diff --git a/.gitignore b/.gitignore index 52a38dd..61e5f38 100644 --- a/.gitignore +++ b/.gitignore @@ -218,3 +218,6 @@ serefpolicy-3.8.5.tgz serefpolicy-3.8.6.tgz serefpolicy-3.8.7.tgz serefpolicy-3.8.8.tgz +*.rpm +serefpolicy* +/serefpolicy-3.9.0.tgz diff --git a/modules-minimum.conf b/modules-minimum.conf index d3b08ab..0b350d3 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -11,7 +11,7 @@ # as individual loadable modules. # -# Layer: admin +# Layer: services # Module: accountsd # # An application to view and modify user accounts information diff --git a/modules-mls.conf b/modules-mls.conf index d2bbca4..e73af3b 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -11,7 +11,7 @@ # as individual loadable modules. # -# Layer: admin +# Layer: services # Module: accountsd # # An application to view and modify user accounts information diff --git a/modules-targeted.conf b/modules-targeted.conf index d3b08ab..0b350d3 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -11,7 +11,7 @@ # as individual loadable modules. # -# Layer: admin +# Layer: services # Module: accountsd # # An application to view and modify user accounts information diff --git a/nsadiff b/nsadiff index 649de77..2383e96 100755 --- a/nsadiff +++ b/nsadiff @@ -1 +1 @@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.8.8 > /tmp/diff +diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.9.0 > /tmp/diff diff --git a/policy-F14.patch b/policy-F14.patch index 4a1f485..437c188 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -1,7 +1,8 @@ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.8.8/Makefile ---- nsaserefpolicy/Makefile 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.8/Makefile 2010-07-30 14:06:53.000000000 -0400 -@@ -244,7 +244,7 @@ +diff --git a/Makefile b/Makefile +index f802d3b..b8804f7 100644 +--- a/Makefile ++++ b/Makefile +@@ -244,7 +244,7 @@ seusers := $(appconf)/seusers appdir := $(contextpath) user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) @@ -10,10 +11,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.8.8/M net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.8.8/man/man8/ftpd_selinux.8 ---- nsaserefpolicy/man/man8/ftpd_selinux.8 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.8.8/man/man8/ftpd_selinux.8 2010-08-23 13:38:00.000000000 -0400 -@@ -15,7 +15,7 @@ +diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8 +index 9e19481..5bebd82 100644 +--- a/man/man8/ftpd_selinux.8 ++++ b/man/man8/ftpd_selinux.8 +@@ -15,7 +15,7 @@ Allow ftp servers to read the /var/ftp directory by adding the public_content_t semanage fcontext -a -t public_content_t "/var/ftp(/.*)?" .TP .B @@ -22,7 +24,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere .TP Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. .PP -@@ -23,7 +23,7 @@ +@@ -23,7 +23,7 @@ Allow ftp servers to read and write /var/tmp/incoming by adding the public_conte semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?" .TP .B @@ -31,9 +33,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere .SH BOOLEANS .PP -diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/git_selinux.8 serefpolicy-3.8.8/man/man8/git_selinux.8 ---- nsaserefpolicy/man/man8/git_selinux.8 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/man/man8/git_selinux.8 2010-07-30 14:06:53.000000000 -0400 +diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8 +new file mode 100644 +index 0000000..e9c43b1 +--- /dev/null ++++ b/man/man8/git_selinux.8 @@ -0,0 +1,109 @@ +.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation" +.de EX @@ -144,84 +148,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/git_selinux.8 seref +This manual page was written by Dominick Grift . +.SH "SEE ALSO" +selinux(8), git(8), chcon(1), semodule(8), setsebool(8) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/constraints serefpolicy-3.8.8/policy/constraints ---- nsaserefpolicy/policy/constraints 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.8.8/policy/constraints 2010-07-30 14:06:53.000000000 -0400 -@@ -1,4 +1,3 @@ -- - # - # Define the constraints - # -@@ -91,7 +90,7 @@ - ( - u1 == u2 - or ( t1 == can_change_process_identity and t2 == process_user_target ) -- or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) -+ or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) ) - or ( t1 == can_system_change and u2 == system_u ) - or ( t1 == process_uncond_exempt ) - ); -@@ -100,7 +99,7 @@ - ( - r1 == r2 - or ( t1 == can_change_process_role and t2 == process_user_target ) -- or ( t1 == cron_source_domain and t2 == cron_job_domain ) -+ or ( t1 == cron_source_domain and t2 == cron_job_domain ) - or ( t1 == can_system_change and r2 == system_r ) - or ( t1 == process_uncond_exempt ) - ); -@@ -173,7 +172,7 @@ - - ######################################## - # --# SE-X Windows rules -+# X Windows rules - # - - exempted_ubac_constraint(x_drawable, ubacxwin) -@@ -219,26 +218,21 @@ - exempted_ubac_constraint(db_tuple, ubacdb) - exempted_ubac_constraint(db_blob, ubacdb) - -- -- - basic_ubac_constraint(association) - basic_ubac_constraint(peer) - -- --# these classes have no UBAC restrictions --#class security --#class system --#class capability --#class memprotect --#class passwd # userspace --#class node --#class netif --#class packet --#class capability2 --#class nscd # userspace --#class context # userspace -- -- -+# These classes have no UBAC restrictions -+# class security -+# class system -+# class capability -+# class memprotect -+# class passwd -+# class node -+# class netif -+# class packet -+# class capability2 -+# class nscd -+# class context - - undefine(`basic_ubac_constraint') - undefine(`basic_ubac_conditions') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.8.8/policy/global_tunables ---- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/global_tunables 2010-07-30 14:06:53.000000000 -0400 -@@ -61,15 +61,6 @@ +diff --git a/policy/global_tunables b/policy/global_tunables +index 3316f6e..cf3a77b 100644 +--- a/policy/global_tunables ++++ b/policy/global_tunables +@@ -61,15 +61,6 @@ gen_tunable(global_ssp,false) ## ##

@@ -237,7 +168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref ## Allow any files/directories to be exported read/write via NFS. ##

## -@@ -104,3 +95,18 @@ +@@ -104,3 +95,18 @@ gen_tunable(use_samba_home_dirs,false) ##

## gen_tunable(user_tcp_server,false) @@ -256,10 +187,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +## +gen_tunable(mmap_low_allowed, false) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.8.8/policy/mcs ---- nsaserefpolicy/policy/mcs 2009-11-12 12:51:51.000000000 -0500 -+++ serefpolicy-3.8.8/policy/mcs 2010-07-30 14:06:53.000000000 -0400 -@@ -86,10 +86,10 @@ +diff --git a/policy/mcs b/policy/mcs +index af90ef2..ebe5833 100644 +--- a/policy/mcs ++++ b/policy/mcs +@@ -86,10 +86,10 @@ mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); # new file labels must be dominated by the relabeling subject clearance @@ -272,339 +204,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.8.8 (( h1 dom h2 ) and ( l2 eq h2 )); mlsconstrain process { transition dyntransition } -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.fc serefpolicy-3.8.8/policy/modules/admin/accountsd.fc ---- nsaserefpolicy/policy/modules/admin/accountsd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1,3 @@ -+/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) -+ -+/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.if serefpolicy-3.8.8/policy/modules/admin/accountsd.if ---- nsaserefpolicy/policy/modules/admin/accountsd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.if 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1,173 @@ -+## Accountsservice D-Bus interfaces for querying and manipulating user account information. -+ -+######################################## -+## -+## Execute a domain transition to -+## run Account Service daemon. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`accountsd_domtrans',` -+ gen_require(` -+ type accountsd_t, accountsd_exec_t; -+ ') -+ -+ domtrans_pattern($1, accountsd_exec_t, accountsd_t) -+ corecmd_search_bin($1) -+ files_search_usr($1) -+') -+ -+######################################## -+## -+## Search Accounts Service daemon -+## lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`accountsd_search_lib',` -+ gen_require(` -+ type accountsd_var_lib_t; -+ ') -+ -+ allow $1 accountsd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read Accounts Service daemon -+## lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`accountsd_read_lib_files',` -+ gen_require(` -+ type accountsd_var_lib_t; -+ ') -+ -+ read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Manage Account Service daemon -+## lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`accountsd_manage_lib_files',` -+ gen_require(` -+ type accountsd_var_lib_t; -+ ') -+ -+ manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Manage Account Service daemon -+## lib content. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`accountsd_manage_var_lib',` -+ gen_require(` -+ type accountsd_var_lib_t; -+ ') -+ -+ manage_dirs_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) -+ manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) -+ manage_lnk_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Send and receive messages from -+## Account Service daemon over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`accountsd_dbus_chat',` -+ gen_require(` -+ type accountsd_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 accountsd_t:dbus send_msg; -+ allow accountsd_t $1:dbus send_msg; -+') -+ -+######################################## -+## -+## Do not audit attempts to read and -+## write Account Service daemon pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`accountsd_dontaudit_rw_fifo_file',` -+ gen_require(` -+ type accountsd_t; -+ ') -+ -+ dontaudit $1 accountsd_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an Account Service daemon environment. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`accountsd_admin',` -+ gen_require(` -+ type accountsd_t, accountsd_var_lib_t; -+ ') -+ -+ allow $1 accountsd_t:process { ptrace signal_perms }; -+ read_files_pattern($1, accountsd_t, accountsd_t) -+ -+ admin_pattern($1, accountsd_var_lib_t) -+ files_search_var_lib($1) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.8.8/policy/modules/admin/accountsd.te ---- nsaserefpolicy/policy/modules/admin/accountsd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/admin/accountsd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1,64 @@ -+policy_module(accountsd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type accountsd_t; -+type accountsd_exec_t; -+dbus_system_domain(accountsd_t, accountsd_exec_t) -+init_daemon_domain(accountsd_t, accountsd_exec_t) -+role system_r types accountsd_t; -+ -+type accountsd_var_lib_t; -+files_type(accountsd_var_lib_t) -+ -+######################################## -+# -+# accountsd local policy -+# -+allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; -+ -+allow accountsd_t self:fifo_file rw_fifo_file_perms; -+ -+manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) -+manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) -+files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir } ) -+ -+kernel_read_kernel_sysctls(accountsd_t) -+ -+corecmd_exec_bin(accountsd_t) -+ -+files_read_usr_files(accountsd_t) -+files_read_mnt_files(accountsd_t) -+ -+fs_list_inotifyfs(accountsd_t) -+fs_read_noxattr_fs_files(accountsd_t) -+ -+auth_read_shadow(accountsd_t) -+auth_use_nsswitch(accountsd_t) -+ -+miscfiles_read_localization(accountsd_t) -+ -+logging_send_syslog_msg(accountsd_t) -+logging_set_loginuid(accountsd_t) -+ -+usermanage_domtrans_useradd(accountsd_t) -+usermanage_domtrans_passwd(accountsd_t) -+ -+userdom_read_user_tmp_files(accountsd_t) -+userdom_read_user_home_content_files(accountsd_t) -+ -+optional_policy(` -+ consolekit_read_log(accountsd_t) -+') -+ -+optional_policy(` -+ policykit_dbus_chat(accountsd_t) -+') -+ -+optional_policy(` -+ xserver_dbus_chat_xdm(accountsd_t) -+ xserver_manage_xdm_etc_files(accountsd_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.if serefpolicy-3.8.8/policy/modules/admin/acct.if ---- nsaserefpolicy/policy/modules/admin/acct.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/acct.if 2010-07-30 14:06:53.000000000 -0400 -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -44,7 +44,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -65,7 +65,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.8.8/policy/modules/admin/alsa.fc ---- nsaserefpolicy/policy/modules/admin/alsa.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/alsa.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -1,18 +1,20 @@ --/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) -+HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) - --/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) --/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) --/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) --/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -+/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) - --/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) --/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) -+/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -+/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -+/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -+/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) - --/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) -+/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) -+/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) +diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc +index 30a0ac7..f5fc753 100644 +--- a/policy/modules/admin/alsa.fc ++++ b/policy/modules/admin/alsa.fc +@@ -1,3 +1,5 @@ ++HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) + -+/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) + /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) - ifdef(`distro_debian', ` --/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) --/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -+/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) -+/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) - ') - --/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) -+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.8.8/policy/modules/admin/alsa.if ---- nsaserefpolicy/policy/modules/admin/alsa.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/alsa.if 2010-08-11 08:22:58.000000000 -0400 -@@ -1,8 +1,9 @@ --## Ainit ALSA configuration tool -+## Advanced Linux Sound Architecture. - - ######################################## - ## --## Domain transition to alsa -+## Execute a domain transition to -+## run Alsa. - ## - ## - ## -@@ -16,11 +17,12 @@ + /etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if +index fe09bea..090b5c9 100644 +--- a/policy/modules/admin/alsa.if ++++ b/policy/modules/admin/alsa.if +@@ -16,6 +16,7 @@ interface(`alsa_domtrans',` ') domtrans_pattern($1, alsa_exec_t, alsa_t) @@ -612,13 +226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if ') ######################################## - ## --## Allow read and write access to alsa semaphores. -+## Read and write Alsa semaphores. - ## - ## - ## -@@ -33,12 +35,12 @@ +@@ -33,7 +34,7 @@ interface(`alsa_rw_semaphores',` type alsa_t; ') @@ -627,13 +235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if ') ######################################## - ## --## Allow read and write access to alsa shared memory. -+## Read and write Alsa shared memory. - ## - ## - ## -@@ -51,12 +53,12 @@ +@@ -51,7 +52,7 @@ interface(`alsa_rw_shared_mem',` type alsa_t; ') @@ -642,13 +244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if ') ######################################## - ## --## Read alsa writable config files. -+## Read Alsa writable config files. - ## - ## - ## -@@ -72,11 +74,12 @@ +@@ -72,6 +73,7 @@ interface(`alsa_read_rw_config',` allow $1 alsa_etc_rw_t:dir list_dir_perms; read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) @@ -656,13 +252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if ') ######################################## - ## --## Manage alsa writable config files. -+## Manage Alsa writable config files. - ## - ## - ## -@@ -92,11 +95,12 @@ +@@ -92,6 +94,7 @@ interface(`alsa_manage_rw_config',` allow $1 alsa_etc_rw_t:dir list_dir_perms; manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) @@ -670,13 +260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if ') ######################################## - ## --## Read alsa lib files. -+## Read Alsa lib files. - ## - ## - ## -@@ -110,4 +114,24 @@ +@@ -110,4 +113,24 @@ interface(`alsa_read_lib',` ') read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) @@ -685,7 +269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if + +######################################## +## -+## Read Alsa home files. ++## Read alsa home files. +## +## +## @@ -701,10 +285,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if + allow $1 alsa_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.8.8/policy/modules/admin/alsa.te ---- nsaserefpolicy/policy/modules/admin/alsa.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/alsa.te 2010-07-30 14:06:53.000000000 -0400 -@@ -16,6 +16,9 @@ +diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te +index 04f9d96..ed1c3dc 100644 +--- a/policy/modules/admin/alsa.te ++++ b/policy/modules/admin/alsa.te +@@ -16,6 +16,9 @@ files_type(alsa_etc_rw_t) type alsa_var_lib_t; files_type(alsa_var_lib_t) @@ -714,7 +299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te ######################################## # # Local policy -@@ -28,6 +31,8 @@ +@@ -28,6 +31,8 @@ allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket create_stream_socket_perms; allow alsa_t self:unix_dgram_socket create_socket_perms; @@ -723,10 +308,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.8.8/policy/modules/admin/amanda.if ---- nsaserefpolicy/policy/modules/admin/amanda.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/amanda.if 2010-07-30 14:06:53.000000000 -0400 -@@ -1,12 +1,13 @@ +diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if +index d1d035e..2cb11ea 100644 +--- a/policy/modules/admin/amanda.if ++++ b/policy/modules/admin/amanda.if +@@ -1,8 +1,9 @@ -## Automated backup program. +## Advanced Maryland Automatic Network Disk Archiver. @@ -738,12 +324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. ## ## ## --## The type of the process performing this action. -+## Domain allowed to transition. - ## - ## - # -@@ -16,21 +17,25 @@ +@@ -16,12 +17,15 @@ interface(`amanda_domtrans_recover',` ') domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t) @@ -761,19 +342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. ## ## ## --## The type of the process performing this action. -+## Domain allowed to transition. - ## - ## - ## - ## --## The role to be allowed the amanda_recover domain. -+## The role to be allowed the Amanda -+## Recover domain. - ## - ## - ## -@@ -46,11 +51,11 @@ +@@ -46,7 +50,7 @@ interface(`amanda_run_recover',` ######################################## ## @@ -782,12 +351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. ## ## ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -61,11 +66,13 @@ +@@ -61,11 +65,13 @@ interface(`amanda_search_lib',` allow $1 amanda_usr_lib_t:dir search_dir_perms; files_search_usr($1) @@ -802,7 +366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. ## ## ## -@@ -78,16 +85,16 @@ +@@ -78,12 +84,12 @@ interface(`amanda_dontaudit_read_dumpdates',` type amanda_dumpdates_t; ') @@ -817,12 +381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. ## ## ## --## Domain to allow -+## Domain allowed access. - ## - ## - # -@@ -97,15 +104,16 @@ +@@ -97,11 +103,12 @@ interface(`amanda_rw_dumpdates_files',` ') allow $1 amanda_dumpdates_t:file rw_file_perms; @@ -836,12 +395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. ## ## ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -116,15 +124,16 @@ +@@ -116,11 +123,12 @@ interface(`amanda_manage_lib',` allow $1 amanda_usr_lib_t:dir manage_dir_perms; files_search_usr($1) @@ -855,12 +409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. ## ## ## --## Domain to allow -+## Domain allowed access. - ## - ## - # -@@ -134,15 +143,16 @@ +@@ -134,11 +142,12 @@ interface(`amanda_append_log_files',` ') allow $1 amanda_log_t:file { read_file_perms append_file_perms }; @@ -874,12 +423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. ## ## ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -151,7 +161,6 @@ +@@ -151,7 +160,6 @@ interface(`amanda_search_var_lib',` type amanda_var_lib_t; ') @@ -888,21 +432,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. - + files_search_var_lib($1) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.8.8/policy/modules/admin/anaconda.te ---- nsaserefpolicy/policy/modules/admin/anaconda.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/anaconda.te 2010-07-30 14:06:53.000000000 -0400 -@@ -28,8 +28,10 @@ - logging_send_syslog_msg(anaconda_t) - - modutils_domtrans_insmod(anaconda_t) -+modutils_domtrans_depmod(anaconda_t) +diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te +index 96f68e9..6cf5d7a 100644 +--- a/policy/modules/admin/anaconda.te ++++ b/policy/modules/admin/anaconda.te +@@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) + modutils_domtrans_depmod(anaconda_t) seutil_domtrans_semanage(anaconda_t) +seutil_domtrans_setsebool(anaconda_t) userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) -@@ -51,7 +53,7 @@ +@@ -52,7 +53,7 @@ optional_policy(` ') optional_policy(` @@ -911,154 +453,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/apt.if serefpolicy-3.8.8/policy/modules/admin/apt.if ---- nsaserefpolicy/policy/modules/admin/apt.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/apt.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -26,7 +26,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -52,7 +52,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -90,7 +90,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -109,7 +109,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -146,7 +146,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -167,7 +167,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -188,7 +188,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/backup.if serefpolicy-3.8.8/policy/modules/admin/backup.if ---- nsaserefpolicy/policy/modules/admin/backup.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/backup.if 2010-07-30 14:06:53.000000000 -0400 -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.if serefpolicy-3.8.8/policy/modules/admin/bootloader.if ---- nsaserefpolicy/policy/modules/admin/bootloader.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/bootloader.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -56,7 +56,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -75,7 +75,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -95,7 +95,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -115,7 +115,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.8.8/policy/modules/admin/brctl.if ---- nsaserefpolicy/policy/modules/admin/brctl.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/brctl.if 2010-08-10 05:23:35.000000000 -0400 -@@ -17,3 +17,22 @@ +diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if +index 5b43db5..fdb453c 100644 +--- a/policy/modules/admin/brctl.if ++++ b/policy/modules/admin/brctl.if +@@ -17,3 +17,22 @@ interface(`brctl_domtrans',` domtrans_pattern($1, brctl_exec_t, brctl_t) ') @@ -1081,31 +480,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.i + brctl_domtrans($1) + role $2 types brctl_t; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.if serefpolicy-3.8.8/policy/modules/admin/certwatch.if ---- nsaserefpolicy/policy/modules/admin/certwatch.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/certwatch.if 2010-07-30 14:06:53.000000000 -0400 -@@ -29,7 +29,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -57,7 +57,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.8.8/policy/modules/admin/certwatch.te ---- nsaserefpolicy/policy/modules/admin/certwatch.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/certwatch.te 2010-07-30 14:06:53.000000000 -0400 -@@ -35,7 +35,7 @@ +diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te +index 89b9f2a..9cba75f 100644 +--- a/policy/modules/admin/certwatch.te ++++ b/policy/modules/admin/certwatch.te +@@ -35,7 +35,7 @@ miscfiles_read_certs(certwatch_t) miscfiles_read_localization(certwatch_t) userdom_use_user_terminals(certwatch_t) @@ -1114,7 +493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat optional_policy(` apache_exec_modules(certwatch_t) -@@ -47,6 +47,7 @@ +@@ -47,6 +47,7 @@ optional_policy(` ') optional_policy(` @@ -1122,40 +501,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat pcscd_stream_connect(certwatch_t) pcscd_read_pub_files(certwatch_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.8.8/policy/modules/admin/consoletype.if ---- nsaserefpolicy/policy/modules/admin/consoletype.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/consoletype.if 2010-07-30 14:06:53.000000000 -0400 -@@ -8,7 +8,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -32,7 +32,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -56,7 +56,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.8.8/policy/modules/admin/consoletype.te ---- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/consoletype.te 2010-07-30 14:06:53.000000000 -0400 -@@ -85,6 +85,7 @@ +diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te +index 2b12a37..ce00934 100644 +--- a/policy/modules/admin/consoletype.te ++++ b/policy/modules/admin/consoletype.te +@@ -85,6 +85,7 @@ optional_policy(` hal_dontaudit_rw_pipes(consoletype_t) hal_dontaudit_rw_dgram_sockets(consoletype_t) hal_dontaudit_write_log(consoletype_t) @@ -1163,56 +513,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ddcprobe.if serefpolicy-3.8.8/policy/modules/admin/ddcprobe.if ---- nsaserefpolicy/policy/modules/admin/ddcprobe.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/ddcprobe.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.if serefpolicy-3.8.8/policy/modules/admin/dmesg.if ---- nsaserefpolicy/policy/modules/admin/dmesg.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/dmesg.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.8.8/policy/modules/admin/dmesg.te ---- nsaserefpolicy/policy/modules/admin/dmesg.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/dmesg.te 2010-07-30 14:06:53.000000000 -0400 -@@ -50,6 +50,12 @@ +diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te +index 72bc6d8..5421065 100644 +--- a/policy/modules/admin/dmesg.te ++++ b/policy/modules/admin/dmesg.te +@@ -50,6 +50,12 @@ userdom_dontaudit_use_unpriv_user_fds(dmesg_t) userdom_use_user_terminals(dmesg_t) optional_policy(` -+ abrt_append_cache_files(dmesg_t) ++ abrt_cache_append(dmesg_t) + abrt_rw_fifo_file(dmesg_t) + abrt_manage_pid_files(dmesg_t) +') @@ -1221,154 +530,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.t seutil_sigchld_newrole(dmesg_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.if serefpolicy-3.8.8/policy/modules/admin/dmidecode.if ---- nsaserefpolicy/policy/modules/admin/dmidecode.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/dmidecode.if 2010-07-30 14:06:53.000000000 -0400 -@@ -30,7 +30,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dpkg.if serefpolicy-3.8.8/policy/modules/admin/dpkg.if ---- nsaserefpolicy/policy/modules/admin/dpkg.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/dpkg.if 2010-07-30 14:06:53.000000000 -0400 -@@ -8,7 +8,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -50,7 +50,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -77,7 +77,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -95,7 +95,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -113,7 +113,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -131,7 +131,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -149,7 +149,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -170,7 +170,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -211,7 +211,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-3.8.8/policy/modules/admin/firstboot.if ---- nsaserefpolicy/policy/modules/admin/firstboot.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/firstboot.if 2010-07-30 14:06:53.000000000 -0400 -@@ -9,7 +9,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -28,7 +28,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -52,7 +52,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -89,7 +89,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -107,7 +107,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.8.8/policy/modules/admin/firstboot.te ---- nsaserefpolicy/policy/modules/admin/firstboot.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/firstboot.te 2010-08-11 09:17:15.000000000 -0400 -@@ -91,6 +91,10 @@ +diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te +index db780c2..2c438d9 100644 +--- a/policy/modules/admin/firstboot.te ++++ b/policy/modules/admin/firstboot.te +@@ -91,6 +91,10 @@ userdom_home_filetrans_user_home_dir(firstboot_t) userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` @@ -1379,7 +545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo dbus_system_bus_client(firstboot_t) optional_policy(` -@@ -121,6 +125,7 @@ +@@ -121,6 +125,7 @@ optional_policy(` ') optional_policy(` @@ -1387,70 +553,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo gnome_manage_config(firstboot_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.if serefpolicy-3.8.8/policy/modules/admin/kudzu.if ---- nsaserefpolicy/policy/modules/admin/kudzu.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/kudzu.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -50,7 +50,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.if serefpolicy-3.8.8/policy/modules/admin/logrotate.if ---- nsaserefpolicy/policy/modules/admin/logrotate.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/logrotate.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -50,7 +50,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.8.8/policy/modules/admin/logrotate.te ---- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/logrotate.te 2010-07-30 14:06:53.000000000 -0400 -@@ -119,6 +119,7 @@ +diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te +index 0b6123e..23ef05f 100644 +--- a/policy/modules/admin/logrotate.te ++++ b/policy/modules/admin/logrotate.te +@@ -119,6 +119,7 @@ seutil_dontaudit_read_config(logrotate_t) userdom_use_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) @@ -1458,18 +565,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) -@@ -138,7 +139,7 @@ - ') - - optional_policy(` -- abrt_cache_manage(logrotate_t) -+ abrt_manage_cache_files(logrotate_t) - ') - - optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.fc serefpolicy-3.8.8/policy/modules/admin/logwatch.fc ---- nsaserefpolicy/policy/modules/admin/logwatch.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/logwatch.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc +index 3c7b1e8..1e155f5 100644 +--- a/policy/modules/admin/logwatch.fc ++++ b/policy/modules/admin/logwatch.fc @@ -1,7 +1,11 @@ /usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0) +/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0) @@ -1482,10 +581,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc /var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0) + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.8.8/policy/modules/admin/logwatch.te ---- nsaserefpolicy/policy/modules/admin/logwatch.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/logwatch.te 2010-08-17 07:18:59.000000000 -0400 -@@ -19,6 +19,9 @@ +diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te +index 75ce30f..b845467 100644 +--- a/policy/modules/admin/logwatch.te ++++ b/policy/modules/admin/logwatch.te +@@ -19,6 +19,9 @@ files_lock_file(logwatch_lock_t) type logwatch_tmp_t; files_tmp_file(logwatch_tmp_t) @@ -1495,7 +595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc ######################################## # # Local policy -@@ -39,6 +42,9 @@ +@@ -39,6 +42,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) @@ -1505,13 +605,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) -@@ -92,8 +98,16 @@ +@@ -92,8 +98,16 @@ sysnet_dns_name_resolve(logwatch_t) sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) -+userdom_dontaudit_list_admin_dir(logwatch_t) - +- -mta_send_mail(logwatch_t) ++userdom_dontaudit_list_admin_dir(logwatch_t) ++ +#mta_send_mail(logwatch_t) +mta_base_mail_template(logwatch) +mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) @@ -1523,10 +624,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc ifdef(`distro_redhat',` files_search_all(logwatch_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.8.8/policy/modules/admin/mrtg.te ---- nsaserefpolicy/policy/modules/admin/mrtg.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/mrtg.te 2010-07-30 14:06:53.000000000 -0400 -@@ -115,6 +115,7 @@ +diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te +index 0e19d80..9d58abe 100644 +--- a/policy/modules/admin/mrtg.te ++++ b/policy/modules/admin/mrtg.te +@@ -115,6 +115,7 @@ selinux_dontaudit_getattr_dir(mrtg_t) userdom_use_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) userdom_dontaudit_use_unpriv_user_fds(mrtg_t) @@ -1534,15 +636,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te netutils_domtrans_ping(mrtg_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.fc serefpolicy-3.8.8/policy/modules/admin/ncftool.fc ---- nsaserefpolicy/policy/modules/admin/ncftool.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc +new file mode 100644 +index 0000000..ae4045e +--- /dev/null ++++ b/policy/modules/admin/ncftool.fc @@ -0,0 +1,2 @@ + +/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.if serefpolicy-3.8.8/policy/modules/admin/ncftool.if ---- nsaserefpolicy/policy/modules/admin/ncftool.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.if 2010-08-10 05:23:35.000000000 -0400 +diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if +new file mode 100644 +index 0000000..8c2e044 +--- /dev/null ++++ b/policy/modules/admin/ncftool.if @@ -0,0 +1,78 @@ + +## policy for ncftool @@ -1622,9 +728,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool + allow $2 ncftool_t:process signal; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.8.8/policy/modules/admin/ncftool.te ---- nsaserefpolicy/policy/modules/admin/ncftool.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/admin/ncftool.te 2010-08-11 08:45:52.000000000 -0400 +diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te +new file mode 100644 +index 0000000..eef0c87 +--- /dev/null ++++ b/policy/modules/admin/ncftool.te @@ -0,0 +1,91 @@ +policy_module(ncftool, 1.0.0) + @@ -1717,10 +825,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool +optional_policy(` + netutils_domtrans(ncftool_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.8.8/policy/modules/admin/netutils.te ---- nsaserefpolicy/policy/modules/admin/netutils.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/netutils.te 2010-07-30 14:06:53.000000000 -0400 -@@ -51,6 +51,8 @@ +diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te +index b687b5d..4f38995 100644 +--- a/policy/modules/admin/netutils.te ++++ b/policy/modules/admin/netutils.te +@@ -51,6 +51,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) kernel_search_proc(netutils_t) kernel_read_all_sysctls(netutils_t) @@ -1729,7 +838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil corenet_all_recvfrom_unlabeled(netutils_t) corenet_all_recvfrom_netlabel(netutils_t) -@@ -67,6 +69,9 @@ +@@ -67,6 +69,9 @@ corenet_sendrecv_all_client_packets(netutils_t) corenet_udp_bind_generic_node(netutils_t) dev_read_sysfs(netutils_t) @@ -1739,7 +848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil fs_getattr_xattr_fs(netutils_t) -@@ -137,8 +142,6 @@ +@@ -137,8 +142,6 @@ logging_send_syslog_msg(ping_t) miscfiles_read_localization(ping_t) @@ -1748,7 +857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -148,11 +151,25 @@ +@@ -148,11 +151,25 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -1774,7 +883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil pcmcia_use_cardmgr_fds(ping_t) ') -@@ -197,6 +214,7 @@ +@@ -197,6 +214,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -1782,7 +891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -207,9 +225,16 @@ +@@ -207,9 +225,16 @@ logging_send_syslog_msg(traceroute_t) miscfiles_read_localization(traceroute_t) @@ -1802,10 +911,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil + term_dontaudit_use_all_ttys(traceroute_t) + term_dontaudit_use_all_ptys(traceroute_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te ---- nsaserefpolicy/policy/modules/admin/prelink.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-13 11:29:37.000000000 -0400 -@@ -59,6 +59,7 @@ +diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te +index aa0dcc6..0154b77 100644 +--- a/policy/modules/admin/prelink.te ++++ b/policy/modules/admin/prelink.te +@@ -59,6 +59,7 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) @@ -1813,7 +923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink # prelink misc objects that are not system # libraries or entrypoints -@@ -73,6 +74,7 @@ +@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t) corecmd_read_bin_symlinks(prelink_t) dev_read_urand(prelink_t) @@ -1821,7 +931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink files_list_all(prelink_t) files_getattr_all_files(prelink_t) -@@ -86,6 +88,8 @@ +@@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t) fs_getattr_xattr_fs(prelink_t) @@ -1830,7 +940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) -@@ -99,6 +103,8 @@ +@@ -99,6 +103,8 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) userdom_use_user_terminals(prelink_t) @@ -1839,7 +949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,6 +115,10 @@ +@@ -109,6 +115,10 @@ optional_policy(` ') optional_policy(` @@ -1850,7 +960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink rpm_manage_tmp_files(prelink_t) ') -@@ -129,6 +139,7 @@ +@@ -129,6 +139,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; @@ -1858,7 +968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,7 +159,7 @@ +@@ -148,7 +159,7 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) @@ -1867,7 +977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink libs_exec_ld_so(prelink_cron_system_t) -@@ -158,6 +169,8 @@ +@@ -158,6 +169,8 @@ optional_policy(` cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) @@ -1876,31 +986,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink optional_policy(` rpm_read_db(prelink_cron_system_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.if serefpolicy-3.8.8/policy/modules/admin/quota.if ---- nsaserefpolicy/policy/modules/admin/quota.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/quota.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.8.8/policy/modules/admin/readahead.te ---- nsaserefpolicy/policy/modules/admin/readahead.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/readahead.te 2010-07-30 14:06:53.000000000 -0400 -@@ -51,6 +51,7 @@ +diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te +index c5c7852..947df2b 100644 +--- a/policy/modules/admin/readahead.te ++++ b/policy/modules/admin/readahead.te +@@ -51,6 +51,7 @@ domain_read_all_domains_state(readahead_t) files_list_non_security(readahead_t) files_read_non_security_files(readahead_t) @@ -1908,7 +998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe files_create_boot_flag(readahead_t) files_getattr_all_pipes(readahead_t) files_dontaudit_getattr_all_sockets(readahead_t) -@@ -64,6 +65,7 @@ +@@ -64,6 +65,7 @@ fs_read_cgroup_files(readahead_t) fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) @@ -1916,9 +1006,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe fs_dontaudit_search_ramfs(readahead_t) fs_dontaudit_read_ramfs_pipes(readahead_t) fs_dontaudit_read_ramfs_files(readahead_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.8.8/policy/modules/admin/rpm.fc ---- nsaserefpolicy/policy/modules/admin/rpm.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/rpm.fc 2010-08-06 11:14:58.000000000 -0400 +diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc +index b206bf6..48922c9 100644 +--- a/policy/modules/admin/rpm.fc ++++ b/policy/modules/admin/rpm.fc @@ -7,6 +7,7 @@ /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -1927,7 +1018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -25,6 +26,9 @@ +@@ -25,6 +26,9 @@ ifdef(`distro_redhat', ` /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -1937,7 +1028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc ') /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -@@ -36,6 +40,8 @@ +@@ -36,6 +40,8 @@ ifdef(`distro_redhat', ` /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) @@ -1946,18 +1037,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.8.8/policy/modules/admin/rpm.if ---- nsaserefpolicy/policy/modules/admin/rpm.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/rpm.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,18 +6,21 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # +diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if +index 86463e3..ddbb3af 100644 +--- a/policy/modules/admin/rpm.if ++++ b/policy/modules/admin/rpm.if +@@ -13,11 +13,14 @@ interface(`rpm_domtrans',` gen_require(` type rpm_t, rpm_exec_t; @@ -1972,16 +1056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -69,7 +72,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -87,6 +90,11 @@ +@@ -87,6 +90,11 @@ interface(`rpm_run',` rpm_domtrans($1) role $2 types rpm_t; role $2 types rpm_script_t; @@ -1993,34 +1068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if seutil_run_loadpolicy(rpm_script_t, $2) seutil_run_semanage(rpm_script_t, $2) seutil_run_setfiles(rpm_script_t, $2) -@@ -135,7 +143,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -153,7 +161,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -171,7 +179,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -185,6 +193,41 @@ +@@ -185,6 +193,41 @@ interface(`rpm_rw_pipes',` ######################################## ## @@ -2062,34 +1110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ## Send and receive messages from ## rpm over dbus. ## -@@ -252,7 +295,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -290,7 +333,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -309,7 +352,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -338,7 +381,9 @@ +@@ -338,7 +381,9 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -2099,7 +1120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ##################################### -@@ -378,7 +423,9 @@ +@@ -378,7 +423,9 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -2109,16 +1130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -448,7 +495,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -461,6 +508,7 @@ +@@ -461,6 +508,7 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -2126,16 +1138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -487,7 +535,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -577,3 +625,66 @@ +@@ -577,3 +625,66 @@ interface(`rpm_pid_filetrans',` files_pid_filetrans($1, rpm_var_run_t, file) ') @@ -2202,9 +1205,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + allow rpm_script_t $1:fifo_file rw_fifo_file_perms; + allow rpm_script_t $1:process sigchld; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.8.8/policy/modules/admin/rpm.te ---- nsaserefpolicy/policy/modules/admin/rpm.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/rpm.te 2010-08-04 16:24:06.000000000 -0400 +diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te +index 95dbcf3..bdba9c5 100644 +--- a/policy/modules/admin/rpm.te ++++ b/policy/modules/admin/rpm.te @@ -1,10 +1,11 @@ policy_module(rpm, 1.11.1) @@ -2218,7 +1222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te type debuginfo_exec_t; domain_entry_file(rpm_t, debuginfo_exec_t) -@@ -44,6 +45,7 @@ +@@ -44,6 +45,7 @@ type rpm_script_exec_t; domain_obj_id_change_exemption(rpm_script_t) domain_system_change_exemption(rpm_script_t) corecmd_shell_entry_type(rpm_script_t) @@ -2226,7 +1230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te domain_type(rpm_script_t) domain_entry_file(rpm_t, rpm_script_exec_t) domain_interactive_fd(rpm_script_t) -@@ -77,6 +79,8 @@ +@@ -77,6 +79,8 @@ allow rpm_t self:shm create_shm_perms; allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; allow rpm_t self:msg { send receive }; @@ -2235,7 +1239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -84,6 +88,7 @@ +@@ -84,6 +88,7 @@ logging_log_filetrans(rpm_t, rpm_log_t, file) manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) @@ -2243,7 +1247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -@@ -91,6 +96,7 @@ +@@ -91,6 +96,7 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -2251,7 +1255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) -@@ -100,12 +106,14 @@ +@@ -100,12 +106,14 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir) manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) @@ -2267,7 +1271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te corecmd_exec_all_executables(rpm_t) -@@ -125,6 +133,8 @@ +@@ -125,6 +133,8 @@ corenet_sendrecv_all_client_packets(rpm_t) dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) @@ -2276,7 +1280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) -@@ -205,6 +215,7 @@ +@@ -205,6 +215,7 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -2284,7 +1288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') optional_policy(` -@@ -212,7 +223,7 @@ +@@ -212,7 +223,7 @@ optional_policy(` ') optional_policy(` @@ -2293,7 +1297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) -@@ -242,6 +253,8 @@ +@@ -242,6 +253,8 @@ allow rpm_script_t rpm_tmp_t:file read_file_perms; allow rpm_script_t rpm_script_tmp_t:dir mounton; manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) @@ -2302,7 +1306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -254,6 +267,7 @@ +@@ -254,6 +267,7 @@ fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_fi kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) kernel_read_network_state(rpm_script_t) @@ -2310,7 +1314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te kernel_read_software_raid_state(rpm_script_t) dev_list_sysfs(rpm_script_t) -@@ -301,6 +315,8 @@ +@@ -301,6 +315,8 @@ auth_manage_all_files_except_shadow(rpm_script_t) auth_relabel_shadow(rpm_script_t) corecmd_exec_all_executables(rpm_script_t) @@ -2319,7 +1323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -331,12 +347,15 @@ +@@ -331,12 +347,15 @@ modutils_domtrans_insmod(rpm_script_t) seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -2335,7 +1339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') ') -@@ -366,8 +385,9 @@ +@@ -366,8 +385,9 @@ optional_policy(` ') optional_policy(` @@ -2346,21 +1350,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te optional_policy(` java_domtrans_unconfined(rpm_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectoolm.te serefpolicy-3.8.8/policy/modules/admin/sectoolm.te ---- nsaserefpolicy/policy/modules/admin/sectoolm.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/sectoolm.te 2010-07-30 14:06:53.000000000 -0400 -@@ -84,6 +84,7 @@ - sysnet_domtrans_ifconfig(sectoolm_t) - - userdom_manage_user_tmp_sockets(sectoolm_t) -+userdom_write_user_tmp_sockets(sectoolm_t) - - optional_policy(` - mount_exec(sectoolm_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.8.8/policy/modules/admin/shorewall.if ---- nsaserefpolicy/policy/modules/admin/shorewall.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/shorewall.if 2010-08-17 06:09:36.000000000 -0400 -@@ -18,6 +18,24 @@ +diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if +index 0948921..992a7fc 100644 +--- a/policy/modules/admin/shorewall.if ++++ b/policy/modules/admin/shorewall.if +@@ -18,6 +18,24 @@ interface(`shorewall_domtrans',` domtrans_pattern($1, shorewall_exec_t, shorewall_t) ') @@ -2385,7 +1379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa ####################################### ## ## Read shorewall etc configuration files. -@@ -134,9 +152,10 @@ +@@ -134,9 +152,10 @@ interface(`shorewall_rw_lib_files',` # interface(`shorewall_admin',` gen_require(` @@ -2398,7 +1392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa ') allow $1 shorewall_t:process { ptrace signal_perms }; -@@ -153,12 +172,12 @@ +@@ -153,12 +172,12 @@ interface(`shorewall_admin',` files_search_locks($1) admin_pattern($1, shorewall_lock_t) @@ -2414,10 +1408,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa files_search_tmp($1) admin_pattern($1, shorewall_tmp_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.8.8/policy/modules/admin/shorewall.te ---- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/shorewall.te 2010-08-17 06:09:36.000000000 -0400 -@@ -58,6 +58,9 @@ +diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te +index a22e546..ffc0571 100644 +--- a/policy/modules/admin/shorewall.te ++++ b/policy/modules/admin/shorewall.te +@@ -58,6 +58,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) @@ -2427,7 +1422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa kernel_read_kernel_sysctls(shorewall_t) kernel_read_network_state(shorewall_t) -@@ -80,13 +83,18 @@ +@@ -80,13 +83,18 @@ fs_getattr_all_fs(shorewall_t) init_rw_utmp(shorewall_t) @@ -2447,19 +1442,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa optional_policy(` hostname_exec(shorewall_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.8.8/policy/modules/admin/shutdown.fc ---- nsaserefpolicy/policy/modules/admin/shutdown.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc +index 9174268..09c3771 100644 +--- a/policy/modules/admin/shutdown.fc ++++ b/policy/modules/admin/shutdown.fc @@ -3,3 +3,5 @@ /sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) /var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) + +/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.8.8/policy/modules/admin/shutdown.if ---- nsaserefpolicy/policy/modules/admin/shutdown.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.if 2010-07-30 14:06:53.000000000 -0400 -@@ -19,10 +19,11 @@ +diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if +index d2c068d..914e1ac 100644 +--- a/policy/modules/admin/shutdown.if ++++ b/policy/modules/admin/shutdown.if +@@ -19,10 +19,11 @@ interface(`shutdown_domtrans',` ifdef(`hide_broken_symptoms', ` dontaudit shutdown_t $1:socket_class_set { read write }; @@ -2472,7 +1469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow ######################################## ## ## Execute shutdown in the shutdown domain, and -@@ -50,6 +51,73 @@ +@@ -50,6 +51,73 @@ interface(`shutdown_run',` ######################################## ## @@ -2546,10 +1543,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow ## Get attributes of shutdown executable. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.8.8/policy/modules/admin/shutdown.te ---- nsaserefpolicy/policy/modules/admin/shutdown.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.te 2010-08-10 05:23:35.000000000 -0400 -@@ -36,6 +36,8 @@ +diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te +index 51f7c3a..707fb3d 100644 +--- a/policy/modules/admin/shutdown.te ++++ b/policy/modules/admin/shutdown.te +@@ -36,6 +36,8 @@ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) files_read_etc_files(shutdown_t) files_read_generic_pids(shutdown_t) @@ -2558,7 +1556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow term_use_all_terms(shutdown_t) auth_use_nsswitch(shutdown_t) -@@ -55,5 +57,10 @@ +@@ -55,5 +57,10 @@ optional_policy(` ') optional_policy(` @@ -2569,10 +1567,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +optional_policy(` xserver_dontaudit_write_log(shutdown_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.8.8/policy/modules/admin/smoltclient.te ---- nsaserefpolicy/policy/modules/admin/smoltclient.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/smoltclient.te 2010-08-23 17:32:41.000000000 -0400 -@@ -42,6 +42,7 @@ +diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te +index 254c59d..35f2bb0 100644 +--- a/policy/modules/admin/smoltclient.te ++++ b/policy/modules/admin/smoltclient.te +@@ -42,6 +42,7 @@ dev_read_sysfs(smoltclient_t) fs_getattr_all_fs(smoltclient_t) fs_getattr_all_dirs(smoltclient_t) @@ -2580,10 +1579,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl files_getattr_generic_locks(smoltclient_t) files_read_etc_files(smoltclient_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.8.8/policy/modules/admin/sudo.if ---- nsaserefpolicy/policy/modules/admin/sudo.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/sudo.if 2010-07-30 14:06:53.000000000 -0400 -@@ -76,6 +76,8 @@ +diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if +index a0aa8c5..1b60ad8 100644 +--- a/policy/modules/admin/su.if ++++ b/policy/modules/admin/su.if +@@ -212,7 +212,7 @@ template(`su_role_template',` + + auth_domtrans_chk_passwd($1_su_t) + auth_dontaudit_read_shadow($1_su_t) +- auth_use_nsswitch($1_su_t) ++ auth_use_pam($1_su_t) + auth_rw_faillog($1_su_t) + + corecmd_search_bin($1_su_t) +@@ -236,6 +236,7 @@ template(`su_role_template',` + + userdom_use_user_terminals($1_su_t) + userdom_search_user_home_dirs($1_su_t) ++ userdom_search_admin_dir($1_su_t) + + ifdef(`distro_redhat',` + # RHEL5 and possibly newer releases incl. Fedora +diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if +index 5f44f1b..e753ac9 100644 +--- a/policy/modules/admin/sudo.if ++++ b/policy/modules/admin/sudo.if +@@ -76,6 +76,8 @@ template(`sudo_role_template',` # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $3) corecmd_bin_domtrans($1_sudo_t, $3) @@ -2592,7 +1613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if allow $3 $1_sudo_t:fd use; allow $3 $1_sudo_t:fifo_file rw_file_perms; allow $3 $1_sudo_t:process signal_perms; -@@ -134,12 +136,16 @@ +@@ -134,12 +136,16 @@ template(`sudo_role_template',` userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_use_user_terminals($1_sudo_t) # for some PAM modules and for cwd @@ -2610,42 +1631,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_sudo_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.8.8/policy/modules/admin/su.if ---- nsaserefpolicy/policy/modules/admin/su.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/su.if 2010-07-30 14:06:53.000000000 -0400 -@@ -212,7 +212,7 @@ - - auth_domtrans_chk_passwd($1_su_t) - auth_dontaudit_read_shadow($1_su_t) -- auth_use_nsswitch($1_su_t) -+ auth_use_pam($1_su_t) - auth_rw_faillog($1_su_t) - - corecmd_search_bin($1_su_t) -@@ -236,6 +236,7 @@ - - userdom_use_user_terminals($1_su_t) - userdom_search_user_home_dirs($1_su_t) -+ userdom_search_admin_dir($1_su_t) - - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. Fedora -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.if serefpolicy-3.8.8/policy/modules/admin/tmpreaper.if ---- nsaserefpolicy/policy/modules/admin/tmpreaper.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/tmpreaper.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.8.8/policy/modules/admin/tmpreaper.te ---- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/tmpreaper.te 2010-07-30 14:06:53.000000000 -0400 -@@ -25,8 +25,11 @@ +diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te +index 6a5004b..50cd538 100644 +--- a/policy/modules/admin/tmpreaper.te ++++ b/policy/modules/admin/tmpreaper.te +@@ -25,8 +25,11 @@ fs_getattr_xattr_fs(tmpreaper_t) files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) @@ -2657,7 +1647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap files_getattr_all_dirs(tmpreaper_t) files_getattr_all_files(tmpreaper_t) -@@ -52,7 +55,9 @@ +@@ -52,7 +55,9 @@ optional_policy(` ') optional_policy(` @@ -2667,7 +1657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,6 +71,14 @@ +@@ -66,6 +71,14 @@ optional_policy(` ') optional_policy(` @@ -2682,124 +1672,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap rpm_manage_cache(tmpreaper_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/updfstab.if serefpolicy-3.8.8/policy/modules/admin/updfstab.if ---- nsaserefpolicy/policy/modules/admin/updfstab.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/updfstab.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usbmodules.if serefpolicy-3.8.8/policy/modules/admin/usbmodules.if ---- nsaserefpolicy/policy/modules/admin/usbmodules.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/usbmodules.if 2010-07-30 14:06:53.000000000 -0400 -@@ -26,7 +26,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.8.8/policy/modules/admin/usermanage.if ---- nsaserefpolicy/policy/modules/admin/usermanage.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/usermanage.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -31,7 +31,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -55,7 +55,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -80,7 +80,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -109,7 +109,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -152,7 +152,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -200,7 +200,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -229,7 +229,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -247,7 +247,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -272,7 +272,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -290,6 +290,9 @@ +diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if +index aecbf1c..0b5e634 100644 +--- a/policy/modules/admin/usermanage.if ++++ b/policy/modules/admin/usermanage.if +@@ -290,6 +290,9 @@ interface(`usermanage_run_useradd',` usermanage_domtrans_useradd($1) role $2 types useradd_t; @@ -2809,19 +1686,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman seutil_run_semanage(useradd_t, $2) optional_policy(` -@@ -303,7 +306,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.8.8/policy/modules/admin/usermanage.te ---- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/usermanage.te 2010-07-30 14:06:53.000000000 -0400 -@@ -295,6 +295,7 @@ +diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te +index c35d801..3045a19 100644 +--- a/policy/modules/admin/usermanage.te ++++ b/policy/modules/admin/usermanage.te +@@ -295,6 +295,7 @@ selinux_compute_user_contexts(passwd_t) term_use_all_ttys(passwd_t) term_use_all_ptys(passwd_t) @@ -2829,7 +1698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman auth_domtrans_chk_passwd(passwd_t) auth_manage_shadow(passwd_t) -@@ -304,6 +305,9 @@ +@@ -304,6 +305,9 @@ auth_use_nsswitch(passwd_t) # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) @@ -2839,7 +1708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman domain_use_interactive_fds(passwd_t) -@@ -334,6 +338,7 @@ +@@ -334,6 +338,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -2847,7 +1716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman optional_policy(` nscd_domtrans(passwd_t) -@@ -428,7 +433,7 @@ +@@ -428,7 +433,7 @@ optional_policy(` # Useradd local policy # @@ -2856,7 +1725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -500,12 +505,8 @@ +@@ -500,12 +505,8 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -2870,10 +1739,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman mta_manage_spool(useradd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.8.8/policy/modules/admin/vbetool.te ---- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/vbetool.te 2010-07-30 14:06:53.000000000 -0400 -@@ -24,7 +24,10 @@ +diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te +index edfa54e..8215138 100644 +--- a/policy/modules/admin/vbetool.te ++++ b/policy/modules/admin/vbetool.te +@@ -24,7 +24,10 @@ dev_rw_sysfs(vbetool_t) dev_rw_xserver_misc(vbetool_t) dev_rw_mtrr(vbetool_t) @@ -2885,10 +1755,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool mls_file_read_all_levels(vbetool_t) mls_file_write_all_levels(vbetool_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.8.8/policy/modules/admin/vpn.te ---- nsaserefpolicy/policy/modules/admin/vpn.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/admin/vpn.te 2010-07-30 14:06:53.000000000 -0400 -@@ -107,6 +107,7 @@ +diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te +index a870982..6542902 100644 +--- a/policy/modules/admin/vpn.te ++++ b/policy/modules/admin/vpn.te +@@ -107,6 +107,7 @@ sysnet_manage_config(vpnc_t) userdom_use_all_users_fds(vpnc_t) userdom_dontaudit_search_user_home_content(vpnc_t) @@ -2896,10 +1767,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te optional_policy(` dbus_system_bus_client(vpnc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.8.8/policy/modules/apps/awstats.te ---- nsaserefpolicy/policy/modules/apps/awstats.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/awstats.te 2010-07-30 14:06:53.000000000 -0400 -@@ -47,6 +47,7 @@ +diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te +index 051b979..31397a3 100644 +--- a/policy/modules/apps/awstats.te ++++ b/policy/modules/apps/awstats.te +@@ -47,6 +47,7 @@ dev_read_urand(awstats_t) files_read_etc_files(awstats_t) # e.g. /usr/share/awstats/lang/awstats-en.txt files_read_usr_files(awstats_t) @@ -2907,16 +1779,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats. fs_list_inotifyfs(awstats_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.8.8/policy/modules/apps/chrome.fc ---- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/chrome.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc +new file mode 100644 +index 0000000..432fb25 +--- /dev/null ++++ b/policy/modules/apps/chrome.fc @@ -0,0 +1,3 @@ + /opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) + +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.8.8/policy/modules/apps/chrome.if ---- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/chrome.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if +new file mode 100644 +index 0000000..5ef90cd +--- /dev/null ++++ b/policy/modules/apps/chrome.if @@ -0,0 +1,90 @@ + +## policy for chrome @@ -3008,9 +1884,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.8.8/policy/modules/apps/chrome.te ---- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/chrome.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te +new file mode 100644 +index 0000000..90c754f +--- /dev/null ++++ b/policy/modules/apps/chrome.te @@ -0,0 +1,86 @@ +policy_module(chrome,1.0.0) + @@ -3098,10 +1976,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t + fs_dontaudit_append_cifs_files(chrome_sandbox_t) + fs_dontaudit_read_cifs_files(chrome_sandbox_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.8.8/policy/modules/apps/cpufreqselector.te ---- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/cpufreqselector.te 2010-07-30 14:06:53.000000000 -0400 -@@ -27,7 +27,7 @@ +diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te +index 7fd0900..899e234 100644 +--- a/policy/modules/apps/cpufreqselector.te ++++ b/policy/modules/apps/cpufreqselector.te +@@ -27,7 +27,7 @@ dev_rw_sysfs(cpufreqselector_t) miscfiles_read_localization(cpufreqselector_t) userdom_read_all_users_state(cpufreqselector_t) @@ -3110,9 +1989,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs optional_policy(` dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.8.8/policy/modules/apps/execmem.fc ---- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/execmem.fc 2010-08-13 16:54:24.000000000 -0400 +diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc +new file mode 100644 +index 0000000..9bd4f45 +--- /dev/null ++++ b/policy/modules/apps/execmem.fc @@ -0,0 +1,48 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -3162,9 +2043,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.8.8/policy/modules/apps/execmem.if ---- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/execmem.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if +new file mode 100644 +index 0000000..06ed3de +--- /dev/null ++++ b/policy/modules/apps/execmem.if @@ -0,0 +1,110 @@ +## execmem domain + @@ -3276,9 +2159,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. + + domtrans_pattern($1, execmem_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.8.8/policy/modules/apps/execmem.te ---- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/execmem.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te +new file mode 100644 +index 0000000..a7d37e2 +--- /dev/null ++++ b/policy/modules/apps/execmem.te @@ -0,0 +1,10 @@ +policy_module(execmem, 1.0.0) + @@ -3290,17 +2175,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem. +type execmem_exec_t alias unconfined_execmem_exec_t; +application_executable_file(execmem_exec_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.8.8/policy/modules/apps/firewallgui.fc ---- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/firewallgui.fc b/policy/modules/apps/firewallgui.fc +new file mode 100644 +index 0000000..ce498b3 +--- /dev/null ++++ b/policy/modules/apps/firewallgui.fc @@ -0,0 +1,3 @@ + +/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.8.8/policy/modules/apps/firewallgui.if ---- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.if 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1,23 @@ +diff --git a/policy/modules/apps/firewallgui.if b/policy/modules/apps/firewallgui.if +new file mode 100644 +index 0000000..7fe26f3 +--- /dev/null ++++ b/policy/modules/apps/firewallgui.if +@@ -0,0 +1,41 @@ + +## policy for firewallgui + @@ -3324,9 +2213,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + allow $1 firewallgui_t:dbus send_msg; + allow firewallgui_t $1:dbus send_msg; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.8.8/policy/modules/apps/firewallgui.te ---- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/firewallgui.te 2010-07-30 14:06:53.000000000 -0400 ++ ++######################################## ++## ++## Read and write firewallgui unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`firewallgui_dontaudit_rw_pipes',` ++ gen_require(` ++ type firewallgui_t; ++ ') ++ ++ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms; ++') +diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te +new file mode 100644 +index 0000000..4da3d86 +--- /dev/null ++++ b/policy/modules/apps/firewallgui.te @@ -0,0 +1,66 @@ +policy_module(firewallgui,1.0.0) + @@ -3394,16 +2303,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall + policykit_dbus_chat(firewallgui_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.8.8/policy/modules/apps/gnome.fc ---- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/gnome.fc 2010-08-23 10:35:05.000000000 -0400 -@@ -1,8 +1,30 @@ +diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc +index 00a19e3..46db5ff 100644 +--- a/policy/modules/apps/gnome.fc ++++ b/policy/modules/apps/gnome.fc +@@ -1,9 +1,30 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) -+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) + HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) ++HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) +/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) @@ -3430,14 +2340,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc + +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.8.8/policy/modules/apps/gnome.if ---- nsaserefpolicy/policy/modules/apps/gnome.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/gnome.if 2010-08-23 14:05:52.000000000 -0400 -@@ -74,6 +74,24 @@ +diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if +index f5afe78..852f36f 100644 +--- a/policy/modules/apps/gnome.if ++++ b/policy/modules/apps/gnome.if +@@ -37,8 +37,26 @@ interface(`gnome_role',` ######################################## ## -+## Dontaudit search gnome homedir content (.config) +-## Execute gconf programs in +-## in the caller domain. ++## gconf connection template. +## +## +## @@ -3445,23 +2358,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if +## +## +# -+interface(`gnome_dontaudit_search_config',` ++interface(`gnome_stream_connect_gconf',` + gen_require(` -+ attribute gnome_home_type; ++ type gconfd_t, gconf_tmp_t; + ') + -+ dontaudit $1 gnome_home_type:dir search_dir_perms; ++ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) ++ allow $1 gconfd_t:unix_stream_socket connectto; +') + +######################################## +## - ## manage gnome homedir content (.config) ++## Run gconfd in gconfd domain. ## - ## -@@ -84,10 +102,426 @@ + ## + ## +@@ -46,75 +64,124 @@ interface(`gnome_role',` + ## + ## # - interface(`gnome_manage_config',` +-interface(`gnome_exec_gconf',` ++interface(`gnome_domtrans_gconfd',` gen_require(` +- type gconfd_exec_t; ++ type gconfd_t, gconfd_exec_t; + ') + +- can_exec($1, gconfd_exec_t) ++ domtrans_pattern($1, gconfd_exec_t, gconfd_t) ++') ++ ++######################################## ++## ++## Dontaudit search gnome homedir content (.config) ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++interface(`gnome_dontaudit_search_config',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ dontaudit $1 gnome_home_type:dir search_dir_perms; + ') + + ######################################## + ## +-## Read gconf config files. ++## manage gnome homedir content (.config) + ## + ## + ## ++## The type of the user domain. ++## ++## ++# ++interface(`gnome_manage_config',` ++ gen_require(` + attribute gnome_home_type; + ') + @@ -3477,29 +2434,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if +## +## +## -+## Domain allowed access. -+## -+## -+# + ## Domain allowed access. + ## + ## + # +-template(`gnome_read_gconf_config',` +interface(`gnome_signal_all',` -+ gen_require(` + gen_require(` +- type gconf_etc_t; + attribute gnomedomain; -+ ') -+ + ') + +- allow $1 gconf_etc_t:dir list_dir_perms; +- read_files_pattern($1, gconf_etc_t, gconf_etc_t) +- files_search_etc($1) + allow $1 gnomedomain:process signal; -+') -+ + ') + +-####################################### +######################################## -+## + ## +-## Create, read, write, and delete gconf config files. +## Create objects in a Gnome cache home directory +## with an automatic type transition to +## a specified private type. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## +## +## The type of the object to create. @@ -3510,50 +2474,64 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if +## The class of the object to be created. +## +## -+# + # +-interface(`gnome_manage_gconf_config',` +interface(`gnome_cache_filetrans',` -+ gen_require(` + gen_require(` +- type gconf_etc_t; + type cache_home_t; -+ ') -+ + ') + +- manage_files_pattern($1, gconf_etc_t, gconf_etc_t) +- files_search_etc($1) + filetrans_pattern($1, cache_home_t, $2, $3) + userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## gconf connection template. +## Read generic cache home files (.cache) -+## + ## +-## +## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## Domain allowed access. + ## + ## + # +-interface(`gnome_stream_connect_gconf',` +interface(`gnome_read_generic_cache_files',` -+ gen_require(` + gen_require(` +- type gconfd_t, gconf_tmp_t; + type cache_home_t; -+ ') -+ + ') + +- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) +- allow $1 gconfd_t:unix_stream_socket connectto; + read_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Run gconfd in gconfd domain. +## Set attributes of cache home dir (.cache) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -122,12 +189,52 @@ interface(`gnome_stream_connect_gconf',` + ## + ## + # +-interface(`gnome_domtrans_gconfd',` +interface(`gnome_setattr_cache_home_dir',` -+ gen_require(` + gen_require(` +- type gconfd_t, gconfd_exec_t; + type cache_home_t; -+ ') -+ + ') + +- domtrans_pattern($1, gconfd_exec_t, gconfd_t) + setattr_dirs_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +') @@ -3595,40 +2573,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + list_dirs_pattern($1, gnome_home_type, gnome_home_type) + read_files_pattern($1, gnome_home_type, gnome_home_type) + read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) -+') -+ -+######################################## -+## -+## Set attributes of Gnome config dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_setattr_config_dirs',` -+ gen_require(` - type gnome_home_t; - ') + ') -- allow $1 gnome_home_t:dir manage_dir_perms; -- allow $1 gnome_home_t:file manage_file_perms; -+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) -+ files_search_home($1) -+') -+ -+######################################## -+## + ######################################## +@@ -151,40 +258,270 @@ interface(`gnome_setattr_config_dirs',` + + ######################################## + ## +-## Read gnome homedir content (.config) +## Create objects in a Gnome gconf home directory +## with an automatic type transition to +## a specified private type. -+## + ## +-## +## -+## -+## Domain allowed access. -+## -+## + ## + ## Domain allowed access. + ## + ## +## +## +## The type of the object to create. @@ -3639,18 +2601,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if +## The class of the object to be created. +## +## -+# + # +-template(`gnome_read_config',` +interface(`gnome_data_filetrans',` -+ gen_require(` + gen_require(` +- type gnome_home_t; + type data_home_t; -+ ') -+ + ') + +- list_dirs_pattern($1, gnome_home_t, gnome_home_t) +- read_files_pattern($1, gnome_home_t, gnome_home_t) +- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) + filetrans_pattern($1, data_home_t, $2, $3) + gnome_search_gconf($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## manage gnome homedir content (.config) +## Create gconf_home_t objects in the /root directory +## +## @@ -3675,9 +2643,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if +######################################## +## +## read gconf config files -+## -+## -+## + ## + ## + ## +## The type of the user domain. +## +## @@ -3717,12 +2685,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if +## +## +## -+## Domain allowed access. -+## -+## -+# + ## Domain allowed access. + ## + ## + # +-interface(`gnome_manage_config',` +interface(`gnome_exec_gconf',` -+ gen_require(` + gen_require(` +- type gnome_home_t; + type gconfd_exec_t; + ') + @@ -3764,8 +2734,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if +interface(`gnome_search_gconf',` + gen_require(` + type gconf_home_t; -+ ') -+ + ') + +- allow $1 gnome_home_t:dir manage_dir_perms; +- allow $1 gnome_home_t:file manage_file_perms; + allow $1 gconf_home_t:dir search_dir_perms; userdom_search_user_home_dirs($1) ') @@ -3887,18 +2859,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + allow $1 gconfdefaultsm_t:dbus send_msg; + allow gconfdefaultsm_t $1:dbus send_msg; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.8.8/policy/modules/apps/gnome.te ---- nsaserefpolicy/policy/modules/apps/gnome.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/gnome.te 2010-07-30 14:06:53.000000000 -0400 -@@ -6,18 +6,33 @@ +diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te +index 35f7486..26852d2 100644 +--- a/policy/modules/apps/gnome.te ++++ b/policy/modules/apps/gnome.te +@@ -6,11 +6,24 @@ policy_module(gnome, 2.0.1) # attribute gnomedomain; +attribute gnome_home_type; type gconf_etc_t; --files_type(gconf_etc_t) -+files_config_file(gconf_etc_t) + files_config_file(gconf_etc_t) -type gconf_home_t; +type data_home_t, gnome_home_type; @@ -3916,17 +2888,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te +type gconf_home_t, gnome_home_type; typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; -+typealias gconf_home_t alias unconfined_gconf_home_t; - userdom_user_home_content(gconf_home_t) - - type gconf_tmp_t; - typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; - typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; -+typealias gconf_tmp_t alias unconfined_gconf_tmp_t; - files_tmp_file(gconf_tmp_t) - ubac_constrained(gconf_tmp_t) - -@@ -28,11 +43,20 @@ + typealias gconf_home_t alias unconfined_gconf_home_t; +@@ -30,12 +43,20 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; application_domain(gconfd_t, gconfd_exec_t) ubac_constrained(gconfd_t) @@ -3934,7 +2897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te +type gnome_home_t, gnome_home_type; typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; -+typealias gnome_home_t alias unconfined_gnome_home_t; + typealias gnome_home_t alias unconfined_gnome_home_t; userdom_user_home_content(gnome_home_t) +type gconfdefaultsm_t; @@ -3948,7 +2911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te ############################## # # Local Policy -@@ -72,3 +96,91 @@ +@@ -75,3 +96,91 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -4040,19 +3003,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te + policykit_read_lib(gnomesystemmm_t) + policykit_read_reload(gnomesystemmm_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.8.8/policy/modules/apps/gpg.fc ---- nsaserefpolicy/policy/modules/apps/gpg.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/gpg.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc +index e9853d4..717d163 100644 +--- a/policy/modules/apps/gpg.fc ++++ b/policy/modules/apps/gpg.fc @@ -1,4 +1,5 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.8.8/policy/modules/apps/gpg.if ---- nsaserefpolicy/policy/modules/apps/gpg.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/gpg.if 2010-07-30 14:06:53.000000000 -0400 -@@ -85,6 +85,43 @@ +diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if +index 40e0a2a..7c48fc5 100644 +--- a/policy/modules/apps/gpg.if ++++ b/policy/modules/apps/gpg.if +@@ -85,6 +85,43 @@ interface(`gpg_domtrans',` domtrans_pattern($1, gpg_exec_t, gpg_t) ') @@ -4096,10 +3061,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ######################################## ## ## Send generic signals to user gpg processes. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.8.8/policy/modules/apps/gpg.te ---- nsaserefpolicy/policy/modules/apps/gpg.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/gpg.te 2010-08-23 14:06:23.000000000 -0400 -@@ -4,6 +4,7 @@ +diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te +index 4525c37..e9a7937 100644 +--- a/policy/modules/apps/gpg.te ++++ b/policy/modules/apps/gpg.te +@@ -4,6 +4,7 @@ policy_module(gpg, 2.3.1) # # Declarations # @@ -4107,7 +3073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s ## ##

