvm_t) -+files_dontaudit_getattr_tmpfs_files(lvm_t) - - fs_getattr_xattr_fs(lvm_t) - fs_search_auto_mountpoints(lvm_t) -@@ -311,6 +317,10 @@ - ') - - optional_policy(` -+ aisexec_stream_connect(lvm_t) -+') -+ -+optional_policy(` - bootloader_rw_tmp_files(lvm_t) - ') - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.9/policy/modules/system/miscfiles.fc ---- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/miscfiles.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -42,6 +42,7 @@ - /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) - - /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -+/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) - /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) -@@ -70,7 +71,7 @@ - - /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) - --/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_t,s0) -+/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) - /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) - /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) - -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.9/policy/modules/system/miscfiles.if ---- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/miscfiles.if 2010-02-16 15:08:37.000000000 -0500 -@@ -73,7 +73,8 @@ - # - interface(`miscfiles_read_fonts',` - gen_require(` -- type fonts_t; -+ type fonts_t, fonts_cache_t; -+ - ') - - # cjp: fonts can be in either of these dirs -@@ -83,6 +84,10 @@ - allow $1 fonts_t:dir list_dir_perms; - read_files_pattern($1, fonts_t, fonts_t) - read_lnk_files_pattern($1, fonts_t, fonts_t) -+ -+ allow $1 fonts_cache_t:dir list_dir_perms; -+ read_files_pattern($1, fonts_cache_t, fonts_cache_t) -+ read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) - ') - - ######################################## -@@ -167,6 +172,68 @@ - manage_dirs_pattern($1, fonts_t, fonts_t) - manage_files_pattern($1, fonts_t, fonts_t) - manage_lnk_files_pattern($1, fonts_t, fonts_t) -+ miscfiles_manage_fonts_cache($1) -+') -+ -+######################################## -+## -+## Set the attributes on a fonts cache directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_setattr_fonts_cache_dirs',` -+ gen_require(` -+ type fonts_cache_t; -+ ') -+ -+ allow $1 fonts_cache_t:dir setattr; -+') -+ -+######################################## -+## -+## Dontaudit attempts to set the attributes on a fonts cache directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` -+ gen_require(` -+ type fonts_cache_t; -+ ') -+ -+ allow $1 fonts_cache_t:dir setattr; -+') -+ -+######################################## -+## -+## Create, read, write, and delete fonts cache. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`miscfiles_manage_fonts_cache',` -+ gen_require(` -+ type fonts_cache_t; -+ ') -+ -+ files_search_var($1) ++auth_use_nsswitch(audisp_t) + + logging_send_syslog_msg(audisp_t) + +@@ -245,6 +251,10 @@ + + optional_policy(` + dbus_system_bus_client(audisp_t) + -+ manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t) -+ manage_files_pattern($1, fonts_cache_t, fonts_cache_t) -+ manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) ++ optional_policy(` ++ setroubleshoot_dbus_chat(audisp_t) ++ ') ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.9/policy/modules/system/miscfiles.te ---- nsaserefpolicy/policy/modules/system/miscfiles.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/miscfiles.te 2010-02-16 15:08:37.000000000 -0500 -@@ -19,6 +19,9 @@ - type fonts_t; - files_type(fonts_t) +@@ -268,6 +278,8 @@ + + logging_send_syslog_msg(audisp_remote_t) + ++auth_use_nsswitch(audisp_remote_t) ++ + miscfiles_read_localization(audisp_remote_t) -+type fonts_cache_t; -+files_type(fonts_cache_t) + sysnet_dns_name_resolve(audisp_remote_t) +@@ -491,6 +503,10 @@ + ') + + optional_policy(` ++ daemontools_search_svc_dir(syslogd_t) ++') + ++optional_policy(` + udev_read_db(syslogd_t) + ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.15/policy/modules/system/lvm.fc +--- nsaserefpolicy/policy/modules/system/lvm.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/lvm.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -28,6 +28,7 @@ # - # type for /usr/share/hwdata + /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) + /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) + # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.9/policy/modules/system/modutils.te ---- nsaserefpolicy/policy/modules/system/modutils.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/modutils.te 2010-02-16 15:08:37.000000000 -0500 + # /sbin +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.15/policy/modules/system/lvm.if +--- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/lvm.if 2010-03-18 10:44:43.000000000 -0400 +@@ -34,7 +34,7 @@ + type lvm_exec_t; + ') + +- corecmd_search_sbin($1) ++ corecmd_search_bin($1) + can_exec($1, lvm_exec_t) + ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.15/policy/modules/system/lvm.te +--- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/lvm.te 2010-03-18 10:44:43.000000000 -0400 +@@ -142,6 +142,11 @@ + ') + + optional_policy(` ++ aisexec_stream_connect(clvmd_t) ++ corosync_stream_connect(clvmd_t) ++') ++ ++optional_policy(` + ccs_stream_connect(clvmd_t) + ') + +@@ -171,6 +176,7 @@ + allow lvm_t self:process { sigchld sigkill sigstop signull signal }; + # LVM will complain a lot if it cannot set its priority. + allow lvm_t self:process setsched; ++allow lvm_t self:sem create_sem_perms; + allow lvm_t self:file rw_file_perms; + allow lvm_t self:fifo_file manage_fifo_file_perms; + allow lvm_t self:unix_dgram_socket create_socket_perms; +@@ -218,6 +224,7 @@ + # it has no reason to need this + kernel_dontaudit_getattr_core_if(lvm_t) + kernel_use_fds(lvm_t) ++kernel_request_load_module(lvm_t) + kernel_search_debugfs(lvm_t) + + corecmd_exec_bin(lvm_t) +@@ -244,6 +251,7 @@ + dev_dontaudit_getattr_generic_blk_files(lvm_t) + dev_dontaudit_getattr_generic_pipes(lvm_t) + dev_create_generic_dirs(lvm_t) ++dev_rw_generic_files(lvm_t) + + domain_use_interactive_fds(lvm_t) + domain_read_all_domains_state(lvm_t) +@@ -253,8 +261,9 @@ + files_read_etc_runtime_files(lvm_t) + # for when /usr is not mounted: + files_dontaudit_search_isid_type_dirs(lvm_t) ++files_dontaudit_getattr_tmpfs_files(lvm_t) + +-fs_getattr_xattr_fs(lvm_t) ++fs_getattr_all_fs(lvm_t) + fs_search_auto_mountpoints(lvm_t) + fs_list_tmpfs(lvm_t) + fs_read_tmpfs_symlinks(lvm_t) +@@ -311,6 +320,11 @@ + ') + + optional_policy(` ++ aisexec_stream_connect(lvm_t) ++ corosync_stream_connect(lvm_t) ++') ++ ++optional_policy(` + bootloader_rw_tmp_files(lvm_t) + ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.15/policy/modules/system/modutils.te +--- nsaserefpolicy/policy/modules/system/modutils.te 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/modutils.te 2010-03-18 10:44:43.000000000 -0400 @@ -19,6 +19,7 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) @@ -31537,11 +30685,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -160,11 +166,15 @@ - files_write_kernel_modules(insmod_t) +@@ -161,11 +167,14 @@ fs_getattr_xattr_fs(insmod_t) -+fs_dontaudit_use_tmpfs_chr_dev(insmod_t) + fs_dontaudit_use_tmpfs_chr_dev(insmod_t) +fs_mount_rpc_pipefs(insmod_t) init_rw_initctl(insmod_t) @@ -31553,7 +30700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -173,10 +183,13 @@ +@@ -174,8 +183,7 @@ seutil_read_file_contexts(insmod_t) @@ -31562,39 +30709,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti +term_use_all_terms(insmod_t) userdom_dontaudit_search_user_home_dirs(insmod_t) -+optional_policy(` -+ unconfined_domain(insmod_t) -+') -+ if( ! secure_mode_insmod ) { - kernel_domtrans_to(insmod_t, insmod_exec_t) - } -@@ -230,7 +243,7 @@ - ') - - optional_policy(` -- unconfined_domain(insmod_t) -+ unconfined_dontaudit_rw_pipes(insmod_t) - ') - - optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.9/policy/modules/system/mount.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.15/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/mount.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -1,4 +1,9 @@ ++++ serefpolicy-3.7.15/policy/modules/system/mount.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -1,4 +1,10 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) +/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) ++/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0) -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.9/policy/modules/system/mount.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.15/policy/modules/system/mount.if --- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/mount.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/mount.if 2010-03-18 10:44:43.000000000 -0400 @@ -16,6 +16,14 @@ ') @@ -31619,7 +30752,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. optional_policy(` samba_run_smbmount($1, $2) ') -@@ -84,9 +94,11 @@ +@@ -51,6 +61,35 @@ + + ######################################## + ## ++## Execute fusermount in the mount domain, and ++## allow the specified role the mount domain, ++## and use the caller's terminal. