diff --git a/policy-20070703.patch b/policy-20070703.patch index 2eb6062..bf6f1ed 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -514,7 +514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.5/policy/modules/admin/kudzu.te --- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/admin/kudzu.te 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/admin/kudzu.te 2007-08-20 16:43:35.000000000 -0400 @@ -21,8 +21,8 @@ # Local policy # @@ -535,22 +535,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t # kudzu will telinit to make init re-read # the inittab after configuring serial consoles init_telinit(kudzu_t) -@@ -141,15 +143,6 @@ - udev_read_db(kudzu_t) +@@ -134,20 +136,15 @@ ') --optional_policy(` + optional_policy(` +- seutil_sigchld_newrole(kudzu_t) ++ rhgb_use_ptys(kudzu_t) + ') + + optional_policy(` +- udev_read_db(kudzu_t) ++ seutil_sigchld_newrole(kudzu_t) + ') + + optional_policy(` - # cjp: this was originally in the else block - # of ifdef userhelper.te, but it seems to - # make more sense here. also, require - # blocks curently do not work in the - # else block of optionals - unconfined_domain(kudzu_t) --') -- ++ udev_read_db(kudzu_t) + ') + ifdef(`TODO',` - allow kudzu_t modules_conf_t:file unlink; - optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.5/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2007-07-25 10:37:43.000000000 -0400 +++ serefpolicy-3.0.5/policy/modules/admin/logrotate.te 2007-08-07 09:39:49.000000000 -0400 @@ -664,11 +672,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.5/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2007-07-25 10:37:43.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/admin/netutils.te 2007-08-10 15:49:00.000000000 -0400 -@@ -94,9 +94,14 @@ ++++ serefpolicy-3.0.5/policy/modules/admin/netutils.te 2007-08-20 16:43:54.000000000 -0400 +@@ -94,9 +94,18 @@ ') optional_policy(` ++ rhgb_use_ptys(netutils_t) ++') ++ ++optional_policy(` + unconfined_dontaudit_use_terminals(netutils_t) +') + @@ -680,7 +692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil ######################################## # # Ping local policy -@@ -113,6 +118,7 @@ +@@ -113,6 +122,7 @@ corenet_tcp_sendrecv_all_if(ping_t) corenet_raw_sendrecv_all_if(ping_t) corenet_raw_sendrecv_all_nodes(ping_t) @@ -2948,7 +2960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # filesystem SID to label inodes in the following filesystem types, diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.5/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-07-03 07:05:38.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/kernel/kernel.if 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/kernel/kernel.if 2007-08-20 15:13:02.000000000 -0400 @@ -108,6 +108,24 @@ ######################################## @@ -3176,7 +3188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.5/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/apache.fc 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/apache.fc 2007-08-20 15:01:49.000000000 -0400 @@ -16,7 +16,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -3199,7 +3211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0) +#viewvc file context +/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0) -+ ++/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.5/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-07-03 07:06:27.000000000 -0400 +++ serefpolicy-3.0.5/policy/modules/services/apache.if 2007-08-10 15:52:40.000000000 -0400 @@ -3501,7 +3513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.5/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/apache.te 2007-08-14 10:30:04.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/apache.te 2007-08-20 15:04:52.000000000 -0400 @@ -30,6 +30,13 @@ ## @@ -3740,16 +3752,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -581,6 +673,8 @@ +@@ -581,6 +673,10 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) +auth_use_nsswitch(httpd_suexec_t) + ++can_exec(httpd_suexec_t, httpd_sys_script_exec_t) ++ kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -606,6 +700,10 @@ +@@ -606,6 +702,10 @@ miscfiles_read_localization(httpd_suexec_t) @@ -3760,7 +3774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; allow httpd_suexec_t self:udp_socket create_socket_perms; -@@ -620,10 +718,13 @@ +@@ -620,10 +720,13 @@ corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) @@ -3775,7 +3789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -634,6 +735,12 @@ +@@ -634,6 +737,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -3788,7 +3802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -651,18 +758,6 @@ +@@ -651,18 +760,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -3807,7 +3821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -672,7 +767,8 @@ +@@ -672,7 +769,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -3817,7 +3831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -686,15 +782,66 @@ +@@ -686,15 +784,66 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -3885,7 +3899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -711,6 +858,19 @@ +@@ -711,6 +860,19 @@ ######################################## # @@ -3905,7 +3919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_rotatelogs local policy # -@@ -728,3 +888,27 @@ +@@ -728,3 +890,27 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -4155,8 +4169,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind +/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.5/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/bind.te 2007-08-07 09:39:49.000000000 -0400 -@@ -119,6 +119,11 @@ ++++ serefpolicy-3.0.5/policy/modules/services/bind.te 2007-08-20 15:21:40.000000000 -0400 +@@ -66,7 +66,6 @@ + allow named_t self:unix_dgram_socket create_socket_perms; + allow named_t self:tcp_socket create_stream_socket_perms; + allow named_t self:udp_socket create_socket_perms; +-allow named_t self:netlink_route_socket r_netlink_socket_perms; + + allow named_t dnssec_t:file { getattr read }; + +@@ -92,6 +91,8 @@ + manage_sock_files_pattern(named_t,named_var_run_t,named_var_run_t) + files_pid_filetrans(named_t,named_var_run_t,{ file sock_file }) + ++auth_use_nsswitch(named_t) ++ + # read zone files + allow named_t named_zone_t:dir list_dir_perms; + read_files_pattern(named_t,named_zone_t,named_zone_t) +@@ -119,6 +120,11 @@ corenet_sendrecv_dns_client_packets(named_t) corenet_sendrecv_rndc_server_packets(named_t) corenet_sendrecv_rndc_client_packets(named_t) @@ -4168,7 +4199,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind dev_read_sysfs(named_t) dev_read_rand(named_t) -@@ -232,6 +237,7 @@ +@@ -175,6 +181,10 @@ + ') + + optional_policy(` ++ kerberos_use(named_t) ++') ++ ++optional_policy(` + # this seems like fds that arent being + # closed. these should probably be + # dontaudits instead. +@@ -184,14 +194,6 @@ + ') + + optional_policy(` +- nis_use_ypbind(named_t) +-') +- +-optional_policy(` +- nscd_socket_use(named_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(named_t) + ') + +@@ -232,6 +234,7 @@ corenet_tcp_sendrecv_all_nodes(ndc_t) corenet_tcp_sendrecv_all_ports(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) @@ -4308,6 +4365,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour libs_read_lib_files(courier_authdaemon_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cpucontrol.te serefpolicy-3.0.5/policy/modules/services/cpucontrol.te +--- nsaserefpolicy/policy/modules/services/cpucontrol.te 2007-05-29 14:10:57.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/cpucontrol.te 2007-08-20 16:43:03.000000000 -0400 +@@ -63,6 +63,10 @@ + ') + + optional_policy(` ++ rhgb_use_ptys(cpucontrol_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(cpucontrol_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.0.5/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2007-05-29 14:10:57.000000000 -0400 +++ serefpolicy-3.0.5/policy/modules/services/cron.fc 2007-08-07 09:39:49.000000000 -0400 @@ -7129,7 +7200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_search_auto_mountpoints($1_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.5/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/rpc.te 2007-08-13 07:08:48.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/rpc.te 2007-08-20 14:56:34.000000000 -0400 @@ -59,10 +59,14 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) @@ -7140,7 +7211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_search_network_state(rpcd_t) # for rpc.rquotad kernel_read_sysctl(rpcd_t) -+kernel_read_fs_sysctls(rpcd_t) ++kernel_rw_fs_sysctls(rpcd_t) +kernel_getattr_core_if(nfsd_t) fs_list_rpc(rpcd_t) @@ -7190,16 +7261,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_search_network_sysctl(gssd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.5/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/rshd.te 2007-08-07 09:39:49.000000000 -0400 -@@ -45,6 +45,7 @@ ++++ serefpolicy-3.0.5/policy/modules/services/rshd.te 2007-08-20 16:32:42.000000000 -0400 +@@ -11,6 +11,7 @@ + domain_subj_id_change_exemption(rshd_t) + domain_role_change_exemption(rshd_t) + role system_r types rshd_t; ++domain_interactive_fd(rshd_t) + + ######################################## + # +@@ -33,6 +34,8 @@ + corenet_udp_sendrecv_all_ports(rshd_t) + corenet_tcp_bind_all_nodes(rshd_t) + corenet_tcp_bind_rsh_port(rshd_t) ++corenet_tcp_bind_all_rpc_ports(rshd_t) ++corenet_tcp_connect_all_rpc_ports(rshd_t) + corenet_sendrecv_rsh_server_packets(rshd_t) + + dev_read_urand(rshd_t) +@@ -44,7 +47,9 @@ + selinux_compute_relabel_context(rshd_t) selinux_compute_user_contexts(rshd_t) ++auth_use_nsswitch(rshd_t) auth_domtrans_chk_passwd(rshd_t) +auth_domtrans_upd_passwd_chk(rshd_t) corecmd_read_bin_symlinks(rshd_t) -@@ -85,6 +86,5 @@ +@@ -85,6 +90,5 @@ ') optional_policy(` @@ -7383,7 +7473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.5/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/samba.te 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/samba.te 2007-08-20 17:37:27.000000000 -0400 @@ -190,6 +190,8 @@ miscfiles_read_localization(samba_net_t) @@ -7443,7 +7533,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` nis_use_ypbind(smbmount_t) -@@ -622,17 +635,20 @@ +@@ -570,15 +583,18 @@ + # SWAT Local policy + # + +-allow swat_t self:capability { setuid setgid }; +-allow swat_t self:process signal_perms; ++allow swat_t self:capability { setuid setgid sys_resource net_bind_service }; ++allow swat_t self:process { setrlimit signal_perms }; + allow swat_t self:fifo_file rw_file_perms; + allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + allow swat_t self:tcp_socket create_stream_socket_perms; + allow swat_t self:udp_socket create_socket_perms; + allow swat_t self:netlink_route_socket r_netlink_socket_perms; + +-allow swat_t nmbd_exec_t:file { execute read }; ++can_exec(swat_t, nmbd_exec_t) ++allow swat_t nmbd_port_t:udp_socket name_bind; ++allow swat_t nmbd_t:process { signal signull }; ++allow swat_t nmbd_var_run_t:file { lock read unlink }; + + rw_files_pattern(swat_t,samba_etc_t,samba_etc_t) + +@@ -597,7 +613,9 @@ + manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) + files_pid_filetrans(swat_t,swat_var_run_t,file) + +-allow swat_t winbind_exec_t:file execute; ++can_exec(swat_t, winbind_exec_t) ++allow swat_t winbind_var_run_t:dir { write add_name remove_name }; ++allow swat_t winbind_var_run_t:sock_file { create unlink }; + + kernel_read_kernel_sysctls(swat_t) + kernel_read_system_state(swat_t) +@@ -622,17 +640,20 @@ dev_read_urand(swat_t) @@ -7464,7 +7587,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -672,7 +688,6 @@ +@@ -660,6 +681,24 @@ + nscd_socket_use(swat_t) + ') + ++ ++init_read_utmp(swat_t) ++init_dontaudit_write_utmp(swat_t) ++ ++manage_dirs_pattern(swat_t,samba_log_t,samba_log_t) ++create_files_pattern(swat_t,samba_log_t,samba_log_t) ++ ++manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t) ++ ++manage_files_pattern(swat_t,samba_var_t,samba_var_t) ++files_list_var_lib(swat_t) ++ ++allow swat_t self:unix_stream_socket connectto; ++allow swat_t smbd_exec_t:file { execute_no_trans read }; ++allow swat_t smbd_port_t:tcp_socket name_bind; ++allow swat_t smbd_t:process signal; ++allow swat_t smbd_var_run_t:file { lock unlink }; ++ + ######################################## + # + # Winbind local policy +@@ -672,7 +711,6 @@ allow winbind_t self:fifo_file { read write }; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; @@ -7472,7 +7620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow winbind_t self:tcp_socket create_stream_socket_perms; allow winbind_t self:udp_socket create_socket_perms; -@@ -709,6 +724,8 @@ +@@ -709,6 +747,8 @@ manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) files_pid_filetrans(winbind_t,winbind_var_run_t,file) @@ -7481,7 +7629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -733,7 +750,9 @@ +@@ -733,7 +773,9 @@ fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) @@ -7491,7 +7639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -746,9 +765,6 @@ +@@ -746,9 +788,6 @@ miscfiles_read_localization(winbind_t) @@ -7501,7 +7649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_dontaudit_search_sysadm_home_dirs(winbind_t) userdom_priveleged_home_dir_manager(winbind_t) -@@ -758,10 +774,6 @@ +@@ -758,10 +797,6 @@ ') optional_policy(` @@ -7512,7 +7660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(winbind_t) ') -@@ -804,6 +816,7 @@ +@@ -804,6 +839,7 @@ optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) @@ -7662,8 +7810,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.0.5/policy/modules/services/soundserver.fc --- nsaserefpolicy/policy/modules/services/soundserver.