-@@ -13,7 +14,15 @@ +@@ -13,7 +14,15 @@ policy_module(gpg, 2.3.1) ## gen_tunable(gpg_agent_env_file, false) @@ -4124,7 +3090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s type gpg_exec_t; typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; -@@ -62,17 +71,23 @@ +@@ -62,17 +71,23 @@ type gpg_pinentry_tmpfs_t; files_tmpfs_file(gpg_pinentry_tmpfs_t) ubac_constrained(gpg_pinentry_tmpfs_t) @@ -4153,7 +3119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -@@ -128,6 +143,7 @@ +@@ -128,6 +143,7 @@ userdom_use_user_terminals(gpg_t) userdom_manage_user_tmp_files(gpg_t) userdom_manage_user_home_content_files(gpg_t) userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) @@ -4161,7 +3127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s mta_write_config(gpg_t) -@@ -142,6 +158,10 @@ +@@ -142,6 +158,10 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -4172,7 +3138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s mozilla_read_user_home_files(gpg_t) mozilla_write_user_home_files(gpg_t) ') -@@ -151,10 +171,10 @@ +@@ -151,10 +171,10 @@ optional_policy(` xserver_rw_xdm_pipes(gpg_t) ') @@ -4187,7 +3153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s ######################################## # -@@ -205,6 +225,7 @@ +@@ -205,6 +225,7 @@ tunable_policy(`use_samba_home_dirs',` # # GPG agent local policy # @@ -4195,7 +3161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s # rlimit: gpg-agent wants to prevent coredumps allow gpg_agent_t self:process setrlimit; -@@ -245,6 +266,7 @@ +@@ -245,6 +266,7 @@ userdom_search_user_home_dirs(gpg_agent_t) ifdef(`hide_broken_symptoms',` userdom_dontaudit_read_user_tmp_files(gpg_agent_t) @@ -4203,7 +3169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s ') tunable_policy(`gpg_agent_env_file',` -@@ -332,6 +354,9 @@ +@@ -332,6 +354,9 @@ miscfiles_read_localization(gpg_pinentry_t) # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) userdom_read_user_tmpfs_files(gpg_pinentry_t) @@ -4213,7 +3179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) -@@ -347,6 +372,12 @@ +@@ -347,6 +372,12 @@ optional_policy(` ') optional_policy(` @@ -4226,7 +3192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -356,4 +387,28 @@ +@@ -356,4 +387,28 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) @@ -4255,9 +3221,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +tunable_policy(`gpg_web_anon_write',` + miscfiles_manage_public_files(gpg_web_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.8.8/policy/modules/apps/irc.fc ---- nsaserefpolicy/policy/modules/apps/irc.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/irc.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc +index 65ece18..6bfdfd3 100644 +--- a/policy/modules/apps/irc.fc ++++ b/policy/modules/apps/irc.fc @@ -2,10 +2,14 @@ # /home # @@ -4273,9 +3240,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc s /usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0) /usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.8.8/policy/modules/apps/irc.if ---- nsaserefpolicy/policy/modules/apps/irc.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/irc.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if +index 4f9dc90..8dc8a5f 100644 +--- a/policy/modules/apps/irc.if ++++ b/policy/modules/apps/irc.if @@ -18,9 +18,11 @@ interface(`irc_role',` gen_require(` @@ -4288,7 +3256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if s # Transition from the user domain to the derived domain. domtrans_pattern($2, irc_exec_t, irc_t) -@@ -28,4 +30,17 @@ +@@ -28,4 +30,17 @@ interface(`irc_role',` # allow ps to show irc ps_process_pattern($2, irc_t) allow $2 irc_t:process signal; @@ -4306,10 +3274,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if s + relabel_files_pattern($2, irssi_home_t, irssi_home_t) + relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.8.8/policy/modules/apps/irc.te ---- nsaserefpolicy/policy/modules/apps/irc.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/irc.te 2010-07-30 14:06:53.000000000 -0400 -@@ -24,6 +24,30 @@ +diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te +index 66beb80..b7c6502 100644 +--- a/policy/modules/apps/irc.te ++++ b/policy/modules/apps/irc.te +@@ -24,6 +24,30 @@ userdom_user_home_content(irc_tmp_t) ######################################## # @@ -4340,7 +3309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s # Local policy # -@@ -101,3 +125,83 @@ +@@ -101,3 +125,83 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` nis_use_ypbind(irc_t) ') @@ -4424,9 +3393,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s + nis_use_ypbind(irssi_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.8.8/policy/modules/apps/java.fc ---- nsaserefpolicy/policy/modules/apps/java.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/java.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc +index 86c1768..87d560b 100644 +--- a/policy/modules/apps/java.fc ++++ b/policy/modules/apps/java.fc @@ -9,6 +9,7 @@ # # /usr @@ -4445,10 +3415,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc ifdef(`distro_redhat',` /usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.8.8/policy/modules/apps/java.if ---- nsaserefpolicy/policy/modules/apps/java.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/java.if 2010-07-30 14:06:53.000000000 -0400 -@@ -72,7 +72,8 @@ +diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if +index e6d84e8..f0c4777 100644 +--- a/policy/modules/apps/java.if ++++ b/policy/modules/apps/java.if +@@ -72,7 +72,8 @@ template(`java_role_template',` domain_interactive_fd($1_java_t) @@ -4458,7 +3429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if allow $1_java_t self:process { ptrace signal getsched execmem execstack }; -@@ -82,7 +83,7 @@ +@@ -82,7 +83,7 @@ template(`java_role_template',` domtrans_pattern($3, java_exec_t, $1_java_t) @@ -4467,16 +3438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if dev_dontaudit_append_rand($1_java_t) -@@ -120,7 +121,7 @@ - ##

- ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -179,6 +180,7 @@ +@@ -179,6 +180,7 @@ interface(`java_run_unconfined',` java_domtrans_unconfined($1) role $2 types unconfined_java_t; @@ -4484,10 +3446,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.8.8/policy/modules/apps/java.te ---- nsaserefpolicy/policy/modules/apps/java.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/java.te 2010-08-13 15:48:49.000000000 -0400 -@@ -82,12 +82,12 @@ +diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te +index 726e853..90ce46a 100644 +--- a/policy/modules/apps/java.te ++++ b/policy/modules/apps/java.te +@@ -82,12 +82,12 @@ dev_read_urand(java_t) dev_read_rand(java_t) dev_dontaudit_append_rand(java_t) @@ -4501,7 +3464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te fs_getattr_xattr_fs(java_t) fs_dontaudit_rw_tmpfs_files(java_t) -@@ -143,12 +143,15 @@ +@@ -143,12 +143,15 @@ optional_policy(` # execheap is needed for itanium/BEA jrocket allow unconfined_java_t self:process { execstack execmem execheap }; @@ -4517,95 +3480,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te optional_policy(` rpm_domtrans(unconfined_java_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.8.8/policy/modules/apps/kdumpgui.fc ---- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1,2 @@ -+ -+/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.8.8/policy/modules/apps/kdumpgui.if ---- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.if 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1,2 @@ -+## system-config-kdump policy -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te ---- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/kdumpgui.te 2010-08-11 08:49:51.000000000 -0400 -@@ -0,0 +1,69 @@ -+policy_module(kdumpgui,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type kdumpgui_t; -+type kdumpgui_exec_t; -+ -+dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) -+ -+###################################### -+# -+# system-config-kdump local policy -+# -+ +diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te +index f63c4c2..3812a46 100644 +--- a/policy/modules/apps/kdumpgui.te ++++ b/policy/modules/apps/kdumpgui.te +@@ -14,6 +14,7 @@ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) + # system-config-kdump local policy + # + +allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio }; -+allow kdumpgui_t self:fifo_file rw_fifo_file_perms; -+ -+allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; -+ -+kdump_manage_config(kdumpgui_t) -+kdump_initrc_domtrans(kdumpgui_t) -+ -+corecmd_exec_bin(kdumpgui_t) -+corecmd_exec_shell(kdumpgui_t) -+consoletype_exec(kdumpgui_t) -+ -+kernel_read_system_state(kdumpgui_t) -+kernel_read_network_state(kdumpgui_t) -+ -+storage_raw_read_fixed_disk(kdumpgui_t) -+storage_raw_write_fixed_disk(kdumpgui_t) -+ -+dev_dontaudit_getattr_all_chr_files(kdumpgui_t) -+dev_read_sysfs(kdumpgui_t) -+ -+# for blkid.tab -+files_manage_etc_runtime_files(kdumpgui_t) -+files_etc_filetrans_etc_runtime(kdumpgui_t, file) -+ -+files_manage_boot_files(kdumpgui_t) -+files_manage_boot_symlinks(kdumpgui_t) -+# Needed for running chkconfig -+files_manage_etc_symlinks(kdumpgui_t) + allow kdumpgui_t self:fifo_file rw_fifo_file_perms; + allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; + +@@ -33,6 +34,7 @@ files_manage_etc_symlinks(kdumpgui_t) + # for blkid.tab + files_manage_etc_runtime_files(kdumpgui_t) + files_etc_filetrans_etc_runtime(kdumpgui_t, file) +files_read_usr_files(kdumpgui_t) -+ -+auth_use_nsswitch(kdumpgui_t) -+ -+logging_send_syslog_msg(kdumpgui_t) -+ -+miscfiles_read_localization(kdumpgui_t) -+ -+init_dontaudit_read_all_script_files(kdumpgui_t) -+ + + storage_raw_read_fixed_disk(kdumpgui_t) + storage_raw_write_fixed_disk(kdumpgui_t) +@@ -50,10 +52,16 @@ miscfiles_read_localization(kdumpgui_t) + + init_dontaudit_read_all_script_files(kdumpgui_t) + +userdom_dontaudit_search_admin_dir(kdumpgui_t) + -+optional_policy(` -+ dev_rw_lvm_control(kdumpgui_t) -+') -+ -+optional_policy(` + optional_policy(` + dev_rw_lvm_control(kdumpgui_t) + ') + + optional_policy(` + gnome_dontaudit_search_config(kdumpgui_t) +') + +optional_policy(` -+ policykit_dbus_chat(kdumpgui_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.8.8/policy/modules/apps/livecd.if ---- nsaserefpolicy/policy/modules/apps/livecd.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/livecd.if 2010-08-12 08:05:10.000000000 -0400 -@@ -41,6 +41,8 @@ + policykit_dbus_chat(kdumpgui_t) + ') +diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if +index 12b772f..b67cf26 100644 +--- a/policy/modules/apps/livecd.if ++++ b/policy/modules/apps/livecd.if +@@ -41,6 +41,8 @@ interface(`livecd_run',` livecd_domtrans($1) role $2 types livecd_t; @@ -4614,7 +3530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i optional_policy(` mount_run(livecd_t, $2) -@@ -49,6 +51,24 @@ +@@ -49,6 +51,24 @@ interface(`livecd_run',` ######################################## ## @@ -4639,7 +3555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i ## Read livecd temporary files. ## ## -@@ -82,7 +102,7 @@ +@@ -82,7 +102,7 @@ interface(`livecd_rw_tmp_files',` ') files_search_tmp($1) @@ -4648,104 +3564,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.8.8/policy/modules/apps/livecd.te ---- nsaserefpolicy/policy/modules/apps/livecd.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/livecd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -20,6 +20,7 @@ - - dontaudit livecd_t self:capability2 mac_admin; - -+unconfined_domain_noaudit(livecd_t) - domain_ptrace_all_domains(livecd_t) - - manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) -@@ -27,9 +28,6 @@ +diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te +index 49abe8e..47a193c 100644 +--- a/policy/modules/apps/livecd.te ++++ b/policy/modules/apps/livecd.te +@@ -27,7 +27,7 @@ manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file }) optional_policy(` - unconfined_domain(livecd_t) --') -- --optional_policy(` - hal_dbus_chat(livecd_t) ++ unconfined_domain_noaudit(livecd_t) ') -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.8.8/policy/modules/apps/loadkeys.if ---- nsaserefpolicy/policy/modules/apps/loadkeys.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/loadkeys.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -29,7 +29,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -54,7 +54,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.8.8/policy/modules/apps/mono.if ---- nsaserefpolicy/policy/modules/apps/mono.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/mono.if 2010-07-30 14:06:53.000000000 -0400 -@@ -41,15 +41,18 @@ + + optional_policy(` +diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if +index 7b08e13..9c9e6c1 100644 +--- a/policy/modules/apps/mono.if ++++ b/policy/modules/apps/mono.if +@@ -41,7 +41,6 @@ template(`mono_role_template',` application_type($1_mono_t) allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; - allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; -+ userdom_unpriv_usertype($1, $1_mono_t) -+ userdom_manage_tmpfs_role($2, $1_mono_t) -+ domtrans_pattern($3, mono_exec_t, $1_mono_t) - +@@ -49,7 +48,12 @@ template(`mono_role_template',` fs_dontaudit_rw_tmpfs_files($1_mono_t) corecmd_bin_domtrans($1_mono_t, $1_t) -- + - userdom_manage_user_tmpfs_files($1_mono_t) ++ userdom_unpriv_usertype($1, $1_mono_t) ++ userdom_manage_tmpfs_role($2, $1_mono_t) ++ + ifdef(`hide_broken_symptoms', ` + dontaudit $1_t $1_mono_t:socket_class_set { read write }; + ') optional_policy(` xserver_role($1_r, $1_mono_t) -@@ -82,7 +85,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -125,7 +128,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.8.8/policy/modules/apps/mozilla.fc ---- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.fc 2010-08-19 06:50:14.000000000 -0400 +diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc +index 93ac529..aafece7 100644 +--- a/policy/modules/apps/mozilla.fc ++++ b/policy/modules/apps/mozilla.fc @@ -1,6 +1,7 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -4754,15 +3615,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -@@ -27,3 +28,4 @@ +@@ -27,3 +28,4 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.8.8/policy/modules/apps/mozilla.if ---- nsaserefpolicy/policy/modules/apps/mozilla.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.if 2010-08-19 06:49:11.000000000 -0400 -@@ -29,6 +29,8 @@ +diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if +index 9a6d67d..99a3d49 100644 +--- a/policy/modules/apps/mozilla.if ++++ b/policy/modules/apps/mozilla.if +@@ -29,6 +29,8 @@ interface(`mozilla_role',` allow mozilla_t $2:process { sigchld signull }; allow mozilla_t $2:unix_stream_socket connectto; @@ -4771,7 +3633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Allow the user domain to signal/ps. ps_process_pattern($2, mozilla_t) allow $2 mozilla_t:process signal_perms; -@@ -48,6 +50,12 @@ +@@ -48,6 +50,12 @@ interface(`mozilla_role',` mozilla_dbus_chat($2) @@ -4784,7 +3646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. optional_policy(` pulseaudio_role($1, mozilla_t) ') -@@ -108,7 +116,7 @@ +@@ -108,7 +116,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',` type mozilla_home_t; ') @@ -4793,7 +3655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -168,6 +176,50 @@ +@@ -168,6 +176,50 @@ interface(`mozilla_domtrans',` ######################################## ## @@ -4844,10 +3706,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ## Send and receive messages from ## mozilla over dbus. ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.8.8/policy/modules/apps/mozilla.te ---- nsaserefpolicy/policy/modules/apps/mozilla.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te 2010-08-24 10:04:03.000000000 -0400 -@@ -25,6 +25,7 @@ +diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te +index cbf4bec..b2e4e0c 100644 +--- a/policy/modules/apps/mozilla.te ++++ b/policy/modules/apps/mozilla.te +@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; @@ -4855,7 +3718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. userdom_user_home_content(mozilla_home_t) type mozilla_tmpfs_t; -@@ -33,6 +34,13 @@ +@@ -33,6 +34,13 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_ files_tmpfs_file(mozilla_tmpfs_t) ubac_constrained(mozilla_tmpfs_t) @@ -4869,7 +3732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ######################################## # # Local policy -@@ -89,16 +97,20 @@ +@@ -89,16 +97,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t) corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) corenet_tcp_sendrecv_http_cache_port(mozilla_t) @@ -4890,7 +3753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. corenet_sendrecv_ftp_client_packets(mozilla_t) corenet_sendrecv_ipp_client_packets(mozilla_t) corenet_sendrecv_generic_client_packets(mozilla_t) -@@ -238,6 +250,7 @@ +@@ -238,6 +250,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) @@ -4898,7 +3761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -258,6 +271,11 @@ +@@ -258,6 +271,11 @@ optional_policy(` ') optional_policy(` @@ -4910,7 +3773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +284,46 @@ +@@ -266,3 +284,46 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -4957,10 +3820,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + xserver_read_xdm_pid(mozilla_plugin_t) + xserver_stream_connect(mozilla_plugin_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.8.8/policy/modules/apps/mplayer.if ---- nsaserefpolicy/policy/modules/apps/mplayer.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/mplayer.if 2010-07-30 14:06:53.000000000 -0400 -@@ -102,3 +102,39 @@ +diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if +index d8ea41d..8bdc526 100644 +--- a/policy/modules/apps/mplayer.if ++++ b/policy/modules/apps/mplayer.if +@@ -102,3 +102,39 @@ interface(`mplayer_read_user_home_files',` read_files_pattern($1, mplayer_home_t, mplayer_home_t) userdom_search_user_home_dirs($1) ') @@ -5000,10 +3864,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. + allow $2 mplayer_exec_t:file entrypoint; + domtrans_pattern($1, mplayer_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.8.8/policy/modules/apps/mplayer.te ---- nsaserefpolicy/policy/modules/apps/mplayer.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/mplayer.te 2010-07-30 14:06:53.000000000 -0400 -@@ -32,6 +32,7 @@ +diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te +index 815a467..192d54e 100644 +--- a/policy/modules/apps/mplayer.te ++++ b/policy/modules/apps/mplayer.te +@@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t) type mplayer_home_t; typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t }; typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t }; @@ -5011,7 +3876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. userdom_user_home_content(mplayer_home_t) type mplayer_tmpfs_t; -@@ -159,6 +160,7 @@ +@@ -159,6 +160,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir) @@ -5019,7 +3884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -@@ -222,6 +224,8 @@ +@@ -222,6 +224,8 @@ fs_dontaudit_getattr_all_fs(mplayer_t) fs_search_auto_mountpoints(mplayer_t) fs_list_inotifyfs(mplayer_t) @@ -5028,7 +3893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. miscfiles_read_localization(mplayer_t) miscfiles_read_fonts(mplayer_t) -@@ -302,6 +306,10 @@ +@@ -302,6 +306,10 @@ optional_policy(` ') optional_policy(` @@ -5039,9 +3904,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. nscd_socket_use(mplayer_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.8.8/policy/modules/apps/nsplugin.fc ---- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/nsplugin.fc b/policy/modules/apps/nsplugin.fc +new file mode 100644 +index 0000000..63abc5c +--- /dev/null ++++ b/policy/modules/apps/nsplugin.fc @@ -0,0 +1,10 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) @@ -5053,9 +3920,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.8.8/policy/modules/apps/nsplugin.if ---- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if 2010-08-24 10:00:03.000000000 -0400 +diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if +new file mode 100644 +index 0000000..74c624e +--- /dev/null ++++ b/policy/modules/apps/nsplugin.if @@ -0,0 +1,391 @@ + +## policy for nsplugin @@ -5448,9 +4317,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + allow $2 nsplugin_exec_t:file entrypoint; + domtrans_pattern($1, nsplugin_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te ---- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-23 17:18:54.000000000 -0400 +diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te +new file mode 100644 +index 0000000..ccb1203 +--- /dev/null ++++ b/policy/modules/apps/nsplugin.te @@ -0,0 +1,306 @@ +policy_module(nsplugin, 1.0.0) + @@ -5758,17 +4629,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.8.8/policy/modules/apps/openoffice.fc ---- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/openoffice.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc +new file mode 100644 +index 0000000..0c53a12 +--- /dev/null ++++ b/policy/modules/apps/openoffice.fc @@ -0,0 +1,4 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.8.8/policy/modules/apps/openoffice.if ---- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/openoffice.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if +new file mode 100644 +index 0000000..6863365 +--- /dev/null ++++ b/policy/modules/apps/openoffice.if @@ -0,0 +1,129 @@ +## Openoffice + @@ -5899,9 +4774,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi + allow $2 openoffice_exec_t:file entrypoint; + domtrans_pattern($1, openoffice_exec_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.8.8/policy/modules/apps/openoffice.te ---- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/openoffice.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te +new file mode 100644 +index 0000000..a842371 +--- /dev/null ++++ b/policy/modules/apps/openoffice.te @@ -0,0 +1,16 @@ +policy_module(openoffice, 1.0.0) + @@ -5919,10 +4796,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi +# Unconfined java local policy +# + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.8.8/policy/modules/apps/podsleuth.te ---- nsaserefpolicy/policy/modules/apps/podsleuth.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/podsleuth.te 2010-08-23 17:51:56.000000000 -0400 -@@ -27,7 +27,7 @@ +diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te +index 690589e..815d35d 100644 +--- a/policy/modules/apps/podsleuth.te ++++ b/policy/modules/apps/podsleuth.te +@@ -27,7 +27,7 @@ ubac_constrained(podsleuth_tmpfs_t) # podsleuth local policy # allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; @@ -5931,7 +4809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut allow podsleuth_t self:fifo_file rw_file_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; allow podsleuth_t self:sem create_sem_perms; -@@ -73,6 +73,7 @@ +@@ -73,6 +73,7 @@ miscfiles_read_localization(podsleuth_t) sysnet_dns_name_resolve(podsleuth_t) userdom_signal_unpriv_users(podsleuth_t) @@ -5939,10 +4817,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut userdom_read_user_tmpfs_files(podsleuth_t) optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.8.8/policy/modules/apps/pulseaudio.if ---- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/pulseaudio.if 2010-07-30 14:06:53.000000000 -0400 -@@ -35,6 +35,10 @@ +diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if +index 2ba7787..3b0d3be 100644 +--- a/policy/modules/apps/pulseaudio.if ++++ b/policy/modules/apps/pulseaudio.if +@@ -35,6 +35,10 @@ interface(`pulseaudio_role',` allow pulseaudio_t $2:unix_stream_socket connectto; allow $2 pulseaudio_t:unix_stream_socket connectto; @@ -5953,10 +4832,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud allow $2 pulseaudio_t:dbus send_msg; allow pulseaudio_t $2:dbus { acquire_svc send_msg }; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.8.8/policy/modules/apps/pulseaudio.te ---- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/pulseaudio.te 2010-07-30 14:06:53.000000000 -0400 -@@ -44,6 +44,7 @@ +diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te +index 5c2680c..88fc6f6 100644 +--- a/policy/modules/apps/pulseaudio.te ++++ b/policy/modules/apps/pulseaudio.te +@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) userdom_search_user_home_dirs(pulseaudio_t) @@ -5964,7 +4844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -@@ -53,7 +54,7 @@ +@@ -53,7 +54,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) @@ -5973,7 +4853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -94,11 +95,6 @@ +@@ -94,11 +95,6 @@ logging_send_syslog_msg(pulseaudio_t) miscfiles_read_localization(pulseaudio_t) @@ -5985,7 +4865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud optional_policy(` bluetooth_stream_connect(pulseaudio_t) ') -@@ -131,6 +127,10 @@ +@@ -131,6 +127,10 @@ optional_policy(` ') optional_policy(` @@ -5996,7 +4876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -148,3 +148,7 @@ +@@ -148,3 +148,7 @@ optional_policy(` xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -6004,10 +4884,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud +optional_policy(` + sandbox_manage_tmpfs_files(pulseaudio_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.8.8/policy/modules/apps/qemu.if ---- nsaserefpolicy/policy/modules/apps/qemu.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/qemu.if 2010-07-30 14:06:53.000000000 -0400 -@@ -275,6 +275,67 @@ +diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if +index c1d5f50..95bb89d 100644 +--- a/policy/modules/apps/qemu.if ++++ b/policy/modules/apps/qemu.if +@@ -275,6 +275,67 @@ interface(`qemu_domtrans_unconfined',` ######################################## ## @@ -6075,7 +4956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if ## Manage qemu temporary dirs. ## ## -@@ -308,3 +369,24 @@ +@@ -308,3 +369,24 @@ interface(`qemu_manage_tmp_files',` manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') @@ -6100,10 +4981,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.8.8/policy/modules/apps/qemu.te ---- nsaserefpolicy/policy/modules/apps/qemu.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/qemu.te 2010-07-30 14:06:53.000000000 -0400 -@@ -102,6 +102,10 @@ +diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te +index a3225d4..7551020 100644 +--- a/policy/modules/apps/qemu.te ++++ b/policy/modules/apps/qemu.te +@@ -102,6 +102,10 @@ optional_policy(` xen_rw_image_files(qemu_t) ') @@ -6114,7 +4996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te ######################################## # # Unconfined qemu local policy -@@ -112,6 +116,8 @@ +@@ -112,6 +116,8 @@ optional_policy(` typealias unconfined_qemu_t alias qemu_unconfined_t; application_type(unconfined_qemu_t) unconfined_domain(unconfined_qemu_t) @@ -6123,95 +5005,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te allow unconfined_qemu_t self:process { execstack execmem }; allow unconfined_qemu_t qemu_exec_t:file execmod; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.8.8/policy/modules/apps/sambagui.fc ---- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/sambagui.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1 @@ -+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.8.8/policy/modules/apps/sambagui.if ---- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/sambagui.if 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1,2 @@ -+## system-config-samba policy -+ -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.8.8/policy/modules/apps/sambagui.te ---- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/sambagui.te 2010-08-13 15:50:28.000000000 -0400 -@@ -0,0 +1,66 @@ -+policy_module(sambagui,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type sambagui_t; -+type sambagui_exec_t; -+dbus_system_domain(sambagui_t, sambagui_exec_t) -+ -+######################################## -+# -+# system-config-samba local policy -+# -+ -+allow sambagui_t self:capability dac_override; -+allow sambagui_t self:fifo_file rw_fifo_file_perms; -+allow sambagui_t self:unix_dgram_socket create_socket_perms; -+ -+# handling with samba conf files -+samba_append_log(sambagui_t) -+samba_manage_config(sambagui_t) -+samba_manage_var_files(sambagui_t) -+samba_read_secrets(sambagui_t) -+samba_initrc_domtrans(sambagui_t) -+samba_domtrans_smbd(sambagui_t) -+samba_domtrans_nmbd(sambagui_t) -+ -+# execut apps of system-config-samba -+corecmd_exec_shell(sambagui_t) -+corecmd_exec_bin(sambagui_t) -+ -+files_read_etc_files(sambagui_t) +diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te +index 9ec1478..26bb71c 100644 +--- a/policy/modules/apps/sambagui.te ++++ b/policy/modules/apps/sambagui.te +@@ -29,7 +29,7 @@ dev_dontaudit_read_urand(sambagui_t) + + files_read_etc_files(sambagui_t) + files_search_var_lib(sambagui_t) +-files_search_usr(sambagui_t) +files_read_usr_files(sambagui_t) -+files_search_var_lib(sambagui_t) -+ -+# reading shadow by pdbedit -+#auth_read_shadow(sambagui_t) -+ -+auth_use_nsswitch(sambagui_t) -+ -+logging_send_syslog_msg(sambagui_t) -+ -+miscfiles_read_localization(sambagui_t) -+ -+# read meminfo -+kernel_read_system_state(sambagui_t) -+ -+dev_dontaudit_read_urand(sambagui_t) -+nscd_dontaudit_search_pid(sambagui_t) -+ + + auth_use_nsswitch(sambagui_t) + +@@ -39,6 +39,8 @@ miscfiles_read_localization(sambagui_t) + + nscd_dontaudit_search_pid(sambagui_t) + +userdom_dontaudit_search_admin_dir(sambagui_t) + -+ -+optional_policy(` -+ consoletype_exec(sambagui_t) -+') -+ -+optional_policy(` + # handling with samba conf files + samba_append_log(sambagui_t) + samba_manage_config(sambagui_t) +@@ -53,5 +55,9 @@ optional_policy(` + ') + + optional_policy(` + gnome_dontaudit_search_config(sambagui_t) +') + +optional_policy(` -+ policykit_dbus_chat(sambagui_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.8.8/policy/modules/apps/sandbox.fc ---- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.fc 2010-07-30 14:06:53.000000000 -0400 + policykit_dbus_chat(sambagui_t) + ') +diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc +new file mode 100644 +index 0000000..15778fd +--- /dev/null ++++ b/policy/modules/apps/sandbox.fc @@ -0,0 +1 @@ +# No types are sandbox_exec_t -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.8.8/policy/modules/apps/sandbox.if ---- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if 2010-08-25 09:14:51.000000000 -0400 +diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if +new file mode 100644 +index 0000000..d104714 +--- /dev/null ++++ b/policy/modules/apps/sandbox.if @@ -0,0 +1,334 @@ + +## policy for sandbox @@ -6547,9 +5384,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + + allow $1 sandbox_file_type:dir list_dir_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te ---- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-23 18:24:37.000000000 -0400 +diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te +new file mode 100644 +index 0000000..88a211a +--- /dev/null ++++ b/policy/modules/apps/sandbox.te @@ -0,0 +1,401 @@ +policy_module(sandbox,1.0.0) +dbus_stub() @@ -6952,10 +5791,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.8.8/policy/modules/apps/seunshare.if ---- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.if 2010-07-30 14:06:53.000000000 -0400 -@@ -53,8 +53,14 @@ +diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if +index 1dc7a85..7455c19 100644 +--- a/policy/modules/apps/seunshare.if ++++ b/policy/modules/apps/seunshare.if +@@ -53,8 +53,14 @@ interface(`seunshare_run',` ######################################## ## @@ -6971,7 +5811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar ## ## ## Role allowed access. -@@ -66,15 +72,28 @@ +@@ -66,15 +72,28 @@ interface(`seunshare_run',` ## ## # @@ -6987,15 +5827,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + type $1_seunshare_t, seunshare_domain; + application_domain($1_seunshare_t, seunshare_exec_t) + role $2 types $1_seunshare_t; -+ -+ mls_process_set_level($1_seunshare_t) - seunshare_domtrans($1) -+ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) -+ sandbox_transition($1_seunshare_t, $2) ++ mls_process_set_level($1_seunshare_t) - ps_process_pattern($2, seunshare_t) - allow $2 seunshare_t:process signal; ++ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) ++ sandbox_transition($1_seunshare_t, $2) ++ + ps_process_pattern($3, $1_seunshare_t) + allow $3 $1_seunshare_t:process signal_perms; + @@ -7006,10 +5846,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar + dontaudit $1_seunshare_t $3:socket_class_set { read write }; + ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te ---- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-25 09:09:14.000000000 -0400 -@@ -5,40 +5,45 @@ +diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te +index 7590165..e5ef7b3 100644 +--- a/policy/modules/apps/seunshare.te ++++ b/policy/modules/apps/seunshare.te +@@ -5,40 +5,45 @@ policy_module(seunshare, 1.1.0) # Declarations # @@ -7072,9 +5913,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar ') ') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.fc serefpolicy-3.8.8/policy/modules/apps/telepathy.fc ---- nsaserefpolicy/policy/modules/apps/telepathy.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc +new file mode 100644 +index 0000000..1e47b96 +--- /dev/null ++++ b/policy/modules/apps/telepathy.fc @@ -0,0 +1,14 @@ +HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) +HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) @@ -7090,9 +5933,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath +/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) +/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.if serefpolicy-3.8.8/policy/modules/apps/telepathy.if ---- nsaserefpolicy/policy/modules/apps/telepathy.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if +new file mode 100644 +index 0000000..3d12484 +--- /dev/null ++++ b/policy/modules/apps/telepathy.if @@ -0,0 +1,188 @@ + +## Telepathy framework. @@ -7282,9 +6127,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath + stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) + files_search_tmp($1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.te serefpolicy-3.8.8/policy/modules/apps/telepathy.te ---- nsaserefpolicy/policy/modules/apps/telepathy.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te 2010-08-25 09:41:04.000000000 -0400 +diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te +new file mode 100644 +index 0000000..59867f6 +--- /dev/null ++++ b/policy/modules/apps/telepathy.te @@ -0,0 +1,313 @@ + +policy_module(telepathy, 1.0.0) @@ -7338,8 +6185,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath +manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) -+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file}) -+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file}) ++files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) ++userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) +userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) + +corenet_sendrecv_http_client_packets(telepathy_msn_t) @@ -7599,18 +6446,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath +optional_policy(` + xserver_rw_xdm_pipes(telepathy_domain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.fc serefpolicy-3.8.8/policy/modules/apps/userhelper.fc ---- nsaserefpolicy/policy/modules/apps/userhelper.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/userhelper.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/userhelper.fc b/policy/modules/apps/userhelper.fc +index e70b0e8..cd83b89 100644 +--- a/policy/modules/apps/userhelper.fc ++++ b/policy/modules/apps/userhelper.fc @@ -7,3 +7,4 @@ # /usr # /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.8.8/policy/modules/apps/userhelper.if ---- nsaserefpolicy/policy/modules/apps/userhelper.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/userhelper.if 2010-07-30 14:06:53.000000000 -0400 -@@ -25,6 +25,7 @@ +diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if +index ced285a..d73e7c8 100644 +--- a/policy/modules/apps/userhelper.if ++++ b/policy/modules/apps/userhelper.if +@@ -25,6 +25,7 @@ template(`userhelper_role_template',` gen_require(` attribute userhelper_type; type userhelper_exec_t, userhelper_conf_t; @@ -7618,16 +6467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp ') ######################################## -@@ -245,7 +246,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -256,3 +257,58 @@ +@@ -256,3 +257,58 @@ interface(`userhelper_exec',` can_exec($1, userhelper_exec_t) ') @@ -7686,10 +6526,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp + xserver_read_xdm_pid($1_consolehelper_t) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.8.8/policy/modules/apps/userhelper.te ---- nsaserefpolicy/policy/modules/apps/userhelper.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/userhelper.te 2010-08-23 08:31:37.000000000 -0400 -@@ -6,9 +6,54 @@ +diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te +index d584dff..f62c171 100644 +--- a/policy/modules/apps/userhelper.te ++++ b/policy/modules/apps/userhelper.te +@@ -6,9 +6,54 @@ policy_module(userhelper, 1.5.1) # attribute userhelper_type; @@ -7744,20 +6585,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp +optional_policy(` + xserver_stream_connect(consolehelper_domain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.8.8/policy/modules/apps/vmware.fc ---- nsaserefpolicy/policy/modules/apps/vmware.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/vmware.fc 2010-08-13 14:51:09.000000000 -0400 -@@ -66,5 +66,6 @@ +diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc +index 5872ea2..028c994 100644 +--- a/policy/modules/apps/vmware.fc ++++ b/policy/modules/apps/vmware.fc +@@ -66,5 +66,6 @@ ifdef(`distro_gentoo',` /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) /var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0) +/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0) /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.8.8/policy/modules/apps/vmware.te ---- nsaserefpolicy/policy/modules/apps/vmware.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/vmware.te 2010-07-30 14:06:53.000000000 -0400 -@@ -126,6 +126,7 @@ +diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te +index 1f803bb..ab99aa0 100644 +--- a/policy/modules/apps/vmware.te ++++ b/policy/modules/apps/vmware.te +@@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t) dev_read_sysfs(vmware_host_t) dev_read_urand(vmware_host_t) dev_rw_vmware(vmware_host_t) @@ -7765,31 +6608,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.if serefpolicy-3.8.8/policy/modules/apps/webalizer.if ---- nsaserefpolicy/policy/modules/apps/webalizer.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/webalizer.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.8.8/policy/modules/apps/wine.fc ---- nsaserefpolicy/policy/modules/apps/wine.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/wine.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -2,6 +2,7 @@ +diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc +index 9d24449..9782698 100644 +--- a/policy/modules/apps/wine.fc ++++ b/policy/modules/apps/wine.fc +@@ -2,6 +2,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) @@ -7797,9 +6620,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc /opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.8.8/policy/modules/apps/wine.if ---- nsaserefpolicy/policy/modules/apps/wine.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/wine.if 2010-08-05 17:18:31.000000000 -0400 +diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if +index c26662d..9cbfded 100644 +--- a/policy/modules/apps/wine.if ++++ b/policy/modules/apps/wine.if @@ -29,12 +29,16 @@ # template(`wine_role',` @@ -7817,7 +6641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if allow wine_t $2:fd use; allow wine_t $2:process { sigchld signull }; allow wine_t $2:unix_stream_socket connectto; -@@ -86,6 +90,7 @@ +@@ -86,6 +90,7 @@ template(`wine_role',` # template(`wine_role_template',` gen_require(` @@ -7825,37 +6649,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if type wine_exec_t; ') -@@ -101,9 +106,16 @@ +@@ -101,9 +106,16 @@ template(`wine_role_template',` corecmd_bin_domtrans($1_wine_t, $1_t) userdom_unpriv_usertype($1, $1_wine_t) - userdom_manage_user_tmpfs_files($1_wine_t) + userdom_manage_tmpfs_role($2, $1_wine_t) -+ + +- domain_mmap_low($1_wine_t) + domain_mmap_low_type($1_wine_t) + tunable_policy(`mmap_low_allowed',` + allow $1_wine_t self:memprotect mmap_zero; + ') - -- domain_mmap_low($1_wine_t) ++ + tunable_policy(`wine_mmap_zero_ignore',` + dontaudit $1_wine_t self:memprotect mmap_zero; + ') optional_policy(` xserver_role($1_r, $1_wine_t) -@@ -136,7 +148,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.8.8/policy/modules/apps/wine.te ---- nsaserefpolicy/policy/modules/apps/wine.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/wine.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te +index 8af45db..6fe38a1 100644 +--- a/policy/modules/apps/wine.te ++++ b/policy/modules/apps/wine.te @@ -1,5 +1,13 @@ policy_module(wine, 1.7.1) @@ -7870,7 +6686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ######################################## # # Declarations -@@ -29,7 +37,13 @@ +@@ -29,7 +37,13 @@ manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) @@ -7885,7 +6701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te files_execmod_all_files(wine_t) -@@ -40,7 +54,11 @@ +@@ -40,7 +54,11 @@ optional_policy(` ') optional_policy(` @@ -7898,10 +6714,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.te serefpolicy-3.8.8/policy/modules/apps/wireshark.te ---- nsaserefpolicy/policy/modules/apps/wireshark.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/wireshark.te 2010-07-30 14:06:53.000000000 -0400 -@@ -15,6 +15,7 @@ +diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te +index 4b3bdea..7c05189 100644 +--- a/policy/modules/apps/wireshark.te ++++ b/policy/modules/apps/wireshark.te +@@ -15,6 +15,7 @@ ubac_constrained(wireshark_t) type wireshark_home_t; typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t }; typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t }; @@ -7909,7 +6726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshar userdom_user_home_content(wireshark_home_t) type wireshark_tmp_t; -@@ -70,6 +71,8 @@ +@@ -70,6 +71,8 @@ kernel_read_kernel_sysctls(wireshark_t) kernel_read_system_state(wireshark_t) kernel_read_sysctl(wireshark_t) @@ -7918,10 +6735,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshar corenet_tcp_connect_generic_port(wireshark_t) corenet_tcp_sendrecv_generic_if(wireshark_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.8.8/policy/modules/apps/wm.if ---- nsaserefpolicy/policy/modules/apps/wm.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/wm.if 2010-07-30 14:06:53.000000000 -0400 -@@ -75,6 +75,10 @@ +diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if +index 82842a0..369c3b5 100644 +--- a/policy/modules/apps/wm.if ++++ b/policy/modules/apps/wm.if +@@ -75,6 +75,10 @@ template(`wm_role_template',` miscfiles_read_fonts($1_wm_t) miscfiles_read_localization($1_wm_t) @@ -7932,21 +6750,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se optional_policy(` dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc ---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.fc 2010-08-19 06:39:36.000000000 -0400 -@@ -9,8 +9,10 @@ +diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc +index 0eb1d97..a71e2d5 100644 +--- a/policy/modules/kernel/corecommands.fc ++++ b/policy/modules/kernel/corecommands.fc +@@ -9,8 +9,11 @@ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) # -@@ -101,6 +103,9 @@ +@@ -101,6 +104,9 @@ ifdef(`distro_redhat',` /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -7956,7 +6776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0) /etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -126,6 +131,7 @@ +@@ -126,6 +132,7 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') @@ -7964,7 +6784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /sbin -@@ -145,6 +151,10 @@ +@@ -145,6 +152,10 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -7975,7 +6795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ifdef(`distro_gentoo',` /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -169,6 +179,7 @@ +@@ -169,6 +180,7 @@ ifdef(`distro_gentoo',` /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -7983,7 +6803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -220,6 +231,7 @@ +@@ -220,6 +232,7 @@ ifdef(`distro_gentoo',` /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) @@ -7991,7 +6811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -228,6 +240,8 @@ +@@ -228,6 +241,8 @@ ifdef(`distro_gentoo',` /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -8000,7 +6820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,6 +328,7 @@ +@@ -314,6 +329,7 @@ ifdef(`distro_redhat', ` /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0) @@ -8008,7 +6828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') ifdef(`distro_suse', ` -@@ -340,3 +355,27 @@ +@@ -340,3 +356,27 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -8036,10 +6856,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco + +/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.8.8/policy/modules/kernel/corecommands.if ---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/corecommands.if 2010-07-30 14:06:53.000000000 -0400 -@@ -931,6 +931,7 @@ +diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if +index 1cc7ef6..58b4e9d 100644 +--- a/policy/modules/kernel/corecommands.if ++++ b/policy/modules/kernel/corecommands.if +@@ -931,6 +931,7 @@ interface(`corecmd_exec_chroot',` read_lnk_files_pattern($1, bin_t, bin_t) can_exec($1, chroot_exec_t) @@ -8047,7 +6868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') ######################################## -@@ -1030,6 +1031,7 @@ +@@ -1030,6 +1031,7 @@ interface(`corecmd_manage_all_executables',` type bin_t; ') @@ -8055,9 +6876,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.fc serefpolicy-3.8.8/policy/modules/kernel/corenetwork.fc ---- nsaserefpolicy/policy/modules/kernel/corenetwork.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc +index 9e5c83e..953e0e8 100644 +--- a/policy/modules/kernel/corenetwork.fc ++++ b/policy/modules/kernel/corenetwork.fc @@ -5,3 +5,6 @@ /dev/tap.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) @@ -8065,10 +6887,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene + +/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in 2010-08-23 17:15:30.000000000 -0400 -@@ -24,6 +24,7 @@ +diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in +index 2ecdde8..d739fc3 100644 +--- a/policy/modules/kernel/corenetwork.te.in ++++ b/policy/modules/kernel/corenetwork.te.in +@@ -24,6 +24,7 @@ dev_node(ppp_device_t) # type tun_tap_device_t; dev_node(tun_tap_device_t) @@ -8076,7 +6899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## # -@@ -64,6 +65,7 @@ +@@ -64,6 +65,7 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) @@ -8084,7 +6907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) -@@ -72,12 +74,15 @@ +@@ -72,12 +74,15 @@ network_port(agentx, udp,705,s0, tcp,705,s0) network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) @@ -8100,7 +6923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict network_port(certmaster, tcp,51235,s0) network_port(chronyd, udp,323,s0) -@@ -85,6 +90,7 @@ +@@ -85,6 +90,7 @@ network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) network_port(cobbler, tcp,25151,s0) @@ -8108,7 +6931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -@@ -97,7 +103,9 @@ +@@ -97,7 +103,9 @@ network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) network_port(epmap, tcp,135,s0, udp,135,s0) @@ -8118,7 +6941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -109,7 +117,7 @@ +@@ -109,7 +117,7 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port @@ -8127,7 +6950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -124,29 +132,32 @@ +@@ -124,29 +132,32 @@ network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) @@ -8164,7 +6987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ntp, udp,123,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) -@@ -154,12 +165,20 @@ +@@ -154,12 +165,20 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) @@ -8185,7 +7008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -174,24 +193,27 @@ +@@ -174,24 +193,27 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -8217,7 +7040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -201,16 +223,17 @@ +@@ -201,16 +223,17 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -8238,10 +7061,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) network_port(zope, tcp,8021,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.8.8/policy/modules/kernel/devices.fc ---- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/devices.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -176,13 +176,12 @@ +diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc +index 3b2da10..7eed11d 100644 +--- a/policy/modules/kernel/devices.fc ++++ b/policy/modules/kernel/devices.fc +@@ -176,13 +176,12 @@ ifdef(`distro_suse', ` /etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) @@ -8257,7 +7081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ifdef(`distro_redhat',` # originally from named.fc -@@ -191,3 +190,8 @@ +@@ -191,3 +190,8 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') @@ -8266,10 +7090,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +# /sys +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if ---- nsaserefpolicy/policy/modules/kernel/devices.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-08-21 06:37:45.000000000 -0400 -@@ -461,6 +461,24 @@ +diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if +index cac0c64..9223f7d 100644 +--- a/policy/modules/kernel/devices.if ++++ b/policy/modules/kernel/devices.if +@@ -461,6 +461,24 @@ interface(`dev_getattr_generic_chr_files',` ######################################## ## @@ -8294,7 +7119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Dontaudit getattr for generic character device files. ## ## -@@ -497,6 +515,24 @@ +@@ -497,6 +515,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',` ######################################## ## @@ -8319,7 +7144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Read and write generic character device files. ## ## -@@ -515,6 +551,24 @@ +@@ -515,6 +551,24 @@ interface(`dev_rw_generic_chr_files',` ######################################## ## @@ -8344,7 +7169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Create generic character device files. ## ## -@@ -606,6 +660,24 @@ +@@ -606,6 +660,24 @@ interface(`dev_delete_generic_symlinks',` ######################################## ## @@ -8369,7 +7194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Create, delete, read, and write symbolic links in device directories. ## ## -@@ -1015,6 +1087,42 @@ +@@ -1015,6 +1087,42 @@ interface(`dev_create_all_chr_files',` ######################################## ## @@ -8412,7 +7237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Delete all block device files. ## ## -@@ -1277,6 +1385,24 @@ +@@ -1277,6 +1385,24 @@ interface(`dev_getattr_autofs_dev',` ######################################## ## @@ -8437,7 +7262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Do not audit attempts to get the attributes of ## the autofs device node. ## -@@ -3540,6 +3666,24 @@ +@@ -3540,6 +3666,24 @@ interface(`dev_manage_smartcard',` ######################################## ## @@ -8462,7 +7287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of sysfs directories. ## ## -@@ -3851,6 +3995,24 @@ +@@ -3851,6 +3995,24 @@ interface(`dev_read_usbmon_dev',` ######################################## ## @@ -8487,7 +7312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## -@@ -4161,11 +4323,10 @@ +@@ -4161,11 +4323,10 @@ interface(`dev_write_video_dev',` # interface(`dev_rw_vhost',` gen_require(` @@ -8501,10 +7326,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.8.8/policy/modules/kernel/devices.te ---- nsaserefpolicy/policy/modules/kernel/devices.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/devices.te 2010-07-30 14:06:53.000000000 -0400 -@@ -100,6 +100,7 @@ +diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te +index 102d130..ec8eb73 100644 +--- a/policy/modules/kernel/devices.te ++++ b/policy/modules/kernel/devices.te +@@ -100,6 +100,7 @@ dev_node(ksm_device_t) # type kvm_device_t; dev_node(kvm_device_t) @@ -8512,17 +7338,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device # # Type for /dev/lirc -@@ -300,5 +301,5 @@ +@@ -300,5 +301,5 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:{ blk_file chr_file } *; +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.8.8/policy/modules/kernel/domain.if ---- nsaserefpolicy/policy/modules/kernel/domain.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/domain.if 2010-07-30 14:06:53.000000000 -0400 -@@ -611,7 +611,7 @@ +diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if +index 41f36ed..3f2c4ad 100644 +--- a/policy/modules/kernel/domain.if ++++ b/policy/modules/kernel/domain.if +@@ -611,7 +611,7 @@ interface(`domain_read_all_domains_state',` ######################################## ## @@ -8531,7 +7358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## ## ## -@@ -630,7 +630,7 @@ +@@ -630,7 +630,7 @@ interface(`domain_getattr_all_domains',` ######################################## ## @@ -8540,7 +7367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## ## ## -@@ -1372,13 +1372,11 @@ +@@ -1372,13 +1372,11 @@ interface(`domain_entry_file_spec_domtrans',` ## ## # @@ -8555,7 +7382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain typeattribute $1 mmap_low_domain_type; ') -@@ -1445,3 +1443,22 @@ +@@ -1445,3 +1443,22 @@ interface(`domain_unconfined',` typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; ') @@ -8578,10 +7405,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + + dontaudit $1 domain:socket_class_set { read write }; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.8.8/policy/modules/kernel/domain.te ---- nsaserefpolicy/policy/modules/kernel/domain.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/domain.te 2010-07-30 14:06:53.000000000 -0400 -@@ -4,6 +4,21 @@ +diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te +index aa02659..b9c5804 100644 +--- a/policy/modules/kernel/domain.te ++++ b/policy/modules/kernel/domain.te +@@ -4,6 +4,21 @@ policy_module(domain, 1.8.0) # # Declarations # @@ -8603,7 +7431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Mark process types as domains attribute domain; -@@ -79,14 +94,17 @@ +@@ -79,14 +94,17 @@ allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; kernel_read_proc_symlinks(domain) @@ -8622,7 +7450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Use trusted objects in /dev dev_rw_null(domain) -@@ -96,6 +114,13 @@ +@@ -96,6 +114,13 @@ term_use_controlling_term(domain) # list the root directory files_list_root(domain) @@ -8636,7 +7464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain tunable_policy(`global_ssp',` # enable reading of urandom for all domains: # this should be enabled when all programs -@@ -105,8 +130,13 @@ +@@ -105,8 +130,13 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -8650,7 +7478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ') optional_policy(` -@@ -117,6 +147,8 @@ +@@ -117,6 +147,8 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -8659,7 +7487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ') ######################################## -@@ -135,6 +167,8 @@ +@@ -135,6 +167,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; @@ -8668,7 +7496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -152,3 +186,77 @@ +@@ -152,3 +186,77 @@ allow unconfined_domain_type domain:key *; # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -8746,10 +7574,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.8.8/policy/modules/kernel/files.fc ---- nsaserefpolicy/policy/modules/kernel/files.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/files.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -18,6 +18,7 @@ +diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc +index 3517db2..bd4c23d 100644 +--- a/policy/modules/kernel/files.fc ++++ b/policy/modules/kernel/files.fc +@@ -18,6 +18,7 @@ ifdef(`distro_redhat',` /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -8757,7 +7586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ifdef(`distro_suse',` -@@ -64,6 +65,13 @@ +@@ -64,6 +65,13 @@ ifdef(`distro_suse',` /etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -8771,7 +7600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) -@@ -74,7 +82,8 @@ +@@ -74,7 +82,8 @@ ifdef(`distro_suse',` /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -8781,7 +7610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -95,7 +104,7 @@ +@@ -95,7 +104,7 @@ ifdef(`distro_suse',` # HOME_ROOT # expanded by genhomedircon # @@ -8790,7 +7619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) HOME_ROOT/lost\+found/.* <> -@@ -159,6 +168,12 @@ +@@ -159,6 +168,12 @@ HOME_ROOT/lost\+found/.* <> /proc -d <> /proc/.* <> @@ -8803,7 +7632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # # /selinux # -@@ -172,12 +187,6 @@ +@@ -172,12 +187,6 @@ HOME_ROOT/lost\+found/.* <> /srv/.* gen_context(system_u:object_r:var_t,s0) # @@ -8816,7 +7645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # /tmp # /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -@@ -217,7 +226,6 @@ +@@ -217,7 +226,6 @@ HOME_ROOT/lost\+found/.* <> ifndef(`distro_redhat',` /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) @@ -8824,7 +7653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -233,6 +241,8 @@ +@@ -233,6 +241,8 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -8833,7 +7662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -@@ -249,7 +259,7 @@ +@@ -249,7 +259,7 @@ ifndef(`distro_redhat',` /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -8842,16 +7671,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -258,3 +268,5 @@ +@@ -258,3 +268,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.8/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/files.if 2010-08-11 09:28:41.000000000 -0400 -@@ -1053,10 +1053,8 @@ +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index 5302dac..73e4119 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -8864,10 +7694,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1446,6 +1444,24 @@ +@@ -1446,6 +1444,42 @@ interface(`files_dontaudit_search_all_mountpoints',` ######################################## ## ++## Do not audit listing of all mount points. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_list_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ dontaudit $1 mountpoint:dir list_dir_perms; ++') ++ ++######################################## ++## +## Write all mount points. +## +## @@ -8889,7 +7737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## List the contents of the root directory. ## ## -@@ -2435,6 +2451,24 @@ +@@ -2435,6 +2469,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -8914,7 +7762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Execute generic files in /etc. ## ## -@@ -3086,6 +3120,7 @@ +@@ -3086,6 +3138,7 @@ interface(`files_getattr_home_dir',` ') allow $1 home_root_t:dir getattr; @@ -8922,7 +7770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3106,6 +3141,7 @@ +@@ -3106,6 +3159,7 @@ interface(`files_dontaudit_getattr_home_dir',` ') dontaudit $1 home_root_t:dir getattr; @@ -8930,7 +7778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3347,6 +3383,24 @@ +@@ -3347,6 +3401,24 @@ interface(`files_list_mnt',` allow $1 mnt_t:dir list_dir_perms; ') @@ -8955,7 +7803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Mount a filesystem on /mnt. -@@ -3420,6 +3474,24 @@ +@@ -3420,6 +3492,24 @@ interface(`files_read_mnt_files',` read_files_pattern($1, mnt_t, mnt_t) ') @@ -8980,7 +7828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3711,6 +3783,82 @@ +@@ -3711,6 +3801,100 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -9041,6 +7889,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + relabelto_files_pattern($1, system_conf_t, system_conf_t) +') + ++###################################### ++## ++## Relabel manageable system configuration files in /etc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelfrom_system_conf_files',` ++ gen_require(` ++ type usr_t; ++ ') ++ ++ relabelfrom_files_pattern($1, system_conf_t, system_conf_t) ++') ++ +################################### +## +## Create files in /etc with the type used for @@ -9063,7 +7929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Allow the specified type to associate -@@ -3896,6 +4044,32 @@ +@@ -3896,6 +4080,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -9096,7 +7962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -4109,6 +4283,13 @@ +@@ -4109,6 +4319,13 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -9110,7 +7976,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5298,6 +5479,43 @@ +@@ -5138,12 +5355,12 @@ interface(`files_getattr_generic_locks',` + ## + # + interface(`files_delete_generic_locks',` +- gen_require(` +- type var_t, var_lock_t; +- ') ++ gen_require(` ++ type var_t, var_lock_t; ++ ') + +- allow $1 var_t:dir search_dir_perms; +- delete_files_pattern($1, var_lock_t, var_lock_t) ++ allow $1 var_t:dir search_dir_perms; ++ delete_files_pattern($1, var_lock_t, var_lock_t) + ') + + ######################################## +@@ -5317,6 +5534,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -9154,7 +8038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -5505,6 +5723,26 @@ +@@ -5524,6 +5778,26 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -9181,7 +8065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Read all process ID files. ## ## -@@ -5522,6 +5760,7 @@ +@@ -5541,6 +5815,7 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -9189,7 +8073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5807,3 +6046,229 @@ +@@ -5826,3 +6101,229 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -9419,10 +8303,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + + allow $1 file_type:kernel_service create_files_as; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.8.8/policy/modules/kernel/files.te ---- nsaserefpolicy/policy/modules/kernel/files.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/files.te 2010-07-30 14:06:53.000000000 -0400 -@@ -11,6 +11,7 @@ +diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te +index 07352a5..12e9ecf 100644 +--- a/policy/modules/kernel/files.te ++++ b/policy/modules/kernel/files.te +@@ -11,6 +11,7 @@ attribute lockfile; attribute mountpoint; attribute pidfile; attribute configfile; @@ -9430,7 +8315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # For labeling types that are to be polyinstantiated attribute polydir; -@@ -58,12 +59,21 @@ +@@ -58,12 +59,21 @@ files_type(etc_t) typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; @@ -9453,18 +8338,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc ---- nsaserefpolicy/policy/modules/kernel/filesystem.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -1,3 +1,3 @@ +diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc +index 9306de6..9a1e6a7 100644 +--- a/policy/modules/kernel/filesystem.fc ++++ b/policy/modules/kernel/filesystem.fc +@@ -1,3 +1,4 @@ /dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-08-23 17:32:34.000000000 -0400 -@@ -1233,7 +1233,7 @@ ++/sys/fs/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) +diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if +index e3e17ba..3b34959 100644 +--- a/policy/modules/kernel/filesystem.if ++++ b/policy/modules/kernel/filesystem.if +@@ -1233,7 +1233,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -9473,7 +8361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -1496,6 +1496,25 @@ +@@ -1496,6 +1496,25 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -9499,7 +8387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ####################################### ## ## Create, read, write, and delete dirs -@@ -1923,7 +1942,26 @@ +@@ -1923,7 +1942,26 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -9527,7 +8415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -1938,6 +1976,41 @@ +@@ -1938,6 +1976,41 @@ interface(`fs_rw_hugetlbfs_files',` rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -9569,7 +8457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## -@@ -1991,6 +2064,7 @@ +@@ -1991,6 +2064,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -9577,7 +8465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2387,6 +2461,25 @@ +@@ -2387,6 +2461,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -9603,7 +8491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Append files ## on a NFS filesystem. ## -@@ -2441,7 +2534,7 @@ +@@ -2441,7 +2534,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -9612,7 +8500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2629,6 +2722,24 @@ +@@ -2629,6 +2722,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## ## @@ -9637,7 +8525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read removable storage symbolic links. ## ## -@@ -2837,7 +2948,7 @@ +@@ -2837,7 +2948,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links @@ -9646,7 +8534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -3962,6 +4073,24 @@ +@@ -3962,6 +4073,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -9671,7 +8559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4654,3 +4783,24 @@ +@@ -4654,3 +4783,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -9696,10 +8584,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + dontaudit $1 filesystem_type:lnk_file { read }; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.8.8/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.te 2010-08-24 10:24:43.000000000 -0400 -@@ -52,6 +52,7 @@ +diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te +index fb63c3a..712e644 100644 +--- a/policy/modules/kernel/filesystem.te ++++ b/policy/modules/kernel/filesystem.te +@@ -52,6 +52,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) @@ -9707,7 +8596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type bdev_t; fs_type(bdev_t) -@@ -67,7 +68,7 @@ +@@ -67,7 +68,7 @@ fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) @@ -9716,7 +8605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -106,6 +107,15 @@ +@@ -106,6 +107,15 @@ fs_type(ibmasmfs_t) allow ibmasmfs_t self:filesystem associate; genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0) @@ -9732,7 +8621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type inotifyfs_t; fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) -@@ -148,6 +158,12 @@ +@@ -148,6 +158,12 @@ fs_type(squash_t) genfscon squash / gen_context(system_u:object_r:squash_t,s0) files_mountpoint(squash_t) @@ -9745,7 +8634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) -@@ -248,6 +264,7 @@ +@@ -248,6 +264,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -9753,10 +8642,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy files_mountpoint(removable_t) # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.8.8/policy/modules/kernel/kernel.if ---- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/kernel.if 2010-08-23 18:10:26.000000000 -0400 -@@ -698,6 +698,26 @@ +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index ed7667a..d676187 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -698,6 +698,26 @@ interface(`kernel_read_debugfs',` ######################################## ## @@ -9783,7 +8673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Mount a kernel VM filesystem. ## ## -@@ -1977,7 +1997,7 @@ +@@ -1977,7 +1997,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -9792,7 +8682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') ######################################## -@@ -2845,6 +2865,24 @@ +@@ -2845,6 +2865,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -9817,7 +8707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Unconfined access to kernel module resources. ## ## -@@ -2860,3 +2898,23 @@ +@@ -2860,3 +2898,23 @@ interface(`kernel_unconfined',` typeattribute $1 kern_unconfined; ') @@ -9841,10 +8731,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel + allow $1 kernel_t:unix_stream_socket connectto; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.8.8/policy/modules/kernel/kernel.te ---- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/kernel.te 2010-07-30 14:06:53.000000000 -0400 -@@ -156,6 +156,7 @@ +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index 6fa55f2..90ee6db 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -156,6 +156,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) # type unlabeled_t; sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -9852,7 +8743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -255,7 +256,8 @@ +@@ -255,7 +256,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -9862,7 +8753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -269,19 +271,29 @@ +@@ -269,19 +271,29 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -9892,7 +8783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel optional_policy(` hotplug_search_config(kernel_t) ') -@@ -358,6 +370,10 @@ +@@ -358,6 +370,10 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -9903,10 +8794,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ######################################## # # Unlabeled process local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.8.8/policy/modules/kernel/selinux.if ---- nsaserefpolicy/policy/modules/kernel/selinux.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/selinux.if 2010-08-23 17:02:47.000000000 -0400 -@@ -40,7 +40,7 @@ +diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if +index f8b357c..bc1ed0f 100644 +--- a/policy/modules/kernel/selinux.if ++++ b/policy/modules/kernel/selinux.if +@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` # because of this statement, any module which # calls this interface must be in the base module: @@ -9915,7 +8807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu ') ######################################## -@@ -202,10 +202,31 @@ +@@ -202,10 +202,31 @@ interface(`selinux_dontaudit_read_fs',` type security_t; ') @@ -9947,7 +8839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu ######################################## ## ## Allows the caller to get the mode of policy enforcement -@@ -223,6 +244,7 @@ +@@ -223,6 +244,7 @@ interface(`selinux_get_enforce_mode',` type security_t; ') @@ -9955,7 +8847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; ') -@@ -404,6 +426,7 @@ +@@ -404,6 +426,7 @@ interface(`selinux_set_all_booleans',` ') allow $1 security_t:dir list_dir_perms; @@ -9963,7 +8855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu allow $1 boolean_type:file rw_file_perms; if(!secure_mode_policyload) { -@@ -622,3 +645,42 @@ +@@ -622,3 +645,42 @@ interface(`selinux_unconfined',` typeattribute $1 selinux_unconfined_type; ') @@ -10006,29 +8898,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu + allow $1 security_t:filesystem unmount; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.8.8/policy/modules/kernel/storage.fc ---- nsaserefpolicy/policy/modules/kernel/storage.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/storage.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -5,7 +5,7 @@ - /dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0) - /dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0) - /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0) --/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/[shmvx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0) - /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0) - /dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) -@@ -77,3 +77,6 @@ +diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc +index a9b8982..811b859 100644 +--- a/policy/modules/kernel/storage.fc ++++ b/policy/modules/kernel/storage.fc +@@ -77,3 +77,6 @@ ifdef(`distro_redhat', ` /dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0) + +/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.8.8/policy/modules/kernel/storage.if ---- nsaserefpolicy/policy/modules/kernel/storage.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/storage.if 2010-08-16 07:00:32.000000000 -0400 -@@ -101,6 +101,8 @@ +diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if +index 3723150..bde6daa 100644 +--- a/policy/modules/kernel/storage.if ++++ b/policy/modules/kernel/storage.if +@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; @@ -10037,7 +8922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag typeattribute $1 fixed_disk_raw_read; ') -@@ -203,6 +205,8 @@ +@@ -203,6 +205,8 @@ interface(`storage_create_fixed_disk_dev',` type fixed_disk_device_t; ') @@ -10046,10 +8931,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; dev_add_entry_generic_dirs($1) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.8.8/policy/modules/kernel/terminal.if ---- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if 2010-08-24 10:01:21.000000000 -0400 -@@ -292,9 +292,11 @@ +diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if +index 492bf76..f9930a3 100644 +--- a/policy/modules/kernel/terminal.if ++++ b/policy/modules/kernel/terminal.if +@@ -292,9 +292,11 @@ interface(`term_use_console',` interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; @@ -10062,7 +8948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## -@@ -848,7 +850,7 @@ +@@ -848,7 +850,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') @@ -10071,7 +8957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## -@@ -1215,7 +1217,7 @@ +@@ -1215,7 +1217,7 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') @@ -10080,7 +8966,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## -@@ -1252,10 +1254,12 @@ +@@ -1231,11 +1233,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` + # + interface(`term_getattr_all_ttys',` + gen_require(` ++ type tty_device_t; + attribute ttynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file getattr; ++ allow $1 tty_device_t:chr_file getattr; + ') + + ######################################## +@@ -1252,10 +1256,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -10093,7 +8993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## -@@ -1352,7 +1356,7 @@ +@@ -1352,7 +1358,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -10102,10 +9002,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.8.8/policy/modules/roles/auditadm.te ---- nsaserefpolicy/policy/modules/roles/auditadm.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/roles/auditadm.te 2010-07-30 14:06:53.000000000 -0400 -@@ -28,10 +28,13 @@ +diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te +index 252913b..a1bbe8f 100644 +--- a/policy/modules/roles/auditadm.te ++++ b/policy/modules/roles/auditadm.te +@@ -28,10 +28,13 @@ logging_manage_audit_log(auditadm_t) logging_manage_audit_config(auditadm_t) logging_run_auditctl(auditadm_t, auditadm_r) logging_run_auditd(auditadm_t, auditadm_r) @@ -10119,10 +9020,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad optional_policy(` consoletype_exec(auditadm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.8.8/policy/modules/roles/guest.te ---- nsaserefpolicy/policy/modules/roles/guest.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/roles/guest.te 2010-07-30 14:06:53.000000000 -0400 -@@ -14,4 +14,8 @@ +diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te +index 1875064..a3ddd43 100644 +--- a/policy/modules/roles/dbadm.te ++++ b/policy/modules/roles/dbadm.te +@@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false) + + role dbadm_r; + +-userdom_base_user_template(dbadm) ++userdom_unpriv_user_template(dbadm) + + ######################################## + # +@@ -58,3 +58,7 @@ optional_policy(` + optional_policy(` + postgresql_admin(dbadm_t, dbadm_r) + ') ++ ++optional_policy(` ++ sudo_role_template(dbadm, dbadm_r, dbadm_t) ++') +diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te +index 531c616..321e5a7 100644 +--- a/policy/modules/roles/guest.te ++++ b/policy/modules/roles/guest.te +@@ -14,4 +14,8 @@ userdom_restricted_user_template(guest) # Local policy # @@ -10132,10 +9055,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t +') + +gen_user(guest_u, user, guest_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.8.8/policy/modules/roles/secadm.te ---- nsaserefpolicy/policy/modules/roles/secadm.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/roles/secadm.te 2010-07-30 14:06:53.000000000 -0400 -@@ -9,6 +9,8 @@ +diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te +index ebe6a9c..e3a1987 100644 +--- a/policy/modules/roles/secadm.te ++++ b/policy/modules/roles/secadm.te +@@ -9,6 +9,8 @@ role secadm_r; userdom_unpriv_user_template(secadm) userdom_security_admin_template(secadm_t, secadm_r) @@ -10144,10 +9068,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm. ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.8.8/policy/modules/roles/staff.te ---- nsaserefpolicy/policy/modules/roles/staff.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/roles/staff.te 2010-08-24 23:01:42.000000000 -0400 -@@ -8,25 +8,60 @@ +diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te +index 0c9876c..fabc1a0 100644 +--- a/policy/modules/roles/staff.te ++++ b/policy/modules/roles/staff.te +@@ -8,17 +8,55 @@ policy_module(staff, 2.1.1) role staff_r; userdom_unpriv_user_template(staff) @@ -10165,14 +9090,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +kernel_getattr_core_if(staff_usertype) +kernel_getattr_message_if(staff_usertype) +kernel_read_software_raid_state(staff_usertype) ++kernel_read_fs_sysctls(staff_usertype) ++ ++domain_read_all_domains_state(staff_usertype) ++domain_getattr_all_domains(staff_usertype) ++domain_obj_id_change_exemption(staff_t) ++ ++files_read_kernel_modules(staff_usertype) ++ ++seutil_read_module_store(staff_t) ++seutil_run_newrole(staff_t, staff_r) ++ ++term_use_unallocated_ttys(staff_usertype) + +auth_domtrans_pam_console(staff_t) + +init_dbus_chat(staff_t) +init_dbus_chat_script(staff_t) + -+seutil_read_module_store(staff_t) -+seutil_run_newrole(staff_t, staff_r) ++miscfiles_read_hwdata(staff_usertype) ++ ++modutils_read_module_config(staff_usertype) ++modutils_read_module_deps(staff_usertype) ++ +netutils_run_ping(staff_t, staff_r) +netutils_signal_ping(staff_t) + @@ -10184,122 +9124,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t + mozilla_run_plugin(staff_t, staff_r) +') + -+ifndef(`distro_redhat',` -+ +optional_policy(` - auth_role(staff_r, staff_t) + auditadm_role_change(staff_r) ') -+') - optional_policy(` - auditadm_role_change(staff_r) +@@ -27,6 +65,18 @@ optional_policy(` ') optional_policy(` -+ kerneloops_manage_tmp_files(staff_t) ++ logadm_role_change(staff_r) +') + +optional_policy(` -+ logadm_role_change(staff_r) ++ webadm_role_change(staff_r) +') + -+ifndef(`distro_redhat',` +optional_policy(` - bluetooth_role(staff_r, staff_t) - ') - -@@ -94,12 +129,18 @@ - oident_manage_user_content(staff_t) - oident_relabel_user_content(staff_t) - ') ++ kerneloops_manage_tmp_files(staff_t) +') - - optional_policy(` ++ ++optional_policy(` postgresql_role(staff_r, staff_t) ') +@@ -35,6 +85,18 @@ optional_policy(` + ') + optional_policy(` -+ rtkit_scheduled(staff_t) ++ unconfined_role_change(staff_r) +') + -+ifndef(`distro_redhat',` +optional_policy(` - pyzor_role(staff_r, staff_t) - ') - -@@ -114,22 +155,27 @@ - optional_policy(` - screen_role_template(staff, staff_r, staff_t) - ') ++ rtkit_scheduled(staff_t) +') - - optional_policy(` - secadm_role_change(staff_r) - ') - -+ifndef(`distro_redhat',` - optional_policy(` - spamassassin_role(staff_r, staff_t) - ') ++ ++optional_policy(` ++ screen_role_template(staff, staff_r, staff_t) +') - - optional_policy(` ++ ++optional_policy(` ssh_role_template(staff, staff_r, staff_t) ') -+ifndef(`distro_redhat',` - optional_policy(` - su_role_template(staff, staff_r, staff_t) - ') -+') - - optional_policy(` - sudo_role_template(staff, staff_r, staff_t) -@@ -141,6 +187,11 @@ +@@ -48,6 +110,10 @@ optional_policy(` ') optional_policy(` + telepathy_dbus_session_role(staff_r, staff_t) +') + -+ifndef(`distro_redhat',` +optional_policy(` - thunderbird_role(staff_r, staff_t) + xserver_role(staff_r, staff_t) ') -@@ -164,6 +215,78 @@ - wireshark_role(staff_r, staff_t) - ') +@@ -137,10 +203,6 @@ ifndef(`distro_redhat',` + ') -+') -+ -+optional_policy(` -+ unconfined_role_change(staff_r) -+') -+ -+optional_policy(` -+ webadm_role_change(staff_r) -+') -+ - optional_policy(` - xserver_role(staff_r, staff_t) + optional_policy(` +- screen_role_template(staff, staff_r, staff_t) +- ') +- +- optional_policy(` + spamassassin_role(staff_r, staff_t) + ') + +@@ -172,3 +234,46 @@ ifndef(`distro_redhat',` + wireshark_role(staff_r, staff_t) + ') ') + -+domain_read_all_domains_state(staff_usertype) -+domain_getattr_all_domains(staff_usertype) -+domain_obj_id_change_exemption(staff_t) -+ -+files_read_kernel_modules(staff_usertype) -+ -+kernel_read_fs_sysctls(staff_usertype) -+ -+modutils_read_module_config(staff_usertype) -+modutils_read_module_deps(staff_usertype) -+ -+miscfiles_read_hwdata(staff_usertype) -+ -+term_use_unallocated_ttys(staff_usertype) -+ +optional_policy(` + accountsd_dbus_chat(staff_t) + accountsd_read_lib_files(staff_t) @@ -10330,10 +9223,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') + +optional_policy(` -+ screen_role_template(staff, staff_r, staff_t) -+') -+ -+optional_policy(` + setroubleshoot_stream_connect(staff_t) + setroubleshoot_dbus_chat(staff_t) + setroubleshoot_dbus_chat_fixit(staff_t) @@ -10346,15 +9235,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +optional_policy(` + userhelper_console_role_template(staff, staff_r, staff_usertype) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.8.8/policy/modules/roles/sysadm.te ---- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/roles/sysadm.te 2010-08-18 09:32:07.000000000 -0400 -@@ -27,17 +27,30 @@ +diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te +index 2a19751..1a95085 100644 +--- a/policy/modules/roles/sysadm.te ++++ b/policy/modules/roles/sysadm.te +@@ -24,20 +24,41 @@ ifndef(`enable_mls',` + # + # Local policy + # ++kernel_read_fs_sysctls(sysadm_t) corecmd_exec_shell(sysadm_t) +domain_dontaudit_read_all_domains_state(sysadm_t) + ++files_read_kernel_modules(sysadm_t) ++ mls_process_read_up(sysadm_t) +mls_file_read_to_clearance(sysadm_t) +mls_process_write_to_clearance(sysadm_t) @@ -10368,6 +9264,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. init_exec(sysadm_t) +init_exec_script_files(sysadm_t) +init_dbus_chat(sysadm_t) ++init_script_role_transition(sysadm_r) ++ ++modutils_read_module_deps(sysadm_t) ++ ++miscfiles_read_hwdata(sysadm_t) # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) @@ -10380,7 +9281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,6 +68,7 @@ +@@ -55,6 +76,7 @@ ifndef(`enable_mls',` logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r) @@ -10388,105 +9289,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') tunable_policy(`allow_ptrace',` -@@ -69,7 +83,9 @@ +@@ -69,7 +91,6 @@ optional_policy(` apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) - apache_role(sysadm_r, sysadm_t) -+ ifndef(`distro_redhat',` -+ apache_role(sysadm_r, sysadm_t) -+ ') ') optional_policy(` -@@ -85,9 +101,11 @@ - auditadm_role_change(sysadm_r) +@@ -98,6 +119,10 @@ optional_policy(` ') -+ifndef(`distro_redhat',` optional_policy(` - auth_role(sysadm_r, sysadm_t) - ') -+') - - optional_policy(` - backup_run(sysadm_t, sysadm_r) -@@ -97,17 +115,25 @@ - bind_run_ndc(sysadm_t, sysadm_r) - ') - -+ifndef(`distro_redhat',` - optional_policy(` - bluetooth_role(sysadm_r, sysadm_t) - ') -+') - - optional_policy(` - bootloader_run(sysadm_t, sysadm_r) - ') - -+ifndef(`distro_redhat',` - optional_policy(` - cdrecord_role(sysadm_r, sysadm_t) - ') ++ certmonger_dbus_chat(sysadm_t) +') + +optional_policy(` -+ certmonger_dbus_chat(sysadm_t) -+') - - optional_policy(` certwatch_run(sysadm_t, sysadm_r) -@@ -125,16 +151,18 @@ - consoletype_run(sysadm_t, sysadm_r) ') -+ifndef(`distro_redhat',` - optional_policy(` - cron_admin_role(sysadm_r, sysadm_t) +@@ -114,7 +139,7 @@ optional_policy(` ') optional_policy(` - cvs_exec(sysadm_t) -+ dbus_role_template(sysadm, sysadm_r, sysadm_t) -+') - ') - - optional_policy(` -- dbus_role_template(sysadm, sysadm_r, sysadm_t) + daemonstools_run_start(sysadm_t, sysadm_r) ') optional_policy(` -@@ -159,9 +187,11 @@ - dpkg_run(sysadm_t, sysadm_r) - ') - -+ifndef(`distro_redhat',` - optional_policy(` - evolution_role(sysadm_r, sysadm_t) - ') -+') - - optional_policy(` - firstboot_run(sysadm_t, sysadm_r) -@@ -171,6 +201,7 @@ - fstools_run(sysadm_t, sysadm_r) - ') - -+ifndef(`distro_redhat',` - optional_policy(` - games_role(sysadm_r, sysadm_t) - ') -@@ -186,6 +217,7 @@ - optional_policy(` - gpg_role(sysadm_r, sysadm_t) - ') -+') - - optional_policy(` - hostname_run(sysadm_t, sysadm_r) -@@ -199,6 +231,13 @@ +@@ -159,6 +184,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -10500,57 +9331,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -206,12 +245,18 @@ +@@ -166,15 +198,15 @@ optional_policy(` ') optional_policy(` +- kudzu_run(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) -+') -+ -+ifndef(`distro_redhat',` -+optional_policy(` - irc_role(sysadm_r, sysadm_t) - ') - - optional_policy(` - java_role(sysadm_r, sysadm_t) ') -+') optional_policy(` - kudzu_run(sysadm_t, sysadm_r) -@@ -221,9 +266,11 @@ - libs_run_ldconfig(sysadm_t, sysadm_r) +- libs_run_ldconfig(sysadm_t, sysadm_r) ++ kudzu_run(sysadm_t, sysadm_r) ') -+ifndef(`distro_redhat',` optional_policy(` - lockdev_role(sysadm_r, sysadm_t) +- lockdev_role(sysadm_r, sysadm_t) ++ libs_run_ldconfig(sysadm_t, sysadm_r) ') -+') optional_policy(` - logrotate_run(sysadm_t, sysadm_r) -@@ -246,8 +293,10 @@ +@@ -198,14 +230,7 @@ optional_policy(` optional_policy(` mount_run(sysadm_t, sysadm_r) +-') +- +-optional_policy(` +- mozilla_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` +- mplayer_role(sysadm_r, sysadm_t) + mount_run_showmount(sysadm_t, sysadm_r) ') -+ifndef(`distro_redhat',` - optional_policy(` - mozilla_role(sysadm_r, sysadm_t) - ') -@@ -255,6 +304,7 @@ - optional_policy(` - mplayer_role(sysadm_r, sysadm_t) - ') -+') - optional_policy(` - mta_role(sysadm_r, sysadm_t) -@@ -269,6 +319,10 @@ +@@ -221,6 +246,10 @@ optional_policy(` ') optional_policy(` @@ -10561,156 +9377,191 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. netutils_run(sysadm_t, sysadm_r) netutils_run_ping(sysadm_t, sysadm_r) netutils_run_traceroute(sysadm_t, sysadm_r) -@@ -302,8 +356,14 @@ +@@ -254,7 +283,7 @@ optional_policy(` ') optional_policy(` +- pyzor_role(sysadm_r, sysadm_t) + prelink_run(sysadm_t, sysadm_r) -+') -+ -+ifndef(`distro_redhat',` -+optional_policy(` - pyzor_role(sysadm_r, sysadm_t) ') -+') optional_policy(` - quota_run(sysadm_t, sysadm_r) -@@ -313,9 +373,11 @@ - raid_domtrans_mdadm(sysadm_t) +@@ -266,10 +295,6 @@ optional_policy(` ') -+ifndef(`distro_redhat',` optional_policy(` - razor_role(sysadm_r, sysadm_t) +- razor_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` + rpc_domtrans_nfsd(sysadm_t) ') -+') - optional_policy(` - rpc_domtrans_nfsd(sysadm_t) -@@ -325,9 +387,11 @@ +@@ -277,9 +302,6 @@ optional_policy(` rpm_run(sysadm_t, sysadm_r) ') -+ifndef(`distro_redhat',` - optional_policy(` - rssh_role(sysadm_r, sysadm_t) - ') -+') +-optional_policy(` +- rssh_role(sysadm_r, sysadm_t) +-') optional_policy(` rsync_exec(sysadm_t) -@@ -352,8 +416,14 @@ +@@ -304,9 +326,10 @@ optional_policy(` ') optional_policy(` +- spamassassin_role(sysadm_r, sysadm_t) + shutdown_run(sysadm_t, sysadm_r) -+') -+ -+ifndef(`distro_redhat',` -+optional_policy(` - spamassassin_role(sysadm_r, sysadm_t) ') -+') ++ optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) -@@ -376,9 +446,11 @@ - sysnet_run_dhcpc(sysadm_t, sysadm_r) ') - -+ifndef(`distro_redhat',` - optional_policy(` - thunderbird_role(sysadm_r, sysadm_t) +@@ -329,10 +352,6 @@ optional_policy(` ') -+') optional_policy(` +- thunderbird_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) -@@ -387,17 +459,21 @@ - tripwire_run_twprint(sysadm_t, sysadm_r) + tripwire_run_tripwire(sysadm_t, sysadm_r) + tripwire_run_twadmin(sysadm_t, sysadm_r) +@@ -340,18 +359,10 @@ optional_policy(` ') -+ifndef(`distro_redhat',` - optional_policy(` - tvtime_role(sysadm_r, sysadm_t) - ') -+') - optional_policy(` +- tvtime_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` tzdata_domtrans(sysadm_t) ') -+ifndef(`distro_redhat',` - optional_policy(` - uml_role(sysadm_r, sysadm_t) - ') -+') - optional_policy(` +- uml_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` unconfined_domtrans(sysadm_t) -@@ -411,9 +487,11 @@ - usbmodules_run(sysadm_t, sysadm_r) ') -+ifndef(`distro_redhat',` - optional_policy(` - userhelper_role_template(sysadm, sysadm_r, sysadm_t) +@@ -364,17 +375,14 @@ optional_policy(` ') -+') optional_policy(` +- userhelper_role_template(sysadm, sysadm_r, sysadm_t) +-') +- +-optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) -@@ -421,9 +499,15 @@ + usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) ') -+ifndef(`distro_redhat',` - optional_policy(` - vmware_role(sysadm_r, sysadm_t) - ') -+') + -+optional_policy(` + optional_policy(` +- vmware_role(sysadm_r, sysadm_t) + vpn_run(sysadm_t, sysadm_r) -+') + ') optional_policy(` - vpn_run(sysadm_t, sysadm_r) -@@ -434,13 +518,30 @@ +@@ -386,19 +394,22 @@ optional_policy(` ') optional_policy(` +- wireshark_role(sysadm_r, sysadm_t) + virt_stream_connect(sysadm_t) -+') -+ -+ifndef(`distro_redhat',` -+optional_policy(` - wireshark_role(sysadm_r, sysadm_t) ') optional_policy(` - xserver_role(sysadm_r, sysadm_t) +- xserver_role(sysadm_r, sysadm_t) ++ yam_run(sysadm_t, sysadm_r) ') -+') optional_policy(` - yam_run(sysadm_t, sysadm_r) +- yam_run(sysadm_t, sysadm_r) ++ zebra_stream_connect(sysadm_t) ') + + ifndef(`distro_redhat',` + optional_policy(` ++ apache_role(sysadm_r, sysadm_t) ++ ') ++ optional_policy(` + auth_role(sysadm_r, sysadm_t) + ') + +@@ -445,5 +456,60 @@ ifndef(`distro_redhat',` + optional_policy(` + java_role(sysadm_r, sysadm_t) + ') +-') + ++ optional_policy(` ++ lockdev_role(sysadm_r, sysadm_t) ++ ') + -+optional_policy(` -+ zebra_stream_connect(sysadm_t) -+') ++ optional_policy(` ++ mozilla_role(sysadm_r, sysadm_t) ++ ') + -+init_script_role_transition(sysadm_r) ++ optional_policy(` ++ mplayer_role(sysadm_r, sysadm_t) ++ ') + -+files_read_kernel_modules(sysadm_t) -+kernel_read_fs_sysctls(sysadm_t) -+modutils_read_module_deps(sysadm_t) -+miscfiles_read_hwdata(sysadm_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.8.8/policy/modules/roles/unconfineduser.fc ---- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.fc 2010-07-30 14:06:53.000000000 -0400 ++ optional_policy(` ++ pyzor_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ razor_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ rssh_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ spamassassin_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ thunderbird_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ tvtime_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ uml_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ userhelper_role_template(sysadm, sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ vmware_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ wireshark_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ xserver_role(sysadm_r, sysadm_t) ++ ') ++') +diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc +new file mode 100644 +index 0000000..0e8654b +--- /dev/null ++++ b/policy/modules/roles/unconfineduser.fc @@ -0,0 +1,8 @@ +# Add programs here which should not be confined by SELinux +# e.g.: @@ -10720,9 +9571,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + +/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if ---- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.if 2010-08-18 09:42:34.000000000 -0400 +diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if +new file mode 100644 +index 0000000..8b2cdf3 +--- /dev/null ++++ b/policy/modules/roles/unconfineduser.if @@ -0,0 +1,687 @@ +## Unconfiend user role + @@ -11411,9 +10264,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + allow $1 self:tun_socket relabelto; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te ---- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/roles/unconfineduser.te 2010-08-19 06:51:51.000000000 -0400 +diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te +new file mode 100644 +index 0000000..faef468 +--- /dev/null ++++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,458 @@ +policy_module(unconfineduser, 1.0.0) + @@ -11873,10 +10728,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.8.8/policy/modules/roles/unprivuser.te ---- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/roles/unprivuser.te 2010-08-19 06:52:56.000000000 -0400 -@@ -12,11 +12,18 @@ +diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te +index e8a507d..aac3fe1 100644 +--- a/policy/modules/roles/unprivuser.te ++++ b/policy/modules/roles/unprivuser.te +@@ -12,22 +12,48 @@ role user_r; userdom_unpriv_user_template(user) @@ -11890,17 +10746,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + mozilla_run_plugin(user_t, user_r) +') + -+ifndef(`distro_redhat',` -+optional_policy(` - auth_role(user_r, user_t) - ') - -@@ -104,12 +111,30 @@ - optional_policy(` - rssh_role(user_r, user_t) - ') -+') -+ +optional_policy(` + rpm_dontaudit_dbus_chat(user_t) +') @@ -11912,8 +10757,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu +optional_policy(` + sandbox_transition(user_t, user_r) +') - - optional_policy(` ++ ++optional_policy(` screen_role_template(user, user_r, user_t) ') @@ -11921,28 +10766,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu + telepathy_dbus_session_role(user_r, user_t) +') + -+ifndef(`distro_redhat',` -+optional_policy(` - spamassassin_role(user_r, user_t) - ') - -@@ -149,6 +174,12 @@ - wireshark_role(user_r, user_t) - ') - -+') -+ +optional_policy(` + setroubleshoot_dontaudit_stream_connect(user_t) +') + - optional_policy(` ++optional_policy(` xserver_role(user_r, user_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.8.8/policy/modules/roles/xguest.te ---- nsaserefpolicy/policy/modules/roles/xguest.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/roles/xguest.te 2010-08-23 17:20:22.000000000 -0400 -@@ -14,7 +14,7 @@ + + ifndef(`distro_redhat',` + optional_policy(` + auth_role(user_r, user_t) +- ') ++ ') + + optional_policy(` + bluetooth_role(user_r, user_t) +@@ -44,7 +70,7 @@ ifndef(`distro_redhat',` + optional_policy(` + dbus_role_template(user, user_r, user_t) + ') +- ++ + optional_policy(` + evolution_role(user_r, user_t) + ') +@@ -97,7 +123,7 @@ ifndef(`distro_redhat',` + oident_manage_user_content(user_t) + oident_relabel_user_content(user_t) + ') +- ++ + optional_policy(` + postgresql_role(user_r, user_t) + ') +@@ -115,7 +141,7 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- spamassassin_role(user_r, user_t) ++ spamassassin_role(user_r, user_t) + ') + + optional_policy(` +diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te +index e88b95f..e76f7a7 100644 +--- a/policy/modules/roles/xguest.te ++++ b/policy/modules/roles/xguest.te +@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true) ## ##