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to be allowed the mount domain. ++## ++## ++## ++# ++interface(`mount_run_fusermount',` ++ gen_require(` ++ type mount_t; ++ ') ++ ++ mount_domtrans_fusermount($1) ++ role $2 types mount_t; ++ ++ fstools_run(mount_t, $2) ++') ++ ++######################################## ++## + ## Execute mount in the caller domain. + ## + ## +@@ -84,9 +123,11 @@ interface(`mount_signal',` gen_require(` type mount_t; @@ -31631,7 +30800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -177,3 +189,57 @@ +@@ -177,3 +218,100 @@ mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; ') @@ -31689,9 +30858,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + + dontaudit $1 fusermount_exec_t:file exec_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.9/policy/modules/system/mount.te ++ ++###################################### ++## ++## Execute a domain transition to run showmount. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mount_domtrans_showmount',` ++ gen_require(` ++ type showmount_t, showmount_exec_t; ++ ') ++ ++ domtrans_pattern($1, showmount_exec_t, showmount_t) ++') ++ ++###################################### ++## ++## Execute showmount in the showmount domain, and ++## allow the specified role the showmount domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the showmount domain. ++## ++## ++# ++interface(`mount_run_showmount',` ++ gen_require(` ++ type showmount_t; ++ ') ++ ++ mount_domtrans_showmount($1) ++ role $2 types showmount_t; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.15/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/mount.te 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/mount.te 2010-03-18 10:44:43.000000000 -0400 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -31708,7 +30920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. type mount_tmp_t; files_tmp_file(mount_tmp_t) -@@ -29,6 +36,10 @@ +@@ -29,6 +36,19 @@ # policy--duplicate type declaration type unconfined_mount_t; application_domain(unconfined_mount_t, mount_exec_t) @@ -31716,10 +30928,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + +type mount_var_run_t; +files_pid_file(mount_var_run_t) ++ ++# showmount - show mount information for an NFS server ++ ++type showmount_t; ++type showmount_exec_t; ++application_domain(showmount_t, showmount_exec_t) ++role system_r types showmount_t; ++ ++permissive showmount_t; ######################################## # -@@ -36,7 +47,11 @@ +@@ -36,7 +56,11 @@ # # setuid/setgid needed to mount cifs @@ -31732,7 +30953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_loopback_t:file read_file_perms; -@@ -47,21 +62,38 @@ +@@ -47,30 +71,49 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -31772,8 +30993,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_search_all(mount_t) files_read_etc_files(mount_t) -@@ -70,7 +102,7 @@ + files_manage_etc_runtime_files(mount_t) + files_etc_filetrans_etc_runtime(mount_t, file) files_mounton_all_mountpoints(mount_t) ++# ntfs-3g checks whether the mountpoint is writable before mounting ++files_write_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: -files_relabelto_all_file_type_fs(mount_t) @@ -31781,7 +31005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -80,15 +112,18 @@ +@@ -80,15 +123,18 @@ files_read_usr_files(mount_t) files_list_mnt(mount_t) @@ -31803,7 +31027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) -@@ -99,6 +134,7 @@ +@@ -99,6 +145,7 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -31811,7 +31035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. term_use_all_terms(mount_t) -@@ -107,6 +143,8 @@ +@@ -107,6 +154,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -31820,7 +31044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. logging_send_syslog_msg(mount_t) -@@ -117,6 +155,8 @@ +@@ -117,6 +166,8 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -31829,7 +31053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`distro_redhat',` optional_policy(` -@@ -132,10 +172,17 @@ +@@ -132,10 +183,17 @@ ') ') @@ -31847,7 +31071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -165,6 +212,8 @@ +@@ -165,6 +223,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -31856,7 +31080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -172,6 +221,25 @@ +@@ -172,6 +232,25 @@ ') optional_policy(` @@ -31882,7 +31106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -179,6 +247,11 @@ +@@ -179,6 +258,11 @@ ') ') @@ -31894,7 +31118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -186,6 +259,19 @@ +@@ -186,6 +270,19 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -31914,7 +31138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -195,5 +281,10 @@ +@@ -195,5 +292,41 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t, file) @@ -31926,16 +31150,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + devicekit_dbus_chat_disk(unconfined_mount_t) ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.9/policy/modules/system/raid.te ---- nsaserefpolicy/policy/modules/system/raid.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/raid.te 2010-02-16 15:08:37.000000000 -0500 -@@ -51,11 +51,13 @@ - dev_dontaudit_getattr_generic_chr_files(mdadm_t) - dev_dontaudit_getattr_generic_blk_files(mdadm_t) - dev_read_realtime_clock(mdadm_t) -+dev_read_raw_memory(mdadm_t) - - domain_use_interactive_fds(mdadm_t) ++###################################### ++# ++# showmount local policy ++# ++ ++allow showmount_t self:tcp_socket create_stream_socket_perms; ++allow showmount_t self:udp_socket create_socket_perms; ++ ++kernel_read_system_state(showmount_t) ++ ++corenet_all_recvfrom_unlabeled(showmount_t) ++corenet_all_recvfrom_netlabel(showmount_t) ++corenet_tcp_sendrecv_generic_if(showmount_t) ++corenet_udp_sendrecv_generic_if(showmount_t) ++corenet_tcp_sendrecv_generic_node(showmount_t) ++corenet_udp_sendrecv_generic_node(showmount_t) ++corenet_tcp_sendrecv_all_ports(showmount_t) ++corenet_udp_sendrecv_all_ports(showmount_t) ++corenet_tcp_bind_generic_node(showmount_t) ++corenet_udp_bind_generic_node(showmount_t) ++corenet_tcp_bind_all_rpc_ports(showmount_t) ++corenet_udp_bind_all_rpc_ports(showmount_t) ++corenet_tcp_connect_all_ports(showmount_t) ++ ++files_read_etc_files(showmount_t) ++ ++miscfiles_read_localization(showmount_t) ++ ++sysnet_dns_name_resolve(showmount_t) ++ ++userdom_use_user_terminals(showmount_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.15/policy/modules/system/raid.te +--- nsaserefpolicy/policy/modules/system/raid.te 2010-03-12 09:24:22.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/raid.te 2010-03-18 10:44:43.000000000 -0400 +@@ -58,6 +58,7 @@ files_read_etc_files(mdadm_t) files_read_etc_runtime_files(mdadm_t) @@ -31943,9 +31192,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.9/policy/modules/system/selinuxutil.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.15/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/selinuxutil.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/selinuxutil.fc 2010-03-18 10:44:43.000000000 -0400 @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) @@ -31985,10 +31234,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.9/policy/modules/system/selinuxutil.if ---- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/selinuxutil.if 2010-02-16 15:08:37.000000000 -0500 -@@ -351,6 +351,27 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.15/policy/modules/system/selinuxutil.if +--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/selinuxutil.if 2010-03-18 10:44:43.000000000 -0400 +@@ -361,6 +361,27 @@ ######################################## ## @@ -32016,7 +31265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute run_init in the run_init domain. ## ## -@@ -535,6 +556,53 @@ +@@ -545,6 +566,53 @@ ######################################## ## @@ -32070,7 +31319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute setfiles in the caller domain. ## ## -@@ -680,6 +748,7 @@ +@@ -690,6 +758,7 @@ ') files_search_etc($1) @@ -32078,7 +31327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') -@@ -999,6 +1068,26 @@ +@@ -1009,6 +1078,26 @@ ######################################## ## @@ -32105,7 +31354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1010,7 +1099,7 @@ +@@ -1020,7 +1109,7 @@ ## ## ## @@ -32114,7 +31363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## ## ## -@@ -1028,6 +1117,54 @@ +@@ -1038,6 +1127,54 @@ ######################################## ## @@ -32160,7 +31409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + ') + + files_search_etc($1) -+ read_dirs_pattern($1, selinux_config_t, semanage_store_t) ++ list_dirs_pattern($1, selinux_config_t, semanage_store_t) + read_files_pattern($1, semanage_store_t, semanage_store_t) +') + @@ -32169,7 +31418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Full management of the semanage ## module store. ## -@@ -1139,3 +1276,194 @@ +@@ -1149,3 +1286,194 @@ selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -32364,9 +31613,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + hotplug_use_fds($1) +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.9/policy/modules/system/selinuxutil.te ---- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/selinuxutil.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.15/policy/modules/system/selinuxutil.te +--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-02-18 14:06:31.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/selinuxutil.te 2010-03-18 10:44:43.