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/soundserver.fc 2007-08-07 09:39:49.000000000 -0400 -@@ -1,10 +1,22 @@ ++++ serefpolicy-3.0.5/policy/modules/services/soundserver.fc 2007-08-20 16:56:47.000000000 -0400 +@@ -1,10 +1,16 @@ -/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) -/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) - @@ -7673,6 +7821,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun /usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0) - /var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) ++/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0) ++ /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) + + @@ -7684,17 +7834,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun +# + +/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0) -+ -+ -+# -+# /tmp -+# -+/tmp/\.sockets -d gen_context(system_u:object_r:soundd_tmp_t,s0) -+/tmp/\.sockets/.* -s <> -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.0.5/policy/modules/services/soundserver.if --- nsaserefpolicy/policy/modules/services/soundserver.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/soundserver.if 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/soundserver.if 2007-08-20 17:00:30.000000000 -0400 @@ -13,3 +13,64 @@ interface(`soundserver_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') @@ -7726,7 +7868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun +######################################## +## +## Do not audit attempts to read, -+## soundserver tmp files ++## soundserver socket files +## +## +## @@ -7734,17 +7876,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun +## +## +# -+interface(`soundserver_dontaudit_read_tmp_files',` ++interface(`soundserver_dontaudit_read_socket_files',` + gen_require(` -+ type soundd_tmp_t; ++ type soundd_socket_t; + ') + -+ dontaudit $1 soundd_tmp_t:file r_file_perms; ++ dontaudit $1 soundd_socket_t:sock_file r_file_perms; +') + +######################################## +## -+## Allow domain to read, soundserver tmp files ++## Allow domain to read, soundserver socket files +## +## +## @@ -7752,17 +7894,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun +## +## +# -+interface(`soundserver_read_tmp_files',` ++interface(`soundserver_read_socket_files',` + gen_require(` -+ type soundd_tmp_t; ++ type soundd_socket_t; + ') + -+ dontaudit $1 soundd_tmp_t:file r_file_perms; ++ allow $1 soundd_var_run_t:sock_file r_file_perms; +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.5/policy/modules/services/soundserver.te --- nsaserefpolicy/policy/modules/services/soundserver.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/soundserver.te 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/soundserver.te 2007-08-20 16:59:45.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(soundserver,1.3.0) @@ -7780,7 +7922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun type soundd_state_t; files_type(soundd_state_t) -@@ -28,20 +25,34 @@ +@@ -28,20 +25,28 @@ ######################################## # @@ -7795,12 +7937,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun allow soundd_t self:udp_socket create_socket_perms; + +allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t) -+files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir sock_file }) -+ -+ -+# Remove /tmp/.sockets/audio$n -+delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t) + +allow soundd_t self:capability { dac_override }; + @@ -7820,6 +7956,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t) manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t) +@@ -55,8 +60,10 @@ + manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t) + fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + ++manage_sock_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t) + manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t) +-files_pid_filetrans(soundd_t,soundd_var_run_t,file) ++manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t) ++files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir sock_file }) + + kernel_read_kernel_sysctls(soundd_t) + kernel_list_proc(soundd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.5/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-06-11 16:05:30.000000000 -0400 +++ serefpolicy-3.0.5/policy/modules/services/spamassassin.fc 2007-08-07 09:39:49.000000000 -0400 @@ -8016,7 +8164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.5/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/ssh.te 2007-08-14 20:40:43.