@@ -11951,7 +10822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. ##

## gen_tunable(xguest_connect_network, true) -@@ -29,12 +29,12 @@ +@@ -29,12 +29,12 @@ gen_tunable(xguest_use_bluetooth, true) role xguest_r; userdom_restricted_xwindows_user_template(xguest) @@ -11965,7 +10836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. ifndef(`enable_mls',` fs_exec_noxattr(xguest_t) -@@ -48,12 +48,21 @@ +@@ -48,12 +48,21 @@ ifndef(`enable_mls',` storage_raw_read_removable_device(xguest_t) ') ') @@ -11988,7 +10859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) -@@ -62,10 +71,9 @@ +@@ -62,10 +71,9 @@ optional_policy(` fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) @@ -12000,7 +10871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. ') ') -@@ -76,23 +84,90 @@ +@@ -76,23 +84,90 @@ optional_policy(` ') optional_policy(` @@ -12096,9 +10967,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest. -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.8.8/policy/modules/services/abrt.fc ---- nsaserefpolicy/policy/modules/services/abrt.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/abrt.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc +index 1bd5812..3b3ba64 100644 +--- a/policy/modules/services/abrt.fc ++++ b/policy/modules/services/abrt.fc @@ -15,6 +15,7 @@ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) @@ -12107,39 +10979,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.8.8/policy/modules/services/abrt.if ---- nsaserefpolicy/policy/modules/services/abrt.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/abrt.if 2010-08-10 07:15:12.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -130,6 +130,10 @@ +diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if +index 0b827c5..8a5d6a4 100644 +--- a/policy/modules/services/abrt.if ++++ b/policy/modules/services/abrt.if +@@ -130,6 +130,10 @@ interface(`abrt_domtrans_helper',` ') domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) + -+ifdef(`hide_broken_symptoms', ` -+ dontaudit abrt_helper_t $1:socket_class_set { read write }; -+') ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit abrt_helper_t $1:socket_class_set { read write }; ++ ') ') ######################################## -@@ -160,8 +164,25 @@ +@@ -160,8 +164,25 @@ interface(`abrt_run_helper',` ######################################## ## @@ -12153,7 +11008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +## +## +# -+interface(`abrt_append_cache_files',` ++interface(`abrt_cache_append',` + gen_require(` + type abrt_var_cache_t; + ') @@ -12167,16 +11022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## ## ## -@@ -169,7 +190,7 @@ - ## - ## - # --interface(`abrt_cache_manage',` -+interface(`abrt_manage_cache_files',` - gen_require(` - type abrt_var_cache_t; - ') -@@ -253,6 +274,24 @@ +@@ -253,6 +274,24 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') @@ -12201,10 +11047,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ##################################### ## ## All of the rules required to administrate -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.8/policy/modules/services/abrt.te ---- nsaserefpolicy/policy/modules/services/abrt.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/abrt.te 2010-08-23 09:53:21.000000000 -0400 -@@ -5,6 +5,14 @@ +diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te +index 93d31d5..65609e5 100644 +--- a/policy/modules/services/abrt.te ++++ b/policy/modules/services/abrt.te +@@ -5,6 +5,14 @@ policy_module(abrt, 1.1.1) # Declarations # @@ -12219,7 +11066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt type abrt_t; type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -50,7 +58,7 @@ +@@ -50,7 +58,7 @@ ifdef(`enable_mcs',` allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; dontaudit abrt_t self:capability sys_rawio; @@ -12228,7 +11075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -69,6 +77,7 @@ +@@ -69,6 +77,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -12236,7 +11083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,7 +91,7 @@ +@@ -82,7 +91,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -12245,7 +11092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -121,6 +130,8 @@ +@@ -121,6 +130,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -12254,7 +11101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,7 +142,7 @@ +@@ -131,7 +142,7 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -12263,7 +11110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -140,6 +151,15 @@ +@@ -140,6 +151,15 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) @@ -12279,7 +11126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,7 +170,12 @@ +@@ -150,7 +170,12 @@ optional_policy(` ') optional_policy(` @@ -12293,7 +11140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -178,6 +203,12 @@ +@@ -178,6 +203,12 @@ optional_policy(` ') optional_policy(` @@ -12306,7 +11153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt sssd_stream_connect(abrt_t) ') -@@ -203,6 +234,7 @@ +@@ -203,6 +234,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) domain_read_all_domains_state(abrt_helper_t) files_read_etc_files(abrt_helper_t) @@ -12314,7 +11161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -217,11 +249,26 @@ +@@ -217,11 +249,26 @@ term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) ifdef(`hide_broken_symptoms', ` @@ -12341,22 +11188,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.8.8/policy/modules/services/afs.if ---- nsaserefpolicy/policy/modules/services/afs.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/afs.if 2010-07-30 14:06:53.000000000 -0400 -@@ -63,7 +63,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.8.8/policy/modules/services/afs.te ---- nsaserefpolicy/policy/modules/services/afs.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/afs.te 2010-07-30 14:06:53.000000000 -0400 -@@ -82,6 +82,10 @@ +diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te +index 1632f10..2724c11 100644 +--- a/policy/modules/services/accountsd.te ++++ b/policy/modules/services/accountsd.te +@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0) + type accountsd_t; + type accountsd_exec_t; + dbus_system_domain(accountsd_t, accountsd_exec_t) ++init_daemon_domain(accountsd_t, accountsd_exec_t) ++role system_r types accountsd_t; + + type accountsd_var_lib_t; + files_type(accountsd_var_lib_t) +@@ -55,3 +57,8 @@ optional_policy(` + optional_policy(` + policykit_dbus_chat(accountsd_t) + ') ++ ++optional_policy(` ++ xserver_dbus_chat_xdm(accountsd_t) ++ xserver_manage_xdm_etc_files(accountsd_t) ++') +diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te +index de8b791..9ec36b9 100644 +--- a/policy/modules/services/afs.te ++++ b/policy/modules/services/afs.te +@@ -82,6 +82,10 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) kernel_rw_afs_state(afs_t) @@ -12367,9 +11225,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs. corenet_all_recvfrom_unlabeled(afs_t) corenet_all_recvfrom_netlabel(afs_t) corenet_tcp_sendrecv_generic_if(afs_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.8.8/policy/modules/services/aiccu.fc ---- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/aiccu.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc +new file mode 100644 +index 0000000..069518f +--- /dev/null ++++ b/policy/modules/services/aiccu.fc @@ -0,0 +1,6 @@ +/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0) +/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) @@ -12377,9 +11237,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) + +/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.8.8/policy/modules/services/aiccu.if ---- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/aiccu.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if +new file mode 100644 +index 0000000..420c856 +--- /dev/null ++++ b/policy/modules/services/aiccu.if @@ -0,0 +1,118 @@ +## Automatic IPv6 Connectivity Client Utility. + @@ -12499,9 +11361,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + admin_pattern($1, aiccu_var_run_t) + files_search_pids($1) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.8.8/policy/modules/services/aiccu.te ---- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/aiccu.te 2010-07-30 14:55:47.000000000 -0400 +diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te +new file mode 100644 +index 0000000..d21aa69 +--- /dev/null ++++ b/policy/modules/services/aiccu.te @@ -0,0 +1,71 @@ +policy_module(aiccu, 1.0.0) + @@ -12574,10 +11438,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + +sysnet_domtrans_ifconfig(aiccu_t) +sysnet_dns_name_resolve(aiccu_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.8.8/policy/modules/services/aisexec.te ---- nsaserefpolicy/policy/modules/services/aisexec.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/aisexec.te 2010-08-03 09:16:29.000000000 -0400 -@@ -32,7 +32,7 @@ +diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te +index 97c9cae..c24bd66 100644 +--- a/policy/modules/services/aisexec.te ++++ b/policy/modules/services/aisexec.te +@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t) # aisexec local policy # @@ -12586,7 +11451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise allow aisexec_t self:process { setrlimit setsched signal }; allow aisexec_t self:fifo_file rw_fifo_file_perms; allow aisexec_t self:sem create_sem_perms; -@@ -81,6 +81,9 @@ +@@ -81,6 +81,9 @@ logging_send_syslog_msg(aisexec_t) miscfiles_read_localization(aisexec_t) @@ -12596,10 +11461,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise optional_policy(` ccs_stream_connect(aisexec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.8.8/policy/modules/services/amavis.if ---- nsaserefpolicy/policy/modules/services/amavis.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/amavis.if 2010-08-19 05:56:46.000000000 -0400 -@@ -56,7 +56,7 @@ +diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if +index adb3d5f..de26af5 100644 +--- a/policy/modules/services/amavis.if ++++ b/policy/modules/services/amavis.if +@@ -56,7 +56,7 @@ interface(`amavis_read_spool_files',` ') files_search_spool($1) @@ -12608,10 +11474,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.8.8/policy/modules/services/amavis.te ---- nsaserefpolicy/policy/modules/services/amavis.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/amavis.te 2010-07-30 14:06:53.000000000 -0400 -@@ -92,9 +92,10 @@ +diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te +index cf34b4e..cc216a4 100644 +--- a/policy/modules/services/amavis.te ++++ b/policy/modules/services/amavis.te +@@ -92,9 +92,10 @@ manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir }) # pid file @@ -12623,10 +11490,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav kernel_read_kernel_sysctls(amavis_t) # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.8/policy/modules/services/apache.fc ---- nsaserefpolicy/policy/modules/services/apache.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/apache.fc 2010-08-20 07:38:00.000000000 -0400 -@@ -2,7 +2,7 @@ +diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc +index 9e39aa5..b37de8e 100644 +--- a/policy/modules/services/apache.fc ++++ b/policy/modules/services/apache.fc +@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -12635,7 +11503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) -@@ -24,7 +24,6 @@ +@@ -24,7 +24,6 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -12643,7 +11511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -43,8 +42,7 @@ +@@ -43,8 +42,7 @@ ifdef(`distro_suse', ` /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') @@ -12653,7 +11521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -74,7 +72,8 @@ +@@ -74,7 +72,8 @@ ifdef(`distro_suse', ` /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -12663,7 +11531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -86,7 +85,6 @@ +@@ -86,7 +85,6 @@ ifdef(`distro_suse', ` /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -12671,7 +11539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -109,3 +107,16 @@ +@@ -109,3 +107,16 @@ ifdef(`distro_debian', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -12688,9 +11556,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.8/policy/modules/services/apache.if ---- nsaserefpolicy/policy/modules/services/apache.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/apache.if 2010-08-21 06:54:45.000000000 -0400 +diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if +index c9e1a44..7260bf6 100644 +--- a/policy/modules/services/apache.if ++++ b/policy/modules/services/apache.if @@ -13,17 +13,13 @@ # template(`apache_content_template',` @@ -12711,7 +11580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac typealias httpd_$1_content_t alias httpd_$1_script_ro_t; files_type(httpd_$1_content_t) -@@ -41,11 +37,11 @@ +@@ -41,11 +37,11 @@ template(`apache_content_template',` corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) @@ -12725,7 +11594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; files_type(httpd_$1_ra_content_t) -@@ -54,7 +50,7 @@ +@@ -54,7 +50,7 @@ template(`apache_content_template',` domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; @@ -12734,7 +11603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; -@@ -86,7 +82,6 @@ +@@ -86,7 +82,6 @@ template(`apache_content_template',` manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) @@ -12742,7 +11611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -95,6 +90,7 @@ +@@ -95,6 +90,7 @@ template(`apache_content_template',` dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) @@ -12750,7 +11619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) -@@ -108,19 +104,6 @@ +@@ -108,19 +104,6 @@ template(`apache_content_template',` seutil_dontaudit_search_config(httpd_$1_script_t) @@ -12770,7 +11639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) -@@ -140,6 +123,7 @@ +@@ -140,6 +123,7 @@ template(`apache_content_template',` allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) @@ -12778,7 +11647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi',` -@@ -148,14 +132,19 @@ +@@ -148,14 +132,19 @@ template(`apache_content_template',` # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) @@ -12798,7 +11667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; -@@ -172,6 +161,7 @@ +@@ -172,6 +161,7 @@ template(`apache_content_template',` libs_read_lib_files(httpd_$1_script_t) miscfiles_read_localization(httpd_$1_script_t) @@ -12806,7 +11675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -182,15 +172,13 @@ +@@ -182,15 +172,13 @@ template(`apache_content_template',` optional_policy(` postgresql_unpriv_client(httpd_$1_script_t) @@ -12824,7 +11693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -229,6 +217,13 @@ +@@ -229,6 +217,13 @@ interface(`apache_role',` relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) @@ -12838,7 +11707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -@@ -312,6 +307,25 @@ +@@ -312,6 +307,25 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -12864,7 +11733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ####################################### ## ## Send a generic signal to apache. -@@ -400,7 +414,7 @@ +@@ -400,7 +414,7 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -12873,7 +11742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -526,6 +540,25 @@ +@@ -526,6 +540,25 @@ interface(`apache_rw_cache_files',` ######################################## ## ## Allow the specified domain to delete @@ -12899,7 +11768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Apache cache. ## ## -@@ -740,6 +773,25 @@ +@@ -740,6 +773,25 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## @@ -12925,7 +11794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow the specified domain to list ## the contents of the apache modules ## directory. -@@ -756,6 +808,7 @@ +@@ -756,6 +808,7 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -12933,7 +11802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -814,6 +867,7 @@ +@@ -814,6 +867,7 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -12941,7 +11810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_search_var($1) ') -@@ -836,11 +890,80 @@ +@@ -836,11 +890,80 @@ interface(`apache_manage_sys_content',` ') files_search_var($1) @@ -13022,7 +11891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Execute all web scripts in the system -@@ -858,6 +981,11 @@ +@@ -858,6 +981,11 @@ interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; type httpd_sys_script_t; @@ -13034,7 +11903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -945,7 +1073,7 @@ +@@ -945,7 +1073,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -13043,7 +11912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1086,6 +1214,25 @@ +@@ -1086,6 +1214,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -13069,7 +11938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Dontaudit attempts to write -@@ -1102,7 +1249,7 @@ +@@ -1102,7 +1249,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -13078,7 +11947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1172,7 +1319,7 @@ +@@ -1172,7 +1319,7 @@ interface(`apache_admin',` type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; @@ -13087,7 +11956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') allow $1 httpd_t:process { getattr ptrace signal_perms }; -@@ -1202,12 +1349,43 @@ +@@ -1202,12 +1349,43 @@ interface(`apache_admin',` kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; @@ -13132,10 +12001,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.8.8/policy/modules/services/apache.te ---- nsaserefpolicy/policy/modules/services/apache.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/apache.te 2010-08-23 17:21:05.000000000 -0400 -@@ -18,6 +18,8 @@ +diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te +index e33b9cd..08ec94f 100644 +--- a/policy/modules/services/apache.te ++++ b/policy/modules/services/apache.te +@@ -18,6 +18,8 @@ policy_module(apache, 2.2.0) # Declarations # @@ -13144,7 +12014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## ##

## Allow Apache to modify public files -@@ -36,6 +38,20 @@ +@@ -36,6 +38,20 @@ gen_tunable(allow_httpd_mod_auth_pam, false) ## ##

@@ -13165,7 +12035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow httpd to use built in scripting (usually php) ##

## -@@ -50,6 +66,13 @@ +@@ -50,6 +66,13 @@ gen_tunable(httpd_can_network_connect, false) ## ##

@@ -13179,7 +12049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow HTTPD scripts and modules to connect to databases over the network. ##

## -@@ -71,6 +94,13 @@ +@@ -71,6 +94,13 @@ gen_tunable(httpd_can_sendmail, false) ## ##

@@ -13193,7 +12063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow Apache to communicate with avahi service via dbus ##

## -@@ -100,6 +130,13 @@ +@@ -100,6 +130,13 @@ gen_tunable(httpd_enable_homedirs, false) ## ##

@@ -13207,7 +12077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ##

## -@@ -107,6 +144,13 @@ +@@ -107,6 +144,13 @@ gen_tunable(httpd_ssi_exec, false) ## ##

@@ -13221,7 +12091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. -@@ -130,7 +174,7 @@ +@@ -130,7 +174,7 @@ gen_tunable(httpd_use_cifs, false) ## ##

@@ -13230,7 +12100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ##

## gen_tunable(httpd_use_gpg, false) -@@ -142,6 +186,13 @@ +@@ -142,6 +186,13 @@ gen_tunable(httpd_use_gpg, false) ## gen_tunable(httpd_use_nfs, false) @@ -13244,7 +12114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac attribute httpdcontent; attribute httpd_user_content_type; -@@ -216,7 +267,10 @@ +@@ -216,7 +267,10 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -13256,7 +12126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +280,10 @@ +@@ -226,6 +280,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -13267,7 +12137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +291,7 @@ +@@ -233,6 +291,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; @@ -13275,7 +12145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -286,6 +345,7 @@ +@@ -286,6 +345,7 @@ allow httpd_t self:udp_socket create_socket_perms; manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) @@ -13283,7 +12153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -355,6 +415,7 @@ +@@ -355,6 +415,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -13291,7 +12161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,8 +426,10 @@ +@@ -365,8 +426,10 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -13302,7 +12172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -378,12 +441,12 @@ +@@ -378,12 +441,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -13318,7 +12188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domain_use_interactive_fds(httpd_t) -@@ -402,6 +465,10 @@ +@@ -402,6 +465,10 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -13329,7 +12199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_read_lib_files(httpd_t) -@@ -416,16 +483,31 @@ +@@ -416,16 +483,31 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -13363,7 +12233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -439,13 +521,25 @@ +@@ -439,13 +521,25 @@ tunable_policy(`httpd_can_network_relay',` corenet_tcp_connect_ftp_port(httpd_t) corenet_tcp_connect_http_port(httpd_t) corenet_tcp_connect_http_cache_port(httpd_t) @@ -13389,7 +12259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` fs_nfs_domtrans(httpd_t, httpd_sys_script_t) ') -@@ -456,6 +550,10 @@ +@@ -456,6 +550,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -13400,7 +12270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -470,11 +568,25 @@ +@@ -470,11 +568,25 @@ tunable_policy(`httpd_enable_homedirs',` userdom_read_user_home_content_files(httpd_t) ') @@ -13426,7 +12296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +596,16 @@ +@@ -484,7 +596,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -13443,7 +12313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_ssi_exec',` -@@ -500,8 +621,10 @@ +@@ -500,8 +621,10 @@ tunable_policy(`httpd_ssi_exec',` # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) @@ -13454,14 +12324,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -513,7 +636,13 @@ +@@ -513,7 +636,13 @@ optional_policy(` ') optional_policy(` - cobbler_search_lib(httpd_t) + cobbler_list_config(httpd_t) + cobbler_read_config(httpd_t) -+ cobbler_read_content(httpd_t) ++ cobbler_read_lib_files(httpd_t) + + tunable_policy(`httpd_can_network_connect_cobbler',` + corenet_tcp_connect_cobbler_port(httpd_t) @@ -13469,7 +12339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -528,7 +657,7 @@ +@@ -528,7 +657,7 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -13478,7 +12348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +666,12 @@ +@@ -537,8 +666,12 @@ optional_policy(` ') optional_policy(` @@ -13492,7 +12362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -557,6 +690,7 @@ +@@ -557,6 +690,7 @@ optional_policy(` optional_policy(` # Allow httpd to work with mysql @@ -13500,7 +12370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +701,7 @@ +@@ -567,6 +701,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -13508,7 +12378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -577,12 +712,23 @@ +@@ -577,12 +712,23 @@ optional_policy(` ') optional_policy(` @@ -13532,7 +12402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -591,6 +737,11 @@ +@@ -591,6 +737,11 @@ optional_policy(` ') optional_policy(` @@ -13544,7 +12414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +754,10 @@ +@@ -603,6 +754,10 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -13555,7 +12425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache helper local policy -@@ -618,6 +773,10 @@ +@@ -618,6 +773,10 @@ logging_send_syslog_msg(httpd_helper_t) userdom_use_user_terminals(httpd_helper_t) @@ -13566,7 +12436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -699,17 +858,18 @@ +@@ -699,17 +858,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -13588,7 +12458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +900,21 @@ +@@ -740,10 +900,21 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -13611,7 +12481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +940,12 @@ +@@ -769,6 +940,12 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -13624,7 +12494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -792,9 +969,13 @@ +@@ -792,9 +969,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t) files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -13638,7 +12508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +984,28 @@ +@@ -803,6 +984,28 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -13667,7 +12537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1033,16 @@ +@@ -830,6 +1033,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -13684,7 +12554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1055,7 @@ +@@ -842,6 +1055,7 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -13692,7 +12562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -891,11 +1105,33 @@ +@@ -891,11 +1105,33 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -13710,7 +12580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) -+') + ') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_user_script_t) @@ -13719,7 +12589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + +tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',` + userdom_read_user_home_content_files(httpd_t) - ') ++') + +# Removal of fastcgi, will cause problems without the following +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; @@ -13729,10 +12599,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.8.8/policy/modules/services/apcupsd.te ---- nsaserefpolicy/policy/modules/services/apcupsd.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/apcupsd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -94,6 +94,10 @@ +diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te +index 67c91aa..472ddad 100644 +--- a/policy/modules/services/apcupsd.te ++++ b/policy/modules/services/apcupsd.te +@@ -94,6 +94,10 @@ optional_policy(` ') optional_policy(` @@ -13743,31 +12614,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu mta_send_mail(apcupsd_t) mta_system_content(apcupsd_tmp_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.if serefpolicy-3.8.8/policy/modules/services/apm.if ---- nsaserefpolicy/policy/modules/services/apm.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/apm.if 2010-07-30 14:06:53.000000000 -0400 -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -43,7 +43,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.8.8/policy/modules/services/apm.te ---- nsaserefpolicy/policy/modules/services/apm.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/apm.te 2010-08-24 15:48:30.000000000 -0400 -@@ -62,6 +62,7 @@ +diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te +index 1c8c27e..1a44ccb 100644 +--- a/policy/modules/services/apm.te ++++ b/policy/modules/services/apm.te +@@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; @@ -13775,7 +12626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm. allow apmd_t self:unix_dgram_socket create_socket_perms; allow apmd_t self:unix_stream_socket create_stream_socket_perms; -@@ -81,6 +82,7 @@ +@@ -81,6 +82,7 @@ kernel_rw_all_sysctls(apmd_t) kernel_read_system_state(apmd_t) kernel_write_proc_files(apmd_t) @@ -13783,7 +12634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm. dev_read_realtime_clock(apmd_t) dev_read_urand(apmd_t) dev_rw_apm_bios(apmd_t) -@@ -144,6 +146,10 @@ +@@ -144,6 +146,10 @@ ifdef(`distro_redhat',` # ifconfig_exec_t needs to be run in its own domain for Red Hat optional_policy(` @@ -13794,7 +12645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm. sysnet_domtrans_ifconfig(apmd_t) ') -@@ -218,9 +224,13 @@ +@@ -218,9 +224,13 @@ optional_policy(` udev_read_state(apmd_t) #necessary? ') @@ -13808,10 +12659,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm. optional_policy(` vbetool_domtrans(apmd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.8.8/policy/modules/services/arpwatch.te ---- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/arpwatch.te 2010-08-03 09:15:01.000000000 -0400 -@@ -50,6 +50,7 @@ +diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te +index 0160ba4..f31b5c9 100644 +--- a/policy/modules/services/arpwatch.te ++++ b/policy/modules/services/arpwatch.te +@@ -50,6 +50,7 @@ kernel_read_network_state(arpwatch_t) kernel_read_kernel_sysctls(arpwatch_t) kernel_list_proc(arpwatch_t) kernel_read_proc_symlinks(arpwatch_t) @@ -13819,7 +12671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw corenet_all_recvfrom_unlabeled(arpwatch_t) corenet_all_recvfrom_netlabel(arpwatch_t) -@@ -63,6 +64,7 @@ +@@ -63,6 +64,7 @@ corenet_tcp_sendrecv_all_ports(arpwatch_t) corenet_udp_sendrecv_all_ports(arpwatch_t) dev_read_sysfs(arpwatch_t) @@ -13827,10 +12679,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw dev_rw_generic_usb_dev(arpwatch_t) fs_getattr_all_fs(arpwatch_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.8.8/policy/modules/services/asterisk.te ---- nsaserefpolicy/policy/modules/services/asterisk.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/asterisk.te 2010-07-30 14:06:53.000000000 -0400 -@@ -99,6 +99,7 @@ +diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te +index b9e94c4..608e3a1 100644 +--- a/policy/modules/services/asterisk.te ++++ b/policy/modules/services/asterisk.te +@@ -99,6 +99,7 @@ corenet_udp_sendrecv_all_ports(asterisk_t) corenet_tcp_bind_generic_node(asterisk_t) corenet_udp_bind_generic_node(asterisk_t) corenet_tcp_bind_asterisk_port(asterisk_t) @@ -13838,7 +12691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste corenet_udp_bind_asterisk_port(asterisk_t) corenet_udp_bind_sip_port(asterisk_t) corenet_sendrecv_asterisk_server_packets(asterisk_t) -@@ -109,6 +110,7 @@ +@@ -109,6 +110,7 @@ corenet_dontaudit_udp_bind_all_ports(asterisk_t) corenet_sendrecv_generic_server_packets(asterisk_t) corenet_tcp_connect_postgresql_port(asterisk_t) corenet_tcp_connect_snmp_port(asterisk_t) @@ -13846,7 +12699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) -@@ -147,6 +149,10 @@ +@@ -147,6 +149,10 @@ optional_policy(` ') optional_policy(` @@ -13857,22 +12710,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste postgresql_stream_connect(asterisk_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.8.8/policy/modules/services/automount.if ---- nsaserefpolicy/policy/modules/services/automount.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/automount.if 2010-07-30 14:06:53.000000000 -0400 -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.8.8/policy/modules/services/automount.te ---- nsaserefpolicy/policy/modules/services/automount.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/automount.te 2010-07-30 14:06:53.000000000 -0400 -@@ -145,6 +145,7 @@ +diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te +index a3eaf94..ac13727 100644 +--- a/policy/modules/services/automount.te ++++ b/policy/modules/services/automount.te +@@ -145,6 +145,7 @@ miscfiles_read_certs(automount_t) # Run mount in the mount_t domain. mount_domtrans(automount_t) @@ -13880,28 +12722,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto mount_signal(automount_t) userdom_dontaudit_use_unpriv_user_fds(automount_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.8.8/policy/modules/services/avahi.if ---- nsaserefpolicy/policy/modules/services/avahi.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/avahi.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -90,6 +90,7 @@ +diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if +index 210ca0b..e51354d 100644 +--- a/policy/modules/services/avahi.if ++++ b/policy/modules/services/avahi.if +@@ -90,6 +90,7 @@ interface(`avahi_dbus_chat',` class dbus send_msg; ') @@ -13909,10 +12734,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah allow $1 avahi_t:dbus send_msg; allow avahi_t $1:dbus send_msg; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.8.8/policy/modules/services/avahi.te ---- nsaserefpolicy/policy/modules/services/avahi.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/avahi.te 2010-07-30 14:06:53.000000000 -0400 -@@ -37,10 +37,11 @@ +diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te +index e4c76d0..0aa1998 100644 +--- a/policy/modules/services/avahi.te ++++ b/policy/modules/services/avahi.te +@@ -37,10 +37,11 @@ manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) @@ -13925,10 +12751,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah kernel_read_system_state(avahi_t) kernel_read_kernel_sysctls(avahi_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.8.8/policy/modules/services/bind.if ---- nsaserefpolicy/policy/modules/services/bind.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/bind.if 2010-08-12 16:43:18.000000000 -0400 -@@ -308,6 +308,27 @@ +diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if +index 44a1e3d..71f5514 100644 +--- a/policy/modules/services/bind.if ++++ b/policy/modules/services/bind.if +@@ -308,6 +308,27 @@ interface(`bind_read_zone',` ######################################## ## @@ -13956,7 +12783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind ## Manage BIND zone files. ## ## -@@ -359,9 +380,9 @@ +@@ -359,9 +380,9 @@ interface(`bind_udp_chat_named',` interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; @@ -13968,7 +12795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind type named_initrc_exec_t; ') -@@ -391,8 +412,7 @@ +@@ -391,8 +412,7 @@ interface(`bind_admin',` admin_pattern($1, named_zone_t) admin_pattern($1, dnssec_t) @@ -13978,10 +12805,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind files_list_pids($1) admin_pattern($1, named_var_run_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.8.8/policy/modules/services/bind.te ---- nsaserefpolicy/policy/modules/services/bind.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/bind.te 2010-07-30 14:06:53.000000000 -0400 -@@ -89,9 +89,10 @@ +diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te +index 2be1518..190b0bc 100644 +--- a/policy/modules/services/bind.te ++++ b/policy/modules/services/bind.te +@@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) manage_files_pattern(named_t, named_tmp_t, named_tmp_t) files_tmp_filetrans(named_t, named_tmp_t, { file dir }) @@ -13993,10 +12821,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind # read zone files allow named_t named_zone_t:dir list_dir_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.8.8/policy/modules/services/bitlbee.te ---- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/bitlbee.te 2010-07-30 14:06:53.000000000 -0400 -@@ -27,6 +27,7 @@ +diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te +index f42cdfc..e74f728 100644 +--- a/policy/modules/services/bitlbee.te ++++ b/policy/modules/services/bitlbee.te +@@ -27,6 +27,7 @@ files_type(bitlbee_var_t) # Local policy # # @@ -14004,7 +12833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl allow bitlbee_t self:udp_socket create_socket_perms; allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; -@@ -80,6 +81,10 @@ +@@ -80,6 +81,10 @@ files_read_usr_files(bitlbee_t) libs_legacy_use_shared_libs(bitlbee_t) @@ -14015,19 +12844,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl miscfiles_read_localization(bitlbee_t) sysnet_dns_name_resolve(bitlbee_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.8.8/policy/modules/services/bluetooth.if ---- nsaserefpolicy/policy/modules/services/bluetooth.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/bluetooth.if 2010-07-30 14:06:53.000000000 -0400 -@@ -64,7 +64,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -117,11 +117,32 @@ +diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if +index 3e45431..328302d 100644 +--- a/policy/modules/services/bluetooth.if ++++ b/policy/modules/services/bluetooth.if +@@ -117,6 +117,27 @@ interface(`bluetooth_dbus_chat',` ######################################## ## @@ -14055,22 +12876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) ## ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -136,7 +157,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -194,7 +215,7 @@ +@@ -194,7 +215,7 @@ interface(`bluetooth_dontaudit_read_helper_state',` interface(`bluetooth_admin',` gen_require(` type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; @@ -14079,7 +12885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue type bluetooth_conf_t, bluetooth_conf_rw_t; type bluetooth_initrc_exec_t; ') -@@ -217,9 +238,6 @@ +@@ -217,9 +238,6 @@ interface(`bluetooth_admin',` admin_pattern($1, bluetooth_conf_t) admin_pattern($1, bluetooth_conf_rw_t) @@ -14089,9 +12895,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue files_list_var_lib($1) admin_pattern($1, bluetooth_var_lib_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.8.8/policy/modules/services/boinc.fc ---- nsaserefpolicy/policy/modules/services/boinc.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/boinc.fc 2010-08-10 07:13:34.000000000 -0400 +diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc +new file mode 100644 +index 0000000..c095160 +--- /dev/null ++++ b/policy/modules/services/boinc.fc @@ -0,0 +1,8 @@ + +/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) @@ -14101,9 +12909,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) +/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) +/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.8.8/policy/modules/services/boinc.if ---- nsaserefpolicy/policy/modules/services/boinc.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/boinc.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if +new file mode 100644 +index 0000000..9f4885c +--- /dev/null ++++ b/policy/modules/services/boinc.if @@ -0,0 +1,151 @@ + +## policy for boinc @@ -14256,10 +13066,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + files_list_var_lib($1) + admin_pattern($1, boinc_var_lib_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te ---- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-08-24 22:47:01.000000000 -0400 -@@ -0,0 +1,152 @@ +diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te +new file mode 100644 +index 0000000..62a48ac +--- /dev/null ++++ b/policy/modules/services/boinc.te +@@ -0,0 +1,153 @@ +policy_module(boinc,1.0.0) + +######################################## @@ -14406,23 +13218,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + +corenet_tcp_connect_boinc_port(boinc_project_t) + ++dev_read_urand(boinc_project_t) +dev_rw_xserver_misc(boinc_project_t) + +files_read_etc_files(boinc_project_t) + +miscfiles_read_localization(boinc_project_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.8.8/policy/modules/services/bugzilla.fc ---- nsaserefpolicy/policy/modules/services/bugzilla.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc +new file mode 100644 +index 0000000..18f37e2 +--- /dev/null ++++ b/policy/modules/services/bugzilla.fc @@ -0,0 +1,4 @@ + +/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) +/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.if serefpolicy-3.8.8/policy/modules/services/bugzilla.if ---- nsaserefpolicy/policy/modules/services/bugzilla.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if +new file mode 100644 +index 0000000..922c4ba +--- /dev/null ++++ b/policy/modules/services/bugzilla.if @@ -0,0 +1,81 @@ +## Bugzilla server + @@ -14505,9 +13322,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz + admin_pattern($1, httpd_bugzilla_rw_content_t) + admin_pattern($1, httpd_bugzilla_ra_content_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.te serefpolicy-3.8.8/policy/modules/services/bugzilla.te ---- nsaserefpolicy/policy/modules/services/bugzilla.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/bugzilla.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te +new file mode 100644 +index 0000000..d31736b +--- /dev/null ++++ b/policy/modules/services/bugzilla.te @@ -0,0 +1,56 @@ +policy_module(bugzilla, 1.0) + @@ -14565,9 +13384,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugz + postgresql_stream_connect(httpd_bugzilla_script_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.8.8/policy/modules/services/cachefilesd.fc ---- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc +new file mode 100644 +index 0000000..24d9837 +--- /dev/null ++++ b/policy/modules/services/cachefilesd.fc @@ -0,0 +1,29 @@ +############################################################################### +# @@ -14598,9 +13419,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach +/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) + +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.8.8/policy/modules/services/cachefilesd.if ---- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if +new file mode 100644 +index 0000000..89d19e0 +--- /dev/null ++++ b/policy/modules/services/cachefilesd.if @@ -0,0 +1,41 @@ +############################################################################### +# @@ -14643,9 +13466,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach + allow cachefilesd_t $1:fifo_file rw_file_perms; + allow cachefilesd_t $1:process sigchld; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.8.8/policy/modules/services/cachefilesd.te ---- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/cachefilesd.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te +new file mode 100644 +index 0000000..8561265 +--- /dev/null ++++ b/policy/modules/services/cachefilesd.te @@ -0,0 +1,147 @@ +############################################################################### +# @@ -14794,10 +13619,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach +fs_getattr_xattr_fs(cachefiles_kernel_t) + +dev_search_sysfs(cachefiles_kernel_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-3.8.8/policy/modules/services/canna.te ---- nsaserefpolicy/policy/modules/services/canna.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/canna.te 2010-07-30 14:06:53.000000000 -0400 -@@ -42,9 +42,10 @@ +diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te +index 358b757..b819a47 100644 +--- a/policy/modules/services/canna.te ++++ b/policy/modules/services/canna.te +@@ -42,9 +42,10 @@ manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) files_var_lib_filetrans(canna_t, canna_var_lib_t, file) @@ -14809,10 +13635,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cann kernel_read_kernel_sysctls(canna_t) kernel_read_system_state(canna_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.8.8/policy/modules/services/ccs.te ---- nsaserefpolicy/policy/modules/services/ccs.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ccs.te 2010-07-30 14:06:53.000000000 -0400 -@@ -118,5 +118,10 @@ +diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te +index 4c90b57..bffe6b6 100644 +--- a/policy/modules/services/ccs.te ++++ b/policy/modules/services/ccs.te +@@ -118,5 +118,10 @@ optional_policy(` ') optional_policy(` @@ -14823,10 +13650,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs. +optional_policy(` unconfined_use_fds(ccs_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.8.8/policy/modules/services/certmaster.if ---- nsaserefpolicy/policy/modules/services/certmaster.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/certmaster.if 2010-07-30 14:06:53.000000000 -0400 -@@ -18,6 +18,25 @@ +diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if +index 27fe7ca..221ea9e 100644 +--- a/policy/modules/services/certmaster.if ++++ b/policy/modules/services/certmaster.if +@@ -18,6 +18,25 @@ interface(`certmaster_domtrans',` domtrans_pattern($1, certmaster_exec_t, certmaster_t) ') @@ -14852,19 +13680,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert ####################################### ## ## read certmaster logs. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.8.8/policy/modules/services/certmonger.if ---- nsaserefpolicy/policy/modules/services/certmonger.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/certmonger.if 2010-07-30 14:06:53.000000000 -0400 -@@ -45,7 +45,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -167,8 +167,8 @@ +diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if +index a3728d4..7a6e5ba 100644 +--- a/policy/modules/services/certmonger.if ++++ b/policy/modules/services/certmonger.if +@@ -167,8 +167,8 @@ interface(`certmonger_admin',` allow $2 system_r; files_search_var_lib($1) @@ -14875,20 +13695,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert - admin_pattern($1, cermonger_var_run_t) + admin_pattern($1, certmonger_var_run_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.8.8/policy/modules/services/certmonger.te ---- nsaserefpolicy/policy/modules/services/certmonger.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/certmonger.te 2010-07-30 14:06:53.000000000 -0400 -@@ -68,5 +68,5 @@ +diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te +index 9e83ed7..52312f5 100644 +--- a/policy/modules/services/certmonger.te ++++ b/policy/modules/services/certmonger.te +@@ -68,5 +68,5 @@ optional_policy(` ') optional_policy(` - unconfined_dbus_send(certmonger_t) + pcscd_stream_connect(certmonger_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.8.8/policy/modules/services/cgroup.te ---- nsaserefpolicy/policy/modules/services/cgroup.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cgroup.te 2010-08-10 07:20:55.000000000 -0400 -@@ -18,8 +18,8 @@ +diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te +index 8ca2333..63a18fc 100644 +--- a/policy/modules/services/cgroup.te ++++ b/policy/modules/services/cgroup.te +@@ -22,8 +22,8 @@ files_pid_file(cgred_var_run_t) type cgrules_etc_t; files_config_file(cgrules_etc_t) @@ -14899,7 +13721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro init_daemon_domain(cgconfig_t, cgconfig_exec_t) type cgconfig_initrc_exec_t; -@@ -33,7 +33,7 @@ +@@ -52,7 +52,7 @@ fs_unmount_cgroup(cgclear_t) # cgconfig personal policy. # @@ -14908,27 +13730,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro allow cgconfig_t cgconfig_etc_t:file read_file_perms; -@@ -53,7 +53,7 @@ - # cgred personal policy. - # - --allow cgred_t self:capability { net_admin sys_ptrace dac_override }; -+allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override }; - allow cgred_t self:netlink_socket { write bind create read }; - allow cgred_t self:unix_dgram_socket { write create connect }; - -@@ -65,6 +65,7 @@ - kernel_read_system_state(cgred_t) - - domain_read_all_domains_state(cgred_t) -+domain_setpriority_all_domains(cgred_t) - - files_getattr_all_files(cgred_t) - files_getattr_all_sockets(cgred_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.8.8/policy/modules/services/chronyd.if ---- nsaserefpolicy/policy/modules/services/chronyd.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/chronyd.if 2010-07-30 14:06:53.000000000 -0400 -@@ -19,6 +19,24 @@ +diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if +index 9a0da94..5a98145 100644 +--- a/policy/modules/services/chronyd.if ++++ b/policy/modules/services/chronyd.if +@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',` domtrans_pattern($1, chronyd_exec_t, chronyd_t) ') @@ -14953,7 +13759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro #################################### ## ## Execute chronyd -@@ -56,6 +74,64 @@ +@@ -56,6 +74,64 @@ interface(`chronyd_read_log',` read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) ') @@ -15018,7 +13824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro #################################### ## ## All of the rules required to administrate -@@ -77,6 +153,7 @@ +@@ -77,6 +153,7 @@ interface(`chronyd_admin',` gen_require(` type chronyd_t, chronyd_var_log_t; type chronyd_var_run_t, chronyd_var_lib_t; @@ -15026,7 +13832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro type chronyd_initrc_exec_t, chronyd_keys_t; ') -@@ -100,6 +177,5 @@ +@@ -100,6 +177,5 @@ interface(`chronyd_admin',` files_search_pids($1) admin_pattern($1, chronyd_var_run_t) @@ -15034,10 +13840,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro - admin_pattern($1, chronyd_tmp_t) + admin_pattern($1, chronyd_tmpfs_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.8.8/policy/modules/services/chronyd.te ---- nsaserefpolicy/policy/modules/services/chronyd.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/chronyd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -15,6 +15,9 @@ +diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te +index fa82327..7f4ca47 100644 +--- a/policy/modules/services/chronyd.te ++++ b/policy/modules/services/chronyd.te +@@ -15,6 +15,9 @@ init_script_file(chronyd_initrc_exec_t) type chronyd_keys_t; files_type(chronyd_keys_t) @@ -15047,7 +13854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro type chronyd_var_lib_t; files_type(chronyd_var_lib_t) -@@ -37,6 +40,10 @@ +@@ -37,6 +40,10 @@ allow chronyd_t self:unix_dgram_socket create_socket_perms; allow chronyd_t chronyd_keys_t:file read_file_perms; @@ -15058,7 +13865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -@@ -50,6 +57,7 @@ +@@ -50,6 +57,7 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) files_pid_filetrans(chronyd_t, chronyd_var_run_t, file) @@ -15066,10 +13873,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro corenet_udp_bind_ntp_port(chronyd_t) # bind to udp/323 corenet_udp_bind_chronyd_port(chronyd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.8.8/policy/modules/services/clamav.te ---- nsaserefpolicy/policy/modules/services/clamav.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/clamav.te 2010-08-23 11:36:59.000000000 -0400 -@@ -80,6 +80,7 @@ +diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te +index 8c36027..0a0f374 100644 +--- a/policy/modules/services/clamav.te ++++ b/policy/modules/services/clamav.te +@@ -80,6 +80,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) # var/lib files for clamd @@ -15077,11 +13885,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) -@@ -89,9 +90,10 @@ +@@ -89,9 +90,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file }) # pid file -+manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) ++manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) -files_pid_filetrans(clamd_t, clamd_var_run_t, { file dir }) @@ -15089,7 +13897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) -@@ -147,8 +149,10 @@ +@@ -147,8 +149,10 @@ optional_policy(` tunable_policy(`clamd_use_jit',` allow clamd_t self:process execmem; @@ -15100,7 +13908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ') ######################################## -@@ -182,6 +186,9 @@ +@@ -182,6 +186,9 @@ allow freshclam_t freshclam_var_log_t:dir setattr; allow freshclam_t clamd_var_log_t:dir search_dir_perms; logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) @@ -15110,7 +13918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +196,7 @@ +@@ -189,6 +196,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -15118,7 +13926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,6 +215,8 @@ +@@ -207,6 +215,8 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) @@ -15127,7 +13935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam optional_policy(` cron_system_entry(freshclam_t, freshclam_exec_t) ') -@@ -251,6 +261,7 @@ +@@ -251,6 +261,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t) corenet_tcp_connect_clamd_port(clamscan_t) kernel_read_kernel_sysctls(clamscan_t) @@ -15135,9 +13943,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.fc serefpolicy-3.8.8/policy/modules/services/cmirrord.fc ---- nsaserefpolicy/policy/modules/services/cmirrord.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/cmirrord.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc +new file mode 100644 +index 0000000..e500fa5 +--- /dev/null ++++ b/policy/modules/services/cmirrord.fc @@ -0,0 +1,6 @@ + +/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0) @@ -15145,9 +13955,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir +/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) + +/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.if serefpolicy-3.8.8/policy/modules/services/cmirrord.if ---- nsaserefpolicy/policy/modules/services/cmirrord.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/cmirrord.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if +new file mode 100644 +index 0000000..d5b410f +--- /dev/null ++++ b/policy/modules/services/cmirrord.if @@ -0,0 +1,118 @@ + +## policy for cmirrord @@ -15267,9 +14079,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir + admin_pattern($1, cmirrord_var_run_t) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.8.8/policy/modules/services/cmirrord.te ---- nsaserefpolicy/policy/modules/services/cmirrord.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/cmirrord.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te +new file mode 100644 +index 0000000..1e4adfa +--- /dev/null ++++ b/policy/modules/services/cmirrord.te @@ -0,0 +1,56 @@ +policy_module(cmirrord,1.0.0) + @@ -15327,9 +14141,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir +optional_policy(` + corosync_stream_connect(cmirrord_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.8.8/policy/modules/services/cobbler.fc ---- nsaserefpolicy/policy/modules/services/cobbler.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cobbler.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc +index 1cf6c4e..90c60df 100644 +--- a/policy/modules/services/cobbler.fc ++++ b/policy/modules/services/cobbler.fc @@ -1,7 +1,32 @@ -/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) -/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) @@ -15341,52 +14156,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb + +/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0) + -+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) ++/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) + -+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_content_t,s0) ++/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) + +/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0) + +# This should removable when cobbler package installs /var/www/cobbler/rendered +/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0) + -+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) -+/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_content_t,s0) ++/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.8.8/policy/modules/services/cobbler.if ---- nsaserefpolicy/policy/modules/services/cobbler.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cobbler.if 2010-07-30 14:06:53.000000000 -0400 -@@ -1,14 +1,4 @@ - ## Cobbler installation server. --## --##