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -32612,7 +31861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -499,111 +485,43 @@ +@@ -499,112 +485,43 @@ userdom_read_user_tmp_files(semanage_t) ') @@ -32656,6 +31905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -files_read_etc_files(setfiles_t) -files_list_all(setfiles_t) -files_relabel_all_files(setfiles_t) +-files_read_usr_symlinks(setfiles_t) - -fs_getattr_xattr_fs(setfiles_t) -fs_list_all(setfiles_t) @@ -32728,31 +31978,248 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +# During boot in Rawhide +term_use_generic_ptys(setfiles_t) + -+seutil_setfiles(setfiles_mac_t) -+allow setfiles_mac_t self:capability2 mac_admin; -+kernel_relabelto_unlabeled(setfiles_mac_t) - - ifdef(`hide_broken_symptoms',` - optional_policy(` -- udev_dontaudit_rw_dgram_sockets(setfiles_t) -- ') -- -- # cjp: cover up stray file descriptors. -- optional_policy(` -- unconfined_dontaudit_read_pipes(setfiles_t) -- unconfined_dontaudit_rw_tcp_sockets(setfiles_t) -+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t) -+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t) - ') - ') - - optional_policy(` -- hotplug_use_fds(setfiles_t) -+ unconfined_domain(setfiles_mac_t) - ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.9/policy/modules/system/sysnetwork.fc ++seutil_setfiles(setfiles_mac_t) ++allow setfiles_mac_t self:capability2 mac_admin; ++kernel_relabelto_unlabeled(setfiles_mac_t) + + ifdef(`hide_broken_symptoms',` + optional_policy(` +- udev_dontaudit_rw_dgram_sockets(setfiles_t) +- ') +- +- # cjp: cover up stray file descriptors. +- optional_policy(` +- unconfined_dontaudit_read_pipes(setfiles_t) +- unconfined_dontaudit_rw_tcp_sockets(setfiles_t) ++ setroubleshoot_fixit_dontaudit_leaks(setfiles_t) ++ setroubleshoot_fixit_dontaudit_leaks(setsebool_t) + ') + ') + + optional_policy(` +- hotplug_use_fds(setfiles_t) ++ unconfined_domain(setfiles_mac_t) + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.7.15/policy/modules/system/sosreport.fc +--- nsaserefpolicy/policy/modules/system/sosreport.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/sosreport.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,2 @@ ++ ++/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.if serefpolicy-3.7.15/policy/modules/system/sosreport.if +--- nsaserefpolicy/policy/modules/system/sosreport.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/sosreport.if 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,74 @@ ++ ++## policy for sosreport ++ ++######################################## ++## ++## Execute a domain transition to run sosreport. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sosreport_domtrans',` ++ gen_require(` ++ type sosreport_t, sosreport_exec_t; ++ ') ++ ++ domtrans_pattern($1, sosreport_exec_t, sosreport_t) ++') ++ ++ ++######################################## ++## ++## Execute sosreport in the sosreport domain, and ++## allow the specified role the sosreport domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sosreport domain. ++## ++## ++# ++interface(`sosreport_run',` ++ gen_require(` ++ type sosreport_t; ++ ') ++ ++ sosreport_domtrans($1) ++ role $2 types sosreport_t; ++') ++ ++######################################## ++## ++## Role access for sosreport ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`sosreport_role',` ++ gen_require(` ++ type sosreport_t; ++ ') ++ ++ role $1 types sosreport_t; ++ ++ sosreport_domtrans($2) ++ ++ ps_process_pattern($2, sosreport_t) ++ allow $2 sosreport_t:process signal; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.7.15/policy/modules/system/sosreport.te +--- nsaserefpolicy/policy/modules/system/sosreport.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/sosreport.te 2010-03-18 10:44:43.000000000 -0400 +@@ -0,0 +1,129 @@ ++ ++policy_module(sosreport,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type sosreport_t; ++type sosreport_exec_t; ++application_domain(sosreport_t, sosreport_exec_t) ++role system_r types sosreport_t; ++ ++type sosreport_tmp_t; ++files_tmp_file(sosreport_tmp_t) ++ ++type sosreport_tmpfs_t; ++files_tmpfs_file(sosreport_tmpfs_t) ++ ++######################################## ++# ++# sosreport local policy ++# ++ ++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_nice sys_ptrace dac_override }; ++allow sosreport_t self:process { setsched signull }; ++ ++allow sosreport_t self:fifo_file rw_fifo_file_perms; ++allow sosreport_t self:tcp_socket create_stream_socket_perms; ++allow sosreport_t self:udp_socket create_socket_perms; ++allow sosreport_t self:unix_dgram_socket create_socket_perms; ++allow sosreport_t self:netlink_route_socket r_netlink_socket_perms; ++allow sosreport_t self:unix_stream_socket create_stream_socket_perms; ++ ++# sosreport tmp files ++manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) ++manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) ++manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) ++files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) ++ ++manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) ++fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file) ++ ++kernel_read_device_sysctls(sosreport_t) ++kernel_read_hotplug_sysctls(sosreport_t) ++kernel_read_kernel_sysctls(sosreport_t) ++kernel_read_modprobe_sysctls(sosreport_t) ++kernel_read_net_sysctls(sosreport_t) ++kernel_read_network_state(sosreport_t) ++kernel_read_rpc_sysctls(sosreport_t) ++kernel_read_software_raid_state(sosreport_t) ++kernel_read_unix_sysctls(sosreport_t) ++kernel_read_vm_sysctls(sosreport_t) ++kernel_search_debugfs(sosreport_t) ++ ++corecmd_exec_all_executables(sosreport_t) ++ ++dev_getattr_all_chr_files(sosreport_t) ++dev_getattr_all_blk_files(sosreport_t) ++ ++dev_read_rand(sosreport_t) ++dev_read_urand(sosreport_t) ++dev_read_raw_memory(sosreport_t) ++dev_read_sysfs(sosreport_t) ++ ++domain_getattr_all_domains(sosreport_t) ++domain_read_all_domains_state(sosreport_t) ++ ++# for blkid.tab ++files_manage_etc_runtime_files(sosreport_t) ++files_etc_filetrans_etc_runtime(sosreport_t, file) ++ ++files_exec_etc_files(sosreport_t) ++files_list_all(sosreport_t) ++files_read_config_files(sosreport_t) ++files_read_etc_files(sosreport_t) ++files_read_generic_tmp_files(sosreport_t) ++files_read_usr_files(sosreport_t) ++files_read_var_lib_files(sosreport_t) ++files_read_var_symlinks(sosreport_t) ++files_read_kernel_modules(sosreport_t) ++ ++fs_getattr_all_fs(sosreport_t) ++ ++# cjp: some config files do not have configfile attribute ++# sosreport needs to read various files on system ++auth_read_all_files_except_shadow(sosreport_t) ++auth_use_nsswitch(sosreport_t) ++ ++init_domtrans_script(sosreport_t) ++ ++libs_domtrans_ldconfig(sosreport_t) ++ ++logging_read_all_logs(sosreport_t) ++logging_send_syslog_msg(sosreport_t) ++ ++miscfiles_read_localization(sosreport_t) ++ ++# needed by modinfo ++modutils_read_module_deps(sosreport_t) ++ ++sysnet_read_config(sosreport_t) ++ ++optional_policy(` ++ cups_stream_connect(sosreport_t) ++') ++ ++optional_policy(` ++ lvm_domtrans(sosreport_t) ++') ++ ++optional_policy(` ++ pulseaudio_stream_connect(sosreport_t) ++') ++ ++optional_policy(` ++ rpm_exec(sosreport_t) ++ rpm_dontaudit_manage_db(sosreport_t) ++ rpm_read_db(sosreport_t) ++') ++ ++optional_policy(` ++ xserver_stream_connect(sosreport_t) ++') ++ ++optional_policy(` ++ unconfined_domain_noaudit(sosreport_t) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.15/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/sysnetwork.fc 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/sysnetwork.fc 2010-03-18 10:44:43.000000000 -0400 @@ -13,6 +13,9 @@ /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -32786,10 +32253,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.9/policy/modules/system/sysnetwork.if ---- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/sysnetwork.if 2010-02-16 15:08:37.000000000 -0500 -@@ -43,6 +43,36 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.15/policy/modules/system/sysnetwork.if +--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/sysnetwork.if 2010-03-18 10:44:43.000000000 -0400 +@@ -43,6 +43,41 @@ sysnet_domtrans_dhcpc($1) role $2 types dhcpc_t; @@ -32799,15 +32266,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + modutils_run_insmod(dhcpc_t, $2) + + optional_policy(` -+ hostname_run(dhcpc_t, $2) ++ consoletype_run(dhcpc_t, $2) + ') + + optional_policy(` -+ netutils_run_ping(dhcpc_t, $2) ++ hostname_run(dhcpc_t, $2) + ') ++ + optional_policy(` + netutils_run(dhcpc_t, $2) ++ netutils_run_ping(dhcpc_t, $2) + ') ++ + optional_policy(` + networkmanager_run(dhcpc_t, $2) + ') @@ -32819,14 +32289,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + optional_policy(` + nscd_run(dhcpc_t, $2) + ') ++ + optional_policy(` + ntp_run(dhcpc_t, $2) + ') ++ + seutil_run_setfiles(dhcpc_t, $2) ') ######################################## -@@ -192,7 +222,25 @@ +@@ -192,7 +227,25 @@ type dhcpc_state_t; ') @@ -32853,7 +32325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ####################################### -@@ -230,7 +278,8 @@ +@@ -251,7 +304,8 @@ ') files_search_etc($1) @@ -32863,7 +32335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ####################################### -@@ -323,7 +372,8 @@ +@@ -344,7 +398,8 @@ type net_conf_t; ') @@ -32873,7 +32345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ####################################### -@@ -380,6 +430,10 @@ +@@ -401,6 +456,10 @@ corecmd_search_bin($1) domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) @@ -32884,7 +32356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -464,6 +518,7 @@ +@@ -485,6 +544,7 @@ ') files_search_etc($1) @@ -32892,19 +32364,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) ') -@@ -541,6 +596,7 @@ +@@ -562,9 +622,9 @@ type net_conf_t; ') + allow $1 self:netlink_route_socket r_netlink_socket_perms; allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; +- allow $1 self:netlink_route_socket r_netlink_socket_perms; -@@ -556,7 +612,15 @@ + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) +@@ -577,7 +637,16 @@ + corenet_tcp_connect_dns_port($1) corenet_sendrecv_dns_client_packets($1) - files_search_etc($1) -- allow $1 net_conf_t:file read_file_perms; +- sysnet_read_config($1) ++ files_search_etc($1) + read_files_pattern($1, net_conf_t, net_conf_t) + + optional_policy(` @@ -32917,19 +32393,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -586,6 +650,8 @@ +@@ -605,7 +674,10 @@ + corenet_tcp_connect_ldap_port($1) + corenet_sendrecv_ldap_client_packets($1) - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; +- sysnet_read_config($1) ++ files_search_etc($1) ++ allow $1 net_conf_t:file read_file_perms; + # LDAP Configuration using encrypted requires + dev_read_urand($1) ') ######################################## -@@ -620,3 +686,49 @@ - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; - ') +@@ -637,5 +709,52 @@ + corenet_tcp_connect_portmap_port($1) + corenet_sendrecv_portmap_client_packets($1) + +- sysnet_read_config($1) ++ files_search_etc($1) ++ allow $1 net_conf_t:file read_file_perms; ++') + +######################################## +## @@ -32975,10 +32458,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + ') + + role_transition $1 dhcpc_exec_t system_r; -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.9/policy/modules/system/sysnetwork.te ---- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/sysnetwork.te 2010-02-16 15:08:37.000000000 -0500 + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.15/policy/modules/system/sysnetwork.te +--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-02-18 14:06:31.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/sysnetwork.te 2010-03-18 10:44:43.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -33056,15 +32539,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) -@@ -146,7 +158,7 @@ - ') - - optional_policy(` -- consoletype_domtrans(dhcpc_t) -+ consoletype_exec(dhcpc_t) - ') - - optional_policy(` @@ -183,25 +195,23 @@ ') @@ -33135,17 +32609,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; # for /sbin/ip -@@ -260,7 +276,9 @@ +@@ -260,6 +276,7 @@ kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) +kernel_request_load_module(ifconfig_t) kernel_search_network_sysctl(ifconfig_t) -+kernel_search_debugfs(ifconfig_t) kernel_rw_net_sysctls(ifconfig_t) - corenet_rw_tun_tap_dev(ifconfig_t) -@@ -269,15 +287,23 @@ +@@ -269,15 +286,23 @@ # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -33170,7 +32642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet files_dontaudit_read_root_files(ifconfig_t) -@@ -294,6 +320,8 @@ +@@ -294,6 +319,8 @@ seutil_use_runinit_fds(ifconfig_t) @@ -33179,7 +32651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -330,8 +358,22 @@ +@@ -330,8 +357,22 @@ ') optional_policy(` @@ -33202,10 +32674,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + hal_dontaudit_rw_pipes(ifconfig_t) + hal_dontaudit_rw_dgram_sockets(ifconfig_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.9/policy/modules/system/udev.if ---- nsaserefpolicy/policy/modules/system/udev.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/udev.if 2010-02-16 15:08:37.000000000 -0500 -@@ -186,6 +186,7 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.7.15/policy/modules/system/udev.fc +--- nsaserefpolicy/policy/modules/system/udev.fc 2009-11-25 11:47:19.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/udev.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -22,3 +22,4 @@ + /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) + + /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) ++/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.15/policy/modules/system/udev.if +--- nsaserefpolicy/policy/modules/system/udev.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/udev.if 2010-03-18 10:44:43.000000000 -0400 +@@ -20,6 +20,24 @@ + + ######################################## + ## ++## Send kill signals to udev. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`udev_kill',` ++ gen_require(` ++ type udev_t; ++ ') ++ ++ allow $1 udev_t:process sigkill; ++') ++ ++######################################## ++## + ## Execute udev in the udev domain. + ## + ## +@@ -192,6 +210,7 @@ dev_list_all_dev_nodes($1) allow $1 udev_tbl_t:file rw_file_perms; @@ -33213,9 +32718,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.9/policy/modules/system/udev.te ---- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/udev.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.15/policy/modules/system/udev.te +--- nsaserefpolicy/policy/modules/system/udev.te 2010-03-18 06:48:09.000000000 -0400 ++++ serefpolicy-3.7.15/policy/modules/system/udev.te 2010-03-18 10:44:43.000000000 -0400 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -33224,15 +32729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -99,6 +100,7 @@ - # udev_node.c/node_symlink() symlink labels are explicitly - # preserved, instead of short circuiting the relabel - dev_relabel_generic_symlinks(udev_t) -+dev_manage_generic_symlinks(udev_t) - - domain_read_all_domains_state(udev_t) - domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these -@@ -210,6 +212,10 @@ +@@ -211,6 +212,10 @@ ') optional_policy(` @@ -33243,24 +32740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t consoletype_exec(udev_t) ') -@@ -236,6 +242,7 @@ - - optional_policy(` - hal_dgram_send(udev_t) -+ hal_dontaudit_rw_dgram_sockets(udev_t) - ') - - optional_policy(` -@@ -263,7 +270,7 @@ - ') - - optional_policy(` -- unconfined_signal(udev_t) -+ rpm_search_log(udev_t) - ') - - optional_policy(` -@@ -271,6 +278,14 @@ +@@ -268,6 +273,10 @@ ') optional_policy(` @@ -33268,22 +32748,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t +') + +optional_policy(` -+ unconfined_signal(udev_t) -+') -+ -+optional_policy(` - kernel_write_xen_state(udev_t) - kernel_read_xen_state(udev_t) - xen_manage_log(udev_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.9/policy/modules/system/unconfined.fc ---- nsaserefpolicy/policy/modules/system/unconfined.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/unconfined.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -1,16 +1 @@ + unconfined_signal(udev_t) + ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.15/policy/modules/system/unconfined.fc +--- nsaserefpolicy/policy/modules/system/unconfined.fc 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/unconfined.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -1,15 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: -# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) -# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t --/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) - @@ -33295,9 +32770,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -ifdef(`distro_gentoo',` -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.9/policy/modules/system/unconfined.if ---- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/unconfined.if 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.15/policy/modules/system/unconfined.if +--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-03-01 15:12:54.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/unconfined.if 2010-03-18 10:44:43.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -33369,7 +32844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -111,16 +123,15 @@ +@@ -122,6 +134,10 @@ ## # interface(`unconfined_domain',` @@ -33380,17 +32855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` - auditallow $1 self:process execheap; - ') -- --# Turn off this audit for FC5 --# tunable_policy(`allow_execmem',` --# auditallow $1 self:process execmem; --# ') - ') - - ######################################## -@@ -173,411 +184,3 @@ +@@ -179,411 +195,3 @@ refpolicywarn(`$0($1) has been deprecated.') ') @@ -33802,9 +33267,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - - allow $1 unconfined_t:dbus acquire_svc; -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.9/policy/modules/system/unconfined.te ---- nsaserefpolicy/policy/modules/system/unconfined.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/unconfined.te 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.15/policy/modules/system/unconfined.te +--- nsaserefpolicy/policy/modules/system/unconfined.te 2010-02-22 08:30:53.