diff --git a/policy-F12.patch b/policy-F12.patch index 3fde6e9..73035bb 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -2739,7 +2739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.16/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/apps/mozilla.te 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/apps/mozilla.te 2009-06-18 09:37:19.000000000 -0400 @@ -105,6 +105,7 @@ # Should not need other ports corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) @@ -2794,7 +2794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.16/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/apps/nsplugin.if 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/apps/nsplugin.if 2009-06-18 09:57:45.000000000 -0400 @@ -0,0 +1,313 @@ + +## policy for nsplugin 
@@ -3111,8 +3111,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.16/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/apps/nsplugin.te 2009-06-12 15:59:08.000000000 -0400 -@@ -0,0 +1,286 @@ ++++ serefpolicy-3.6.16/policy/modules/apps/nsplugin.te 2009-06-16 11:25:06.000000000 -0400 +@@ -0,0 +1,287 @@ + +policy_module(nsplugin, 1.0.0) + @@ -3236,6 +3236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_getattr_xattr_fs(nsplugin_t) +fs_search_auto_mountpoints(nsplugin_t) +fs_rw_anon_inodefs_files(nsplugin_t) ++fs_list_inotifyfs(nsplugin_t) + +storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) + @@ -4440,38 +4441,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive sambagui_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.16/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/apps/sandbox.fc 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/apps/sandbox.fc 2009-06-18 08:40:18.000000000 -0400 
@@ -0,0 +1 @@ +# No types are sandbox_exec_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.16/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/apps/sandbox.if 2009-06-12 15:59:08.000000000 -0400 -@@ -0,0 +1,105 @@ ++++ serefpolicy-3.6.16/policy/modules/apps/sandbox.if 2009-06-18 10:32:27.000000000 -0400 +@@ -0,0 +1,145 @@ + +## policy for sandbox + +######################################## +## -+## Execute a domain transition to run sandbox. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`sandbox_domtrans',` -+ gen_require(` -+ type sandbox_t; -+ type sandbox_exec_t; -+ ') -+ -+ domtrans_pattern($1,sandbox_exec_t,sandbox_t) -+') -+ -+ -+######################################## -+## +## Execute sandbox in the sandbox domain, and +## allow the specified role the sandbox domain. +## 
@@ -4486,41 +4467,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`sandbox_run',` ++interface(`sandbox_transition',` + gen_require(` -+ type sandbox_t; ++ type sandbox_xserver_t; ++ attribute sandbox_domain; + ') + -+ sandbox_domtrans($1) -+ role $2 types sandbox_t; ++ allow $1 sandbox_domain:process transition; ++ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; ++ role $2 types sandbox_domain; ++ role $2 types sandbox_xserver_t; +') + +######################################## +## -+## Role access for sandbox ++## Creates types and rules for a basic ++## qemu process domain. +## -+## -+## -+## Role allowed access -+## -+## -+## ++## +## -+## User domain for the role ++## Prefix for the domain. +## +## +# -+interface(`sandbox_role',` ++template(`sandbox_domain_template',` ++ + gen_require(` -+ type sandbox_t; ++ attribute sandbox_domain; + ') + -+ role $2 types sandbox_t; ++ type $1_t, sandbox_domain; ++ domain_type($1_t) + -+ sandbox_domtrans($1) ++ type $1_file_t; ++ files_type($1_file_t) + -+ ps_process_pattern($2, sandbox_t) -+ allow $2 sandbox_t:process signal; ++ can_exec($1_t, $1_file_t) ++ manage_dirs_pattern($1_t, $1_file_t, $1_file_t) ++ manage_files_pattern($1_t, $1_file_t, $1_file_t) ++ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) ++ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) ++ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) +') + +######################################## 
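Review bot: The summary added for `sandbox_domain_template` in sandbox.if reads "Creates types and rules for a basic qemu process domain", which looks copied from the qemu module and does not describe what the template builds. I would reword it to `## Creates the $1_t sandbox domain and its $1_file_t file type.` and state in the description that the domain gets `can_exec` plus full manage rights on `$1_file_t`, because write-and-execute on the same type is the property a reader auditing the sandbox needs to see. The header comment above `sandbox_transition`, which starts in the previous hunk, still says "Execute sandbox in the sandbox domain", although the new body only allows the `transition` permission and the role associations.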
@@ -4534,31 +4521,87 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+template(`sandbox_domain_template',` -+ ++template(`sandbox_x_domain_template',` + gen_require(` -+ attribute sandbox_domain; ++ type xserver_exec_t; ++ type sandbox_xserver_t; ++ attribute sandbox_domain, sandbox_x_domain; + ') + -+ type $1_t, sandbox_domain; -+ domain_type($1_t) ++ sandbox_domain_template($1) + -+ type $1_file_t; -+ files_type($1_file_t) ++ ++ typeattribute $1_t sandbox_x_domain; + -+ manage_dirs_pattern($1_t, $1_file_t, $1_file_t) -+ manage_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) -+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) ++ # window manager ++ miscfiles_setattr_fonts($1_t) ++ allow $1_t self:capability setuid; ++ ++ type $1_client_t, sandbox_x_domain, sandbox_domain; ++ domain_type($1_client_t) ++ ++ type $1_client_tmpfs_t; ++ files_tmpfs_file($1_client_tmpfs_t) ++ ++ allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr }; ++ term_create_pty($1_client_t,sandbox_devpts_t) ++ ++ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t) ++ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file ) ++ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; ++ ++ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) ++ allow $1_t sandbox_xserver_t:process sigkill; ++ ++ domtrans_pattern($1_t, $1_file_t, $1_client_t) ++ domain_entry_file($1_client_t, $1_file_t) ++ ++ manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) ++ manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) ++ manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) ++ allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms; ++ ps_process_pattern(sandbox_xserver_t, $1_client_t) ++ ps_process_pattern(sandbox_xserver_t, $1_t) ++ allow sandbox_xserver_t $1_client_t:shm 
rw_shm_perms; ++ allow sandbox_xserver_t $1_t:shm rw_shm_perms; ++ ++ can_exec($1_client_t, $1_file_t) ++ manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t) ++ manage_files_pattern($1_client_t, $1_file_t, $1_file_t) ++ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) ++ manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) ++ manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) ++ ++# permissive $1_client_t; +') ++ ++######################################## ++## ++## allow domain to read, ++## write sandbox_xserver tmp files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`sandbox_rw_xserver_tmpfs_files',` ++ gen_require(` ++ type sandbox_xserver_tmpfs_t; ++ ') ++ ++ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; ++') +Binary files nsaserefpolicy/policy/modules/apps/sandbox.pp and serefpolicy-3.6.16/policy/modules/apps/sandbox.pp differ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.16/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/apps/sandbox.te 2009-06-12 15:59:08.000000000 -0400 -@@ -0,0 +1,32 @@ ++++ serefpolicy-3.6.16/policy/modules/apps/sandbox.te 2009-06-18 10:32:16.000000000 -0400 +@@ -0,0 +1,274 @@ +policy_module(sandbox,1.0.0) -+ ++dbus_stub() +attribute sandbox_domain; ++attribute sandbox_x_domain; + +######################################## +# 
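Review bot: `sandbox_x_domain_template` in sandbox.if references `sandbox_devpts_t` (the `chr_file` allow rule and `term_create_pty`), but its `gen_require` block lists only `xserver_exec_t`, `sandbox_xserver_t` and the two attributes; add `type sandbox_devpts_t;` there so the template does not depend on where it is expanded. `allow $1_t self:capability setuid;` sits under a "# window manager" comment and is granted to every X sandbox domain, so a comment naming the program that needs it would help the next audit. In `sandbox_rw_xserver_tmpfs_files` the parameter text says "Domain to not audit." while the body is an `allow`; `Domain allowed access.` matches what the interface does.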
@@ -4566,9 +4609,76 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +sandbox_domain_template(sandbox) -+sandbox_domain_template(sandbox_x) -+role system_r types sandbox_t; -+role system_r types sandbox_x_t; ++sandbox_x_domain_template(sandbox_x) ++sandbox_x_domain_template(sandbox_web) ++sandbox_x_domain_template(sandbox_net) ++ ++type sandbox_xserver_t; ++domain_type(sandbox_xserver_t) ++xserver_common_app(sandbox_xserver_t) ++permissive sandbox_xserver_t; ++ ++type sandbox_xserver_tmpfs_t; ++files_tmpfs_file(sandbox_xserver_tmpfs_t) ++ ++type sandbox_devpts_t; ++term_pty(sandbox_devpts_t) ++files_type(sandbox_devpts_t) ++ ++######################################## ++# ++# sandbox xserver policy ++# ++allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms; ++allow sandbox_xserver_t self:shm create_shm_perms; ++allow sandbox_xserver_t self:tcp_socket create_socket_perms; ++ ++manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) ++fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ++ ++corecmd_exec_bin(sandbox_xserver_t) ++corecmd_exec_shell(sandbox_xserver_t) ++ ++corenet_all_recvfrom_unlabeled(sandbox_xserver_t) ++corenet_all_recvfrom_netlabel(sandbox_xserver_t) ++corenet_tcp_sendrecv_generic_if(sandbox_xserver_t) ++corenet_udp_sendrecv_generic_if(sandbox_xserver_t) ++corenet_tcp_sendrecv_generic_node(sandbox_xserver_t) ++corenet_udp_sendrecv_generic_node(sandbox_xserver_t) ++corenet_tcp_sendrecv_all_ports(sandbox_xserver_t) 
++corenet_udp_sendrecv_all_ports(sandbox_xserver_t) ++corenet_tcp_bind_generic_node(sandbox_xserver_t) ++corenet_tcp_bind_xserver_port(sandbox_xserver_t) ++corenet_sendrecv_xserver_server_packets(sandbox_xserver_t) ++corenet_sendrecv_all_client_packets(sandbox_xserver_t) ++ ++files_read_etc_files(sandbox_xserver_t) ++files_read_usr_files(sandbox_xserver_t) ++files_search_home(sandbox_xserver_t) ++fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) ++ ++miscfiles_read_fonts(sandbox_xserver_t) ++miscfiles_read_localization(sandbox_xserver_t) ++ ++kernel_read_system_state(sandbox_xserver_t) ++ ++auth_use_nsswitch(sandbox_xserver_t) ++ ++userdom_use_user_terminals(sandbox_xserver_t) ++ ++xserver_entry_type(sandbox_xserver_t) ++ ++optional_policy(` ++ dbus_system_bus_client(sandbox_xserver_t) ++ ++ optional_policy(` ++ hal_dbus_chat(sandbox_xserver_t) ++ ') ++') + +######################################## +# 
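Review bot: `permissive sandbox_xserver_t;` in sandbox.te means none of the rules written below it for the sandbox X server are enforced; denials are only logged. The templates in sandbox.if let each X sandbox domain transition into `sandbox_xserver_t` and share tmpfs files and shm with it, so while this line is present that domain is the weakest part of the sandbox. If it is there only to collect AVC denials, say so next to it, e.g. `# temporary: remove once sandbox_xserver_t denials are resolved`, and drop it before the policy ships. The network rules also look wider than an X server needs (`corenet_tcp_sendrecv_all_ports`, `corenet_sendrecv_all_client_packets`); presumably binding the xserver port is the only requirement, which should be confirmed.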
@@ -4584,10 +4694,184 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(sandbox_domain) + -+userdom_use_user_ptys(sandbox_domain) -+ +kernel_dontaudit_read_system_state(sandbox_domain) +corecmd_exec_all_executables(sandbox_domain) ++ ++ ++######################################## ++# ++# sandbox_x_domain local policy ++# ++allow sandbox_x_domain self:process { signal_perms getsched setpgid }; ++allow sandbox_x_domain self:shm create_shm_perms; ++allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; ++allow sandbox_x_domain self:unix_dgram_socket create_socket_perms; ++allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; ++dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++ ++dev_read_urand(sandbox_x_domain) ++dev_dontaudit_read_rand(sandbox_x_domain) ++ ++files_read_etc_files(sandbox_x_domain) ++files_read_usr_files(sandbox_x_domain) ++files_read_usr_symlinks(sandbox_x_domain) ++ ++fs_getattr_tmpfs(sandbox_x_domain) ++fs_getattr_xattr_fs(sandbox_x_domain) ++ ++auth_dontaudit_read_login_records(sandbox_x_domain) ++ ++init_read_utmp(sandbox_x_domain) ++ ++term_getattr_pty_fs(sandbox_x_domain) ++term_use_ptmx(sandbox_x_domain) ++ ++logging_send_syslog_msg(sandbox_x_domain) ++ ++miscfiles_read_fonts(sandbox_x_domain) ++ ++optional_policy(` ++ gnome_read_gconf_config(sandbox_x_domain) ++') ++ ++optional_policy(` ++ cups_stream_connect(sandbox_x_domain) ++ cups_read_rw_config(sandbox_x_domain) ++') ++ ++######################################## ++# ++# sandbox_x_client_t local policy ++# ++allow sandbox_x_client_t self:tcp_socket create_socket_perms; ++allow sandbox_x_client_t self:udp_socket create_socket_perms; ++allow sandbox_x_client_t self:dbus { acquire_svc send_msg }; ++allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms; ++ ++dev_read_rand(sandbox_x_client_t) ++ 
++corenet_tcp_connect_ipp_port(sandbox_x_client_t) ++ ++auth_use_nsswitch(sandbox_x_client_t) ++ ++dbus_system_bus_client(sandbox_x_client_t) ++dbus_read_config(sandbox_x_client_t) ++selinux_get_fs_mount(sandbox_x_client_t) ++selinux_validate_context(sandbox_x_client_t) ++selinux_compute_access_vector(sandbox_x_client_t) ++selinux_compute_create_context(sandbox_x_client_t) ++selinux_compute_relabel_context(sandbox_x_client_t) ++selinux_compute_user_contexts(sandbox_x_client_t) ++seutil_read_default_contexts(sandbox_x_client_t) ++ ++optional_policy(` ++ hal_dbus_chat(sandbox_x_client_t) ++') ++ ++######################################## ++# ++# sandbox_web_client_t local policy ++# ++allow sandbox_web_client_t self:capability { setuid setgid }; ++allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay; ++allow sandbox_web_client_t self:process setsched; ++ ++allow sandbox_web_client_t self:tcp_socket create_socket_perms; ++allow sandbox_web_client_t self:udp_socket create_socket_perms; ++allow sandbox_web_client_t self:dbus { acquire_svc send_msg }; ++allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms; ++ ++dev_read_rand(sandbox_web_client_t) ++ ++# Browse the web, connect to printer ++corenet_all_recvfrom_unlabeled(sandbox_web_client_t) ++corenet_all_recvfrom_netlabel(sandbox_web_client_t) ++corenet_tcp_sendrecv_generic_if(sandbox_web_client_t) ++corenet_raw_sendrecv_generic_if(sandbox_web_client_t) ++corenet_tcp_sendrecv_generic_node(sandbox_web_client_t) ++corenet_raw_sendrecv_generic_node(sandbox_web_client_t) ++corenet_tcp_sendrecv_http_port(sandbox_web_client_t) ++corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t) ++corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t) ++corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t) ++corenet_tcp_connect_http_port(sandbox_web_client_t) ++corenet_tcp_connect_http_cache_port(sandbox_web_client_t) ++corenet_tcp_connect_ftp_port(sandbox_web_client_t) 
++corenet_tcp_connect_ipp_port(sandbox_web_client_t) ++corenet_tcp_connect_generic_port(sandbox_web_client_t) ++corenet_sendrecv_http_client_packets(sandbox_web_client_t) ++corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t) ++corenet_sendrecv_ftp_client_packets(sandbox_web_client_t) ++corenet_sendrecv_ipp_client_packets(sandbox_web_client_t) ++corenet_sendrecv_generic_client_packets(sandbox_web_client_t) ++# Should not need other ports ++corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t) ++corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t) ++corenet_tcp_connect_speech_port(sandbox_web_client_t) ++ ++auth_use_nsswitch(sandbox_web_client_t) ++ ++dbus_system_bus_client(sandbox_web_client_t) ++dbus_read_config(sandbox_web_client_t) ++selinux_get_fs_mount(sandbox_web_client_t) ++selinux_validate_context(sandbox_web_client_t) ++selinux_compute_access_vector(sandbox_web_client_t) ++selinux_compute_create_context(sandbox_web_client_t) ++selinux_compute_relabel_context(sandbox_web_client_t) ++selinux_compute_user_contexts(sandbox_web_client_t) ++seutil_read_default_contexts(sandbox_web_client_t) ++ ++optional_policy(` ++ nsplugin_read_rw_files(sandbox_web_client_t) ++ nsplugin_rw_exec(sandbox_web_client_t) ++') ++ ++optional_policy(` ++ hal_dbus_chat(sandbox_web_client_t) ++') ++ ++######################################## ++# ++# sandbox_net_client_t local policy ++# ++allow sandbox_net_client_t self:tcp_socket create_socket_perms; ++allow sandbox_net_client_t self:udp_socket create_socket_perms; ++allow sandbox_net_client_t self:dbus { acquire_svc send_msg }; ++allow sandbox_net_client_t self:netlink_selinux_socket create_socket_perms; ++ ++dev_read_rand(sandbox_net_client_t) ++ ++corenet_all_recvfrom_unlabeled(sandbox_net_client_t) ++corenet_all_recvfrom_netlabel(sandbox_net_client_t) ++corenet_tcp_sendrecv_generic_if(sandbox_net_client_t) ++corenet_udp_sendrecv_generic_if(sandbox_net_client_t) 
++corenet_tcp_sendrecv_generic_node(sandbox_net_client_t) ++corenet_udp_sendrecv_generic_node(sandbox_net_client_t) ++corenet_tcp_sendrecv_all_ports(sandbox_net_client_t) ++corenet_udp_sendrecv_all_ports(sandbox_net_client_t) ++corenet_tcp_connect_all_ports(sandbox_net_client_t) ++corenet_sendrecv_all_client_packets(sandbox_net_client_t) ++ ++auth_use_nsswitch(sandbox_net_client_t) ++ ++dbus_system_bus_client(sandbox_net_client_t) ++dbus_read_config(sandbox_net_client_t) ++selinux_get_fs_mount(sandbox_net_client_t) ++selinux_validate_context(sandbox_net_client_t) ++selinux_compute_access_vector(sandbox_net_client_t) ++selinux_compute_create_context(sandbox_net_client_t) ++selinux_compute_relabel_context(sandbox_net_client_t) ++selinux_compute_user_contexts(sandbox_net_client_t) ++seutil_read_default_contexts(sandbox_net_client_t) ++ ++optional_policy(` ++ nsplugin_read_rw_files(sandbox_web_client_t) ++ nsplugin_rw_exec(sandbox_web_client_t) ++') ++ ++optional_policy(` ++ hal_dbus_chat(sandbox_net_client_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.16/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.16/policy/modules/apps/screen.if 2009-06-12 15:59:08.000000000 -0400 @@ -5019,7 +5303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.16/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-06-12 09:08:48.000000000 -0400 -+++ serefpolicy-3.6.16/policy/modules/kernel/corecommands.fc 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/kernel/corecommands.fc 2009-06-18 09:27:34.000000000 -0400 
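Review bot: In the `sandbox_net_client_t` section at the end of sandbox.te, the `optional_policy` block calls `nsplugin_read_rw_files(sandbox_web_client_t)` and `nsplugin_rw_exec(sandbox_web_client_t)`, repeating the web-client block verbatim. As written, `sandbox_net_client_t` gets no nsplugin access and the web-client rules are simply stated twice. If the net sandbox is meant to run plugins, the two lines should be `nsplugin_read_rw_files(sandbox_net_client_t)` and `nsplugin_rw_exec(sandbox_net_client_t)`; otherwise delete the block so the section lists only what that domain is granted.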
@@ -139,6 +139,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -5030,7 +5314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -312,3 +315,20 @@ +@@ -312,3 +315,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -5051,6 +5335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) + ++/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.16/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.16/policy/modules/kernel/corecommands.if 2009-06-12 15:59:08.000000000 -0400 @@ -5472,7 +5757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.16/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-06-12 09:08:48.000000000 -0400 -+++ serefpolicy-3.6.16/policy/modules/kernel/domain.te 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/kernel/domain.te 2009-06-17 09:16:36.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -5543,7 +5828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -153,3 +174,49 @@ +@@ -153,3 +174,50 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) 
@@ -5559,6 +5844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + cron_rw_system_job_pipes(domain) + +ifdef(`hide_broken_symptoms',` ++ fs_list_inotifyfs(domain) + allow domain domain:key { link search }; +') +') @@ -5628,7 +5914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.16/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-06-12 09:08:48.000000000 -0400 -+++ serefpolicy-3.6.16/policy/modules/kernel/files.if 2009-06-15 10:43:32.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/kernel/files.if 2009-06-18 09:21:59.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -6328,8 +6614,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(guest_u, user, guest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.16/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/roles/staff.te 2009-06-12 15:59:08.000000000 -0400 -@@ -15,156 +15,99 @@ ++++ serefpolicy-3.6.16/policy/modules/roles/staff.te 2009-06-18 08:41:56.000000000 -0400 +@@ -15,156 +15,103 @@ # Local policy # @@ -6352,7 +6638,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - cdrecord_role(staff_r, staff_t) -') -- ++kernel_read_ring_buffer(staff_t) ++kernel_getattr_core_if(staff_t) ++kernel_getattr_message_if(staff_t) ++kernel_read_software_raid_state(staff_t) + -optional_policy(` - cron_role(staff_r, staff_t) -') 
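Review bot: `fs_list_inotifyfs(domain)` in the domain.te hunk (@@ -5559) is applied to the `domain` attribute, so with `hide_broken_symptoms` defined every domain in the policy may list inotifyfs directories, including the confined sandbox domains added in this same patch. The flag name suggests the aim is to quiet denials rather than to grant access; if so, a dontaudit rule is the narrower tool. Either way a one-line comment such as `# leaked inotify fds cause list denials in many domains` would record why the grant is global. It also makes the `fs_list_inotifyfs(nsplugin_t)` line added in the nsplugin.te hunk redundant whenever the flag is set.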
@@ -6360,11 +6650,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - dbus_role_template(staff, staff_r, staff_t) -') -- ++auth_domtrans_pam_console(staff_t) + -optional_policy(` - ethereal_role(staff_r, staff_t) -') -- ++libs_manage_shared_libs(staff_t) + -optional_policy(` - evolution_role(staff_r, staff_t) -') 
@@ -6376,133 +6668,128 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - gift_role(staff_r, staff_t) -') -+kernel_read_ring_buffer(staff_t) -+kernel_getattr_core_if(staff_t) -+kernel_getattr_message_if(staff_t) -+kernel_read_software_raid_state(staff_t) - --optional_policy(` -- gnome_role(staff_r, staff_t) --') -+auth_domtrans_pam_console(staff_t) - --optional_policy(` -- gpg_role(staff_r, staff_t) --') -+libs_manage_shared_libs(staff_t) - --optional_policy(` -- irc_role(staff_r, staff_t) --') +seutil_run_newrole(staff_t, staff_r) +netutils_run_ping(staff_t, staff_r) optional_policy(` -- java_role(staff_r, staff_t) +- gnome_role(staff_r, staff_t) + sudo_role_template(staff, staff_r, staff_t) ') optional_policy(` -- lockdev_role(staff_r, staff_t) +- gpg_role(staff_r, staff_t) + auditadm_role_change(staff_r) ') optional_policy(` -- lpd_role(staff_r, staff_t) +- irc_role(staff_r, staff_t) + kerneloops_manage_tmp_files(staff_t) ') optional_policy(` -- mozilla_role(staff_r, staff_t) +- java_role(staff_r, staff_t) + logadm_role_change(staff_r) ') optional_policy(` -- mplayer_role(staff_r, staff_t) +- lockdev_role(staff_r, staff_t) + postgresql_role(staff_r, staff_t) ') optional_policy(` -- mta_role(staff_r, staff_t) +- lpd_role(staff_r, staff_t) + secadm_role_change(staff_r) ') optional_policy(` -- oident_manage_user_content(staff_t) -- oident_relabel_user_content(staff_t) +- mozilla_role(staff_r, staff_t) + ssh_role_template(staff, staff_r, staff_t) ') optional_policy(` -- pyzor_role(staff_r, staff_t) +- mplayer_role(staff_r, staff_t) + sysadm_role_change(staff_r) ') optional_policy(` -- razor_role(staff_r, staff_t) +- mta_role(staff_r, staff_t) + usernetctl_run(staff_t, staff_r) ') optional_policy(` -- rssh_role(staff_r, staff_t) +- oident_manage_user_content(staff_t) +- oident_relabel_user_content(staff_t) + unconfined_role_change(staff_r) ') optional_policy(` -- screen_role_template(staff, staff_r, staff_t) +- 
pyzor_role(staff_r, staff_t) + webadm_role_change(staff_r) ') -optional_policy(` -- secadm_role_change(staff_r) +- razor_role(staff_r, staff_t) -') +domain_read_all_domains_state(staff_t) +domain_getattr_all_domains(staff_t) +domain_obj_id_change_exemption(staff_t) -optional_policy(` -- spamassassin_role(staff_r, staff_t) +- rssh_role(staff_r, staff_t) -') +files_read_kernel_modules(staff_t) -optional_policy(` -- ssh_role_template(staff, staff_r, staff_t) +- screen_role_template(staff, staff_r, staff_t) -') +kernel_read_fs_sysctls(staff_t) -optional_policy(` -- su_role_template(staff, staff_r, staff_t) +- secadm_role_change(staff_r) -') +modutils_read_module_config(staff_t) +modutils_read_module_deps(staff_t) -optional_policy(` -- sudo_role_template(staff, staff_r, staff_t) +- spamassassin_role(staff_r, staff_t) +-') +- +-optional_policy(` +- ssh_role_template(staff, staff_r, staff_t) +-') +- +-optional_policy(` +- su_role_template(staff, staff_r, staff_t) -') +miscfiles_read_hwdata(staff_t) -optional_policy(` -- sysadm_role_change(staff_r) -- userdom_dontaudit_use_user_terminals(staff_t) +- sudo_role_template(staff, staff_r, staff_t) -') +term_use_unallocated_ttys(staff_t) optional_policy(` -- thunderbird_role(staff_r, staff_t) +- sysadm_role_change(staff_r) +- userdom_dontaudit_use_user_terminals(staff_t) + gnomeclock_dbus_chat(staff_t) ') optional_policy(` -- tvtime_role(staff_r, staff_t) +- thunderbird_role(staff_r, staff_t) + kerneloops_dbus_chat(staff_t) ') optional_policy(` -- uml_role(staff_r, staff_t) +- tvtime_role(staff_r, staff_t) + rpm_dbus_chat(staff_usertype) ') optional_policy(` +- uml_role(staff_r, staff_t) ++ sandbox_transition(staff_t, staff_r) + ') + + optional_policy(` - userhelper_role_template(staff, staff_r, staff_t) + screen_manage_var_run(staff_t) ') 
@@ -7539,7 +7826,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.16/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/roles/unconfineduser.te 2009-06-15 15:37:34.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/roles/unconfineduser.te 2009-06-18 08:41:31.000000000 -0400 @@ -0,0 +1,407 @@ +policy_module(unconfineduser, 1.0.0) + @@ -7826,7 +8113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ sandbox_run(unconfined_t, unconfined_r) ++ sandbox_transition(unconfined_t, unconfined_r) +') + +optional_policy(` @@ -7950,8 +8237,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.16/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/roles/unprivuser.te 2009-06-12 15:59:08.000000000 -0400 -@@ -14,142 +14,13 @@ ++++ serefpolicy-3.6.16/policy/modules/roles/unprivuser.te 2009-06-18 08:42:17.000000000 -0400 +@@ -14,142 +14,17 @@ userdom_unpriv_user_template(user) optional_policy(` @@ -7966,9 +8253,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - bluetooth_role(user_r, user_t) --') -- --optional_policy(` ++ sandbox_transition(user_t, user_r) + ') + + optional_policy(` - cdrecord_role(user_r, user_t) -') - 
@@ -10007,8 +10295,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(bitlbee_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.16/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.16/policy/modules/services/bluetooth.te 2009-06-12 15:59:08.000000000 -0400 -@@ -152,6 +152,10 @@ ++++ serefpolicy-3.6.16/policy/modules/services/bluetooth.te 2009-06-17 09:19:22.000000000 -0400 +@@ -64,6 +64,7 @@ + allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow bluetooth_t self:tcp_socket create_stream_socket_perms; + allow bluetooth_t self:udp_socket create_socket_perms; ++allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms; + + read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t) + +@@ -152,6 +153,10 @@ optional_policy(` hal_dbus_chat(bluetooth_t) ') @@ -10295,7 +10591,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.16/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-05-21 08:43:08.000000000 -0400 -+++ serefpolicy-3.6.16/policy/modules/services/consolekit.te 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/services/consolekit.te 2009-06-17 11:27:29.000000000 -0400 @@ -11,7 +11,7 @@ init_daemon_domain(consolekit_t, consolekit_exec_t) @@ -10345,7 +10641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hal_dbus_chat(consolekit_t) ') -@@ -97,11 +106,23 @@ +@@ -97,11 +106,27 @@ ') optional_policy(` 
@@ -10362,6 +10658,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_ptrace_xdm(consolekit_t) + xserver_common_app(consolekit_t) + corenet_tcp_connect_xserver_port(consolekit_t) ++') ++ ++optional_policy(` ++ udev_domtrans(consolekit_t) ') optional_policy(` @@ -13118,8 +13418,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.16/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/services/fprintd.te 2009-06-12 15:59:08.000000000 -0400 -@@ -0,0 +1,54 @@ ++++ serefpolicy-3.6.16/policy/modules/services/fprintd.te 2009-06-17 09:18:32.000000000 -0400 +@@ -0,0 +1,55 @@ +policy_module(fprintd,1.0.0) + +######################################## @@ -13167,16 +13467,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ polkit_read_reload(fprintd_t) -+ polkit_read_lib(fprintd_t) ++ polkit_dbus_chat(fprintd_t) + polkit_domtrans_auth(fprintd_t) ++ polkit_read_lib(fprintd_t) ++ polkit_read_reload(fprintd_t) +') + +permissive fprintd_t; + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.16/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/services/ftp.te 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/services/ftp.te 2009-06-16 08:25:34.000000000 -0400 @@ -26,7 +26,7 @@ ## ##
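Review bot: `udev_domtrans(consolekit_t)` in the new optional_policy block of consolekit.te lets consolekit_t enter udev_t through any file labelled udev_exec_t, not only the helper it presumably needs. The udev.fc hunk later in this patch labels `/lib/udev/udev-acl` as udev_exec_t, so that helper runs with everything udev_t is allowed. If udev-acl only adjusts device ACLs, a dedicated exec type with its own smaller domain would keep consolekit away from the full udev_t permission set. At minimum, record the reason next to the call, for example `# consolekit runs /lib/udev/udev-acl on seat changes` (wording to be confirmed by the author).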

@@ -13216,7 +13517,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ftpd_t ftpd_etc_t:file read_file_perms; -@@ -160,6 +168,7 @@ +@@ -121,8 +129,7 @@ + allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink }; + + # Create and modify /var/log/xferlog. +-allow ftpd_t xferlog_t:dir search_dir_perms; +-allow ftpd_t xferlog_t:file manage_file_perms; ++manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) + logging_log_filetrans(ftpd_t, xferlog_t, file) + + kernel_read_kernel_sysctls(ftpd_t) +@@ -160,6 +167,7 @@ fs_search_auto_mountpoints(ftpd_t) fs_getattr_all_fs(ftpd_t) @@ -13224,7 +13535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(ftpd_t) auth_domtrans_chk_passwd(ftpd_t) -@@ -222,9 +231,15 @@ +@@ -222,9 +230,15 @@ userdom_manage_user_home_content_dirs(ftpd_t) userdom_manage_user_home_content_files(ftpd_t) userdom_manage_user_home_content_symlinks(ftpd_t) @@ -13241,7 +13552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` fs_manage_nfs_files(ftpd_t) fs_read_nfs_symlinks(ftpd_t) -@@ -258,7 +273,26 @@ +@@ -258,7 +272,26 @@ ') optional_policy(` @@ -13269,7 +13580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -270,6 +304,14 @@ +@@ -270,6 +303,14 @@ ') optional_policy(` 
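Review bot: Replacing the two xferlog_t rules in ftp.te with `manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)` widens the directory permission from search to read/write on xferlog_t directories, so ftpd_t can now add and remove entries there as well as manage the files. If only the log file created through `logging_log_filetrans(ftpd_t, xferlog_t, file)` has to be written, the narrower pair was sufficient. If ftpd really creates files inside an xferlog_t directory, the comment above the rule should say so, e.g. `# Create and modify /var/log/xferlog and files inside xferlog_t directories.`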
@@ -15087,7 +15398,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.16/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/services/networkmanager.te 2009-06-15 08:31:33.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/services/networkmanager.te 2009-06-16 11:24:19.000000000 -0400 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -15818,6 +16129,217 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.16/policy/modules/services/nslcd.fc +--- nsaserefpolicy/policy/modules/services/nslcd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.16/policy/modules/services/nslcd.fc 2009-06-18 10:39:36.000000000 -0400 +@@ -0,0 +1,4 @@ ++/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0) ++/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0) ++/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0) ++/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.16/policy/modules/services/nslcd.if +--- nsaserefpolicy/policy/modules/services/nslcd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.16/policy/modules/services/nslcd.if 2009-06-18 10:39:36.000000000 -0400 +@@ -0,0 +1,145 @@ ++ ++##

policy for nslcd ++ ++######################################## ++## ++## Execute a domain transition to run nslcd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`nslcd_domtrans',` ++ gen_require(` ++ type nslcd_t; ++ type nslcd_exec_t; ++ ') ++ ++ domtrans_pattern($1,nslcd_exec_t,nslcd_t) ++') ++ ++ ++######################################## ++## ++## Execute nslcd server in the nslcd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`nslcd_initrc_domtrans',` ++ gen_require(` ++ type nslcd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1,nslcd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Read nslcd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nslcd_read_pid_files',` ++ gen_require(` ++ type nslcd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 nslcd_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Manage nslcd var_run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nslcd_manage_var_run',` ++ gen_require(` ++ type nslcd_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1,nslcd_var_run_t,nslcd_var_run_t) ++ manage_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t) ++ manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an nslcd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the nslcd domain. ++## ++## ++## ++## ++## The type of the user terminal. 
++## ++## ++## ++# ++interface(`nslcd_admin',` ++ gen_require(` ++ type nslcd_t; ++ ') ++ ++ allow $1 nslcd_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, nslcd_t, nslcd_t) ++ allow $1 nslcd_conf_t:file read_file_perms; ++ ++ gen_require(` ++ type nslcd_initrc_exec_t; ++ ') ++ ++ # Allow nslcd_t to restart the apache service ++ nslcd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 nslcd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ nslcd_manage_var_run($1) ++') ++ ++ ++######################################## ++## ++## Connect to nslcd over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nslcd_use',` ++ gen_require(` ++ type nslcd_t, var_run_t, nslcd_var_run_t; ++ ') ++ ++# list_dirs_pattern($1, var_run_t, nslcd_var_run_t) ++ write_sock_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ++ allow $1 nslcd_t:unix_stream_socket connectto; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.16/policy/modules/services/nslcd.te +--- nsaserefpolicy/policy/modules/services/nslcd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.16/policy/modules/services/nslcd.te 2009-06-18 10:39:36.000000000 -0400 +@@ -0,0 +1,50 @@ ++policy_module(nslcd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type nslcd_t; ++type nslcd_exec_t; ++init_daemon_domain(nslcd_t, nslcd_exec_t) ++ ++#permissive nslcd_t; ++ ++type nslcd_initrc_exec_t; ++init_script_file(nslcd_initrc_exec_t) ++ ++type nslcd_var_run_t; ++files_pid_file(nslcd_var_run_t) ++ ++type nslcd_conf_t; ++files_type(nslcd_conf_t) ++allow nslcd_t nslcd_conf_t:file read_file_perms; ++ ++######################################## ++# ++# nslcd local policy ++# ++ ++allow nslcd_t self:capability { setgid setuid dac_override }; ++ ++# Init script handling ++domain_use_interactive_fds(nslcd_t) ++ ++# internal 
communication is often done using fifo and unix sockets. ++allow nslcd_t self:sock_file rw_file_perms; ++allow nslcd_t self:unix_stream_socket create_stream_socket_perms; ++allow nslcd_t self:process signal; ++ ++files_read_etc_files(nslcd_t) ++ ++miscfiles_read_localization(nslcd_t) ++ ++manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) ++manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) ++files_pid_filetrans(nslcd_t,nslcd_var_run_t, { file dir }) ++allow nslcd_t nslcd_var_run_t:sock_file manage_sock_file_perms; ++ ++auth_use_nsswitch(nslcd_t) ++ ++logging_send_syslog_msg(nslcd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.16/policy/modules/services/ntp.if --- nsaserefpolicy/policy/modules/services/ntp.if 2009-06-08 15:22:17.000000000 -0400 +++ serefpolicy-3.6.16/policy/modules/services/ntp.if 2009-06-12 15:59:08.000000000 -0400 
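Review bot: In nslcd.if, `nslcd_admin` uses `nslcd_conf_t` in `allow $1 nslcd_conf_t:file read_file_perms;` but its gen_require blocks name only nslcd_t and nslcd_initrc_exec_t, so a caller built as a separate module would presumably fail to resolve the type; a single block with `type nslcd_t, nslcd_conf_t, nslcd_initrc_exec_t;` covers it. The same interface grants `ptrace` on nslcd_t to the admin domain, and because this daemon sits behind name-service lookups, `{ signal_perms getattr }` is worth considering unless debugging is an explicit requirement. The comment `# Allow nslcd_t to restart the apache service` is left over from a template and should read `# Allow $1 to restart the nslcd service`; the documented third parameter (user terminal) is never used in the body. In nslcd.te, `allow nslcd_t self:sock_file rw_file_perms;` names the process type as the object of a file class, which looks unlikely to match anything, while the comment above it speaks of fifos; please confirm whether `allow nslcd_t self:fifo_file rw_fifo_file_perms;` was meant.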
@@ -16224,6 +16746,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + prelude_manage_spool(pads_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.16/policy/modules/services/pcscd.te +--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-03-23 13:47:11.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/services/pcscd.te 2009-06-16 09:52:14.000000000 -0400 +@@ -29,6 +29,7 @@ + + manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) + manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) ++manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) + manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) + files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) + +@@ -46,6 +47,8 @@ + files_read_etc_files(pcscd_t) + files_read_etc_runtime_files(pcscd_t) + ++kernel_read_system_state(pcscd_t) ++ + term_use_unallocated_ttys(pcscd_t) + term_dontaudit_getattr_pty_dirs(pcscd_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.16/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.16/policy/modules/services/pegasus.te 2009-06-12 15:59:08.000000000 -0400 @@ -16300,13 +16842,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.16/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/services/polkit.fc 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/services/polkit.fc 2009-06-15 16:34:08.000000000 -0400 
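Review bot: The added `manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)` in pcscd.te has no counterpart in the `files_pid_filetrans` line two lines below it, whose class list is still `{ file sock_file dir }`. A FIFO that pcscd creates directly in the pid directory would then keep the parent directory's type rather than pcscd_var_run_t, and the new rule would not apply to it. If the FIFO lives at that level, extend the list: `files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file fifo_file dir })`. If it is always created inside a pcscd_var_run_t directory, a one-line comment saying so is enough.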
@@ -0,0 +1,11 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) +/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0) +/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0) -+/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0) ++/usr/libexec/polkitd.* -- gen_context(system_u:object_r:polkit_exec_t,s0) + +/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) +/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) @@ -16315,7 +16857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.16/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/services/polkit.if 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/services/polkit.if 2009-06-17 09:17:36.000000000 -0400 @@ -0,0 +1,241 @@ + +## policy for polkit_auth @@ -20174,7 +20716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.16/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/services/setroubleshoot.te 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/services/setroubleshoot.te 2009-06-18 09:22:05.000000000 -0400 @@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) 
@@ -20209,7 +20751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -68,16 +76,24 @@ +@@ -68,16 +76,25 @@ dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) @@ -20225,6 +20767,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_getattr_all_files(setroubleshootd_t) +files_getattr_all_pipes(setroubleshootd_t) +files_getattr_all_sockets(setroubleshootd_t) ++files_read_all_symlinks(setroubleshootd_t) fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) @@ -20235,7 +20778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,22 +110,28 @@ +@@ -94,22 +111,28 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -21833,8 +22376,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.16/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/services/sssd.te 2009-06-12 15:59:08.000000000 -0400 -@@ -0,0 +1,72 @@ ++++ serefpolicy-3.6.16/policy/modules/services/sssd.te 2009-06-16 11:24:47.000000000 -0400 +@@ -0,0 +1,74 @@ +policy_module(sssd,1.0.0) + +######################################## @@ -21892,6 +22435,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_etc_files(sssd_t) +files_read_usr_files(sssd_t) + ++fs_list_inotifyfs(sssd_t) ++ +auth_use_nsswitch(sssd_t) +auth_domtrans_chk_passwd(sssd_t) +auth_domtrans_upd_passwd(sssd_t) 
@@ -22484,7 +23029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.16/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/services/virt.te 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/services/virt.te 2009-06-16 11:25:30.000000000 -0400 @@ -8,19 +8,31 @@ ## @@ -22599,7 +23144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -96,30 +140,50 @@ +@@ -96,30 +140,51 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -22640,6 +23185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_list_auto_mountpoints(virtd_t) +fs_getattr_xattr_fs(virtd_t) +fs_rw_anon_inodefs_files(virtd_t) ++fs_list_inotifyfs(virtd_t) +storage_manage_fixed_disk(virtd_t) +storage_relabel_fixed_disk(virtd_t) @@ -22653,7 +23199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) -@@ -129,7 +193,15 @@ +@@ -129,7 +194,15 @@ logging_send_syslog_msg(virtd_t) @@ -22669,7 +23215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -167,22 +239,34 @@ +@@ -167,22 +240,34 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) @@ -22709,7 +23255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -195,8 +279,86 @@ +@@ -195,8 +280,86 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) 
@@ -22820,7 +23366,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.16/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/services/xserver.fc 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/services/xserver.fc 2009-06-18 08:45:33.000000000 -0400 @@ -3,12 +3,16 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -22850,15 +23396,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /opt # -@@ -61,6 +60,7 @@ +@@ -61,7 +60,9 @@ /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) ++/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -89,16 +89,26 @@ + ifdef(`distro_debian', ` +@@ -89,16 +90,26 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) 
@@ -22890,7 +23438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.16/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/services/xserver.if 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/services/xserver.if 2009-06-18 08:45:02.000000000 -0400 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -23117,7 +23665,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -872,6 +936,27 @@ +@@ -797,6 +861,24 @@ + + ######################################## + ## ++## Make an X executable an entrypoint for the specified domain. ++## ++## ++## ++## The domain for which the shell is an entrypoint. ++## ++## ++# ++interface(`xserver_entry_type',` ++ gen_require(` ++ type xserver_exec_t; ++ ') ++ ++ domain_entry_file($1, xserver_exec_t) ++') ++ ++######################################## ++## + ## Execute an X session in the target domain. This + ## is an explicit transition, requiring the + ## caller to use setexeccon(). +@@ -872,6 +954,27 @@ ######################################## ## @@ -23145,7 +23718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write the X server ## log files. ## -@@ -1018,10 +1103,11 @@ +@@ -1018,10 +1121,11 @@ # interface(`xserver_domtrans',` gen_require(` 
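Review bot: The parameter description of the new `xserver_entry_type` interface in xserver.if was copied from a shell interface and still reads "The domain for which the shell is an entrypoint." The body is `domain_entry_file($1, xserver_exec_t)`, so it should read `## The domain for which the X server executable is an entrypoint.` Since this lets a caller's domain be entered through any file labelled xserver_exec_t (the xserver.fc hunk in this patch adds `/usr/bin/Xephyr` to that set), a sentence in the summary naming the intended caller would help later reviewers judge whether a new use is appropriate.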
@@ -23158,7 +23731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1159,6 +1245,275 @@ +@@ -1159,6 +1263,275 @@ ######################################## ## @@ -23434,7 +24007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1172,7 +1527,103 @@ +@@ -1172,7 +1545,103 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; @@ -23465,7 +24038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + gen_require(` + class x_drawable all_x_drawable_perms; + class x_resource all_x_resource_perms; - ') ++') + + allow $1 $2:x_drawable all_x_drawable_perms; + allow $2 $1:x_drawable all_x_drawable_perms; @@ -23496,7 +24069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + class x_selection all_x_selection_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; -+ ') + ') + + # Type attributes + typeattribute $1 x_domain; @@ -23540,7 +24113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.16/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/services/xserver.te 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/services/xserver.te 2009-06-18 08:43:27.000000000 -0400 @@ -34,6 +34,13 @@ ## 
@@ -24122,7 +24695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,12 +924,16 @@ +@@ -774,12 +924,20 @@ ') optional_policy(` @@ -24136,11 +24709,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - unconfined_domain_noaudit(xserver_t) ++ sandbox_rw_xserver_tmpfs_files(xserver_t) ++') ++ ++optional_policy(` + unconfined_domain(xserver_t) unconfined_domtrans(xserver_t) ') -@@ -806,7 +960,7 @@ +@@ -806,7 +964,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -24149,7 +24726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +981,14 @@ +@@ -827,9 +985,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -24164,7 +24741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +1003,14 @@ +@@ -844,11 +1007,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -24180,7 +24757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +1018,11 @@ +@@ -856,6 +1022,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -24192,7 +24769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -881,6 +1048,8 @@ +@@ -881,6 +1052,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; 
@@ -24201,7 +24778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1074,8 @@ +@@ -905,6 +1078,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -24210,7 +24787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,17 +1143,49 @@ +@@ -972,17 +1147,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -24358,7 +24935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.16/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2009-06-12 15:45:03.000000000 -0400 -+++ serefpolicy-3.6.16/policy/modules/system/authlogin.if 2009-06-15 15:31:30.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/system/authlogin.if 2009-06-18 10:39:36.000000000 -0400 @@ -46,11 +46,23 @@ ') @@ -24440,12 +25017,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + nis_authenticate($1) -+ ') + ') + + optional_policy(` + ssh_agent_exec($1) + userdom_read_user_home_content_files($1) - ') ++ ') + ') @@ -24464,11 +25041,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - sysnet_dns_name_resolve($1) - sysnet_use_ldap($1) - - optional_policy(` +- optional_policy(` - kerberos_use($1) - ') - -- optional_policy(` + optional_policy(` - nis_use_ypbind($1) + kerberos_read_keytab($1) + kerberos_connect_524($1) 
@@ -24546,7 +25123,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1395,6 +1494,14 @@ +@@ -1254,6 +1353,25 @@ + + ######################################## + ## ++## dontaudit read login records files (/var/log/wtmp). ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`auth_dontaudit_read_login_records',` ++ gen_require(` ++ type wtmp_t; ++ ') ++ ++ dontaudit $1 wtmp_t:file read_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to write to + ## login records files. + ## +@@ -1395,6 +1513,14 @@ ') optional_policy(` @@ -24561,10 +25164,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1403,8 +1510,13 @@ +@@ -1403,8 +1529,17 @@ ') optional_policy(` ++ nslcd_use($1) ++ ') ++ ++ optional_policy(` + sssd_stream_connect($1) + ') + @@ -24896,7 +25503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.16/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/system/init.te 2009-06-15 10:43:51.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/system/init.te 2009-06-18 08:29:05.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) 
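Review bot: The documentation of the new `auth_dontaudit_read_login_records` interface in authlogin.if describes its parameter as "Domain allowed access.", but the body is only `dontaudit $1 wtmp_t:file read_file_perms;` and grants nothing. I would write the summary as `## Do not audit attempts to read login records files (/var/log/wtmp).` and the parameter as `## Domain to not audit.`, matching the neighbouring "Do not audit attempts to write to login records files." block. Because a dontaudit rule removes these denials from the audit log, the accurate wording matters to anyone later trying to work out why reads of wtmp by a calling domain leave no AVC record.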
@@ -25442,7 +26049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.16/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.16/policy/modules/system/iscsi.te 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/system/iscsi.te 2009-06-16 09:44:00.000000000 -0400 @@ -55,6 +55,7 @@ files_pid_filetrans(iscsid_t,iscsi_var_run_t,file) @@ -25451,7 +26058,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) -@@ -73,6 +74,6 @@ +@@ -68,11 +69,12 @@ + dev_rw_sysfs(iscsid_t) + + domain_use_interactive_fds(iscsid_t) ++domain_read_all_domains_state(iscsid_t) + + files_read_etc_files(iscsid_t) logging_send_syslog_msg(iscsid_t) 
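Review bot: `domain_read_all_domains_state(iscsid_t)` in iscsi.te gives iscsid_t read access to the /proc state of every domain on the system, and nothing in the hunk says which process it needs to inspect. If a denial against one particular domain prompted this, that module's own read-state interface would be the tighter grant. If the daemon really walks all of /proc, record that above the line, e.g. `# iscsid scans /proc/<pid> entries (reason to be filled in)`, so the breadth is a documented decision rather than an artefact of fixing one AVC.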
@@ -27713,6 +28326,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_xen_state(ifconfig_t) kernel_write_xen_state(ifconfig_t) xen_append_log(ifconfig_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.16/policy/modules/system/udev.fc +--- nsaserefpolicy/policy/modules/system/udev.fc 2009-03-20 12:39:40.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/system/udev.fc 2009-06-16 12:04:16.000000000 -0400 +@@ -8,6 +8,8 @@ + + /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) + ++/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) ++ + /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) + /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) + /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.16/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400 +++ serefpolicy-3.6.16/policy/modules/system/udev.te 2009-06-15 11:24:20.000000000 -0400 @@ -28578,7 +29203,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.16/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.16/policy/modules/system/userdomain.if 2009-06-12 15:59:08.000000000 -0400 ++++ serefpolicy-3.6.16/policy/modules/system/userdomain.if 2009-06-18 09:38:54.000000000 -0400 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index e42913d..3a19d54 100644 --- a/selinux-policy.spec 
+++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.16 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -473,6 +473,9 @@ exit 0 %endif %changelog +* Tue Jun 16 2009 Dan Walsh 3.6.16-3 +- Add label for udev-acl + * Mon Jun 15 2009 Dan Walsh 3.6.16-2 - Additional rules for consolekit/udev, privoxy and various other fixes