--## Cobbler is a Linux installation server that allows for --## rapid setup of network installation environments. It --## glues together and automates many associated Linux --## tasks so you do not have to hop between lots of various --## commands and applications when rolling out new systems, --## and, in some cases, changing existing ones. --##

--## - - ######################################## - ## -@@ -26,6 +16,7 @@ +diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if +index 293e08d..a57fe37 100644 +--- a/policy/modules/services/cobbler.if ++++ b/policy/modules/services/cobbler.if +@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',` ') domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) @@ -15394,16 +14195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ') ######################################## -@@ -34,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed to transition. - ## - ## - # -@@ -48,7 +39,7 @@ +@@ -48,7 +49,7 @@ interface(`cobblerd_initrc_domtrans',` ######################################## ## @@ -15412,7 +14204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ## ## ## -@@ -56,19 +47,18 @@ +@@ -56,19 +57,18 @@ interface(`cobblerd_initrc_domtrans',` ## ## # @@ -15423,7 +14215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ') - read_files_pattern($1, cobbler_etc_t, cobbler_etc_t); -+ list_dirs_pattern($1, cobbler_content_t, cobbler_content_t) ++ list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) files_search_etc($1) ') @@ -15435,7 +14227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ## ## ## -@@ -76,17 +66,18 @@ +@@ -76,12 +76,13 @@ interface(`cobbler_read_config',` ## ## # @@ -15452,81 +14244,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ') ######################################## - ## --## Search cobbler dirs in /var/lib -+## Manage cobbler content. - ## - ## - ## -@@ -94,18 +85,20 @@ - ## - ## - # --interface(`cobbler_search_lib',` -+interface(`cobbler_manage_content',` - gen_require(` -- type cobbler_var_lib_t; -+ type cobbler_content_t; +@@ -100,6 +101,7 @@ interface(`cobbler_search_lib',` ') -- search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -+ manage_dirs_pattern($1, cobbler_content_t, cobbler_content_t) -+ manage_files_pattern($1, cobbler_content_t, cobbler_content_t) -+ manage_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t) + search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) files_search_var_lib($1) ') - ######################################## - ## --## Read cobbler files in /var/lib -+## Read cobbler content. - ## - ## - ## -@@ -113,18 +106,19 @@ - ## - ## - # --interface(`cobbler_read_lib_files',` -+interface(`cobbler_read_content',` - gen_require(` -- type cobbler_var_lib_t; -+ type cobbler_content_t; +@@ -119,6 +121,7 @@ interface(`cobbler_read_lib_files',` ') -- read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -+ read_files_pattern($1, cobbler_content_t, cobbler_content_t) -+ read_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t) + read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) files_search_var_lib($1) ') - ######################################## - ## --## Manage cobbler files in /var/lib -+## Search cobbler content. - ## - ## - ## -@@ -132,17 +126,56 @@ - ## - ## - # --interface(`cobbler_manage_lib_files',` -+interface(`cobbler_search_content',` - gen_require(` -- type cobbler_var_lib_t; -+ type cobbler_content_t; +@@ -137,12 +140,51 @@ interface(`cobbler_manage_lib_files',` + type cobbler_var_lib_t; ') -- manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) -+ search_dirs_pattern($1, cobbler_content_t, cobbler_content_t) -+ read_lnk_files_pattern($1, cobbler_content_t, cobbler_content_t) ++ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ++ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) files_search_var_lib($1) ') ######################################## ## -+## Read and write Cobbler log files. ++## dontaudit read and write Cobbler log files. +## +## +## @@ -15534,13 +14280,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +## +## +# -+interface(`cobbler_rw_log',` ++interface(`cobbler_dontaudit_rw_log',` + gen_require(` + type cobbler_var_log_t; + ') + -+ rw_files_pattern($1, cobbler_var_log_t, cobbler_var_log_t) -+ logging_search_logs($1) ++ dontaudit $1 cobbler_var_log_t:file rw_inherited_files_perms; +') + +######################################## @@ -15567,77 +14312,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ## All of the rules required to administrate ## an cobblerd environment ## -@@ -160,26 +193,44 @@ - # - interface(`cobblerd_admin',` +@@ -162,6 +204,9 @@ interface(`cobblerd_admin',` gen_require(` -- type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; -- type cobbler_etc_t, cobblerd_initrc_exec_t; -+ type cobblerd_t, cobbler_var_log_t; -+ type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t; + type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; + type cobbler_etc_t, cobblerd_initrc_exec_t; ++ type httpd_cobbler_content_t; ++ type httpd_cobbler_content_ra_t; ++ type httpd_cobbler_content_rw_t; ') allow $1 cobblerd_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, cobblerd_t, cobblerd_t) - -- files_search_etc($1) -+ cobblerd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 cobblerd_initrc_exec_t system_r; -+ allow $2 system_r; -+ - admin_pattern($1, cobbler_etc_t) -+ files_search_etc($1) - -+ admin_pattern($1, cobbler_content_t) - files_list_var_lib($1) -- admin_pattern($1, cobbler_var_lib_t) - -- logging_search_logs($1) +@@ -176,10 +221,18 @@ interface(`cobblerd_admin',` + logging_search_logs($1) admin_pattern($1, cobbler_var_log_t) -+ logging_search_logs($1) -- admin_pattern($1, httpd_cobbler_content_rw_t) -+ # below may want to be removed. -+ tunable_policy(`cobbler_anon_write',` -+ miscfiles_manage_public_files($1) -+ ') ++ apache_search_sys_content($1) ++ admin_pattern($1, httpd_cobbler_content_t) ++ admin_pattern($1, httpd_cobbler_content_ra_t) + admin_pattern($1, httpd_cobbler_content_rw_t) -- cobblerd_initrc_domtrans($1) -- domain_system_change_exemption($1) -- role_transition $2 cobblerd_initrc_exec_t system_r; -- allow $2 system_r; -+ optional_policy(` -+ gen_require(` -+ type httpd_cobbler_content_t; -+ ') -+ -+ # manage /var/www/cobbler -+ admin_pattern($1, httpd_cobbler_content_t) -+ apache_search_sys_content($1) -+ ') + cobblerd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cobblerd_initrc_exec_t system_r; + allow $2 system_r; + + optional_policy(` -+ # traverse /var/lib/tftpdir to get to cobbler_content_t there. ++ # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there. + tftp_search_rw_content($1) + ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.8.8/policy/modules/services/cobbler.te ---- nsaserefpolicy/policy/modules/services/cobbler.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cobbler.te 2010-08-05 09:43:50.000000000 -0400 -@@ -1,3 +1,4 @@ -+ - policy_module(cobbler, 1.1.0) - - ######################################## -@@ -7,11 +8,33 @@ - - ## - ##

--## Allow Cobbler to modify public files --## used for public file transfer services. -+## Allow Cobbler to modify public files -+## used for public file transfer services. +diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te +index 0258b48..6a6d7d7 100644 +--- a/policy/modules/services/cobbler.te ++++ b/policy/modules/services/cobbler.te +@@ -12,6 +12,28 @@ policy_module(cobbler, 1.1.0) ##

## gen_tunable(cobbler_anon_write, false) @@ -15666,28 +14374,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb type cobblerd_t; type cobblerd_exec_t; -@@ -23,28 +46,46 @@ - type cobbler_etc_t; - files_config_file(cobbler_etc_t) - -+type cobbler_content_t; -+typealias cobbler_content_t alias cobbler_var_lib_t; -+files_type(cobbler_content_t) -+ +@@ -26,25 +48,40 @@ files_config_file(cobbler_etc_t) type cobbler_var_log_t; logging_log_file(cobbler_var_log_t) -type cobbler_var_lib_t; --files_type(cobbler_var_lib_t) ++type cobbler_var_lib_t alias cobbler_content_t; + files_type(cobbler_var_lib_t) + +type cobbler_tmp_t; +files_tmp_file(cobbler_tmp_t) + -+# Cobbler check is not supported and is silently ignored. - ######################################## # --# Cobbler personal policy. -+# Cobbler local policy. + # Cobbler personal policy. # -allow cobblerd_t self:capability { chown dac_override fowner sys_nice }; @@ -15704,23 +14404,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) --manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) --manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) --files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file }) -+# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t. -+dontaudit cobblerd_t cobbler_content_t:dir relabel_dir_perms; ++# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t. ++dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms; + -+manage_dirs_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t) -+manage_files_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t) -+manage_lnk_files_pattern(cobblerd_t, cobbler_content_t, cobbler_content_t) -+files_var_lib_filetrans(cobblerd_t, cobbler_content_t, { dir file lnk_file }) + manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) + manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) +-files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file }) ++manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) ++files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file }) + +# Something really needs to write to cobbler.log. Ideally this should not be happening. +allow cobblerd_t cobbler_var_log_t:file write; append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) -@@ -52,39 +93,93 @@ +@@ -52,7 +89,12 @@ read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) @@ -15733,18 +14431,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb corecmd_exec_bin(cobblerd_t) corecmd_exec_shell(cobblerd_t) - - corenet_all_recvfrom_netlabel(cobblerd_t) - corenet_all_recvfrom_unlabeled(cobblerd_t) --corenet_sendrecv_cobbler_server_packets(cobblerd_t) --corenet_tcp_bind_cobbler_port(cobblerd_t) - corenet_tcp_bind_generic_node(cobblerd_t) +@@ -65,26 +107,75 @@ corenet_tcp_bind_generic_node(cobblerd_t) corenet_tcp_sendrecv_generic_if(cobblerd_t) corenet_tcp_sendrecv_generic_node(cobblerd_t) corenet_tcp_sendrecv_generic_port(cobblerd_t) -+corenet_tcp_bind_cobbler_port(cobblerd_t) +corenet_tcp_sendrecv_cobbler_port(cobblerd_t) -+corenet_sendrecv_cobbler_server_packets(cobblerd_t) +# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect. +corenet_tcp_connect_ftp_port(cobblerd_t) +corenet_tcp_sendrecv_ftp_port(cobblerd_t) @@ -15818,7 +14509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb optional_policy(` bind_read_config(cobblerd_t) bind_write_config(cobblerd_t) -@@ -95,6 +190,10 @@ +@@ -95,6 +186,10 @@ optional_policy(` ') optional_policy(` @@ -15829,7 +14520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb dhcpd_domtrans(cobblerd_t) dhcpd_initrc_domtrans(cobblerd_t) ') -@@ -106,16 +205,28 @@ +@@ -106,16 +201,28 @@ optional_policy(` ') optional_policy(` @@ -15857,36 +14548,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb + # 2. no FILES in /var/lib/TFTPDIR are hard linked. + # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg) + # are any of those hard linked? -+ tftp_filetrans_tftpdir(cobblerd_t, cobbler_content_t, { dir file }) ++ tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) ') ######################################## -@@ -123,6 +234,18 @@ - # Cobbler web local policy. - # - --apache_content_template(cobbler) --manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) --manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -+# This should be removable when cobbler package installs /var/www/cobbler/rendered. -+optional_policy(` -+ gen_require(` -+ attribute httpdcontent; -+ ') -+ -+ apache_content_template(cobbler) -+ # To filetrans the /var/www/cobbler/rendered directory to cobbler_content_t. -+ # I added "file" to it for now because fenris02 reported that cobbler buildiso tried to create a file with type -+ # httpd_cobbler_content_t and i do not know where exaclty. Google reports it should be /var/www/cobbler/pub but -+ # that directory should have been labeled cobbler_content_t. -+ filetrans_pattern(cobblerd_t, httpd_cobbler_content_t, cobbler_content_t, { dir file }) -+ # Something that runs in the cobberd_t domain tries to relabelfrom cobbler_content_t dir to httpd_sys_content_t. -+ dontaudit cobblerd_t httpdcontent:dir relabel_dir_perms; -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.8.8/policy/modules/services/consolekit.if ---- nsaserefpolicy/policy/modules/services/consolekit.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/consolekit.if 2010-08-11 08:07:53.000000000 -0400 -@@ -95,3 +95,22 @@ +diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if +index 42c6bd7..51afa67 100644 +--- a/policy/modules/services/consolekit.if ++++ b/policy/modules/services/consolekit.if +@@ -95,3 +95,22 @@ interface(`consolekit_read_pid_files',` files_search_pids($1) read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) ') @@ -15909,10 +14579,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + files_search_pids($1) + list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.8.8/policy/modules/services/consolekit.te ---- nsaserefpolicy/policy/modules/services/consolekit.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/consolekit.te 2010-07-30 14:06:53.000000000 -0400 -@@ -15,6 +15,9 @@ +diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te +index daf151d..cc2058b 100644 +--- a/policy/modules/services/consolekit.te ++++ b/policy/modules/services/consolekit.te +@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t) type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -15922,7 +14593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons ######################################## # # consolekit local policy -@@ -69,7 +72,10 @@ +@@ -69,7 +72,10 @@ logging_send_audit_msgs(consolekit_t) miscfiles_read_localization(consolekit_t) @@ -15933,7 +14604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons userdom_read_user_tmp_files(consolekit_t) hal_ptrace(consolekit_t) -@@ -83,6 +89,10 @@ +@@ -83,6 +89,10 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -15944,7 +14615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons dbus_system_domain(consolekit_t, consolekit_exec_t) optional_policy(` -@@ -99,16 +109,21 @@ +@@ -99,16 +109,21 @@ optional_policy(` ') optional_policy(` @@ -15969,16 +14640,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) xserver_non_drawing_client(consolekit_t) -@@ -125,5 +140,6 @@ +@@ -125,5 +140,6 @@ optional_policy(` optional_policy(` #reading .Xauthity + unconfined_ptrace(consolekit_t) unconfined_stream_connect(consolekit_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.8.8/policy/modules/services/corosync.fc ---- nsaserefpolicy/policy/modules/services/corosync.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/corosync.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc +index 3a6d7eb..2098ee9 100644 +--- a/policy/modules/services/corosync.fc ++++ b/policy/modules/services/corosync.fc @@ -3,6 +3,7 @@ /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) @@ -15987,10 +14659,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro /var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.8.8/policy/modules/services/corosync.te ---- nsaserefpolicy/policy/modules/services/corosync.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/corosync.te 2010-07-30 14:06:53.000000000 -0400 -@@ -5,6 +5,13 @@ +diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te +index 7d2cf85..317b025 100644 +--- a/policy/modules/services/corosync.te ++++ b/policy/modules/services/corosync.te +@@ -5,6 +5,13 @@ policy_module(corosync, 1.0.0) # Declarations # @@ -16004,7 +14677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro type corosync_t; type corosync_exec_t; init_daemon_domain(corosync_t, corosync_exec_t) -@@ -32,8 +39,8 @@ +@@ -32,8 +39,8 @@ files_pid_file(corosync_var_run_t) # corosync local policy # @@ -16015,7 +14688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro allow corosync_t self:fifo_file rw_fifo_file_perms; allow corosync_t self:sem create_sem_perms; -@@ -41,6 +48,8 @@ +@@ -41,6 +48,8 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto allow corosync_t self:unix_dgram_socket create_socket_perms; allow corosync_t self:udp_socket create_socket_perms; @@ -16024,7 +14697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir }) -@@ -63,8 +72,10 @@ +@@ -63,8 +72,10 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file }) kernel_read_system_state(corosync_t) @@ -16035,7 +14708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro corenet_udp_bind_netsupport_port(corosync_t) -@@ -73,6 +84,7 @@ +@@ -73,6 +84,7 @@ dev_read_urand(corosync_t) domain_read_all_domains_state(corosync_t) files_manage_mounttab(corosync_t) @@ -16043,7 +14716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro auth_use_nsswitch(corosync_t) -@@ -83,19 +95,26 @@ +@@ -83,19 +95,26 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) @@ -16075,10 +14748,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.8.8/policy/modules/services/courier.if ---- nsaserefpolicy/policy/modules/services/courier.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/courier.if 2010-07-30 14:06:53.000000000 -0400 -@@ -38,10 +38,12 @@ +diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if +index 37b03f6..9971337 100644 +--- a/policy/modules/services/courier.if ++++ b/policy/modules/services/courier.if +@@ -38,10 +38,12 @@ template(`courier_domain_template',` read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t) allow courier_$1_t courier_etc_t:dir list_dir_perms; @@ -16091,10 +14765,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour kernel_read_system_state(courier_$1_t) kernel_read_kernel_sysctls(courier_$1_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.8.8/policy/modules/services/courier.te ---- nsaserefpolicy/policy/modules/services/courier.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/courier.te 2010-07-30 14:06:53.000000000 -0400 -@@ -48,6 +48,7 @@ +diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te +index b96c242..72901d8 100644 +--- a/policy/modules/services/courier.te ++++ b/policy/modules/services/courier.te +@@ -48,6 +48,7 @@ allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms; allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms; allow courier_authdaemon_t courier_tcpd_t:process sigchld; @@ -16102,9 +14777,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.8.8/policy/modules/services/cron.fc ---- nsaserefpolicy/policy/modules/services/cron.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cron.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc +index 2eefc08..3e8ad69 100644 +--- a/policy/modules/services/cron.fc ++++ b/policy/modules/services/cron.fc @@ -14,7 +14,7 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -16114,7 +14790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -@@ -45,3 +45,7 @@ +@@ -45,3 +45,7 @@ ifdef(`distro_suse', ` /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) @@ -16122,9 +14798,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.8.8/policy/modules/services/cron.if ---- nsaserefpolicy/policy/modules/services/cron.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cron.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if +index 35241ed..cbd01be 100644 +--- a/policy/modules/services/cron.if ++++ b/policy/modules/services/cron.if @@ -12,6 +12,10 @@ ## # @@ -16136,7 +14813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ############################## # # Declarations -@@ -34,8 +38,12 @@ +@@ -34,8 +38,12 @@ template(`cron_common_crontab_template',` allow $1_t self:process { setsched signal_perms }; allow $1_t self:fifo_file rw_fifo_file_perms; @@ -16151,7 +14828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # create files in /var/spool/cron manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) -@@ -62,6 +70,7 @@ +@@ -62,6 +70,7 @@ template(`cron_common_crontab_template',` logging_send_syslog_msg($1_t) logging_send_audit_msgs($1_t) @@ -16159,7 +14836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron init_dontaudit_write_utmp($1_t) init_read_utmp($1_t) -@@ -76,6 +85,7 @@ +@@ -76,6 +85,7 @@ template(`cron_common_crontab_template',` userdom_use_user_terminals($1_t) # Read user crontabs userdom_read_user_home_content_files($1_t) @@ -16167,7 +14844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -106,6 +116,8 @@ +@@ -106,6 +116,8 @@ template(`cron_common_crontab_template',` interface(`cron_role',` gen_require(` type cronjob_t, crontab_t, crontab_exec_t; @@ -16176,7 +14853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') role $1 types { cronjob_t crontab_t }; -@@ -116,6 +128,13 @@ +@@ -116,6 +128,13 @@ interface(`cron_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, crontab_t) @@ -16190,7 +14867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # crontab shows up in user ps ps_process_pattern($2, crontab_t) allow $2 crontab_t:process signal; -@@ -154,27 +173,14 @@ +@@ -154,27 +173,14 @@ interface(`cron_role',` # interface(`cron_unconfined_role',` gen_require(` @@ -16220,16 +14897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron optional_policy(` gen_require(` class dbus send_msg; -@@ -308,7 +314,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -408,7 +414,43 @@ +@@ -408,7 +414,43 @@ interface(`cron_rw_pipes',` type crond_t; ') @@ -16274,7 +14942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -554,7 +596,7 @@ +@@ -554,7 +596,7 @@ interface(`cron_rw_system_job_pipes',` type system_cronjob_t; ') @@ -16283,7 +14951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -587,11 +629,14 @@ +@@ -587,11 +629,14 @@ interface(`cron_rw_system_job_stream_sockets',` # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -16299,7 +14967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -627,7 +672,48 @@ +@@ -627,7 +672,48 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; @@ -16348,10 +15016,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.8.8/policy/modules/services/cron.te ---- nsaserefpolicy/policy/modules/services/cron.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cron.te 2010-08-24 09:31:07.000000000 -0400 -@@ -63,9 +63,12 @@ +diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te +index f35b243..939877a 100644 +--- a/policy/modules/services/cron.te ++++ b/policy/modules/services/cron.te +@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t) type crond_tmp_t; files_tmp_file(crond_tmp_t) @@ -16364,7 +15033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron type crontab_exec_t; application_executable_file(crontab_exec_t) -@@ -79,6 +82,7 @@ +@@ -79,6 +82,7 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; @@ -16372,7 +15041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron type system_cron_spool_t, cron_spool_type; files_type(system_cron_spool_t) -@@ -87,6 +91,7 @@ +@@ -87,6 +91,7 @@ type system_cronjob_t alias system_crond_t; init_daemon_domain(system_cronjob_t, anacron_exec_t) corecmd_shell_entry_type(system_cronjob_t) role system_r types system_cronjob_t; @@ -16380,7 +15049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron type system_cronjob_lock_t alias system_crond_lock_t; files_lock_file(system_cronjob_lock_t) -@@ -108,6 +113,14 @@ +@@ -108,6 +113,14 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; files_type(user_cron_spool_t) ubac_constrained(user_cron_spool_t) @@ -16395,7 +15064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ######################################## # -@@ -138,7 +151,7 @@ +@@ -138,7 +151,7 @@ tunable_policy(`fcron_crond', ` allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; @@ -16404,7 +15073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron allow crond_t self:process { setexec setfscreate }; allow crond_t self:fd use; allow crond_t self:fifo_file rw_fifo_file_perms; -@@ -193,6 +206,8 @@ +@@ -193,6 +206,8 @@ corecmd_list_bin(crond_t) corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) @@ -16413,7 +15082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) -@@ -208,7 +223,9 @@ +@@ -208,7 +223,9 @@ init_spec_domtrans_script(crond_t) auth_use_nsswitch(crond_t) @@ -16423,7 +15092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -219,8 +236,10 @@ +@@ -219,8 +236,10 @@ miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) @@ -16434,7 +15103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`distro_debian',` # pam_limits is used -@@ -240,8 +259,17 @@ +@@ -240,8 +259,17 @@ ifdef(`distro_redhat', ` ') ') @@ -16454,7 +15123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -250,6 +278,20 @@ +@@ -250,6 +278,20 @@ optional_policy(` ') optional_policy(` @@ -16475,7 +15144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron amanda_search_var_lib(crond_t) ') -@@ -259,6 +301,8 @@ +@@ -259,6 +301,8 @@ optional_policy(` optional_policy(` hal_dbus_chat(crond_t) @@ -16484,7 +15153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -290,6 +334,8 @@ +@@ -290,6 +334,8 @@ optional_policy(` # allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; @@ -16493,7 +15162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -301,10 +347,17 @@ +@@ -301,10 +347,17 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -16512,7 +15181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -324,6 +377,7 @@ +@@ -324,6 +377,7 @@ allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -16520,7 +15189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -335,9 +389,13 @@ +@@ -335,9 +389,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -16535,7 +15204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -360,6 +418,7 @@ +@@ -360,6 +418,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) @@ -16543,7 +15212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -386,6 +445,7 @@ +@@ -386,6 +445,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -16551,7 +15220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -410,6 +470,8 @@ +@@ -410,6 +470,8 @@ seutil_read_config(system_cronjob_t) ifdef(`distro_redhat', ` # Run the rpm program in the rpm_t domain. Allow creation of RPM log files @@ -16560,7 +15229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -434,6 +496,8 @@ +@@ -434,6 +496,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -16569,7 +15238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -441,6 +505,14 @@ +@@ -441,6 +505,14 @@ optional_policy(` ') optional_policy(` @@ -16584,7 +15253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ftp_read_log(system_cronjob_t) ') -@@ -451,15 +523,24 @@ +@@ -451,15 +523,24 @@ optional_policy(` ') optional_policy(` @@ -16609,7 +15278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -475,7 +556,7 @@ +@@ -475,7 +556,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -16618,7 +15287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -490,6 +571,7 @@ +@@ -490,6 +571,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -16626,7 +15295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -497,6 +579,9 @@ +@@ -497,6 +579,9 @@ optional_policy(` ') optional_policy(` @@ -16636,19 +15305,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -590,7 +675,9 @@ +@@ -590,7 +675,10 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++allow cronjob_t user_cron_spool_t:file create_lnk_perms; tunable_policy(`fcron_crond', ` allow crond_t user_cron_spool_t:file manage_file_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.8.8/policy/modules/services/cups.fc ---- nsaserefpolicy/policy/modules/services/cups.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cups.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc +index 1b492ed..286ec9e 100644 +--- a/policy/modules/services/cups.fc ++++ b/policy/modules/services/cups.fc @@ -71,3 +71,9 @@ /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) @@ -16659,37 +15330,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.8.8/policy/modules/services/cups.if ---- nsaserefpolicy/policy/modules/services/cups.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cups.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -33,7 +33,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -124,7 +124,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -314,7 +314,7 @@ +diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if +index 305ddf4..2c2a551 100644 +--- a/policy/modules/services/cups.if ++++ b/policy/modules/services/cups.if +@@ -314,7 +314,7 @@ interface(`cups_stream_connect_ptal',` interface(`cups_admin',` gen_require(` type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; @@ -16698,7 +15343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups type cupsd_config_var_run_t, cupsd_lpd_var_run_t; type cupsd_var_run_t, ptal_etc_t; type ptal_var_run_t, hplip_var_run_t; -@@ -341,9 +341,6 @@ +@@ -341,9 +341,6 @@ interface(`cups_admin',` admin_pattern($1, cupsd_lpd_var_run_t) @@ -16708,10 +15353,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups admin_pattern($1, cupsd_tmp_t) files_list_tmp($1) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.8.8/policy/modules/services/cups.te ---- nsaserefpolicy/policy/modules/services/cups.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cups.te 2010-08-11 08:24:50.000000000 -0400 -@@ -15,6 +15,7 @@ +diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te +index 0f28095..11e74af 100644 +--- a/policy/modules/services/cups.te ++++ b/policy/modules/services/cups.te +@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) type cupsd_t; type cupsd_exec_t; init_daemon_domain(cupsd_t, cupsd_exec_t) @@ -16719,7 +15365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups type cupsd_etc_t; files_config_file(cupsd_etc_t) -@@ -123,6 +124,7 @@ +@@ -123,6 +124,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) files_search_etc(cupsd_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) @@ -16727,7 +15373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -@@ -137,6 +139,7 @@ +@@ -137,6 +139,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; allow cupsd_t cupsd_lock_t:file manage_file_perms; files_lock_filetrans(cupsd_t, cupsd_lock_t, file) @@ -16735,7 +15381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) allow cupsd_t cupsd_log_t:dir setattr; logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) -@@ -147,10 +150,11 @@ +@@ -147,10 +150,11 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) allow cupsd_t cupsd_var_run_t:dir setattr; @@ -16748,7 +15394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t hplip_t:process { signal sigkill }; -@@ -297,8 +301,10 @@ +@@ -297,8 +301,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -16759,7 +15405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') ') -@@ -371,8 +377,9 @@ +@@ -371,8 +377,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -16770,7 +15416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -425,6 +432,7 @@ +@@ -425,6 +432,7 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -16778,7 +15424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cups_stream_connect(cupsd_config_t) -@@ -453,6 +461,10 @@ +@@ -453,6 +461,10 @@ optional_policy(` ') optional_policy(` @@ -16789,7 +15435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -587,13 +599,19 @@ +@@ -587,13 +599,19 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -16809,19 +15455,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.8.8/policy/modules/services/cvs.te ---- nsaserefpolicy/policy/modules/services/cvs.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cvs.te 2010-07-30 14:06:53.000000000 -0400 -@@ -112,4 +112,5 @@ +diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te +index 88e7e97..9e8d14b 100644 +--- a/policy/modules/services/cvs.te ++++ b/policy/modules/services/cvs.te +@@ -112,4 +112,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.8.8/policy/modules/services/cyphesis.te ---- nsaserefpolicy/policy/modules/services/cyphesis.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cyphesis.te 2010-07-30 14:06:53.000000000 -0400 -@@ -36,9 +36,10 @@ +diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te +index 346f926..1f789f8 100644 +--- a/policy/modules/services/cyphesis.te ++++ b/policy/modules/services/cyphesis.te +@@ -36,9 +36,10 @@ logging_log_filetrans(cyphesis_t, cyphesis_log_t, file) allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms; files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file) @@ -16833,10 +15481,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph kernel_read_system_state(cyphesis_t) kernel_read_kernel_sysctls(cyphesis_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.8.8/policy/modules/services/cyrus.te ---- nsaserefpolicy/policy/modules/services/cyrus.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cyrus.te 2010-08-23 13:57:07.000000000 -0400 -@@ -26,7 +26,7 @@ +diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te +index 2a0f1c1..ab82c3c 100644 +--- a/policy/modules/services/cyrus.te ++++ b/policy/modules/services/cyrus.te +@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) # Local policy # @@ -16845,7 +15494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru dontaudit cyrus_t self:capability sys_tty_config; allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow cyrus_t self:process setrlimit; -@@ -135,6 +135,7 @@ +@@ -135,6 +135,7 @@ optional_policy(` ') optional_policy(` @@ -16853,10 +15502,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru snmp_read_snmp_var_lib_files(cyrus_t) snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.8.8/policy/modules/services/dbus.if ---- nsaserefpolicy/policy/modules/services/dbus.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/dbus.if 2010-07-30 14:06:53.000000000 -0400 -@@ -42,8 +42,10 @@ +diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if +index 39e901a..a93e5ca 100644 +--- a/policy/modules/services/dbus.if ++++ b/policy/modules/services/dbus.if +@@ -42,8 +42,10 @@ template(`dbus_role_template',` gen_require(` class dbus { send_msg acquire_svc }; @@ -16867,7 +15517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ############################## -@@ -76,7 +78,7 @@ +@@ -76,7 +78,7 @@ template(`dbus_role_template',` allow $3 $1_dbusd_t:unix_stream_socket connectto; # SE-DBus specific permissions @@ -16876,7 +15526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; -@@ -91,7 +93,7 @@ +@@ -91,7 +93,7 @@ template(`dbus_role_template',` allow $3 $1_dbusd_t:process { signull sigkill signal }; # cjp: this seems very broken @@ -16885,7 +15535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1_dbusd_t $3:process sigkill; allow $3 $1_dbusd_t:fd use; allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -149,13 +151,20 @@ +@@ -149,13 +151,20 @@ template(`dbus_role_template',` term_use_all_terms($1_dbusd_t) @@ -16907,7 +15557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus hal_dbus_chat($1_dbusd_t) ') -@@ -181,10 +190,12 @@ +@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -16920,7 +15570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -434,10 +445,21 @@ +@@ -434,10 +445,21 @@ interface(`dbus_system_domain',` dbus_system_bus_client($1) dbus_connect_system_bus($1) @@ -16942,10 +15592,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ifdef(`hide_broken_symptoms', ` dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.8.8/policy/modules/services/dbus.te ---- nsaserefpolicy/policy/modules/services/dbus.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/dbus.te 2010-07-30 14:06:53.000000000 -0400 -@@ -74,9 +74,10 @@ +diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te +index b738e94..4b3d9c4 100644 +--- a/policy/modules/services/dbus.te ++++ b/policy/modules/services/dbus.te +@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) @@ -16957,7 +15608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus kernel_read_system_state(system_dbusd_t) kernel_read_kernel_sysctls(system_dbusd_t) -@@ -121,7 +122,9 @@ +@@ -121,7 +122,9 @@ files_read_usr_files(system_dbusd_t) init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) @@ -16967,7 +15618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -141,7 +144,15 @@ +@@ -141,7 +144,15 @@ optional_policy(` ') optional_policy(` @@ -16984,7 +15635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) ') -@@ -158,5 +169,12 @@ +@@ -158,5 +169,12 @@ optional_policy(` # # Unconfined access to this module # @@ -16998,10 +15649,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + xserver_rw_xdm_pipes(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.8.8/policy/modules/services/dcc.te ---- nsaserefpolicy/policy/modules/services/dcc.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/dcc.te 2010-07-30 14:06:53.000000000 -0400 -@@ -231,8 +231,9 @@ +diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te +index f02cfe4..0cb9ac9 100644 +--- a/policy/modules/services/dcc.te ++++ b/policy/modules/services/dcc.te +@@ -231,8 +231,9 @@ manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir }) @@ -17012,22 +15664,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. kernel_read_system_state(dccd_t) kernel_read_kernel_sysctls(dccd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.8.8/policy/modules/services/denyhosts.if ---- nsaserefpolicy/policy/modules/services/denyhosts.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/denyhosts.if 2010-07-30 14:06:53.000000000 -0400 -@@ -32,7 +32,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.8.8/policy/modules/services/denyhosts.te ---- nsaserefpolicy/policy/modules/services/denyhosts.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/denyhosts.te 2010-08-13 13:33:16.000000000 -0400 -@@ -25,7 +25,8 @@ +diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te +index 8ba9425..d53ee7e 100644 +--- a/policy/modules/services/denyhosts.te ++++ b/policy/modules/services/denyhosts.te +@@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t) # # DenyHosts personal policy. # @@ -17037,7 +15678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; allow denyhosts_t self:tcp_socket create_socket_perms; allow denyhosts_t self:udp_socket create_socket_perms; -@@ -53,20 +54,28 @@ +@@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t) corenet_tcp_sendrecv_generic_node(denyhosts_t) corenet_tcp_bind_generic_node(denyhosts_t) corenet_tcp_connect_smtp_port(denyhosts_t) @@ -17066,10 +15707,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +optional_policy(` + gnome_dontaudit_search_config(denyhosts_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.8.8/policy/modules/services/devicekit.te ---- nsaserefpolicy/policy/modules/services/devicekit.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/devicekit.te 2010-08-24 15:48:30.000000000 -0400 -@@ -75,10 +75,12 @@ +diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te +index f231f17..a7de603 100644 +--- a/policy/modules/services/devicekit.te ++++ b/policy/modules/services/devicekit.te +@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) @@ -17082,7 +15724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi kernel_getattr_message_if(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) -@@ -105,8 +107,10 @@ +@@ -105,8 +107,10 @@ domain_read_all_domains_state(devicekit_disk_t) files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) @@ -17094,7 +15736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) -@@ -178,13 +182,25 @@ +@@ -178,13 +182,25 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -17121,37 +15763,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.8.8/policy/modules/services/dhcp.if ---- nsaserefpolicy/policy/modules/services/dhcp.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/dhcp.if 2010-07-30 14:06:53.000000000 -0400 -@@ -45,7 +45,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.8.8/policy/modules/services/dhcp.te ---- nsaserefpolicy/policy/modules/services/dhcp.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/dhcp.te 2010-07-30 14:06:53.000000000 -0400 -@@ -111,6 +111,11 @@ +@@ -225,6 +241,8 @@ auth_use_nsswitch(devicekit_power_t) + + miscfiles_read_localization(devicekit_power_t) + ++modutils_domtrans_insmod(devicekit_power_t) ++ + sysnet_read_config(devicekit_power_t) + sysnet_domtrans_ifconfig(devicekit_power_t) + +diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te +index d4424ad..a307b51 100644 +--- a/policy/modules/services/dhcp.te ++++ b/policy/modules/services/dhcp.te +@@ -111,6 +111,10 @@ optional_policy(` ') optional_policy(` -+ # Should we dontaudit or not? -+ cobbler_rw_log(dhcpd_t) ++ cobbler_dontaudit_rw_log(dhcpd_t) +') + +optional_policy(` dbus_system_bus_client(dhcpd_t) dbus_connect_system_bus(dhcpd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.8.8/policy/modules/services/djbdns.te ---- nsaserefpolicy/policy/modules/services/djbdns.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/djbdns.te 2010-07-30 14:06:53.000000000 -0400 -@@ -22,6 +22,8 @@ +diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te +index 22221ad..bd97d09 100644 +--- a/policy/modules/services/djbdns.te ++++ b/policy/modules/services/djbdns.te +@@ -22,6 +22,8 @@ djbdns_daemontools_domain_template(tinydns) # Local policy for axfrdns component # @@ -17160,47 +15800,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd daemontools_ipc_domain(djbdns_axfrdns_t) daemontools_read_svc(djbdns_axfrdns_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.8.8/policy/modules/services/dnsmasq.if ---- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/dnsmasq.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -45,7 +45,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.8.8/policy/modules/services/dnsmasq.te ---- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/dnsmasq.te 2010-07-30 14:06:53.000000000 -0400 -@@ -92,7 +92,11 @@ - userdom_dontaudit_search_user_home_dirs(dnsmasq_t) +diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te +index fdaeeba..a50a8a7 100644 +--- a/policy/modules/services/dnsmasq.te ++++ b/policy/modules/services/dnsmasq.te +@@ -96,6 +96,10 @@ optional_policy(` + ') optional_policy(` -- cobbler_read_lib_files(dnsmasq_t) -+ cobbler_read_content(dnsmasq_t) ++ cron_manage_pid_files(dnsmasq_t) +') + +optional_policy(` -+ cron_manage_pid_files(dnsmasq_t) + dbus_system_bus_client(dnsmasq_t) ') - optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.8.8/policy/modules/services/dovecot.fc ---- nsaserefpolicy/policy/modules/services/dovecot.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/dovecot.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -25,7 +25,7 @@ +diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc +index bfc880b..9a1dcba 100644 +--- a/policy/modules/services/dovecot.fc ++++ b/policy/modules/services/dovecot.fc +@@ -25,7 +25,7 @@ ifdef(`distro_debian', ` ifdef(`distro_redhat', ` /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) @@ -17209,10 +15828,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.8.8/policy/modules/services/dovecot.if ---- nsaserefpolicy/policy/modules/services/dovecot.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/dovecot.if 2010-07-30 14:06:53.000000000 -0400 -@@ -93,12 +93,14 @@ +diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if +index e1d7dc5..09f6f30 100644 +--- a/policy/modules/services/dovecot.if ++++ b/policy/modules/services/dovecot.if +@@ -93,12 +93,14 @@ interface(`dovecot_dontaudit_unlink_lib_files',` # interface(`dovecot_admin',` gen_require(` @@ -17229,7 +15849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove ') allow $1 dovecot_t:process { ptrace signal_perms }; -@@ -112,8 +114,11 @@ +@@ -112,8 +114,11 @@ interface(`dovecot_admin',` files_list_etc($1) admin_pattern($1, dovecot_etc_t) @@ -17243,7 +15863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_list_spool($1) admin_pattern($1, dovecot_spool_t) -@@ -121,6 +126,9 @@ +@@ -121,6 +126,9 @@ interface(`dovecot_admin',` files_list_var_lib($1) admin_pattern($1, dovecot_var_lib_t) @@ -17253,10 +15873,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_list_pids($1) admin_pattern($1, dovecot_var_run_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.8/policy/modules/services/dovecot.te ---- nsaserefpolicy/policy/modules/services/dovecot.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-24 10:17:59.000000000 -0400 -@@ -18,7 +18,7 @@ +diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te +index 14c6a2e..554ee5a 100644 +--- a/policy/modules/services/dovecot.te ++++ b/policy/modules/services/dovecot.te +@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; files_tmp_file(dovecot_auth_tmp_t) type dovecot_cert_t; @@ -17265,7 +15886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove type dovecot_deliver_t; type dovecot_deliver_exec_t; -@@ -58,7 +58,7 @@ +@@ -58,7 +58,7 @@ files_pid_file(dovecot_var_run_t) allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot }; dontaudit dovecot_t self:capability sys_tty_config; @@ -17274,7 +15895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_t self:fifo_file rw_fifo_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; -@@ -72,7 +72,8 @@ +@@ -72,7 +72,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms; read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) @@ -17284,7 +15905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t) -@@ -94,10 +95,11 @@ +@@ -94,10 +95,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) @@ -17297,7 +15918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) -@@ -159,6 +161,11 @@ +@@ -159,6 +161,11 @@ optional_policy(` ') optional_policy(` @@ -17309,7 +15930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postgresql_stream_connect(dovecot_t) ') -@@ -242,6 +249,7 @@ +@@ -242,6 +249,7 @@ optional_policy(` ') optional_policy(` @@ -17317,7 +15938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -253,19 +261,26 @@ +@@ -253,19 +261,26 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; allow dovecot_deliver_t dovecot_t:process signull; @@ -17346,15 +15967,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_deliver_t) -@@ -302,4 +317,5 @@ +@@ -302,4 +317,5 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` mta_manage_spool(dovecot_deliver_t) + mta_read_queue(dovecot_deliver_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.8.8/policy/modules/services/exim.fc ---- nsaserefpolicy/policy/modules/services/exim.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/exim.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc +index 298f066..c2570df 100644 +--- a/policy/modules/services/exim.fc ++++ b/policy/modules/services/exim.fc @@ -1,3 +1,6 @@ + +/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0) @@ -17362,10 +15984,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim /usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) /var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.8.8/policy/modules/services/exim.if ---- nsaserefpolicy/policy/modules/services/exim.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/exim.if 2010-07-30 14:06:53.000000000 -0400 -@@ -20,6 +20,24 @@ +diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if +index 6bef7f8..0217906 100644 +--- a/policy/modules/services/exim.if ++++ b/policy/modules/services/exim.if +@@ -20,6 +20,24 @@ interface(`exim_domtrans',` ######################################## ## @@ -17390,7 +16013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim ## Do not audit attempts to read, ## exim tmp files ## -@@ -194,3 +212,46 @@ +@@ -194,3 +212,46 @@ interface(`exim_manage_spool_files',` manage_files_pattern($1, exim_spool_t, exim_spool_t) files_search_spool($1) ') @@ -17437,10 +16060,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + files_search_pids($1) + admin_pattern($1, exim_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.8.8/policy/modules/services/exim.te ---- nsaserefpolicy/policy/modules/services/exim.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/exim.te 2010-07-30 14:06:53.000000000 -0400 -@@ -35,6 +35,9 @@ +diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te +index db36bfa..b55c438 100644 +--- a/policy/modules/services/exim.te ++++ b/policy/modules/services/exim.te +@@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t) application_executable_file(exim_exec_t) mta_agent_executable(exim_exec_t) @@ -17450,7 +16074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim type exim_log_t; logging_log_file(exim_log_t) -@@ -171,6 +174,10 @@ +@@ -171,6 +174,10 @@ optional_policy(` ') optional_policy(` @@ -17461,7 +16085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim tunable_policy(`exim_can_connect_db',` mysql_stream_connect(exim_t) ') -@@ -184,6 +191,7 @@ +@@ -184,6 +191,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -17469,10 +16093,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.8.8/policy/modules/services/fail2ban.if ---- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/fail2ban.if 2010-07-30 14:06:53.000000000 -0400 -@@ -138,6 +138,26 @@ +diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if +index f590a1f..e4261f5 100644 +--- a/policy/modules/services/fail2ban.if ++++ b/policy/modules/services/fail2ban.if +@@ -138,6 +138,26 @@ interface(`fail2ban_read_pid_files',` ######################################## ## @@ -17499,10 +16124,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail ## All of the rules required to administrate ## an fail2ban environment ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.8.8/policy/modules/services/fail2ban.te ---- nsaserefpolicy/policy/modules/services/fail2ban.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/fail2ban.te 2010-07-30 14:06:53.000000000 -0400 -@@ -94,5 +94,9 @@ +diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te +index 2a69e5e..fd30b02 100644 +--- a/policy/modules/services/fail2ban.te ++++ b/policy/modules/services/fail2ban.te +@@ -94,5 +94,9 @@ optional_policy(` ') optional_policy(` @@ -17512,10 +16138,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +optional_policy(` iptables_domtrans(fail2ban_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.8.8/policy/modules/services/fetchmail.te ---- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/fetchmail.te 2010-07-30 14:06:53.000000000 -0400 -@@ -37,8 +37,9 @@ +diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te +index c92403b..f50e0f1 100644 +--- a/policy/modules/services/fetchmail.te ++++ b/policy/modules/services/fetchmail.te +@@ -37,8 +37,9 @@ allow fetchmail_t fetchmail_etc_t:file read_file_perms; allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) @@ -17526,39 +16153,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc kernel_read_kernel_sysctls(fetchmail_t) kernel_list_proc(fetchmail_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/finger.if serefpolicy-3.8.8/policy/modules/services/finger.if ---- nsaserefpolicy/policy/modules/services/finger.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/finger.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.8.8/policy/modules/services/fprintd.te ---- nsaserefpolicy/policy/modules/services/fprintd.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/fprintd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -54,4 +54,5 @@ +diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te +index 7df52c7..54fada0 100644 +--- a/policy/modules/services/fprintd.te ++++ b/policy/modules/services/fprintd.te +@@ -54,4 +54,5 @@ optional_policy(` policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) policykit_domtrans_auth(fprintd_t) + policykit_dbus_chat_auth(fprintd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.8.8/policy/modules/services/ftp.fc ---- nsaserefpolicy/policy/modules/services/ftp.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ftp.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc +index 69dcd2a..a9a9116 100644 +--- a/policy/modules/services/ftp.fc ++++ b/policy/modules/services/ftp.fc @@ -29,3 +29,4 @@ /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) +/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.8.8/policy/modules/services/ftp.te ---- nsaserefpolicy/policy/modules/services/ftp.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ftp.te 2010-07-30 14:06:53.000000000 -0400 -@@ -40,6 +40,13 @@ +diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te +index 8a74a83..34a0014 100644 +--- a/policy/modules/services/ftp.te ++++ b/policy/modules/services/ftp.te +@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false) ## ##

@@ -17572,7 +16190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ## Allow ftp to read and write files in the user home directories ##