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/unconfined.te 2010-03-18 10:44:43.000000000 -0400 @@ -5,227 +5,5 @@ # # Declarations @@ -34034,15 +33499,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - hal_dbus_chat(unconfined_execmem_t) - ') -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.9/policy/modules/system/userdomain.fc +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.15/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/modules/system/userdomain.fc 2010-02-16 15:08:37.000000000 -0500 -@@ -1,4 +1,11 @@ ++++ serefpolicy-3.7.15/policy/modules/system/userdomain.fc 2010-03-18 10:44:43.000000000 -0400 +@@ -1,4 +1,10 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) - -+/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) @@ -34050,9 +33514,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.9/policy/modules/system/userdomain.if ---- nsaserefpolicy/policy/modules/system/userdomain.if 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/userdomain.if 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.15/policy/modules/system/userdomain.if +--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/userdomain.if 2010-03-18 10:44:43.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -34344,7 +33808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($1) ') -@@ -368,51 +368,46 @@ +@@ -368,46 +368,41 @@ ####################################### ## @@ -34411,91 +33875,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### - ## --## The template for creating a user xwindows client. (Deprecated) -+## The template for creating a user xwindows client. - ## - ## - ## -@@ -420,35 +415,58 @@ - ## is the prefix for user_t). - ## - ## --## -+## - # --template(`userdom_xwindows_client_template',` -- refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.') -+interface(`userdom_xwindows_client',` - gen_require(` -- type $1_t, user_tmpfs_t; -+ type user_tmpfs_t; - ') - -- dev_rw_xserver_misc($1_t) -- dev_rw_power_management($1_t) -- dev_read_input($1_t) -- dev_read_misc($1_t) -- dev_write_misc($1_t) -+ dev_rwx_zero($1) -+ dev_rw_xserver_misc($1) -+ dev_rw_power_management($1) -+ dev_read_input($1) -+ dev_read_misc($1) -+ dev_write_misc($1) - # open office is looking for the following -- dev_getattr_agp_dev($1_t) -- dev_dontaudit_rw_dri($1_t) -+ dev_getattr_agp_dev($1) -+ -+ tunable_policy(`user_direct_dri',` -+ dev_rw_dri($1) -+ ',` -+ dev_dontaudit_rw_dri($1) -+ ') -+ +@@ -438,6 +433,7 @@ + dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: -- dev_rw_usbfs($1_t) -+ dev_rw_usbfs($1) -+ dev_rw_generic_usb_dev($1) -+ dev_read_video_dev($1) -+ dev_write_video_dev($1) -+ dev_rw_wireless($1) -+ -+ miscfiles_dontaudit_write_fonts($1) -+ -+ optional_policy(` -+ udev_read_db($1) -+ ') -+ -+ optional_policy(` -+ setroubleshoot_dontaudit_dbus_chat($1) -+ ') - -- xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) -- xserver_xsession_entry_type($1_t) -- xserver_dontaudit_write_log($1_t) -- xserver_stream_connect_xdm($1_t) -+ optional_policy(` -+ xserver_user_client($1, user_tmpfs_t) -+ xserver_xsession_entry_type($1) -+ xserver_dontaudit_write_log($1) - # certain apps want to read xdm.pid file -- xserver_read_xdm_pid($1_t) -+ xserver_read_xdm_pid($1) - # gnome-session creates socket under /tmp/.ICE-unix/ -- xserver_create_xdm_tmp_sockets($1_t) -+ xserver_create_xdm_tmp_sockets($1) - # Needed for escd, remove if we get escd policy -- xserver_manage_xdm_tmp_files($1_t) -+ xserver_manage_xdm_tmp_files($1) -+ xserver_dbus_chat_xdm($1) -+ ') -+ - ') + dev_rw_usbfs($1_t) ++ dev_rw_generic_usb_dev($1_t) - ####################################### -@@ -498,7 +516,7 @@ + xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) + xserver_xsession_entry_type($1_t) +@@ -498,7 +494,7 @@ attribute unpriv_userdomain; ') @@ -34504,7 +33892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -508,182 +526,213 @@ +@@ -508,71 +504,77 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -34525,27 +33913,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) -- -- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) +- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -34619,21 +34007,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + dev_read_mouse($1_usertype) ') -- tunable_policy(`user_ttyfile_stat',` -- term_getattr_all_ttys($1_t) -+ optional_policy(` -+ alsa_read_rw_config($1_usertype) + tunable_policy(`user_ttyfile_stat',` +@@ -580,65 +582,100 @@ ') optional_policy(` - alsa_read_rw_config($1_t) -+ # Allow graphical boot to check battery lifespan -+ apm_stream_connect($1_usertype) ++ alsa_read_rw_config($1_usertype) ') optional_policy(` -- # Allow graphical boot to check battery lifespan + # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) ++ apm_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` + canna_stream_connect($1_usertype) ') @@ -34647,42 +34036,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; - - optional_policy(` -- bluetooth_dbus_chat($1_t) ++ ++ optional_policy(` + avahi_dbus_chat($1_usertype) + ') + + optional_policy(` ++ policykit_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` + bluetooth_dbus_chat($1_usertype) -+ ') ++ ') + -+ optional_policy(` ++ optional_policy(` + consolekit_dbus_chat($1_usertype) + consolekit_read_log($1_usertype) -+ ') ++ ') + -+ optional_policy(` -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) ++ optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ ') + + optional_policy(` +- bluetooth_dbus_chat($1_t) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ hal_dbus_chat($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) ++ networkmanager_dbus_chat($1_usertype) + networkmanager_read_var_lib_files($1_usertype) ') @@ -34730,12 +34127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -- tunable_policy(`allow_user_mysql_connect',` -- mysql_stream_connect($1_t) -+ tunable_policy(`allow_user_postgresql_connect',` -+ postgresql_stream_connect($1_usertype) - ') - ') +@@ -649,41 +686,50 @@ optional_policy(` # to allow monitoring of pcmcia status @@ -34751,58 +34143,64 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -- tunable_policy(`allow_user_postgresql_connect',` + tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) -+ resmgr_stream_connect($1_usertype) ++ postgresql_stream_connect($1_usertype) ++ postgresql_tcp_connect($1_usertype) ') -+ -+ optional_policy(` -+ rpc_dontaudit_getattr_exports($1_usertype) -+ rpc_manage_nfs_rw_content($1_usertype) ') optional_policy(` - resmgr_stream_connect($1_t) -+ rpcbind_stream_connect($1_usertype) ++ resmgr_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ rpc_dontaudit_getattr_exports($1_usertype) ++ rpc_manage_nfs_rw_content($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - usernetctl_run($1_t,$1_r) -+ slrnpull_search_spool($1_usertype) ++ seunshare_role_template($1, $1_r, $1_t) ') + ++ optional_policy(` ++ slrnpull_search_spool($1_usertype) ++ ') ++ ') ####################################### -@@ -711,13 +760,26 @@ +@@ -711,13 +757,26 @@ userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) -+ -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + @@ -34823,7 +34221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_change_password_template($1) -@@ -735,70 +797,72 @@ +@@ -735,70 +794,73 @@ allow $1_t self:context contains; @@ -34891,54 +34289,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - seutil_read_config($1_t) + seutil_read_config($1_usertype) -+ optional_policy(` -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) -+ ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ kerberos_use($1_usertype) -+ kerberos_connect_524($1_usertype) ++ cups_read_config($1_usertype) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ kerberos_use($1_usertype) ++ kerberos_connect_524($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ quota_dontaudit_getattr_db($1_usertype) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) ++ quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ++ ') ++ ++ optional_policy(` + oddjob_run_mkhomedir($1_t, $1_r) ') ') -@@ -826,6 +890,8 @@ - ') +@@ -830,12 +892,35 @@ + typeattribute $1_t unpriv_userdomain; + domain_interactive_fd($1_t) - userdom_login_user_template($1) + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; + dontaudit $1_t self:netlink_audit_socket create_socket_perms; - - typeattribute $1_t unpriv_userdomain; - domain_interactive_fd($1_t) -@@ -836,6 +902,26 @@ ++ + ############################## + # + # Local policy # optional_policy(` @@ -34965,15 +34364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo loadkeys_run($1_t,$1_r) ') ') -@@ -865,51 +951,83 @@ - - userdom_restricted_user_template($1) - -+ userdom_xwindows_client($1_usertype) -+ - ############################## - # - # Local policy +@@ -871,45 +956,80 @@ # auth_role($1_r, $1_t) @@ -34982,8 +34373,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - dev_read_sound($1_t) - dev_write_sound($1_t) -+ xserver_role($1_r, $1_t) -+ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -34991,11 +34380,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + dev_dontaudit_read_rand($1_usertype) + # temporarily allow since openoffice requires this + dev_read_rand($1_usertype) - -- logging_send_syslog_msg($1_t) ++ + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) -+ ++ dev_rw_wireless($1_usertype) + +- logging_send_syslog_msg($1_t) + tunable_policy(`user_rw_noexattrfile',` + fs_manage_noxattr_fs_files($1_usertype) + fs_manage_noxattr_fs_dirs($1_usertype) @@ -35015,37 +34405,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + seutil_read_file_contexts($1_t) + seutil_read_default_contexts($1_t) -- xserver_restricted_role($1_r, $1_t) -+ optional_policy(` -+ alsa_read_rw_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ apache_role($1_r, $1_usertype) -+ ') + xserver_restricted_role($1_r, $1_t) optional_policy(` - alsa_read_rw_config($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) ++ alsa_read_rw_config($1_usertype) ') optional_policy(` - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) -+ fprintd_dbus_chat($1_t) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) + ') - optional_policy(` +- optional_policy(` - consolekit_dbus_chat($1_t) -+ openoffice_role_template($1, $1_r, $1_usertype) - ') +- ') ++ optional_policy(` ++ fprintd_dbus_chat($1_t) ++ ') - optional_policy(` +- optional_policy(` - cups_dbus_chat($1_t) +- ') ++ optional_policy(` ++ openoffice_role_template($1, $1_r, $1_usertype) ++ ') ++ ++ optional_policy(` + policykit_role($1_r, $1_usertype) - ') ++ ') + + optional_policy(` + pulseaudio_role($1_r, $1_usertype) @@ -35057,22 +34448,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -- setroubleshoot_dontaudit_stream_connect($1_t) + setroubleshoot_dontaudit_stream_connect($1_t) ++ ') ++ ++ optional_policy(` ++ udev_read_db($1_usertype) ++ ') ++ ++ optional_policy(` + wm_role_template($1, $1_r, $1_t) ') ') -@@ -943,8 +1061,8 @@ - # Declarations +@@ -944,7 +1064,7 @@ # -+ userdom_restricted_xwindows_user_template($1) # Inherit rules for ordinary users. - userdom_restricted_user_template($1) ++ userdom_restricted_xwindows_user_template($1) userdom_common_user_template($1) ############################## -@@ -953,54 +1071,71 @@ +@@ -953,54 +1073,73 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -35085,21 +34482,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - files_exec_usr_files($1_t) - # cjp: why? - files_read_kernel_symbol_table($1_t) -+ storage_rw_fuse($1_t) -+ -+ # Allow users to run TCP servers (bind to ports and accept connection from -+ # the same domain and outside users) disabling this forces FTP passive mode -+ # and may change other protocols -+ tunable_policy(`user_tcp_server',` -+ corenet_tcp_bind_all_unreserved_ports($1_usertype) -+ ') - +- - ifndef(`enable_mls',` - fs_exec_noxattr($1_t) -+ optional_policy(` -+ cdrecord_role($1_r, $1_t) -+ ') - +- - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) @@ -35108,35 +34494,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - storage_raw_write_removable_device($1_t) - ',` - storage_raw_read_removable_device($1_t) -+ optional_policy(` -+ cron_role($1_r, $1_t) - ') -+ -+ optional_policy(` -+ games_rw_data($1_usertype) - ') +- ') +- ') ++ storage_rw_fuse($1_t) - tunable_policy(`user_dmesg',` - kernel_read_ring_buffer($1_t) - ',` - kernel_dontaudit_read_ring_buffer($1_t) -+ optional_policy(` -+ gpg_role($1_r, $1_usertype) - ') +- ') ++ miscfiles_read_hwdata($1_usertype) -- # Allow users to run TCP servers (bind to ports and accept connection from -- # the same domain and outside users) disabling this forces FTP passive mode -- # and may change other protocols -- tunable_policy(`user_tcp_server',` + # Allow users to run TCP servers (bind to ports and accept connection from + # the same domain and outside users) disabling this forces FTP passive mode + # and may change other protocols + tunable_policy(`user_tcp_server',` - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) -+ optional_policy(` -+ gnomeclock_dbus_chat($1_t) ++ corenet_tcp_bind_all_unreserved_ports($1_usertype) ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r) - netutils_run_traceroute_cond($1_t,$1_r) ++ cdrecord_role($1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ cron_role($1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ games_rw_data($1_usertype) ++ ') ++ ++ optional_policy(` ++ gpg_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` ++ gnomeclock_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + gpm_stream_connect($1_usertype) + ') + @@ -35153,27 +34553,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + optional_policy(` -+ mount_run($1_t, $1_r) -+ ') -+ -+ optional_policy(` -+ wine_role_template($1, $1_r, $1_t) ++ mount_run_fusermount($1_t, $1_r) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ postfix_run_postdrop($1_t, $1_r) ++ wine_role_template($1, $1_r, $1_t) ') -+ # Run pppd in pppd_t by default for user optional_policy(` - setroubleshoot_stream_connect($1_t) ++ postfix_run_postdrop($1_t, $1_r) ++ ') ++ ++ # Run pppd in pppd_t by default for user ++ optional_policy(` + ppp_run_cond($1_t, $1_r) ') ') -@@ -1036,7 +1171,7 @@ +@@ -1036,7 +1175,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -35182,17 +34582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ############################## -@@ -1045,8 +1180,7 @@ - # - - # Inherit rules for ordinary users. -- userdom_login_user_template($1) -- userdom_common_user_template($1) -+ userdom_unpriv_user_template($1) - - domain_obj_id_change_exemption($1_t) - role system_r types $1_t; -@@ -1071,6 +1205,9 @@ +@@ -1071,6 +1210,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -35202,7 +34592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1085,6 +1222,7 @@ +@@ -1085,6 +1227,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -35210,16 +34600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1092,8 +1230,6 @@ - - dev_getattr_generic_blk_files($1_t) - dev_getattr_generic_chr_files($1_t) -- # for lsof -- dev_getattr_mtrr_dev($1_t) - # Allow MAKEDEV to work - dev_create_all_blk_files($1_t) - dev_create_all_chr_files($1_t) -@@ -1120,12 +1256,11 @@ +@@ -1120,6 +1263,8 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -35228,42 +34609,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -- storage_raw_read_removable_device($1_t) -- storage_raw_write_removable_device($1_t) -- - term_use_all_terms($1_t) - - auth_getattr_shadow($1_t) -@@ -1148,20 +1283,6 @@ - # But presently necessary for installing the file_contexts file. - seutil_manage_bin_policy($1_t) - -- userdom_manage_user_home_content_dirs($1_t) -- userdom_manage_user_home_content_files($1_t) -- userdom_manage_user_home_content_symlinks($1_t) -- userdom_manage_user_home_content_pipes($1_t) -- userdom_manage_user_home_content_sockets($1_t) -- userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) -- -- tunable_policy(`user_rw_noexattrfile',` -- fs_manage_noxattr_fs_files($1_t) -- fs_manage_noxattr_fs_dirs($1_t) -- ',` -- fs_read_noxattr_fs_files($1_t) -- ') -- - optional_policy(` - postgresql_unconfined($1_t) - ') -@@ -1207,6 +1328,7 @@ +@@ -1207,6 +1352,8 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) + files_create_default_dir($1) ++ files_root_filetrans_default($1, dir) # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1272,11 +1394,15 @@ +@@ -1272,11 +1419,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -35279,7 +34634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1387,12 +1513,13 @@ +@@ -1387,6 +1538,7 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -35287,14 +34642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($1) ') - ######################################## - ## --## Search user home directories. -+## dontaudit Search user home directories. - ## - ## - ## -@@ -1425,6 +1552,14 @@ +@@ -1433,6 +1585,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -35309,7 +34657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1440,9 +1575,11 @@ +@@ -1448,9 +1608,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -35321,7 +34669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1499,6 +1636,42 @@ +@@ -1507,6 +1669,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -35364,7 +34712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create directories in the home dir root with -@@ -1573,11 +1746,14 @@ +@@ -1581,6 +1779,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -35373,76 +34721,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## - ## --## List contents of users home directory. -+## Create, read, write, and delete directories -+## in a user home subdirectory. - ## - ## - ## -@@ -1585,18 +1761,18 @@ - ## - ## +@@ -1595,10 +1795,12 @@ # --interface(`userdom_list_user_home_content',` -+interface(`userdom_manage_user_home_content_dirs',` + interface(`userdom_list_user_home_content',` gen_require(` - type user_home_t; -+ type user_home_dir_t, user_home_t; ++ type user_home_dir_t; ++ attribute user_home_type; ') - allow $1 user_home_t:dir list_dir_perms; -+ manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -+ files_search_home($1) ++ files_list_home($1) ++ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; ') ######################################## - ## --## Create, read, write, and delete directories --## in a user home subdirectory. -+## Delete directories in a user home subdirectory. - ## - ## - ## -@@ -1604,18 +1780,17 @@ - ## - ## - # --interface(`userdom_manage_user_home_content_dirs',` -+interface(`userdom_delete_user_home_content_dirs',` - gen_require(` -- type user_home_dir_t, user_home_t; -+ type user_home_t; - ') - -- manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- files_search_home($1) -+ allow $1 user_home_t:dir delete_dir_perms; - ') +@@ -1641,6 +1843,24 @@ ######################################## ## --## Delete directories in a user home subdirectory. +## Set the attributes of user home files. - ## - ## - ## -@@ -1623,12 +1798,12 @@ - ## - ## - # --interface(`userdom_delete_user_home_content_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_setattr_user_home_content_files',` - gen_require(` - type user_home_t; - ') - -- allow $1 user_home_t:dir delete_dir_perms; ++ gen_require(` ++ type user_home_t; ++ ') ++ + allow $1 user_home_t:file setattr; - ') - - ######################################## -@@ -1684,6 +1859,7 @@ ++') ++ ++######################################## ++## + ## Do not audit attempts to set the + ## attributes of user home files. + ## +@@ -1692,6 +1912,7 @@ type user_home_dir_t, user_home_t; ') @@ -35450,7 +34769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1700,11 +1876,14 @@ +@@ -1708,11 +1929,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -35468,7 +34787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1811,19 +1990,32 @@ +@@ -1819,20 +2043,14 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -35482,33 +34801,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) -+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) -+ dontaudit $1 user_home_type:sock_file execute; - ') - +- ') +- - tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files($1) -+######################################## -+## -+## Dontaudit Delete files -+## in a user home subdirectory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_dontaudit_delete_user_home_content_files',` -+ gen_require(` -+ type user_home_t; ++ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ dontaudit $1 user_home_type:sock_file execute; ') -+ -+ allow $1 user_home_t:dir delete_file_perms; - ') +-') ######################################## -@@ -1858,6 +2050,7 @@ + ## +@@ -1866,6 +2084,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -35516,7 +34820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2094,6 +2287,25 @@ +@@ -2102,6 +2321,25 @@ ######################################## ## @@ -35542,137 +34846,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to list user ## temporary directories. ## -@@ -2210,7 +2422,26 @@ +@@ -2218,6 +2456,25 @@ ######################################## ## --## Do not audit attempts to manage users +## Do not audit attempts to write users -+## temporary files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_write_user_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ dontaudit $1 user_tmp_t:file write; -+') -+ -+######################################## -+## -+## Do not audit attempts to manage users - ## temporary files. - ## - ## -@@ -2290,6 +2521,46 @@ - ######################################## - ## - ## Create, read, write, and delete user -+## temporary chr files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_manage_user_tmp_chr_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Create, read, write, and delete user -+## temporary blk files. ++## temporary files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_manage_user_tmp_blk_files',` ++interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + -+ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_search_tmp($1) ++ dontaudit $1 user_tmp_t:file write; +') + +######################################## +## -+## Create, read, write, and delete user - ## temporary symbolic links. - ## - ## -@@ -2405,7 +2676,7 @@ - - ######################################## - ## --## Read user tmpfs files. -+## Read/Write user tmpfs files. + ## Do not audit attempts to manage users + ## temporary files. ## - ## - ## -@@ -2413,19 +2684,21 @@ - ## - ## - # --interface(`userdom_read_user_tmpfs_files',` -+interface(`userdom_rw_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; +@@ -2427,13 +2684,14 @@ ') -- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) allow $1 user_tmpfs_t:dir list_dir_perms; fs_search_tmpfs($1) ') --######################################## -+ -+###################################### + ######################################## ## -## Read user tmpfs files. -+## Manage user tmpfs files. ++## Read/Write user tmpfs files. ## ## ## -@@ -2433,15 +2706,14 @@ - ## - ## - # --interface(`userdom_rw_user_tmpfs_files',` -+interface(`userdom_manage_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') - -- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -- allow $1 user_tmpfs_t:dir list_dir_perms; -- fs_search_tmpfs($1) -+ manage_dirs_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ manage_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - ') - - ######################################## -@@ -2763,7 +3035,7 @@ +@@ -2787,7 +3045,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -35681,114 +34897,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2779,11 +3051,33 @@ +@@ -2803,11 +3061,13 @@ # interface(`userdom_search_user_home_content',` gen_require(` - type user_home_dir_t, user_home_t; + type user_home_dir_t; + attribute user_home_type; -+ ') -+ -+ files_list_home($1) -+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; -+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; -+') -+ -+######################################## -+## -+## List users home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_list_user_home_content',` -+ gen_require(` -+ type user_home_dir_t; -+ attribute user_home_type; ') files_list_home($1) - allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; -+ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; ++ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; ++ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; ') ######################################## -@@ -2898,6 +3192,25 @@ - - ######################################## - ## -+## Dontaudit search user temporary directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_dontaduit_search_user_tmp',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ dontaudit $1 user_tmp_t:dir search_dir_perms; -+') -+ -+ -+######################################## -+## - ## Write all users files in /tmp - ## - ## -@@ -2911,7 +3224,43 @@ +@@ -2944,7 +3204,7 @@ type user_tmp_t; ') - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+######################################## -+## -+## Write all inherited users files in /tmp -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_write_inherited_user_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:file write; -+') -+ -+######################################## -+## -+## Delete all users files in /tmp -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_delete_user_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:file delete_file_perms; ') ######################################## -@@ -2948,6 +3297,7 @@ +@@ -2981,6 +3241,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -35796,7 +34930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3078,3 +3428,674 @@ +@@ -3111,3 +3372,745 @@ allow $1 userdomain:dbus send_msg; ') @@ -36279,27 +35413,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +######################################## +## -+## Read user tmpfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_read_user_tmpfs_files',` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ allow $1 user_tmpfs_t:dir list_dir_perms; -+ fs_search_tmpfs($1) -+') -+ -+######################################## -+## +## Write all users files in /tmp +## +## @@ -36471,24 +35584,102 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + dontaudit $1 admin_home_t:file getattr; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.9/policy/modules/system/userdomain.te ---- nsaserefpolicy/policy/modules/system/userdomain.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/userdomain.te 2010-02-16 15:08:37.000000000 -0500 -@@ -8,13 +8,6 @@ - - ## - ##

--## Allow users to connect to mysql --##

--## --gen_tunable(allow_user_mysql_connect, false) -- --## --##

- ## Allow users to connect to PostgreSQL - ##

- ## -@@ -29,10 +22,10 @@ ++######################################## ++## ++## Create, read, write, and delete user ++## temporary chr files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_user_tmp_chr_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user ++## temporary blk files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_user_tmp_blk_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_search_tmp($1) ++') ++######################################## ++## ++## Dontaudit search user temporary directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dontaduit_search_user_tmp',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ dontaudit $1 user_tmp_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Write all inherited users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_write_inherited_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file write; ++') ++ ++######################################## ++## ++## Delete all users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file delete_file_perms; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.15/policy/modules/system/userdomain.te +--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-03-03 23:26:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/userdomain.te 2010-03-18 10:44:43.000000000 -0400 +@@ -29,10 +29,10 @@ ## ##

@@ -36501,7 +35692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ##