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/ssh.te 2007-08-20 15:13:39.000000000 -0400 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -8026,7 +8174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # ssh client executable. type ssh_exec_t; -@@ -73,6 +73,8 @@ +@@ -73,8 +73,12 @@ manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t) files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) @@ -8034,8 +8182,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + kernel_search_key(sshd_t) kernel_link_key(sshd_t) ++# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 ++kernel_write_proc_files(sshd_t) -@@ -100,6 +102,11 @@ + # for X forwarding + corenet_tcp_bind_xserver_port(sshd_t) +@@ -100,6 +104,11 @@ userdom_use_unpriv_users_ptys(sshd_t) ') @@ -8047,7 +8199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. optional_policy(` daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -119,7 +126,12 @@ +@@ -119,7 +128,12 @@ ') optional_policy(` @@ -8103,15 +8255,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. +miscfiles_read_certs(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.5/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/xserver.fc 2007-08-07 09:39:49.000000000 -0400 -@@ -92,6 +92,7 @@ ++++ serefpolicy-3.0.5/policy/modules/services/xserver.fc 2007-08-20 16:46:34.000000000 -0400 +@@ -92,8 +92,10 @@ /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + ifdef(`distro_suse',` + /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.5/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400 +++ serefpolicy-3.0.5/policy/modules/services/xserver.if 2007-08-18 06:25:18.000000000 -0400 @@ -8409,7 +8564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.5/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/xserver.te 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/xserver.te 2007-08-20 16:48:25.000000000 -0400 @@ -16,6 +16,13 @@ ## @@ -8495,6 +8650,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; +@@ -385,7 +400,7 @@ + allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; + dontaudit xdm_xserver_t xdm_var_lib_t:dir search; + +-allow xdm_xserver_t xdm_var_run_t:file { getattr read }; ++read_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t) + + # Label pid and temporary files with derived types. + manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) @@ -425,6 +440,10 @@ ') @@ -8607,7 +8771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.5/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/system/authlogin.if 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/system/authlogin.if 2007-08-20 15:21:45.000000000 -0400 @@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) @@ -9759,7 +9923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ld_so_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.5/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-08-02 08:17:28.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/system/libraries.te 2007-08-13 07:20:30.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/system/libraries.te 2007-08-20 17:12:36.000000000 -0400 @@ -44,9 +44,9 @@ # ldconfig local policy # @@ -9772,15 +9936,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar files_etc_filetrans(ldconfig_t,ld_so_cache_t,file) manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t) -@@ -62,6 +62,7 @@ +@@ -60,8 +60,11 @@ + + fs_getattr_xattr_fs(ldconfig_t) ++corecmd_search_bin(ldconfig_t) ++ domain_use_interactive_fds(ldconfig_t) +files_search_home(ldconfig_t) files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_search_tmp(ldconfig_t) -@@ -96,4 +97,11 @@ +@@ -96,4 +99,11 @@ # and executes ldconfig on it. If you dont allow this kernel installs # blow up. rpm_manage_script_tmp_files(ldconfig_t) @@ -10819,7 +10987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.5/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-08-02 08:17:28.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.te 2007-08-15 06:15:41.