## -@@ -70,6 +77,14 @@ +@@ -70,6 +77,14 @@ gen_tunable(sftpd_enable_homedirs, false) ## gen_tunable(sftpd_full_access, false) @@ -17587,7 +16205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. type anon_sftpd_t; typealias anon_sftpd_t alias sftpd_anon_t; domain_type(anon_sftpd_t) -@@ -115,6 +130,10 @@ +@@ -115,6 +130,10 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh) ') @@ -17598,7 +16216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ######################################## # # anon-sftp local policy -@@ -133,7 +152,7 @@ +@@ -133,7 +152,7 @@ tunable_policy(`sftpd_anon_write',` # ftpd local policy # @@ -17607,7 +16225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. dontaudit ftpd_t self:capability sys_tty_config; allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; allow ftpd_t self:fifo_file rw_fifo_file_perms; -@@ -151,7 +170,6 @@ +@@ -151,7 +170,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file) manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) @@ -17615,7 +16233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -270,10 +288,13 @@ +@@ -270,10 +288,13 @@ tunable_policy(`ftp_home_dir',` # allow access to /home files_list_home(ftpd_t) userdom_read_user_home_content_files(ftpd_t) @@ -17633,7 +16251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -316,6 +337,23 @@ +@@ -316,6 +337,23 @@ optional_policy(` ') optional_policy(` @@ -17657,7 +16275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) optional_policy(` -@@ -362,21 +400,33 @@ +@@ -362,21 +400,33 @@ userdom_use_user_terminals(ftpdctl_t) # # sftpd local policy # @@ -17695,9 +16313,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.8.8/policy/modules/services/git.fc ---- nsaserefpolicy/policy/modules/services/git.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/git.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc +index 54f0737..7ab4c92 100644 +--- a/policy/modules/services/git.fc ++++ b/policy/modules/services/git.fc @@ -1,3 +1,12 @@ +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t, s0) +HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t, s0) @@ -17711,9 +16330,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.8.8/policy/modules/services/git.if ---- nsaserefpolicy/policy/modules/services/git.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/git.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if +index 458aac6..63742a3 100644 +--- a/policy/modules/services/git.if ++++ b/policy/modules/services/git.if @@ -1 +1,525 @@ -## GIT revision control system +## Fast Version Control System. @@ -18241,9 +16861,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + userdom_search_user_home_dirs($1) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.8.8/policy/modules/services/git.te ---- nsaserefpolicy/policy/modules/services/git.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/git.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te +index 7382f85..cf17085 100644 +--- a/policy/modules/services/git.te ++++ b/policy/modules/services/git.te @@ -1,8 +1,192 @@ -policy_module(git, 1.0) +policy_module(git, 1.0.3) @@ -18440,10 +17061,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +git_role_template(git_shell) +gen_user(git_shell_u, user, git_shell_r, s0, s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.8.8/policy/modules/services/gnomeclock.if ---- nsaserefpolicy/policy/modules/services/gnomeclock.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/gnomeclock.if 2010-07-30 14:06:53.000000000 -0400 -@@ -63,3 +63,24 @@ +diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if +index 671d8fd..da0e844 100644 +--- a/policy/modules/services/gnomeclock.if ++++ b/policy/modules/services/gnomeclock.if +@@ -63,3 +63,24 @@ interface(`gnomeclock_dbus_chat',` allow $1 gnomeclock_t:dbus send_msg; allow gnomeclock_t $1:dbus send_msg; ') @@ -18468,10 +17090,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom + dontaudit $1 gnomeclock_t:dbus send_msg; + dontaudit gnomeclock_t $1:dbus send_msg; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.8.8/policy/modules/services/gpsd.te ---- nsaserefpolicy/policy/modules/services/gpsd.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/gpsd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -56,6 +56,10 @@ +diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te +index 03742d8..7b9c543 100644 +--- a/policy/modules/services/gpsd.te ++++ b/policy/modules/services/gpsd.te +@@ -56,6 +56,10 @@ logging_send_syslog_msg(gpsd_t) miscfiles_read_localization(gpsd_t) optional_policy(` @@ -18482,10 +17105,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd dbus_system_bus_client(gpsd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.8.8/policy/modules/services/hal.if ---- nsaserefpolicy/policy/modules/services/hal.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/hal.if 2010-07-30 14:06:53.000000000 -0400 -@@ -377,6 +377,26 @@ +diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if +index 7cf6763..d01cab6 100644 +--- a/policy/modules/services/hal.if ++++ b/policy/modules/services/hal.if +@@ -377,6 +377,26 @@ interface(`hal_read_pid_files',` ######################################## ## @@ -18512,10 +17136,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ## Read/Write hald PID files. ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.8.8/policy/modules/services/hal.te ---- nsaserefpolicy/policy/modules/services/hal.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/hal.te 2010-07-30 14:06:53.000000000 -0400 -@@ -54,6 +54,9 @@ +diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te +index 24c6253..0a54d67 100644 +--- a/policy/modules/services/hal.te ++++ b/policy/modules/services/hal.te +@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t) type hald_var_lib_t; files_type(hald_var_lib_t) @@ -18525,7 +17150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local policy -@@ -99,7 +102,7 @@ +@@ -99,7 +102,7 @@ kernel_read_fs_sysctls(hald_t) kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) kernel_write_proc_files(hald_t) @@ -18534,7 +17159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. kernel_setsched(hald_t) kernel_request_load_module(hald_t) -@@ -125,6 +128,7 @@ +@@ -125,6 +128,7 @@ dev_rw_printer(hald_t) dev_read_lvm_control(hald_t) dev_getattr_all_chr_files(hald_t) dev_manage_generic_chr_files(hald_t) @@ -18542,7 +17167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. dev_rw_generic_usb_dev(hald_t) dev_setattr_generic_usb_dev(hald_t) dev_setattr_usbfs_files(hald_t) -@@ -211,10 +215,13 @@ +@@ -211,10 +215,13 @@ seutil_read_config(hald_t) seutil_read_default_contexts(hald_t) seutil_read_file_contexts(hald_t) @@ -18557,7 +17182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -268,6 +275,10 @@ +@@ -268,6 +275,10 @@ optional_policy(` ') optional_policy(` @@ -18568,7 +17193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. gpm_dontaudit_getattr_gpmctl(hald_t) ') -@@ -318,6 +329,10 @@ +@@ -318,6 +329,10 @@ optional_policy(` ') optional_policy(` @@ -18579,7 +17204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. udev_domtrans(hald_t) udev_read_db(hald_t) ') -@@ -338,6 +353,10 @@ +@@ -338,6 +353,10 @@ optional_policy(` virt_manage_images(hald_t) ') @@ -18590,7 +17215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Hal acl local policy -@@ -358,6 +377,7 @@ +@@ -358,6 +377,7 @@ files_search_var_lib(hald_acl_t) manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -18598,7 +17223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. corecmd_exec_bin(hald_acl_t) -@@ -470,6 +490,10 @@ +@@ -470,6 +490,10 @@ files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) @@ -18609,19 +17234,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local hald dccm policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.8.8/policy/modules/services/hddtemp.fc ---- nsaserefpolicy/policy/modules/services/hddtemp.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/hddtemp.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -1,5 +1,3 @@ - /etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0) - --/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0) -- - /usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.8.8/policy/modules/services/icecast.te ---- nsaserefpolicy/policy/modules/services/icecast.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/icecast.te 2010-07-30 14:06:53.000000000 -0400 -@@ -37,6 +37,8 @@ +diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te +index a57ffc0..fbcdd74 100644 +--- a/policy/modules/services/icecast.te ++++ b/policy/modules/services/icecast.te +@@ -37,6 +37,8 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) @@ -18630,7 +17247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec corenet_tcp_bind_soundd_port(icecast_t) # Init script handling -@@ -51,5 +53,9 @@ +@@ -51,5 +53,9 @@ miscfiles_read_localization(icecast_t) sysnet_dns_name_resolve(icecast_t) optional_policy(` @@ -18640,31 +17257,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec +optional_policy(` rtkit_scheduled(icecast_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.8.8/policy/modules/services/inetd.if ---- nsaserefpolicy/policy/modules/services/inetd.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/inetd.if 2010-07-30 14:06:53.000000000 -0400 -@@ -178,7 +178,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -192,7 +192,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.8.8/policy/modules/services/inn.te ---- nsaserefpolicy/policy/modules/services/inn.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/inn.te 2010-07-30 14:06:53.000000000 -0400 -@@ -56,7 +56,7 @@ +diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te +index 9fab1dc..05119f7 100644 +--- a/policy/modules/services/inn.te ++++ b/policy/modules/services/inn.te +@@ -56,7 +56,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file) manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) @@ -18673,7 +17270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) manage_files_pattern(innd_t, news_spool_t, news_spool_t) -@@ -105,6 +105,7 @@ +@@ -105,6 +105,7 @@ sysnet_read_config(innd_t) userdom_dontaudit_use_unpriv_user_fds(innd_t) userdom_dontaudit_search_user_home_dirs(innd_t) @@ -18681,10 +17278,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. mta_send_mail(innd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.8.8/policy/modules/services/kerberos.fc ---- nsaserefpolicy/policy/modules/services/kerberos.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/kerberos.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -8,7 +8,7 @@ +diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc +index 3525d24..e5db539 100644 +--- a/policy/modules/services/kerberos.fc ++++ b/policy/modules/services/kerberos.fc +@@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) /etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) /etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) @@ -18693,10 +17291,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.8.8/policy/modules/services/kerberos.te ---- nsaserefpolicy/policy/modules/services/kerberos.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/kerberos.te 2010-07-30 14:06:53.000000000 -0400 -@@ -126,10 +126,13 @@ +diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te +index 8edc29b..6deff48 100644 +--- a/policy/modules/services/kerberos.te ++++ b/policy/modules/services/kerberos.te +@@ -126,10 +126,13 @@ corenet_udp_sendrecv_all_ports(kadmind_t) corenet_tcp_bind_generic_node(kadmind_t) corenet_udp_bind_generic_node(kadmind_t) corenet_tcp_bind_kerberos_admin_port(kadmind_t) @@ -18710,7 +17309,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb dev_read_sysfs(kadmind_t) dev_read_rand(kadmind_t) -@@ -198,8 +201,7 @@ +@@ -149,6 +152,7 @@ selinux_validate_context(kadmind_t) + + logging_send_syslog_msg(kadmind_t) + ++miscfiles_read_certs(kadmind_t) + miscfiles_read_localization(kadmind_t) + + seutil_read_file_contexts(kadmind_t) +@@ -198,8 +202,7 @@ allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr }; allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) @@ -18720,19 +17327,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.8.8/policy/modules/services/ksmtuned.fc ---- nsaserefpolicy/policy/modules/services/ksmtuned.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.fc 2010-07-30 14:06:53.000000000 -0400 +@@ -249,6 +252,7 @@ selinux_validate_context(krb5kdc_t) + + logging_send_syslog_msg(krb5kdc_t) + ++miscfiles_read_certs(krb5kdc_t) + miscfiles_read_localization(krb5kdc_t) + + seutil_read_file_contexts(krb5kdc_t) +diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc +index 9c0c835..8360166 100644 +--- a/policy/modules/services/ksmtuned.fc ++++ b/policy/modules/services/ksmtuned.fc @@ -3,3 +3,5 @@ /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) /var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) + +/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.8.8/policy/modules/services/ksmtuned.if ---- nsaserefpolicy/policy/modules/services/ksmtuned.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.if 2010-07-30 14:06:53.000000000 -0400 -@@ -60,7 +60,7 @@ +diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if +index 6fd0b4c..d17f349 100644 +--- a/policy/modules/services/ksmtuned.if ++++ b/policy/modules/services/ksmtuned.if +@@ -60,7 +60,7 @@ interface(`ksmtuned_admin',` ') allow $1 ksmtuned_t:process { ptrace signal_perms }; @@ -18741,10 +17358,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt files_list_pids($1) admin_pattern($1, ksmtuned_var_run_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.8.8/policy/modules/services/ksmtuned.te ---- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ksmtuned.te 2010-07-30 14:06:53.000000000 -0400 -@@ -9,6 +9,9 @@ +diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te +index a73b7a1..ffe035c 100644 +--- a/policy/modules/services/ksmtuned.te ++++ b/policy/modules/services/ksmtuned.te +@@ -9,6 +9,9 @@ type ksmtuned_t; type ksmtuned_exec_t; init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) @@ -18754,7 +17372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt type ksmtuned_initrc_exec_t; init_script_file(ksmtuned_initrc_exec_t) -@@ -23,6 +26,10 @@ +@@ -23,6 +26,10 @@ files_pid_file(ksmtuned_var_run_t) allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; allow ksmtuned_t self:fifo_file rw_file_perms; @@ -18765,7 +17383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) -@@ -31,9 +38,15 @@ +@@ -31,9 +38,15 @@ kernel_read_system_state(ksmtuned_t) dev_rw_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) @@ -18781,9 +17399,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt + miscfiles_read_localization(ksmtuned_t) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.8.8/policy/modules/services/ldap.fc ---- nsaserefpolicy/policy/modules/services/ldap.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ldap.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc +index c62f23e..335fda1 100644 +--- a/policy/modules/services/ldap.fc ++++ b/policy/modules/services/ldap.fc @@ -1,6 +1,8 @@ /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) @@ -18794,14 +17413,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) -@@ -15,3 +17,4 @@ +@@ -15,3 +17,4 @@ ifdef(`distro_debian',` /var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) -+#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.8.8/policy/modules/services/ldap.if ---- nsaserefpolicy/policy/modules/services/ldap.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ldap.if 2010-07-30 14:06:53.000000000 -0400 ++/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) +diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if +index 3aa8fa7..e5684f4 100644 +--- a/policy/modules/services/ldap.if ++++ b/policy/modules/services/ldap.if @@ -1,5 +1,43 @@ ## OpenLDAP directory server @@ -18846,7 +17466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ######################################## ## ## Read the contents of the OpenLDAP -@@ -21,6 +59,25 @@ +@@ -21,6 +59,25 @@ interface(`ldap_list_db',` ######################################## ## @@ -18872,7 +17492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ## Read the OpenLDAP configuration files. ## ## -@@ -71,6 +128,30 @@ +@@ -71,6 +128,30 @@ interface(`ldap_stream_connect',` files_search_pids($1) allow $1 slapd_var_run_t:sock_file write; allow $1 slapd_t:unix_stream_socket connectto; @@ -18903,10 +17523,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.8.8/policy/modules/services/ldap.te ---- nsaserefpolicy/policy/modules/services/ldap.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ldap.te 2010-08-12 15:47:23.000000000 -0400 -@@ -10,7 +10,7 @@ +diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te +index ffa96c6..a715c65 100644 +--- a/policy/modules/services/ldap.te ++++ b/policy/modules/services/ldap.te +@@ -10,7 +10,7 @@ type slapd_exec_t; init_daemon_domain(slapd_t, slapd_exec_t) type slapd_cert_t; @@ -18915,7 +17536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap type slapd_db_t; files_type(slapd_db_t) -@@ -27,9 +27,15 @@ +@@ -27,9 +27,15 @@ files_lock_file(slapd_lock_t) type slapd_replog_t; files_type(slapd_replog_t) @@ -18931,7 +17552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap type slapd_var_run_t; files_pid_file(slapd_var_run_t) -@@ -67,13 +73,21 @@ +@@ -67,13 +73,21 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) @@ -18954,22 +17575,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.8.8/policy/modules/services/lircd.if ---- nsaserefpolicy/policy/modules/services/lircd.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/lircd.if 2010-07-30 14:06:53.000000000 -0400 -@@ -45,7 +45,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.8.8/policy/modules/services/lircd.te ---- nsaserefpolicy/policy/modules/services/lircd.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/lircd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -24,6 +24,7 @@ +diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te +index 6a78de1..02f6985 100644 +--- a/policy/modules/services/lircd.te ++++ b/policy/modules/services/lircd.te +@@ -24,6 +24,7 @@ files_pid_file(lircd_var_run_t) # allow lircd_t self:capability { chown kill sys_admin }; @@ -18977,7 +17587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc allow lircd_t self:fifo_file rw_fifo_file_perms; allow lircd_t self:unix_dgram_socket create_socket_perms; allow lircd_t self:tcp_socket create_stream_socket_perms; -@@ -34,7 +35,7 @@ +@@ -34,7 +35,7 @@ read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) @@ -18986,7 +17596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc # /dev/lircd socket dev_filetrans(lircd_t, lircd_var_run_t, sock_file) -@@ -44,7 +45,7 @@ +@@ -44,7 +45,7 @@ corenet_tcp_bind_lirc_port(lircd_t) corenet_tcp_sendrecv_all_ports(lircd_t) corenet_tcp_connect_lirc_port(lircd_t) @@ -18995,10 +17605,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc dev_read_mouse(lircd_t) dev_filetrans_lirc(lircd_t) dev_rw_lirc(lircd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.te serefpolicy-3.8.8/policy/modules/services/lpd.te ---- nsaserefpolicy/policy/modules/services/lpd.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/lpd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -145,9 +145,10 @@ +diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te +index 93c14ca..4d31118 100644 +--- a/policy/modules/services/lpd.te ++++ b/policy/modules/services/lpd.te +@@ -145,9 +145,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) @@ -19010,7 +17621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd. # Write to /var/spool/lpd. manage_files_pattern(lpd_t, print_spool_t, print_spool_t) -@@ -308,12 +309,14 @@ +@@ -308,12 +309,14 @@ tunable_policy(`use_lpd_server',` ') tunable_policy(`use_nfs_home_dirs',` @@ -19025,10 +17636,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd. fs_list_auto_mountpoints(lpr_t) fs_read_cifs_files(lpr_t) fs_read_cifs_symlinks(lpr_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.8.8/policy/modules/services/mailman.if ---- nsaserefpolicy/policy/modules/services/mailman.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/mailman.if 2010-08-18 09:30:10.000000000 -0400 -@@ -74,7 +74,7 @@ +diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if +index 67c7fdd..19bcae2 100644 +--- a/policy/modules/services/mailman.if ++++ b/policy/modules/services/mailman.if +@@ -74,7 +74,7 @@ template(`mailman_domain_template', ` corecmd_exec_all_executables(mailman_$1_t) files_exec_etc_files(mailman_$1_t) @@ -19037,10 +17649,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail files_list_var(mailman_$1_t) files_list_var_lib(mailman_$1_t) files_read_var_lib_symlinks(mailman_$1_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.8.8/policy/modules/services/memcached.if ---- nsaserefpolicy/policy/modules/services/memcached.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/memcached.if 2010-07-30 14:06:53.000000000 -0400 -@@ -59,6 +59,7 @@ +diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if +index db4fd6f..c28a876 100644 +--- a/policy/modules/services/memcached.if ++++ b/policy/modules/services/memcached.if +@@ -59,6 +59,7 @@ interface(`memcached_admin',` gen_require(` type memcached_t; type memcached_initrc_exec_t; @@ -19048,10 +17661,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc ') allow $1 memcached_t:process { ptrace signal_perms }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.8.8/policy/modules/services/milter.if ---- nsaserefpolicy/policy/modules/services/milter.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/milter.if 2010-07-30 14:06:53.000000000 -0400 -@@ -37,6 +37,8 @@ +diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if +index ed1af3c..96cba91 100644 +--- a/policy/modules/services/milter.if ++++ b/policy/modules/services/milter.if +@@ -37,6 +37,8 @@ template(`milter_template',` files_read_etc_files($1_milter_t) @@ -19060,7 +17674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt miscfiles_read_localization($1_milter_t) logging_send_syslog_msg($1_milter_t) -@@ -82,6 +84,24 @@ +@@ -82,6 +84,24 @@ interface(`milter_getattr_all_sockets',` ######################################## ## @@ -19085,9 +17699,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt ## Manage spamassassin milter state ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.fc serefpolicy-3.8.8/policy/modules/services/mock.fc ---- nsaserefpolicy/policy/modules/services/mock.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/mock.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc +new file mode 100644 +index 0000000..42bb2a3 +--- /dev/null ++++ b/policy/modules/services/mock.fc @@ -0,0 +1,6 @@ + +/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0) @@ -19095,9 +17711,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock +/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0) + +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.if serefpolicy-3.8.8/policy/modules/services/mock.if ---- nsaserefpolicy/policy/modules/services/mock.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/mock.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if +new file mode 100644 +index 0000000..5a1698c +--- /dev/null ++++ b/policy/modules/services/mock.if @@ -0,0 +1,238 @@ + +## policy for mock @@ -19337,9 +17955,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock + admin_pattern($1, mock_var_lib_t) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.8.8/policy/modules/services/mock.te ---- nsaserefpolicy/policy/modules/services/mock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/mock.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te +new file mode 100644 +index 0000000..6f8fda5 +--- /dev/null ++++ b/policy/modules/services/mock.te @@ -0,0 +1,98 @@ +policy_module(mock,1.0.0) + @@ -19439,10 +18059,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock +optional_policy(` + apache_read_sys_content_rw_files(mock_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.8.8/policy/modules/services/modemmanager.te ---- nsaserefpolicy/policy/modules/services/modemmanager.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/modemmanager.te 2010-07-30 14:06:53.000000000 -0400 -@@ -16,7 +16,8 @@ +diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te +index b3ace16..3dd940c 100644 +--- a/policy/modules/services/modemmanager.te ++++ b/policy/modules/services/modemmanager.te +@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t; # ModemManager local policy # @@ -19452,7 +18073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -28,6 +29,7 @@ +@@ -28,6 +29,7 @@ dev_rw_modem(modemmanager_t) files_read_etc_files(modemmanager_t) @@ -19460,7 +18081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode term_use_unallocated_ttys(modemmanager_t) miscfiles_read_localization(modemmanager_t) -@@ -37,5 +39,9 @@ +@@ -37,5 +39,9 @@ logging_send_syslog_msg(modemmanager_t) networkmanager_dbus_chat(modemmanager_t) optional_policy(` @@ -19470,114 +18091,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode +optional_policy(` udev_read_db(modemmanager_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.fc serefpolicy-3.8.8/policy/modules/services/mojomojo.fc ---- nsaserefpolicy/policy/modules/services/mojomojo.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/mojomojo.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1,5 @@ -+/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0) -+ -+/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0) -+ -+/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.if serefpolicy-3.8.8/policy/modules/services/mojomojo.if ---- nsaserefpolicy/policy/modules/services/mojomojo.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/mojomojo.if 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1,43 @@ -+## Mojomojo server -+ -+######################################## -+## -+## All of the rules required to administrate -+## an mojomojo environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the mojomojo domain. -+## -+## -+## -+# -+interface(`mojomojo_admin',` -+ gen_require(` -+ type httpd_mojomojo_script_t; -+ type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; +diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if +index 657a9fc..cf7968d 100644 +--- a/policy/modules/services/mojomojo.if ++++ b/policy/modules/services/mojomojo.if +@@ -21,13 +21,16 @@ interface(`mojomojo_admin',` + gen_require(` + type httpd_mojomojo_script_t; + type httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; +- type httpd_mojomojo_rw_content_t; + type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t; -+ type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t; -+ ') -+ -+ allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, httpd_mojomojo_script_t) -+ + type httpd_mojomojo_script_exec_t, httpd_mojomojo_htaccess_t; + ') + + allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; + ps_process_pattern($1, httpd_mojomojo_script_t) + + files_list_tmp($1) + admin_pattern($1, httpd_mojomojo_tmp_t) + -+ files_search_var_lib(httpd_mojomojo_script_t) -+ -+ apache_search_sys_content($1) -+ admin_pattern($1, httpd_mojomojo_script_exec_t) -+ admin_pattern($1, httpd_mojomojo_script_t) -+ admin_pattern($1, httpd_mojomojo_content_t) -+ admin_pattern($1, httpd_mojomojo_htaccess_t) -+ admin_pattern($1, httpd_mojomojo_rw_content_t) -+ admin_pattern($1, httpd_mojomojo_ra_content_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mojomojo.te serefpolicy-3.8.8/policy/modules/services/mojomojo.te ---- nsaserefpolicy/policy/modules/services/mojomojo.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/mojomojo.te 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1,45 @@ -+policy_module(mojomojo, 1.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+apache_content_template(mojomojo) -+ + files_search_var_lib(httpd_mojomojo_script_t) + + apache_search_sys_content($1) +diff --git a/policy/modules/services/mojomojo.te b/policy/modules/services/mojomojo.te +index 83f002c..ed69996 100644 +--- a/policy/modules/services/mojomojo.te ++++ b/policy/modules/services/mojomojo.te +@@ -7,6 +7,9 @@ policy_module(mojomojo, 1.0.0) + + apache_content_template(mojomojo) + +type httpd_mojomojo_tmp_t; +files_tmp_file(httpd_mojomojo_tmp_t) + -+######################################## -+# -+# mojomojo local policy -+# -+ -+allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; -+ + ######################################## + # + # mojomojo local policy +@@ -14,6 +17,10 @@ apache_content_template(mojomojo) + + allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; + +manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) +manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) +files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir }) + -+corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) -+corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t) -+ -+corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) -+corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t) -+ -+corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) -+corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) -+ -+files_search_var_lib(httpd_mojomojo_script_t) -+ -+mta_send_mail(httpd_mojomojo_script_t) -+ -+sysnet_dns_name_resolve(httpd_mojomojo_script_t) -+ -+optional_policy(` -+ mysql_stream_connect(httpd_mojomojo_script_t) -+') -+ -+optional_policy(` -+ postgresql_stream_connect(httpd_mojomojo_script_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.fc serefpolicy-3.8.8/policy/modules/services/mpd.fc ---- nsaserefpolicy/policy/modules/services/mpd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/mpd.fc 2010-07-30 14:06:53.000000000 -0400 + corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) + corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) + corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) +diff --git a/policy/modules/services/mpd.fc b/policy/modules/services/mpd.fc +new file mode 100644 +index 0000000..564b22d +--- /dev/null ++++ b/policy/modules/services/mpd.fc @@ -0,0 +1,10 @@ + +/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) @@ -19589,9 +18154,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) +/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) +/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.8.8/policy/modules/services/mpd.if ---- nsaserefpolicy/policy/modules/services/mpd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/mpd.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if +new file mode 100644 +index 0000000..07dac12 +--- /dev/null ++++ b/policy/modules/services/mpd.if @@ -0,0 +1,274 @@ + +## policy for daemon for playing music @@ -19867,9 +18434,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. + admin_pattern($1, mpd_log_t) + +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.8.8/policy/modules/services/mpd.te ---- nsaserefpolicy/policy/modules/services/mpd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/mpd.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te +new file mode 100644 +index 0000000..71464f6 +--- /dev/null ++++ b/policy/modules/services/mpd.te @@ -0,0 +1,111 @@ +policy_module(mpd,1.0.0) + @@ -19982,9 +18551,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +optional_policy(` + udev_read_db(mpd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.8.8/policy/modules/services/mta.fc ---- nsaserefpolicy/policy/modules/services/mta.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/mta.fc 2010-08-18 09:25:56.000000000 -0400 +diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc +index 256166a..c526ce8 100644 +--- a/policy/modules/services/mta.fc ++++ b/policy/modules/services/mta.fc @@ -1,4 +1,5 @@ -HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) +HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) @@ -19992,7 +18562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -@@ -11,6 +12,9 @@ +@@ -11,6 +12,9 @@ ifdef(`distro_redhat',` /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) ') @@ -20002,10 +18572,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.8/policy/modules/services/mta.if ---- nsaserefpolicy/policy/modules/services/mta.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/mta.if 2010-08-18 06:49:03.000000000 -0400 -@@ -220,6 +220,25 @@ +diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if +index 343cee3..01af7c3 100644 +--- a/policy/modules/services/mta.if ++++ b/policy/modules/services/mta.if +@@ -220,6 +220,25 @@ interface(`mta_agent_executable',` application_executable_file($1) ') @@ -20031,7 +18602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ######################################## ## ## Make the specified type by a system MTA. -@@ -330,12 +349,6 @@ +@@ -330,12 +349,6 @@ interface(`mta_mailserver_user_agent',` ') typeattribute $1 mta_user_agent; @@ -20044,7 +18615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -362,6 +375,10 @@ +@@ -362,6 +375,10 @@ interface(`mta_send_mail',` allow mta_user_agent $1:fd use; allow mta_user_agent $1:process sigchld; allow mta_user_agent $1:fifo_file rw_fifo_file_perms; @@ -20055,7 +18626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -391,12 +408,15 @@ +@@ -391,12 +408,15 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -20073,7 +18644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -474,7 +494,8 @@ +@@ -474,7 +494,8 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -20083,7 +18654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -698,7 +719,7 @@ +@@ -698,7 +719,7 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -20092,7 +18663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -899,3 +920,43 @@ +@@ -899,3 +920,43 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -20136,10 +18707,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + userdom_search_admin_dir($1) + read_files_pattern($1, mail_home_t, mail_home_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te ---- nsaserefpolicy/policy/modules/services/mta.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-08-23 10:08:13.000000000 -0400 -@@ -20,8 +20,8 @@ +diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te +index 64268e4..f99b9fc 100644 +--- a/policy/modules/services/mta.te ++++ b/policy/modules/services/mta.te +@@ -20,8 +20,8 @@ files_type(etc_aliases_t) type etc_mail_t; files_config_file(etc_mail_t) @@ -20150,7 +18722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. type mqueue_spool_t; files_mountpoint(mqueue_spool_t) -@@ -50,22 +50,9 @@ +@@ -50,22 +50,9 @@ ubac_constrained(user_mail_tmp_t) # newalias required this, not sure if it is needed in 'if' file allow system_mail_t self:capability { dac_override fowner }; @@ -20173,7 +18745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -@@ -82,6 +69,9 @@ +@@ -82,6 +69,9 @@ init_use_script_ptys(system_mail_t) userdom_use_user_terminals(system_mail_t) userdom_dontaudit_search_user_home_dirs(system_mail_t) @@ -20183,7 +18755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,6 +82,12 @@ +@@ -92,6 +82,12 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -20196,7 +18768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -103,6 +99,11 @@ +@@ -103,6 +99,11 @@ optional_policy(` ') optional_policy(` @@ -20208,7 +18780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -111,6 +112,8 @@ +@@ -111,6 +112,8 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) cron_rw_system_job_stream_sockets(system_mail_t) @@ -20217,7 +18789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -124,12 +127,8 @@ +@@ -124,12 +127,8 @@ optional_policy(` ') optional_policy(` @@ -20231,7 +18803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -146,6 +145,10 @@ +@@ -146,6 +145,10 @@ optional_policy(` ') optional_policy(` @@ -20242,7 +18814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. nagios_read_tmp_files(system_mail_t) ') -@@ -158,18 +161,6 @@ +@@ -158,18 +161,6 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -20261,7 +18833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -189,6 +180,10 @@ +@@ -189,6 +180,10 @@ optional_policy(` ') optional_policy(` @@ -20272,7 +18844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') -@@ -220,7 +215,8 @@ +@@ -220,7 +215,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -20282,7 +18854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -249,11 +245,16 @@ +@@ -249,11 +245,16 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -20299,7 +18871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. domain_use_interactive_fds(user_mail_t) userdom_use_user_terminals(user_mail_t) -@@ -292,3 +293,44 @@ +@@ -292,3 +293,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -20344,9 +18916,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + exim_domtrans(user_mail_domain) + exim_manage_log(user_mail_domain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.8.8/policy/modules/services/munin.fc ---- nsaserefpolicy/policy/modules/services/munin.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/munin.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc +index fd71d69..bad9920 100644 +--- a/policy/modules/services/munin.fc ++++ b/policy/modules/services/munin.fc @@ -63,6 +63,7 @@ /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) @@ -20355,9 +18928,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.8.8/policy/modules/services/munin.if ---- nsaserefpolicy/policy/modules/services/munin.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/munin.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if +index c358d8f..5046738 100644 +--- a/policy/modules/services/munin.if ++++ b/policy/modules/services/munin.if @@ -13,10 +13,11 @@ # template(`munin_plugin_template',` @@ -20372,7 +18946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni type $1_munin_plugin_exec_t; typealias $1_munin_plugin_t alias munin_$1_plugin_t; typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t; -@@ -36,17 +37,8 @@ +@@ -36,17 +37,8 @@ template(`munin_plugin_template',` # automatic transition rules from munin domain # to specific munin plugin domain domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) @@ -20391,7 +18965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') ######################################## -@@ -92,6 +84,24 @@ +@@ -92,6 +84,24 @@ interface(`munin_read_config',` files_search_etc($1) ') @@ -20416,10 +18990,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ####################################### ## ## Append to the munin log. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.8.8/policy/modules/services/munin.te ---- nsaserefpolicy/policy/modules/services/munin.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/munin.te 2010-08-05 16:45:38.000000000 -0400 -@@ -5,6 +5,8 @@ +diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te +index f17583b..13d365d 100644 +--- a/policy/modules/services/munin.te ++++ b/policy/modules/services/munin.te +@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) # Declarations # @@ -20428,7 +19003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni type munin_t alias lrrd_t; type munin_exec_t alias lrrd_exec_t; init_daemon_domain(munin_t, munin_exec_t) -@@ -24,6 +26,9 @@ +@@ -24,6 +26,9 @@ files_tmp_file(munin_tmp_t) type munin_var_lib_t alias lrrd_var_lib_t; files_type(munin_var_lib_t) @@ -20438,7 +19013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) -@@ -40,7 +45,7 @@ +@@ -40,7 +45,7 @@ munin_plugin_template(system) # Local policy # @@ -20447,7 +19022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni dontaudit munin_t self:capability sys_tty_config; allow munin_t self:process { getsched setsched signal_perms }; allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -71,9 +76,12 @@ +@@ -71,9 +76,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) files_search_var_lib(munin_t) @@ -20461,7 +19036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni kernel_read_system_state(munin_t) kernel_read_network_state(munin_t) -@@ -116,6 +124,7 @@ +@@ -116,6 +124,7 @@ logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) miscfiles_read_localization(munin_t) @@ -20469,7 +19044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni sysnet_exec_ifconfig(munin_t) -@@ -145,6 +154,7 @@ +@@ -145,6 +154,7 @@ optional_policy(` optional_policy(` mta_read_config(munin_t) mta_send_mail(munin_t) @@ -20477,7 +19052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni mta_read_queue(munin_t) ') -@@ -159,6 +169,7 @@ +@@ -159,6 +169,7 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) @@ -20485,7 +19060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -182,6 +193,7 @@ +@@ -182,6 +193,7 @@ optional_policy(` # local policy for disk plugins # @@ -20493,7 +19068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) -@@ -190,15 +202,13 @@ +@@ -190,15 +202,13 @@ corecmd_exec_shell(disk_munin_plugin_t) corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) @@ -20511,7 +19086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni sysnet_read_config(disk_munin_plugin_t) -@@ -221,19 +231,17 @@ +@@ -221,19 +231,17 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) dev_read_urand(mail_munin_plugin_t) @@ -20533,7 +19108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -255,10 +263,6 @@ +@@ -255,10 +263,6 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -20544,7 +19119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni sysnet_read_config(services_munin_plugin_t) optional_policy(` -@@ -286,6 +290,10 @@ +@@ -286,6 +290,10 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') @@ -20555,7 +19130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ################################## # # local policy for system plugins -@@ -298,10 +306,6 @@ +@@ -298,10 +306,6 @@ rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) @@ -20566,7 +19141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +317,29 @@ +@@ -313,3 +317,29 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -20596,10 +19171,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +fs_getattr_all_fs(munin_plugin_domain) + +miscfiles_read_localization(munin_plugin_domain) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.8.8/policy/modules/services/mysql.te ---- nsaserefpolicy/policy/modules/services/mysql.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/mysql.te 2010-07-30 14:06:53.000000000 -0400 -@@ -64,6 +64,7 @@ +diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te +index 0a0d63c..b370d53 100644 +--- a/policy/modules/services/mysql.te ++++ b/policy/modules/services/mysql.te +@@ -64,6 +64,7 @@ allow mysqld_t self:udp_socket create_socket_perms; manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) @@ -20607,7 +19183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) -@@ -78,9 +79,10 @@ +@@ -78,9 +79,10 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) @@ -20619,7 +19195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq kernel_read_system_state(mysqld_t) kernel_read_kernel_sysctls(mysqld_t) -@@ -156,6 +158,7 @@ +@@ -156,6 +158,7 @@ optional_policy(` allow mysqld_safe_t self:capability { chown dac_override fowner kill }; dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; @@ -20627,7 +19203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -@@ -175,6 +178,7 @@ +@@ -175,6 +178,7 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -20635,10 +19211,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq files_read_etc_files(mysqld_safe_t) files_read_usr_files(mysqld_safe_t) files_dontaudit_getattr_all_dirs(mysqld_safe_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.8.8/policy/modules/services/nagios.if ---- nsaserefpolicy/policy/modules/services/nagios.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nagios.if 2010-07-30 14:06:53.000000000 -0400 -@@ -159,6 +159,26 @@ +diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if +index 8581040..e3c8272 100644 +--- a/policy/modules/services/nagios.if ++++ b/policy/modules/services/nagios.if +@@ -159,6 +159,26 @@ interface(`nagios_read_tmp_files',` ######################################## ## @@ -20665,10 +19242,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ## Execute the nagios NRPE with ## a domain transition. ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.8.8/policy/modules/services/nagios.te ---- nsaserefpolicy/policy/modules/services/nagios.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nagios.te 2010-07-30 14:06:53.000000000 -0400 -@@ -107,13 +107,11 @@ +diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te +index da5b33d..0c4ac5b 100644 +--- a/policy/modules/services/nagios.te ++++ b/policy/modules/services/nagios.te +@@ -107,13 +107,11 @@ files_read_etc_files(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) files_search_spool(nagios_t) @@ -20683,7 +19261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) -@@ -126,8 +124,6 @@ +@@ -126,8 +124,6 @@ userdom_dontaudit_search_user_home_dirs(nagios_t) mta_send_mail(nagios_t) optional_policy(` @@ -20692,7 +19270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi netutils_kill_ping(nagios_t) ') -@@ -340,6 +336,8 @@ +@@ -340,6 +336,8 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) @@ -20701,9 +19279,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.8.8/policy/modules/services/networkmanager.fc ---- nsaserefpolicy/policy/modules/services/networkmanager.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/networkmanager.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc +index 386543b..d15cc4b 100644 +--- a/policy/modules/services/networkmanager.fc ++++ b/policy/modules/services/networkmanager.fc @@ -2,6 +2,10 @@ /etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -20715,10 +19294,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw /usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) /sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.8.8/policy/modules/services/networkmanager.if ---- nsaserefpolicy/policy/modules/services/networkmanager.if 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/networkmanager.if 2010-07-30 14:06:53.000000000 -0400 -@@ -137,6 +137,27 @@ +diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if +index 2324d9e..1a1bfe4 100644 +--- a/policy/modules/services/networkmanager.if ++++ b/policy/modules/services/networkmanager.if +@@ -137,6 +137,27 @@ interface(`networkmanager_dbus_chat',` ######################################## ## @@ -20746,7 +19326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ## Send a generic signal to NetworkManager ## ## -@@ -191,3 +212,50 @@ +@@ -191,3 +212,50 @@ interface(`networkmanager_read_pid_files',` files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') @@ -20797,10 +19377,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + allow $1 NetworkManager_log_t:dir list_dir_perms; + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.8.8/policy/modules/services/networkmanager.te ---- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/networkmanager.te 2010-07-30 14:06:53.000000000 -0400 -@@ -35,7 +35,7 @@ +diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te +index 442cff9..9677236 100644 +--- a/policy/modules/services/networkmanager.te ++++ b/policy/modules/services/networkmanager.te +@@ -35,7 +35,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) @@ -20809,7 +19390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; -@@ -44,7 +44,7 @@ +@@ -44,7 +44,7 @@ allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; allow NetworkManager_t self:tcp_socket create_stream_socket_perms; @@ -20818,7 +19399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; -@@ -55,6 +55,7 @@ +@@ -55,6 +55,7 @@ can_exec(NetworkManager_t, NetworkManager_exec_t) manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -20826,7 +19407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -141,22 +142,32 @@ +@@ -141,22 +142,32 @@ sysnet_domtrans_ifconfig(NetworkManager_t) sysnet_domtrans_dhcpc(NetworkManager_t) sysnet_signal_dhcpc(NetworkManager_t) sysnet_read_dhcpc_pid(NetworkManager_t) @@ -20859,7 +19440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -172,7 +183,7 @@ +@@ -172,7 +183,7 @@ optional_policy(` ') optional_policy(` @@ -20868,7 +19449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -202,6 +213,13 @@ +@@ -202,6 +213,13 @@ optional_policy(` ') optional_policy(` @@ -20882,7 +19463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw iptables_domtrans(NetworkManager_t) ') -@@ -263,6 +281,7 @@ +@@ -263,6 +281,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -20890,9 +19471,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.8.8/policy/modules/services/nis.fc ---- nsaserefpolicy/policy/modules/services/nis.fc 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nis.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc +index 15448d5..0c97dab 100644 +--- a/policy/modules/services/nis.fc ++++ b/policy/modules/services/nis.fc @@ -1,5 +1,5 @@ /etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) -/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) @@ -20908,19 +19490,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.8.8/policy/modules/services/nis.if ---- nsaserefpolicy/policy/modules/services/nis.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nis.if 2010-08-05 14:51:55.000000000 -0400 -@@ -19,7 +19,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -49,12 +49,12 @@ +diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if +index abe3f7f..c42c268 100644 +--- a/policy/modules/services/nis.if ++++ b/policy/modules/services/nis.if +@@ -49,12 +49,12 @@ interface(`nis_use_ypbind_uncond',` corenet_udp_bind_generic_node($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) @@ -20936,19 +19510,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_tcp_connect_generic_port($1) corenet_dontaudit_tcp_connect_all_ports($1) corenet_sendrecv_portmap_client_packets($1) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.8.8/policy/modules/services/nscd.if ---- nsaserefpolicy/policy/modules/services/nscd.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nscd.if 2010-07-30 14:06:53.000000000 -0400 -@@ -60,7 +60,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -121,6 +121,24 @@ +diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if +index 85188dc..ded2734 100644 +--- a/policy/modules/services/nscd.if ++++ b/policy/modules/services/nscd.if +@@ -121,6 +121,24 @@ interface(`nscd_socket_use',` ######################################## ## @@ -20973,7 +19539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd ## Use NSCD services by mapping the database from ## an inherited NSCD file descriptor. ## -@@ -168,7 +186,7 @@ +@@ -168,7 +186,7 @@ interface(`nscd_dontaudit_search_pid',` type nscd_var_run_t; ') @@ -20982,9 +19548,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.8.8/policy/modules/services/nscd.te ---- nsaserefpolicy/policy/modules/services/nscd.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nscd.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te +index 7936e09..6a174f5 100644 +--- a/policy/modules/services/nscd.te ++++ b/policy/modules/services/nscd.te @@ -1,9 +1,16 @@ -policy_module(nscd, 1.10.0) +policy_module(nscd, 1.10.1) @@ -21003,7 +19570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd ######################################## # # Declarations -@@ -30,7 +37,7 @@ +@@ -30,7 +37,7 @@ logging_log_file(nscd_log_t) # Local policy # @@ -21012,7 +19579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd dontaudit nscd_t self:capability sys_tty_config; allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; allow nscd_t self:fifo_file read_fifo_file_perms; -@@ -47,9 +54,10 @@ +@@ -47,9 +54,10 @@ allow nscd_t self:nscd { admin getstat }; allow nscd_t nscd_log_t:file manage_file_perms; logging_log_filetrans(nscd_t, nscd_log_t, file) @@ -21024,7 +19591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd corecmd_search_bin(nscd_t) can_exec(nscd_t, nscd_exec_t) -@@ -90,6 +98,7 @@ +@@ -90,6 +98,7 @@ selinux_compute_create_context(nscd_t) selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) domain_use_interactive_fds(nscd_t) @@ -21032,7 +19599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd files_read_etc_files(nscd_t) files_read_generic_tmp_symlinks(nscd_t) -@@ -112,6 +121,10 @@ +@@ -112,6 +121,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` @@ -21043,7 +19610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd cron_read_system_job_tmp_files(nscd_t) ') -@@ -127,3 +140,16 @@ +@@ -127,3 +140,16 @@ optional_policy(` xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') @@ -21060,22 +19627,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd +optional_policy(` + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.8.8/policy/modules/services/nslcd.if ---- nsaserefpolicy/policy/modules/services/nslcd.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nslcd.if 2010-07-30 14:06:53.000000000 -0400 -@@ -24,7 +24,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.8.8/policy/modules/services/nslcd.te ---- nsaserefpolicy/policy/modules/services/nslcd.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nslcd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -34,6 +34,8 @@ +diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te +index 21360e8..b314c0d 100644 +--- a/policy/modules/services/nslcd.te ++++ b/policy/modules/services/nslcd.te +@@ -34,6 +34,8 @@ manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) @@ -21084,49 +19640,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslc files_read_etc_files(nslcd_t) auth_use_nsswitch(nslcd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.8.8/policy/modules/services/ntp.if ---- nsaserefpolicy/policy/modules/services/ntp.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ntp.if 2010-07-30 14:06:53.000000000 -0400 -@@ -22,7 +22,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -67,7 +67,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -86,7 +86,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -104,7 +104,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.8.8/policy/modules/services/ntp.te ---- nsaserefpolicy/policy/modules/services/ntp.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ntp.te 2010-07-30 14:06:53.000000000 -0400 -@@ -96,9 +96,12 @@ +diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te +index c61adc8..b5b5992 100644 +--- a/policy/modules/services/ntp.te ++++ b/policy/modules/services/ntp.te +@@ -96,9 +96,12 @@ corenet_sendrecv_ntp_client_packets(ntpd_t) dev_read_sysfs(ntpd_t) # for SSP dev_read_urand(ntpd_t) @@ -21139,10 +19657,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. term_use_ptmx(ntpd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.8.8/policy/modules/services/nut.te ---- nsaserefpolicy/policy/modules/services/nut.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nut.te 2010-08-25 09:16:11.000000000 -0400 -@@ -41,7 +41,7 @@ +diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te +index 181bd88..35b9bfa 100644 +--- a/policy/modules/services/nut.te ++++ b/policy/modules/services/nut.te +@@ -41,7 +41,7 @@ read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) @@ -21151,7 +19670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. kernel_read_kernel_sysctls(nut_upsd_t) -@@ -65,6 +65,7 @@ +@@ -65,6 +65,7 @@ miscfiles_read_localization(nut_upsd_t) allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid }; allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -21159,7 +19678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. allow nut_upsmon_t self:tcp_socket create_socket_perms; read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) -@@ -103,6 +104,10 @@ +@@ -103,6 +104,10 @@ miscfiles_read_localization(nut_upsmon_t) mta_send_mail(nut_upsmon_t) @@ -21170,10 +19689,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. ######################################## # # Local policy for upsdrvctl -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.8.8/policy/modules/services/nx.if ---- nsaserefpolicy/policy/modules/services/nx.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nx.if 2010-07-30 14:06:53.000000000 -0400 -@@ -35,6 +35,7 @@ +diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if +index 79a225c..b1384ad 100644 +--- a/policy/modules/services/nx.if ++++ b/policy/modules/services/nx.if +@@ -35,6 +35,7 @@ interface(`nx_read_home_files',` allow $1 nx_server_var_lib_t:dir search_dir_perms; read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) @@ -21181,10 +19701,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.8.8/policy/modules/services/nx.te ---- nsaserefpolicy/policy/modules/services/nx.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/nx.te 2010-07-30 14:06:53.000000000 -0400 -@@ -27,6 +27,9 @@ +diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te +index ebb9582..c1825de 100644 +--- a/policy/modules/services/nx.te ++++ b/policy/modules/services/nx.te +@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t) type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) @@ -21194,7 +19715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t ######################################## # # NX server local policy -@@ -50,6 +53,9 @@ +@@ -50,6 +53,9 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) @@ -21204,19 +19725,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.8.8/policy/modules/services/oddjob.fc ---- nsaserefpolicy/policy/modules/services/oddjob.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/oddjob.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc +index bdf8c89..5ee1598 100644 +--- a/policy/modules/services/oddjob.fc ++++ b/policy/modules/services/oddjob.fc @@ -1,4 +1,5 @@ /usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.8.8/policy/modules/services/oddjob.if ---- nsaserefpolicy/policy/modules/services/oddjob.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/oddjob.if 2010-08-10 05:23:35.000000000 -0400 -@@ -22,6 +22,25 @@ +diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if +index bd76ec2..85f6ada 100644 +--- a/policy/modules/services/oddjob.if ++++ b/policy/modules/services/oddjob.if +@@ -22,6 +22,25 @@ interface(`oddjob_domtrans',` domtrans_pattern($1, oddjob_exec_t, oddjob_t) ') @@ -21242,7 +19765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj ######################################## ## ## Make the specified program domain accessable -@@ -44,6 +63,7 @@ +@@ -44,6 +63,7 @@ interface(`oddjob_system_entry',` ') domtrans_pattern(oddjob_t, $2, $1) @@ -21250,7 +19773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj ') ######################################## -@@ -67,6 +87,24 @@ +@@ -67,6 +87,24 @@ interface(`oddjob_dbus_chat',` allow oddjob_t $1:dbus send_msg; ') @@ -21275,10 +19798,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj ######################################## ## ## Execute a domain transition to run oddjob_mkhomedir. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.8.8/policy/modules/services/oddjob.te ---- nsaserefpolicy/policy/modules/services/oddjob.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/oddjob.te 2010-07-30 14:06:53.000000000 -0400 -@@ -99,8 +99,7 @@ +diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te +index cadfc63..ef6919f 100644 +--- a/policy/modules/services/oddjob.te ++++ b/policy/modules/services/oddjob.te +@@ -99,8 +99,7 @@ seutil_read_default_contexts(oddjob_mkhomedir_t) # Add/remove user home directories userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) @@ -21289,10 +19813,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content(oddjob_mkhomedir_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oident.te serefpolicy-3.8.8/policy/modules/services/oident.te ---- nsaserefpolicy/policy/modules/services/oident.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/oident.te 2010-07-30 14:06:53.000000000 -0400 -@@ -48,6 +48,7 @@ +diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te +index 0a244b1..9097656 100644 +--- a/policy/modules/services/oident.te ++++ b/policy/modules/services/oident.te +@@ -48,6 +48,7 @@ kernel_read_kernel_sysctls(oidentd_t) kernel_read_network_state(oidentd_t) kernel_read_network_state_symlinks(oidentd_t) kernel_read_sysctl(oidentd_t) @@ -21300,10 +19825,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oide logging_send_syslog_msg(oidentd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.8.8/policy/modules/services/openct.te ---- nsaserefpolicy/policy/modules/services/openct.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/openct.te 2010-07-30 14:06:53.000000000 -0400 -@@ -20,9 +20,10 @@ +diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te +index 4996f62..975deca 100644 +--- a/policy/modules/services/openct.te ++++ b/policy/modules/services/openct.te +@@ -20,9 +20,10 @@ files_pid_file(openct_var_run_t) dontaudit openct_t self:capability sys_tty_config; allow openct_t self:process signal_perms; @@ -21315,10 +19841,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open kernel_read_kernel_sysctls(openct_t) kernel_list_proc(openct_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.8.8/policy/modules/services/openvpn.te ---- nsaserefpolicy/policy/modules/services/openvpn.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/openvpn.te 2010-08-18 09:44:00.000000000 -0400 -@@ -24,6 +24,9 @@ +diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te +index f3d5790..9be673c 100644 +--- a/policy/modules/services/openvpn.te ++++ b/policy/modules/services/openvpn.te +@@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t) type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -21328,7 +19855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) -@@ -58,9 +61,13 @@ +@@ -58,9 +61,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) @@ -21342,7 +19869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) -@@ -68,6 +75,7 @@ +@@ -68,6 +75,7 @@ kernel_read_kernel_sysctls(openvpn_t) kernel_read_net_sysctls(openvpn_t) kernel_read_network_state(openvpn_t) kernel_read_system_state(openvpn_t) @@ -21350,7 +19877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) -@@ -113,6 +121,8 @@ +@@ -113,6 +121,8 @@ sysnet_manage_config(openvpn_t) sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) @@ -21359,7 +19886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open tunable_policy(`openvpn_enable_homedirs',` userdom_read_user_home_content_files(openvpn_t) -@@ -138,3 +148,7 @@ +@@ -138,3 +148,7 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') @@ -21367,10 +19894,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open +optional_policy(` + unconfined_attach_tun_iface(openvpn_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.8.8/policy/modules/services/pcscd.te ---- nsaserefpolicy/policy/modules/services/pcscd.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/pcscd.te 2010-08-04 14:25:34.000000000 -0400 -@@ -44,7 +44,8 @@ +diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te +index b881672..da06e9f 100644 +--- a/policy/modules/services/pcscd.te ++++ b/policy/modules/services/pcscd.te +@@ -44,7 +44,8 @@ corenet_tcp_connect_http_port(pcscd_t) dev_rw_generic_usb_dev(pcscd_t) dev_rw_smartcard(pcscd_t) dev_rw_usbfs(pcscd_t) @@ -21380,10 +19908,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc files_read_etc_files(pcscd_t) files_read_etc_runtime_files(pcscd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.8.8/policy/modules/services/pegasus.te ---- nsaserefpolicy/policy/modules/services/pegasus.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/pegasus.te 2010-07-30 14:06:53.000000000 -0400 -@@ -29,7 +29,7 @@ +diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te +index 3185114..e2e2f67 100644 +--- a/policy/modules/services/pegasus.te ++++ b/policy/modules/services/pegasus.te +@@ -29,7 +29,7 @@ files_pid_file(pegasus_var_run_t) # Local policy # @@ -21392,7 +19921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_fifo_file_perms; -@@ -57,14 +57,17 @@ +@@ -57,14 +57,17 @@ manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink }; @@ -21411,7 +19940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega corenet_all_recvfrom_unlabeled(pegasus_t) corenet_all_recvfrom_netlabel(pegasus_t) -@@ -95,13 +98,12 @@ +@@ -95,13 +98,12 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -21427,7 +19956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega files_read_var_lib_symlinks(pegasus_t) hostname_exec(pegasus_t) -@@ -114,7 +116,6 @@ +@@ -114,7 +116,6 @@ logging_send_syslog_msg(pegasus_t) miscfiles_read_localization(pegasus_t) @@ -21435,7 +19964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega sysnet_domtrans_ifconfig(pegasus_t) userdom_dontaudit_use_unpriv_user_fds(pegasus_t) -@@ -125,6 +126,14 @@ +@@ -125,6 +126,14 @@ optional_policy(` ') optional_policy(` @@ -21450,7 +19979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega seutil_sigchld_newrole(pegasus_t) seutil_dontaudit_read_config(pegasus_t) ') -@@ -136,3 +145,13 @@ +@@ -136,3 +145,13 @@ optional_policy(` optional_policy(` unconfined_signull(pegasus_t) ') @@ -21464,21 +19993,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/perdition.if serefpolicy-3.8.8/policy/modules/services/perdition.if ---- nsaserefpolicy/policy/modules/services/perdition.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/perdition.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.fc serefpolicy-3.8.8/policy/modules/services/piranha.fc ---- nsaserefpolicy/policy/modules/services/piranha.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/piranha.fc 2010-08-04 13:10:54.000000000 -0400 +diff --git a/policy/modules/services/piranha.fc b/policy/modules/services/piranha.fc +new file mode 100644 +index 0000000..2c7e06f +--- /dev/null ++++ b/policy/modules/services/piranha.fc @@ -0,0 +1,26 @@ + +/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0) @@ -21506,9 +20025,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0) +/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.if serefpolicy-3.8.8/policy/modules/services/piranha.if ---- nsaserefpolicy/policy/modules/services/piranha.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/piranha.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/piranha.if b/policy/modules/services/piranha.if +new file mode 100644 +index 0000000..8ecd276 +--- /dev/null ++++ b/policy/modules/services/piranha.if @@ -0,0 +1,175 @@ + +## policy for piranha @@ -21685,9 +20206,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira + manage_files_pattern($1, piranha_log_t, piranha_log_t) + manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.8.8/policy/modules/services/piranha.te ---- nsaserefpolicy/policy/modules/services/piranha.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/piranha.te 2010-08-10 05:23:35.000000000 -0400 +diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te +new file mode 100644 +index 0000000..17d6b45 +--- /dev/null ++++ b/policy/modules/services/piranha.te @@ -0,0 +1,216 @@ +policy_module(piranha,1.0.0) + @@ -21905,10 +20428,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +miscfiles_read_localization(piranha_domain) + +sysnet_read_config(piranha_domain) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.8.8/policy/modules/services/plymouthd.te ---- nsaserefpolicy/policy/modules/services/plymouthd.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/plymouthd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -60,10 +60,14 @@ +diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te +index fb8dc84..c30505a 100644 +--- a/policy/modules/services/plymouthd.te ++++ b/policy/modules/services/plymouthd.te +@@ -60,10 +60,14 @@ domain_use_interactive_fds(plymouthd_t) files_read_etc_files(plymouthd_t) files_read_usr_files(plymouthd_t) @@ -21923,7 +20447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym ######################################## # # Plymouth private policy -@@ -74,6 +78,7 @@ +@@ -74,6 +78,7 @@ allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(plymouth_t) @@ -21931,9 +20455,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym domain_use_interactive_fds(plymouth_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.8.8/policy/modules/services/policykit.fc ---- nsaserefpolicy/policy/modules/services/policykit.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/policykit.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc +index 27c739c..c65d18f 100644 +--- a/policy/modules/services/policykit.fc ++++ b/policy/modules/services/policykit.fc @@ -6,10 +6,13 @@ /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) @@ -21949,10 +20474,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.8.8/policy/modules/services/policykit.if ---- nsaserefpolicy/policy/modules/services/policykit.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/policykit.if 2010-07-30 14:06:53.000000000 -0400 -@@ -17,12 +17,37 @@ +diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if +index 48ff1e8..29c9906 100644 +--- a/policy/modules/services/policykit.if ++++ b/policy/modules/services/policykit.if +@@ -17,12 +17,37 @@ interface(`policykit_dbus_chat',` class dbus send_msg; ') @@ -21990,7 +20516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ## Execute a domain transition to run polkit_auth. ## ## -@@ -62,6 +87,9 @@ +@@ -62,6 +87,9 @@ interface(`policykit_run_auth',` policykit_domtrans_auth($1) role $2 types policykit_auth_t; @@ -22000,7 +20526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ') ######################################## -@@ -206,4 +234,47 @@ +@@ -206,4 +234,47 @@ interface(`policykit_read_lib',` files_search_var_lib($1) read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) @@ -22048,10 +20574,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli + + allow $1 policykit_auth_t:process signal; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.8.8/policy/modules/services/policykit.te ---- nsaserefpolicy/policy/modules/services/policykit.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/policykit.te 2010-08-23 13:23:59.000000000 -0400 -@@ -24,6 +24,9 @@ +diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te +index 1e7169d..ab881a1 100644 +--- a/policy/modules/services/policykit.te ++++ b/policy/modules/services/policykit.te +@@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t) type policykit_reload_t alias polkit_reload_t; files_type(policykit_reload_t) @@ -22061,7 +20588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli type policykit_var_lib_t alias polkit_var_lib_t; files_type(policykit_var_lib_t) -@@ -35,11 +38,12 @@ +@@ -35,11 +38,12 @@ files_pid_file(policykit_var_run_t) # policykit local policy # @@ -22078,7 +20605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli policykit_domtrans_auth(policykit_t) -@@ -56,10 +60,16 @@ +@@ -56,10 +60,16 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) @@ -22095,7 +20622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli auth_use_nsswitch(policykit_t) -@@ -67,45 +77,90 @@ +@@ -67,45 +77,90 @@ logging_send_syslog_msg(policykit_t) miscfiles_read_localization(policykit_t) @@ -22192,7 +20719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,6 +173,14 @@ +@@ -118,6 +173,14 @@ optional_policy(` hal_read_state(policykit_auth_t) ') @@ -22207,7 +20734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ######################################## # # polkit_grant local policy -@@ -125,7 +188,8 @@ +@@ -125,7 +188,8 @@ optional_policy(` allow policykit_grant_t self:capability setuid; allow policykit_grant_t self:process getattr; @@ -22217,7 +20744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -155,9 +219,12 @@ +@@ -155,9 +219,12 @@ miscfiles_read_localization(policykit_grant_t) userdom_read_all_users_state(policykit_grant_t) optional_policy(` @@ -22231,7 +20758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -169,7 +236,8 @@ +@@ -169,7 +236,8 @@ optional_policy(` allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; allow policykit_resolve_t self:process getattr; @@ -22241,30 +20768,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.if serefpolicy-3.8.8/policy/modules/services/portmap.if ---- nsaserefpolicy/policy/modules/services/portmap.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/portmap.if 2010-07-30 14:06:53.000000000 -0400 -@@ -52,7 +52,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -80,7 +80,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.8.8/policy/modules/services/portreserve.fc ---- nsaserefpolicy/policy/modules/services/portreserve.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/portreserve.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc +index c69d047..1d9fa76 100644 +--- a/policy/modules/services/portreserve.fc ++++ b/policy/modules/services/portreserve.fc @@ -1,3 +1,6 @@ + +/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) @@ -22272,10 +20779,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port /etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.8.8/policy/modules/services/portreserve.if ---- nsaserefpolicy/policy/modules/services/portreserve.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/portreserve.if 2010-07-30 14:06:53.000000000 -0400 -@@ -18,6 +18,24 @@ +diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if +index 10300a0..4af4422 100644 +--- a/policy/modules/services/portreserve.if ++++ b/policy/modules/services/portreserve.if +@@ -18,6 +18,24 @@ interface(`portreserve_domtrans',` domtrans_pattern($1, portreserve_exec_t, portreserve_t) ') @@ -22300,7 +20808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port ####################################### ## ## Allow the specified domain to read -@@ -64,3 +82,40 @@ +@@ -64,3 +82,40 @@ interface(`portreserve_manage_config',` manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) ') @@ -22341,10 +20849,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port + files_search_pids($1) + admin_pattern($1, portreserve_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.8.8/policy/modules/services/portreserve.te ---- nsaserefpolicy/policy/modules/services/portreserve.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/portreserve.te 2010-07-30 14:06:53.000000000 -0400 -@@ -9,6 +9,9 @@ +diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te +index 4f2dae1..e091aba 100644 +--- a/policy/modules/services/portreserve.te ++++ b/policy/modules/services/portreserve.te +@@ -9,6 +9,9 @@ type portreserve_t; type portreserve_exec_t; init_daemon_domain(portreserve_t, portreserve_exec_t) @@ -22354,7 +20863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port type portreserve_etc_t; files_type(portreserve_etc_t) -@@ -35,7 +38,7 @@ +@@ -35,7 +38,7 @@ read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) @@ -22363,22 +20872,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port corecmd_getattr_bin_files(portreserve_t) -@@ -47,3 +50,5 @@ +@@ -47,3 +50,5 @@ corenet_tcp_bind_all_ports(portreserve_t) corenet_udp_bind_all_ports(portreserve_t) files_read_etc_files(portreserve_t) + +userdom_dontaudit_search_user_home_content(portreserve_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.8.8/policy/modules/services/postfix.fc ---- nsaserefpolicy/policy/modules/services/postfix.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/postfix.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc +index 55e62d2..c114a40 100644 +--- a/policy/modules/services/postfix.fc ++++ b/policy/modules/services/postfix.fc @@ -1,4 +1,5 @@ # postfix +/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) /etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0) ifdef(`distro_redhat', ` /usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -@@ -29,12 +30,10 @@ +@@ -29,12 +30,10 @@ ifdef(`distro_redhat', ` /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) @@ -22391,10 +20901,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.8.8/policy/modules/services/postfix.if ---- nsaserefpolicy/policy/modules/services/postfix.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/postfix.if 2010-08-25 09:35:31.000000000 -0400 -@@ -77,6 +77,7 @@ +diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if +index c48b45b..18996a5 100644 +--- a/policy/modules/services/postfix.if ++++ b/policy/modules/services/postfix.if +@@ -77,6 +77,7 @@ template(`postfix_domain_template',` files_read_etc_files(postfix_$1_t) files_read_etc_runtime_files(postfix_$1_t) @@ -22402,7 +20913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_read_usr_symlinks(postfix_$1_t) files_search_spool(postfix_$1_t) files_getattr_tmp_dirs(postfix_$1_t) -@@ -376,6 +377,25 @@ +@@ -376,6 +377,25 @@ interface(`postfix_domtrans_master',` domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') @@ -22428,7 +20939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## ## ## Execute the master postfix program in the -@@ -529,6 +549,25 @@ +@@ -529,6 +549,25 @@ interface(`postfix_domtrans_smtp',` ######################################## ## @@ -22454,7 +20965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Search postfix mail spool directories. ## ## -@@ -539,10 +578,10 @@ +@@ -539,10 +578,10 @@ interface(`postfix_domtrans_smtp',` # interface(`postfix_search_spool',` gen_require(` @@ -22467,7 +20978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_spool($1) ') -@@ -558,10 +597,10 @@ +@@ -558,10 +597,10 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -22480,7 +20991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_spool($1) ') -@@ -577,11 +616,11 @@ +@@ -577,11 +616,11 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -22494,7 +21005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## -@@ -596,11 +635,11 @@ +@@ -596,11 +635,11 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -22508,7 +21019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ######################################## -@@ -621,3 +660,101 @@ +@@ -621,3 +660,101 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -22610,10 +21121,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + role $2 types postfix_postdrop_t; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.8.8/policy/modules/services/postfix.te ---- nsaserefpolicy/policy/modules/services/postfix.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/postfix.te 2010-08-25 09:35:15.000000000 -0400 -@@ -5,6 +5,15 @@ +diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te +index 06e37d4..87043e1 100644 +--- a/policy/modules/services/postfix.te ++++ b/policy/modules/services/postfix.te +@@ -5,6 +5,15 @@ policy_module(postfix, 1.12.0) # Declarations # @@ -22629,7 +21141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post attribute postfix_user_domains; # domains that transition to the # postfix user domains -@@ -12,7 +21,7 @@ +@@ -12,7 +21,7 @@ attribute postfix_user_domtrans; postfix_server_domain_template(bounce) @@ -22638,7 +21150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_type(postfix_spool_bounce_t) postfix_server_domain_template(cleanup) -@@ -26,12 +35,21 @@ +@@ -26,12 +35,21 @@ application_executable_file(postfix_exec_t) postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) @@ -22661,7 +21173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) -@@ -41,6 +59,9 @@ +@@ -41,6 +59,9 @@ typealias postfix_master_t alias postfix_t; # generation macro work mta_mailserver(postfix_t, postfix_master_exec_t) @@ -22671,7 +21183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post postfix_server_domain_template(pickup) postfix_server_domain_template(pipe) -@@ -49,6 +70,7 @@ +@@ -49,6 +70,7 @@ postfix_user_domain_template(postdrop) mta_mailserver_user_agent(postfix_postdrop_t) postfix_user_domain_template(postqueue) @@ -22679,7 +21191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post type postfix_private_t; files_type(postfix_private_t) -@@ -65,13 +87,13 @@ +@@ -65,13 +87,13 @@ mta_mailserver_sender(postfix_smtp_t) postfix_server_domain_template(smtpd) @@ -22696,7 +21208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_type(postfix_spool_flush_t) type postfix_public_t; -@@ -99,7 +121,9 @@ +@@ -99,7 +121,9 @@ allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; allow postfix_master_t self:process setrlimit; @@ -22706,7 +21218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post can_exec(postfix_master_t, postfix_exec_t) -@@ -150,6 +174,9 @@ +@@ -150,6 +174,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -22716,7 +21228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -167,6 +194,8 @@ +@@ -167,6 +194,8 @@ corecmd_exec_bin(postfix_master_t) domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) @@ -22725,7 +21237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post term_dontaudit_search_ptys(postfix_master_t) -@@ -304,9 +333,17 @@ +@@ -304,9 +333,17 @@ optional_policy(` ') optional_policy(` @@ -22743,7 +21255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix map local policy -@@ -401,6 +438,8 @@ +@@ -401,6 +438,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -22752,7 +21264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +459,7 @@ +@@ -420,6 +459,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -22760,7 +21272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -588,6 +628,11 @@ +@@ -588,6 +628,11 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -22772,7 +21284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_smtpd_t) optional_policy(` -@@ -630,3 +675,8 @@ +@@ -630,3 +675,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -22781,22 +21293,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.8.8/policy/modules/services/postgresql.if ---- nsaserefpolicy/policy/modules/services/postgresql.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/postgresql.if 2010-07-30 14:06:53.000000000 -0400 -@@ -223,7 +223,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.8.8/policy/modules/services/postgresql.te ---- nsaserefpolicy/policy/modules/services/postgresql.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/postgresql.te 2010-07-30 14:06:53.000000000 -0400 -@@ -202,9 +202,10 @@ +diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te +index c0652ec..a5b6508 100644 +--- a/policy/modules/services/postgresql.te ++++ b/policy/modules/services/postgresql.te +@@ -202,9 +202,10 @@ manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -22808,10 +21309,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post kernel_read_kernel_sysctls(postgresql_t) kernel_read_system_state(postgresql_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.8.8/policy/modules/services/postgrey.te ---- nsaserefpolicy/policy/modules/services/postgrey.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/postgrey.te 2010-07-30 14:06:53.000000000 -0400 -@@ -47,9 +47,10 @@ +diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te +index 2c066b0..afaf453 100644 +--- a/policy/modules/services/postgrey.te ++++ b/policy/modules/services/postgrey.te +@@ -47,9 +47,10 @@ manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) @@ -22823,22 +21325,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post kernel_read_system_state(postgrey_t) kernel_read_kernel_sysctls(postgrey_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.8.8/policy/modules/services/ppp.if ---- nsaserefpolicy/policy/modules/services/ppp.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ppp.if 2010-07-30 14:06:53.000000000 -0400 -@@ -326,7 +326,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.8.8/policy/modules/services/ppp.te ---- nsaserefpolicy/policy/modules/services/ppp.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ppp.te 2010-07-30 14:06:53.000000000 -0400 -@@ -70,7 +70,7 @@ +diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te +index 2af42e7..74f07f8 100644 +--- a/policy/modules/services/ppp.te ++++ b/policy/modules/services/ppp.te +@@ -70,7 +70,7 @@ files_pid_file(pptp_var_run_t) # PPPD Local policy # @@ -22847,7 +21338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. dontaudit pppd_t self:capability sys_tty_config; allow pppd_t self:process { getsched signal }; allow pppd_t self:fifo_file rw_fifo_file_perms; -@@ -104,8 +104,9 @@ +@@ -104,8 +104,9 @@ manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) @@ -22858,7 +21349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. allow pppd_t pptp_t:process signal; -@@ -194,6 +195,8 @@ +@@ -194,6 +195,8 @@ optional_policy(` optional_policy(` mta_send_mail(pppd_t) @@ -22867,7 +21358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` -@@ -243,9 +246,10 @@ +@@ -243,9 +246,10 @@ allow pptp_t pppd_log_t:file append_file_perms; allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) @@ -22879,10 +21370,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. kernel_list_proc(pptp_t) kernel_read_kernel_sysctls(pptp_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.8.8/policy/modules/services/prelude.te ---- nsaserefpolicy/policy/modules/services/prelude.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/prelude.te 2010-07-30 14:06:53.000000000 -0400 -@@ -72,9 +72,10 @@ +diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te +index 4d66b76..3a12d03 100644 +--- a/policy/modules/services/prelude.te ++++ b/policy/modules/services/prelude.te +@@ -72,9 +72,10 @@ manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) files_search_var_lib(prelude_t) @@ -22894,10 +21386,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel kernel_read_system_state(prelude_t) kernel_read_sysctl(prelude_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.8.8/policy/modules/services/privoxy.te ---- nsaserefpolicy/policy/modules/services/privoxy.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/privoxy.te 2010-08-23 17:21:38.000000000 -0400 -@@ -58,10 +58,12 @@ +diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te +index 0d295a8..19138e1 100644 +--- a/policy/modules/services/privoxy.te ++++ b/policy/modules/services/privoxy.te +@@ -58,10 +58,12 @@ corenet_tcp_bind_generic_node(privoxy_t) corenet_tcp_bind_http_cache_port(privoxy_t) corenet_tcp_connect_http_port(privoxy_t) corenet_tcp_connect_http_cache_port(privoxy_t) @@ -22910,19 +21403,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/priv corenet_sendrecv_http_cache_server_packets(privoxy_t) corenet_sendrecv_http_client_packets(privoxy_t) corenet_sendrecv_ftp_client_packets(privoxy_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.8.8/policy/modules/services/procmail.fc ---- nsaserefpolicy/policy/modules/services/procmail.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/procmail.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc +index 1343621..4b36a13 100644 +--- a/policy/modules/services/procmail.fc ++++ b/policy/modules/services/procmail.fc @@ -1,3 +1,5 @@ +HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) +/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.8.8/policy/modules/services/procmail.if ---- nsaserefpolicy/policy/modules/services/procmail.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/procmail.if 2010-07-30 14:06:53.000000000 -0400 -@@ -77,3 +77,23 @@ +diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if +index b64b02f..5bfbd7b 100644 +--- a/policy/modules/services/procmail.if ++++ b/policy/modules/services/procmail.if +@@ -77,3 +77,23 @@ interface(`procmail_rw_tmp_files',` files_search_tmp($1) rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) ') @@ -22946,10 +21441,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc + read_files_pattern($1, procmail_home_t, procmail_home_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.8.8/policy/modules/services/procmail.te ---- nsaserefpolicy/policy/modules/services/procmail.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/procmail.te 2010-07-30 14:06:53.000000000 -0400 -@@ -10,6 +10,9 @@ +diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te +index 29b9295..b558811 100644 +--- a/policy/modules/services/procmail.te ++++ b/policy/modules/services/procmail.te +@@ -10,6 +10,9 @@ type procmail_exec_t; application_domain(procmail_t, procmail_exec_t) role system_r types procmail_t; @@ -22959,7 +21455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc type procmail_log_t; logging_log_file(procmail_log_t) -@@ -76,9 +79,15 @@ +@@ -76,9 +79,15 @@ files_search_pids(procmail_t) files_read_usr_files(procmail_t) logging_send_syslog_msg(procmail_t) @@ -22975,7 +21471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc # only works until we define a different type for maildir userdom_manage_user_home_content_dirs(procmail_t) userdom_manage_user_home_content_files(procmail_t) -@@ -87,8 +96,8 @@ +@@ -87,8 +96,8 @@ userdom_manage_user_home_content_pipes(procmail_t) userdom_manage_user_home_content_sockets(procmail_t) userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) @@ -22986,7 +21482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc mta_manage_spool(procmail_t) mta_read_queue(procmail_t) -@@ -128,6 +137,10 @@ +@@ -128,6 +137,10 @@ optional_policy(` ') optional_policy(` @@ -22997,10 +21493,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc pyzor_domtrans(procmail_t) pyzor_signal(procmail_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.8.8/policy/modules/services/psad.if ---- nsaserefpolicy/policy/modules/services/psad.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/psad.if 2010-07-30 14:06:53.000000000 -0400 -@@ -176,6 +176,26 @@ +diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if +index bc329d1..a5ec9f5 100644 +--- a/policy/modules/services/psad.if ++++ b/policy/modules/services/psad.if +@@ -176,6 +176,26 @@ interface(`psad_append_log',` ######################################## ## @@ -23027,7 +21524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad ## Read and write psad fifo files. ## ## -@@ -234,7 +254,7 @@ +@@ -234,7 +254,7 @@ interface(`psad_admin',` gen_require(` type psad_t, psad_var_run_t, psad_var_log_t; type psad_initrc_exec_t, psad_var_lib_t; @@ -23036,10 +21533,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad ') allow $1 psad_t:process { ptrace signal_perms }; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.8.8/policy/modules/services/psad.te ---- nsaserefpolicy/policy/modules/services/psad.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/psad.te 2010-07-30 14:06:53.000000000 -0400 -@@ -53,9 +53,10 @@ +diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te +index d4000e0..c23cd14 100644 +--- a/policy/modules/services/psad.te ++++ b/policy/modules/services/psad.te +@@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) # pid file @@ -23051,7 +21549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad # tmp files manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t) -@@ -85,6 +86,7 @@ +@@ -85,6 +86,7 @@ corenet_sendrecv_whois_client_packets(psad_t) dev_read_urand(psad_t) files_read_etc_runtime_files(psad_t) @@ -23059,10 +21557,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad fs_getattr_all_fs(psad_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.8.8/policy/modules/services/puppet.te ---- nsaserefpolicy/policy/modules/services/puppet.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/puppet.te 2010-07-30 14:06:53.000000000 -0400 -@@ -63,7 +63,7 @@ +diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te +index 64c5f95..3588ebb 100644 +--- a/policy/modules/services/puppet.te ++++ b/policy/modules/services/puppet.te +@@ -63,7 +63,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) files_search_var_lib(puppet_t) @@ -23071,7 +21570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) -@@ -179,21 +179,26 @@ +@@ -179,21 +179,26 @@ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr }; allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr }; logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) @@ -23098,7 +21597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -214,13 +219,19 @@ +@@ -214,13 +219,19 @@ domain_read_all_domains_state(puppetmaster_t) files_read_etc_files(puppetmaster_t) files_search_var_lib(puppetmaster_t) @@ -23118,9 +21617,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp optional_policy(` hostname_exec(puppetmaster_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.8.8/policy/modules/services/pyzor.fc ---- nsaserefpolicy/policy/modules/services/pyzor.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/pyzor.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc +index d4a7750..705196e 100644 +--- a/policy/modules/services/pyzor.fc ++++ b/policy/modules/services/pyzor.fc @@ -1,6 +1,10 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -23132,10 +21632,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.8.8/policy/modules/services/pyzor.if ---- nsaserefpolicy/policy/modules/services/pyzor.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/pyzor.if 2010-07-30 14:06:53.000000000 -0400 -@@ -88,3 +88,50 @@ +diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if +index 494f7e2..6443f30 100644 +--- a/policy/modules/services/pyzor.if ++++ b/policy/modules/services/pyzor.if +@@ -88,3 +88,50 @@ interface(`pyzor_exec',` corecmd_search_bin($1) can_exec($1, pyzor_exec_t) ') @@ -23186,10 +21687,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo +') + + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.8.8/policy/modules/services/pyzor.te ---- nsaserefpolicy/policy/modules/services/pyzor.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/pyzor.te 2010-07-30 14:06:53.000000000 -0400 -@@ -5,6 +5,38 @@ +diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te +index cd683f9..2f03bad 100644 +--- a/policy/modules/services/pyzor.te ++++ b/policy/modules/services/pyzor.te +@@ -5,6 +5,38 @@ policy_module(pyzor, 2.1.0) # Declarations # @@ -23228,7 +21730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo type pyzor_t; type pyzor_exec_t; typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; -@@ -39,6 +71,7 @@ +@@ -39,6 +71,7 @@ init_daemon_domain(pyzord_t, pyzord_exec_t) type pyzord_log_t; logging_log_file(pyzord_log_t) @@ -23236,7 +21738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ######################################## # -@@ -76,12 +109,16 @@ +@@ -76,12 +109,16 @@ corenet_tcp_connect_http_port(pyzor_t) dev_read_urand(pyzor_t) @@ -23253,9 +21755,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.fc serefpolicy-3.8.8/policy/modules/services/qpidd.fc ---- nsaserefpolicy/policy/modules/services/qpidd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/qpidd.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/qpidd.fc b/policy/modules/services/qpidd.fc +new file mode 100644 +index 0000000..f3b89e4 +--- /dev/null ++++ b/policy/modules/services/qpidd.fc @@ -0,0 +1,9 @@ + +/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) @@ -23266,9 +21770,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid + +/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0) +/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.if serefpolicy-3.8.8/policy/modules/services/qpidd.if ---- nsaserefpolicy/policy/modules/services/qpidd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/qpidd.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if +new file mode 100644 +index 0000000..039bd27 +--- /dev/null ++++ b/policy/modules/services/qpidd.if @@ -0,0 +1,236 @@ + +## policy for qpidd @@ -23506,9 +22012,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid + + allow $1 qpidd_t:shm rw_shm_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.8.8/policy/modules/services/qpidd.te ---- nsaserefpolicy/policy/modules/services/qpidd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/qpidd.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te +new file mode 100644 +index 0000000..cf9a327 +--- /dev/null ++++ b/policy/modules/services/qpidd.te @@ -0,0 +1,59 @@ +policy_module(qpidd,1.0.0) + @@ -23569,10 +22077,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +miscfiles_read_localization(qpidd_t) + +sysnet_dns_name_resolve(qpidd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.8.8/policy/modules/services/radius.te ---- nsaserefpolicy/policy/modules/services/radius.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/radius.te 2010-07-30 14:06:53.000000000 -0400 -@@ -36,7 +36,7 @@ +diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te +index c53f222..df6769b 100644 +--- a/policy/modules/services/radius.te ++++ b/policy/modules/services/radius.te +@@ -36,7 +36,7 @@ files_pid_file(radiusd_var_run_t) # gzip also needs chown access to preserve GID for radwtmp files allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; dontaudit radiusd_t self:capability sys_tty_config; @@ -23581,7 +22090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi allow radiusd_t self:fifo_file rw_fifo_file_perms; allow radiusd_t self:unix_stream_socket create_stream_socket_perms; allow radiusd_t self:tcp_socket create_stream_socket_perms; -@@ -59,8 +59,9 @@ +@@ -59,8 +59,9 @@ logging_log_filetrans(radiusd_t, radiusd_log_t,{ file dir }) manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) @@ -23592,10 +22101,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi kernel_read_kernel_sysctls(radiusd_t) kernel_read_system_state(radiusd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.8.8/policy/modules/services/radvd.te ---- nsaserefpolicy/policy/modules/services/radvd.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/radvd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -33,8 +33,9 @@ +@@ -129,6 +130,7 @@ optional_policy(` + ') + + optional_policy(` ++ samba_domtrans_winbind_helper(radiusd_t) + samba_read_var_files(radiusd_t) + ') + +diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te +index 87fdb1c..2943342 100644 +--- a/policy/modules/services/radvd.te ++++ b/policy/modules/services/radvd.te +@@ -33,8 +33,9 @@ allow radvd_t self:fifo_file rw_file_perms; allow radvd_t radvd_etc_t:file read_file_perms; @@ -23606,18 +22124,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv kernel_read_kernel_sysctls(radvd_t) kernel_rw_net_sysctls(radvd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.8.8/policy/modules/services/razor.fc ---- nsaserefpolicy/policy/modules/services/razor.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/razor.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc +index 1efba0c..71d657c 100644 +--- a/policy/modules/services/razor.fc ++++ b/policy/modules/services/razor.fc @@ -1,3 +1,4 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.8.8/policy/modules/services/razor.if ---- nsaserefpolicy/policy/modules/services/razor.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/razor.if 2010-07-30 14:06:53.000000000 -0400 -@@ -157,3 +157,45 @@ +diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if +index f04a595..9011506 100644 +--- a/policy/modules/services/razor.if ++++ b/policy/modules/services/razor.if +@@ -157,3 +157,45 @@ interface(`razor_domtrans',` domtrans_pattern($1, razor_exec_t, razor_t) ') @@ -23663,10 +22183,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.8.8/policy/modules/services/razor.te ---- nsaserefpolicy/policy/modules/services/razor.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/razor.te 2010-07-30 14:06:53.000000000 -0400 -@@ -5,6 +5,32 @@ +diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te +index 340a6c0..eaa8706 100644 +--- a/policy/modules/services/razor.te ++++ b/policy/modules/services/razor.te +@@ -5,6 +5,32 @@ policy_module(razor, 2.1.1) # Declarations # @@ -23699,7 +22220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo type razor_exec_t; corecmd_executable_file(razor_exec_t) -@@ -14,6 +40,7 @@ +@@ -14,6 +40,7 @@ files_config_file(razor_etc_t) type razor_home_t; typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; @@ -23707,7 +22228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo userdom_user_home_content(razor_home_t) type razor_log_t; -@@ -100,6 +127,8 @@ +@@ -100,6 +127,8 @@ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) @@ -23716,7 +22237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo logging_send_syslog_msg(razor_t) userdom_search_user_home_dirs(razor_t) -@@ -118,5 +147,7 @@ +@@ -118,5 +147,7 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -23725,31 +22246,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo +') + ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.8.8/policy/modules/services/remotelogin.if ---- nsaserefpolicy/policy/modules/services/remotelogin.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/remotelogin.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -24,7 +24,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.8.8/policy/modules/services/remotelogin.te ---- nsaserefpolicy/policy/modules/services/remotelogin.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/remotelogin.te 2010-08-24 09:11:29.000000000 -0400 -@@ -114,7 +114,6 @@ +diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te +index 0a76027..cdd0542 100644 +--- a/policy/modules/services/remotelogin.te ++++ b/policy/modules/services/remotelogin.te +@@ -114,7 +114,6 @@ optional_policy(` ') optional_policy(` @@ -23757,19 +22258,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo unconfined_shell_domtrans(remote_login_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.8.8/policy/modules/services/rgmanager.fc ---- nsaserefpolicy/policy/modules/services/rgmanager.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/rgmanager.fc b/policy/modules/services/rgmanager.fc +index 3c97ef0..c025d59 100644 +--- a/policy/modules/services/rgmanager.fc ++++ b/policy/modules/services/rgmanager.fc @@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) + /usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) /var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.8.8/policy/modules/services/rgmanager.if ---- nsaserefpolicy/policy/modules/services/rgmanager.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.if 2010-07-30 14:06:53.000000000 -0400 -@@ -75,3 +75,64 @@ +diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if +index 7dc38d1..91dbe71 100644 +--- a/policy/modules/services/rgmanager.if ++++ b/policy/modules/services/rgmanager.if +@@ -75,3 +75,64 @@ interface(`rgmanager_manage_tmpfs_files',` fs_search_tmpfs($1) manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) ') @@ -23834,10 +22337,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + files_search_pids($1) + admin_pattern($1, rgmanager_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.8.8/policy/modules/services/rgmanager.te ---- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.te 2010-08-24 09:12:13.000000000 -0400 -@@ -17,6 +17,9 @@ +diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te +index 00fa514..ce5dbc0 100644 +--- a/policy/modules/services/rgmanager.te ++++ b/policy/modules/services/rgmanager.te +@@ -17,6 +17,9 @@ type rgmanager_exec_t; domain_type(rgmanager_t) init_daemon_domain(rgmanager_t, rgmanager_exec_t) @@ -23847,7 +22351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma type rgmanager_tmp_t; files_tmp_file(rgmanager_tmp_t) -@@ -55,11 +58,14 @@ +@@ -55,11 +58,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) @@ -23863,7 +22367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma kernel_read_system_state(rgmanager_t) kernel_rw_rpc_sysctls(rgmanager_t) kernel_search_debugfs(rgmanager_t) -@@ -78,14 +84,19 @@ +@@ -78,14 +84,19 @@ domain_read_all_domains_state(rgmanager_t) domain_getattr_all_domains(rgmanager_t) domain_dontaudit_ptrace_all_domains(rgmanager_t) @@ -23884,7 +22388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma storage_getattr_fixed_disk_dev(rgmanager_t) term_getattr_pty_fs(rgmanager_t) -@@ -140,6 +151,11 @@ +@@ -140,6 +151,11 @@ optional_policy(` ') optional_policy(` @@ -23896,7 +22400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma mysql_domtrans_mysql_safe(rgmanager_t) mysql_stream_connect(rgmanager_t) ') -@@ -193,9 +209,13 @@ +@@ -193,9 +209,13 @@ optional_policy(` virt_stream_connect(rgmanager_t) ') @@ -23910,9 +22414,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma optional_policy(` xen_domtrans_xm(rgmanager_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.8.8/policy/modules/services/rhcs.fc ---- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rhcs.fc 2010-08-10 11:56:57.000000000 -0400 +diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc +index c2ba53b..b19961e 100644 +--- a/policy/modules/services/rhcs.fc ++++ b/policy/modules/services/rhcs.fc @@ -1,6 +1,7 @@ /usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) /usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) @@ -23921,9 +22426,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs /usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) /usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.8.8/policy/modules/services/rhcs.if ---- nsaserefpolicy/policy/modules/services/rhcs.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rhcs.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if +index de37806..b6a524b 100644 +--- a/policy/modules/services/rhcs.if ++++ b/policy/modules/services/rhcs.if @@ -14,6 +14,8 @@ template(`rhcs_domain_template',` gen_require(` @@ -23933,7 +22439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs ') ############################## -@@ -25,13 +27,13 @@ +@@ -25,13 +27,13 @@ template(`rhcs_domain_template',` type $1_exec_t; init_daemon_domain($1_t, $1_exec_t) @@ -23949,7 +22455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs files_pid_file($1_var_run_t) ############################## -@@ -335,6 +337,67 @@ +@@ -335,6 +337,67 @@ interface(`rhcs_rw_groupd_shm',` manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) ') @@ -24017,7 +22523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs ###################################### ## ## Execute a domain transition to run qdiskd. -@@ -353,3 +416,21 @@ +@@ -353,3 +416,21 @@ interface(`rhcs_domtrans_qdiskd',` corecmd_search_bin($1) domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) ') @@ -24039,10 +22545,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + + allow $1 qdiskd_tmpfs_t:file read_file_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.8.8/policy/modules/services/rhcs.te ---- nsaserefpolicy/policy/modules/services/rhcs.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rhcs.te 2010-07-30 14:06:53.000000000 -0400 -@@ -13,6 +13,8 @@ +diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te +index 93c896a..68f2b99 100644 +--- a/policy/modules/services/rhcs.te ++++ b/policy/modules/services/rhcs.te +@@ -13,6 +13,8 @@ policy_module(rhcs, 1.1.0) gen_tunable(fenced_can_network_connect, false) attribute cluster_domain; @@ -24051,7 +22558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs rhcs_domain_template(dlm_controld) -@@ -55,17 +57,13 @@ +@@ -55,17 +57,13 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -24070,7 +22577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs allow fenced_t self:tcp_socket create_stream_socket_perms; allow fenced_t self:udp_socket create_socket_perms; -@@ -82,7 +80,10 @@ +@@ -82,7 +80,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -24081,7 +22588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs corenet_tcp_connect_http_port(fenced_t) -@@ -106,7 +107,6 @@ +@@ -106,7 +107,6 @@ tunable_policy(`fenced_can_network_connect',` optional_policy(` ccs_read_config(fenced_t) @@ -24089,7 +22596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs ') optional_policy(` -@@ -139,10 +139,6 @@ +@@ -139,10 +139,6 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) optional_policy(` @@ -24100,7 +22607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) ') -@@ -168,7 +164,7 @@ +@@ -168,7 +164,7 @@ init_rw_script_tmp_files(groupd_t) # qdiskd local policy # @@ -24109,7 +22616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -@@ -207,10 +203,6 @@ +@@ -207,10 +203,6 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) optional_policy(` @@ -24120,7 +22627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs netutils_domtrans_ping(qdiskd_t) ') -@@ -236,5 +228,9 @@ +@@ -236,5 +228,9 @@ logging_send_syslog_msg(cluster_domain) miscfiles_read_localization(cluster_domain) optional_policy(` @@ -24130,66 +22637,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +optional_policy(` corosync_stream_connect(cluster_domain) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-3.8.8/policy/modules/services/rhgb.if ---- nsaserefpolicy/policy/modules/services/rhgb.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rhgb.if 2010-08-03 15:21:15.000000000 -0400 -@@ -22,7 +22,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -76,7 +76,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -95,7 +95,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -113,7 +113,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -131,7 +131,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -185,7 +185,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-3.8.8/policy/modules/services/ricci.fc ---- nsaserefpolicy/policy/modules/services/ricci.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ricci.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc +index 5b08327..ed5dc05 100644 +--- a/policy/modules/services/ricci.fc ++++ b/policy/modules/services/ricci.fc @@ -1,3 +1,6 @@ + +/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0) @@ -24197,10 +22648,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc /usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0) /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.8.8/policy/modules/services/ricci.if ---- nsaserefpolicy/policy/modules/services/ricci.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ricci.if 2010-08-10 05:23:35.000000000 -0400 -@@ -18,6 +18,24 @@ +diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if +index f7826f9..f326085 100644 +--- a/policy/modules/services/ricci.if ++++ b/policy/modules/services/ricci.if +@@ -18,6 +18,24 @@ interface(`ricci_domtrans',` domtrans_pattern($1, ricci_exec_t, ricci_t) ') @@ -24225,7 +22677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ######################################## ## ## Execute a domain transition to run ricci_modcluster. -@@ -96,6 +114,24 @@ +@@ -96,6 +114,24 @@ interface(`ricci_stream_connect_modclusterd',` ######################################## ## @@ -24250,7 +22702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ## Execute a domain transition to run ricci_modlog. ## ## -@@ -165,3 +201,67 @@ +@@ -165,3 +201,67 @@ interface(`ricci_domtrans_modstorage',` domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) ') @@ -24318,10 +22770,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc + files_search_pids($1) + admin_pattern($1, ricci_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.8.8/policy/modules/services/ricci.te ---- nsaserefpolicy/policy/modules/services/ricci.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ricci.te 2010-08-24 09:12:28.000000000 -0400 -@@ -10,6 +10,9 @@ +diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te +index 33e72e8..e2434cb 100644 +--- a/policy/modules/services/ricci.te ++++ b/policy/modules/services/ricci.te +@@ -10,6 +10,9 @@ type ricci_exec_t; domain_type(ricci_t) init_daemon_domain(ricci_t, ricci_exec_t) @@ -24331,7 +22784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc type ricci_tmp_t; files_tmp_file(ricci_tmp_t) -@@ -42,6 +45,9 @@ +@@ -42,6 +45,9 @@ type ricci_modclusterd_exec_t; domain_type(ricci_modclusterd_t) init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t) @@ -24341,7 +22794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc type ricci_modlog_t; type ricci_modlog_exec_t; domain_type(ricci_modlog_t) -@@ -105,6 +111,7 @@ +@@ -105,6 +111,7 @@ manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(ricci_t) @@ -24349,7 +22802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc corecmd_exec_bin(ricci_t) -@@ -170,6 +177,10 @@ +@@ -170,6 +177,10 @@ optional_policy(` ') optional_policy(` @@ -24360,7 +22813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc unconfined_use_fds(ricci_t) ') -@@ -241,8 +252,7 @@ +@@ -241,8 +252,7 @@ optional_policy(` ') optional_policy(` @@ -24370,7 +22823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ') ######################################## -@@ -261,6 +271,10 @@ +@@ -261,6 +271,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; @@ -24381,7 +22834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -@@ -272,6 +286,7 @@ +@@ -272,6 +286,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock kernel_read_kernel_sysctls(ricci_modclusterd_t) kernel_read_system_state(ricci_modclusterd_t) @@ -24389,7 +22842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc corecmd_exec_bin(ricci_modclusterd_t) -@@ -444,6 +459,12 @@ +@@ -444,6 +459,12 @@ files_read_etc_runtime_files(ricci_modstorage_t) files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -24402,9 +22855,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc storage_raw_read_fixed_disk(ricci_modstorage_t) term_dontaudit_use_console(ricci_modstorage_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.fc serefpolicy-3.8.8/policy/modules/services/rlogin.fc ---- nsaserefpolicy/policy/modules/services/rlogin.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rlogin.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc +index 2785337..c3c2775 100644 +--- a/policy/modules/services/rlogin.fc ++++ b/policy/modules/services/rlogin.fc @@ -1,4 +1,7 @@ HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) @@ -24413,22 +22867,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.if serefpolicy-3.8.8/policy/modules/services/rlogin.if ---- nsaserefpolicy/policy/modules/services/rlogin.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rlogin.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.8.8/policy/modules/services/rlogin.te ---- nsaserefpolicy/policy/modules/services/rlogin.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rlogin.te 2010-07-30 14:06:53.000000000 -0400 -@@ -43,7 +43,6 @@ +diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te +index 779fa44..a142c36 100644 +--- a/policy/modules/services/rlogin.te ++++ b/policy/modules/services/rlogin.te +@@ -43,7 +43,6 @@ can_exec(rlogind_t, rlogind_exec_t) manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) @@ -24436,7 +22879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) -@@ -88,6 +87,9 @@ +@@ -88,6 +87,9 @@ seutil_read_config(rlogind_t) userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious userdom_read_user_home_content_files(rlogind_t) @@ -24446,98 +22889,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog remotelogin_domtrans(rlogind_t) remotelogin_signal(rlogind_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.8.8/policy/modules/services/rpcbind.fc ---- nsaserefpolicy/policy/modules/services/rpcbind.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rpcbind.fc 2010-08-20 07:30:37.000000000 -0400 -@@ -2,6 +2,7 @@ - - /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) - -+/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) - /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) - - /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.8.8/policy/modules/services/rpcbind.if ---- nsaserefpolicy/policy/modules/services/rpcbind.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rpcbind.if 2010-07-30 14:06:53.000000000 -0400 -@@ -141,7 +141,7 @@ - allow $1 rpcbind_t:process { ptrace signal_perms }; - ps_process_pattern($1, rpcbind_t) - -- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) -+ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpcbind_initrc_exec_t system_r; - allow $2 system_r; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.8.8/policy/modules/services/rpcbind.te ---- nsaserefpolicy/policy/modules/services/rpcbind.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rpcbind.te 2010-07-30 14:06:53.000000000 -0400 -@@ -71,3 +71,7 @@ - ifdef(`hide_broken_symptoms',` - dontaudit rpcbind_t self:udp_socket listen; - ') -+ -+optional_policy(` -+ nis_use_ypbind(rpcbind_t) -+') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.8.8/policy/modules/services/rpc.if ---- nsaserefpolicy/policy/modules/services/rpc.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rpc.if 2010-07-30 14:06:53.000000000 -0400 -@@ -128,7 +128,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -143,7 +143,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -161,7 +161,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -179,7 +179,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -197,7 +197,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -233,7 +233,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -246,6 +246,26 @@ +diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if +index cda37bb..b0eac5b 100644 +--- a/policy/modules/services/rpc.if ++++ b/policy/modules/services/rpc.if +@@ -246,6 +246,26 @@ interface(`rpc_domtrans_rpcd',` allow rpcd_t $1:process signal; ') @@ -24564,16 +22920,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ####################################### ## ## Execute domain in rpcd domain. -@@ -414,4 +434,5 @@ +@@ -414,4 +434,5 @@ interface(`rpc_manage_nfs_state_data',` files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + allow $1 var_lib_nfs_t:file { relabelfrom relabelto }; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.8.8/policy/modules/services/rpc.te ---- nsaserefpolicy/policy/modules/services/rpc.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rpc.te 2010-07-30 14:06:53.000000000 -0400 -@@ -63,8 +63,9 @@ +diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te +index a3b9f86..eae7d14 100644 +--- a/policy/modules/services/rpc.te ++++ b/policy/modules/services/rpc.te +@@ -63,8 +63,9 @@ allow rpcd_t self:process { getcap setcap }; allow rpcd_t self:fifo_file rw_fifo_file_perms; allow rpcd_t rpcd_var_run_t:dir setattr; @@ -24584,7 +22941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. # rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) -@@ -97,15 +98,26 @@ +@@ -97,15 +98,26 @@ miscfiles_read_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -24611,7 +22968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ######################################## # # NFSD local policy -@@ -120,6 +132,7 @@ +@@ -120,6 +132,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) kernel_dontaudit_getattr_core_if(nfsd_t) @@ -24619,7 +22976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -160,6 +173,7 @@ +@@ -160,6 +173,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') @@ -24627,7 +22984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -218,6 +232,8 @@ +@@ -218,6 +232,8 @@ tunable_policy(`allow_gssd_read_tmp',` userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) userdom_read_user_tmp_symlinks(gssd_t) @@ -24636,22 +22993,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.if serefpolicy-3.8.8/policy/modules/services/rshd.if ---- nsaserefpolicy/policy/modules/services/rshd.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rshd.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.8.8/policy/modules/services/rshd.te ---- nsaserefpolicy/policy/modules/services/rshd.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rshd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -66,6 +66,7 @@ +diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc +index f5c47d6..5a965e9 100644 +--- a/policy/modules/services/rpcbind.fc ++++ b/policy/modules/services/rpcbind.fc +@@ -2,6 +2,7 @@ + + /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) + ++/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) + /var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) + + /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) +diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if +index a96249c..ca97ead 100644 +--- a/policy/modules/services/rpcbind.if ++++ b/policy/modules/services/rpcbind.if +@@ -141,7 +141,7 @@ interface(`rpcbind_admin',` + allow $1 rpcbind_t:process { ptrace signal_perms }; + ps_process_pattern($1, rpcbind_t) + +- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) ++ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 rpcbind_initrc_exec_t system_r; + allow $2 system_r; +diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te +index d6d76e1..af3353c 100644 +--- a/policy/modules/services/rpcbind.te ++++ b/policy/modules/services/rpcbind.te +@@ -71,3 +71,7 @@ sysnet_dns_name_resolve(rpcbind_t) + ifdef(`hide_broken_symptoms',` + dontaudit rpcbind_t self:udp_socket listen; + ') ++ ++optional_policy(` ++ nis_use_ypbind(rpcbind_t) ++') +diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te +index 0b405d1..49a4283 100644 +--- a/policy/modules/services/rshd.te ++++ b/policy/modules/services/rshd.te +@@ -66,6 +66,7 @@ seutil_read_config(rshd_t) seutil_read_default_contexts(rshd_t) userdom_search_user_home_content(rshd_t) @@ -24659,10 +23042,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(rshd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.8.8/policy/modules/services/rsync.if ---- nsaserefpolicy/policy/modules/services/rsync.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rsync.if 2010-07-30 14:06:53.000000000 -0400 -@@ -119,7 +119,7 @@ +diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if +index 3386f29..eefa329 100644 +--- a/policy/modules/services/rsync.if ++++ b/policy/modules/services/rsync.if +@@ -119,7 +119,7 @@ interface(`rsync_read_config',` type rsync_etc_t; ') @@ -24671,7 +23055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn files_search_etc($1) ') -@@ -138,6 +138,49 @@ +@@ -138,6 +138,49 @@ interface(`rsync_write_config',` type rsync_etc_t; ') @@ -24722,10 +23106,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn + + files_etc_filetrans($1, rsync_etc_t, $2) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.8.8/policy/modules/services/rsync.te ---- nsaserefpolicy/policy/modules/services/rsync.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rsync.te 2010-07-30 14:06:53.000000000 -0400 -@@ -7,6 +7,13 @@ +diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te +index 39015ae..5e7b7cf 100644 +--- a/policy/modules/services/rsync.te ++++ b/policy/modules/services/rsync.te +@@ -7,6 +7,13 @@ policy_module(rsync, 1.10.0) ## ##