-@@ -54,11 +47,20 @@ +@@ -54,11 +54,20 @@ # all user domains attribute userdomain; @@ -36524,7 +35715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) -@@ -72,6 +74,7 @@ +@@ -72,6 +81,7 @@ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -36532,7 +35723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) -@@ -97,3 +100,29 @@ +@@ -97,3 +107,29 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) @@ -36562,9 +35753,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') + +allow userdomain userdomain:process signull; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.9/policy/modules/system/xen.if +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.15/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/xen.if 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/modules/system/xen.if 2010-03-18 10:44:43.000000000 -0400 @@ -180,6 +180,25 @@ ######################################## @@ -36591,10 +35782,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if ## Connect to xend over an unix domain stream socket. ##

## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.9/policy/modules/system/xen.te +@@ -213,7 +232,8 @@ + interface(`xen_domtrans_xm',` + gen_require(` + type xm_t, xm_exec_t; ++ attribute xm_transition_domain; + ') +- ++ typeattribute $1 xm_transition_domain; + domtrans_pattern($1, xm_exec_t, xm_t) + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.15/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.9/policy/modules/system/xen.te 2010-02-16 15:08:37.000000000 -0500 -@@ -85,6 +85,7 @@ ++++ serefpolicy-3.7.15/policy/modules/system/xen.te 2010-03-18 10:44:43.000000000 -0400 +@@ -5,6 +5,7 @@ + # + # Declarations + # ++attribute xm_transition_domain; + + ## + ##

+@@ -85,6 +86,7 @@ type xenconsoled_t; type xenconsoled_exec_t; init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) @@ -36602,7 +35811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te # pid files type xenconsoled_var_run_t; -@@ -209,6 +210,7 @@ +@@ -209,6 +211,7 @@ files_manage_etc_runtime_files(xend_t) files_etc_filetrans_etc_runtime(xend_t, file) files_read_usr_files(xend_t) @@ -36610,7 +35819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te storage_raw_read_fixed_disk(xend_t) storage_raw_write_fixed_disk(xend_t) -@@ -259,6 +261,7 @@ +@@ -259,6 +262,7 @@ # allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; @@ -36618,7 +35827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; -@@ -279,6 +282,7 @@ +@@ -279,6 +283,7 @@ domain_dontaudit_ptrace_all_domains(xenconsoled_t) @@ -36626,7 +35835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te files_read_usr_files(xenconsoled_t) fs_list_tmpfs(xenconsoled_t) -@@ -297,6 +301,10 @@ +@@ -297,6 +302,10 @@ xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) @@ -36637,7 +35846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te ######################################## # # Xen store local policy -@@ -340,6 +348,9 @@ +@@ -340,6 +349,9 @@ files_read_usr_files(xenstored_t) @@ -36647,33 +35856,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te storage_raw_read_fixed_disk(xenstored_t) storage_raw_write_fixed_disk(xenstored_t) storage_raw_read_removable_device(xenstored_t) -@@ -421,7 +432,14 @@ +@@ -421,7 +433,22 @@ xen_stream_connect_xenstore(xm_t) optional_policy(` ++ dbus_system_bus_client(xm_t) ++ optional_policy(` ++ hal_dbus_chat(xm_t) ++ ') ++') ++ ++optional_policy(` + vhostmd_rw_tmpfs_files(xm_t) + vhostmd_stream_connect(xm_t) + vhostmd_dontaudit_rw_stream_connect(xm_t) +') + +optional_policy(` ++ virt_domtrans(xm_t) virt_manage_images(xm_t) + virt_manage_config(xm_t) virt_stream_connect(xm_t) ') -@@ -438,6 +456,8 @@ +@@ -435,9 +462,14 @@ + kernel_read_xen_state(xm_ssh_t) + kernel_write_xen_state(xm_ssh_t) + ++ dontaudit xm_ssh_t xm_transition_domain:fifo_file rw_inherited_fifo_file_perms; ++ files_search_tmp(xm_ssh_t) ++ fs_manage_xenfs_dirs(xm_ssh_t) fs_manage_xenfs_files(xm_ssh_t) -+userdom_search_admin_dir(xm_ssh_t) ++ userdom_search_admin_dir(xm_ssh_t) + #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.9/policy/support/misc_patterns.spt +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.15/policy/support/misc_patterns.spt --- nsaserefpolicy/policy/support/misc_patterns.spt 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.9/policy/support/misc_patterns.spt 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/support/misc_patterns.spt 2010-03-18 10:44:43.000000000 -0400 @@ -15,7 +15,7 @@ domain_transition_pattern($1,$2,$3) @@ -36692,9 +35915,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns allow $3 $1:process sigchld; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.9/policy/support/obj_perm_sets.spt ---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.9/policy/support/obj_perm_sets.spt 2010-02-16 15:08:37.000000000 -0500 +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.15/policy/support/obj_perm_sets.spt +--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-03-04 11:44:07.000000000 -0500 ++++ serefpolicy-3.7.15/policy/support/obj_perm_sets.spt 2010-03-18 10:44:43.000000000 -0400 @@ -28,7 +28,7 @@ # # All socket classes. @@ -36725,7 +35948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') --define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }') +-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }') +define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') @@ -36785,9 +36008,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`all_dbus_perms', `{ acquire_svc send_msg } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.9/policy/users +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.15/policy/users --- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.9/policy/users 2010-02-16 15:08:37.000000000 -0500 ++++ serefpolicy-3.7.15/policy/users 2010-03-18 10:44:43.000000000 -0400 @@ -6,7 +6,7 @@ # # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) diff --git a/securetty_types-minimum b/securetty_types-minimum index fe7ce17..7055096 100644 --- a/securetty_types-minimum +++ b/securetty_types-minimum @@ -1,3 +1,4 @@ +console_device_t sysadm_tty_device_t user_tty_device_t staff_tty_device_t diff --git a/securetty_types-mls b/securetty_types-mls index 242dffe..89bf54d 100644 --- a/securetty_types-mls +++ b/securetty_types-mls @@ -1,3 +1,4 @@ +console_device_t sysadm_tty_device_t user_tty_device_t staff_tty_device_t diff --git a/securetty_types-targeted b/securetty_types-targeted index fe7ce17..7055096 100644 --- a/securetty_types-targeted +++ b/securetty_types-targeted @@ -1,3 +1,4 @@ +console_device_t sysadm_tty_device_t user_tty_device_t staff_tty_device_t diff --git a/selinux-policy.spec b/selinux-policy.spec index 9f65478..3b87b5f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ %define CHECKPOLICYVER 2.0.21-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.7.9 +Version: 3.7.15 Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base @@ -466,6 +466,91 @@ exit 0 %endif %changelog +* Thu Mar 18 2010 Dan Walsh 3.7.15-1 +- Update to upstream + +* Tue Mar 16 2010 Dan Walsh 3.7.14-5 +- Allow boinc to read kernel sysctl +- Fix snmp port definitions +- Allow apache to read anon_inodefs + +* Sun Mar 14 2010 Dan Walsh 3.7.14-4 +- Allow shutdown dac_override + +* Sat Mar 13 2010 Dan Walsh 3.7.14-3 +- Add device_t as a file system +- Fix sysfs association + +* Fri Mar 12 2010 Dan Walsh 3.7.14-2 +- Dontaudit ipsec_mgmt sys_ptrace +- Allow at to mail its spool files +- Allow nsplugin to search in .pulse directory + +* Fri Mar 12 2010 Dan Walsh 3.7.14-1 +- Update to upstream + +* Fri Mar 12 2010 Dan Walsh 3.7.13-4 +- Allow users to dbus chat with xdm +- Allow users to r/w wireless_device_t +- Dontaudit reading of process states by ipsec_mgmt + +* Thu Mar 11 2010 Dan Walsh 3.7.13-3 +- Fix openoffice from unconfined_t + +* Wed Mar 10 2010 Dan Walsh 3.7.13-2 +- Add shutdown policy so consolekit can shutdown system + +* Tue Mar 9 2010 Dan Walsh 3.7.13-1 +- Update to upstream + +* Thu Mar 4 2010 Dan Walsh 3.7.12-1 +- Update to upstream + +* Thu Mar 4 2010 Dan Walsh 3.7.11-1 +- Update to upstream - These are merges of my patches +- Remove 389 labeling conflicts +- Add MLS fixes found in RHEL6 testing +- Allow pulseaudio to run as a service +- Add label for mssql and allow apache to connect to this database port if boolean set +- Dontaudit searches of debugfs mount point +- Allow policykit_auth to send signals to itself +- Allow modcluster to call getpwnam +- Allow swat to signal winbind +- Allow usbmux to run as a system role +- Allow svirt to create and use devpts + +* Mon Mar 1 2010 Dan Walsh 3.7.10-5 +- Add MLS fixes found in RHEL6 testing +- Allow domains to append to rpm_tmp_t +- Add cachefilesfd policy +- Dontaudit leaks when transitioning + +* Wed Feb 23 2010 Dan Walsh 3.7.10-4 +- Change allow_execstack and allow_execmem booleans to on +- dontaudit acct using console +- Add label for fping +- Allow tmpreaper to delete sandbox_file_t +- Fix wine dontaudit mmap_zero +- Allow abrt to read var_t symlinks + +* Tue Feb 22 2010 Dan Walsh 3.7.10-3 +- Additional policy for rgmanager + +* Mon Feb 22 2010 Dan Walsh 3.7.10-2 +- Allow sshd to setattr on pseudo terms + +* Mon Feb 22 2010 Dan Walsh 3.7.10-1 +- Update to upstream + +* Thu Feb 18 2010 Dan Walsh 3.7.9-4 +- Allow policykit to send itself signals + +* Wed Feb 17 2010 Dan Walsh 3.7.9-3 +- Fix duplicate cobbler definition + +* Wed Feb 17 2010 Dan Walsh 3.7.9-2 +- Fix file context of /var/lib/avahi-autoipd + * Fri Feb 12 2010 Dan Walsh 3.7.9-1 - Merge with upstream diff --git a/sources b/sources index ee92df8..f23a132 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4c7d323036f1662a06a7a4f2a7da57a5 config.tgz -87a01bd56d6fca0ae9bef4d35dad49ef serefpolicy-3.7.9.tgz +aaaf54fcfe4fe4e0a906dca6c21fa7ed serefpolicy-3.7.15.tgz