diff --git a/booleans-targeted.conf b/booleans-targeted.conf index ea86836..44a901d 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -104,7 +104,7 @@ httpd_ssi_exec = false # Allow http daemon to communicate with the TTY # -httpd_tty_comm = false +httpd_tty_comm = true # Run CGI in the main httpd domain # diff --git a/policy-20071023.patch b/policy-20071023.patch index 9ae1ad4..5dbb0e1 100644 --- a/policy-20071023.patch +++ b/policy-20071023.patch @@ -705,8 +705,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors class key diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.1.0/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.1.0/policy/global_tunables 2007-10-23 18:51:10.000000000 -0400 -@@ -132,3 +132,19 @@ ++++ serefpolicy-3.1.0/policy/global_tunables 2007-10-23 23:27:45.000000000 -0400 +@@ -132,3 +132,12 @@ ##
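Review bot: The default flip `httpd_tty_comm = true` is not explained by the surrounding comment, which still only says what the boolean does; further down this same diff the `tunable_policy(`httpd_tty_comm'` block in apache.te grants `userdom_use_sysadm_terms(httpd_helper_t)`, so the new default hands the helper domain access to administrator terminals on every targeted install. Add a line under the existing comment recording why, e.g. `# Default changed to true (<reason>); grants httpd_helper_t use of sysadm terminals`, so anyone auditing booleans can see the change was deliberate. The matching `gen_tunable(httpd_tty_comm,true)` in apache.te is dropped later in this diff, so the policy's own default stays false and only this shipped conf file enables it; that split is worth stating in the comment as well.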

## gen_tunable(write_untrusted_content,false) @@ -719,13 +719,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +gen_tunable(allow_console_login,false) + + -+## -+##

-+## Allow xen to manage nfs files -+##

-+##
-+gen_tunable(xen_use_nfs,false) -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.1.0/policy/modules/admin/alsa.fc --- nsaserefpolicy/policy/modules/admin/alsa.fc 2006-11-16 17:15:26.000000000 -0500 +++ serefpolicy-3.1.0/policy/modules/admin/alsa.fc 2007-10-23 18:51:10.000000000 -0400 @@ -4623,7 +4616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.1.0/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-10-23 07:37:52.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-10-23 18:51:10.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-10-23 23:15:09.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -4647,30 +4640,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Allow Apache to use mod_auth_pam ##

## -@@ -47,6 +56,13 @@ - ## Allow http daemon to tcp connect - ##

- ## +@@ -44,6 +53,13 @@ + + ## + ##

++## Allow http daemon to send mail ++##

++##
+gen_tunable(httpd_can_sendmail,false) + +## +##

-+## Allow http daemon to tcp connect -+##

-+##
- gen_tunable(httpd_can_network_connect,false) - - ## -@@ -97,7 +113,7 @@ - ## Allow http daemon to communicate with the TTY + ## Allow http daemon to tcp connect ##

##
--gen_tunable(httpd_tty_comm,false) -+gen_tunable(httpd_tty_comm,true) - - ## - ##

-@@ -106,14 +122,33 @@ +@@ -106,6 +122,27 @@ ## gen_tunable(httpd_unified,false) @@ -4696,17 +4680,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +gen_tunable(allow_httpd_sys_script_anon_write,false) + attribute httpdcontent; --attribute httpd_user_content_type; - - # domains that can exec all users scripts - attribute httpd_exec_scripts; + attribute httpd_user_content_type; - attribute httpd_script_exec_type; --attribute httpd_user_script_exec_type; - - # user script domains - attribute httpd_script_domains; -@@ -144,6 +179,9 @@ +@@ -144,6 +181,9 @@ type httpd_log_t; logging_log_file(httpd_log_t) @@ -4716,22 +4692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; -@@ -184,6 +222,14 @@ - type httpd_tmpfs_t; - files_tmpfs_file(httpd_tmpfs_t) - -+# Unconfined domain for apache scripts. -+# Only to be used as a last resort -+type httpd_unconfined_script_t; -+type httpd_unconfined_script_exec_t; # customizable -+domain_type(httpd_unconfined_script_t) -+domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t) -+role system_r types httpd_unconfined_script_t; -+ - # for apache2 memory mapped files - type httpd_var_lib_t; - files_type(httpd_var_lib_t) -@@ -204,9 +250,11 @@ +@@ -204,7 +244,7 @@ # Apache server local policy # 
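Review bot: The new `gen_tunable(httpd_can_sendmail,false)` declared in this hunk has no counterpart in the booleans-targeted.conf change at the top of this diff, which only touches `httpd_tty_comm`; if that file is meant to enumerate the targeted policy's booleans, add `httpd_can_sendmail = false` next to the other httpd entries so the opt-in default is visible to administrators. The description `## Allow http daemon to send mail` should also say that this replaces the unconditional `mta_send_mail(httpd_t)` that a later hunk in this diff removes, since an upgrade silently stops mail from web applications until the boolean is set. The `tunable_policy` body that consumes the new boolean sits in the `@@ -369,6 +412,16 @@` hunk whose added lines are not visible here, so I could not confirm it is wired up.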
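Review bot: This hunk drops the patch's own declaration of `httpd_unconfined_script_t` / `httpd_unconfined_script_exec_t` from apache.te, but `domtrans_pattern(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)` stays in the patched suexec section later in this diff and the unconfined.te hunk keeps `unconfined_domain(httpd_unconfined_script_t)`. Presumably the reference policy already declares both types, which would have made the old `+type` lines a duplicate declaration, but that is not visible here and should be confirmed before the module is built. If upstream does declare them, note in the commit description that the `# Only to be used as a last resort` warning now lives only upstream, since the suexec transition into that domain remains gated solely by `httpd_enable_cgi`.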
@@ -4739,12 +4700,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+dontaudit httpd_t self:process setfscreate; -+ allow httpd_t self:fd use; - allow httpd_t self:sock_file read_sock_file_perms; - allow httpd_t self:fifo_file rw_fifo_file_perms; -@@ -246,6 +294,7 @@ +@@ -246,6 +286,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) @@ -4752,7 +4709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -286,6 +335,7 @@ +@@ -286,6 +327,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -4760,7 +4717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -332,6 +382,10 @@ +@@ -332,6 +374,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
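Review bot: Dropping `dontaudit httpd_t self:process setfscreate;` means any setfscreate attempt by httpd_t is audited again, because the `allow httpd_t self:process ~{ ... setfscreate ... }` line above it still excludes that permission; if the dontaudit silenced a known noisy module this reintroduces the AVC noise, and if it was removed so the attempts become visible, a short comment such as `# setfscreate by httpd_t is deliberately audited` would make that intent survive the next cleanup. Separately, the patched `allow httpd_t self:capability { ... sys_tty_config }` line and the upstream `dontaudit httpd_t self:capability { net_admin sys_tty_config }` line below it overlap on sys_tty_config; a dontaudit of an allowed permission is dead and can be reduced to `dontaudit httpd_t self:capability net_admin;`. The allow line is unchanged by this commit, so that overlap is pre-existing, but the hunk is the natural place to fix it.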
@@ -4771,18 +4728,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -350,7 +404,9 @@ +@@ -346,12 +392,8 @@ + + seutil_dontaudit_search_config(httpd_t) +-sysnet_read_config(httpd_t) +- userdom_use_unpriv_users_fds(httpd_t) -mta_send_mail(httpd_t) -+tunable_policy(`httpd_enable_homedirs',` -+ userdom_search_generic_user_home_dirs(httpd_t) -+') - +- tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) -@@ -362,6 +418,7 @@ + ') +@@ -362,6 +404,7 @@ # tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) @@ -4790,7 +4749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -369,6 +426,16 @@ +@@ -369,6 +412,16 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -4807,7 +4766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -389,6 +456,17 @@ +@@ -389,6 +442,17 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -4825,7 +4784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -406,11 +484,21 @@ +@@ -406,11 +470,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -4847,7 +4806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -432,6 +520,12 @@ +@@ -432,6 +506,12 @@ ') optional_policy(` 
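Review bot: The patch now deletes `sysnet_read_config(httpd_t)` from apache.te (and, in the suexec hunk later in this diff, `sysnet_read_config(httpd_suexec_t)`) while the `httpd_can_network_connect` block keeps `corenet_tcp_connect_all_ports(httpd_t)`; unless the same access is granted through an interface not shown here, httpd_t loses read access to the network configuration files that interface covers (resolv.conf and friends, as far as I recall), which would break name resolution for outbound connections rather than tighten anything meaningful. If the read is now provided elsewhere, a one-line comment at the deletion point naming where would stop the next reviewer from re-adding it; if it is not, the removal should be reverted or placed under the same tunable. The same hunk also drops the `httpd_enable_homedirs` → `userdom_search_generic_user_home_dirs(httpd_t)` addition, which is consistent with the matching removals for httpd_suexec_t and httpd_sys_script_t further down.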
@@ -4860,7 +4819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac calamaris_read_www_files(httpd_t) ') -@@ -444,8 +538,15 @@ +@@ -444,8 +524,15 @@ ') optional_policy(` @@ -4877,7 +4836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -459,11 +560,11 @@ +@@ -459,11 +546,11 @@ optional_policy(` mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) @@ -4890,7 +4849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -483,6 +584,7 @@ +@@ -483,6 +570,7 @@ ') optional_policy(` @@ -4898,11 +4857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -514,10 +616,16 @@ - tunable_policy(`httpd_tty_comm',` - # cjp: this is redundant: - term_use_controlling_term(httpd_helper_t) -- +@@ -518,6 +606,13 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -4916,7 +4871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -555,6 +663,7 @@ +@@ -555,6 +650,7 @@ optional_policy(` mysql_stream_connect(httpd_php_t) @@ -4924,7 +4879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -569,7 +678,6 @@ +@@ -569,7 +665,6 @@ allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; 
@@ -4932,7 +4887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -583,6 +691,10 @@ +@@ -583,6 +678,10 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -4943,33 +4898,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -608,6 +720,10 @@ - - miscfiles_read_localization(httpd_suexec_t) - -+tunable_policy(`httpd_enable_homedirs',` -+ userdom_search_generic_user_home_dirs(httpd_suexec_t) -+') -+ - tunable_policy(`httpd_can_network_connect',` - allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; - allow httpd_suexec_t self:udp_socket create_socket_perms; -@@ -622,10 +738,13 @@ +@@ -622,8 +721,10 @@ corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) -- - sysnet_read_config(httpd_suexec_t) - ') ++') +- sysnet_read_config(httpd_suexec_t) +tunable_policy(`httpd_enable_cgi',` + domtrans_pattern(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) -+') -+ - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -636,6 +755,12 @@ + + tunable_policy(`httpd_enable_cgi && httpd_unified',` +@@ -636,6 +737,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -4982,7 +4923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -653,18 +778,6 @@ +@@ -653,18 +760,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -5001,7 +4942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -674,7 +787,8 @@ +@@ -674,7 +769,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -5011,7 +4952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -688,15 +802,66 @@ +@@ -688,15 +784,62 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -5022,20 +4963,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -+tunable_policy(`httpd_enable_homedirs',` -+ userdom_search_generic_user_home_dirs(httpd_sys_script_t) ++tunable_policy(`httpd_use_nfs', ` ++ fs_read_nfs_files(httpd_sys_script_t) ++ fs_read_nfs_symlinks(httpd_sys_script_t) +') + -+tunable_policy(`httpd_use_nfs', ` ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` -+ fs_read_nfs_files(httpd_sys_script_t) -+ fs_read_nfs_symlinks(httpd_sys_script_t) -+') -+ +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; 
@@ -5079,28 +5016,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -709,6 +874,20 @@ +@@ -709,6 +852,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) + mysql_read_config(httpd_sys_script_t) -+') -+ -+######################################## -+# -+# Apache unconfined script local policy -+# -+ -+optional_policy(` -+ nscd_socket_use(httpd_unconfined_script_t) -+') -+ -+optional_policy(` -+ unconfined_domain(httpd_unconfined_script_t) ') ######################################## -@@ -730,3 +909,20 @@ +@@ -730,3 +874,20 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -6487,7 +6411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.1.0/policy/modules/services/exim.fc 2007-10-23 18:51:10.000000000 -0400 @@ -0,0 +1,15 @@ -+# $Id: policy-20071023.patch,v 1.1 2007/10/23 23:13:09 dwalsh Exp $ ++# $Id: policy-20071023.patch,v 1.2 2007/10/24 03:29:53 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -6667,7 +6591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.1.0/policy/modules/services/exim.te 2007-10-23 18:51:10.000000000 -0400 @@ -0,0 +1,232 @@ -+# $Id: policy-20071023.patch,v 1.1 2007/10/23 23:13:09 dwalsh Exp $ ++# $Id: policy-20071023.patch,v 1.2 2007/10/24 03:29:53 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway 
@@ -11192,7 +11116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.1.0/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/authlogin.if 2007-10-23 18:51:10.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/system/authlogin.if 2007-10-23 23:15:41.000000000 -0400 @@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) @@ -11706,9 +11630,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.1.0/policy/modules/system/fstools.if +--- nsaserefpolicy/policy/modules/system/fstools.if 2007-08-22 17:33:53.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/system/fstools.if 2007-10-23 23:27:18.000000000 -0400 +@@ -142,3 +142,20 @@ + + allow $1 swapfile_t:file getattr; + ') ++ ++######################################## ++##

++## Create, read, write, and delete a nfs files ++## ++## ++## ++## Not used ++## ++## ++# ++interface(`fstools_manage_nfs',` ++ gen_require(` ++ type fsadm_t; ++ ') ++ fs_manage_nfs_files(fsadm_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.1.0/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/fstools.te 2007-10-23 18:51:10.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/system/fstools.te 2007-10-23 23:25:29.000000000 -0400 @@ -109,8 +109,7 @@ term_use_console(fsadm_t) @@ -11719,15 +11667,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool #RedHat bug #201164 corecmd_exec_shell(fsadm_t) -@@ -183,4 +182,9 @@ +@@ -183,4 +182,5 @@ optional_policy(` xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) -+') -+ -+tunable_policy(`xen_use_nfs',` -+ fs_manage_nfs_files(fsadm_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.1.0/policy/modules/system/fusermount.fc --- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500 @@ -13897,7 +13841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.1.0/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-10-23 18:51:10.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-10-23 22:51:52.000000000 -0400 @@ -76,7 +76,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) 
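Review bot: `fstools_manage_nfs` ignores its argument: the body hard-codes `fs_manage_nfs_files(fsadm_t)` and the parameter block says `Not used`, yet the call site added in xen.te later in this diff is `fstools_manage_nfs(xend_t)`, which reads as if xend_t were being granted the access. Say so in the summary so callers are not misled, e.g. `## Allow fsadm_t (not the caller) to create, read, write and delete NFS files; used by the xen_use_nfs tunable`, and fix the grammar in `## Create, read, write, and delete a nfs files`. The interface exists because the `xen_use_nfs` tunable moves from global_tunables into xen.te in this diff and can no longer be referenced from fstools.te, so dropping the old `tunable_policy(`xen_use_nfs',` block from fstools.te is correct; the privilege granted to fsadm_t is unchanged, only the place that gates it moved.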
@@ -13931,7 +13875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') + +optional_policy(` -+ usermanage_dontaudit_useradd_use_fds(load_policy_t) ++ usermanage_dontaudit_use_useradd_fds(load_policy_t) +') + + @@ -14654,7 +14598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.1.0/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/unconfined.te 2007-10-23 19:06:14.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/system/unconfined.te 2007-10-23 23:11:40.000000000 -0400 @@ -5,17 +5,23 @@ # # Declarations @@ -14719,7 +14663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -51,14 +67,11 @@ +@@ -51,13 +67,12 @@ userdom_priveleged_home_dir_manager(unconfined_t) optional_policy(` @@ -14729,13 +14673,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -- apache_per_role_template(unconfined, unconfined_t, unconfined_r) + apache_per_role_template(unconfined, unconfined_t, unconfined_r) - # this is disallowed usage: -- unconfined_domain(httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) ') - optional_policy(` -@@ -107,6 +120,10 @@ +@@ -107,6 +122,10 @@ optional_policy(` oddjob_dbus_chat(unconfined_t) ') 
@@ -14746,7 +14689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +135,11 @@ +@@ -118,11 +137,11 @@ ') optional_policy(` @@ -14760,7 +14703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,11 +151,7 @@ +@@ -134,11 +153,7 @@ ') optional_policy(` @@ -14773,7 +14716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -155,32 +168,23 @@ +@@ -155,32 +170,23 @@ optional_policy(` postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -14810,7 +14753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +209,22 @@ +@@ -205,11 +211,22 @@ ') optional_policy(` @@ -14835,7 +14778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -225,8 +240,21 @@ +@@ -225,8 +242,19 @@ init_dbus_chat_script(unconfined_execmem_t) unconfined_dbus_chat(unconfined_execmem_t) @@ -14855,8 +14798,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + + ') ') -+ -+corecmd_exec_all_executables(unconfined_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.1.0/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500 +++ serefpolicy-3.1.0/policy/modules/system/userdomain.fc 2007-10-23 18:51:10.000000000 -0400 
@@ -16460,7 +16401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.1.0/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/userdomain.te 2007-10-23 19:10:17.000000000 -0400 ++++ serefpolicy-3.1.0/policy/modules/system/userdomain.te 2007-10-23 19:10:51.000000000 -0400 @@ -24,13 +24,6 @@ ## @@ -16573,8 +16514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_runinit(sysadm_t, sysadm_r, admin_terminal) ifdef(`enable_mls',` -- userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t }) -+ userdom_security_admin_template(secadm_t,secadm_r, { secadm_tty_device_t sysadm_devpts_t }) + userdom_security_admin_template(secadm_t, secadm_r, { secadm_tty_device_t sysadm_devpts_t }) +# tunable_policy(`allow_sysadm_manage_security',` + userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal) +# ') @@ -16713,8 +16653,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.1.0/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.1.0/policy/modules/system/xen.te 2007-10-23 18:51:10.000000000 -0400 -@@ -45,9 +45,7 @@ ++++ serefpolicy-3.1.0/policy/modules/system/xen.te 2007-10-23 23:28:04.000000000 -0400 +@@ -6,6 +6,13 @@ + # Declarations + # + ++## ++##

++## Allow xen to manage nfs files ++##

++##
++gen_tunable(xen_use_nfs,false) ++ + # console ptys + type xen_devpts_t; + term_pty(xen_devpts_t); +@@ -45,9 +52,7 @@ type xenstored_t; type xenstored_exec_t; @@ -16725,7 +16679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te # var/lib files type xenstored_var_lib_t; -@@ -59,8 +57,7 @@ +@@ -59,8 +64,7 @@ type xenconsoled_t; type xenconsoled_exec_t; @@ -16735,7 +16689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te role system_r types xenconsoled_t; # pid files -@@ -95,7 +92,7 @@ +@@ -95,7 +99,7 @@ read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t) rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t) @@ -16744,7 +16698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te dev_filetrans(xend_t, xenctl_t, fifo_file) manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t) -@@ -122,15 +119,13 @@ +@@ -122,15 +126,13 @@ manage_fifo_files_pattern(xend_t,xend_var_lib_t,xend_var_lib_t) files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir }) @@ -16764,7 +16718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te kernel_read_kernel_sysctls(xend_t) kernel_read_system_state(xend_t) -@@ -176,6 +171,7 @@ +@@ -176,6 +178,7 @@ files_manage_etc_runtime_files(xend_t) files_etc_filetrans_etc_runtime(xend_t,file) files_read_usr_files(xend_t) @@ -16772,7 +16726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te storage_raw_read_fixed_disk(xend_t) storage_raw_write_fixed_disk(xend_t) -@@ -214,6 +210,10 @@ +@@ -214,6 +217,10 @@ netutils_domtrans(xend_t) optional_policy(` @@ -16783,7 +16737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te consoletype_exec(xend_t) ') -@@ -224,7 +224,7 @@ +@@ -224,7 +231,7 @@ allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; 
@@ -16792,7 +16746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; -@@ -257,7 +257,7 @@ +@@ -257,7 +264,7 @@ miscfiles_read_localization(xenconsoled_t) @@ -16801,7 +16755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te xen_stream_connect_xenstore(xenconsoled_t) ######################################## -@@ -265,7 +265,7 @@ +@@ -265,7 +272,7 @@ # Xen store local policy # @@ -16810,7 +16764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te allow xenstored_t self:unix_stream_socket create_stream_socket_perms; allow xenstored_t self:unix_dgram_socket create_socket_perms; -@@ -318,12 +318,13 @@ +@@ -318,12 +325,13 @@ allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; # internal communication is often done using fifo and unix sockets. @@ -16825,7 +16779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te files_search_var_lib(xm_t) allow xm_t xen_image_t:dir rw_dir_perms; -@@ -336,6 +337,7 @@ +@@ -336,6 +344,7 @@ kernel_write_xen_state(xm_t) corecmd_exec_bin(xm_t) @@ -16833,7 +16787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te corenet_tcp_sendrecv_generic_if(xm_t) corenet_tcp_sendrecv_all_nodes(xm_t) -@@ -351,8 +353,11 @@ +@@ -351,8 +360,11 @@ storage_raw_read_fixed_disk(xm_t) @@ -16845,7 +16799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te init_rw_script_stream_sockets(xm_t) init_use_fds(xm_t) -@@ -363,6 +368,19 @@ +@@ -363,6 +375,20 @@ sysnet_read_config(xm_t) 
@@ -16864,6 +16818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te +tunable_policy(`xen_use_nfs',` + fs_manage_nfs_files(xend_t) + fs_read_nfs_symlinks(xend_t) ++ fstools_manage_nfs(xend_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.1.0/policy/modules/users/guest.fc --- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500
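Review bot: `fstools_manage_nfs(xend_t)` is added inside `tunable_policy(`xen_use_nfs',` with no `optional_policy` around it, which makes the xen module hard-depend on fstools; if fstools is not a base module in this build, xen fails to link whenever fstools is absent. A conditional block cannot enclose an optional block, so the wrap has to go the other way, in a separate block after the existing one. Note also that the argument is ignored by the interface as written (it grants fsadm_t, not xend_t), so the line does something its call site does not suggest; a comment at the call site saying so would help.

```m4
tunable_policy(`xen_use_nfs',`
	fs_manage_nfs_files(xend_t)
	fs_read_nfs_symlinks(xend_t)
')

optional_policy(`
	# fstools_manage_nfs ignores its argument and grants fsadm_t, not xend_t
	tunable_policy(`xen_use_nfs',`
		fstools_manage_nfs(xend_t)
	')
')
```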