@@ -24739,7 +23124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn ## Allow rsync to export any files/directories read only. ##

## -@@ -23,7 +30,6 @@ +@@ -23,7 +30,6 @@ gen_tunable(allow_rsync_anon_write, false) type rsync_t; type rsync_exec_t; @@ -24747,7 +23132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn application_executable_file(rsync_exec_t) role system_r types rsync_t; -@@ -59,7 +65,7 @@ +@@ -59,7 +65,7 @@ allow rsync_t self:udp_socket connected_socket_perms; allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; #end for identd @@ -24756,7 +23141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn allow rsync_t rsync_data_t:dir list_dir_perms; read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -@@ -122,6 +128,7 @@ +@@ -122,6 +128,7 @@ optional_policy(` ') tunable_policy(`rsync_export_all_ro',` @@ -24764,7 +23149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn fs_read_noxattr_fs_files(rsync_t) fs_read_nfs_files(rsync_t) fs_read_cifs_files(rsync_t) -@@ -130,4 +137,19 @@ +@@ -130,4 +137,19 @@ tunable_policy(`rsync_export_all_ro',` auth_read_all_symlinks_except_shadow(rsync_t) auth_tunable_read_shadow(rsync_t) ') @@ -24784,10 +23169,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn +') + auth_can_read_shadow_passwords(rsync_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.8.8/policy/modules/services/rtkit.if ---- nsaserefpolicy/policy/modules/services/rtkit.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rtkit.if 2010-07-30 14:06:53.000000000 -0400 -@@ -41,6 +41,27 @@ +diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if +index 46dad1f..21079f8 100644 +--- a/policy/modules/services/rtkit.if ++++ b/policy/modules/services/rtkit.if +@@ -41,6 +41,27 @@ interface(`rtkit_daemon_dbus_chat',` ######################################## ## @@ -24815,10 +23201,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki ## Allow rtkit to control scheduling for your process ## ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.8.8/policy/modules/services/rtkit.te ---- nsaserefpolicy/policy/modules/services/rtkit.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rtkit.te 2010-07-30 14:06:53.000000000 -0400 -@@ -8,6 +8,7 @@ +diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te +index 6f8e268..7d64285 100644 +--- a/policy/modules/services/rtkit.te ++++ b/policy/modules/services/rtkit.te +@@ -8,6 +8,7 @@ policy_module(rtkit, 1.1.0) type rtkit_daemon_t; type rtkit_daemon_exec_t; dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) @@ -24826,9 +23213,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki ######################################## # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.8.8/policy/modules/services/samba.fc ---- nsaserefpolicy/policy/modules/services/samba.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/samba.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc +index 69a6074..73db5ba 100644 +--- a/policy/modules/services/samba.fc ++++ b/policy/modules/services/samba.fc @@ -51,3 +51,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) @@ -24837,37 +23225,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.8.8/policy/modules/services/samba.if ---- nsaserefpolicy/policy/modules/services/samba.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/samba.if 2010-07-30 14:06:53.000000000 -0400 -@@ -10,7 +10,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -46,7 +46,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -64,7 +64,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -79,12 +79,31 @@ +diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if +index 82cb169..89935be 100644 +--- a/policy/modules/services/samba.if ++++ b/policy/modules/services/samba.if +@@ -79,6 +79,25 @@ interface(`samba_domtrans_net',` ######################################## ## @@ -24893,14 +23255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ## Execute samba net in the samba_net domain, and ## allow the specified role the samba_net domain. ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -103,13 +122,57 @@ +@@ -103,6 +122,50 @@ interface(`samba_run_net',` role $2 types samba_net_t; ') @@ -24951,24 +23306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## ## ## Execute smbmount in the smbmount domain. - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -260,7 +323,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -412,6 +475,7 @@ +@@ -412,6 +475,7 @@ interface(`samba_manage_var_files',` files_search_var($1) files_search_var_lib($1) manage_files_pattern($1, samba_var_t, samba_var_t) @@ -24976,25 +23314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -464,7 +528,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -554,7 +618,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -564,6 +628,7 @@ +@@ -564,6 +628,7 @@ interface(`samba_domtrans_winbind_helper',` ') domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) @@ -25002,16 +23322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -573,7 +638,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -644,6 +709,36 @@ +@@ -644,6 +709,36 @@ interface(`samba_stream_connect_winbind',` ######################################## ## @@ -25048,7 +23359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ## All of the rules required to administrate ## an samba environment ## -@@ -664,7 +759,7 @@ +@@ -664,7 +759,7 @@ interface(`samba_admin',` type nmbd_t, nmbd_var_run_t; type smbd_t, smbd_tmp_t; type smbd_var_run_t; @@ -25057,7 +23368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_log_t, samba_var_t; type samba_etc_t, samba_share_t; -@@ -675,7 +770,7 @@ +@@ -675,7 +770,7 @@ interface(`samba_admin',` type winbind_var_run_t, winbind_tmp_t; type winbind_log_t; @@ -25066,7 +23377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') allow $1 smbd_t:process { ptrace signal_perms }; -@@ -684,6 +779,9 @@ +@@ -684,6 +779,9 @@ interface(`samba_admin',` allow $1 nmbd_t:process { ptrace signal_perms }; ps_process_pattern($1, nmbd_t) @@ -25076,7 +23387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb samba_run_smbcontrol($1, $2, $3) samba_run_winbind_helper($1, $2, $3) samba_run_smbmount($1, $2, $3) -@@ -709,9 +807,6 @@ +@@ -709,9 +807,6 @@ interface(`samba_admin',` admin_pattern($1, samba_var_t) files_list_var($1) @@ -25086,16 +23397,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb admin_pattern($1, smbd_var_run_t) files_list_pids($1) -@@ -727,4 +822,5 @@ +@@ -727,4 +822,5 @@ interface(`samba_admin',` admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) + admin_pattern($1, samba_unconfined_script_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.8.8/policy/modules/services/samba.te ---- nsaserefpolicy/policy/modules/services/samba.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/samba.te 2010-08-12 16:45:59.000000000 -0400 -@@ -152,9 +152,6 @@ +diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te +index e30bb63..2a5981d 100644 +--- a/policy/modules/services/samba.te ++++ b/policy/modules/services/samba.te +@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) type winbind_log_t; logging_log_file(winbind_log_t) @@ -25105,7 +23417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type winbind_var_run_t; files_pid_file(winbind_var_run_t) -@@ -230,7 +227,7 @@ +@@ -230,7 +227,7 @@ optional_policy(` # # smbd Local policy # @@ -25114,7 +23426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; -@@ -279,7 +276,7 @@ +@@ -279,7 +276,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) @@ -25123,7 +23435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbd_t swat_t:process signal; -@@ -323,6 +320,7 @@ +@@ -323,6 +320,7 @@ dev_getattr_all_blk_files(smbd_t) dev_getattr_all_chr_files(smbd_t) fs_getattr_all_fs(smbd_t) @@ -25131,7 +23443,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb fs_get_xattr_fs_quotas(smbd_t) fs_search_auto_mountpoints(smbd_t) fs_getattr_rpc_dirs(smbd_t) -@@ -385,12 +383,7 @@ +@@ -343,6 +341,7 @@ files_read_usr_files(smbd_t) + files_search_spool(smbd_t) + # smbd seems to getattr all mountpoints + files_dontaudit_getattr_all_dirs(smbd_t) ++files_dontaudit_list_all_mountpoints(smbd_t) + # Allow samba to list mnt_t for potential mounted dirs + files_list_mnt(smbd_t) + +@@ -385,12 +384,7 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -25145,7 +23465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') # Support Samba sharing of NFS mount points -@@ -445,8 +438,8 @@ +@@ -445,8 +439,8 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -25155,7 +23475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) -@@ -462,8 +455,8 @@ +@@ -462,8 +456,8 @@ tunable_policy(`samba_export_all_rw',` auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) @@ -25165,7 +23485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # -@@ -484,8 +477,9 @@ +@@ -484,8 +478,9 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -25176,7 +23496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -567,6 +561,7 @@ +@@ -567,6 +562,7 @@ allow smbcontrol_t smbd_t:process signal; allow smbcontrol_t winbind_t:process { signal signull }; @@ -25184,7 +23504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -677,7 +672,7 @@ +@@ -677,7 +673,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -25193,7 +23513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +687,14 @@ +@@ -692,12 +688,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -25208,7 +23528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +707,7 @@ +@@ -710,6 +708,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -25216,7 +23536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +752,8 @@ +@@ -754,6 +753,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -25225,7 +23545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,14 +806,14 @@ +@@ -806,14 +807,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -25245,7 +23565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +833,7 @@ +@@ -833,6 +834,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -25253,7 +23573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -922,6 +923,18 @@ +@@ -922,6 +924,18 @@ optional_policy(` # optional_policy(` @@ -25272,7 +23592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +945,12 @@ +@@ -932,9 +946,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -25286,10 +23606,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.8.8/policy/modules/services/sasl.te ---- nsaserefpolicy/policy/modules/services/sasl.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/sasl.te 2010-07-30 14:06:53.000000000 -0400 -@@ -42,13 +42,17 @@ +diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te +index 41d60ad..8655cb0 100644 +--- a/policy/modules/services/sasl.te ++++ b/policy/modules/services/sasl.te +@@ -42,13 +42,17 @@ allow saslauthd_t saslauthd_tmp_t:dir setattr; manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) @@ -25308,9 +23629,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl corenet_all_recvfrom_unlabeled(saslauthd_t) corenet_all_recvfrom_netlabel(saslauthd_t) corenet_tcp_sendrecv_generic_if(saslauthd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.fc serefpolicy-3.8.8/policy/modules/services/sendmail.fc ---- nsaserefpolicy/policy/modules/services/sendmail.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/sendmail.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc +index a86ec50..ef4199b 100644 +--- a/policy/modules/services/sendmail.fc ++++ b/policy/modules/services/sendmail.fc @@ -1,4 +1,6 @@ +/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) @@ -25318,10 +23640,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send /var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0) /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.8.8/policy/modules/services/sendmail.if ---- nsaserefpolicy/policy/modules/services/sendmail.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/sendmail.if 2010-07-30 14:06:53.000000000 -0400 -@@ -57,6 +57,24 @@ +diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if +index 7e94c7c..4f7eb51 100644 +--- a/policy/modules/services/sendmail.if ++++ b/policy/modules/services/sendmail.if +@@ -57,6 +57,24 @@ interface(`sendmail_domtrans',` allow sendmail_t $1:process sigchld; ') @@ -25346,7 +23669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ######################################## ## ## Execute the sendmail program in the sendmail domain. -@@ -295,3 +313,50 @@ +@@ -295,3 +313,50 @@ interface(`sendmail_run_unconfined',` sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; ') @@ -25397,10 +23720,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + files_search_spool($1) + admin_pattern($1, mail_spool_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.8.8/policy/modules/services/sendmail.te ---- nsaserefpolicy/policy/modules/services/sendmail.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/sendmail.te 2010-07-30 14:06:53.000000000 -0400 -@@ -19,6 +19,9 @@ +diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te +index 53dd7d0..668ce83 100644 +--- a/policy/modules/services/sendmail.te ++++ b/policy/modules/services/sendmail.te +@@ -19,6 +19,9 @@ mta_sendmail_mailserver(sendmail_t) mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -25410,7 +23734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send type unconfined_sendmail_t; application_domain(unconfined_sendmail_t, sendmail_exec_t) role system_r types unconfined_sendmail_t; -@@ -84,12 +87,14 @@ +@@ -84,12 +87,14 @@ files_read_usr_files(sendmail_t) files_search_spool(sendmail_t) # for piping mail to a command files_read_etc_runtime_files(sendmail_t) @@ -25425,7 +23749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send auth_use_nsswitch(sendmail_t) -@@ -103,7 +108,7 @@ +@@ -103,7 +108,7 @@ miscfiles_read_certs(sendmail_t) miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) @@ -25434,7 +23758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) -@@ -149,7 +154,9 @@ +@@ -149,7 +154,9 @@ optional_policy(` ') optional_policy(` @@ -25444,7 +23768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') -@@ -168,6 +175,10 @@ +@@ -168,6 +175,10 @@ optional_policy(` ') optional_policy(` @@ -25455,17 +23779,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send udev_read_db(sendmail_t) ') -@@ -183,5 +194,5 @@ +@@ -183,5 +194,5 @@ optional_policy(` optional_policy(` mta_etc_filetrans_aliases(unconfined_sendmail_t) - unconfined_domain(unconfined_sendmail_t) + unconfined_domain_noaudit(unconfined_sendmail_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.8.8/policy/modules/services/setroubleshoot.if ---- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/setroubleshoot.if 2010-07-30 14:06:53.000000000 -0400 -@@ -105,6 +105,25 @@ +diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if +index 22dfeb4..9dc4091 100644 +--- a/policy/modules/services/setroubleshoot.if ++++ b/policy/modules/services/setroubleshoot.if +@@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',` ######################################## ## @@ -25491,7 +23816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr ## All of the rules required to administrate ## an setroubleshoot environment ## -@@ -117,7 +136,7 @@ +@@ -117,7 +136,7 @@ interface(`setroubleshoot_dbus_chat_fixit',` # interface(`setroubleshoot_admin',` gen_require(` @@ -25500,7 +23825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; ') -@@ -125,7 +144,7 @@ +@@ -125,7 +144,7 @@ interface(`setroubleshoot_admin',` ps_process_pattern($1, setroubleshootd_t) logging_list_logs($1) @@ -25509,10 +23834,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.8.8/policy/modules/services/setroubleshoot.te ---- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/setroubleshoot.te 2010-07-30 14:06:53.000000000 -0400 -@@ -32,6 +32,8 @@ +diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te +index 086cd5f..679558c 100644 +--- a/policy/modules/services/setroubleshoot.te ++++ b/policy/modules/services/setroubleshoot.te +@@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t) allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; @@ -25521,7 +23847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -49,14 +51,17 @@ +@@ -49,14 +51,17 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) # pid file @@ -25540,7 +23866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -121,6 +126,10 @@ +@@ -121,6 +126,10 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -25551,7 +23877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') -@@ -152,6 +161,7 @@ +@@ -152,6 +161,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) seutil_domtrans_setfiles(setroubleshoot_fixit_t) @@ -25559,7 +23885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +174,13 @@ +@@ -164,6 +174,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -25573,10 +23899,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr optional_policy(` rpm_signull(setroubleshoot_fixit_t) rpm_read_db(setroubleshoot_fixit_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.8.8/policy/modules/services/smartmon.te ---- nsaserefpolicy/policy/modules/services/smartmon.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/smartmon.te 2010-08-05 14:48:00.000000000 -0400 -@@ -82,6 +82,8 @@ +diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te +index 4804f14..894f62d 100644 +--- a/policy/modules/services/smartmon.te ++++ b/policy/modules/services/smartmon.te +@@ -82,6 +82,8 @@ mls_file_read_all_levels(fsdaemon_t) storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) storage_raw_read_removable_device(fsdaemon_t) @@ -25585,10 +23912,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar term_dontaudit_search_ptys(fsdaemon_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.8.8/policy/modules/services/smokeping.te ---- nsaserefpolicy/policy/modules/services/smokeping.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/smokeping.te 2010-07-30 14:06:53.000000000 -0400 -@@ -23,6 +23,7 @@ +diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te +index 4ca5449..058bfc9 100644 +--- a/policy/modules/services/smokeping.te ++++ b/policy/modules/services/smokeping.te +@@ -23,6 +23,7 @@ files_type(smokeping_var_lib_t) # smokeping local policy # @@ -25596,7 +23924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok allow smokeping_t self:fifo_file rw_fifo_file_perms; allow smokeping_t self:udp_socket create_socket_perms; allow smokeping_t self:unix_stream_socket create_stream_socket_perms; -@@ -44,6 +45,7 @@ +@@ -44,6 +45,7 @@ files_read_usr_files(smokeping_t) files_search_tmp(smokeping_t) auth_use_nsswitch(smokeping_t) @@ -25604,9 +23932,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok logging_send_syslog_msg(smokeping_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.8.8/policy/modules/services/snmp.fc ---- nsaserefpolicy/policy/modules/services/snmp.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/snmp.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc +index 623c8fa..ac10740 100644 +--- a/policy/modules/services/snmp.fc ++++ b/policy/modules/services/snmp.fc @@ -18,7 +18,7 @@ /var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) @@ -25616,10 +23945,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.8.8/policy/modules/services/snmp.te ---- nsaserefpolicy/policy/modules/services/snmp.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/snmp.te 2010-07-30 14:06:53.000000000 -0400 -@@ -24,7 +24,7 @@ +diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te +index 3d8d1b3..b5cd366 100644 +--- a/policy/modules/services/snmp.te ++++ b/policy/modules/services/snmp.te +@@ -24,7 +24,7 @@ files_type(snmpd_var_lib_t) # # Local policy # @@ -25628,7 +23958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; -@@ -43,8 +43,9 @@ +@@ -43,8 +43,9 @@ files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) @@ -25639,7 +23969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) -@@ -97,6 +98,7 @@ +@@ -97,6 +98,7 @@ fs_search_auto_mountpoints(snmpd_t) storage_dontaudit_read_fixed_disk(snmpd_t) storage_dontaudit_read_removable_device(snmpd_t) @@ -25647,10 +23977,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp auth_use_nsswitch(snmpd_t) auth_read_all_dirs_except_shadow(snmpd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.8.8/policy/modules/services/snort.te ---- nsaserefpolicy/policy/modules/services/snort.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/snort.te 2010-07-30 14:06:53.000000000 -0400 -@@ -61,6 +61,7 @@ +diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te +index bf59f60..814a47a 100644 +--- a/policy/modules/services/snort.te ++++ b/policy/modules/services/snort.te +@@ -61,6 +61,7 @@ kernel_list_proc(snort_t) kernel_read_proc_symlinks(snort_t) kernel_request_load_module(snort_t) kernel_dontaudit_read_system_state(snort_t) @@ -25658,7 +23989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor corenet_all_recvfrom_unlabeled(snort_t) corenet_all_recvfrom_netlabel(snort_t) -@@ -77,6 +78,7 @@ +@@ -77,6 +78,7 @@ corenet_tcp_connect_prelude_port(snort_t) dev_read_sysfs(snort_t) dev_read_rand(snort_t) dev_read_urand(snort_t) @@ -25666,9 +23997,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor # Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon # Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect? dev_rw_generic_usb_dev(snort_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.8.8/policy/modules/services/spamassassin.fc ---- nsaserefpolicy/policy/modules/services/spamassassin.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/spamassassin.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc +index 6b3abf9..540981f 100644 +--- a/policy/modules/services/spamassassin.fc ++++ b/policy/modules/services/spamassassin.fc @@ -1,15 +1,26 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -25698,19 +24030,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.8.8/policy/modules/services/spamassassin.if ---- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/spamassassin.if 2010-07-30 14:06:53.000000000 -0400 -@@ -64,7 +64,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -111,6 +111,45 @@ +diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if +index c954f31..76cfada 100644 +--- a/policy/modules/services/spamassassin.if ++++ b/policy/modules/services/spamassassin.if +@@ -111,6 +111,45 @@ interface(`spamassassin_domtrans_client',` ') domtrans_pattern($1, spamc_exec_t, spamc_t) @@ -25756,7 +24080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -166,7 +205,9 @@ +@@ -166,7 +205,9 @@ interface(`spamassassin_read_lib_files',` ') files_search_var_lib($1) @@ -25766,16 +24090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -195,7 +236,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -225,3 +266,69 @@ +@@ -225,3 +266,69 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` dontaudit $1 spamd_tmp_t:sock_file getattr; ') @@ -25845,10 +24160,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.8.8/policy/modules/services/spamassassin.te ---- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/spamassassin.te 2010-07-30 14:06:53.000000000 -0400 -@@ -19,6 +19,35 @@ +diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te +index 9d40380..9ad4eff 100644 +--- a/policy/modules/services/spamassassin.te ++++ b/policy/modules/services/spamassassin.te +@@ -19,6 +19,35 @@ gen_tunable(spamassassin_can_network, false) ## gen_tunable(spamd_enable_home_dirs, true) @@ -25884,7 +24200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam type spamassassin_t; type spamassassin_exec_t; typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; -@@ -30,6 +59,7 @@ +@@ -30,6 +59,7 @@ type spamassassin_home_t; typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; userdom_user_home_content(spamassassin_home_t) @@ -25892,7 +24208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam type spamassassin_tmp_t; typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; -@@ -49,10 +79,21 @@ +@@ -49,10 +79,21 @@ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tm typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; files_tmp_file(spamc_tmp_t) ubac_constrained(spamc_tmp_t) @@ -25914,7 +24230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam type spamd_spool_t; files_type(spamd_spool_t) -@@ -108,6 +149,7 @@ +@@ -108,6 +149,7 @@ kernel_read_kernel_sysctls(spamassassin_t) dev_read_urand(spamassassin_t) fs_search_auto_mountpoints(spamassassin_t) @@ -25922,7 +24238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam # this should probably be removed corecmd_list_bin(spamassassin_t) -@@ -148,6 +190,9 @@ +@@ -148,6 +190,9 @@ tunable_policy(`spamassassin_can_network',` corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) @@ -25932,7 +24248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam sysnet_read_config(spamassassin_t) ') -@@ -184,6 +229,8 @@ +@@ -184,6 +229,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -25941,7 +24257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -205,16 +252,33 @@ +@@ -205,16 +252,33 @@ allow spamc_t self:unix_dgram_socket sendto; allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; @@ -25975,7 +24291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -244,9 +308,16 @@ +@@ -244,9 +308,16 @@ files_read_usr_files(spamc_t) files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) @@ -25992,7 +24308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -254,27 +325,40 @@ +@@ -254,27 +325,40 @@ seutil_read_config(spamc_t) sysnet_read_config(spamc_t) @@ -26039,7 +24355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -286,7 +370,7 @@ +@@ -286,7 +370,7 @@ optional_policy(` # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -26048,7 +24364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -302,10 +386,17 @@ +@@ -302,10 +386,17 @@ allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -26067,7 +24383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -314,11 +405,13 @@ +@@ -314,11 +405,13 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -26083,7 +24399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -367,22 +460,27 @@ +@@ -367,22 +460,27 @@ files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) @@ -26115,7 +24431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') -@@ -399,7 +497,9 @@ +@@ -399,7 +497,9 @@ optional_policy(` ') optional_policy(` @@ -26125,7 +24441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dcc_stream_connect_dccifd(spamd_t) ') -@@ -416,10 +516,6 @@ +@@ -416,10 +516,6 @@ optional_policy(` ') optional_policy(` @@ -26136,7 +24452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam postfix_read_config(spamd_t) ') -@@ -437,6 +533,10 @@ +@@ -437,6 +533,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) @@ -26147,30 +24463,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.8.8/policy/modules/services/squid.if ---- nsaserefpolicy/policy/modules/services/squid.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/squid.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.8.8/policy/modules/services/ssh.fc ---- nsaserefpolicy/policy/modules/services/ssh.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ssh.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc +index 078bcd7..dd706b0 100644 +--- a/policy/modules/services/ssh.fc ++++ b/policy/modules/services/ssh.fc @@ -1,4 +1,9 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) @@ -26181,7 +24477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) -@@ -14,3 +19,7 @@ +@@ -14,3 +19,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) @@ -26189,10 +24485,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) +/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.8.8/policy/modules/services/ssh.if ---- nsaserefpolicy/policy/modules/services/ssh.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ssh.if 2010-07-30 14:06:53.000000000 -0400 -@@ -36,6 +36,7 @@ +diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if +index 5437ffb..8dad56a 100644 +--- a/policy/modules/services/ssh.if ++++ b/policy/modules/services/ssh.if +@@ -36,6 +36,7 @@ template(`ssh_basic_client_template',` gen_require(` attribute ssh_server; type ssh_exec_t, sshd_key_t, sshd_tmp_t; @@ -26200,7 +24497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ############################## -@@ -47,10 +48,6 @@ +@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',` application_domain($1_ssh_t, ssh_exec_t) role $3 types $1_ssh_t; @@ -26211,7 +24508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ############################## # # Client local policy -@@ -93,18 +90,18 @@ +@@ -93,18 +90,18 @@ template(`ssh_basic_client_template',` ps_process_pattern($2, $1_ssh_t) # user can manage the keys and config @@ -26238,7 +24535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. kernel_read_kernel_sysctls($1_ssh_t) kernel_read_system_state($1_ssh_t) -@@ -116,6 +113,8 @@ +@@ -116,6 +113,8 @@ template(`ssh_basic_client_template',` corenet_tcp_sendrecv_all_ports($1_ssh_t) corenet_tcp_connect_ssh_port($1_ssh_t) corenet_sendrecv_ssh_client_packets($1_ssh_t) @@ -26247,7 +24544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dev_read_urand($1_ssh_t) -@@ -181,9 +180,9 @@ +@@ -181,9 +180,9 @@ template(`ssh_server_template', ` type $1_var_run_t; files_pid_file($1_var_run_t) @@ -26259,7 +24556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; # ssh agent connections: -@@ -206,6 +205,7 @@ +@@ -206,6 +205,7 @@ template(`ssh_server_template', ` kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) @@ -26267,7 +24564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -220,8 +220,11 @@ +@@ -220,8 +220,11 @@ template(`ssh_server_template', ` corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) @@ -26280,7 +24577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. fs_dontaudit_getattr_all_fs($1_t) -@@ -234,6 +237,7 @@ +@@ -234,6 +237,7 @@ template(`ssh_server_template', ` corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) @@ -26288,7 +24585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) -@@ -243,9 +247,9 @@ +@@ -243,9 +247,9 @@ template(`ssh_server_template', ` miscfiles_read_localization($1_t) @@ -26299,7 +24596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # Allow checking users mail at login mta_getattr_spool($1_t) -@@ -268,6 +272,14 @@ +@@ -268,6 +272,14 @@ template(`ssh_server_template', ` files_read_var_lib_symlinks($1_t) nx_spec_domtrans_server($1_t) ') @@ -26314,7 +24611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## -@@ -338,6 +350,7 @@ +@@ -338,6 +350,7 @@ template(`ssh_role_template',` manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) userdom_search_user_home_dirs($1_t) @@ -26322,7 +24619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ############################## # -@@ -584,6 +597,25 @@ +@@ -584,6 +597,25 @@ interface(`ssh_domtrans',` domtrans_pattern($1, sshd_exec_t, sshd_t) ') @@ -26348,7 +24645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ######################################## ## ## Execute the ssh client in the caller domain. -@@ -735,3 +767,22 @@ +@@ -735,3 +767,22 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -26371,10 +24668,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + allow $1 sshd_t:process signull; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.8.8/policy/modules/services/ssh.te ---- nsaserefpolicy/policy/modules/services/ssh.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ssh.te 2010-07-30 14:06:53.000000000 -0400 -@@ -19,6 +19,13 @@ +diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te +index 2dad3c8..68c3057 100644 +--- a/policy/modules/services/ssh.te ++++ b/policy/modules/services/ssh.te +@@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false) ## gen_tunable(ssh_sysadm_login, false) @@ -26388,7 +24686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. attribute ssh_server; attribute ssh_agent_type; -@@ -33,13 +40,12 @@ +@@ -33,13 +40,12 @@ corecmd_executable_file(sshd_exec_t) ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) @@ -26405,7 +24703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`enable_mcs',` init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) ') -@@ -99,11 +105,6 @@ +@@ -99,11 +105,6 @@ allow ssh_t self:tcp_socket create_stream_socket_perms; # Read the ssh key file. allow ssh_t sshd_key_t:file read_file_perms; @@ -26417,7 +24715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -113,6 +114,7 @@ +@@ -113,6 +114,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) @@ -26425,7 +24723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -124,9 +126,10 @@ +@@ -124,9 +126,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) # ssh servers can read the user keys and config @@ -26439,7 +24737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -138,6 +141,8 @@ +@@ -138,6 +141,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -26448,7 +24746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dev_read_urand(ssh_t) -@@ -169,8 +174,10 @@ +@@ -169,8 +174,10 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) @@ -26460,7 +24758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -200,6 +207,54 @@ +@@ -200,6 +207,54 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -26515,7 +24813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ############################## # # ssh_keysign_t local policy -@@ -233,44 +288,65 @@ +@@ -233,44 +288,65 @@ optional_policy(` allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -26590,7 +24888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -284,6 +360,11 @@ +@@ -284,6 +360,11 @@ optional_policy(` ') optional_policy(` @@ -26602,7 +24900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. unconfined_shell_domtrans(sshd_t) ') -@@ -353,10 +434,6 @@ +@@ -353,10 +434,6 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -26613,10 +24911,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. seutil_sigchld_newrole(ssh_keygen_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.8.8/policy/modules/services/sssd.te ---- nsaserefpolicy/policy/modules/services/sssd.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/sssd.te 2010-08-18 07:03:35.000000000 -0400 -@@ -28,9 +28,10 @@ +diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te +index 8ffa257..07d6748 100644 +--- a/policy/modules/services/sssd.te ++++ b/policy/modules/services/sssd.te +@@ -28,9 +28,10 @@ files_pid_file(sssd_var_run_t) # # sssd local policy # @@ -26628,7 +24927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) -@@ -48,6 +49,7 @@ +@@ -48,6 +49,7 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -26636,7 +24935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd kernel_read_system_state(sssd_t) corecmd_exec_bin(sssd_t) -@@ -80,6 +82,8 @@ +@@ -80,6 +82,8 @@ logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) @@ -26645,10 +24944,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.8.8/policy/modules/services/stunnel.te ---- nsaserefpolicy/policy/modules/services/stunnel.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/stunnel.te 2010-07-30 14:06:53.000000000 -0400 -@@ -46,8 +46,9 @@ +diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te +index 02e751d..733250d 100644 +--- a/policy/modules/services/stunnel.te ++++ b/policy/modules/services/stunnel.te +@@ -46,8 +46,9 @@ manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir }) @@ -26659,10 +24959,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stun kernel_read_kernel_sysctls(stunnel_t) kernel_read_system_state(stunnel_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.8.8/policy/modules/services/sysstat.te ---- nsaserefpolicy/policy/modules/services/sysstat.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/sysstat.te 2010-07-30 14:06:53.000000000 -0400 -@@ -18,8 +18,7 @@ +diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te +index 52f0d6c..111b041 100644 +--- a/policy/modules/services/sysstat.te ++++ b/policy/modules/services/sysstat.te +@@ -18,8 +18,7 @@ logging_log_file(sysstat_log_t) # Local policy # @@ -26672,7 +24973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss allow sysstat_t self:fifo_file rw_fifo_file_perms; can_exec(sysstat_t, sysstat_exec_t) -@@ -68,3 +67,8 @@ +@@ -68,3 +67,8 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(sysstat_t) ') @@ -26681,22 +24982,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss + nscd_socket_use(sysstat_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tcpd.if serefpolicy-3.8.8/policy/modules/services/tcpd.if ---- nsaserefpolicy/policy/modules/services/tcpd.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/tcpd.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.8.8/policy/modules/services/telnet.te ---- nsaserefpolicy/policy/modules/services/telnet.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/telnet.te 2010-07-30 14:06:53.000000000 -0400 -@@ -38,7 +38,6 @@ +diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te +index f40e67b..a0eeea9 100644 +--- a/policy/modules/services/telnet.te ++++ b/policy/modules/services/telnet.te +@@ -38,7 +38,6 @@ term_create_pty(telnetd_t, telnetd_devpts_t) manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) @@ -26704,7 +24994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) -@@ -85,6 +84,8 @@ +@@ -85,6 +84,8 @@ remotelogin_domtrans(telnetd_t) userdom_search_user_home_dirs(telnetd_t) userdom_setattr_user_ptys(telnetd_t) @@ -26713,10 +25003,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln optional_policy(` kerberos_keytab_template(telnetd, telnetd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.8.8/policy/modules/services/tftp.if ---- nsaserefpolicy/policy/modules/services/tftp.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/tftp.if 2010-07-30 14:06:53.000000000 -0400 -@@ -16,6 +16,26 @@ +diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if +index 38bb312..4d10dda 100644 +--- a/policy/modules/services/tftp.if ++++ b/policy/modules/services/tftp.if +@@ -16,6 +16,26 @@ interface(`tftp_read_content',` ') read_files_pattern($1, tftpdir_t, tftpdir_t) @@ -26743,7 +25034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp ') ######################################## -@@ -40,6 +60,36 @@ +@@ -40,6 +60,36 @@ interface(`tftp_manage_rw_content',` ######################################## ## @@ -26780,24 +25071,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp ## All of the rules required to administrate ## an tftp environment ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.8.8/policy/modules/services/tftp.te ---- nsaserefpolicy/policy/modules/services/tftp.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/tftp.te 2010-07-30 14:06:53.000000000 -0400 -@@ -94,6 +94,10 @@ +diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te +index d50c10d..66bfd1c 100644 +--- a/policy/modules/services/tftp.te ++++ b/policy/modules/services/tftp.te +@@ -94,6 +94,10 @@ tunable_policy(`tftp_anon_write',` ') optional_policy(` -+ cobbler_read_content(tftpd_t) ++ cobbler_read_lib_files(tftpd_t) +') + +optional_policy(` inetd_udp_service_domain(tftpd_t, tftpd_exec_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.8.8/policy/modules/services/tgtd.te ---- nsaserefpolicy/policy/modules/services/tgtd.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/tgtd.te 2010-07-30 14:06:53.000000000 -0400 -@@ -59,8 +59,12 @@ +diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te +index aa0cc45..debff69 100644 +--- a/policy/modules/services/tgtd.te ++++ b/policy/modules/services/tgtd.te +@@ -59,8 +59,12 @@ corenet_sendrecv_iscsi_server_packets(tgtd_t) files_read_etc_files(tgtd_t) @@ -26810,10 +25103,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd miscfiles_read_localization(tgtd_t) + +iscsi_manage_semaphores(tgtd_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.8.8/policy/modules/services/tor.te ---- nsaserefpolicy/policy/modules/services/tor.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/tor.te 2010-08-18 07:42:58.000000000 -0400 -@@ -67,9 +67,10 @@ +diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te +index 9fa94e4..81e8d3c 100644 +--- a/policy/modules/services/tor.te ++++ b/policy/modules/services/tor.te +@@ -67,9 +67,10 @@ manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir }) # pid file @@ -26825,7 +25119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. kernel_read_system_state(tor_t) -@@ -88,6 +89,7 @@ +@@ -88,6 +89,7 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) @@ -26833,7 +25127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. # tor uses crypto and needs random dev_read_urand(tor_t) -@@ -100,6 +102,8 @@ +@@ -100,6 +102,8 @@ files_read_usr_files(tor_t) auth_use_nsswitch(tor_t) @@ -26842,22 +25136,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor. miscfiles_read_localization(tor_t) tunable_policy(`tor_bind_all_unreserved_ports', ` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.if serefpolicy-3.8.8/policy/modules/services/tuned.if ---- nsaserefpolicy/policy/modules/services/tuned.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/tuned.if 2010-07-30 14:06:53.000000000 -0400 -@@ -81,7 +81,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.8.8/policy/modules/services/tuned.te ---- nsaserefpolicy/policy/modules/services/tuned.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/tuned.te 2010-07-30 14:06:53.000000000 -0400 -@@ -24,6 +24,7 @@ +diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te +index db9d2a5..b3983a9 100644 +--- a/policy/modules/services/tuned.te ++++ b/policy/modules/services/tuned.te +@@ -24,6 +24,7 @@ files_pid_file(tuned_var_run_t) # dontaudit tuned_t self:capability { dac_override sys_tty_config }; @@ -26865,7 +25148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) -@@ -58,6 +59,10 @@ +@@ -58,6 +59,10 @@ optional_policy(` fstools_domtrans(tuned_t) ') @@ -26876,10 +25159,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune # to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.8.8/policy/modules/services/ucspitcp.te ---- nsaserefpolicy/policy/modules/services/ucspitcp.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ucspitcp.te 2010-07-30 14:06:53.000000000 -0400 -@@ -91,3 +91,8 @@ +diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te +index a0794bf..dd23a9c 100644 +--- a/policy/modules/services/ucspitcp.te ++++ b/policy/modules/services/ucspitcp.te +@@ -91,3 +91,8 @@ optional_policy(` daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) daemontools_read_svc(ucspitcp_t) ') @@ -26888,10 +25172,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp + daemontools_sigchld_run(ucspitcp_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.8.8/policy/modules/services/ulogd.te ---- nsaserefpolicy/policy/modules/services/ulogd.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ulogd.te 2010-08-23 09:53:33.000000000 -0400 -@@ -31,6 +31,9 @@ +diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te +index eeaa641..eb4d8d5 100644 +--- a/policy/modules/services/ulogd.te ++++ b/policy/modules/services/ulogd.te +@@ -31,6 +31,9 @@ logging_log_file(ulogd_var_log_t) allow ulogd_t self:capability net_admin; allow ulogd_t self:netlink_nflog_socket create_socket_perms; @@ -26901,7 +25186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulog # config files read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) -@@ -43,6 +46,18 @@ +@@ -43,6 +46,18 @@ mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) @@ -26921,18 +25206,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulog + postgresql_stream_connect(ulogd_t) + postgresql_tcp_connect(ulogd_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc ---- nsaserefpolicy/policy/modules/services/usbmuxd.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/usbmuxd.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/usbmuxd.fc b/policy/modules/services/usbmuxd.fc +index fa54aee..40b8b8d 100644 +--- a/policy/modules/services/usbmuxd.fc ++++ b/policy/modules/services/usbmuxd.fc @@ -1,3 +1,3 @@ /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) -/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.8.8/policy/modules/services/uucp.te ---- nsaserefpolicy/policy/modules/services/uucp.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/uucp.te 2010-08-04 13:17:33.000000000 -0400 -@@ -83,6 +83,7 @@ +diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te +index b775aaf..ec1562b 100644 +--- a/policy/modules/services/uucp.te ++++ b/policy/modules/services/uucp.te +@@ -83,6 +83,7 @@ corenet_tcp_sendrecv_generic_node(uucpd_t) corenet_udp_sendrecv_generic_node(uucpd_t) corenet_tcp_sendrecv_all_ports(uucpd_t) corenet_udp_sendrecv_all_ports(uucpd_t) @@ -26940,7 +25227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp dev_read_urand(uucpd_t) -@@ -113,6 +114,10 @@ +@@ -113,6 +114,10 @@ optional_policy(` kerberos_use(uucpd_t) ') @@ -26951,28 +25238,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp ######################################## # # UUX Local policy -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.8.8/policy/modules/services/varnishd.if ---- nsaserefpolicy/policy/modules/services/varnishd.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/varnishd.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -56,6 +56,25 @@ +diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if +index b4d90ac..9214237 100644 +--- a/policy/modules/services/varnishd.if ++++ b/policy/modules/services/varnishd.if +@@ -56,6 +56,25 @@ interface(`varnishd_read_config',` read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) ') @@ -26998,10 +25268,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn ####################################### ## ## Read varnish logs. -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.8.8/policy/modules/services/varnishd.te ---- nsaserefpolicy/policy/modules/services/varnishd.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/varnishd.te 2010-07-30 14:55:56.000000000 -0400 -@@ -50,7 +50,8 @@ +diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te +index 1cc80e8..95c6dc3 100644 +--- a/policy/modules/services/varnishd.te ++++ b/policy/modules/services/varnishd.te +@@ -50,7 +50,8 @@ files_type(varnishlog_log_t) # varnishd local policy # @@ -27011,28 +25282,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn allow varnishd_t self:process signal; allow varnishd_t self:fifo_file rw_fifo_file_perms; allow varnishd_t self:tcp_socket create_stream_socket_perms; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.8.8/policy/modules/services/vhostmd.if ---- nsaserefpolicy/policy/modules/services/vhostmd.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/vhostmd.if 2010-07-30 14:06:53.000000000 -0400 -@@ -24,7 +24,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -42,7 +42,7 @@ - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # -@@ -209,7 +209,7 @@ +diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if +index 1f872b5..dadae8e 100644 +--- a/policy/modules/services/vhostmd.if ++++ b/policy/modules/services/vhostmd.if +@@ -209,7 +209,7 @@ interface(`vhostmd_admin',` type vhostmd_t, vhostmd_initrc_exec_t; ') @@ -27041,10 +25295,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos ps_process_pattern($1, vhostmd_t) vhostmd_initrc_domtrans($1) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.8.8/policy/modules/services/vhostmd.te ---- nsaserefpolicy/policy/modules/services/vhostmd.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/vhostmd.te 2010-08-10 07:10:27.000000000 -0400 -@@ -44,6 +44,8 @@ +diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te +index 32a3c13..f56f51f 100644 +--- a/policy/modules/services/vhostmd.te ++++ b/policy/modules/services/vhostmd.te +@@ -44,6 +44,8 @@ corecmd_exec_shell(vhostmd_t) corenet_tcp_connect_soundd_port(vhostmd_t) @@ -27053,7 +25308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos files_read_etc_files(vhostmd_t) files_read_usr_files(vhostmd_t) -@@ -66,6 +68,7 @@ +@@ -66,6 +68,7 @@ optional_policy(` optional_policy(` virt_stream_connect(vhostmd_t) @@ -27061,10 +25316,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.8.8/policy/modules/services/virt.fc ---- nsaserefpolicy/policy/modules/services/virt.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/virt.fc 2010-08-13 13:57:22.000000000 -0400 -@@ -13,17 +13,19 @@ +diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc +index 2124b6a..be4b00f 100644 +--- a/policy/modules/services/virt.fc ++++ b/policy/modules/services/virt.fc +@@ -1,3 +1,4 @@ ++HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_content_t,s0) + HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) + HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) + HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +@@ -13,17 +14,19 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) @@ -27087,10 +25348,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.8.8/policy/modules/services/virt.if ---- nsaserefpolicy/policy/modules/services/virt.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/virt.if 2010-08-10 07:08:50.000000000 -0400 -@@ -21,6 +21,7 @@ +diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if +index 7c5d8d8..1a0701b 100644 +--- a/policy/modules/services/virt.if ++++ b/policy/modules/services/virt.if +@@ -21,6 +21,7 @@ template(`virt_domain_template',` type $1_t, virt_domain; domain_type($1_t) domain_user_exemption_target($1_t) @@ -27098,7 +25360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt role system_r types $1_t; type $1_devpts_t; -@@ -35,17 +36,18 @@ +@@ -35,17 +36,18 @@ template(`virt_domain_template',` type $1_image_t, virt_image_type; files_type($1_image_t) dev_node($1_image_t) @@ -27120,7 +25382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -57,18 +59,6 @@ +@@ -57,18 +59,6 @@ template(`virt_domain_template',` manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) @@ -27139,7 +25401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt optional_policy(` xserver_rw_shm($1_t) ') -@@ -171,6 +161,7 @@ +@@ -171,6 +161,7 @@ interface(`virt_read_config',` files_search_etc($1) read_files_pattern($1, virt_etc_t, virt_etc_t) read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) @@ -27147,7 +25409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -192,6 +183,7 @@ +@@ -192,6 +183,7 @@ interface(`virt_manage_config',` files_search_etc($1) manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) @@ -27155,7 +25417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -231,6 +223,24 @@ +@@ -231,6 +223,24 @@ interface(`virt_read_content',` ######################################## ## @@ -27180,7 +25442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ## Read virt PID files. ## ## -@@ -308,6 +318,24 @@ +@@ -308,6 +318,24 @@ interface(`virt_read_lib_files',` ######################################## ## @@ -27205,7 +25467,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ## Create, read, write, and delete ## virt lib files. ## -@@ -433,15 +461,15 @@ +@@ -424,6 +452,24 @@ interface(`virt_read_images',` + + ######################################## + ## ++## Allow domain to read virt blk image files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_read_blk_images',` ++ gen_require(` ++ attribute virt_image_type; ++ ') ++ ++ read_blk_files_pattern($1, virt_image_type, virt_image_type) ++') ++ ++######################################## ++## + ## Create, read, write, and delete + ## svirt cache files. + ## +@@ -433,15 +479,15 @@ interface(`virt_read_images',` ## ## # @@ -27226,7 +25513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -516,3 +544,51 @@ +@@ -516,3 +562,51 @@ interface(`virt_admin',` virt_manage_log($1) ') @@ -27278,10 +25565,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.8/policy/modules/services/virt.te ---- nsaserefpolicy/policy/modules/services/virt.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/virt.te 2010-08-24 09:12:59.000000000 -0400 -@@ -4,6 +4,7 @@ +diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te +index 3cce663..8040c74 100644 +--- a/policy/modules/services/virt.te ++++ b/policy/modules/services/virt.te +@@ -4,6 +4,7 @@ policy_module(virt, 1.4.0) # # Declarations # @@ -27289,7 +25577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ## ##