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.te 2007-08-20 16:44:46.000000000 -0400 @@ -76,7 +76,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) @@ -10828,18 +10996,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -94,6 +93,10 @@ +@@ -94,6 +93,11 @@ application_domain(semanage_t,semanage_exec_t) role system_r types semanage_t; +type setsebool_exec_t; +init_system_domain(semanage_t, setsebool_exec_t) +domain_interactive_fd(semanage_t) ++init_use_fds(semanage_t) + type semanage_store_t; files_type(semanage_store_t) -@@ -173,6 +176,7 @@ +@@ -173,6 +177,7 @@ fs_getattr_xattr_fs(load_policy_t) mls_file_read_up(load_policy_t) @@ -10847,7 +11016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu selinux_get_fs_mount(load_policy_t) selinux_load_policy(load_policy_t) -@@ -195,7 +199,7 @@ +@@ -195,7 +200,7 @@ # cjp: cover up stray file descriptors. dontaudit load_policy_t selinux_config_t:file write; optional_policy(` @@ -10856,7 +11025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') ') -@@ -216,7 +220,7 @@ +@@ -216,7 +221,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -10865,7 +11034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu read_files_pattern(newrole_t,selinux_config_t,selinux_config_t) read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t) -@@ -254,7 +258,9 @@ +@@ -254,7 +259,9 @@ term_dontaudit_use_unallocated_ttys(newrole_t) auth_domtrans_chk_passwd(newrole_t) @@ -10875,7 +11044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu corecmd_list_bin(newrole_t) corecmd_read_bin_symlinks(newrole_t) -@@ -274,6 +280,7 @@ +@@ -274,6 +281,7 @@ libs_use_ld_so(newrole_t) libs_use_shared_libs(newrole_t) @@ -10883,7 +11052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) -@@ -362,7 +369,7 @@ +@@ -362,7 +370,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -10892,7 +11061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -376,6 +383,7 @@ +@@ -376,6 +384,7 @@ term_dontaudit_list_ptys(run_init_t) auth_domtrans_chk_passwd(run_init_t) @@ -10900,7 +11069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) corecmd_exec_bin(run_init_t) -@@ -432,7 +440,7 @@ +@@ -432,7 +441,7 @@ allow semanage_t self:capability { dac_override audit_write }; allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; @@ -10909,7 +11078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu allow semanage_t policy_config_t:file { read write }; -@@ -443,7 +451,10 @@ +@@ -443,7 +452,10 @@ kernel_read_system_state(semanage_t) kernel_read_kernel_sysctls(semanage_t) @@ -10920,7 +11089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu dev_read_urand(semanage_t) -@@ -467,6 +478,8 @@ +@@ -467,6 +479,8 @@ # Running genhomedircon requires this for finding all users auth_use_nsswitch(semanage_t) @@ -10929,7 +11098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu libs_use_ld_so(semanage_t) libs_use_shared_libs(semanage_t) -@@ -490,6 +503,17 @@ +@@ -490,6 +504,17 @@ # netfilter_contexts: seutil_manage_default_contexts(semanage_t) @@ -10947,7 +11116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -517,6 +541,8 @@ +@@ -517,6 +542,8 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; @@ -10956,7 +11125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_files(setfiles_t) -@@ -533,6 +559,7 @@ +@@ -533,6 +560,7 @@ fs_getattr_xattr_fs(setfiles_t) fs_list_all(setfiles_t) @@ -10964,7 +11133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_search_auto_mountpoints(setfiles_t) fs_relabelfrom_noxattr_fs(setfiles_t) -@@ -588,6 +615,10 @@ +@@ -588,6 +616,10 @@ ifdef(`hide_broken_symptoms',` optional_policy(` @@ -11331,7 +11500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.5/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/system/unconfined.te 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/system/unconfined.te 2007-08-20 16:24:34.000000000 -0400 @@ -5,28 +5,36 @@ # # Declarations @@ -11430,20 +11599,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +120,7 @@ +@@ -118,11 +120,11 @@ ') optional_policy(` - inn_domtrans(unconfined_t) --') -- --optional_policy(` ++ iptables_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) + ') + + optional_policy(` - java_domtrans(unconfined_t) + java_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -@@ -134,11 +132,7 @@ +@@ -134,11 +136,7 @@ ') optional_policy(` @@ -11456,7 +11626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -155,22 +149,12 @@ +@@ -155,22 +153,12 @@ optional_policy(` postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) @@ -11481,7 +11651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -180,10 +164,6 @@ +@@ -180,10 +168,6 @@ ') optional_policy(` @@ -11492,7 +11662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) sysnet_dbus_chat_dhcpc(unconfined_t) ') -@@ -205,11 +185,12 @@ +@@ -205,11 +189,12 @@ ') optional_policy(` @@ -11506,7 +11676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -227,6 +208,17 @@ +@@ -227,6 +212,17 @@ unconfined_dbus_chat(unconfined_execmem_t) optional_policy(`