diff --git a/policy-20070518.patch b/policy-20070518.patch index c56dde7..be11dd4 100644 --- a/policy-20070518.patch +++ b/policy-20070518.patch @@ -226,8 +226,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.6.5/policy/modules/admin/amanda.te --- nsaserefpolicy/policy/modules/admin/amanda.te 2007-03-26 10:39:08.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/admin/amanda.te 2007-05-23 11:17:15.000000000 -0400 -@@ -85,7 +85,7 @@ ++++ serefpolicy-2.6.5/policy/modules/admin/amanda.te 2007-05-25 08:29:31.000000000 -0400 +@@ -70,7 +70,7 @@ + + allow amanda_t self:capability { chown dac_override setuid kill }; + allow amanda_t self:process { setpgid signal }; +-allow amanda_t self:fifo_file { getattr read write ioctl lock }; ++allow amanda_t self:fifo_file rw_fifo_file_perms; + allow amanda_t self:unix_stream_socket create_stream_socket_perms; + allow amanda_t self:unix_dgram_socket create_socket_perms; + allow amanda_t self:tcp_socket create_stream_socket_perms; +@@ -85,18 +85,22 @@ # access to amandas data structure allow amanda_t amanda_data_t:dir { read search write }; @@ -236,7 +245,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. # access to amanda_dumpdates_t allow amanda_t amanda_dumpdates_t:file { getattr lock read write }; -@@ -97,6 +97,9 @@ + + can_exec(amanda_t,amanda_exec_t) ++can_exec(amanda_t,amanda_inetd_exec_t) + + # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists) + allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms; allow amanda_t amanda_gnutarlists_t:file manage_file_perms; allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms; 
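Review bot: `can_exec(amanda_t,amanda_inetd_exec_t)` lets amanda_t execute the inetd entrypoint binary without a domain change, and nothing in the hunk explains why the daemon re-executes its own entrypoint; a one-line comment such as `# amanda re-execs its inetd wrapper: <reason — fill in>` would stop a later maintainer from swapping it for a domtrans. If a same-domain re-exec is the intent, the rule itself is fine as written.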
@@ -953,9 +967,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool hal_rw_pid_files(vbetool_t) + hal_write_log(vbetool_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-2.6.5/policy/modules/apps/cdrecord.te +--- nsaserefpolicy/policy/modules/apps/cdrecord.te 2007-04-23 09:35:56.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/apps/cdrecord.te 2007-05-25 08:57:00.000000000 -0400 +@@ -6,7 +6,6 @@ + # Declarations + # + +-ifdef(`strict_policy',` + ## + ##

+ ## Allow cdrecord to read various content. +@@ -15,7 +14,6 @@ + ##

+ ##
+ gen_tunable(cdrecord_read_content,false) +-') + + type cdrecord_exec_t; + corecmd_executable_file(cdrecord_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-2.6.5/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-02-19 11:32:52.000000000 -0500 -+++ serefpolicy-2.6.5/policy/modules/apps/gnome.if 2007-05-22 14:41:13.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/apps/gnome.if 2007-05-24 15:02:17.000000000 -0400 @@ -35,6 +35,7 @@ template(`gnome_per_role_template',` gen_require(` @@ -964,18 +997,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if attribute gnomedomain; ') -@@ -105,6 +106,10 @@ - ') +@@ -102,6 +103,11 @@ optional_policy(` -+ ssh_dontaudit_use_user_ssh_agent_fds($1,$1_gconfd_t) + nscd_dontaudit_search_pid($1_gconfd_t) ++ nscd_socket_use($1_gconfd_t) + ') + + optional_policy(` - xserver_use_xdm_fds($1_gconfd_t) - xserver_rw_xdm_pipes($1_gconfd_t) ++ ssh_dontaudit_use_user_ssh_agent_fds($1,$1_gconfd_t) ') -@@ -136,13 +141,32 @@ + + optional_policy(` +@@ -136,13 +142,32 @@ allow $2 $1_gconfd_t:unix_stream_socket connectto; ') 
@@ -1138,6 +1172,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. dev_write_sound($1_mozilla_t) dev_read_sound($1_mozilla_t) dev_dontaudit_rw_dri($1_mozilla_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-2.6.5/policy/modules/apps/screen.fc +--- nsaserefpolicy/policy/modules/apps/screen.fc 2006-11-16 17:15:07.000000000 -0500 ++++ serefpolicy-2.6.5/policy/modules/apps/screen.fc 2007-05-25 08:59:03.000000000 -0400 +@@ -1,9 +1,7 @@ + # + # /home + # +-ifdef(`strict_policy',` + HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0) +-') + + # + # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.6.5/policy/modules/apps/slocate.te --- nsaserefpolicy/policy/modules/apps/slocate.te 2007-04-30 11:25:12.000000000 -0400 +++ serefpolicy-2.6.5/policy/modules/apps/slocate.te 2007-05-23 09:29:08.000000000 -0400 
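Review bot: The `HOME_DIR/\.screenrc` entry now applies to every policy type, but its `ROLE_screen_ro_home_t` label only resolves for roles whose per-role template is instantiated; I could not confirm from this patch that targeted policy instantiates one, and an unresolved type in file_contexts makes setfiles/restorecon reject the entry. The same unconditional `ROLE_` home-directory entries appear in thunderbird.fc, uml.fc and vmware.fc (L9–L15), pyzor.fc (L30), razor.fc (L31), spamassassin.fc (L32), ssh.fc (L33) and xserver.fc (L34). Either keep the guard until the per-role templates are wired into targeted, or state in the commit message that they already are.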
@@ -1156,6 +1203,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate. libs_use_shared_libs(locate_t) libs_use_ld_so(locate_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-2.6.5/policy/modules/apps/thunderbird.fc +--- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2006-11-16 17:15:07.000000000 -0500 ++++ serefpolicy-2.6.5/policy/modules/apps/thunderbird.fc 2007-05-25 08:58:55.000000000 -0400 +@@ -3,6 +3,4 @@ + # + /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) + +-ifdef(`strict_policy',` + HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0) +-') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-2.6.5/policy/modules/apps/uml.fc +--- nsaserefpolicy/policy/modules/apps/uml.fc 2006-11-16 17:15:07.000000000 -0500 ++++ serefpolicy-2.6.5/policy/modules/apps/uml.fc 2007-05-25 08:58:48.000000000 -0400 +@@ -8,6 +8,4 @@ + # + /var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0) + +-ifdef(`strict_policy',` +- HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0) +-') ++HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.if serefpolicy-2.6.5/policy/modules/apps/uml.if --- nsaserefpolicy/policy/modules/apps/uml.if 2007-03-26 10:38:58.000000000 -0400 +++ serefpolicy-2.6.5/policy/modules/apps/uml.if 2007-05-22 14:41:13.000000000 -0400 
@@ -1193,6 +1261,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.if s ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.te serefpolicy-2.6.5/policy/modules/apps/usernetctl.te +--- nsaserefpolicy/policy/modules/apps/usernetctl.te 2007-04-23 09:35:56.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/apps/usernetctl.te 2007-05-25 08:58:42.000000000 -0400 +@@ -6,7 +6,6 @@ + # Declarations + # + +-ifdef(`strict_policy',` + ## + ##

+ ## Allow users to control network interfaces +@@ -14,7 +13,6 @@ + ##

+ ##
+ gen_tunable(user_net_control,false) +-') + + type usernetctl_t; + type usernetctl_exec_t; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-2.6.5/policy/modules/apps/vmware.fc +--- nsaserefpolicy/policy/modules/apps/vmware.fc 2006-11-16 17:15:07.000000000 -0500 ++++ serefpolicy-2.6.5/policy/modules/apps/vmware.fc 2007-05-25 08:58:36.000000000 -0400 +@@ -1,11 +1,9 @@ + # + # HOME_DIR/ + # +-ifdef(`strict_policy',` + HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) + HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) + HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0) +-') + + # + # /etc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.5/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-04-11 15:52:53.000000000 -0400 +++ serefpolicy-2.6.5/policy/modules/kernel/corecommands.fc 2007-05-22 14:41:13.000000000 -0400 @@ -1986,7 +2088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te attribute privrangetrans; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-2.6.5/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-02-27 14:37:10.000000000 -0500 -+++ serefpolicy-2.6.5/policy/modules/kernel/selinux.if 2007-05-22 14:41:13.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/kernel/selinux.if 2007-05-24 15:28:25.000000000 -0400 @@ -51,6 +51,44 @@ ######################################## 
@@ -2416,7 +2518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.5/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-04-23 09:36:01.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/services/apache.te 2007-05-23 14:17:56.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/services/apache.te 2007-05-24 16:08:36.000000000 -0400 @@ -47,6 +47,13 @@ ## Allow http daemon to tcp connect ##

@@ -2459,7 +2561,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac attribute httpdcontent; # domains that can exec all users scripts -@@ -257,6 +285,7 @@ +@@ -201,11 +229,6 @@ + type squirrelmail_spool_t; + files_tmp_file(squirrelmail_spool_t) + +-ifdef(`targeted_policy',` +- typealias httpd_sys_content_t alias httpd_user_content_t; +- typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t; +-') +- + optional_policy(` + prelink_object_file(httpd_modules_t) + ') +@@ -257,6 +280,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) @@ -2467,7 +2581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -297,6 +326,7 @@ +@@ -297,6 +321,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -2475,7 +2589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_non_ipsec_sendrecv(httpd_t) corenet_tcp_sendrecv_all_if(httpd_t) -@@ -342,6 +372,9 @@ +@@ -342,6 +367,9 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -2485,7 +2599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -362,6 +395,10 @@ +@@ -362,6 +390,10 @@ mta_send_mail(httpd_t) @@ -2496,7 +2610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(httpd_t) term_dontaudit_use_generic_ptys(httpd_t) -@@ -389,6 +426,14 @@ +@@ -389,6 +421,14 @@ corenet_tcp_connect_all_ports(httpd_t) ') 
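Review bot: Dropping `typealias httpd_sys_content_t alias httpd_user_content_t;` and the matching `httpd_user_script_exec_t` alias from targeted policy changes the meaning of any existing on-disk label `httpd_user_content_t`: it stops being equivalent to httpd_sys_content_t, and if no per-role template now declares that type the label is rejected at relabel time and any local module referencing it fails to link. The commit should say what declares the type on targeted after this change and that a relabel is needed. The same kind of alias/type removal under `ifdef(`targeted_policy'` appears in cron.te (L20, `sysadm_cron_spool_t`) and mta.te (L25, `sysadm_mail_t`).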
@@ -2511,7 +2625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -416,6 +461,10 @@ +@@ -416,6 +456,10 @@ allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms; ') @@ -2522,7 +2636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -433,11 +482,21 @@ +@@ -433,11 +477,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -2544,7 +2658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -668,6 +727,12 @@ +@@ -668,6 +722,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -2557,7 +2671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -706,7 +771,8 @@ +@@ -706,7 +766,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -2567,7 +2681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -730,11 +796,21 @@ +@@ -730,11 +791,21 @@ ') ') 
@@ -2589,7 +2703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -788,3 +864,19 @@ +@@ -788,3 +859,19 @@ term_dontaudit_use_generic_ptys(httpd_rotatelogs_t) term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t) ') @@ -2908,7 +3022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # fcron wants an instant update of a crontab change for the administrator diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.6.5/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-05-18 11:12:43.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/services/cron.te 2007-05-22 14:41:13.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/services/cron.te 2007-05-24 16:01:30.000000000 -0400 @@ -42,6 +42,9 @@ type cron_log_t; logging_log_file(cron_log_t) @@ -2927,7 +3041,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron type crond_var_run_t; files_pid_file(crond_var_run_t) -@@ -89,7 +93,7 @@ +@@ -75,11 +79,6 @@ + type system_crond_tmp_t; + files_tmp_file(system_crond_tmp_t) + +-ifdef(`targeted_policy',` +- type sysadm_cron_spool_t; +- files_type(sysadm_cron_spool_t) +-') +- + ifdef(`enable_mcs',` + init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh) + ') +@@ -89,7 +88,7 @@ # Cron Local policy # 
@@ -2936,7 +3062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; -@@ -108,14 +112,12 @@ +@@ -108,14 +107,12 @@ allow crond_t crond_var_run_t:file manage_file_perms; files_pid_filetrans(crond_t,crond_var_run_t,file) @@ -2954,7 +3080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron dev_read_sysfs(crond_t) selinux_get_fs_mount(crond_t) -@@ -131,12 +133,22 @@ +@@ -131,12 +128,22 @@ fs_search_auto_mountpoints(crond_t) # need auth_chkpwd to check for locked accounts. @@ -2978,7 +3104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron domain_use_interactive_fds(crond_t) files_read_etc_files(crond_t) -@@ -152,6 +164,7 @@ +@@ -152,6 +159,7 @@ libs_use_shared_libs(crond_t) logging_send_syslog_msg(crond_t) @@ -2986,7 +3112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -165,6 +178,12 @@ +@@ -165,6 +173,12 @@ mta_send_mail(crond_t) @@ -2999,7 +3125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`distro_debian',` optional_policy(` # Debian logcheck has the home dir set to its cache -@@ -258,17 +277,26 @@ +@@ -258,17 +272,26 @@ # System cron process domain # @@ -3026,7 +3152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # cjp: why? squid_domtrans(system_crond_t) ') -@@ -369,7 +397,7 @@ +@@ -369,7 +392,7 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit 
@@ -3035,7 +3161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron libs_use_ld_so(system_crond_t) libs_use_shared_libs(system_crond_t) -@@ -427,6 +455,10 @@ +@@ -427,6 +450,10 @@ ') optional_policy(` @@ -3143,7 +3269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.6.5/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-03-26 10:39:04.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/services/dbus.if 2007-05-22 14:41:13.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/services/dbus.if 2007-05-24 14:21:05.000000000 -0400 @@ -49,6 +49,12 @@ ## # @@ -3505,7 +3631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.6.5/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2007-04-23 09:36:01.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/services/ftp.te 2007-05-22 14:41:13.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/services/ftp.te 2007-05-24 16:25:41.000000000 -0400 @@ -168,6 +168,7 @@ libs_use_shared_libs(ftpd_t) 
@@ -3514,14 +3640,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. miscfiles_read_localization(ftpd_t) miscfiles_read_public_files(ftpd_t) -@@ -223,10 +224,15 @@ +@@ -223,10 +224,14 @@ userdom_manage_all_users_home_content_dirs(ftpd_t) userdom_manage_all_users_home_content_files(ftpd_t) userdom_manage_all_users_home_content_symlinks(ftpd_t) + auth_manage_all_files_except_shadow(ftpd_t) ifdef(`targeted_policy',` - userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file }) +- userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file }) + files_manage_generic_tmp_files(ftpd_t) ') + auth_read_all_dirs_except_shadow(ftpd_t) 
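Review bot: Removing `userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })` from the targeted branch means objects ftpd creates directly under a user's home directory inherit the home directory's own type instead of the generic home-content type, which changes what user domains can later do with those uploads; the commit should say what type transition replaces it, if any. The surrounding lines `auth_manage_all_files_except_shadow(ftpd_t)` and `auth_read_all_dirs_except_shadow(ftpd_t)` already give ftpd_t write access to nearly every file type on the system, so a comment naming the tunable this indented block appears to belong to would help a reader judge whether that breadth is intended. The enclosing block starts outside the hunk.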
@@ -3991,10 +4117,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail ## Allow domain to read mailman archive files. ## ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.6.5/policy/modules/services/mta.if +--- nsaserefpolicy/policy/modules/services/mta.if 2007-05-18 11:12:43.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/services/mta.if 2007-05-25 09:01:36.000000000 -0400 +@@ -263,10 +263,8 @@ + type $1_mail_t; + ') + +- ifdef(`strict_policy',` +- # allow the sysadmin to do "mail someone < /home/user/whatever" +- userdom_read_unpriv_users_home_content_files($1_mail_t) +- ') ++ # allow the sysadmin to do "mail someone < /home/user/whatever" ++ userdom_read_unpriv_users_home_content_files($1_mail_t) + + optional_policy(` + gen_require(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.6.5/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-05-18 11:12:43.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/services/mta.te 2007-05-22 14:41:13.000000000 -0400 -@@ -27,6 +27,7 @@ ++++ serefpolicy-2.6.5/policy/modules/services/mta.te 2007-05-25 09:01:51.000000000 -0400 +@@ -27,18 +27,11 @@ type sendmail_exec_t; files_type(sendmail_exec_t) 
@@ -4002,7 +4144,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. mta_base_mail_template(system) role system_r types system_mail_t; -@@ -91,6 +92,7 @@ + +-# cjp: need to resolve this, but require{} +-# does not work in the else part of the optional +-#ifdef(`strict_policy',` +-# optional_policy(`',` +-# init_system_domain(system_mail_t,sendmail_exec_t) +-# ') +-#') +- + ######################################## + # + # System mail local policy +@@ -61,7 +54,6 @@ + userdom_dontaudit_search_sysadm_home_dirs(system_mail_t) + + ifdef(`targeted_policy',` +- typealias system_mail_t alias sysadm_mail_t; + + manage_dirs_pattern(system_mail_t,mail_spool_t,mail_spool_t) + manage_files_pattern(system_mail_t,mail_spool_t,mail_spool_t) +@@ -91,6 +83,7 @@ optional_policy(` apache_read_squirrelmail_data(system_mail_t) apache_append_squirrelmail_data(system_mail_t) @@ -4528,8 +4690,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-2.6.5/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2007-04-23 09:36:01.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/services/ppp.te 2007-05-22 14:41:13.000000000 -0400 -@@ -155,7 +155,7 @@ ++++ serefpolicy-2.6.5/policy/modules/services/ppp.te 2007-05-25 09:01:55.000000000 -0400 +@@ -13,14 +13,12 @@ + ## + gen_tunable(pppd_can_insmod,false) + +-ifdef(`strict_policy',` + ## + ##

+ ## Allow pppd to be run for a regular user + ##

+ ##
+ gen_tunable(pppd_for_user,false) +-') + + # pppd_t is the domain for the pppd program. + # pppd_exec_t is the type of the pppd executable. +@@ -155,7 +153,7 @@ files_exec_etc_files(pppd_t) files_manage_etc_runtime_files(pppd_t) @@ -4572,6 +4749,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') + + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-2.6.5/policy/modules/services/pyzor.fc +--- nsaserefpolicy/policy/modules/services/pyzor.fc 2006-11-16 17:15:20.000000000 -0500 ++++ serefpolicy-2.6.5/policy/modules/services/pyzor.fc 2007-05-25 09:01:59.000000000 -0400 +@@ -6,6 +6,4 @@ + /var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) + /var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0) + +-ifdef(`strict_policy',` + HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0) +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.6.5/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2007-04-23 09:36:01.000000000 -0400 +++ serefpolicy-2.6.5/policy/modules/services/pyzor.te 2007-05-22 14:41:13.000000000 -0400 
@@ -4614,6 +4801,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi +optional_policy(` + samba_read_var_files(radiusd_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-2.6.5/policy/modules/services/razor.fc +--- nsaserefpolicy/policy/modules/services/razor.fc 2006-11-16 17:15:20.000000000 -0500 ++++ serefpolicy-2.6.5/policy/modules/services/razor.fc 2007-05-25 09:02:03.000000000 -0400 +@@ -1,6 +1,4 @@ +-ifdef(`strict_policy',` + HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) +-') + + /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-2.6.5/policy/modules/services/rhgb.te +--- nsaserefpolicy/policy/modules/services/rhgb.te 2007-04-23 09:36:01.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/services/rhgb.te 2007-05-25 09:02:23.000000000 -0400 +@@ -113,19 +113,8 @@ + xserver_domtrans_xdm_xserver(rhgb_t) + xserver_signal_xdm_xserver(rhgb_t) + +-ifdef(`strict_policy',` +- allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr }; +- term_create_pty(rhgb_t,rhgb_devpts_t) +-', ` +- files_dontaudit_read_root_files(rhgb_t) +- +- term_use_generic_ptys(rhgb_t) +- term_setattr_generic_ptys(rhgb_t) +- term_dontaudit_use_unallocated_ttys(rhgb_t) +- +- xserver_domtrans_xdm_xserver(rhgb_t) +- xserver_read_xdm_tmp_files(rhgb_t) +-') ++allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr }; ++term_create_pty(rhgb_t,rhgb_devpts_t) + + optional_policy(` + consoletype_exec(rhgb_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-2.6.5/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2007-04-23 09:36:01.000000000 -0400 +++ serefpolicy-2.6.5/policy/modules/services/rlogin.te 2007-05-22 14:41:13.000000000 -0400 
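Review bot: Collapsing the strict/else split in rhgb.te keeps only the strict branch, so targeted policy loses `term_use_generic_ptys(rhgb_t)`, `term_setattr_generic_ptys(rhgb_t)`, `term_dontaudit_use_unallocated_ttys(rhgb_t)`, `files_dontaudit_read_root_files(rhgb_t)` and `xserver_read_xdm_tmp_files(rhgb_t)`. If rhgb on targeted still uses the generic pty path rather than its own rhgb_devpts_t, those become new AVC denials at boot. Worth confirming against a targeted boot with rhgb before merging, or carrying the two dontaudit lines unconditionally.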
@@ -5136,7 +5358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.5/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-04-23 09:36:01.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/services/samba.te 2007-05-23 11:15:09.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/services/samba.te 2007-05-23 14:32:38.000000000 -0400 @@ -28,6 +28,35 @@ ## gen_tunable(samba_share_nfs,false) @@ -5455,9 +5677,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp allow snmpd_t snmpd_log_t:file manage_file_perms; logging_log_filetrans(snmpd_t,snmpd_log_t,file) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-2.6.5/policy/modules/services/spamassassin.fc +--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-03-08 08:26:59.000000000 -0500 ++++ serefpolicy-2.6.5/policy/modules/services/spamassassin.fc 2007-05-25 09:02:28.000000000 -0400 +@@ -10,6 +10,4 @@ + + /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) + +-ifdef(`strict_policy',` + HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.6.5/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-04-23 09:36:01.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/services/spamassassin.te 2007-05-22 14:41:13.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/services/spamassassin.te 2007-05-24 16:47:42.000000000 -0400 @@ -6,14 +6,12 @@ # Declarations # 
@@ -5499,6 +5731,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam corenet_sendrecv_razor_client_packets(spamd_t) corenet_sendrecv_spamd_server_packets(spamd_t) # spamassassin 3.1 needs this for its +@@ -162,7 +161,7 @@ + userdom_manage_generic_user_home_content_dirs(spamd_t) + userdom_manage_generic_user_home_content_files(spamd_t) + userdom_manage_generic_user_home_content_symlinks(spamd_t) +- userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir) ++# userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir) + ') + ') + @@ -192,6 +191,11 @@ ') @@ -5536,6 +5777,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi + sysnet_read_config(httpd_squid_script_t) + corenet_non_ipsec_sendrecv(httpd_squid_script_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-2.6.5/policy/modules/services/ssh.fc +--- nsaserefpolicy/policy/modules/services/ssh.fc 2006-11-16 17:15:20.000000000 -0500 ++++ serefpolicy-2.6.5/policy/modules/services/ssh.fc 2007-05-24 13:35:36.000000000 -0400 +@@ -12,8 +12,6 @@ + + /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +-ifdef(`targeted_policy', `', ` + /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) + + HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0) +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.6.5/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2007-04-30 10:41:38.000000000 -0400 +++ serefpolicy-2.6.5/policy/modules/services/ssh.if 2007-05-22 14:41:13.000000000 -0400 
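Review bot: `# userdom_generic_user_home_dir_filetrans_generic_user_home_content(spamd_t,dir)` is commented out rather than deleted, leaving dead policy text with no explanation; the patch is already the record of the change, so drop the line and, if the transition is intentionally gone, say why in a `#` comment or the commit message. The same commented-out pattern is used for `unconfined_domain(xdm_t)`, the xdm filetrans and `unconfined_domain_noaudit(xdm_xserver_t)` in xserver.te (L43).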
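Review bot: With the `ifdef(`targeted_policy', `', `` guard gone, targeted systems will label `HOME_DIR/\.ssh(/.*)?` with the per-role `ROLE_home_ssh_t` type after a relabel, and `/usr/bin/ssh-agent` becomes `ssh_agent_exec_t`; sshd must be allowed to read the resulting home types (authorized_keys) or public-key logins start failing after the next restorecon. Neither ssh.te nor the sshd interfaces are in this hunk, so I could not confirm the matching read rules exist on targeted; please check, and note in the commit message that home directories need relabeling.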
@@ -5663,10 +5916,71 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. +corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) + +miscfiles_read_certs(httpd_w3c_validator_script_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-2.6.5/policy/modules/services/xserver.fc +--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-02-19 11:32:53.000000000 -0500 ++++ serefpolicy-2.6.5/policy/modules/services/xserver.fc 2007-05-25 09:03:12.000000000 -0400 +@@ -1,7 +1,6 @@ + # + # HOME_DIR + # +-ifdef(`strict_policy',` + HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:ROLE_fonts_config_t,s0) + HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:ROLE_fonts_t,s0) + HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:ROLE_fonts_cache_t,s0) +@@ -9,7 +8,6 @@ + HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:ROLE_iceauth_home_t,s0) + HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) + HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0) +-') + + # + # /dev +@@ -29,6 +27,7 @@ + + /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) + /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) ++/etc/X11/init/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) + /etc/X11/wdm(/.*)? 
gen_context(system_u:object_r:xdm_rw_etc_t,s0) + /etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) + /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) +@@ -49,9 +48,7 @@ + /tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) + /tmp/\.X11-unix/.* -s <> + +-ifdef(`strict_policy',` + /tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0) +-') + + # + # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.5/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-05-04 12:19:22.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/services/xserver.if 2007-05-23 09:18:39.000000000 -0400 -@@ -1136,7 +1136,7 @@ ++++ serefpolicy-2.6.5/policy/modules/services/xserver.if 2007-05-25 09:03:19.000000000 -0400 +@@ -154,6 +154,8 @@ + + modutils_domtrans_insmod($1_xserver_t) + ++ selinux_get_fs_mount($1_xserver_t) ++ + seutil_dontaudit_search_config($1_xserver_t) + + sysnet_read_config($1_xserver_t) +@@ -732,12 +734,8 @@ + attribute xauth_home_type; + ') + +- ifdef(`strict_policy',` +- allow $1 xauth_home_type:file read_file_perms; +- userdom_search_all_users_home_dirs($1) +- ',` +- userdom_read_generic_user_home_content_files($1) +- ') ++ allow $1 xauth_home_type:file read_file_perms; ++ userdom_search_all_users_home_dirs($1) + ') + + ######################################## +@@ -1136,7 +1134,7 @@ type xdm_xserver_tmp_t; ') 
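Review bot: The rewritten block in xserver.if keeps only the strict branch, so callers on targeted policy now get `allow $1 xauth_home_type:file read_file_perms;` plus `userdom_search_all_users_home_dirs($1)` and lose `userdom_read_generic_user_home_content_files($1)`; that is the narrower grant, but any targeted caller that relied on reading generic home content through this interface will now be denied. The interface's name and header are outside the hunk, so its documentation block should be updated to describe the now-unconditional behaviour. The added `selinux_get_fs_mount($1_xserver_t)` earlier in the same file could use a one-line `#` comment saying which X server operation needs it.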
@@ -5675,6 +5989,84 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.6.5/policy/modules/services/xserver.te +--- nsaserefpolicy/policy/modules/services/xserver.te 2007-05-04 12:19:22.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/services/xserver.te 2007-05-24 16:22:38.000000000 -0400 +@@ -6,7 +6,6 @@ + # Declarations + # + +-ifdef(`strict_policy',` + ## + ##

+ ## Allows clients to write to the X server shared +@@ -14,7 +13,6 @@ + ##

+ ##
+ gen_tunable(allow_write_xshm,false) +-') + + ## + ##

+@@ -276,9 +274,9 @@ + xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) + + ifdef(`targeted_policy',` +- unconfined_domain(xdm_t) ++# unconfined_domain(xdm_t) + unconfined_domtrans(xdm_t) +- userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir }) ++# userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir }) + + ifndef(`distro_redhat',` + allow xdm_t self:process { execheap execmem }; +@@ -321,6 +319,8 @@ + + optional_policy(` + consolekit_dbus_chat(xdm_t) ++ dbus_system_bus_client_template(xdm, xdm_t) ++ dbus_send_system_bus(xdm_t) + ') + + optional_policy(` +@@ -427,7 +427,7 @@ + ') + + ifdef(`targeted_policy',` +- unconfined_domain_noaudit(xdm_xserver_t) ++# unconfined_domain_noaudit(xdm_xserver_t) + unconfined_domtrans(xdm_xserver_t) + + ifndef(`distro_redhat',` +@@ -449,28 +449,6 @@ + ') + + ifdef(`TODO',` +-# Need to further investigate these permissions and +-# perhaps define derived types. +-allow xdm_t var_lib_t:dir { write search add_name remove_name create unlink }; +-allow xdm_t var_lib_t:file { create write unlink }; +- +-# Do not audit attempts to write to index files under /usr +-dontaudit xdm_t usr_t:file write; +- +-ifdef(`rhgb.te', ` +-allow xdm_xserver_t ramfs_t:dir rw_dir_perms; +-allow xdm_xserver_t ramfs_t:file manage_file_perms; +-allow rhgb_t xdm_xserver_t:process signal; +-') +- +-tunable_policy(`allow_polyinstantiation',` +-# xdm needs access for linking .X11-unix to poly /tmp +-allow xdm_t polymember:dir { add_name remove_name write }; +-allow xdm_t polymember:lnk_file { create unlink }; +-# xdm needs access for copying .Xauthority into new home +-allow xdm_t polymember:file { create getattr write }; +-') +- + # + # Wants to delete .xsession-errors file + # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.fc serefpolicy-2.6.5/policy/modules/system/application.fc --- nsaserefpolicy/policy/modules/system/application.fc 1969-12-31 
19:00:00.000000000 -0500 +++ serefpolicy-2.6.5/policy/modules/system/application.fc 2007-05-22 14:41:13.000000000 -0400 @@ -5819,13 +6211,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.6.5/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-03-26 10:39:07.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/system/authlogin.if 2007-05-22 14:41:13.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/system/authlogin.if 2007-05-24 15:13:17.000000000 -0400 @@ -27,11 +27,9 @@ domain_type($1_chkpwd_t) domain_entry_file($1_chkpwd_t,chkpwd_exec_t) - allow $1_chkpwd_t self:capability { audit_control setuid }; -+ allow $1_chkpwd_t self:capability setuid; ++ allow $1_chkpwd_t self:capability { dac_override setuid }; allow $1_chkpwd_t self:process getattr; - send_audit_msgs_pattern($1_chkpwd_t) @@ -5887,17 +6279,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo domain_type($1) domain_subj_id_change_exemption($1) -@@ -187,6 +180,9 @@ +@@ -187,6 +180,12 @@ domain_obj_id_change_exemption($1) role system_r types $1; + auth_keyring_domain($1) + allow $1 keyring_type:key { search link }; + ++ logging_send_audit_msg($1) ++ logging_set_loginuid($1) ++ # for SSP/ProPolice dev_read_urand($1) -@@ -211,9 +207,11 @@ +@@ -211,9 +210,11 @@ auth_read_login_records($1) auth_append_login_records($1) auth_rw_lastlog($1) @@ -5910,7 +6305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo init_rw_utmp($1) logging_send_syslog_msg($1) -@@ -221,6 +219,7 @@ +@@ -221,6 +222,7 @@ seutil_read_config($1) seutil_read_default_contexts($1) 
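Review bot: In xserver.te the new `dbus_system_bus_client_template(xdm, xdm_t)` and `dbus_send_system_bus(xdm_t)` are placed inside the `optional_policy(` block that begins with `consolekit_dbus_chat(xdm_t)`; refpolicy keeps one module per optional block because an optional block is all-or-nothing, so on a system without the consolekit module xdm would silently lose its dbus client rules too. Move the two dbus calls into their own `optional_policy(` block. Separately, turning `unconfined_domain(xdm_t)` and `unconfined_domain_noaudit(xdm_xserver_t)` into comments confines xdm and the xdm-started X server on targeted for the first time; that is a significant change that deserves a sentence in the commit message and a plan for the denials it will surface.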
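Review bot: `allow $1_chkpwd_t self:capability { dac_override setuid };` grants the password-check helper a blanket DAC bypass; if the only access that needs it is reading shadow_t, `dac_read_search` is the narrower capability and keeps the helper from writing files it does not own should it ever be subverted. A `#` comment stating which denial motivated the capability would let the next reader re-evaluate it, since the hunk gives no reason and the earlier version of this patch granted only `setuid`.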
@@ -5918,7 +6313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') -@@ -320,10 +319,6 @@ +@@ -320,10 +322,6 @@ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ') @@ -5929,7 +6324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo corecmd_search_bin($1) domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) -@@ -357,6 +352,37 @@ +@@ -357,6 +355,37 @@ ######################################## ##

@@ -5967,7 +6362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -1391,3 +1417,114 @@ +@@ -1391,3 +1420,114 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -6084,7 +6479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.6.5/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-04-30 10:41:38.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/system/authlogin.te 2007-05-22 14:41:13.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/system/authlogin.te 2007-05-24 15:01:06.000000000 -0400 @@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; @@ -6107,7 +6502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -252,6 +258,8 @@ +@@ -252,12 +258,16 @@ # System check password local policy # @@ -6116,7 +6511,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo allow system_chkpwd_t shadow_t:file { getattr read }; corecmd_search_bin(system_chkpwd_t) -@@ -305,3 +313,30 @@ + + domain_dontaudit_use_interactive_fds(system_chkpwd_t) + ++selinux_get_fs_mount(system_chkpwd_t) ++ + term_dontaudit_use_unallocated_ttys(system_chkpwd_t) + term_dontaudit_use_generic_ptys(system_chkpwd_t) + +@@ -305,3 +315,30 @@ xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') 
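Review bot: `selinux_get_fs_mount(system_chkpwd_t)` is added with no comment saying what the password helper does with the selinuxfs mount point, so a later reader cannot tell whether it is a real need or an audit2allow artefact that will be copied into the next domain. If it came from libselinux initialisation (a lookup of where selinuxfs is mounted, presumably seen as a denial while the helper ran), record that: `# libselinux locates selinuxfs on init — seen as a denial, confirm`. The system_chkpwd_t block continues on both sides of the hunk.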
@@ -6342,6 +6745,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna +optional_policy(` + unconfined_dontaudit_rw_pipes(hostname_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.6.5/policy/modules/system/init.fc +--- nsaserefpolicy/policy/modules/system/init.fc 2006-11-16 17:15:24.000000000 -0500 ++++ serefpolicy-2.6.5/policy/modules/system/init.fc 2007-05-25 09:03:41.000000000 -0400 +@@ -14,9 +14,7 @@ + /etc/x11/startDM.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) + ') + +-ifdef(`strict_policy',` + /etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0) +-') + + # + # /dev diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.6.5/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-05-18 11:12:44.000000000 -0400 +++ serefpolicy-2.6.5/policy/modules/system/init.if 2007-05-22 14:41:13.000000000 -0400 @@ -6719,7 +7135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.6.5/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-03-26 10:39:07.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/system/logging.if 2007-05-22 14:41:13.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/system/logging.if 2007-05-24 15:05:14.000000000 -0400 @@ -223,6 +223,25 @@ ######################################## @@ -6834,7 +7250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + typeattribute $1 can_set_loginuid, can_send_audit_msg; + + allow $1 self:capability audit_control; -+ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay }; ++ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay }; +') + +######################################## 
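Review bot: Dropping the strict_policy guard makes `/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)` apply to the targeted policy as well, but a file-context change only reaches files that are relabeled; an upgraded system keeps prefdm's old on-disk label, so init will run it in a different domain than a fresh install until `restorecon /etc/X11/prefdm` (or the package's relabel step) runs. A note above the entry would record this, e.g. `# initrc_exec_t in targeted too; existing installs need a relabel`. I cannot see from the hunk whether the package post-install already relabels changed contexts, so this may already be covered.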
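Review bot: The `nlsms_relay` → `nlmsg_relay` correction means this interface could not have compiled before, so callers added elsewhere in this patch (the login-program template now calls `logging_set_loginuid($1)`) are exercising `audit_control` plus `netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay }` for the first time; a full policy build and an `sesearch` check of what those callers end up with is the real verification. The interface name is outside the hunk, but the `can_set_loginuid, can_send_audit_msg` attributes show it hands out loginuid and audit-message rights in one call, which deserves a comment such as `# audit_control: write /proc/self/loginuid; nlmsg_read: audit status query; nlmsg_relay: AUDIT_USER_* records`. If some callers need only one of the two, splitting the interface keeps the grant minimal.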
@@ -7330,7 +7746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.5/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-18 11:12:44.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/system/selinuxutil.te 2007-05-23 10:42:16.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/system/selinuxutil.te 2007-05-24 15:37:32.000000000 -0400 @@ -1,10 +1,8 @@ policy_module(selinuxutil,1.5.1) @@ -7403,7 +7819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +domain_type(setfiles_t) +role system_r types setfiles_t; + -+type setfiles_exec_t; ++type setfiles_exec_t alias restorecon_exec_t; +domain_entry_file(setfiles_t,setfiles_exec_t) ifdef(`distro_redhat',` @@ -7502,7 +7918,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu dev_read_urand(semanage_t) -@@ -492,6 +497,8 @@ +@@ -483,6 +488,7 @@ + mls_rangetrans_target(semanage_t) + mls_file_read_up(semanage_t) + ++selinux_get_fs_mount(semanage_t) + selinux_validate_context(semanage_t) + selinux_get_enforce_mode(semanage_t) + # for setsebool: +@@ -492,6 +498,8 @@ # Running genhomedircon requires this for finding all users auth_use_nsswitch(semanage_t) @@ -7511,7 +7935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu libs_use_ld_so(semanage_t) libs_use_shared_libs(semanage_t) -@@ -518,6 +525,15 @@ +@@ -518,6 +526,15 @@ userdom_search_sysadm_home_dirs(semanage_t) 
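Review bot: `type setfiles_exec_t alias restorecon_exec_t;` folds the restorecon entry point into setfiles_t, so any domain that used to transition into a separate restorecon domain now lands in setfiles_t, and any module that still declares `restorecon_exec_t` or `restorecon_t` on its own will collide with the alias at build time. The hunk does not show the removal of the old restorecon declarations or the /sbin/restorecon file-context entry, so I cannot confirm both were done; a full build and a `seinfo` lookup of the alias would settle it. A comment on the alias line would help the next reader: `# restorecon now runs in setfiles_t; alias keeps existing fc entries and callers resolving`. If restorecon was meant to keep fewer rights than boot-time setfiles, this is a privilege widening and belongs in the commit message.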
@@ -7754,7 +8178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf init_dbus_chat_script(unconfined_execmem_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.6.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-05-18 11:12:44.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/system/userdomain.if 2007-05-22 14:41:13.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/system/userdomain.if 2007-05-24 14:35:27.000000000 -0400 @@ -114,6 +114,18 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; @@ -7862,7 +8286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # - allow $1_t self:capability ~sys_module; -+ allow $1_t self:capability ~{ sys_module audit_control }; ++ allow $1_t self:capability ~{ sys_module audit_control audit_write }; allow $1_t self:process { setexec setfscreate }; # Set password information for other users. 
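Review bot: The admin template keeps a complement set, `allow $1_t self:capability ~{ sys_module audit_control audit_write };`, so the admin domain silently receives every capability not listed, including any added to the `capability` class after this policy was written; extending the exclusion list one entry at a time (audit_control, now audit_write) is a sign the rule wants to be a positive list. If "everything except module loading and audit" really is the intent, keep the form but say so: `# complement set: grants all other capabilities, including ones added later — re-audit on policy updates`; otherwise enumerate the capabilities sysadm actually uses. The template body continues on both sides of the hunk.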
@@ -8052,7 +8476,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5352,14 +5350,13 @@ +@@ -4682,18 +4680,14 @@ + ## + # + interface(`userdom_read_sysadm_home_content_files',` +- ifdef(`strict_policy',` +- gen_require(` +- type sysadm_home_dir_t, sysadm_home_t; +- ') +- +- files_search_home($1) +- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; +- read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) +- read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) +- ',` +- userdom_read_generic_user_home_content_files($1) ++ gen_require(` ++ type sysadm_home_dir_t, sysadm_home_t; + ') ++ ++ files_search_home($1) ++ allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; ++ read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) ++ read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) + ') + + ######################################## +@@ -4707,18 +4701,14 @@ + ## + # + interface(`userdom_read_sysadm_tmp_files',` +- ifdef(`strict_policy',` +- gen_require(` +- type sysadm_tmp_t; +- ') +- +- files_search_tmp($1) +- allow $1 sysadm_tmp_t:dir list_dir_perms; +- read_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t) +- read_lnk_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t) +- ',` +- files_read_generic_tmp_files($1) ++ gen_require(` ++ type sysadm_tmp_t; + ') ++ ++ files_search_tmp($1) ++ allow $1 sysadm_tmp_t:dir list_dir_perms; ++ read_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t) ++ read_lnk_files_pattern($1,sysadm_tmp_t,sysadm_tmp_t) + ') + + ######################################## +@@ -5352,14 +5342,13 @@ interface(`userdom_use_unpriv_users_ptys',` ifdef(`targeted_policy',` term_use_generic_ptys($1) 
@@ -8073,7 +8549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5376,13 +5373,13 @@ +@@ -5376,13 +5365,13 @@ interface(`userdom_dontaudit_use_unpriv_users_ptys',` ifdef(`targeted_policy',` term_dontaudit_use_generic_ptys($1) @@ -8092,7 +8568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5435,13 +5432,12 @@ +@@ -5435,13 +5424,12 @@ interface(`userdom_list_unpriv_users_tmp',` ifdef(`targeted_policy',` files_list_tmp($1) @@ -8111,7 +8587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5457,13 +5453,12 @@ +@@ -5457,13 +5445,12 @@ interface(`userdom_read_unpriv_users_tmp_files',` ifdef(`targeted_policy',` files_read_generic_tmp_files($1) @@ -8130,7 +8606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5479,13 +5474,12 @@ +@@ -5479,13 +5466,12 @@ interface(`userdom_read_unpriv_users_tmp_symlinks',` ifdef(`targeted_policy',` files_read_generic_tmp_symlinks($1) @@ -8149,7 +8625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5519,13 +5513,12 @@ +@@ -5519,13 +5505,12 @@ interface(`userdom_use_unpriv_users_ttys',` ifdef(`targeted_policy',` term_use_unallocated_ttys($1) @@ -8168,7 +8644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5542,13 +5535,12 @@ +@@ -5542,13 +5527,12 @@ interface(`userdom_dontaudit_use_unpriv_users_ttys',` ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys($1) 
@@ -8187,7 +8663,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5720,3 +5712,112 @@ +@@ -5672,15 +5656,11 @@ + ## + # + interface(`userdom_create_all_users_keys',` +- ifdef(`strict_policy',` +- gen_require(` +- attribute userdomain; +- ') +- +- allow $1 userdomain:key create; +- ',` +- unconfined_create_keys($1) ++ gen_require(` ++ attribute userdomain; + ') ++ ++ allow $1 userdomain:key create; + ') + + ######################################## +@@ -5720,3 +5700,112 @@ allow $1 user_home_dir_t:dir manage_dir_perms; files_home_filetrans($1,user_home_dir_t,dir) ') @@ -8302,7 +8798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.6.5/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-05-18 11:12:44.000000000 -0400 -+++ serefpolicy-2.6.5/policy/modules/system/userdomain.te 2007-05-22 14:41:13.000000000 -0400 ++++ serefpolicy-2.6.5/policy/modules/system/userdomain.te 2007-05-25 08:27:29.000000000 -0400 @@ -15,7 +15,6 @@ # Declarations # 
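Review bot: Removing the targeted fallback means `userdom_create_all_users_keys` now always emits `allow $1 userdomain:key create;` and never `unconfined_create_keys($1)`; on a targeted build this only covers unconfined_t if that type carries the `userdomain` attribute, which the hunk does not show. If it does not, login programs calling this interface lose key creation for unconfined sessions (pam_keyinit), so please verify with `sesearch -A -s <caller> -c key` on a targeted build. A line in the interface header, `## Every user domain, including unconfined users, must carry the userdomain attribute.`, would record the assumption; the header is outside the hunk.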
@@ -8329,121 +8825,732 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # The privhome attribute identifies every domain that can create files under # regular user home directories in the regular context (IE act on behalf of # a user in writing regular files) -@@ -101,10 +102,27 @@ +@@ -101,440 +102,421 @@ # Local policy # -+userdom_unpriv_user_template(user) - ifdef(`strict_policy',` - userdom_admin_user_template(sysadm) -+ -+ optional_policy(` -+ cron_admin_template(sysadm,sysadm_t,sysadm_r) -+ ') -+ -+ optional_policy(` -+ ethereal_admin_template(sysadm,sysadm_t,sysadm_r) -+ ') -+ -+ optional_policy(` -+ lpr_admin_template(sysadm,sysadm_t,sysadm_r) -+ ') -+ -+ optional_policy(` -+ mta_admin_template(sysadm,sysadm_t,sysadm_r) -+ ') -+ - userdom_unpriv_user_template(staff) +-ifdef(`strict_policy',` +- userdom_admin_user_template(sysadm) +- userdom_unpriv_user_template(staff) - userdom_unpriv_user_template(user) +- +- # user role change rules: +- # sysadm_r can change to user roles +- userdom_role_change_template(sysadm, user) +- userdom_role_change_template(sysadm, staff) +- +- # only staff_r can change to sysadm_r +- userdom_role_change_template(staff, sysadm) +- dontaudit staff_t admin_terminal:chr_file { read write }; ++userdom_unpriv_user_template(user) ++userdom_admin_user_template(sysadm) - # user role change rules: - # sysadm_r can change to user roles -@@ -157,6 +175,11 @@ +- ifdef(`enable_mls',` +- userdom_unpriv_user_template(secadm) +- userdom_unpriv_user_template(auditadm) ++optional_policy(` ++ cron_admin_template(sysadm,sysadm_t,sysadm_r) ++') - init_exec(sysadm_t) +- userdom_role_change_template(staff,auditadm) +- userdom_role_change_template(staff,secadm) ++optional_policy(` ++ ethereal_admin_template(sysadm,sysadm_t,sysadm_r) ++') -+ kernel_sigstop_unlabeled(sysadm_t) -+ kernel_signal_unlabeled(sysadm_t) -+ kernel_kill_unlabeled(sysadm_t) -+ kernel_read_unlabeled_state(sysadm_t) -+ - # Following for sending 
reboot and wall messages - userdom_use_unpriv_users_ptys(sysadm_t) - userdom_use_unpriv_users_ttys(sysadm_t) -@@ -227,6 +250,10 @@ - ') +- userdom_role_change_template(sysadm,secadm) +- userdom_role_change_template(sysadm,auditadm) ++optional_policy(` ++ lpr_admin_template(sysadm,sysadm_t,sysadm_r) ++') - optional_policy(` -+ amtu_run(sysadm_t,sysadm_r,admin_terminal) -+ ') -+ -+ optional_policy(` - apache_run_helper(sysadm_t,sysadm_r,admin_terminal) - #apache_run_all_scripts(sysadm_t,sysadm_r) - #apache_domtrans_sys_script(sysadm_t) -@@ -286,18 +313,6 @@ - ') +- userdom_role_change_template(auditadm,secadm) +- userdom_role_change_template(auditadm,sysadm) ++optional_policy(` ++ mta_admin_template(sysadm,sysadm_t,sysadm_r) ++') - optional_policy(` -- consoletype_exec(sysadm_t) -- -- ifdef(`enable_mls',` -- consoletype_exec(auditadm_t) +- userdom_role_change_template(secadm,auditadm) +- userdom_role_change_template(secadm,sysadm) +- ') ++userdom_unpriv_user_template(staff) + +- # this should be tunable_policy, but +- # currently type_change and RBAC allow +- # do not work in conditionals +- ifdef(`user_canbe_sysadm',` +- userdom_role_change_template(user,sysadm) +- ') ++# user role change rules: ++# sysadm_r can change to user roles ++userdom_role_change_template(sysadm, user) ++userdom_role_change_template(sysadm, staff) + +- ######################################## +- # +- # Sysadm local policy +- # ++# only staff_r can change to sysadm_r ++userdom_role_change_template(staff, sysadm) ++dontaudit staff_t admin_terminal:chr_file { read write }; + +- # for su +- allow sysadm_t userdomain:fd use; ++ifdef(`enable_mls',` ++ userdom_unpriv_user_template(secadm) ++ userdom_unpriv_user_template(auditadm) + +- # Add/remove user home directories +- allow sysadm_t user_home_dir_t:dir manage_dir_perms; +- files_home_filetrans(sysadm_t,user_home_dir_t,dir) ++ userdom_role_change_template(staff,auditadm) ++ userdom_role_change_template(staff,secadm) + +- 
corecmd_exec_shell(sysadm_t) ++ userdom_role_change_template(sysadm,secadm) ++ userdom_role_change_template(sysadm,auditadm) + +- mls_process_read_up(sysadm_t) ++ userdom_role_change_template(auditadm,secadm) ++ userdom_role_change_template(auditadm,sysadm) + +- init_exec(sysadm_t) ++ userdom_role_change_template(secadm,auditadm) ++ userdom_role_change_template(secadm,sysadm) ++') + +- # Following for sending reboot and wall messages +- userdom_use_unpriv_users_ptys(sysadm_t) +- userdom_use_unpriv_users_ttys(sysadm_t) ++# this should be tunable_policy, but ++# currently type_change and RBAC allow ++# do not work in conditionals ++ifdef(`user_canbe_sysadm',` ++ userdom_role_change_template(user,sysadm) ++') + +- ifdef(`direct_sysadm_daemon',` +- optional_policy(` +- init_run_daemon(sysadm_t,sysadm_r,admin_terminal) +- ') +- ',` +- ifdef(`distro_gentoo',` +- optional_policy(` +- seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal) +- ') - ') - ') ++######################################## ++# ++# Sysadm local policy ++# + +- ifdef(`enable_mls',` +- allow auditadm_t self:capability { dac_read_search dac_override }; +- seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) +- domain_kill_all_domains(auditadm_t) +- seutil_read_bin_policy(auditadm_t) +- corecmd_exec_shell(auditadm_t) +- logging_send_syslog_msg(auditadm_t) +- logging_read_generic_logs(auditadm_t) +- logging_manage_audit_log(auditadm_t) +- logging_manage_audit_config(auditadm_t) +- logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t }) +- logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) +- userdom_dontaudit_read_sysadm_home_content_files(auditadm_t) - +- allow secadm_t self:capability { dac_read_search dac_override }; +- corecmd_exec_shell(secadm_t) +- domain_obj_id_change_exemption(secadm_t) +- mls_process_read_up(secadm_t) +- mls_file_read_up(secadm_t) +- mls_file_write_down(secadm_t) +- 
mls_file_upgrade(secadm_t) +- mls_file_downgrade(secadm_t) +- auth_relabel_all_files_except_shadow(secadm_t) +- dev_relabel_all_dev_nodes(secadm_t) +- auth_relabel_shadow(secadm_t) +- init_exec(secadm_t) +- logging_read_audit_log(secadm_t) +- logging_read_generic_logs(secadm_t) +- logging_read_audit_config(secadm_t) +- userdom_dontaudit_append_staff_home_content_files(secadm_t) +- userdom_dontaudit_read_sysadm_home_content_files(secadm_t) ++# for su ++allow sysadm_t userdomain:fd use; + +- optional_policy(` +- aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t }) +- ') ++# Add/remove user home directories ++allow sysadm_t user_home_dir_t:dir manage_dir_perms; ++files_home_filetrans(sysadm_t,user_home_dir_t,dir) + ++corecmd_exec_shell(sysadm_t) ++ ++mls_process_read_up(sysadm_t) ++ ++init_exec(sysadm_t) ++ ++kernel_sigstop_unlabeled(sysadm_t) ++kernel_signal_unlabeled(sysadm_t) ++kernel_kill_unlabeled(sysadm_t) ++kernel_read_unlabeled_state(sysadm_t) ++ ++# Following for sending reboot and wall messages ++userdom_use_unpriv_users_ptys(sysadm_t) ++userdom_use_unpriv_users_ttys(sysadm_t) ++ ++ifdef(`direct_sysadm_daemon',` ++ optional_policy(` ++ init_run_daemon(sysadm_t,sysadm_r,admin_terminal) ++ ') ++',` ++ ifdef(`distro_gentoo',` + optional_policy(` +- netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t }) ++ seutil_init_script_run_runinit(sysadm_t,sysadm_r,admin_terminal) + ') +- ',` +- logging_manage_audit_log(sysadm_t) +- logging_manage_audit_config(sysadm_t) +- logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal) + ') ++') + +- tunable_policy(`allow_ptrace',` +- domain_ptrace_all_domains(sysadm_t) ++ifdef(`enable_mls',` ++ allow auditadm_t self:capability { dac_read_search dac_override }; ++ seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) ++ domain_kill_all_domains(auditadm_t) ++ seutil_read_bin_policy(auditadm_t) ++ corecmd_exec_shell(auditadm_t) ++ 
logging_send_syslog_msg(auditadm_t) ++ logging_read_generic_logs(auditadm_t) ++ logging_manage_audit_log(auditadm_t) ++ logging_manage_audit_config(auditadm_t) ++ logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t }) ++ logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) ++ userdom_dontaudit_read_sysadm_home_content_files(auditadm_t) ++ ++ allow secadm_t self:capability { dac_read_search dac_override }; ++ corecmd_exec_shell(secadm_t) ++ domain_obj_id_change_exemption(secadm_t) ++ mls_process_read_up(secadm_t) ++ mls_file_read_up(secadm_t) ++ mls_file_write_down(secadm_t) ++ mls_file_upgrade(secadm_t) ++ mls_file_downgrade(secadm_t) ++ auth_relabel_all_files_except_shadow(secadm_t) ++ dev_relabel_all_dev_nodes(secadm_t) ++ auth_relabel_shadow(secadm_t) ++ init_exec(secadm_t) ++ logging_read_audit_log(secadm_t) ++ logging_read_generic_logs(secadm_t) ++ logging_read_audit_config(secadm_t) ++ userdom_dontaudit_append_staff_home_content_files(secadm_t) ++ userdom_dontaudit_read_sysadm_home_content_files(secadm_t) ++ ++ optional_policy(` ++ aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t }) + ') + + optional_policy(` +- amanda_run_recover(sysadm_t,sysadm_r,admin_terminal) +- ') ++ netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t }) ++ ') ++',` ++ logging_manage_audit_log(sysadm_t) ++ logging_manage_audit_config(sysadm_t) ++ logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- apache_run_helper(sysadm_t,sysadm_r,admin_terminal) +- #apache_run_all_scripts(sysadm_t,sysadm_r) +- #apache_domtrans_sys_script(sysadm_t) +- ') ++tunable_policy(`allow_ptrace',` ++ domain_ptrace_all_domains(sysadm_t) ++') + +- optional_policy(` +- tzdata_domtrans(sysadm_t) +- ') ++optional_policy(` ++ amanda_run_recover(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- raid_domtrans_mdadm(sysadm_t) +- ') ++optional_policy(` ++ 
amtu_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- # cjp: why is this not apm_run_client +- apm_domtrans_client(sysadm_t) +- ') ++optional_policy(` ++ apache_run_helper(sysadm_t,sysadm_r,admin_terminal) ++ #apache_run_all_scripts(sysadm_t,sysadm_r) ++ #apache_domtrans_sys_script(sysadm_t) ++') + +- optional_policy(` +- apt_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ tzdata_domtrans(sysadm_t) ++') + +- optional_policy(` +- backup_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ raid_domtrans_mdadm(sysadm_t) ++') + +- optional_policy(` +- bootloader_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ # cjp: why is this not apm_run_client ++ apm_domtrans_client(sysadm_t) ++') + +- optional_policy(` +- bind_run_ndc(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ apt_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ backup_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- consoletype_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ bootloader_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- clock_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ bind_run_ndc(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ bluetooth_run_helper(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- certwatach_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ consoletype_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- cvs_exec(sysadm_t) +- ') ++optional_policy(` ++ clock_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- consoletype_exec(sysadm_t) ++optional_policy(` ++ clockspeed_run_cli(sysadm_t,sysadm_r,admin_terminal) ++') + +- ifdef(`enable_mls',` +- 
consoletype_exec(auditadm_t) +- ') +- ') ++optional_policy(` ++ certwatach_run(sysadm_t,sysadm_r,admin_terminal) ++') + - optional_policy(` - cron_admin_template(sysadm,sysadm_t,sysadm_r) - ') -- ++optional_policy(` ++ cvs_exec(sysadm_t) ++') + - optional_policy(` - dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal) - dcc_run_client(sysadm_t,sysadm_r,admin_terminal) - dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal) -@@ -325,7 +340,6 @@ +- dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal) +- dcc_run_client(sysadm_t,sysadm_r,admin_terminal) +- dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ dcc_run_cdcc(sysadm_t,sysadm_r,admin_terminal) ++ dcc_run_client(sysadm_t,sysadm_r,admin_terminal) ++ dcc_run_dbclean(sysadm_t,sysadm_r,admin_terminal) ++') - optional_policy(` - ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal) -- ethereal_admin_template(sysadm,sysadm_t,sysadm_r) +- optional_policy(` +- ddcprobe_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ ddcprobe_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- dmesg_exec(sysadm_t) ++optional_policy(` ++ dmesg_exec(sysadm_t) + +- ifdef(`enable_mls',` +- dmesg_exec(auditadm_t) +- ') ++ ifdef(`enable_mls',` ++ dmesg_exec(auditadm_t) ') ++') - optional_policy(` -@@ -368,7 +382,6 @@ +- optional_policy(` +- dmidecode_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ dmidecode_run(sysadm_t,sysadm_r,admin_terminal) ++') - optional_policy(` - lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal) +- optional_policy(` +- dpkg_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ dpkg_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal) +- ethereal_admin_template(sysadm,sysadm_t,sysadm_r) +- ') ++optional_policy(` ++ ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t) +- ') 
++optional_policy(` ++ firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t) ++') + +- optional_policy(` +- fstools_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ fstools_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- hostname_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ hostname_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- # allow system administrator to use the ipsec script to look +- # at things (e.g., ipsec auto --status) +- # probably should create an ipsec_admin role for this kind of thing +- ipsec_exec_mgmt(sysadm_t) +- ipsec_stream_connect(sysadm_t) +- # for lsof +- ipsec_getattr_key_sockets(sysadm_t) +- ') ++optional_policy(` ++ # allow system administrator to use the ipsec script to look ++ # at things (e.g., ipsec auto --status) ++ # probably should create an ipsec_admin role for this kind of thing ++ ipsec_exec_mgmt(sysadm_t) ++ ipsec_stream_connect(sysadm_t) ++ # for lsof ++ ipsec_getattr_key_sockets(sysadm_t) ++') + +- optional_policy(` +- iptables_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ iptables_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- lvm_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ lvm_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- logrotate_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ logrotate_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal) - lpr_admin_template(sysadm,sysadm_t,sysadm_r) - ') +- ') ++optional_policy(` ++ lpd_run_checkpc(sysadm_t,sysadm_r,admin_terminal) ++') - optional_policy(` -@@ -386,11 +399,11 @@ - ') +- optional_policy(` +- kudzu_run(sysadm_t,sysadm_r,admin_terminal) +- ') 
++optional_policy(` ++ kudzu_run(sysadm_t,sysadm_r,admin_terminal) ++') - optional_policy(` +- optional_policy(` +- modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal) +- modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal) +- modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal) ++ modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal) ++ modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- mount_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ mount_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` - mta_admin_template(sysadm,sysadm_t,sysadm_r) -+ mysql_stream_connect(sysadm_t) - ') +- ') ++optional_policy(` ++ mysql_stream_connect(sysadm_t) ++') - optional_policy(` +- optional_policy(` - mysql_stream_connect(sysadm_t) -+ netlabel_run_mgmt(sysadm_t,sysadm_r,admin_terminal) - ') +- ') ++optional_policy(` ++ netlabel_run_mgmt(sysadm_t,sysadm_r,admin_terminal) ++') - optional_policy(` -@@ -452,6 +465,9 @@ - - ifdef(`enable_mls',` - userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) -+# tunable_policy(`allow_sysadm_manage_security',` -+ userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal) -+# ') - ', ` +- optional_policy(` +- netutils_run(sysadm_t,sysadm_r,admin_terminal) +- netutils_run_ping(sysadm_t,sysadm_r,admin_terminal) +- netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ netutils_run(sysadm_t,sysadm_r,admin_terminal) ++ netutils_run_ping(sysadm_t,sysadm_r,admin_terminal) ++ netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- rpc_domtrans_nfsd(sysadm_t) +- ') ++optional_policy(` ++ rpc_domtrans_nfsd(sysadm_t) ++') + +- optional_policy(` +- munin_stream_connect(sysadm_t) +- ') ++optional_policy(` ++ munin_stream_connect(sysadm_t) ++') + +- optional_policy(` +- ntp_stub() +- 
corenet_udp_bind_ntp_port(sysadm_t) +- ') ++optional_policy(` ++ ntp_stub() ++ corenet_udp_bind_ntp_port(sysadm_t) ++') + +- optional_policy(` +- oav_run_update(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ oav_run_update(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- portage_run(sysadm_t,sysadm_r,admin_terminal) +- portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ portage_run(sysadm_t,sysadm_r,admin_terminal) ++ portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- portmap_run_helper(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ portmap_run_helper(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- quota_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ quota_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- rpm_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ rpm_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- rsync_exec(sysadm_t) +- ') ++optional_policy(` ++ rsync_exec(sysadm_t) ++') + +- optional_policy(` +- samba_run_net(sysadm_t,sysadm_r,admin_terminal) +- samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ samba_run_net(sysadm_t,sysadm_r,admin_terminal) ++ samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal) +- seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal) ++optional_policy(` ++ seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal) ++ seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal) + +- ifdef(`enable_mls',` +- userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) +- ', ` ++ ifdef(`enable_mls',` ++ 
userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) ++# tunable_policy(`allow_sysadm_manage_security',` userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal) - ') -@@ -504,15 +520,15 @@ - unconfined_alias_domain(sysadm_t) +- ') ++# ') ++ ', ` ++ userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal) + ') ++') + +- optional_policy(` +- sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal) +- sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal) ++ sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal) +- tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal) +- tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal) +- tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal) ++ tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal) ++ tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal) ++ tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- usbmodules_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ usbmodules_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal) +- usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal) +- usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal) ++ usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal) ++ usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- vpn_run(sysadm_t,sysadm_r,admin_terminal) +- ') 
++optional_policy(` ++ vpn_run(sysadm_t,sysadm_r,admin_terminal) ++') - # User home directory type. +- optional_policy(` +- webalizer_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ webalizer_run(sysadm_t,sysadm_r,admin_terminal) ++') + +- optional_policy(` +- yam_run(sysadm_t,sysadm_r,admin_terminal) +- ') ++optional_policy(` ++ yam_run(sysadm_t,sysadm_r,admin_terminal) + ') + + ifdef(`targeted_policy',` +- # Define some type aliases to help with compatibility with +- # strict policy. +- unconfined_alias_domain(secadm_t) +- unconfined_alias_domain(auditadm_t) +- unconfined_alias_domain(sysadm_t) +- +- # User home directory type. - type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type; - files_type(user_home_t) - files_associate_tmp(user_home_t) 
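Review bot: Near the end of the hunk, inside the enable_mls branch, the `tunable_policy` opener and its closing `')` for allow_sysadm_manage_security are commented out with `#`, so the `userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)` between them is unconditional: on an MLS build sysadm_t receives the security-administrator rights alongside secadm_t, which removes the sysadm/secadm separation the separate secadm_r role exists to provide. The earlier comment in this hunk, that type_change and RBAC allow rules do not work in conditionals, suggests why the tunable was disabled; if that is the reason, gate the call with a build-time `ifdef` in the style of the `user_canbe_sysadm` case, or drop it and keep the grant only in the non-MLS branch. As written it is a silent privilege grant and needs at least a `# TODO` comment explaining it.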
@@ -8453,27 +9560,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - files_type(user_home_dir_t) - files_associate_tmp(user_home_dir_t) - fs_associate_tmpfs(user_home_dir_t) -+ typealias user_home_t alias { staff_home_t sysadm_home_t }; -+# files_type(user_home_t) -+# files_associate_tmp(user_home_t) -+# fs_associate_tmpfs(user_home_t) -+ -+ typealias user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }; -+# files_type(user_home_dir_t) -+# files_associate_tmp(user_home_dir_t) -+# fs_associate_tmpfs(user_home_dir_t) - - # compatibility for switching from strict - # dominance { role secadm_r { role system_r; }} -@@ -548,4 +564,13 @@ - optional_policy(` - samba_per_role_template(user) +- +- # compatibility for switching from strict +-# dominance { role secadm_r { role system_r; }} +-# dominance { role auditadm_r { role system_r; }} +-# dominance { role sysadm_r { role system_r; }} +-# dominance { role user_r { role system_r; }} +-# dominance { role staff_r { role system_r; }} +- + # dont need to use the full role_change() + allow sysadm_r system_r; + allow sysadm_r user_r; +- allow user_r system_r; +- allow user_r sysadm_r; + allow system_r sysadm_r; + allow system_r sysadm_r; + +- manage_dirs_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) +- manage_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) +- manage_lnk_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) +- manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) +- manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t) +- filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file }) + files_search_home(privhome) + + ifdef(`enable_mls',` +@@ -545,7 +527,8 @@ + allow staff_r auditadm_r; ') -+ -+ optional_policy(` -+ gnome_per_role_template(user, user_t, user_r) -+ ') -+ + +- optional_policy(` +- samba_per_role_template(user) +- ') +') 
+ +tunable_policy(`allow_console_login', ` @@ -8650,6 +9768,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te +fs_read_nfs_files(xend_t) +fs_getattr_all_fs(xend_t) +fs_read_dos_files(xend_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.6.5/policy/rolemap +--- nsaserefpolicy/policy/rolemap 2006-11-16 17:15:26.000000000 -0500 ++++ serefpolicy-2.6.5/policy/rolemap 2007-05-24 15:51:16.000000000 -0400 +@@ -8,13 +8,11 @@ + # syntax: role prefix user_domain + # + +-ifdef(`strict_policy',` +- user_r user user_t +- staff_r staff staff_t +- sysadm_r sysadm sysadm_t ++user_r user user_t ++staff_r staff staff_t ++sysadm_r sysadm sysadm_t + +- ifdef(`enable_mls',` +- secadm_r secadm secadm_t +- auditadm_r auditadm auditadm_t +- ') ++ifdef(`enable_mls',` ++ secadm_r secadm secadm_t ++ auditadm_r auditadm auditadm_t + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-2.6.5/policy/support/misc_patterns.spt --- nsaserefpolicy/policy/support/misc_patterns.spt 2007-01-02 12:57:51.000000000 -0500 +++ serefpolicy-2.6.5/policy/support/misc_patterns.spt 2007-05-22 14:41:13.000000000 -0400 
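Review bot: In the userdomain.te hunk (`@@ -8453,27 +9560,38 @@`) the two consecutive inner-context lines `allow system_r sysadm_r;` are identical, so one of them is redundant; a duplicated role-allow rule compiles, but it reads like a copy-paste slip and, if the second line was meant to be a different role pair, that rule is now absent, so keep a single `allow system_r sysadm_r;` or name the intended pair. Removing `allow user_r sysadm_r;` and the `manage_*_pattern(privhome, …)` home-directory rules tightens the targeted role model, and that only stays consistent because `user_u` is cut down to `user_r` in the policy/users hunk further down, so the two hunks should land together. The enclosing `ifdef(`targeted_policy',` block this hunk edits opens before the hunk, so the inner-added `')` near its end has to be checked against that opening rather than against what is visible here.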
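Review bot: In the rolemap hunk (`@@ -8650,6 +9768,29 @@`) the `user_r`, `staff_r` and `sysadm_r` mappings move out of `ifdef(`strict_policy',` and become unconditional while `secadm_r`/`auditadm_r` stay under `ifdef(`enable_mls',`, but the file's header comment (`# syntax: role prefix user_domain`) says nothing about that split. This means targeted builds now instantiate the per-role user templates for all three roles, which is presumably the intent given the matching `gen_user(staff_u, staff, staff_r sysadm_r …)` line in the policy/users hunk below, so it should be stated. A comment such as `# user_r/staff_r/sysadm_r exist in every build; secadm_r/auditadm_r are MLS-only` above the first mapping would spare the next reader the archaeology.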
@@ -8699,6 +9840,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`all_association', `{ sendto recvfrom setcontext polmatch } ') + + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.6.5/policy/users +--- nsaserefpolicy/policy/users 2006-11-16 17:15:26.000000000 -0500 ++++ serefpolicy-2.6.5/policy/users 2007-05-24 15:42:41.000000000 -0400 +@@ -25,13 +25,9 @@ + # SELinux user identity for a Linux user. If you do not want to + # permit any access to such users, then remove this entry. + # +-ifdef(`targeted_policy',` +-gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +-',` + gen_user(user_u, user, user_r, s0, s0) + gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) + gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) +-') + + # + # The following users correspond to Unix identities. diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.6.5/Rules.modular --- nsaserefpolicy/Rules.modular 2007-03-22 14:30:10.000000000 -0400 +++ serefpolicy-2.6.5/Rules.modular 2007-05-22 14:41:13.000000000 -0400
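Review bot: Dropping the `ifdef(`targeted_policy',` branch leaves `gen_user(user_u, user, user_r, s0, s0)` in force for every build, which changes `user_u` on targeted systems from `user_r sysadm_r system_r` with range `s0 - mls_systemhigh, mcs_allcats` to `user_r` alone at plain `s0`. That is a real tightening: a `user_u` login can no longer reach `sysadm_r`, and on an MCS-enabled build it has no categories, so anything labeled with a category becomes unreachable for that identity. Nothing on the page says this is unintended, but the header comment above the line still only says "SELinux user identity for a Linux user", so I would add `# user_u is confined to user_r at s0 with no MCS categories in all builds` there, and note that `staff_u` and `sysadm_u` keep `mcs_allcats`. This pairs with the removal of `allow user_r sysadm_r;` in the userdomain.te hunk above; applying one without the other leaves either a role allow with no user able to use it or a user declaring a role it cannot transition to.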