-@@ -50,12 +51,12 @@ +@@ -50,12 +51,12 @@ gen_tunable(virt_use_usb, true) virt_domain_template(svirt) role system_r types svirt_t; @@ -27305,7 +25593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type virt_etc_t; files_config_file(virt_etc_t) -@@ -65,20 +66,25 @@ +@@ -65,20 +66,25 @@ files_type(virt_etc_rw_t) # virt Image files type virt_image_t; # customizable virt_image(virt_image_t) @@ -27332,7 +25620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type virtd_t; type virtd_exec_t; -@@ -89,6 +95,11 @@ +@@ -89,6 +95,11 @@ domain_subj_id_change_exemption(virtd_t) type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -27344,7 +25632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -104,15 +115,12 @@ +@@ -104,15 +115,12 @@ ifdef(`enable_mls',` allow svirt_t self:udp_socket create_socket_perms; @@ -27361,7 +25649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -147,11 +155,15 @@ +@@ -147,11 +155,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -27377,7 +25665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') tunable_policy(`virt_use_sysfs',` -@@ -160,6 +172,7 @@ +@@ -160,6 +172,7 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -27385,7 +25673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_manage_dos_dirs(svirt_t) fs_manage_dos_files(svirt_t) ') -@@ -168,28 +181,39 @@ +@@ -168,28 +181,39 @@ optional_policy(` xen_rw_image_files(svirt_t) ') @@ -27428,7 +25716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,9 +224,15 @@ +@@ -200,9 +224,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -27444,7 +25732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) logging_log_filetrans(virtd_t, virt_log_t, { file dir }) -@@ -220,6 +250,7 @@ +@@ -220,6 +250,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -27452,7 +25740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -243,18 +274,25 @@ +@@ -243,18 +274,27 @@ dev_read_rand(virtd_t) dev_rw_kvm(virtd_t) dev_getattr_all_chr_files(virtd_t) dev_rw_mtrr(virtd_t) @@ -27471,6 +25759,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt files_read_kernel_modules(virtd_t) files_read_usr_src_files(virtd_t) -files_manage_etc_files(virtd_t) ++files_relabelto_system_conf_files(virtd_t) ++files_relabelfrom_system_conf_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall +files_manage_system_conf_files(virtd_t) @@ -27479,7 +25769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +300,17 @@ +@@ -262,6 +302,17 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -27497,7 +25787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt mcs_process_set_categories(virtd_t) -@@ -286,15 +335,22 @@ +@@ -286,15 +337,24 @@ modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -27517,10 +25807,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) +userdom_setattr_user_home_content_files(virtd_t) ++ ++consoletype_exec(virtd_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -365,6 +421,7 @@ +@@ -365,6 +425,7 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -27528,7 +25820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -385,9 +442,13 @@ +@@ -385,9 +446,13 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -27542,7 +25834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ######################################## # -@@ -402,6 +463,19 @@ +@@ -402,6 +467,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms; allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; @@ -27562,7 +25854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +496,7 @@ +@@ -422,6 +500,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -27570,7 +25862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +504,12 @@ +@@ -429,10 +508,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -27583,7 +25875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +517,11 @@ +@@ -440,6 +521,11 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -27595,7 +25887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +539,121 @@ +@@ -457,8 +543,121 @@ optional_policy(` ') optional_policy(` @@ -27717,10 +26009,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + userdom_search_admin_dir(virsh_ssh_t) +') + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.8.8/policy/modules/services/w3c.te ---- nsaserefpolicy/policy/modules/services/w3c.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/w3c.te 2010-07-30 14:06:53.000000000 -0400 -@@ -7,11 +7,18 @@ +diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te +index 2dec92e..c37d690 100644 +--- a/policy/modules/services/w3c.te ++++ b/policy/modules/services/w3c.te +@@ -7,11 +7,18 @@ policy_module(w3c, 1.0.0) apache_content_template(w3c_validator) @@ -27739,15 +26032,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -@@ -22,3 +29,5 @@ +@@ -22,3 +29,5 @@ corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) miscfiles_read_certs(httpd_w3c_validator_script_t) sysnet_dns_name_resolve(httpd_w3c_validator_script_t) + +apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.8.8/policy/modules/services/xserver.fc ---- nsaserefpolicy/policy/modules/services/xserver.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/xserver.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc +index 6f1e3c7..39c2bb3 100644 +--- a/policy/modules/services/xserver.fc ++++ b/policy/modules/services/xserver.fc @@ -2,13 +2,23 @@ # HOME_DIR # @@ -27772,7 +26066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # # /dev # -@@ -20,6 +30,8 @@ +@@ -20,6 +30,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) @@ -27781,7 +26075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) -@@ -32,11 +44,6 @@ +@@ -32,11 +44,6 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -27793,7 +26087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # # /opt # -@@ -47,21 +54,23 @@ +@@ -47,21 +54,23 @@ ifdef(`distro_redhat',` # /tmp # @@ -27822,7 +26116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,17 +98,43 @@ +@@ -89,17 +98,43 @@ ifdef(`distro_debian', ` /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -27869,9 +26163,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.8.8/policy/modules/services/xserver.if ---- nsaserefpolicy/policy/modules/services/xserver.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/xserver.if 2010-08-24 10:28:17.000000000 -0400 +diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if +index da2601a..8696a6e 100644 +--- a/policy/modules/services/xserver.if ++++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` @@ -27884,7 +26179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') role $1 types { xserver_t xauth_t iceauth_t }; -@@ -31,7 +32,7 @@ +@@ -31,7 +32,7 @@ interface(`xserver_restricted_role',` allow xserver_t $2:shm rw_shm_perms; domtrans_pattern($2, xserver_exec_t, xserver_t) @@ -27893,7 +26188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t $2:shm rw_shm_perms; -@@ -45,6 +46,7 @@ +@@ -45,6 +46,7 @@ interface(`xserver_restricted_role',` manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -27901,7 +26196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_search_tmp($2) # Communicate via System V shared memory. -@@ -56,6 +58,10 @@ +@@ -56,6 +58,10 @@ interface(`xserver_restricted_role',` domtrans_pattern($2, iceauth_exec_t, iceauth_t) @@ -27912,7 +26207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $2 iceauth_home_t:file read_file_perms; domtrans_pattern($2, xauth_exec_t, xauth_t) -@@ -71,9 +77,13 @@ +@@ -71,9 +77,13 @@ interface(`xserver_restricted_role',` # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; @@ -27927,7 +26222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $2 xserver_t:fd use; -@@ -89,14 +99,19 @@ +@@ -89,14 +99,19 @@ interface(`xserver_restricted_role',` dev_write_misc($2) # open office is looking for the following dev_getattr_agp_dev($2) @@ -27949,7 +26244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -148,6 +163,7 @@ +@@ -148,6 +163,7 @@ interface(`xserver_role',` allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -27957,7 +26252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) -@@ -197,7 +213,7 @@ +@@ -197,7 +213,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -27966,7 +26261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $1 xserver_t:fd use; -@@ -291,12 +307,12 @@ +@@ -291,12 +307,12 @@ interface(`xserver_user_client',` allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -27982,7 +26277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -355,6 +371,12 @@ +@@ -355,6 +371,12 @@ template(`xserver_common_x_domain_template',` class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; @@ -27995,7 +26290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ############################## -@@ -386,6 +408,15 @@ +@@ -386,6 +408,15 @@ template(`xserver_common_x_domain_template',` allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; @@ -28011,7 +26306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ####################################### -@@ -476,6 +507,7 @@ +@@ -476,6 +507,7 @@ template(`xserver_user_x_domain_template',` xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) @@ -28019,7 +26314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X object manager xserver_object_types_template($1) -@@ -545,6 +577,27 @@ +@@ -545,6 +577,27 @@ interface(`xserver_domtrans_xauth',` ') domtrans_pattern($1, xauth_exec_t, xauth_t) @@ -28047,7 +26342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -598,6 +651,7 @@ +@@ -598,6 +651,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -28055,7 +26350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -725,10 +779,12 @@ +@@ -725,10 +779,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` interface(`xserver_stream_connect_xdm',` gen_require(` type xdm_t, xdm_tmp_t; @@ -28068,7 +26363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -805,7 +861,7 @@ +@@ -805,7 +861,7 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -28077,7 +26372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -916,7 +972,7 @@ +@@ -916,7 +972,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -28086,7 +26381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -964,6 +1020,44 @@ +@@ -963,6 +1019,44 @@ interface(`xserver_read_xkb_libs',` ######################################## ##

@@ -28131,7 +26426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm temporary files. ## ## -@@ -1224,9 +1318,20 @@ +@@ -1224,9 +1318,20 @@ interface(`xserver_manage_core_devices',` class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; @@ -28152,7 +26447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1250,3 +1355,329 @@ +@@ -1250,3 +1355,329 @@ interface(`xserver_unconfined',` typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') @@ -28482,10 +26777,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te ---- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-24 10:03:23.000000000 -0400 -@@ -35,6 +35,13 @@ +diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te +index 8084740..288d513 100644 +--- a/policy/modules/services/xserver.te ++++ b/policy/modules/services/xserver.te +@@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false) ## ##

@@ -28499,7 +26795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Allow xdm logins as sysadm ##

## -@@ -47,6 +54,16 @@ +@@ -47,6 +54,16 @@ gen_tunable(xdm_sysadm_login, false) ## gen_tunable(xserver_object_manager, false) @@ -28516,7 +26812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser attribute x_domain; # X Events -@@ -109,21 +126,26 @@ +@@ -109,21 +126,26 @@ xserver_common_x_domain_template(remote,remote_t) type user_fonts_t; typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; @@ -28543,7 +26839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; application_domain(iceauth_t, iceauth_exec_t) ubac_constrained(iceauth_t) -@@ -131,22 +153,28 @@ +@@ -131,22 +153,28 @@ ubac_constrained(iceauth_t) type iceauth_home_t; typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; @@ -28572,7 +26868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; files_tmp_file(xauth_tmp_t) ubac_constrained(xauth_tmp_t) -@@ -161,15 +189,21 @@ +@@ -161,15 +189,21 @@ type xdm_t; type xdm_exec_t; auth_login_pgm_domain(xdm_t) init_domain(xdm_t, xdm_exec_t) @@ -28596,7 +26892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type xdm_var_lib_t; files_type(xdm_var_lib_t) -@@ -177,13 +211,27 @@ +@@ -177,13 +211,27 @@ files_type(xdm_var_lib_t) type xdm_var_run_t; files_pid_file(xdm_var_run_t) @@ -28625,7 +26921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -196,15 +244,9 @@ +@@ -196,15 +244,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) @@ -28643,7 +26939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -234,9 +276,13 @@ +@@ -234,9 +276,13 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) allow xdm_t iceauth_home_t:file read_file_perms; @@ -28657,7 +26953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -246,30 +292,64 @@ +@@ -246,30 +292,64 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(iceauth_t) ') @@ -28725,7 +27021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -279,17 +359,37 @@ +@@ -279,17 +359,37 @@ auth_use_nsswitch(xauth_t) userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) @@ -28763,7 +27059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -301,20 +401,33 @@ +@@ -301,20 +401,33 @@ optional_policy(` # XDM Local policy # @@ -28800,7 +27096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -322,32 +435,55 @@ +@@ -322,32 +435,55 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -28861,7 +27157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -355,10 +491,13 @@ +@@ -355,10 +491,13 @@ allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms }; # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) @@ -28875,7 +27171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -367,15 +506,22 @@ +@@ -367,15 +506,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -28899,7 +27195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) -@@ -390,11 +536,14 @@ +@@ -390,11 +536,14 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -28914,7 +27210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -402,6 +551,7 @@ +@@ -402,6 +551,7 @@ dev_setattr_framebuffer_dev(xdm_t) dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -28922,7 +27218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -410,18 +560,22 @@ +@@ -410,18 +560,22 @@ dev_setattr_xserver_misc_dev(xdm_t) dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -28948,7 +27244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -432,9 +586,17 @@ +@@ -432,9 +586,17 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -28966,7 +27262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -443,28 +605,36 @@ +@@ -443,28 +605,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -29005,7 +27301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -473,6 +643,13 @@ +@@ -473,6 +643,13 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -29019,7 +27315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,11 +681,17 @@ +@@ -504,11 +681,17 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -29037,7 +27333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -516,12 +699,51 @@ +@@ -516,12 +699,51 @@ optional_policy(` ') optional_policy(` @@ -29089,7 +27385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -539,20 +761,63 @@ +@@ -539,20 +761,63 @@ optional_policy(` ') optional_policy(` @@ -29155,7 +27451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -561,7 +826,6 @@ +@@ -561,7 +826,6 @@ optional_policy(` ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -29163,7 +27459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -572,6 +836,10 @@ +@@ -572,6 +836,10 @@ optional_policy(` ') optional_policy(` @@ -29174,7 +27470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -596,10 +864,9 @@ +@@ -596,10 +864,9 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -29186,7 +27482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -611,6 +878,18 @@ +@@ -611,6 +878,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -29205,7 +27501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -630,12 +909,19 @@ +@@ -630,12 +909,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -29227,7 +27523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -643,6 +929,7 @@ +@@ -643,6 +929,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -29235,7 +27531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -669,7 +956,6 @@ +@@ -669,7 +956,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -29243,7 +27539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -679,9 +965,12 @@ +@@ -679,9 +965,12 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -29257,7 +27553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -696,8 +985,13 @@ +@@ -696,8 +985,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -29271,7 +27567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -719,11 +1013,14 @@ +@@ -719,11 +1013,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -29286,7 +27582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,14 +1072,34 @@ +@@ -775,14 +1072,34 @@ optional_policy(` ') optional_policy(` @@ -29322,7 +27618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_search_config(xserver_t) -@@ -804,10 +1121,10 @@ +@@ -804,10 +1121,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -29335,7 +27631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -828,6 +1145,13 @@ +@@ -828,6 +1145,13 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -29349,7 +27645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -843,11 +1167,14 @@ +@@ -843,11 +1167,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -29366,7 +27662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -993,3 +1320,33 @@ +@@ -993,3 +1320,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -29400,10 +27696,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files(xdmhomewriter) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.te serefpolicy-3.8.8/policy/modules/services/zabbix.te ---- nsaserefpolicy/policy/modules/services/zabbix.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/zabbix.te 2010-07-30 14:06:53.000000000 -0400 -@@ -35,8 +35,9 @@ +diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te +index 2e0f6f6..2ae7a3d 100644 +--- a/policy/modules/services/zabbix.te ++++ b/policy/modules/services/zabbix.te +@@ -35,8 +35,9 @@ manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) logging_log_filetrans(zabbix_t, zabbix_log_t, file) # pid file @@ -29414,9 +27711,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabb files_read_etc_files(zabbix_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.fc serefpolicy-3.8.8/policy/modules/services/zarafa.fc ---- nsaserefpolicy/policy/modules/services/zarafa.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/zarafa.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc +new file mode 100644 +index 0000000..56cb5af +--- /dev/null ++++ b/policy/modules/services/zarafa.fc @@ -0,0 +1,27 @@ + +/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) @@ -29445,9 +27744,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zara +/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) +/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) +/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.if serefpolicy-3.8.8/policy/modules/services/zarafa.if ---- nsaserefpolicy/policy/modules/services/zarafa.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/zarafa.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if +new file mode 100644 +index 0000000..bba3124 +--- /dev/null ++++ b/policy/modules/services/zarafa.if @@ -0,0 +1,105 @@ + +## policy for zarafa services @@ -29554,9 +27855,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zara + + stream_connect_pattern($1, zarafa_server_t, zarafa_server_var_run_t, zarafa_server_t) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zarafa.te serefpolicy-3.8.8/policy/modules/services/zarafa.te ---- nsaserefpolicy/policy/modules/services/zarafa.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/zarafa.te 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te +new file mode 100644 +index 0000000..3509088 +--- /dev/null ++++ b/policy/modules/services/zarafa.te @@ -0,0 +1,133 @@ +policy_module(zarafa, 1.0.0) + @@ -29691,10 +27994,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zara +optional_policy(` + apache_content_template(zarafa) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.8.8/policy/modules/services/zebra.te ---- nsaserefpolicy/policy/modules/services/zebra.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/zebra.te 2010-07-30 14:06:53.000000000 -0400 -@@ -61,9 +61,10 @@ +diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te +index 086cbef..9939bff 100644 +--- a/policy/modules/services/zebra.te ++++ b/policy/modules/services/zebra.te +@@ -61,9 +61,10 @@ logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms; files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file) @@ -29706,10 +28010,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr kernel_read_system_state(zebra_t) kernel_read_network_state(zebra_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.8.8/policy/modules/system/application.if ---- nsaserefpolicy/policy/modules/system/application.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/application.if 2010-08-03 14:32:57.000000000 -0400 -@@ -130,3 +130,21 @@ +diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if +index ac50333..108595b 100644 +--- a/policy/modules/system/application.if ++++ b/policy/modules/system/application.if +@@ -130,3 +130,21 @@ interface(`application_signull',` allow $1 application_domain_type:process signull; ') @@ -29731,10 +28036,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic + + allow $1 application_domain_type:process signal; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.8.8/policy/modules/system/application.te ---- nsaserefpolicy/policy/modules/system/application.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/application.te 2010-07-30 14:06:53.000000000 -0400 -@@ -6,6 +6,22 @@ +diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te +index 88df85d..2fa3974 100644 +--- a/policy/modules/system/application.te ++++ b/policy/modules/system/application.te +@@ -6,6 +6,22 @@ attribute application_domain_type; # Executables to be run by user attribute application_exec_type; @@ -29757,9 +28063,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic optional_policy(` ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.8.8/policy/modules/system/authlogin.fc ---- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/authlogin.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc +index 1c4b1e7..2997dd7 100644 +--- a/policy/modules/system/authlogin.fc ++++ b/policy/modules/system/authlogin.fc @@ -10,6 +10,7 @@ /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) @@ -29768,10 +28075,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ifdef(`distro_suse', ` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.8.8/policy/modules/system/authlogin.if ---- nsaserefpolicy/policy/modules/system/authlogin.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/authlogin.if 2010-08-23 08:32:56.000000000 -0400 -@@ -91,9 +91,12 @@ +@@ -27,6 +28,7 @@ ifdef(`distro_gentoo', ` + + /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) + ++/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if +index 7fddc24..06185fd 100644 +--- a/policy/modules/system/authlogin.if ++++ b/policy/modules/system/authlogin.if +@@ -91,9 +91,12 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; @@ -29784,7 +28100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) -@@ -107,6 +110,7 @@ +@@ -107,6 +110,7 @@ interface(`auth_login_pgm_domain',` allow $1 self:capability ipc_lock; allow $1 self:process setkeycreate; allow $1 self:key manage_key_perms; @@ -29792,7 +28108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) manage_files_pattern($1, var_auth_t, var_auth_t) -@@ -126,6 +130,8 @@ +@@ -126,6 +130,8 @@ interface(`auth_login_pgm_domain',` files_read_etc_files($1) fs_list_auto_mountpoints($1) @@ -29801,7 +28117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -141,6 +147,7 @@ +@@ -141,6 +147,7 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -29809,7 +28125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo auth_use_pam($1) init_rw_utmp($1) -@@ -151,8 +158,38 @@ +@@ -151,8 +158,38 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -29850,7 +28166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -365,13 +402,15 @@ +@@ -365,13 +402,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -29867,7 +28183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -418,6 +457,7 @@ +@@ -418,6 +457,7 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -29875,7 +28191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -874,6 +914,26 @@ +@@ -874,6 +914,26 @@ interface(`auth_exec_pam',` ######################################## ## @@ -29902,7 +28218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -1500,6 +1560,8 @@ +@@ -1500,6 +1560,8 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` @@ -29911,7 +28227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1531,7 +1593,15 @@ +@@ -1531,7 +1593,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -29928,10 +28244,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.8.8/policy/modules/system/authlogin.te ---- nsaserefpolicy/policy/modules/system/authlogin.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/authlogin.te 2010-07-30 14:06:53.000000000 -0400 -@@ -8,6 +8,7 @@ +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index 7233a6d..bd9d529 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -8,6 +8,7 @@ policy_module(authlogin, 2.2.0) attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; @@ -29939,7 +28256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo type auth_cache_t; logging_log_file(auth_cache_t) -@@ -83,7 +84,7 @@ +@@ -83,7 +84,7 @@ logging_log_file(wtmp_t) allow chkpwd_t self:capability { dac_override setuid }; dontaudit chkpwd_t self:capability sys_tty_config; @@ -29948,7 +28265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo allow chkpwd_t shadow_t:file read_file_perms; files_list_etc(chkpwd_t) -@@ -394,3 +395,11 @@ +@@ -394,3 +395,11 @@ optional_policy(` xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') @@ -29960,40 +28277,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.if serefpolicy-3.8.8/policy/modules/system/clock.if ---- nsaserefpolicy/policy/modules/system/clock.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/clock.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -50,7 +50,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.8.8/policy/modules/system/daemontools.if ---- nsaserefpolicy/policy/modules/system/daemontools.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/daemontools.if 2010-07-30 14:06:53.000000000 -0400 -@@ -71,6 +71,32 @@ +diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if +index 89cc088..81e5ed4 100644 +--- a/policy/modules/system/daemontools.if ++++ b/policy/modules/system/daemontools.if +@@ -71,6 +71,32 @@ interface(`daemontools_domtrans_start',` domtrans_pattern($1, svc_start_exec_t, svc_start_t) ') @@ -30026,7 +28314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon ######################################## ## ## Execute in the svc_run_t domain. -@@ -127,6 +153,24 @@ +@@ -127,6 +153,24 @@ interface(`daemontools_read_svc',` allow $1 svc_svc_t:file read_file_perms; ') @@ -30051,7 +28339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon ######################################## ## ## Allow a domain to create svc_svc_t files. -@@ -148,3 +192,21 @@ +@@ -148,3 +192,21 @@ interface(`daemontools_manage_svc',` allow $1 svc_svc_t:file manage_file_perms; allow $1 svc_svc_t:lnk_file { read create }; ') @@ -30073,10 +28361,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon + + allow $1 svc_run_t:process sigchld; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.8.8/policy/modules/system/daemontools.te ---- nsaserefpolicy/policy/modules/system/daemontools.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/daemontools.te 2010-07-30 14:06:53.000000000 -0400 -@@ -38,7 +38,10 @@ +diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te +index 183fcf1..699451c 100644 +--- a/policy/modules/system/daemontools.te ++++ b/policy/modules/system/daemontools.te +@@ -38,7 +38,10 @@ files_type(svc_svc_t) # multilog creates /service/*/log/status manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) @@ -30087,7 +28376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon # writes to /var/log/*/* logging_manage_generic_logs(svc_multilog_t) -@@ -52,7 +55,7 @@ +@@ -52,7 +55,7 @@ daemontools_ipc_domain(svc_multilog_t) # ie. softlimit, setuidgid, envuidgid, envdir, fghack .. # @@ -30096,7 +28385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon allow svc_run_t self:process setrlimit; allow svc_run_t self:fifo_file rw_fifo_file_perms; allow svc_run_t self:unix_stream_socket create_stream_socket_perms; -@@ -64,9 +67,13 @@ +@@ -64,9 +67,13 @@ can_exec(svc_run_t, svc_run_exec_t) kernel_read_system_state(svc_run_t) @@ -30110,7 +28399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon files_read_etc_files(svc_run_t) files_read_etc_runtime_files(svc_run_t) files_search_pids(svc_run_t) -@@ -88,21 +95,36 @@ +@@ -88,21 +95,36 @@ optional_policy(` # ie svc, svscan, supervise ... # @@ -30148,9 +28437,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon + daemontools_domtrans_run(svc_start_t) daemontools_manage_svc(svc_start_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.8.8/policy/modules/system/fstools.fc ---- nsaserefpolicy/policy/modules/system/fstools.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/fstools.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc +index a97a096..dd65c15 100644 +--- a/policy/modules/system/fstools.fc ++++ b/policy/modules/system/fstools.fc @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -30164,67 +28454,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.8.8/policy/modules/system/fstools.if ---- nsaserefpolicy/policy/modules/system/fstools.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/fstools.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -26,7 +26,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -51,7 +51,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -106,7 +106,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -125,7 +125,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -143,7 +143,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.8.8/policy/modules/system/fstools.te ---- nsaserefpolicy/policy/modules/system/fstools.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/fstools.te 2010-08-24 15:48:29.000000000 -0400 -@@ -55,6 +55,7 @@ +diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te +index a442acc..f7828f1 100644 +--- a/policy/modules/system/fstools.te ++++ b/policy/modules/system/fstools.te +@@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon }; kernel_read_system_state(fsadm_t) kernel_read_kernel_sysctls(fsadm_t) @@ -30232,7 +28466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool # Allow console log change (updfstab) kernel_change_ring_buffer_level(fsadm_t) # mkreiserfs needs this -@@ -117,6 +118,8 @@ +@@ -117,6 +118,8 @@ fs_remount_xattr_fs(fsadm_t) fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -30241,7 +28475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -147,12 +150,16 @@ +@@ -147,12 +150,16 @@ modutils_read_module_deps(fsadm_t) seutil_read_config(fsadm_t) @@ -30259,7 +28493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool ') optional_policy(` -@@ -166,6 +173,14 @@ +@@ -166,6 +173,14 @@ optional_policy(` ') optional_policy(` @@ -30274,10 +28508,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool nis_use_ypbind(fsadm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.8.8/policy/modules/system/getty.te ---- nsaserefpolicy/policy/modules/system/getty.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/getty.te 2010-07-30 14:06:53.000000000 -0400 -@@ -83,7 +83,7 @@ +@@ -175,6 +190,10 @@ optional_policy(` + ') + + optional_policy(` ++ virt_read_blk_images(fsadm_t) ++') ++ ++optional_policy(` + xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) + ') +diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te +index 408f4e6..55c2d03 100644 +--- a/policy/modules/system/getty.te ++++ b/policy/modules/system/getty.te +@@ -83,7 +83,7 @@ term_use_unallocated_ttys(getty_t) term_setattr_all_ttys(getty_t) term_setattr_unallocated_ttys(getty_t) term_setattr_console(getty_t) @@ -30286,10 +28532,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty. auth_rw_login_records(getty_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.8.8/policy/modules/system/hostname.te ---- nsaserefpolicy/policy/modules/system/hostname.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/hostname.te 2010-07-30 14:06:53.000000000 -0400 -@@ -26,15 +26,18 @@ +diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te +index b9efd1b..f1edb15 100644 +--- a/policy/modules/system/hostname.te ++++ b/policy/modules/system/hostname.te +@@ -26,15 +26,18 @@ kernel_read_proc_symlinks(hostname_t) dev_read_sysfs(hostname_t) @@ -30308,7 +28555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) -@@ -53,6 +56,10 @@ +@@ -53,6 +56,10 @@ sysnet_read_config(hostname_t) sysnet_dns_name_resolve(hostname_t) optional_policy(` @@ -30319,22 +28566,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna xen_append_log(hostname_t) xen_dontaudit_use_fds(hostname_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.if serefpolicy-3.8.8/policy/modules/system/hotplug.if ---- nsaserefpolicy/policy/modules/system/hotplug.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/hotplug.if 2010-07-30 14:06:53.000000000 -0400 -@@ -139,7 +139,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.8.8/policy/modules/system/hotplug.te ---- nsaserefpolicy/policy/modules/system/hotplug.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/hotplug.te 2010-08-11 08:14:12.000000000 -0400 -@@ -23,7 +23,7 @@ +diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te +index 15e02e4..7c6933f 100644 +--- a/policy/modules/system/hotplug.te ++++ b/policy/modules/system/hotplug.te +@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) # allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; @@ -30343,7 +28579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu # for access("/etc/bashrc", X_OK) on Red Hat dontaudit hotplug_t self:capability { dac_override dac_read_search }; allow hotplug_t self:process { setpgid getsession getattr signal_perms }; -@@ -39,14 +39,16 @@ +@@ -39,14 +39,16 @@ allow hotplug_t hotplug_etc_t:dir list_dir_perms; can_exec(hotplug_t, hotplug_exec_t) @@ -30362,10 +28598,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu files_read_kernel_modules(hotplug_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.8.8/policy/modules/system/init.fc ---- nsaserefpolicy/policy/modules/system/init.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/init.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -24,7 +24,13 @@ +diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc +index 9775375..b338481 100644 +--- a/policy/modules/system/init.fc ++++ b/policy/modules/system/init.fc +@@ -24,7 +24,13 @@ ifdef(`distro_gentoo',` # # /sbin # @@ -30379,7 +28616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f ifdef(`distro_gentoo', ` /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) -@@ -44,6 +50,9 @@ +@@ -44,6 +50,9 @@ ifdef(`distro_gentoo', ` /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -30389,10 +28626,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # # /var -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.8/policy/modules/system/init.if ---- nsaserefpolicy/policy/modules/system/init.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/init.if 2010-08-25 07:50:48.000000000 -0400 -@@ -105,7 +105,11 @@ +diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if +index f6aafe7..7da8294 100644 +--- a/policy/modules/system/init.if ++++ b/policy/modules/system/init.if +@@ -105,7 +105,11 @@ interface(`init_domain',` role system_r types $1; @@ -30405,7 +28643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -193,8 +197,10 @@ +@@ -193,8 +197,10 @@ interface(`init_daemon_domain',` gen_require(` attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; @@ -30416,7 +28654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') typeattribute $1 daemon; -@@ -205,6 +211,20 @@ +@@ -205,6 +211,20 @@ interface(`init_daemon_domain',` role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -30437,7 +28675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i # daemons started from init will # inherit fds from init for the console -@@ -285,7 +305,7 @@ +@@ -285,7 +305,7 @@ interface(`init_ranged_daemon_domain',` type initrc_t; ') @@ -30446,7 +28684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; -@@ -336,8 +356,10 @@ +@@ -336,8 +356,10 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -30457,7 +28695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') application_domain($1,$2) -@@ -345,6 +367,17 @@ +@@ -345,6 +367,17 @@ interface(`init_system_domain',` role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -30475,7 +28713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -353,6 +386,37 @@ +@@ -353,6 +386,37 @@ interface(`init_system_domain',` kernel_dontaudit_use_fds($1) ') ') @@ -30513,7 +28751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -669,12 +733,14 @@ +@@ -669,12 +733,14 @@ interface(`init_telinit',` type initctl_t; ') @@ -30529,7 +28767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i gen_require(` type init_t; ') -@@ -682,6 +748,8 @@ +@@ -682,6 +748,8 @@ interface(`init_telinit',` # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; allow $1 init_t:unix_dgram_socket sendto; @@ -30538,7 +28776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -754,18 +822,19 @@ +@@ -754,18 +822,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -30562,7 +28800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -781,19 +850,41 @@ +@@ -781,23 +850,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -30585,11 +28823,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -30602,13 +28840,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## -@@ -849,8 +940,10 @@ ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -849,8 +940,10 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -30619,7 +28861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1338,6 +1431,27 @@ +@@ -1338,6 +1431,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -30647,7 +28889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ## init scripts over dbus. ## ## -@@ -1637,7 +1751,7 @@ +@@ -1637,7 +1751,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -30656,7 +28898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1712,3 +1826,94 @@ +@@ -1712,3 +1826,94 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -30751,10 +28993,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te ---- nsaserefpolicy/policy/modules/system/init.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-23 17:03:04.000000000 -0400 -@@ -16,6 +16,27 @@ +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index bd45076..cd266c0 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -16,6 +16,27 @@ gen_require(` ## gen_tunable(init_upstart, false) @@ -30782,7 +29025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # used for direct running of init scripts # by admin domains attribute direct_run_init; -@@ -25,6 +46,7 @@ +@@ -25,6 +46,7 @@ attribute direct_init_entry; attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; @@ -30790,7 +29033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # Mark process types as daemons attribute daemon; -@@ -32,7 +54,7 @@ +@@ -32,7 +54,7 @@ attribute daemon; # # init_t is the domain of the init process. # @@ -30799,7 +29042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) -@@ -63,6 +85,7 @@ +@@ -63,6 +85,7 @@ role system_r types initrc_t; # of the below init_upstart tunable # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) @@ -30807,7 +29050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -87,7 +110,7 @@ +@@ -87,7 +110,7 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -30816,7 +29059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -100,7 +123,9 @@ +@@ -100,7 +123,9 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) @@ -30827,7 +29070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; -@@ -120,15 +145,19 @@ +@@ -120,15 +145,19 @@ corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) dev_read_sysfs(init_t) @@ -30847,7 +29090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_rw_generic_pids(init_t) files_dontaudit_search_isid_type_dirs(init_t) files_manage_etc_runtime_files(init_t) -@@ -167,6 +196,8 @@ +@@ -167,6 +196,8 @@ seutil_read_config(init_t) miscfiles_read_localization(init_t) @@ -30856,7 +29099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -177,7 +208,7 @@ +@@ -177,7 +208,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -30865,7 +29108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -185,15 +216,70 @@ +@@ -185,15 +216,73 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -30873,6 +29116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +modutils_domtrans_insmod(init_t) + +tunable_policy(`init_systemd',` ++ allow init_t self:unix_dgram_socket create_socket_perms; + allow init_t self:process { setsockcreate setfscreate }; + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -30909,6 +29153,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + init_read_script_state(init_t) + + seutil_read_file_contexts(init_t) ++ ++ storage_getattr_removable_dev(init_t) +') + optional_policy(` @@ -30936,7 +29182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t nscd_socket_use(init_t) ') -@@ -202,6 +288,10 @@ +@@ -202,6 +291,10 @@ optional_policy(` ') optional_policy(` @@ -30947,7 +29193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t unconfined_domain(init_t) ') -@@ -211,7 +301,7 @@ +@@ -211,7 +304,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -30956,7 +29202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -240,6 +330,7 @@ +@@ -240,6 +333,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -30964,7 +29210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -257,11 +348,22 @@ +@@ -257,11 +351,22 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -30987,7 +29233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_exec_all_executables(initrc_t) -@@ -297,11 +399,13 @@ +@@ -297,11 +402,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -31001,7 +29247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -320,8 +424,10 @@ +@@ -320,8 +427,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -31013,16 +29259,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -337,6 +443,8 @@ +@@ -337,8 +446,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) +files_manage_mnt_dirs(initrc_t) +files_manage_mnt_files(initrc_t) - fs_delete_cgroup_dirs(initrc_t) - fs_list_cgroup_dirs(initrc_t) -@@ -350,6 +458,8 @@ +-fs_write_cgroup_files(initrc_t) ++fs_delete_cgroup_dirs(initrc_t) ++fs_list_cgroup_dirs(initrc_t) ++fs_rw_cgroup_files(initrc_t) + fs_list_inotifyfs(initrc_t) + fs_register_binary_executable_type(initrc_t) + # rhgb-console writes to ramfs +@@ -348,6 +461,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -31031,7 +29282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -362,6 +472,7 @@ +@@ -360,6 +475,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -31039,7 +29290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -393,13 +504,14 @@ +@@ -391,13 +507,14 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -31055,7 +29306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -472,7 +584,7 @@ +@@ -470,7 +587,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -31064,7 +29315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -518,6 +630,19 @@ +@@ -516,6 +633,19 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -31084,7 +29335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -525,10 +650,17 @@ +@@ -523,10 +653,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -31102,7 +29353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -543,6 +675,35 @@ +@@ -541,6 +678,35 @@ ifdef(`distro_suse',` ') ') @@ -31138,7 +29389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -555,6 +716,8 @@ +@@ -553,6 +719,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -31147,15 +29398,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -571,6 +734,7 @@ +@@ -569,6 +737,7 @@ optional_policy(` optional_policy(` - cgroup_stream_connect(initrc_t) + cgroup_stream_connect_cgred(initrc_t) + domain_setpriority_all_domains(initrc_t) ') optional_policy(` -@@ -583,6 +747,11 @@ +@@ -581,6 +750,11 @@ optional_policy(` ') optional_policy(` @@ -31167,7 +29418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -599,6 +768,7 @@ +@@ -597,6 +771,7 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -31175,7 +29426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -700,7 +870,12 @@ +@@ -698,7 +873,12 @@ optional_policy(` ') optional_policy(` @@ -31188,7 +29439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -723,6 +898,10 @@ +@@ -721,6 +901,10 @@ optional_policy(` ') optional_policy(` @@ -31199,7 +29450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -744,6 +923,10 @@ +@@ -742,6 +926,10 @@ optional_policy(` ') optional_policy(` @@ -31210,7 +29461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -765,8 +948,6 @@ +@@ -763,8 +951,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -31219,7 +29470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -775,14 +956,21 @@ +@@ -773,14 +959,21 @@ optional_policy(` ') optional_policy(` @@ -31241,7 +29492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -804,11 +992,19 @@ +@@ -802,11 +995,19 @@ optional_policy(` ') optional_policy(` @@ -31262,7 +29513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -818,6 +1014,25 @@ +@@ -816,6 +1017,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -31288,7 +29539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -843,3 +1058,55 @@ +@@ -841,3 +1061,55 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -31344,9 +29595,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.8.8/policy/modules/system/ipsec.fc ---- nsaserefpolicy/policy/modules/system/ipsec.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/ipsec.fc 2010-08-03 13:29:20.000000000 -0400 +diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc +index 07eba2b..942bea1 100644 +--- a/policy/modules/system/ipsec.fc ++++ b/policy/modules/system/ipsec.fc @@ -25,6 +25,7 @@ /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) @@ -31364,19 +29616,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.8.8/policy/modules/system/ipsec.if ---- nsaserefpolicy/policy/modules/system/ipsec.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/ipsec.if 2010-08-11 07:44:10.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -20,11 +20,29 @@ +diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if +index 8232f91..cba1b30 100644 +--- a/policy/modules/system/ipsec.if ++++ b/policy/modules/system/ipsec.if +@@ -20,6 +20,24 @@ interface(`ipsec_domtrans',` ######################################## ## @@ -31401,76 +29645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. ## Connect to IPSEC using a unix domain stream socket. ## ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -43,7 +61,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -62,7 +80,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -80,7 +98,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -98,7 +116,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -175,7 +193,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -194,7 +212,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -237,7 +255,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -273,3 +291,81 @@ +@@ -273,3 +291,81 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; ') @@ -31552,10 +29727,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. + allow $1 ipsec_mgmt_t:dbus send_msg; + allow ipsec_mgmt_t $1:dbus send_msg; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.8/policy/modules/system/ipsec.te ---- nsaserefpolicy/policy/modules/system/ipsec.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-08-11 08:20:05.000000000 -0400 -@@ -72,7 +72,7 @@ +diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te +index d82ff45..6de1ab4 100644 +--- a/policy/modules/system/ipsec.te ++++ b/policy/modules/system/ipsec.te +@@ -72,7 +72,7 @@ role system_r types setkey_t; # allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; @@ -31564,7 +29740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; -@@ -94,9 +94,10 @@ +@@ -94,9 +94,10 @@ manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) @@ -31576,7 +29752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. can_exec(ipsec_t, ipsec_mgmt_exec_t) -@@ -107,7 +108,7 @@ +@@ -107,7 +108,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t) corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; @@ -31585,7 +29761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_mgmt_t ipsec_t:process sigchld; kernel_read_kernel_sysctls(ipsec_t) -@@ -149,6 +150,7 @@ +@@ -149,6 +150,7 @@ domain_use_interactive_fds(ipsec_t) files_list_tmp(ipsec_t) files_read_etc_files(ipsec_t) files_read_usr_files(ipsec_t) @@ -31593,7 +29769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) -@@ -166,6 +168,8 @@ +@@ -166,6 +168,8 @@ logging_send_syslog_msg(ipsec_t) miscfiles_read_localization(ipsec_t) sysnet_domtrans_ifconfig(ipsec_t) @@ -31602,7 +29778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -184,8 +188,8 @@ +@@ -184,8 +188,8 @@ optional_policy(` # allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; @@ -31613,7 +29789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -224,7 +228,6 @@ +@@ -224,7 +228,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) @@ -31621,7 +29797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # whack needs to connect to pluto stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) -@@ -243,6 +246,17 @@ +@@ -243,6 +246,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -31639,7 +29815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -257,7 +271,7 @@ +@@ -257,7 +271,7 @@ dev_read_urand(ipsec_mgmt_t) domain_use_interactive_fds(ipsec_mgmt_t) # denials when ps tries to search /proc. Do not audit these denials. @@ -31648,7 +29824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # suppress audit messages about unnecessary socket access # cjp: this seems excessive domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) -@@ -275,8 +289,11 @@ +@@ -275,8 +289,11 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -31661,7 +29837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) -@@ -290,7 +307,9 @@ +@@ -290,7 +307,9 @@ modutils_domtrans_insmod(ipsec_mgmt_t) seutil_dontaudit_search_config(ipsec_mgmt_t) @@ -31671,7 +29847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. userdom_use_user_terminals(ipsec_mgmt_t) -@@ -299,6 +318,23 @@ +@@ -299,6 +318,23 @@ optional_policy(` ') optional_policy(` @@ -31695,7 +29871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. nscd_socket_use(ipsec_mgmt_t) ') -@@ -385,6 +421,8 @@ +@@ -385,6 +421,8 @@ miscfiles_read_localization(racoon_t) sysnet_exec_ifconfig(racoon_t) @@ -31704,7 +29880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -411,6 +449,7 @@ +@@ -411,6 +449,7 @@ domain_ipsec_setcontext_all_domains(setkey_t) files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) @@ -31712,14 +29888,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -422,3 +461,4 @@ +@@ -422,3 +461,4 @@ miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.8.8/policy/modules/system/iptables.fc ---- nsaserefpolicy/policy/modules/system/iptables.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/iptables.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc +index 13f62a6..fd99a6e 100644 +--- a/policy/modules/system/iptables.fc ++++ b/policy/modules/system/iptables.fc @@ -1,12 +1,19 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -31742,10 +29919,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) /usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.8.8/policy/modules/system/iptables.if ---- nsaserefpolicy/policy/modules/system/iptables.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/iptables.if 2010-08-05 15:53:11.000000000 -0400 -@@ -17,6 +17,10 @@ +diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if +index 5c94dfe..59bfb17 100644 +--- a/policy/modules/system/iptables.if ++++ b/policy/modules/system/iptables.if +@@ -17,6 +17,10 @@ interface(`iptables_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, iptables_exec_t, iptables_t) @@ -31756,28 +29934,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') ######################################## -@@ -76,7 +80,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -134,7 +138,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.8.8/policy/modules/system/iptables.te ---- nsaserefpolicy/policy/modules/system/iptables.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/iptables.te 2010-07-30 14:06:53.000000000 -0400 -@@ -13,9 +13,6 @@ +diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te +index a3fdcb3..e9bd52a 100644 +--- a/policy/modules/system/iptables.te ++++ b/policy/modules/system/iptables.te +@@ -13,9 +13,6 @@ role system_r types iptables_t; type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -31787,12 +29948,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl type iptables_tmp_t; files_tmp_file(iptables_tmp_t) -@@ -29,12 +26,14 @@ - - allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; +@@ -31,10 +28,12 @@ allow iptables_t self:capability { dac_read_search dac_override net_admin net_ra dontaudit iptables_t self:capability sys_tty_config; --allow iptables_t self:fifo_file rw_fifo_file_perms; -+allow iptables_t self:fifo_file rw_file_perms; + allow iptables_t self:fifo_file rw_fifo_file_perms; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; +# needed by ipvsadm +allow iptables_t self:netlink_socket create_socket_perms; @@ -31805,7 +29963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) -@@ -52,10 +51,17 @@ +@@ -52,10 +51,17 @@ kernel_read_kernel_sysctls(iptables_t) kernel_read_modprobe_sysctls(iptables_t) kernel_use_fds(iptables_t) @@ -31823,7 +29981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -64,11 +70,13 @@ +@@ -64,11 +70,13 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -31837,7 +29995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl auth_use_nsswitch(iptables_t) -@@ -77,6 +85,7 @@ +@@ -77,6 +85,7 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -31845,7 +30003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl logging_send_syslog_msg(iptables_t) -@@ -90,6 +99,7 @@ +@@ -90,6 +99,7 @@ userdom_use_all_users_fds(iptables_t) optional_policy(` fail2ban_append_log(iptables_t) @@ -31853,7 +30011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') optional_policy(` -@@ -112,6 +122,7 @@ +@@ -112,6 +122,7 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -31861,19 +30019,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') optional_policy(` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.8.8/policy/modules/system/iscsi.if ---- nsaserefpolicy/policy/modules/system/iscsi.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/iscsi.if 2010-07-30 14:06:53.000000000 -0400 -@@ -24,7 +24,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -56,3 +56,21 @@ +diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if +index 663a47b..ad0b864 100644 +--- a/policy/modules/system/iscsi.if ++++ b/policy/modules/system/iscsi.if +@@ -56,3 +56,21 @@ interface(`iscsi_read_lib_files',` allow $1 iscsi_var_lib_t:dir list_dir_perms; files_search_var_lib($1) ') @@ -31895,10 +30045,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. + + allow $1 iscsid_t:sem create_sem_perms; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.8.8/policy/modules/system/iscsi.te ---- nsaserefpolicy/policy/modules/system/iscsi.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/iscsi.te 2010-07-30 14:06:53.000000000 -0400 -@@ -76,6 +76,8 @@ +diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te +index 1d1c399..0787687 100644 +--- a/policy/modules/system/iscsi.te ++++ b/policy/modules/system/iscsi.te +@@ -76,6 +76,8 @@ corenet_tcp_connect_isns_port(iscsid_t) dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) @@ -31907,31 +30058,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.if serefpolicy-3.8.8/policy/modules/system/kdump.if ---- nsaserefpolicy/policy/modules/system/kdump.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/kdump.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.8.8/policy/modules/system/kdump.te ---- nsaserefpolicy/policy/modules/system/kdump.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/kdump.te 2010-08-04 13:52:39.000000000 -0400 -@@ -29,6 +29,8 @@ +diff --git a/policy/modules/system/kdump.te b/policy/modules/system/kdump.te +index 57c645b..7682697 100644 +--- a/policy/modules/system/kdump.te ++++ b/policy/modules/system/kdump.te +@@ -29,6 +29,8 @@ files_read_kernel_img(kdump_t) kernel_read_system_state(kdump_t) kernel_read_core_if(kdump_t) @@ -31940,10 +30071,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump. dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.8.8/policy/modules/system/libraries.fc ---- nsaserefpolicy/policy/modules/system/libraries.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/libraries.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -129,15 +129,13 @@ +diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc +index 9df8c4d..1d2236b 100644 +--- a/policy/modules/system/libraries.fc ++++ b/policy/modules/system/libraries.fc +@@ -129,15 +129,13 @@ ifdef(`distro_redhat',` /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -31962,7 +30094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -151,6 +149,7 @@ +@@ -151,6 +149,7 @@ ifdef(`distro_redhat',` /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -31970,7 +30102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -208,6 +207,7 @@ +@@ -208,6 +207,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -31978,7 +30110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -247,6 +247,7 @@ +@@ -247,6 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -31986,7 +30118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame -@@ -302,13 +303,8 @@ +@@ -302,13 +303,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -32002,7 +30134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -319,14 +315,149 @@ +@@ -319,14 +315,149 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -32154,10 +30286,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.8.8/policy/modules/system/libraries.te ---- nsaserefpolicy/policy/modules/system/libraries.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/libraries.te 2010-08-24 09:14:30.000000000 -0400 -@@ -61,7 +61,7 @@ +diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te +index bf416a4..6f36eca 100644 +--- a/policy/modules/system/libraries.te ++++ b/policy/modules/system/libraries.te +@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot }; manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) @@ -32166,7 +30299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -@@ -79,6 +79,7 @@ +@@ -79,6 +79,7 @@ corecmd_search_bin(ldconfig_t) domain_use_interactive_fds(ldconfig_t) @@ -32174,7 +30307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_read_usr_files(ldconfig_t) -@@ -94,6 +95,7 @@ +@@ -94,6 +95,7 @@ miscfiles_read_localization(ldconfig_t) logging_send_syslog_msg(ldconfig_t) @@ -32182,7 +30315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar userdom_use_user_terminals(ldconfig_t) userdom_use_all_users_fds(ldconfig_t) -@@ -103,6 +105,10 @@ +@@ -103,6 +105,10 @@ ifdef(`distro_ubuntu',` ') ') @@ -32193,7 +30326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -141,6 +147,10 @@ +@@ -141,6 +147,10 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') @@ -32204,38 +30337,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +, ` + permissive ldconfig_t; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.fc serefpolicy-3.8.8/policy/modules/system/locallogin.fc ---- nsaserefpolicy/policy/modules/system/locallogin.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/locallogin.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc +index 7570583..be6a81b 100644 +--- a/policy/modules/system/locallogin.fc ++++ b/policy/modules/system/locallogin.fc @@ -1,2 +1,3 @@ /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) +/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-3.8.8/policy/modules/system/locallogin.if ---- nsaserefpolicy/policy/modules/system/locallogin.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/locallogin.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -28,7 +28,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.8.8/policy/modules/system/locallogin.te ---- nsaserefpolicy/policy/modules/system/locallogin.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/locallogin.te 2010-07-30 14:06:53.000000000 -0400 -@@ -32,9 +32,8 @@ +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index 3fb1915..26e9f79 100644 +--- a/policy/modules/system/locallogin.te ++++ b/policy/modules/system/locallogin.te +@@ -32,9 +32,8 @@ role system_r types sulogin_t; # Local login local policy # @@ -32247,7 +30361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms; -@@ -73,6 +72,8 @@ +@@ -73,6 +72,8 @@ dev_getattr_power_mgmt_dev(local_login_t) dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) dev_setattr_sound_dev(local_login_t) @@ -32256,7 +30370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) -@@ -125,6 +126,7 @@ +@@ -125,6 +126,7 @@ auth_manage_pam_console_data(local_login_t) auth_domtrans_pam_console(local_login_t) init_dontaudit_use_fds(local_login_t) @@ -32264,7 +30378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall miscfiles_read_localization(local_login_t) -@@ -151,6 +153,12 @@ +@@ -151,6 +153,12 @@ tunable_policy(`use_samba_home_dirs',` fs_read_cifs_symlinks(local_login_t) ') @@ -32277,7 +30391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall optional_policy(` alsa_domtrans(local_login_t) ') -@@ -180,7 +188,7 @@ +@@ -180,7 +188,7 @@ optional_policy(` ') optional_policy(` @@ -32286,7 +30400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall ') optional_policy(` -@@ -197,9 +205,10 @@ +@@ -197,9 +205,10 @@ optional_policy(` # Sulogin local policy # @@ -32298,7 +30412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall allow sulogin_t self:unix_dgram_socket create_socket_perms; allow sulogin_t self:unix_stream_socket create_stream_socket_perms; allow sulogin_t self:unix_dgram_socket sendto; -@@ -219,6 +228,7 @@ +@@ -219,6 +228,7 @@ files_read_etc_files(sulogin_t) files_dontaudit_search_isid_type_dirs(sulogin_t) auth_read_shadow(sulogin_t) @@ -32306,7 +30420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall init_getpgid_script(sulogin_t) -@@ -232,14 +242,23 @@ +@@ -232,14 +242,23 @@ userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -32332,7 +30446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -250,11 +269,3 @@ +@@ -250,11 +269,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -32344,9 +30458,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -optional_policy(` - nscd_socket_use(sulogin_t) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.8.8/policy/modules/system/logging.fc ---- nsaserefpolicy/policy/modules/system/logging.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/logging.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc +index 362614c..a76d2fc 100644 +--- a/policy/modules/system/logging.fc ++++ b/policy/modules/system/logging.fc @@ -17,6 +17,10 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) @@ -32358,7 +30473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) -@@ -54,14 +58,16 @@ +@@ -54,14 +58,16 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') @@ -32379,16 +30494,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) -@@ -69,3 +75,5 @@ +@@ -69,3 +75,5 @@ ifdef(`distro_redhat',` /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.8.8/policy/modules/system/logging.if ---- nsaserefpolicy/policy/modules/system/logging.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/logging.if 2010-07-30 14:06:53.000000000 -0400 -@@ -545,6 +545,25 @@ +diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if +index c7cfb62..aa09d1c 100644 +--- a/policy/modules/system/logging.if ++++ b/policy/modules/system/logging.if +@@ -545,6 +545,25 @@ interface(`logging_send_syslog_msg',` ######################################## ## @@ -32414,7 +30530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ## Read the auditd configuration files. ## ## -@@ -715,7 +734,25 @@ +@@ -715,7 +734,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -32441,7 +30557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -798,7 +835,7 @@ +@@ -798,7 +835,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -32450,7 +30566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -996,6 +1033,8 @@ +@@ -996,6 +1033,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -32459,10 +30575,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.8/policy/modules/system/logging.te ---- nsaserefpolicy/policy/modules/system/logging.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/logging.te 2010-08-18 07:09:50.000000000 -0400 -@@ -60,6 +60,7 @@ +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 828156a..4762f02 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -60,6 +60,7 @@ files_type(syslog_conf_t) type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) @@ -32470,7 +30587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -179,6 +180,8 @@ +@@ -179,6 +180,8 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -32479,7 +30596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) -@@ -234,7 +237,12 @@ +@@ -234,7 +237,12 @@ domain_use_interactive_fds(audisp_t) files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) @@ -32492,7 +30609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin logging_send_syslog_msg(audisp_t) -@@ -244,14 +252,22 @@ +@@ -244,14 +252,22 @@ sysnet_dns_name_resolve(audisp_t) optional_policy(` dbus_system_bus_client(audisp_t) @@ -32516,7 +30633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) -@@ -266,9 +282,16 @@ +@@ -266,9 +282,16 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) logging_send_syslog_msg(audisp_remote_t) @@ -32533,7 +30650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -369,9 +392,15 @@ +@@ -369,9 +392,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -32549,7 +30666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -412,6 +441,7 @@ +@@ -412,6 +441,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) @@ -32557,7 +30674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_use_interactive_fds(syslogd_t) -@@ -488,6 +518,10 @@ +@@ -488,6 +518,10 @@ optional_policy(` ') optional_policy(` @@ -32568,10 +30685,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin udev_read_db(syslogd_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.8.8/policy/modules/system/lvm.fc ---- nsaserefpolicy/policy/modules/system/lvm.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/lvm.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -28,10 +28,12 @@ +diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc +index 879bb1e..31efcb2 100644 +--- a/policy/modules/system/lvm.fc ++++ b/policy/modules/system/lvm.fc +@@ -28,10 +28,12 @@ ifdef(`distro_gentoo',` # /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -32584,49 +30702,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.8.8/policy/modules/system/lvm.if ---- nsaserefpolicy/policy/modules/system/lvm.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/lvm.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -25,7 +25,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -44,7 +44,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -69,7 +69,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.8.8/policy/modules/system/lvm.te ---- nsaserefpolicy/policy/modules/system/lvm.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/lvm.te 2010-08-24 15:48:29.000000000 -0400 -@@ -135,9 +135,18 @@ +diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te +index 86ef2da..4eef596 100644 +--- a/policy/modules/system/lvm.te ++++ b/policy/modules/system/lvm.te +@@ -135,9 +135,18 @@ lvm_domtrans(clvmd_t) lvm_read_config(clvmd_t) ifdef(`distro_redhat',` @@ -32645,7 +30725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te ') optional_policy(` -@@ -170,6 +179,7 @@ +@@ -170,6 +179,7 @@ dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; @@ -32653,7 +30733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -210,12 +220,15 @@ +@@ -210,12 +220,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file) files_etc_filetrans(lvm_t, lvm_metadata_t, file) files_search_mnt(lvm_t) @@ -32669,7 +30749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -242,6 +255,7 @@ +@@ -242,6 +255,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -32677,7 +30757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -251,8 +265,9 @@ +@@ -251,8 +265,9 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -32688,7 +30768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te fs_search_auto_mountpoints(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) -@@ -262,6 +277,7 @@ +@@ -262,6 +277,7 @@ fs_rw_anon_inodefs_files(lvm_t) mls_file_read_all_levels(lvm_t) mls_file_write_to_clearance(lvm_t) @@ -32696,7 +30776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -303,9 +319,18 @@ +@@ -303,9 +319,18 @@ ifdef(`distro_redhat',` # this is from the initrd: files_rw_isid_type_dirs(lvm_t) @@ -32715,7 +30795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te ') optional_policy(` -@@ -329,6 +354,10 @@ +@@ -329,6 +354,10 @@ optional_policy(` ') optional_policy(` @@ -32726,10 +30806,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te modutils_domtrans_insmod(lvm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.8.8/policy/modules/system/miscfiles.fc ---- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/miscfiles.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -75,13 +75,11 @@ +diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc +index 7711464..63c1b2f 100644 +--- a/policy/modules/system/miscfiles.fc ++++ b/policy/modules/system/miscfiles.fc +@@ -75,13 +75,11 @@ ifdef(`distro_redhat',` /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -32745,9 +30826,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi ifdef(`distro_debian',` /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.8.8/policy/modules/system/miscfiles.if ---- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/miscfiles.if 2010-08-11 09:33:51.000000000 -0400 +diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if +index 17de283..4eeb1a5 100644 +--- a/policy/modules/system/miscfiles.if ++++ b/policy/modules/system/miscfiles.if @@ -2,6 +2,50 @@ ######################################## @@ -32816,7 +30898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi ') ######################################## -@@ -305,9 +349,6 @@ +@@ -305,9 +349,6 @@ interface(`miscfiles_read_localization',` allow $1 locale_t:dir list_dir_perms; read_files_pattern($1, locale_t, locale_t) read_lnk_files_pattern($1, locale_t, locale_t) @@ -32826,10 +30908,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi ') ######################################## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.8.8/policy/modules/system/miscfiles.te ---- nsaserefpolicy/policy/modules/system/miscfiles.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/miscfiles.te 2010-08-11 09:33:09.000000000 -0400 -@@ -4,12 +4,13 @@ +diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te +index 4ac5d56..eb75070 100644 +--- a/policy/modules/system/miscfiles.te ++++ b/policy/modules/system/miscfiles.te +@@ -4,12 +4,13 @@ policy_module(miscfiles, 1.8.0) # # Declarations # @@ -32844,10 +30927,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi # # fonts_t is the type of various font -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.8.8/policy/modules/system/modutils.if ---- nsaserefpolicy/policy/modules/system/modutils.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/modutils.if 2010-07-30 14:06:53.000000000 -0400 -@@ -39,6 +39,26 @@ +diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if +index 9c0faab..def8d5a 100644 +--- a/policy/modules/system/modutils.if ++++ b/policy/modules/system/modutils.if +@@ -39,6 +39,26 @@ interface(`modutils_read_module_deps',` ######################################## ## @@ -32874,10 +30958,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## Read the configuration options used when ## loading modules. ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.8.8/policy/modules/system/modutils.te ---- nsaserefpolicy/policy/modules/system/modutils.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/modutils.te 2010-08-24 09:16:21.000000000 -0400 -@@ -18,6 +18,7 @@ +diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te +index 74a4466..a3b7b0d 100644 +--- a/policy/modules/system/modutils.te ++++ b/policy/modules/system/modutils.te +@@ -18,6 +18,7 @@ type insmod_t; type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) mls_file_write_all_levels(insmod_t) @@ -32885,7 +30970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti role system_r types insmod_t; # module loading config -@@ -55,12 +56,14 @@ +@@ -55,12 +56,14 @@ corecmd_search_bin(depmod_t) domain_use_interactive_fds(depmod_t) @@ -32900,7 +30985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti fs_getattr_xattr_fs(depmod_t) -@@ -74,6 +77,7 @@ +@@ -74,6 +77,7 @@ userdom_use_user_terminals(depmod_t) # Read System.map from home directories. files_list_home(depmod_t) userdom_read_user_home_content_files(depmod_t) @@ -32908,7 +30993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ifdef(`distro_ubuntu',` optional_policy(` -@@ -94,17 +98,21 @@ +@@ -94,17 +98,21 @@ optional_policy(` rpm_manage_script_tmp_files(depmod_t) ') @@ -32931,7 +31016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; -@@ -125,6 +133,7 @@ +@@ -125,6 +133,7 @@ kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) @@ -32939,7 +31024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -142,6 +151,7 @@ +@@ -142,6 +151,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -32947,7 +31032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -160,11 +170,15 @@ +@@ -160,11 +170,15 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) @@ -32963,7 +31048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -173,8 +187,7 @@ +@@ -173,8 +187,7 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) @@ -32973,7 +31058,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -229,10 +242,18 @@ +@@ -191,6 +204,10 @@ optional_policy(` + ') + + optional_policy(` ++ firewallgui_dontaudit_rw_pipes(insmod_t) ++') ++ ++optional_policy(` + hal_write_log(insmod_t) + ') + +@@ -229,10 +246,18 @@ optional_policy(` rpm_rw_pipes(insmod_t) ') @@ -32992,9 +31088,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti optional_policy(` # cjp: why is this needed: -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.8.8/policy/modules/system/mount.fc ---- nsaserefpolicy/policy/modules/system/mount.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/mount.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc +index 72c746e..e3d06fd 100644 +--- a/policy/modules/system/mount.fc ++++ b/policy/modules/system/mount.fc @@ -1,4 +1,10 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -33007,19 +31104,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.8.8/policy/modules/system/mount.if ---- nsaserefpolicy/policy/modules/system/mount.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/mount.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -16,6 +16,14 @@ +diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if +index 8b5c196..3490497 100644 +--- a/policy/modules/system/mount.if ++++ b/policy/modules/system/mount.if +@@ -16,6 +16,14 @@ interface(`mount_domtrans',` ') domtrans_pattern($1, mount_exec_t, mount_t) @@ -33034,16 +31123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -26,7 +34,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -45,17 +53,63 @@ +@@ -45,12 +53,58 @@ interface(`mount_run',` role $2 types mount_t; optional_policy(` @@ -33103,13 +31183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ## Execute mount in the caller domain. ## ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -84,9 +138,11 @@ +@@ -84,9 +138,11 @@ interface(`mount_exec',` interface(`mount_signal',` gen_require(` type mount_t; @@ -33121,7 +31195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -95,7 +151,7 @@ +@@ -95,7 +151,7 @@ interface(`mount_signal',` ## ## ## @@ -33130,7 +31204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ## ## # -@@ -176,4 +232,109 @@ +@@ -176,4 +232,109 @@ interface(`mount_run_unconfined',` mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; @@ -33240,10 +31314,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. + mount_domtrans_showmount($1) + role $2 types showmount_t; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.8/policy/modules/system/mount.te ---- nsaserefpolicy/policy/modules/system/mount.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/mount.te 2010-08-23 16:56:51.000000000 -0400 -@@ -17,8 +17,15 @@ +diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te +index ee6520c..e36909c 100644 +--- a/policy/modules/system/mount.te ++++ b/policy/modules/system/mount.te +@@ -17,8 +17,15 @@ type mount_exec_t; init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -33259,7 +31334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. type mount_tmp_t; files_tmp_file(mount_tmp_t) -@@ -28,6 +35,17 @@ +@@ -28,6 +35,17 @@ files_tmp_file(mount_tmp_t) # policy--duplicate type declaration type unconfined_mount_t; application_domain(unconfined_mount_t, mount_exec_t) @@ -33277,7 +31352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ######################################## # -@@ -35,7 +53,11 @@ +@@ -35,7 +53,11 @@ application_domain(unconfined_mount_t, mount_exec_t) # # setuid/setgid needed to mount cifs @@ -33290,7 +31365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_loopback_t:file read_file_perms; -@@ -46,30 +68,54 @@ +@@ -46,30 +68,54 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -33347,7 +31422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -79,25 +125,32 @@ +@@ -79,25 +125,32 @@ files_read_isid_type_files(mount_t) files_read_usr_files(mount_t) files_list_mnt(mount_t) @@ -33383,7 +31458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. term_use_all_terms(mount_t) -@@ -106,6 +159,8 @@ +@@ -106,6 +159,8 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -33392,7 +31467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. logging_send_syslog_msg(mount_t) -@@ -116,6 +171,12 @@ +@@ -116,6 +171,12 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -33405,7 +31480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`distro_redhat',` optional_policy(` -@@ -131,10 +192,17 @@ +@@ -131,10 +192,17 @@ ifdef(`distro_ubuntu',` ') ') @@ -33423,7 +31498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -164,6 +232,8 @@ +@@ -164,6 +232,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -33432,7 +31507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -171,6 +241,25 @@ +@@ -171,6 +241,25 @@ optional_policy(` ') optional_policy(` @@ -33458,7 +31533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -178,6 +267,11 @@ +@@ -178,6 +267,11 @@ optional_policy(` ') ') @@ -33470,7 +31545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -185,6 +279,19 @@ +@@ -185,6 +279,19 @@ optional_policy(` optional_policy(` samba_domtrans_smbmount(mount_t) @@ -33490,7 +31565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ######################################## -@@ -193,6 +300,42 @@ +@@ -193,6 +300,42 @@ optional_policy(` # optional_policy(` @@ -33534,61 +31609,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +sysnet_dns_name_resolve(showmount_t) + +userdom_use_user_terminals(showmount_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/pcmcia.if serefpolicy-3.8.8/policy/modules/system/pcmcia.if ---- nsaserefpolicy/policy/modules/system/pcmcia.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/pcmcia.if 2010-07-30 14:06:53.000000000 -0400 -@@ -22,7 +22,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -58,7 +58,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -77,7 +77,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.if serefpolicy-3.8.8/policy/modules/system/raid.if ---- nsaserefpolicy/policy/modules/system/raid.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/raid.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -33,7 +33,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.8.8/policy/modules/system/raid.te ---- nsaserefpolicy/policy/modules/system/raid.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/raid.te 2010-08-24 09:17:23.000000000 -0400 -@@ -30,8 +30,9 @@ +diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te +index 09845c4..5ccaca7 100644 +--- a/policy/modules/system/raid.te ++++ b/policy/modules/system/raid.te +@@ -30,8 +30,9 @@ allow mdadm_t self:fifo_file rw_fifo_file_perms; allow mdadm_t mdadm_map_t:file manage_file_perms; dev_filetrans(mdadm_t, mdadm_map_t, file) @@ -33599,7 +31624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t kernel_read_system_state(mdadm_t) kernel_read_kernel_sysctls(mdadm_t) -@@ -57,6 +58,7 @@ +@@ -57,6 +58,7 @@ domain_use_interactive_fds(mdadm_t) files_read_etc_files(mdadm_t) files_read_etc_runtime_files(mdadm_t) @@ -33607,7 +31632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -@@ -95,6 +97,10 @@ +@@ -95,6 +97,10 @@ optional_policy(` udev_read_db(mdadm_t) ') @@ -33618,9 +31643,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t +', ` + permissive mdadm_t; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc ---- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc +index 2cc4bda..9e81136 100644 +--- a/policy/modules/system/selinuxutil.fc ++++ b/policy/modules/system/selinuxutil.fc @@ -6,13 +6,13 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) @@ -33660,10 +31686,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.8.8/policy/modules/system/selinuxutil.if ---- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.if 2010-07-30 14:06:53.000000000 -0400 -@@ -361,6 +361,27 @@ +diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if +index 170e2c7..3f27d1b 100644 +--- a/policy/modules/system/selinuxutil.if ++++ b/policy/modules/system/selinuxutil.if +@@ -361,6 +361,27 @@ interface(`seutil_exec_restorecon',` ######################################## ## @@ -33691,7 +31718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute run_init in the run_init domain. ## ## -@@ -545,6 +566,53 @@ +@@ -545,6 +566,53 @@ interface(`seutil_run_setfiles',` ######################################## ## @@ -33745,7 +31772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute setfiles in the caller domain. ## ## -@@ -690,6 +758,7 @@ +@@ -690,6 +758,7 @@ interface(`seutil_manage_config',` ') files_search_etc($1) @@ -33753,7 +31780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') -@@ -1009,6 +1078,26 @@ +@@ -1009,6 +1078,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## @@ -33780,16 +31807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1020,7 +1109,7 @@ - ## - ## - ## --## The role to be allowed the checkpolicy domain. -+## The role to be allowed the semanage domain. - ## - ## - ## -@@ -1038,6 +1127,54 @@ +@@ -1038,6 +1127,54 @@ interface(`seutil_run_semanage',` ######################################## ## @@ -33844,7 +31862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Full management of the semanage ## module store. ## -@@ -1149,3 +1286,194 @@ +@@ -1149,3 +1286,194 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -34039,10 +32057,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + hotplug_use_fds($1) +') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.8.8/policy/modules/system/selinuxutil.te ---- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te 2010-08-24 09:17:28.000000000 -0400 -@@ -22,6 +22,9 @@ +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index ff5d72d..a0cf928 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; type selinux_config_t; files_type(selinux_config_t) @@ -34052,7 +32071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; application_domain(checkpolicy_t, checkpolicy_exec_t) -@@ -57,8 +60,9 @@ +@@ -57,8 +60,9 @@ domain_interactive_fd(newrole_t) # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # @@ -34064,7 +32083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; -@@ -74,7 +78,6 @@ +@@ -74,7 +78,6 @@ type restorecond_t; type restorecond_exec_t; init_daemon_domain(restorecond_t, restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) @@ -34072,7 +32091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -88,9 +91,14 @@ +@@ -88,9 +91,14 @@ role system_r types run_init_t; type semanage_t; type semanage_exec_t; application_domain(semanage_t, semanage_exec_t) @@ -34087,7 +32106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu type semanage_store_t; files_type(semanage_store_t) -@@ -108,6 +116,11 @@ +@@ -108,6 +116,11 @@ type setfiles_exec_t alias restorecon_exec_t; init_system_domain(setfiles_t, setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) @@ -34099,7 +32118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Checkpolicy local policy -@@ -176,6 +189,7 @@ +@@ -176,6 +189,7 @@ term_list_ptys(load_policy_t) init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) @@ -34107,7 +32126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu miscfiles_read_localization(load_policy_t) -@@ -216,7 +230,7 @@ +@@ -216,7 +230,7 @@ allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -34116,7 +32135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -260,25 +274,25 @@ +@@ -260,25 +274,25 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -34148,7 +32167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -312,6 +326,8 @@ +@@ -312,6 +326,8 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -34157,7 +32176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) -@@ -335,6 +351,8 @@ +@@ -335,6 +351,8 @@ miscfiles_read_localization(restorecond_t) seutil_libselinux_linked(restorecond_t) @@ -34166,7 +32185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -353,7 +371,7 @@ +@@ -353,7 +371,7 @@ optional_policy(` allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -34175,7 +32194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -405,6 +423,10 @@ +@@ -405,6 +423,10 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -34186,7 +32205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -420,61 +442,22 @@ +@@ -420,61 +442,22 @@ optional_policy(` # semodule local policy # @@ -34196,22 +32215,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; - -allow semanage_t policy_config_t:file rw_file_perms; -+seutil_semanage_policy(semanage_t) -+allow semanage_t self:fifo_file rw_fifo_file_perms; - +- -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) -+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) - +- -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) - -corecmd_exec_bin(semanage_t) -- ++seutil_semanage_policy(semanage_t) ++allow semanage_t self:fifo_file rw_fifo_file_perms; + -dev_read_urand(semanage_t) -- ++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) @@ -34230,12 +32249,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +can_exec(semanage_t, semanage_exec_t) -term_use_all_terms(semanage_t) +- +-# Running genhomedircon requires this for finding all users +-auth_use_nsswitch(semanage_t) +# Admins are creating pp files in random locations +auth_read_all_files_except_shadow(semanage_t) --# Running genhomedircon requires this for finding all users --auth_use_nsswitch(semanage_t) -- -locallogin_use_fds(semanage_t) - -logging_send_syslog_msg(semanage_t) @@ -34256,7 +32275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -483,12 +466,23 @@ +@@ -483,12 +466,23 @@ ifdef(`distro_debian',` files_read_var_lib_symlinks(semanage_t) ') @@ -34280,7 +32299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -498,112 +492,54 @@ +@@ -498,112 +492,54 @@ ifdef(`enable_mls',` userdom_read_user_tmp_files(semanage_t) ') @@ -34330,12 +32349,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -fs_list_all(setfiles_t) -fs_search_auto_mountpoints(setfiles_t) -fs_relabelfrom_noxattr_fs(setfiles_t) -- ++init_dontaudit_use_fds(setsebool_t) + -mls_file_read_all_levels(setfiles_t) -mls_file_write_all_levels(setfiles_t) -mls_file_upgrade(setfiles_t) -mls_file_downgrade(setfiles_t) -- ++# Bug in semanage ++seutil_domtrans_setfiles(setsebool_t) ++seutil_manage_file_contexts(setsebool_t) ++seutil_manage_default_contexts(setsebool_t) ++seutil_manage_config(setsebool_t) + -selinux_validate_context(setfiles_t) -selinux_compute_access_vector(setfiles_t) -selinux_compute_create_context(setfiles_t) @@ -34363,7 +32388,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -userdom_use_all_users_fds(setfiles_t) -# for config files in a home directory -userdom_read_user_home_content_files(setfiles_t) -+init_dontaudit_use_fds(setsebool_t) ++######################################## ++# ++# Setfiles local policy ++# -ifdef(`distro_debian',` - # udev tmpfs is populated with static device nodes @@ -34371,11 +32399,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - # /dev/console has the tmpfs type - fs_rw_tmpfs_chr_files(setfiles_t) -') -+# Bug in semanage -+seutil_domtrans_setfiles(setsebool_t) -+seutil_manage_file_contexts(setsebool_t) -+seutil_manage_default_contexts(setsebool_t) -+seutil_manage_config(setsebool_t) ++seutil_setfiles(setfiles_t) ++# During boot in Rawhide ++term_use_generic_ptys(setfiles_t) -ifdef(`distro_redhat', ` - fs_rw_tmpfs_chr_files(setfiles_t) @@ -34383,23 +32409,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - fs_relabel_tmpfs_blk_file(setfiles_t) - fs_relabel_tmpfs_chr_file(setfiles_t) -') -+######################################## -+# -+# Setfiles local policy -+# ++seutil_setfiles(setfiles_mac_t) ++allow setfiles_mac_t self:capability2 mac_admin; ++kernel_relabelto_unlabeled(setfiles_mac_t) -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(setfiles_t) - ') -+seutil_setfiles(setfiles_t) -+# During boot in Rawhide -+term_use_generic_ptys(setfiles_t) -+ -+seutil_setfiles(setfiles_mac_t) -+allow setfiles_mac_t self:capability2 mac_admin; -+kernel_relabelto_unlabeled(setfiles_mac_t) -+ +optional_policy(` + files_dontaudit_write_isid_chr_files(setfiles_mac_t) + livecd_dontaudit_leaks(setfiles_mac_t) @@ -34429,22 +32446,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +', ` + permissive lvm_t; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.8.8/policy/modules/system/setrans.if ---- nsaserefpolicy/policy/modules/system/setrans.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/setrans.if 2010-07-30 14:06:53.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.8.8/policy/modules/system/setrans.te ---- nsaserefpolicy/policy/modules/system/setrans.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/setrans.te 2010-07-30 14:06:53.000000000 -0400 -@@ -12,6 +12,7 @@ +diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te +index 4ec45a4..4488c6d 100644 +--- a/policy/modules/system/setrans.te ++++ b/policy/modules/system/setrans.te +@@ -12,6 +12,7 @@ gen_require(` type setrans_t; type setrans_exec_t; init_daemon_domain(setrans_t, setrans_exec_t) @@ -34452,7 +32458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran type setrans_initrc_exec_t; init_script_file(setrans_initrc_exec_t) -@@ -44,9 +45,10 @@ +@@ -44,9 +45,10 @@ can_exec(setrans_t, setrans_exec_t) corecmd_search_bin(setrans_t) # create unix domain socket in /var @@ -34464,15 +32470,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran kernel_read_kernel_sysctls(setrans_t) kernel_read_proc_symlinks(setrans_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.8.8/policy/modules/system/sosreport.fc ---- nsaserefpolicy/policy/modules/system/sosreport.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/system/sosreport.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/sosreport.fc b/policy/modules/system/sosreport.fc +new file mode 100644 +index 0000000..0928140 +--- /dev/null ++++ b/policy/modules/system/sosreport.fc @@ -0,0 +1,2 @@ + +/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.if serefpolicy-3.8.8/policy/modules/system/sosreport.if ---- nsaserefpolicy/policy/modules/system/sosreport.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/system/sosreport.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/sosreport.if b/policy/modules/system/sosreport.if +new file mode 100644 +index 0000000..fec3374 +--- /dev/null ++++ b/policy/modules/system/sosreport.if @@ -0,0 +1,131 @@ + +## policy for sosreport @@ -34605,9 +32615,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep + + allow $1 sosreport_tmp_t:file append; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.8.8/policy/modules/system/sosreport.te ---- nsaserefpolicy/policy/modules/system/sosreport.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/system/sosreport.te 2010-08-24 15:48:28.000000000 -0400 +diff --git a/policy/modules/system/sosreport.te b/policy/modules/system/sosreport.te +new file mode 100644 +index 0000000..593a206 +--- /dev/null ++++ b/policy/modules/system/sosreport.te @@ -0,0 +1,158 @@ +policy_module(sosreport,1.0.0) + @@ -34767,61 +32779,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep +', ` + permissive sosreport_t; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc ---- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc 2010-07-30 14:06:53.000000000 -0400 -@@ -64,3 +64,5 @@ +diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc +index 726619b..4bb3158 100644 +--- a/policy/modules/system/sysnetwork.fc ++++ b/policy/modules/system/sysnetwork.fc +@@ -64,3 +64,5 @@ ifdef(`distro_redhat',` ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) ') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.8.8/policy/modules/system/sysnetwork.if ---- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.if 2010-08-10 05:23:35.000000000 -0400 -@@ -6,7 +6,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -26,7 +26,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -60,25 +60,24 @@ +diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if +index 8e71fb7..350d003 100644 +--- a/policy/modules/system/sysnetwork.if ++++ b/policy/modules/system/sysnetwork.if +@@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',` netutils_run(dhcpc_t, $2) netutils_run_ping(dhcpc_t, $2) ') --') - --######################################## --## --## Do not audit attempts to use --## the dhcp file descriptors. --## --## --## --## The domain sending the SIGCHLD. --## --## --# --interface(`sysnet_dontaudit_use_dhcpc_fds',` -- gen_require(` -- type dhcpc_t; ++ + optional_policy(` + networkmanager_run(dhcpc_t, $2) - ') - -- dontaudit $1 dhcpc_t:fd use; ++ ') ++ + optional_policy(` + nis_run_ypbind(dhcpc_t, $2) + ') @@ -34838,7 +32818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -249,6 +248,43 @@ +@@ -249,6 +267,43 @@ interface(`sysnet_delete_dhcpc_state',` delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') @@ -34882,7 +32862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ####################################### ## ## Set the attributes of network config files. -@@ -270,6 +306,44 @@ +@@ -270,6 +325,44 @@ interface(`sysnet_setattr_config',` ####################################### ## @@ -34927,25 +32907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ## Read network config files. ## ## -@@ -376,7 +450,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -394,7 +468,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -403,11 +477,8 @@ +@@ -403,11 +496,8 @@ interface(`sysnet_manage_config',` type net_conf_t; ') @@ -34959,25 +32921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ####################################### -@@ -416,7 +487,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -435,7 +506,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -444,6 +515,7 @@ +@@ -444,6 +534,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -34985,16 +32929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet allow $1 dhcpc_var_run_t:file unlink; ') -@@ -453,7 +525,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -464,6 +536,10 @@ +@@ -464,6 +555,10 @@ interface(`sysnet_domtrans_ifconfig',` corecmd_search_bin($1) domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) @@ -35005,16 +32940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -474,7 +550,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - ## -@@ -534,6 +610,25 @@ +@@ -534,6 +629,25 @@ interface(`sysnet_signal_ifconfig',` ######################################## ## @@ -35040,7 +32966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ## Read the DHCP configuration files. ## ## -@@ -677,7 +772,10 @@ +@@ -677,7 +791,10 @@ interface(`sysnet_use_ldap',` corenet_tcp_connect_ldap_port($1) corenet_sendrecv_ldap_client_packets($1) @@ -35052,7 +32978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -709,5 +807,52 @@ +@@ -709,5 +826,52 @@ interface(`sysnet_use_portmap',` corenet_tcp_connect_portmap_port($1) corenet_sendrecv_portmap_client_packets($1) @@ -35106,10 +33032,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + + role_transition $1 dhcpc_exec_t system_r; ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.8.8/policy/modules/system/sysnetwork.te ---- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te 2010-08-25 07:51:06.000000000 -0400 -@@ -5,6 +5,13 @@ +diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te +index dfbe736..3663802 100644 +--- a/policy/modules/system/sysnetwork.te ++++ b/policy/modules/system/sysnetwork.te +@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0) # Declarations # @@ -35123,7 +33050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet # this is shared between dhcpc and dhcpd: type dhcp_etc_t; typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; -@@ -19,6 +26,9 @@ +@@ -19,6 +26,9 @@ type dhcpc_exec_t; init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -35133,7 +33060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet type dhcpc_state_t; files_type(dhcpc_state_t) -@@ -57,8 +67,11 @@ +@@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; @@ -35145,7 +33072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -@@ -66,6 +79,8 @@ +@@ -66,6 +79,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. @@ -35154,7 +33081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -105,11 +120,14 @@ +@@ -105,11 +120,14 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) corenet_sendrecv_dhcpc_server_packets(dhcpc_t) @@ -35169,7 +33096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -130,6 +148,7 @@ +@@ -130,6 +148,7 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) init_rw_utmp(dhcpc_t) @@ -35177,7 +33104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet logging_send_syslog_msg(dhcpc_t) -@@ -155,6 +174,10 @@ +@@ -155,6 +174,10 @@ optional_policy(` ') optional_policy(` @@ -35188,7 +33115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet init_dbus_chat_script(dhcpc_t) dbus_system_bus_client(dhcpc_t) -@@ -171,6 +194,8 @@ +@@ -171,6 +194,8 @@ optional_policy(` optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -35197,7 +33124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -192,6 +217,13 @@ +@@ -192,6 +217,13 @@ optional_policy(` ') optional_policy(` @@ -35211,7 +33138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet nis_read_ypbind_pid(dhcpc_t) ') -@@ -213,6 +245,7 @@ +@@ -213,6 +245,7 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -35219,7 +33146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -276,8 +309,11 @@ +@@ -276,8 +309,11 @@ dev_read_urand(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -35231,7 +33158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -305,6 +341,8 @@ +@@ -305,6 +341,8 @@ modutils_domtrans_insmod(ifconfig_t) seutil_use_runinit_fds(ifconfig_t) @@ -35240,7 +33167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -314,6 +352,10 @@ +@@ -314,6 +352,10 @@ ifdef(`distro_ubuntu',` ') ') @@ -35251,7 +33178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ifdef(`hide_broken_symptoms',` optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) -@@ -327,6 +369,8 @@ +@@ -327,6 +369,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` hal_dontaudit_rw_pipes(ifconfig_t) hal_dontaudit_rw_dgram_sockets(ifconfig_t) @@ -35260,7 +33187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -334,6 +378,10 @@ +@@ -334,6 +378,10 @@ optional_policy(` ') optional_policy(` @@ -35271,7 +33198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet nis_use_ypbind(ifconfig_t) ') -@@ -355,3 +403,9 @@ +@@ -355,3 +403,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -35281,27 +33208,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + iptables_domtrans(dhcpc_t) + ') +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.8.8/policy/modules/system/udev.fc ---- nsaserefpolicy/policy/modules/system/udev.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/udev.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc +index 0291685..44fe366 100644 +--- a/policy/modules/system/udev.fc ++++ b/policy/modules/system/udev.fc @@ -22,3 +22,4 @@ /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.8.8/policy/modules/system/udev.if ---- nsaserefpolicy/policy/modules/system/udev.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/udev.if 2010-07-30 14:06:53.000000000 -0400 -@@ -24,7 +24,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -34,6 +34,7 @@ +diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if +index 025348a..59bc26b 100644 +--- a/policy/modules/system/udev.if ++++ b/policy/modules/system/udev.if +@@ -34,6 +34,7 @@ interface(`udev_domtrans',` ') domtrans_pattern($1, udev_exec_t, udev_t) @@ -35309,28 +33229,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i ') ######################################## -@@ -60,7 +61,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -@@ -199,7 +200,7 @@ - ## - ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.8.8/policy/modules/system/udev.te ---- nsaserefpolicy/policy/modules/system/udev.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/udev.te 2010-08-24 09:18:25.000000000 -0400 -@@ -52,6 +52,7 @@ +diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te +index a054cf5..a5d4a43 100644 +--- a/policy/modules/system/udev.te ++++ b/policy/modules/system/udev.te +@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; @@ -35338,7 +33241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -72,7 +73,7 @@ +@@ -72,7 +73,7 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t) manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) @@ -35347,7 +33250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) -@@ -116,10 +117,13 @@ +@@ -116,10 +117,13 @@ files_exec_etc_files(udev_t) files_dontaudit_search_isid_type_dirs(udev_t) files_getattr_generic_locks(udev_t) files_search_mnt(udev_t) @@ -35361,7 +33264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t mcs_ptrace_all(udev_t) -@@ -192,9 +196,13 @@ +@@ -192,9 +196,13 @@ ifdef(`distro_redhat',` # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) @@ -35375,7 +33278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') optional_policy(` -@@ -216,6 +224,10 @@ +@@ -216,6 +224,10 @@ optional_policy(` ') optional_policy(` @@ -35386,7 +33289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t consoletype_exec(udev_t) ') -@@ -259,6 +271,10 @@ +@@ -259,6 +271,10 @@ optional_policy(` ') optional_policy(` @@ -35397,7 +33300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +289,10 @@ +@@ -273,6 +289,10 @@ optional_policy(` ') optional_policy(` @@ -35408,9 +33311,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t unconfined_signal(udev_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.8.8/policy/modules/system/unconfined.fc ---- nsaserefpolicy/policy/modules/system/unconfined.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/unconfined.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc +index ce2fbb9..8b34dbc 100644 +--- a/policy/modules/system/unconfined.fc ++++ b/policy/modules/system/unconfined.fc @@ -1,15 +1 @@ # Add programs here which should not be confined by SELinux -# e.g.: @@ -35427,9 +33331,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -ifdef(`distro_gentoo',` -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.8.8/policy/modules/system/unconfined.if ---- nsaserefpolicy/policy/modules/system/unconfined.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/unconfined.if 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if +index 416e668..bdb4c7b 100644 +--- a/policy/modules/system/unconfined.if ++++ b/policy/modules/system/unconfined.if @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -35446,7 +33351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf allow $1 self:fifo_file manage_fifo_file_perms; # Transition to myself, to make get_ordered_context_list happy. -@@ -27,12 +26,14 @@ +@@ -27,12 +26,14 @@ interface(`unconfined_domain_noaudit',` # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; @@ -35465,7 +33370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf kernel_unconfined($1) corenet_unconfined($1) -@@ -44,6 +45,16 @@ +@@ -44,6 +45,16 @@ interface(`unconfined_domain_noaudit',` fs_unconfined($1) selinux_unconfined($1) @@ -35482,7 +33387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; -@@ -57,8 +68,8 @@ +@@ -57,8 +68,8 @@ interface(`unconfined_domain_noaudit',` tunable_policy(`allow_execstack',` # Allow making the stack executable via mprotect; @@ -35493,7 +33398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf # auditallow $1 self:process execstack; ') -@@ -69,6 +80,7 @@ +@@ -69,6 +80,7 @@ interface(`unconfined_domain_noaudit',` optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -35501,7 +33406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -122,6 +134,10 @@ +@@ -122,6 +134,10 @@ interface(`unconfined_domain_noaudit',` ## # interface(`unconfined_domain',` @@ -35512,17 +33417,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` -@@ -179,411 +195,3 @@ +@@ -178,412 +194,3 @@ interface(`unconfined_alias_domain',` + interface(`unconfined_execmem_alias_program',` refpolicywarn(`$0($1) has been deprecated.') ') - +- -######################################## -## -## Transition to the unconfined domain. -## -## -## --## Domain allowed access. +-## Domain allowed to transition. -## -## -# @@ -35540,7 +33446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -## -## -## --## The type of the process performing this action. +-## Domain allowed to transition. -## -## -## @@ -35564,7 +33470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -## -## -## --## Domain allowed access. +-## Domain allowed to transition. -## -## -# @@ -35750,7 +33656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -## -## -## --## Domain allowed access. +-## Domain to not audit. -## -## -# @@ -35924,10 +33830,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - - allow $1 unconfined_t:dbus acquire_svc; -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.8.8/policy/modules/system/unconfined.te ---- nsaserefpolicy/policy/modules/system/unconfined.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/unconfined.te 2010-07-30 14:06:53.000000000 -0400 -@@ -4,227 +4,5 @@ +diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te +index f976344..4474379 100644 +--- a/policy/modules/system/unconfined.te ++++ b/policy/modules/system/unconfined.te +@@ -4,227 +4,5 @@ policy_module(unconfined, 3.2.0) # # Declarations # @@ -36156,9 +34063,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - hal_dbus_chat(unconfined_execmem_t) - ') -') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.8.8/policy/modules/system/userdomain.fc ---- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/userdomain.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc +index db75976..9068325 100644 +--- a/policy/modules/system/userdomain.fc ++++ b/policy/modules/system/userdomain.fc @@ -1,4 +1,14 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) @@ -36175,10 +34083,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if ---- nsaserefpolicy/policy/modules/system/userdomain.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-08-25 09:41:50.000000000 -0400 -@@ -30,8 +30,9 @@ +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index 8b4f6d8..1456a83 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -30,8 +30,9 @@ template(`userdom_base_user_template',` ') attribute $1_file_type; @@ -36189,12 +34098,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -43,69 +44,92 @@ +@@ -43,69 +44,92 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) -+ term_dontaudit_getattr_generic_ptys($1_t) - +- - allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; - allow $1_t self:fd use; - allow $1_t self:fifo_file rw_fifo_file_perms; @@ -36206,6 +34114,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - allow $1_t self:msg { send receive }; - allow $1_t self:context contains; - dontaudit $1_t self:socket create; +- +- allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms }; +- term_create_pty($1_t, user_devpts_t) ++ term_dontaudit_getattr_generic_ptys($1_t) ++ + allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; + allow $1_usertype $1_usertype:fd use; + allow $1_usertype $1_t:key { create view read write search link setattr }; @@ -36219,9 +34132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + allow $1_usertype $1_usertype:msg { send receive }; + allow $1_usertype $1_usertype:context contains; + dontaudit $1_usertype $1_usertype:socket create; - -- allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms }; -- term_create_pty($1_t, user_devpts_t) ++ + allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; + term_create_pty($1_usertype, user_devpts_t) # avoid annoying messages on terminal hangup on role change @@ -36232,10 +34143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; # avoid annoying messages on terminal hangup on role change - dontaudit $1_t user_tty_device_t:chr_file ioctl; -+ dontaudit $1_usertype user_tty_device_t:chr_file ioctl; -+ -+ application_exec_all($1_usertype) - +- - kernel_read_kernel_sysctls($1_t) - kernel_dontaudit_list_unlabeled($1_t) - kernel_dontaudit_getattr_unlabeled_files($1_t) @@ -36244,6 +34152,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - kernel_dontaudit_getattr_unlabeled_sockets($1_t) - kernel_dontaudit_getattr_unlabeled_blk_files($1_t) - kernel_dontaudit_getattr_unlabeled_chr_files($1_t) +- +- dev_dontaudit_getattr_all_blk_files($1_t) +- dev_dontaudit_getattr_all_chr_files($1_t) ++ dontaudit $1_usertype user_tty_device_t:chr_file ioctl; ++ ++ application_exec_all($1_usertype) ++ + kernel_read_kernel_sysctls($1_usertype) + kernel_read_all_sysctls($1_usertype) + kernel_dontaudit_list_unlabeled($1_usertype) @@ -36254,9 +34169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) + kernel_dontaudit_list_proc($1_usertype) - -- dev_dontaudit_getattr_all_blk_files($1_t) -- dev_dontaudit_getattr_all_chr_files($1_t) ++ + dev_dontaudit_getattr_all_blk_files($1_usertype) + dev_dontaudit_getattr_all_chr_files($1_usertype) + dev_getattr_mtrr_dev($1_t) @@ -36329,7 +34242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +140,16 @@ +@@ -116,6 +140,16 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -36346,7 +34259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -149,6 +183,8 @@ +@@ -149,6 +183,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -36355,7 +34268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Domain access to home dir -@@ -166,27 +202,6 @@ +@@ -166,27 +202,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -36383,7 +34296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -218,8 +233,11 @@ +@@ -218,8 +233,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -36395,7 +34308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Domain access to home dir -@@ -228,17 +246,21 @@ +@@ -228,17 +246,21 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -36427,7 +34340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +268,23 @@ +@@ -246,25 +268,23 @@ interface(`userdom_manage_home_role',` allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -36457,7 +34370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -289,6 +309,8 @@ +@@ -289,6 +309,8 @@ interface(`userdom_manage_tmp_role',` type user_tmp_t; ') @@ -36466,7 +34379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_poly_member_tmp($2, user_tmp_t) manage_dirs_pattern($2, user_tmp_t, user_tmp_t) -@@ -297,6 +319,45 @@ +@@ -297,6 +319,45 @@ interface(`userdom_manage_tmp_role',` manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -36512,7 +34425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -316,6 +377,7 @@ +@@ -316,6 +377,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -36520,7 +34433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($1) ') -@@ -350,6 +412,8 @@ +@@ -350,6 +412,8 @@ interface(`userdom_manage_tmpfs_role',` type user_tmpfs_t; ') @@ -36529,7 +34442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -@@ -360,46 +424,41 @@ +@@ -360,46 +424,41 @@ interface(`userdom_manage_tmpfs_role',` ####################################### ## @@ -36551,13 +34464,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - gen_require(` - type $1_t; - ') -+interface(`userdom_basic_networking',` - +- - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -+ allow $1 self:tcp_socket create_stream_socket_perms; -+ allow $1 self:udp_socket create_socket_perms; - +- - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) @@ -36570,6 +34480,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - corenet_sendrecv_all_client_packets($1_t) - - corenet_all_recvfrom_labeled($1_t, $1_t) ++interface(`userdom_basic_networking',` ++ ++ allow $1 self:tcp_socket create_stream_socket_perms; ++ allow $1 self:udp_socket create_socket_perms; ++ + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) @@ -36596,7 +34511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -430,6 +489,7 @@ +@@ -430,6 +489,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -36604,7 +34519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -490,7 +550,7 @@ +@@ -490,7 +550,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -36613,7 +34528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -500,73 +560,78 @@ +@@ -500,73 +560,78 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -36673,14 +34588,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + files_read_var_lib_files($1_usertype) # Stat lost+found. - files_getattr_lost_found_dirs($1_t) -- -- fs_rw_cgroup_files($1_t) + files_getattr_lost_found_dirs($1_usertype) + files_read_config_files($1_usertype) + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) -+ + +- fs_rw_cgroup_files($1_t) + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) @@ -36732,7 +34646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') tunable_policy(`user_ttyfile_stat',` -@@ -574,65 +639,108 @@ +@@ -574,65 +639,108 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -36744,19 +34658,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + apm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ canna_stream_connect($1_usertype) ') optional_policy(` - canna_stream_connect($1_t) -+ chrome_role($1_r, $1_usertype) ++ canna_stream_connect($1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) ++ chrome_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; @@ -36846,20 +34760,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) ++ ') ++ ++ optional_policy(` ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) -+ ') -+ -+ optional_policy(` + nsplugin_role($1_r, $1_usertype) ') optional_policy(` -@@ -643,41 +751,50 @@ +@@ -643,41 +751,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -36886,42 +34800,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - resmgr_stream_connect($1_t) + resmgr_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpc_dontaudit_getattr_exports($1_usertype) -+ rpc_manage_nfs_rw_content($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ rpc_dontaudit_getattr_exports($1_usertype) ++ rpc_manage_nfs_rw_content($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - usernetctl_run($1_t,$1_r) -+ slrnpull_search_spool($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') + ++ optional_policy(` ++ seunshare_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ slrnpull_search_spool($1_usertype) ++ ') ++ ') ####################################### -@@ -705,13 +822,26 @@ +@@ -705,13 +822,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) @@ -36930,12 +34844,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) -+ -+ ifelse(`$1',`unconfined',`',` -+ gen_tunable(allow_$1_exec_content, true) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable(allow_$1_exec_content, true) + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -36943,9 +34859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -36953,7 +34867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_change_password_template($1) -@@ -729,72 +859,74 @@ +@@ -729,72 +859,74 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -37021,10 +34935,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) ++ ++ seutil_read_config($1_usertype) - seutil_read_config($1_t) -+ seutil_read_config($1_usertype) -+ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) @@ -37063,7 +34977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -826,6 +958,9 @@ +@@ -826,6 +958,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -37073,7 +34987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Local policy -@@ -867,45 +1002,103 @@ +@@ -867,45 +1002,103 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -37089,12 +35003,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + dev_dontaudit_read_rand($1_usertype) + # temporarily allow since openoffice requires this + dev_read_rand($1_usertype) -+ + +- logging_send_syslog_msg($1_t) + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) + dev_rw_wireless($1_usertype) - -- logging_send_syslog_msg($1_t) ++ + tunable_policy(`user_rw_noexattrfile',` + dev_rw_usbfs($1_t) + dev_rw_generic_usb_dev($1_usertype) @@ -37135,39 +35049,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + abrt_dbus_chat($1_usertype) + abrt_run_helper($1_usertype, $1_r) + ') ++ ++ optional_policy(` ++ consolekit_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) ++ ') optional_policy(` - consolekit_dbus_chat($1_t) -+ consolekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) - ') -+ -+ optional_policy(` -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ ') -+ -+ optional_policy(` + fprintd_dbus_chat($1_t) -+ ') + ') + ') + + optional_policy(` +- java_role($1_r, $1_t) ++ openoffice_role_template($1, $1_r, $1_usertype) + ') + + optional_policy(` -+ openoffice_role_template($1, $1_r, $1_usertype) ++ policykit_role($1_r, $1_usertype) + ') + + optional_policy(` -+ policykit_role($1_r, $1_usertype) - ') - - optional_policy(` -- java_role($1_r, $1_t) + pulseaudio_role($1_r, $1_usertype) + ') + @@ -37188,7 +35102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -940,7 +1133,7 @@ +@@ -940,7 +1133,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -37197,7 +35111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_common_user_template($1) ############################## -@@ -949,54 +1142,77 @@ +@@ -949,54 +1142,77 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -37274,38 +35188,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + execmem_role_template($1, $1_r, $1_t) - ') - -- # Run pppd in pppd_t by default for user - optional_policy(` -- ppp_run_cond($1_t,$1_r) -+ java_role_template($1, $1_r, $1_t) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) -+ mono_role_template($1, $1_r, $1_t) + ') + + optional_policy(` -+ mount_run_fusermount($1_t, $1_r) ++ java_role_template($1, $1_r, $1_t) + ') + + optional_policy(` -+ wine_role_template($1, $1_r, $1_t) ++ mono_role_template($1, $1_r, $1_t) + ') + + optional_policy(` -+ postfix_run_postdrop($1_t, $1_r) ++ mount_run_fusermount($1_t, $1_r) + ') + -+ # Run pppd in pppd_t by default for user + optional_policy(` ++ wine_role_template($1, $1_r, $1_t) + ') + +- # Run pppd in pppd_t by default for user + optional_policy(` +- ppp_run_cond($1_t,$1_r) ++ postfix_run_postdrop($1_t, $1_r) + ') + ++ # Run pppd in pppd_t by default for user + optional_policy(` +- setroubleshoot_stream_connect($1_t) + ppp_run_cond($1_t, $1_r) ') ') -@@ -1032,7 +1248,7 @@ +@@ -1032,7 +1248,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -37314,7 +35228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ############################## -@@ -1067,6 +1283,9 @@ +@@ -1067,6 +1283,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -37324,7 +35238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1081,6 +1300,7 @@ +@@ -1081,6 +1300,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -37332,7 +35246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1112,10 +1332,13 @@ +@@ -1112,10 +1332,13 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -37346,7 +35260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1135,6 +1358,7 @@ +@@ -1135,6 +1358,7 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -37354,7 +35268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1203,6 +1427,8 @@ +@@ -1203,6 +1427,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -37363,7 +35277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1230,6 +1456,7 @@ +@@ -1230,6 +1456,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -37371,7 +35285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_setfiles($1, $2) optional_policy(` -@@ -1268,12 +1495,15 @@ +@@ -1268,12 +1495,15 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -37388,7 +35302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1384,6 +1614,7 @@ +@@ -1384,6 +1614,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -37396,7 +35310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($1) ') -@@ -1430,6 +1661,14 @@ +@@ -1430,6 +1661,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -37411,7 +35325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1445,9 +1684,11 @@ +@@ -1445,9 +1684,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -37423,7 +35337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1504,6 +1745,42 @@ +@@ -1504,6 +1745,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -37466,7 +35380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create directories in the home dir root with -@@ -1578,6 +1855,8 @@ +@@ -1578,6 +1855,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -37475,7 +35389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1592,10 +1871,12 @@ +@@ -1592,10 +1871,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -37490,7 +35404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1638,6 +1919,25 @@ +@@ -1638,6 +1919,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -37516,7 +35430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1689,13 +1989,14 @@ +@@ -1689,13 +1989,14 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -37532,7 +35446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -1703,18 +2004,40 @@ +@@ -1703,13 +2004,35 @@ interface(`userdom_read_user_home_content_files',` ## ## # @@ -37547,11 +35461,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - dontaudit $1 user_home_t:file read_file_perms; + dontaudit $1 user_home_type:dir getattr; + dontaudit $1 user_home_type:file getattr; - ') - - ######################################## - ## --## Do not audit attempts to append user home files. ++') ++ ++######################################## ++## +## Do not audit attempts to read user home files. +## +## @@ -37570,15 +35483,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; + dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to append user home files. - ## - ## - ## -@@ -1799,8 +2122,7 @@ + ') + + ######################################## +@@ -1799,8 +2122,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -37588,7 +35496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1816,20 +2138,14 @@ +@@ -1816,20 +2138,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -37613,7 +35521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## -@@ -2171,7 +2487,7 @@ +@@ -2171,7 +2487,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -37622,7 +35530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2424,13 +2740,14 @@ +@@ -2424,13 +2740,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -37638,7 +35546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2451,26 +2768,6 @@ +@@ -2451,26 +2768,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -37665,7 +35573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Get the attributes of a user domain tty. ## ## -@@ -2804,7 +3101,7 @@ +@@ -2804,7 +3101,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -37674,7 +35582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2820,11 +3117,13 @@ +@@ -2820,11 +3117,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -37690,7 +35598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2961,7 +3260,45 @@ +@@ -2961,7 +3260,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -37737,7 +35645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2998,6 +3335,7 @@ +@@ -2998,6 +3335,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -37745,7 +35653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3128,3 +3466,854 @@ +@@ -3128,3 +3466,854 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -38600,10 +36508,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + domain_transition_pattern($1, user_tmp_t, $2) + type_transition $1 user_tmp_t:process $2; +') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.8.8/policy/modules/system/userdomain.te ---- nsaserefpolicy/policy/modules/system/userdomain.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/userdomain.te 2010-08-12 15:46:21.000000000 -0400 -@@ -43,6 +43,13 @@ +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 60937f0..0aa5ce3 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -43,6 +43,13 @@ gen_tunable(user_rw_noexattrfile, false) ## ##

@@ -38617,7 +36526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Allow w to display everyone ##

## -@@ -59,6 +66,15 @@ +@@ -59,6 +66,15 @@ attribute unpriv_userdomain; attribute untrusted_content_type; attribute untrusted_content_tmp_type; @@ -38633,7 +36542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,18 +87,21 @@ +@@ -71,18 +87,21 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -38656,7 +36565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; files_tmp_file(user_tmp_t) userdom_user_home_content(user_tmp_t) -@@ -94,3 +113,25 @@ +@@ -94,3 +113,25 @@ userdom_user_home_content(user_tmpfs_t) type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) @@ -38682,9 +36591,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +# Nautilus causes this avc +dontaudit unpriv_userdomain self:dir setattr; -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.8.8/policy/modules/system/xen.fc ---- nsaserefpolicy/policy/modules/system/xen.fc 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/xen.fc 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc +index 8c827f8..744fa64 100644 +--- a/policy/modules/system/xen.fc ++++ b/policy/modules/system/xen.fc @@ -1,7 +1,5 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) @@ -38693,10 +36603,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) ifdef(`distro_debian',` -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.8.8/policy/modules/system/xen.if ---- nsaserefpolicy/policy/modules/system/xen.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/xen.if 2010-07-30 14:06:53.000000000 -0400 -@@ -87,6 +87,26 @@ +diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if +index 77d41b6..4af4e6b 100644 +--- a/policy/modules/system/xen.if ++++ b/policy/modules/system/xen.if +@@ -87,6 +87,26 @@ interface(`xen_read_image_files',` ## ## # @@ -38723,7 +36634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if interface(`xen_rw_image_files',` gen_require(` type xen_image_t, xend_var_lib_t; -@@ -213,8 +233,9 @@ +@@ -213,8 +233,9 @@ interface(`xen_stream_connect',` interface(`xen_domtrans_xm',` gen_require(` type xm_t, xm_exec_t; @@ -38734,10 +36645,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if domtrans_pattern($1, xm_exec_t, xm_t) ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.8.8/policy/modules/system/xen.te ---- nsaserefpolicy/policy/modules/system/xen.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/xen.te 2010-08-24 09:18:35.000000000 -0400 -@@ -4,6 +4,7 @@ +diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te +index f661f5a..ff472d0 100644 +--- a/policy/modules/system/xen.te ++++ b/policy/modules/system/xen.te +@@ -4,6 +4,7 @@ policy_module(xen, 1.10.0) # # Declarations # @@ -38745,7 +36657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te ## ##

-@@ -34,6 +35,7 @@ +@@ -34,6 +35,7 @@ type xen_image_t; # customizable files_type(xen_image_t) # xen_image_t can be assigned to blk devices dev_node(xen_image_t) @@ -38753,7 +36665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te type xenctl_t; files_type(xenctl_t) -@@ -89,11 +91,6 @@ +@@ -89,11 +91,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) type xenconsoled_var_run_t; files_pid_file(xenconsoled_var_run_t) @@ -38765,7 +36677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te ####################################### # # evtchnd local policy -@@ -317,9 +314,10 @@ +@@ -317,9 +314,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -38777,7 +36689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -346,6 +344,7 @@ +@@ -346,6 +344,7 @@ dev_read_sysfs(xenstored_t) files_read_usr_files(xenstored_t) @@ -38785,7 +36697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te fs_manage_xenfs_files(xenstored_t) storage_raw_read_fixed_disk(xenstored_t) -@@ -353,6 +352,7 @@ +@@ -353,6 +352,7 @@ storage_raw_write_fixed_disk(xenstored_t) storage_raw_read_removable_device(xenstored_t) term_use_generic_ptys(xenstored_t) @@ -38793,7 +36705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -365,98 +365,9 @@ +@@ -365,98 +365,9 @@ xen_append_log(xenstored_t) ######################################## # @@ -38892,7 +36804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -469,8 +380,4 @@ +@@ -469,8 +380,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') @@ -38901,10 +36813,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te - unconfined_domain(xend_t) - ') ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.8.8/policy/support/misc_patterns.spt ---- nsaserefpolicy/policy/support/misc_patterns.spt 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.8/policy/support/misc_patterns.spt 2010-07-30 14:06:53.000000000 -0400 -@@ -15,7 +15,7 @@ +diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt +index 22ca011..df6b5de 100644 +--- a/policy/support/misc_patterns.spt ++++ b/policy/support/misc_patterns.spt +@@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',` domain_transition_pattern($1,$2,$3) allow $3 $1:fd use; @@ -38913,7 +36826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns allow $3 $1:process sigchld; ') -@@ -34,8 +34,12 @@ +@@ -34,8 +34,12 @@ define(`domtrans_pattern',` domain_auto_transition_pattern($1,$2,$3) allow $3 $1:fd use; @@ -38927,10 +36840,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns ') # -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.8.8/policy/support/obj_perm_sets.spt ---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.8/policy/support/obj_perm_sets.spt 2010-07-30 14:06:53.000000000 -0400 -@@ -28,7 +28,7 @@ +diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt +index b785e35..d9b0868 100644 +--- a/policy/support/obj_perm_sets.spt ++++ b/policy/support/obj_perm_sets.spt +@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') # # All socket classes. # @@ -38939,7 +36853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets # -@@ -105,7 +105,7 @@ +@@ -105,7 +105,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }') # # Permissions for using sockets. # @@ -38948,7 +36862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets # # Permissions for creating and using sockets. -@@ -199,12 +199,14 @@ +@@ -199,12 +199,14 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') # define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') @@ -38965,7 +36879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets define(`create_file_perms',`{ getattr create open }') define(`rename_file_perms',`{ getattr rename }') define(`delete_file_perms',`{ getattr unlink }') -@@ -225,7 +227,7 @@ +@@ -225,7 +227,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') @@ -38974,7 +36888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') -@@ -238,7 +240,8 @@ +@@ -238,7 +240,8 @@ define(`setattr_fifo_file_perms',`{ setattr }') define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') @@ -38984,7 +36898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') -@@ -254,7 +257,8 @@ +@@ -254,7 +257,8 @@ define(`getattr_sock_file_perms',`{ getattr }') define(`setattr_sock_file_perms',`{ setattr }') define(`read_sock_file_perms',`{ getattr open read }') define(`write_sock_file_perms',`{ getattr write open append }') @@ -38994,7 +36908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets define(`create_sock_file_perms',`{ getattr create open }') define(`rename_sock_file_perms',`{ getattr rename }') define(`delete_sock_file_perms',`{ getattr unlink }') -@@ -271,7 +275,8 @@ +@@ -271,7 +275,8 @@ define(`setattr_blk_file_perms',`{ setattr }') define(`read_blk_file_perms',`{ getattr open read lock ioctl }') define(`append_blk_file_perms',`{ getattr open append lock ioctl }') define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') @@ -39004,7 +36918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets define(`create_blk_file_perms',`{ getattr create }') define(`rename_blk_file_perms',`{ getattr rename }') define(`delete_blk_file_perms',`{ getattr unlink }') -@@ -288,7 +293,8 @@ +@@ -288,7 +293,8 @@ define(`setattr_chr_file_perms',`{ setattr }') define(`read_chr_file_perms',`{ getattr open read lock ioctl }') define(`append_chr_file_perms',`{ getattr open append lock ioctl }') define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') @@ -39014,7 +36928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets define(`create_chr_file_perms',`{ getattr create }') define(`rename_chr_file_perms',`{ getattr rename }') define(`delete_chr_file_perms',`{ getattr unlink }') -@@ -305,7 +311,8 @@ +@@ -305,7 +311,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') # # Use (read and write) terminals # @@ -39024,7 +36938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets # # Sockets -@@ -317,3 +324,14 @@ +@@ -317,3 +324,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') @@ -39039,9 +36953,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`all_dbus_perms', `{ acquire_svc send_msg } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.8.8/policy/users ---- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.8.8/policy/users 2010-07-30 14:06:53.000000000 -0400 +diff --git a/policy/users b/policy/users +index c4ebc7e..7ae41a6 100644 +--- a/policy/users ++++ b/policy/users @@ -15,7 +15,7 @@ # and a user process should never be assigned the system user # identity. @@ -39051,7 +36966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.8 # # user_u is a generic user identity for Linux users who have no -@@ -25,11 +25,8 @@ +@@ -25,11 +25,8 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) # permit any access to such users, then remove this entry. # gen_user(user_u, user, user_r, s0, s0) @@ -39065,7 +36980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.8 # # The following users correspond to Unix identities. -@@ -38,8 +35,4 @@ +@@ -38,8 +35,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al # role should use the staff_r role instead of the user_r role when # not in the sysadm_r. # @@ -39075,17 +36990,3 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.8 - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.8.8/support/Makefile.devel ---- nsaserefpolicy/support/Makefile.devel 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.8/support/Makefile.devel 2010-07-30 14:06:53.000000000 -0400 -@@ -68,8 +68,8 @@ - - # default MLS/MCS sensitivity and category settings. - MLS_SENS ?= 16 --MLS_CATS ?= 1024 --MCS_CATS ?= 1024 -+MLS_CATS ?= 256 -+MCS_CATS ?= 256 - - ifeq ($(QUIET),y) - verbose := @ diff --git a/selinux-policy.spec b/selinux-policy.spec index cfdf87e..4e87e9a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,8 +19,8 @@ %define CHECKPOLICYVER 2.0.21-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.8.8 -Release: 21%{?dist} +Version: 3.9.0 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,9 @@ exit 0 %endif %changelog +* Thu Aug 26 2010 Dan Walsh 3.9.0-1 +- Merge with upstream + * Tue Aug 24 2010 Dan Walsh 3.8.8-21 - Allow seunshare to fowner diff --git a/sources b/sources index 581c4ed..5304f11 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ 1f8151f0184945098f3cc3ca0b53e861 serefpolicy-3.8.8.tgz +9012ab09af5480459942d4a54de91db4 serefpolicy-3.9.0.tgz