diff --git a/policy-20071130.patch b/policy-20071130.patch index 8465ee9..fadb74c 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -703,8 +703,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.2.7/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/admin/kismet.te 2008-02-06 11:02:29.000000000 -0500 -@@ -0,0 +1,58 @@ ++++ serefpolicy-3.2.7/policy/modules/admin/kismet.te 2008-02-08 14:32:32.000000000 -0500 +@@ -0,0 +1,55 @@ ++ +policy_module(kismet,1.0.0) + +######################################## @@ -717,7 +718,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +application_domain(kismet_t, kismet_exec_t) +role system_r types kismet_t; + -+ +type kismet_var_run_t; +files_pid_file(kismet_var_run_t) + @@ -732,8 +732,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +# kismet local policy +# + -+## internal communication is often done using fifo and unix sockets. -+#============= kismet_t ============== +allow kismet_t self:capability { net_admin setuid setgid }; + +corecmd_exec_bin(kismet_t) @@ -750,7 +748,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + +miscfiles_read_localization(kismet_t) + -+ +allow kismet_t kismet_var_run_t:file manage_file_perms; +allow kismet_t kismet_var_run_t:dir manage_dir_perms; +files_pid_filetrans(kismet_t,kismet_var_run_t, { file dir }) 
@@ -2137,7 +2134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.7/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/apps/gpg.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/apps/gpg.if 2008-02-11 14:15:31.000000000 -0500 @@ -38,6 +38,10 @@ gen_require(` type gpg_exec_t, gpg_helper_exec_t; @@ -2149,7 +2146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ') ######################################## -@@ -45,275 +49,51 @@ +@@ -45,275 +49,53 @@ # Declarations # @@ -2387,8 +2384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - # - # Pinentry local policy - # -+ userdom_use_user_terminals($1,gpg_agent_t) - +- - allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; - allow $1_gpg_pinentry_t self:fifo_file rw_fifo_file_perms; - @@ -2423,7 +2419,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - optional_policy(` - xserver_stream_connect_xdm_xserver($1_gpg_pinentry_t) - ') -- ++ userdom_use_user_terminals($1,gpg_agent_t) + - ifdef(`TODO',` - allow $1_gpg_pinentry_t tmp_t:dir { getattr search }; - 
@@ -2435,14 +2432,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - dontaudit $1_gpg_pinentry_t nfs_t:dir write; - dontaudit $1_gpg_pinentry_t nfs_t:file write; - ') -- ++ # communicate with the user ++ allow gpg_helper_t $2:fd use; ++ allow gpg_helper_t $2:fifo_file rw_fifo_file_perms; + - tunable_policy(`use_samba_home_dirs',` - dontaudit $1_gpg_pinentry_t cifs_t:dir write; - dontaudit $1_gpg_pinentry_t cifs_t:file write; - ') -+ # communicate with the user -+ allow gpg_helper_t $2:fd use; -+ allow gpg_helper_t $2:fifo_file write; ++ userdom_manage_user_home_content_files(user, gpg_helper_t) - dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search }; - ') dnl end TODO @@ -2454,8 +2452,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.7/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/apps/gpg.te 2008-02-06 11:02:29.000000000 -0500 -@@ -7,15 +7,225 @@ ++++ serefpolicy-3.2.7/policy/modules/apps/gpg.te 2008-02-11 14:16:30.000000000 -0500 +@@ -7,15 +7,232 @@ # # Type for gpg or pgp executables. @@ -2551,6 +2549,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +# GPG helper local policy +# + ++allow gpg_helper_t self:process getsched; ++ +# for helper programs (which automatically fetch keys) +# Note: this is only tested with the hkp interface. If you use eg the +# mail interface you will likely need additional permissions. 
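Review bot: The added `userdom_manage_user_home_content_files(user, gpg_helper_t)` in the gpg.if template hard-codes the `user` prefix, while the neighbouring call `userdom_use_user_terminals($1,gpg_agent_t)` passes the template argument `$1`. As written, the grant would not follow the role the template is instantiated for. It also gives manage access on all user home content to `gpg_helper_t`, which gpg.te describes as the helper that automatically fetches keys and which is allowed `corenet_tcp_connect_all_ports`. At minimum the call should be `userdom_manage_user_home_content_files($1, gpg_helper_t)`, and it is worth checking whether the helper needs more than the gpg-specific home type. The same hunk widens `allow gpg_helper_t $2:fifo_file` from `write` to `rw_fifo_file_perms` without a comment explaining why. The template body continues outside this hunk.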
@@ -2575,17 +2575,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +corenet_udp_bind_all_nodes(gpg_helper_t) +corenet_tcp_connect_all_ports(gpg_helper_t) + -+dev_read_urand(gpg_helper_t) -+ +files_read_etc_files(gpg_helper_t) -+# for nscd -+files_dontaudit_search_var(gpg_helper_t) ++ ++fs_list_inotifyfs(gpg_helper_t) ++ ++auth_use_nsswitch(gpg_helper_t) + +libs_use_ld_so(gpg_helper_t) +libs_use_shared_libs(gpg_helper_t) + -+sysnet_read_config(gpg_helper_t) -+ +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(gpg_helper_t) +') @@ -2616,8 +2614,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) + +# allow gpg to connect to the gpg agent ++manage_dirs_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) ++manage_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) ++manage_lnk_files_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t) ++ +stream_connect_pattern(gpg_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t,gpg_agent_t) + ++manage_dirs_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) ++manage_files_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) ++manage_sock_files_pattern(gpg_agent_t,user_gpg_agent_tmp_t,user_gpg_agent_tmp_t) +files_tmp_filetrans(gpg_agent_t, user_gpg_agent_tmp_t, { file sock_file dir }) + +corecmd_search_bin(gpg_agent_t) @@ -2762,7 +2767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te s + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.2.7/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/apps/java.fc 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/apps/java.fc 2008-02-11 14:02:02.000000000 -0500 
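Review bot: The three `manage_*_pattern(gpg_agent_t,user_gpg_secret_t,user_gpg_secret_t)` lines added in the gpg.te hunk at `@@ -2616,8 +2614,15 @@` repeat rules that already exist just above; the `manage_lnk_files_pattern` line is visible as context, and the other two are presumably above the hunk. They also sit between the comment `# allow gpg to connect to the gpg agent` and the `stream_connect_pattern` line it describes, so the comment now reads as if it covers secret-key management. Drop the duplicates and give the new `user_gpg_agent_tmp_t` manage rules their own comment, for example `# gpg-agent manages its socket and temporary files`.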
@@ -11,6 +11,7 @@ # /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -2771,7 +2776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -20,5 +21,11 @@ +@@ -20,5 +21,13 @@ /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) @@ -2783,7 +2788,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + -+/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0) ++/usr/lib/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0) ++/usr/lib64/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0) ++ +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.2.7/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400 
@@ -3801,7 +3808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:user_nsplugin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.7/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.if 2008-02-08 14:05:36.000000000 -0500 @@ -0,0 +1,337 @@ + +## policy for nsplugin @@ -4142,8 +4149,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.7/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.te 2008-02-06 11:02:29.000000000 -0500 -@@ -0,0 +1,136 @@ ++++ serefpolicy-3.2.7/policy/modules/apps/nsplugin.te 2008-02-08 14:33:18.000000000 -0500 +@@ -0,0 +1,133 @@ ++ +policy_module(nsplugin,1.0.0) + +######################################## @@ -4236,7 +4244,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +# nsplugin_config local policy +# + -+## internal communication is often done using fifo and unix sockets. +allow nsplugin_config_t self:capability { sys_nice setuid setgid }; +allow nsplugin_config_t self:process { setsched getsched execmem }; +allow nsplugin_t self:sem create_sem_perms; 
@@ -4276,10 +4283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +userdom_search_all_users_home_content(nsplugin_config_t) + -+ +nsplugin_domtrans(nsplugin_config_t) -+ -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.7/policy/modules/apps/screen.fc --- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/apps/screen.fc 2008-02-06 11:02:29.000000000 -0500 @@ -4548,7 +4552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.2.7/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/apps/vmware.fc 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/apps/vmware.fc 2008-02-11 17:52:05.000000000 -0500 @@ -1,9 +1,9 @@ # # HOME_DIR/ 
@@ -4588,13 +4592,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f ifdef(`distro_gentoo',` /opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -@@ -49,3 +55,6 @@ +@@ -49,3 +55,8 @@ /opt/vmware/workstation/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) /opt/vmware/workstation/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) ') +/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) +/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) +/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) ++/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_exec_t,s0) ++/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.2.7/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2007-02-19 11:32:52.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/apps/vmware.if 2008-02-06 11:02:29.000000000 -0500 @@ -4769,7 +4775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/kernel/corecommands.fc 2008-02-11 14:27:33.000000000 -0500 @@ -7,11 +7,11 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) 
@@ -4814,16 +4820,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -147,7 +157,7 @@ +@@ -147,7 +157,8 @@ /usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/cups/drivers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -@@ -186,7 +196,10 @@ +@@ -186,7 +197,10 @@ /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -4834,7 +4841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) -@@ -284,3 +297,7 @@ +@@ -284,3 +298,9 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -4842,6 +4849,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/usr/lib(64)?/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.7/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-11-14 08:17:58.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/kernel/corecommands.if 2008-02-06 11:02:29.000000000 -0500 
@@ -4853,9 +4862,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.2.7/policy/modules/kernel/corenetwork.if.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-02-01 09:12:53.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/kernel/corenetwork.if.in 2008-02-11 14:37:57.000000000 -0500 +@@ -1441,10 +1441,11 @@ + # + interface(`corenet_tcp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute port_type; ++ type hi_reserved_port_t, reserved_port_t; + ') + +- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; ++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind; + ') + + ######################################## +@@ -1459,10 +1460,10 @@ + # + interface(`corenet_udp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ type hi_reserved_port_t, reserved_port_t; + ') + +- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; ++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind; + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.7/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/kernel/corenetwork.te.in 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/kernel/corenetwork.te.in 2008-02-07 12:49:50.000000000 -0500 @@ -82,6 +82,7 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) 
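Review bot: In `corenet_tcp_bind_all_unreserved_ports` the rewritten allow rule names the class `udp_socket`, so the TCP interface stops granting `tcp_socket name_bind` and gives callers a UDP bind instead. It should read `allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind;`. The UDP interface below it has a related slip: its `gen_require` drops `attribute port_type;` while the rule still uses `port_type`. Separately, subtracting only the two generic types instead of the `reserved_port_type` attribute presumably makes specifically labelled low ports bindable through both interfaces. That depends on how `network_port()` assigns the attribute, which is not visible here, so it should be confirmed as intended and noted in a comment.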
@@ -4903,12 +4942,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) -@@ -171,6 +177,8 @@ +@@ -170,7 +176,11 @@ + network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) ++network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) ++ network_port(vnc, tcp,5900,s0) -+# Reserve 50 ports for vnc/virt machines -+portcon tcp 5901-5950 gen_context(system_u:object_r:vnc_port_t, s0) ++# Reserve 100 ports for vnc/virt machines ++portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t, s0) network_port(wccp, udp,2048,s0) network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) @@ -5261,7 +5303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.7/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/kernel/devices.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/kernel/devices.if 2008-02-07 11:04:37.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) @@ -5442,7 +5484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device type lvm_control_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.2.7/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-12-19 05:32:07.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/kernel/domain.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/kernel/domain.te 2008-02-11 16:43:14.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations 
@@ -5474,7 +5516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -148,3 +156,21 @@ +@@ -148,3 +156,25 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -5485,6 +5527,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') + +optional_policy(` ++ cron_dontaudit_write_system_job_tmp_files(domain) ++') ++ ++optional_policy(` + rpm_rw_pipes(domain) + rpm_dontaudit_use_script_fds(domain) +') @@ -5498,7 +5544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.7/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/kernel/files.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/kernel/files.if 2008-02-07 11:46:14.000000000 -0500 @@ -1266,6 +1266,24 @@ ######################################## @@ -5715,7 +5761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy files_mountpoint(vxfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.2.7/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/kernel/kernel.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/kernel/kernel.if 2008-02-08 12:06:51.000000000 -0500 @@ -851,9 +851,8 @@ type proc_t, proc_afs_t; ') 
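Review bot: The new `cron_dontaudit_write_system_job_tmp_files(domain)` block in domain.te applies a dontaudit to every domain and carries no comment saying which denial it is meant to silence. Suppressing write denials on the system cron temporary and run files for all domains removes AVC records that would otherwise show an unexpected process touching those files. If the cause is descriptors inherited from cron jobs, say so in a comment above the `optional_policy` block. Also consider limiting the call to the domains that cron actually starts rather than the `domain` attribute.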
@@ -6476,7 +6522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.7/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/apache.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/apache.te 2008-02-07 12:22:21.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # @@ -6814,7 +6860,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -638,6 +717,12 @@ +@@ -628,6 +707,7 @@ + corenet_sendrecv_all_client_packets(httpd_suexec_t) + ') + ++domain_entry_file(httpd_sys_script_t,httpd_sys_content_t) + tunable_policy(`httpd_enable_cgi && httpd_unified',` + domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) + ') +@@ -638,6 +718,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -6827,7 +6881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +740,6 @@ +@@ -655,10 +741,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -6838,7 +6892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +749,8 @@ +@@ -668,7 +750,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; 
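Review bot: `domain_entry_file(httpd_sys_script_t,httpd_sys_content_t)` is added in apache.te outside the `tunable_policy` block that follows it. Every `httpd_sys_content_t` file therefore becomes a valid entry point for `httpd_sys_script_t`, whatever `httpd_enable_cgi` and `httpd_unified` are set to. The transition from `httpd_suexec_t` shown in the hunk is still gated by the tunable, but other transitions into the script domain are not visible here. If the entry point is only needed for the unified case, put `allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;` inside the tunable block instead. Otherwise add a comment explaining why static content must be an unconditional entry point.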
@@ -6848,7 +6902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +764,44 @@ +@@ -682,15 +765,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -6894,7 +6948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -700,9 +811,15 @@ +@@ -700,9 +812,15 @@ clamav_domtrans_clamscan(httpd_sys_script_t) ') @@ -6910,7 +6964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +841,46 @@ +@@ -724,3 +842,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -6968,7 +7022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +/etc/rc.d/init.d/apcupsd -- gen_context(system_u:object_r:apcupsd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.2.7/policy/modules/services/apcupsd.if --- nsaserefpolicy/policy/modules/services/apcupsd.if 2007-09-12 10:34:18.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/services/apcupsd.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/apcupsd.if 2008-02-11 13:25:12.000000000 -0500 @@ -90,10 +90,102 @@ ## ## 
@@ -7831,7 +7885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue +/etc/rc.d/init.d/pand -- gen_context(system_u:object_r:bluetooth_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.2.7/policy/modules/services/bluetooth.if --- nsaserefpolicy/policy/modules/services/bluetooth.if 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/services/bluetooth.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/bluetooth.if 2008-02-07 13:14:54.000000000 -0500 @@ -226,3 +226,88 @@ dontaudit $1 bluetooth_helper_domain:dir search; dontaudit $1 bluetooth_helper_domain:file { read getattr }; 
@@ -8260,16 +8314,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.2.7/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/services/consolekit.fc 2008-02-06 11:02:29.000000000 -0500 -@@ -1,3 +1,5 @@ ++++ serefpolicy-3.2.7/policy/modules/services/consolekit.fc 2008-02-11 13:56:47.000000000 -0500 +@@ -1,3 +1,6 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) /var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) ++/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0) ++ ++/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.2.7/policy/modules/services/consolekit.if +--- nsaserefpolicy/policy/modules/services/consolekit.if 2007-03-20 09:23:13.000000000 -0400 ++++ serefpolicy-3.2.7/policy/modules/services/consolekit.if 2008-02-11 13:28:12.000000000 -0500 +@@ -38,3 +38,24 @@ + allow $1 consolekit_t:dbus send_msg; + allow consolekit_t $1:dbus send_msg; + ') ++ ++######################################## ++## ++## Read consolekit log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`consolekit_read_log',` ++ gen_require(` ++ type consolekit_log_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, consolekit_log_t, consolekit_log_t) ++') ++ + -+/var/log/ConsoleKit(/.*)? 
gen_context(system_u:object_r:consolekit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.7/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/consolekit.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/consolekit.te 2008-02-11 13:56:27.000000000 -0500 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -8280,15 +8363,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons ######################################## # # consolekit local policy -@@ -24,20 +27,26 @@ +@@ -24,20 +27,27 @@ allow consolekit_t self:unix_stream_socket create_stream_socket_perms; allow consolekit_t self:unix_dgram_socket create_socket_perms; +manage_files_pattern(consolekit_t,consolekit_log_t,consolekit_log_t) +logging_log_filetrans(consolekit_t,consolekit_log_t, file) + ++manage_dirs_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t) manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t) - files_pid_filetrans(consolekit_t,consolekit_var_run_t, file) +-files_pid_filetrans(consolekit_t,consolekit_var_run_t, file) ++files_pid_filetrans(consolekit_t,consolekit_var_run_t, { file dir }) kernel_read_system_state(consolekit_t) @@ -8307,7 +8392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons # needs to read /var/lib/dbus/machine-id files_read_var_lib_files(consolekit_t) -@@ -47,16 +56,32 @@ +@@ -47,16 +57,32 @@ auth_use_nsswitch(consolekit_t) @@ -8343,7 +8428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons optional_policy(` unconfined_dbus_chat(consolekit_t) -@@ -64,6 +89,33 @@ +@@ -64,6 +90,33 @@ ') optional_policy(` 
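Review bot: The new `consolekit_read_log` interface in consolekit.if calls `files_search_pids($1)`, but the files it grants access to are labelled `consolekit_log_t` under `/var/log/ConsoleKit`. The caller gets search on the pid directory and not on the log directory. The line should be `logging_search_logs($1)`, which apache.te on this page already uses for its log readers. In the consolekit.fc hunk, `/var/run/ConsoleKit(/.*)? --` matches regular files only, while consolekit.te now lets the daemon create directories there. Dropping the `--` would label the directory itself as well.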
@@ -8396,7 +8481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.7/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/services/cron.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/cron.if 2008-02-11 17:02:24.000000000 -0500 @@ -35,38 +35,23 @@ # template(`cron_per_role_template',` @@ -8646,7 +8731,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ## Read, and write cron daemon TCP sockets. ## ## -@@ -583,3 +495,23 @@ +@@ -558,11 +470,14 @@ + # + interface(`cron_read_system_job_tmp_files',` + gen_require(` +- type system_crond_tmp_t; ++ type system_crond_tmp_t, cron_var_run_t; + ') + + files_search_tmp($1) + allow $1 system_crond_tmp_t:file read_file_perms; ++ ++ files_search_pids($1) ++ allow $1 cron_var_run_t:file read_file_perms; + ') + + ######################################## +@@ -583,3 +498,45 @@ dontaudit $1 system_crond_tmp_t:file append; ') @@ -8654,6 +8755,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + +######################################## +## ++## Do not audit attempts to write temporary ++## files from the system cron jobs. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`cron_dontaudit_write_system_job_tmp_files',` ++ gen_require(` ++ type system_crond_tmp_t; ++ type system_crond_var_run_t; ++ ') ++ ++ dontaudit $1 system_crond_tmp_t:file write_file_perms; ++ dontaudit $1 cron_var_run_t:file write_file_perms; ++') ++ ++ ++######################################## ++## +## Read temporary files from the system cron jobs. +## +## 
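Review bot: In the new `cron_dontaudit_write_system_job_tmp_files` interface in cron.if, the `gen_require` block declares `system_crond_var_run_t`, but the rule below it uses `cron_var_run_t`, which is never required. The require should match the rule: `type system_crond_tmp_t, cron_var_run_t;`. The earlier hunk on this line has a documentation gap of the same kind: `cron_read_system_job_tmp_files` now also grants read on `cron_var_run_t`, but its summary still speaks only of temporary files. Its doc comment should mention the run file, so callers know what they are being granted.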
@@ -8672,7 +8795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.7/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/cron.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/cron.te 2008-02-11 17:01:41.000000000 -0500 @@ -12,14 +12,6 @@ ## @@ -8688,7 +8811,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ## Enable extra rules in the cron domain ## to support fcron. ##

-@@ -50,6 +42,7 @@ +@@ -38,6 +30,10 @@ + type cron_var_lib_t; + files_type(cron_var_lib_t) + ++# var/lib files ++type cron_var_run_t; ++files_type(cron_var_run_t) ++ + # var/log files + type cron_log_t; + logging_log_file(cron_log_t) +@@ -50,6 +46,7 @@ type crond_tmp_t; files_tmp_file(crond_tmp_t) @@ -8696,7 +8830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron type crond_var_run_t; files_pid_file(crond_var_run_t) -@@ -71,6 +64,12 @@ +@@ -71,6 +68,12 @@ type system_crond_tmp_t; files_tmp_file(system_crond_tmp_t) @@ -8709,7 +8843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`enable_mcs',` init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh) ') -@@ -80,7 +79,7 @@ +@@ -80,7 +83,7 @@ # Cron Local policy # @@ -8718,7 +8852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; -@@ -99,15 +98,14 @@ +@@ -99,15 +102,14 @@ allow crond_t crond_var_run_t:file manage_file_perms; files_pid_filetrans(crond_t,crond_var_run_t,file) @@ -8737,7 +8871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(crond_t) kernel_search_key(crond_t) -@@ -133,6 +131,8 @@ +@@ -133,6 +135,8 @@ corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) @@ -8746,7 +8880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron files_read_etc_files(crond_t) files_read_generic_spool(crond_t) -@@ -142,13 +142,16 @@ +@@ -142,13 +146,16 @@ files_search_default(crond_t) init_rw_utmp(crond_t) 
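Review bot: The declaration added to cron.te at `@@ -38,6 +30,10 @@` is headed `# var/lib files`, but it introduces `cron_var_run_t`, and it uses `files_type()` where the neighbouring `crond_var_run_t` uses `files_pid_file()`. A later hunk creates this type through `files_pid_filetrans(system_crond_t,cron_var_run_t,file)`, so it is meant to be a pid/run file. Declared this way it would presumably be missed by interfaces that act on all pid files. Suggested lines: `# var/run files` and `files_pid_file(cron_var_run_t)`.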
@@ -8763,7 +8897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -163,9 +166,6 @@ +@@ -163,9 +170,6 @@ mta_send_mail(crond_t) ifdef(`distro_debian',` @@ -8773,7 +8907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron optional_policy(` # Debian logcheck has the home dir set to its cache logwatch_search_cache_dir(crond_t) -@@ -180,21 +180,45 @@ +@@ -180,21 +184,45 @@ ') ') @@ -8820,7 +8954,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -267,9 +291,16 @@ +@@ -236,6 +264,9 @@ + allow system_crond_t cron_var_lib_t:file manage_file_perms; + files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file) + ++allow system_crond_t cron_var_run_t:file manage_file_perms; ++files_pid_filetrans(system_crond_t,cron_var_run_t,file) ++ + allow system_crond_t system_cron_spool_t:file read_file_perms; + # The entrypoint interface is not used as this is not + # a regular entrypoint. Since crontab files are +@@ -267,9 +298,13 @@ filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file }) files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) @@ -8828,9 +8972,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +files_search_var_lib(system_crond_t) +manage_files_pattern(system_crond_t,system_crond_var_lib_t,system_crond_var_lib_t) + -+allow system_crond_t system_crond_var_run_t:file manage_file_perms; -+files_pid_filetrans(system_crond_t,system_crond_var_run_t,file) -+ # Read from /var/spool/cron. allow system_crond_t cron_spool_t:dir list_dir_perms; -allow system_crond_t cron_spool_t:file read_file_perms; 
@@ -8838,7 +8979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_crond_t) kernel_read_system_state(system_crond_t) -@@ -323,7 +354,7 @@ +@@ -323,7 +358,7 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -8847,7 +8988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron auth_use_nsswitch(system_crond_t) -@@ -333,6 +364,7 @@ +@@ -333,6 +368,7 @@ libs_exec_ld_so(system_crond_t) logging_read_generic_logs(system_crond_t) @@ -8855,7 +8996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) -@@ -348,18 +380,6 @@ +@@ -348,18 +384,6 @@ ') ') @@ -8874,7 +9015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron optional_policy(` # Needed for certwatch apache_exec_modules(system_crond_t) -@@ -383,6 +403,14 @@ +@@ -383,6 +407,14 @@ ') optional_policy(` @@ -8889,7 +9030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron mrtg_append_create_logs(system_crond_t) ') -@@ -415,8 +443,7 @@ +@@ -415,8 +447,7 @@ ') optional_policy(` @@ -8899,7 +9040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -424,8 +451,13 @@ +@@ -424,15 +455,12 @@ ') optional_policy(` 
@@ -8907,12 +9048,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + unconfined_shell_domtrans(crond_t) + unconfined_domain(crond_t) unconfined_domain(system_crond_t) -+') +- +- userdom_priveleged_home_dir_manager(system_crond_t) + ') +-ifdef(`TODO',` +-ifdef(`mta.te', ` +-allow system_crond_t mail_spool_t:lnk_file read; +-allow mta_user_agent system_crond_t:fd use; +-r_dir_file(system_mail_t, crond_tmp_t) +optional_policy(` - userdom_priveleged_home_dir_manager(system_crond_t) ++ userdom_priveleged_home_dir_manager(system_crond_t) ') - +-') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.2.7/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/cups.fc 2008-02-06 11:02:29.000000000 -0500 @@ -9507,8 +9655,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.2.7/policy/modules/services/cyphesis.te --- nsaserefpolicy/policy/modules/services/cyphesis.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/cyphesis.te 2008-02-06 11:02:29.000000000 -0500 -@@ -0,0 +1,97 @@ ++++ serefpolicy-3.2.7/policy/modules/services/cyphesis.te 2008-02-08 14:51:33.000000000 -0500 +@@ -0,0 +1,92 @@ +policy_module(cyphesis,1.0.0) + +######################################## @@ -9569,7 +9717,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph + +logging_send_syslog_msg(cyphesis_t) + -+## Networking basics (adjust to your needs!) +sysnet_dns_name_resolve(cyphesis_t) +corenet_tcp_sendrecv_all_if(cyphesis_t) +corenet_tcp_sendrecv_all_nodes(cyphesis_t) 
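Review bot: The `optional_policy` block kept at the end of cron.te still applies `unconfined_domain(crond_t)` and `unconfined_shell_domtrans(crond_t)`. Wherever the unconfined module is built, this presumably makes the narrowed capability and process rules for `crond_t` earlier in the file irrelevant. Nothing in the block says that this is intended. A comment such as `# crond is deliberately unconfined here so user cron jobs run unconfined; remove to enforce the crond_t rules above` would record the decision, and a tunable around the two `crond_t` lines would let strict deployments opt out. The split of `userdom_priveleged_home_dir_manager(system_crond_t)` into its own `optional_policy` looks balanced after the `TODO` block is removed.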
@@ -9578,10 +9725,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyph +corenet_tcp_cyphesis_bind(cyphesis_t) +corenet_tcp_sendrecv_all_ports(cyphesis_t) + -+# DAN Do you really need this? -+# For communication with the metaserver -+# allow cyphesis_t port_t:udp_socket { recv_msg send_msg }; -+ +# Init script handling +domain_use_interactive_fds(cyphesis_t) + @@ -9695,7 +9838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.2.7/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/cyrus.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/cyrus.te 2008-02-07 11:31:04.000000000 -0500 @@ -19,6 +19,9 @@ type cyrus_var_run_t; files_pid_file(cyrus_var_run_t) @@ -9708,7 +9851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.7/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/dbus.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/dbus.if 2008-02-11 17:07:47.000000000 -0500 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -9761,7 +9904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus selinux_get_fs_mount($1_dbusd_t) selinux_validate_context($1_dbusd_t) -@@ -161,12 +168,22 @@ +@@ -161,12 +168,23 @@ seutil_read_config($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t) 
@@ -9769,6 +9912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + userdom_dontaudit_search_sysadm_home_dirs($1_dbusd_t) + userdom_read_unpriv_users_home_content_files($1_dbusd_t) + userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t) ++ userdom_dontaudit_use_user_terminals($1, $1_dbusd_t) ifdef(`hide_broken_symptoms', ` dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write }; @@ -9785,7 +9929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus tunable_policy(`read_default_t',` files_list_default($1_dbusd_t) files_read_default_files($1_dbusd_t) -@@ -182,6 +199,7 @@ +@@ -182,6 +200,7 @@ optional_policy(` xserver_use_xdm_fds($1_dbusd_t) xserver_rw_xdm_pipes($1_dbusd_t) @@ -9793,16 +9937,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ') -@@ -214,7 +232,7 @@ +@@ -214,7 +233,8 @@ # SE-DBus specific permissions # allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; - allow $2 { system_dbusd_t self }:dbus send_msg; + allow $2 { system_dbusd_t $2 }:dbus send_msg; ++ allow system_dbusd_t $2:dbus send_msg; read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($2) -@@ -223,6 +241,10 @@ +@@ -223,6 +243,10 @@ files_search_pids($2) stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t) dbus_read_config($2) @@ -9813,7 +9958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ####################################### -@@ -251,6 +273,7 @@ +@@ -251,6 +275,7 @@ template(`dbus_user_bus_client_template',` gen_require(` type $1_dbusd_t; @@ -9821,7 +9966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus class dbus send_msg; ') -@@ -263,6 +286,7 @@ +@@ -263,6 +288,7 @@ # For connecting to the bus allow $3 $1_dbusd_t:unix_stream_socket connectto; 
@@ -9829,7 +9974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ######################################## -@@ -292,6 +316,59 @@ +@@ -292,6 +318,59 @@ ######################################## ## @@ -9889,7 +10034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## Read dbus configuration. ## ## -@@ -366,3 +443,55 @@ +@@ -366,3 +445,55 @@ allow $1 system_dbusd_t:dbus *; ') @@ -10670,7 +10815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.2.7/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/dnsmasq.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/dnsmasq.te 2008-02-07 11:09:49.000000000 -0500 @@ -16,6 +16,9 @@ type dnsmasq_var_run_t; files_pid_file(dnsmasq_var_run_t) @@ -11039,7 +11184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.2.7/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2007-10-24 15:17:31.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/services/exim.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/exim.te 2008-02-08 14:51:51.000000000 -0500 @@ -21,9 +21,20 @@ ##
gen_tunable(exim_manage_user_files,false) @@ -11189,7 +11334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + cyrus_stream_connect(exim_t) +') + -+## receipt & validation ++# receipt & validation + +optional_policy(` + clamav_domtrans_clamscan(exim_t) @@ -11670,7 +11815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.2.7/policy/modules/services/gnomeclock.te --- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/gnomeclock.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/gnomeclock.te 2008-02-08 14:53:00.000000000 -0500 @@ -0,0 +1,51 @@ +policy_module(gnomeclock,1.0.0) +######################################## @@ -11690,7 +11835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom +allow gnomeclock_t self:capability sys_time; +allow gnomeclock_t self:process getsched; + -+## internal communication is often done using fifo and unix sockets. ++# internal communication is often done using fifo and unix sockets. +allow gnomeclock_t self:fifo_file rw_file_perms; +allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; + 
@@ -12570,8 +12715,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.2.7/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/kerneloops.te 2008-02-06 11:02:29.000000000 -0500 -@@ -0,0 +1,55 @@ ++++ serefpolicy-3.2.7/policy/modules/services/kerneloops.te 2008-02-08 14:53:20.000000000 -0500 +@@ -0,0 +1,56 @@ +policy_module(kerneloops,1.0.0) + +######################################## @@ -12597,9 +12742,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern +# Init script handling +domain_use_interactive_fds(kerneloops_t) + -+## internal communication is often done using fifo and unix sockets. ++# internal communication is often done using fifo and unix sockets. +allow kerneloops_t self:fifo_file rw_file_perms; +allow kerneloops_t self:unix_stream_socket create_stream_socket_perms; ++allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; + +corenet_all_recvfrom_unlabeled(kerneloops_t) +corenet_all_recvfrom_netlabel(kerneloops_t) @@ -12893,7 +13039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.7/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/mta.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/mta.if 2008-02-11 17:47:53.000000000 -0500 @@ -133,6 +133,12 @@ sendmail_create_log($1_mail_t) ') 
@@ -13794,7 +13940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.7/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-12 10:15:45.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/services/networkmanager.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/networkmanager.if 2008-02-11 14:21:11.000000000 -0500 @@ -97,3 +97,21 @@ allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; @@ -13819,7 +13965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.7/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/networkmanager.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/networkmanager.te 2008-02-11 13:33:00.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) @@ -13839,7 +13985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; -@@ -38,6 +41,9 @@ +@@ -38,10 +41,14 @@ manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) 
@@ -13849,7 +13995,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) -@@ -67,6 +73,7 @@ + kernel_load_module(NetworkManager_t) ++kernel_read_debugfs(NetworkManager_t) + + corenet_all_recvfrom_unlabeled(NetworkManager_t) + corenet_all_recvfrom_netlabel(NetworkManager_t) +@@ -67,6 +74,7 @@ fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) @@ -13857,7 +14008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw mls_file_read_all_levels(NetworkManager_t) -@@ -86,6 +93,8 @@ +@@ -86,6 +94,8 @@ init_read_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) @@ -13866,14 +14017,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -129,21 +138,25 @@ +@@ -129,21 +139,21 @@ ') optional_policy(` -+ allow NetworkManager_t self:dbus send_msg; -+ - dbus_system_bus_client_template(NetworkManager,NetworkManager_t) - dbus_connect_system_bus(NetworkManager_t) +- dbus_system_bus_client_template(NetworkManager,NetworkManager_t) +- dbus_connect_system_bus(NetworkManager_t) + dbus_system_domain(NetworkManager_t,NetworkManager_exec_t) ') @@ -13895,7 +14044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -155,19 +168,20 @@ +@@ -155,19 +165,20 @@ ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) 
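Review bot: `kernel_read_debugfs(NetworkManager_t)` is added directly after `kernel_load_module(NetworkManager_t)` with no comment naming what NetworkManager reads under debugfs. debugfs exposes kernel-internal state, and this domain already holds module-loading and ptrace-related permissions, so each extra kernel-facing grant should be traceable to a denial. I would add a comment above the line, for example `# <which debugfs file is read, and by which helper>`. If the access is only a probe that the daemon works without, a dontaudit rule would be the narrower choice. The surrounding rule list continues outside the hunk.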
@@ -14793,8 +14942,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.7/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/polkit.if 2008-02-06 11:02:29.000000000 -0500 -@@ -0,0 +1,119 @@ ++++ serefpolicy-3.2.7/policy/modules/services/polkit.if 2008-02-08 14:58:02.000000000 -0500 +@@ -0,0 +1,189 @@ + +## policy for polkit_auth + @@ -14903,21 +15052,91 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +interface(`polkit_run_grant',` + gen_require(` + type polkit_grant_t; -+ type polkit_auth_t; + ') + + polkit_domtrans_grant($1) + role $2 types polkit_grant_t; -+ role $2 types polkit_auth_t; + allow polkit_grant_t $3:chr_file rw_term_perms; + allow $1 polkit_grant_t:process signal; + read_files_pattern(polkit_grant_t, $1, $1) + allow polkit_grant_t $1:process getattr; +') ++ ++######################################## ++## ++## Execute a policy_auth in the policy_auth domain, and ++## allow the specified role the policy_auth domain, ++## and use the caller's terminal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the load_policy domain. ++## ++## ++## ++## ++## The type of the terminal allow the load_policy domain to use. ++## ++## ++# ++interface(`polkit_run_auth',` ++ gen_require(` ++ type polkit_auth_t; ++ ') ++ ++ polkit_domtrans_auth($1) ++ role $2 types polkit_auth_t; ++ allow polkit_auth_t $3:chr_file rw_term_perms; ++') ++ ++####################################### ++## ++## The per role template for the nsplugin module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for nsplugin web browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++## ++# ++template(`polkit_per_role_template',` ++ polkit_run_auth($2, $3, { $1_devpts_t $1_tty_device_t }) ++ polkit_run_grant($2, $3, { $1_devpts_t $1_tty_device_t }) ++ polkit_read_lib($2) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.7/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/polkit.te 2008-02-06 11:02:29.000000000 -0500 -@@ -0,0 +1,154 @@ ++++ serefpolicy-3.2.7/policy/modules/services/polkit.te 2008-02-11 14:24:37.000000000 -0500 +@@ -0,0 +1,156 @@ +policy_module(polkit_auth,1.0.0) + +######################################## @@ -15020,6 +15239,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +manage_files_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t) +files_pid_filetrans(polkit_auth_t,polkit_var_run_t, { file dir }) + ++userdom_append_unpriv_users_home_content_files(polkit_auth_t) ++ +optional_policy(` + dbus_system_bus_client_template(polkit_auth, polkit_auth_t) + consolekit_dbus_chat(polkit_auth_t) 
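Review bot: The documentation blocks for the two new polkit.if entries were copied from other modules and describe the wrong thing. `polkit_run_auth` is documented as executing "a policy_auth in the policy_auth domain" with a role and terminal for "the load_policy domain". `polkit_per_role_template` is documented as "the per role template for the nsplugin module". Both should name polkit_auth and polkit_grant, for example a summary of `Execute polkit_auth in the polkit_auth domain, allow the specified role the polkit_auth domain, and use the caller's terminal.` and `The per role template for the polkit module.` Separately, `polkit_per_role_template` passes `{ $1_devpts_t $1_tty_device_t }` without a `gen_require` for those types. Since `role $2 types polkit_auth_t;` moved out of `polkit_run_grant`, any caller that uses `polkit_run_grant` alone no longer gets that role association, so callers outside this file are worth checking.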
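Review bot: `userdom_append_unpriv_users_home_content_files(polkit_auth_t)` gives the polkit authentication helper append access to every unprivileged user's home content, and no comment says which file it appends to. If the denial came from an inherited descriptor such as a session error log (an assumption, since the hunk does not say), the dontaudit form used for dbus elsewhere in this patch, `userdom_dontaudit_append_unpriv_home_content_files`, would silence it without granting the write. Otherwise I would add a comment like `# polkit_auth appends to <file> in the caller's home directory` so the grant can be narrowed later.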
@@ -15960,8 +16181,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.2.7/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/prelude.te 2008-02-06 11:02:29.000000000 -0500 -@@ -0,0 +1,122 @@ ++++ serefpolicy-3.2.7/policy/modules/services/prelude.te 2008-02-08 14:54:04.000000000 -0500 +@@ -0,0 +1,140 @@ +policy_module(prelude,1.0.0) + +######################################## @@ -16004,11 +16225,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + +allow prelude_t self:capability sys_tty_config; + -+## internal communication is often done using fifo and unix sockets. ++# internal communication is often done using fifo and unix sockets. +allow prelude_t self:fifo_file rw_file_perms; +allow prelude_t self:unix_stream_socket create_stream_socket_perms; + -+allow prelude_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; ++allow prelude_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_t self:tcp_socket { bind create setopt listen }; + +dev_read_rand(prelude_t) 
@@ -16064,13 +16285,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +# Init script handling +domain_use_interactive_fds(audisp_prelude_t) + -+## internal communication is often done using fifo and unix sockets. ++# internal communication is often done using fifo and unix sockets. +allow audisp_prelude_t self:fifo_file rw_file_perms; +allow audisp_prelude_t self:unix_stream_socket create_stream_socket_perms; ++allow audisp_prelude_t self:netlink_route_socket r_netlink_socket_perms; ++allow audisp_prelude_t self:tcp_socket create_socket_perms; + +manage_sock_files_pattern(audisp_prelude_t, audisp_prelude_var_run_t, audisp_prelude_var_run_t) +files_pid_filetrans(audisp_prelude_t, audisp_prelude_var_run_t, sock_file) + ++dev_read_rand(audisp_prelude_t) ++dev_read_urand(audisp_prelude_t) ++ +files_read_etc_files(audisp_prelude_t) + +libs_use_ld_so(audisp_prelude_t) 
@@ -16084,6 +16310,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +allow audisp_prelude_t self:unix_dgram_socket create_socket_perms; + +logging_audisp_system_domain(audisp_prelude_t, audisp_prelude_exec_t) ++ ++files_search_spool(audisp_prelude_t) ++manage_dirs_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t) ++manage_files_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t) ++ ++corenet_all_recvfrom_unlabeled(audisp_prelude_t) ++corenet_all_recvfrom_netlabel(audisp_prelude_t) ++corenet_tcp_sendrecv_all_if(audisp_prelude_t) ++corenet_tcp_sendrecv_all_nodes(audisp_prelude_t) ++corenet_tcp_bind_all_nodes(audisp_prelude_t) ++corenet_tcp_connect_prelude_port(audisp_prelude_t) ++ ++allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.2.7/policy/modules/services/privoxy.fc --- nsaserefpolicy/policy/modules/services/privoxy.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/services/privoxy.fc 2008-02-06 11:02:29.000000000 -0500 @@ -16238,7 +16477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.7/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/procmail.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/procmail.te 2008-02-07 12:12:59.000000000 -0500 @@ -14,6 +14,10 @@ type procmail_tmp_t; files_tmp_file(procmail_tmp_t) 
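Review bot: The last added rule, `allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms;`, names `audisp_t` directly in prelude.te. That type presumably belongs to the logging module, given the `logging_audisp_system_domain(...)` call just above. No `gen_require` for it is visible in this hunk, although the file's declarations section lies outside it. Reaching into another module's type from a .te file couples the two modules and can break a modular build. The rule would be better expressed through an interface exported by the logging module, or at minimum guarded by `gen_require(` type audisp_t; ')`. Also confirm that `corenet_tcp_bind_all_nodes(audisp_prelude_t)` is needed, since the only port rule added is the outbound `corenet_tcp_connect_prelude_port`.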
@@ -16297,7 +16536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc sendmail_rw_tcp_sockets(procmail_t) sendmail_rw_unix_stream_sockets(procmail_t) ') -@@ -129,7 +147,9 @@ +@@ -129,7 +147,10 @@ corenet_udp_bind_generic_port(procmail_t) corenet_dontaudit_udp_bind_all_ports(procmail_t) @@ -16305,6 +16544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc - spamassassin_exec_client(procmail_t) - spamassassin_read_lib_files(procmail_t) + spamassassin_domtrans(procmail_t) ++ spamassassin_domtrans_spamc(procmail_t) +') + +optional_policy(` @@ -17781,7 +18021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.7/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/samba.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/samba.te 2008-02-08 14:53:50.000000000 -0500 @@ -26,28 +26,28 @@ ## @@ -18073,7 +18313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +# smbcontrol local policy +# + -+## internal communication is often done using fifo and unix sockets. ++# internal communication is often done using fifo and unix sockets. +allow smbcontrol_t self:fifo_file rw_file_perms; +allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; + 
@@ -19024,7 +19264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +/etc/rc.d/init.d/spamd -- gen_context(system_u:object_r:spamd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.7/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/services/spamassassin.if 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/spamassassin.if 2008-02-07 12:12:50.000000000 -0500 @@ -37,7 +37,9 @@ gen_require(` @@ -19588,7 +19828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.7/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/spamassassin.te 2008-02-06 11:02:29.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/spamassassin.te 2008-02-07 13:26:22.000000000 -0500 @@ -21,8 +21,9 @@ gen_tunable(spamd_enable_home_dirs,true) @@ -21474,7 +21714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.7/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/services/xserver.te 2008-02-06 11:02:30.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/services/xserver.te 2008-02-11 14:21:09.000000000 -0500 @@ -16,6 +16,13 @@ ## 
@@ -21679,7 +21919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -304,7 +363,16 @@ +@@ -304,7 +363,23 @@ ') optional_policy(` @@ -21687,16 +21927,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') + +optional_policy(` ++ consolekit_read_log(xdm_t) ++') ++ ++optional_policy(` consolekit_dbus_chat(xdm_t) + dbus_system_bus_client_template(xdm, xdm_t) + dbus_per_role_template(xdm, xdm_t, system_r) + optional_policy(` + hal_dbus_chat(xdm_t) + ') ++ optional_policy(` ++ networkmanager_dbus_chat(xdm_t) ++ ') ') optional_policy(` -@@ -322,6 +390,10 @@ +@@ -322,6 +397,10 @@ ') optional_policy(` @@ -21707,7 +21954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -335,6 +407,11 @@ +@@ -335,6 +414,11 @@ ') optional_policy(` @@ -21719,7 +21966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -343,8 +420,8 @@ +@@ -343,8 +427,8 @@ ') optional_policy(` @@ -21729,7 +21976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +457,7 @@ +@@ -380,7 +464,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -21738,7 +21985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +469,15 @@ +@@ -392,6 +476,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) 
@@ -21754,7 +22001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,6 +490,7 @@ +@@ -404,6 +497,7 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -21762,7 +22009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_all_users_fonts(xdm_xserver_t) -@@ -420,6 +507,14 @@ +@@ -420,6 +514,14 @@ ') optional_policy(` @@ -21777,7 +22024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +524,103 @@ +@@ -429,47 +531,103 @@ ') optional_policy(` @@ -21801,15 +22048,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # xserver signals unconfined user on startx + unconfined_signal(xdm_xserver_t) + unconfined_getpgid(xdm_xserver_t) -+') -+ -+ -+tunable_policy(`allow_xserver_execmem', ` -+ allow xdm_xserver_t self:process { execheap execmem execstack }; -+') -+ -+ifndef(`distro_redhat',` -+ allow xdm_xserver_t self:process { execheap execmem }; ') -ifdef(`TODO',` @@ -21833,10 +22071,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -allow xdm_t polymember:lnk_file { create unlink }; -# xdm needs access for copying .Xauthority into new home -allow xdm_t polymember:file { create getattr write }; -+ifdef(`distro_rhel4',` -+ allow xdm_xserver_t self:process { execheap execmem }; ++ ++tunable_policy(`allow_xserver_execmem', ` ++ allow xdm_xserver_t self:process { execheap execmem execstack }; ') ++ifndef(`distro_redhat',` ++ allow xdm_xserver_t self:process { execheap execmem }; ++') ++ ++ifdef(`distro_rhel4',` ++ allow xdm_xserver_t self:process { execheap execmem }; ++') ++ +############################## # -# Wants to delete .xsession-errors file 
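Review bot: The `ifndef` on `distro_redhat` and the `ifdef` on `distro_rhel4`, which this change only relocates, grant `xdm_xserver_t self:process { execheap execmem }` unconditionally on those builds. The `allow_xserver_execmem` tunable that now sits directly above them therefore only controls `execstack` there, and an administrator who turns it off still has an X server with writable-executable memory. I would either fold the two distro blocks into the tunable or add a comment above them such as `# execheap/execmem are granted regardless of allow_xserver_execmem on these distros`. The enclosing `optional_policy` and the removed `TODO` block extend beyond what the hunk shows.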
@@ -22292,7 +22539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.7/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/authlogin.te 2008-02-06 11:06:09.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/system/authlogin.te 2008-02-11 17:22:21.000000000 -0500 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -22472,6 +22719,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.2.7/policy/modules/system/init.fc +--- nsaserefpolicy/policy/modules/system/init.fc 2007-10-12 08:56:08.000000000 -0400 ++++ serefpolicy-3.2.7/policy/modules/system/init.fc 2008-02-11 16:58:09.000000000 -0500 +@@ -4,8 +4,7 @@ + /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + + /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) +-/etc/rc\.d/rc\.sysinit -- gen_context(system_u:object_r:initrc_exec_t,s0) +-/etc/rc\.d/rc\.local -- gen_context(system_u:object_r:initrc_exec_t,s0) ++/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) + + /etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.7/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400 +++ serefpolicy-3.2.7/policy/modules/system/init.if 2008-02-06 11:02:30.000000000 -0500 
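Review bot: The new init.fc pattern `/etc/rc\.d/rc\.[^/]+` replaces the two explicit entries for `rc.sysinit` and `rc.local`, so every regular file in /etc/rc.d whose name starts with `rc.` is now labelled `initrc_exec_t`. That also matches editor backups and package-manager leftovers (constructed examples: `rc.local~`, `rc.local.rpmsave`), and each of them then presumably becomes a valid entry point into the init script domain. If the intent is to cover a few more known scripts, listing them explicitly keeps the set auditable. Otherwise a comment above the line, such as `# matches all rc.* scripts; backup copies in /etc/rc.d inherit initrc_exec_t`, would make the widening visible.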
@@ -22772,7 +23032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.7/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/init.te 2008-02-06 15:09:41.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/system/init.te 2008-02-11 16:57:34.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -23007,7 +23267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. allow iscsid_t self:unix_dgram_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.7/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/libraries.fc 2008-02-06 11:02:30.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/system/libraries.fc 2008-02-11 16:26:03.000000000 -0500 @@ -133,6 +133,7 @@ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -23050,12 +23310,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -304,3 +309,5 @@ +@@ -304,3 +309,6 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) + +/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.7/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2008-02-06 10:33:22.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/libraries.te 2008-02-06 11:06:35.000000000 -0500 @@ -23650,7 +23911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.7/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/miscfiles.if 2008-02-06 11:02:30.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/system/miscfiles.if 2008-02-07 11:09:32.000000000 -0500 @@ -489,3 +489,44 @@ manage_lnk_files_pattern($1,locale_t,locale_t) ') 
@@ -24013,8 +24274,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f +/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.2.7/policy/modules/system/qemu.if --- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/qemu.if 2008-02-06 11:02:30.000000000 -0500 -@@ -0,0 +1,105 @@ ++++ serefpolicy-3.2.7/policy/modules/system/qemu.if 2008-02-07 10:20:14.000000000 -0500 +@@ -0,0 +1,151 @@ + +## policy for qemu + @@ -24120,6 +24381,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + role $2 types qemu_t; + allow qemu_t $3:chr_file rw_file_perms; +') ++ ++######################################## ++## ++## Execute qemu programs in the qemu domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to allow the PAM domain. ++## ++## ++## ++## ++## The type of the terminal allow the PAM domain to use. ++## ++## ++# ++interface(`qemu_runas',` ++ gen_require(` ++ type qemu_t; ++ ') ++ ++ qemu_domtrans($1) ++ allow qemu_t $3:chr_file rw_file_perms; ++') ++######################################## ++## ++## Execute qemu programs in the qemu domain. ++## ++## ++## ++## The role to allow the PAM domain. ++## ++## ++# ++interface(`qemu_role',` ++ gen_require(` ++ type qemu_t; ++ ') ++ role $1 types qemu_t; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.7/policy/modules/system/qemu.te --- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/qemu.te 2008-02-06 11:02:30.000000000 -0500 
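Review bot: The doc blocks of the two interfaces added to qemu.if do not match their bodies: `qemu_runas` documents three parameters but never uses `$2` (the role), and `qemu_role` is summarised as "Execute qemu programs in the qemu domain" although it only contains `role $1 types qemu_t;`. The parameter text in both still refers to "the PAM domain", which looks copied from another module. I would mark the role parameter of `qemu_runas` as unused (the caller in unconfined.te passes `unconfined_r` there), change the `qemu_role` summary to something like `Allow the specified role the qemu domain.`, and replace "PAM domain" with "qemu domain". A blank line between the closing `')` of `qemu_runas` and the following `####` banner would match the rest of the file.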
@@ -25332,8 +25639,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.7/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/unconfined.te 2008-02-06 11:02:30.000000000 -0500 -@@ -6,35 +6,59 @@ ++++ serefpolicy-3.2.7/policy/modules/system/unconfined.te 2008-02-07 10:19:49.000000000 -0500 +@@ -6,35 +6,66 @@ # Declarations # @@ -25344,6 +25651,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +## +gen_tunable(allow_unconfined_nsplugin_transition,false) + ++## ++##

++## Transition to confined qemu domains from unconfined user ++##

++##
++gen_tunable(allow_unconfined_qemu_transition,false) ++ # usage in this module of types created by these # calls is not correct, however we dont currently # have another method to add access to these types @@ -25397,7 +25711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,7 +66,10 @@ +@@ -42,7 +73,10 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -25408,7 +25722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -51,13 +78,25 @@ +@@ -51,13 +85,25 @@ userdom_priveleged_home_dir_manager(unconfined_t) optional_policy(` @@ -25436,7 +25750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf unconfined_domain(httpd_unconfined_script_t) ') -@@ -69,11 +108,11 @@ +@@ -69,11 +115,11 @@ bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') @@ -25453,7 +25767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` init_dbus_chat_script(unconfined_t) -@@ -101,12 +140,24 @@ +@@ -101,12 +147,24 @@ ') optional_policy(` @@ -25478,7 +25792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +169,7 @@ +@@ -118,11 +176,7 @@ ') optional_policy(` @@ -25491,7 +25805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,14 +181,6 @@ +@@ -134,14 +188,6 @@ ') optional_policy(` 
@@ -25506,7 +25820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf oddjob_domtrans_mkhomedir(unconfined_t) ') -@@ -154,38 +193,32 @@ +@@ -154,38 +200,34 @@ ') optional_policy(` @@ -25518,13 +25832,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - -optional_policy(` - pyzor_per_role_template(unconfined) -+ qemu_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - +-') +- -optional_policy(` - # cjp: this should probably be removed: - rpc_domtrans_nfsd(unconfined_t) --') ++ tunable_policy(`allow_unconfined_qemu_transition', ` ++ qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++ ') ++ qemu_role(unconfined_r) + ') optional_policy(` rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -25552,7 +25869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +238,30 @@ +@@ -205,11 +247,30 @@ ') optional_policy(` @@ -25585,7 +25902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +271,34 @@ +@@ -219,14 +280,34 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -25640,7 +25957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.7/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/userdomain.if 2008-02-06 14:51:11.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/system/userdomain.if 2008-02-11 17:21:21.000000000 -0500 @@ -29,9 +29,14 @@ ') 
@@ -26634,7 +26951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -1085,32 +1093,17 @@ +@@ -1085,32 +1093,21 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -26652,15 +26969,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - optional_policy(` - cups_dbus_chat($1_t) - ') -- ') -- -- optional_policy(` -- java_per_role_template($1, $1_t, $1_r) + alsa_read_rw_config($1_usertype) ') - optional_policy(` -- mono_per_role_template($1, $1_t, $1_r) +- java_per_role_template($1, $1_t, $1_r) - ') + # Broken Cover up bugzilla #345921 Should be removed when this is fixed + corenet_tcp_connect_soundd_port($1_t) @@ -26669,12 +26982,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + corenet_tcp_sendrecv_lo_node($1_t) optional_policy(` -- setroubleshoot_dontaudit_stream_connect($1_t) +- mono_per_role_template($1, $1_t, $1_r) + nsplugin_per_role_template($1, $1_usertype, $1_r) ') + + optional_policy(` +- setroubleshoot_dontaudit_stream_connect($1_t) ++ polkit_per_role_template($1, $1_usertype, $1_r) + ') ') -@@ -1121,10 +1114,10 @@ +@@ -1121,10 +1118,10 @@ ## ## ##

@@ -26689,7 +27007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## This template creates a user domain, types, and ## rules for the user's tty, pty, home directories, ## tmp, and tmpfs files. -@@ -1187,12 +1180,11 @@ +@@ -1187,12 +1184,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -26704,16 +27022,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1201,7 +1193,7 @@ +@@ -1201,7 +1197,11 @@ ') optional_policy(` - setroubleshoot_stream_connect($1_t) + nsplugin_per_role_template($1, $1_usertype, $1_r) ++ ') ++ ++ optional_policy(` ++ polkit_per_role_template($1, $1_usertype, $1_r) ') ') -@@ -1278,8 +1270,6 @@ +@@ -1278,8 +1278,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -26722,7 +27044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1357,13 +1347,6 @@ +@@ -1357,13 +1355,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -26736,7 +27058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1416,6 +1399,7 @@ +@@ -1416,6 +1407,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -26744,7 +27066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1781,10 +1765,14 @@ +@@ -1781,10 +1773,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; 
@@ -26760,7 +27082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1880,11 +1868,11 @@ +@@ -1880,11 +1876,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -26774,7 +27096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1914,11 +1902,11 @@ +@@ -1914,11 +1910,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -26788,7 +27110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1962,12 +1950,12 @@ +@@ -1962,12 +1958,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -26804,7 +27126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1997,10 +1985,10 @@ +@@ -1997,10 +1993,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -26817,7 +27139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2032,11 +2020,47 @@ +@@ -2032,11 +2028,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -26867,7 +27189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2068,10 +2092,10 @@ +@@ -2068,10 +2100,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -26880,7 +27202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2101,11 +2125,11 @@ +@@ -2101,11 +2133,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` 
@@ -26894,7 +27216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2135,11 +2159,11 @@ +@@ -2135,11 +2167,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -26909,7 +27231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2169,10 +2193,10 @@ +@@ -2169,10 +2201,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -26919,10 +27241,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - dontaudit $2 $1_home_t:file write; + dontaudit $2 user_home_t:file write; ++ fs_dontaudit_list_nfs($2) ++ fs_dontaudit_rw_nfs_files($2) ++ fs_dontaudit_list_cifs($2) ++ fs_dontaudit_rw_cifs_files($2) ') ######################################## -@@ -2202,11 +2226,11 @@ +@@ -2202,11 +2238,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -26936,7 +27262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2236,11 +2260,11 @@ +@@ -2236,11 +2272,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -26950,7 +27276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2270,10 +2294,10 @@ +@@ -2270,10 +2306,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -26963,7 +27289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2305,12 +2329,12 @@ +@@ -2305,12 +2341,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` 
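Review bot: The four `fs_dontaudit_*` calls added to `userdom_dontaudit_write_user_home_content_files` suppress more than the interface name says, because `fs_dontaudit_list_nfs`/`fs_dontaudit_list_cifs` and the two `rw` variants also hide list and read denials on NFS and CIFS, and they apply to every caller unconditionally. That removes AVC records an administrator may want when working out why a confined domain is touching network shares. The interface's doc block lies outside this hunk, so its current wording is not visible; I would add a line to it such as `## Also suppresses list/read/write denials on NFS and CIFS files.`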
@@ -26979,7 +27305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2342,10 +2366,10 @@ +@@ -2342,10 +2378,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -26992,7 +27318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2377,12 +2401,12 @@ +@@ -2377,12 +2413,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -27008,7 +27334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2414,12 +2438,12 @@ +@@ -2414,12 +2450,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -27024,7 +27350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2451,12 +2475,12 @@ +@@ -2451,12 +2487,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -27040,7 +27366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2501,11 +2525,11 @@ +@@ -2501,11 +2537,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -27054,7 +27380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2550,11 +2574,11 @@ +@@ -2550,11 +2586,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -27068,7 +27394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2594,11 +2618,11 @@ +@@ -2594,11 +2630,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` 
@@ -27082,7 +27408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2628,11 +2652,11 @@ +@@ -2628,11 +2664,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -27096,7 +27422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2662,11 +2686,11 @@ +@@ -2662,11 +2698,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -27110,7 +27436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2698,10 +2722,10 @@ +@@ -2698,10 +2734,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -27123,7 +27449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2733,10 +2757,10 @@ +@@ -2733,10 +2769,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -27136,7 +27462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2766,12 +2790,12 @@ +@@ -2766,12 +2802,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -27152,7 +27478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2803,10 +2827,10 @@ +@@ -2803,10 +2839,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -27165,7 +27491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2838,10 +2862,48 @@ +@@ -2838,10 +2874,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` 
@@ -27216,7 +27542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2871,12 +2933,12 @@ +@@ -2871,12 +2945,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -27232,7 +27558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2908,10 +2970,10 @@ +@@ -2908,10 +2982,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -27245,7 +27571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2943,12 +3005,12 @@ +@@ -2943,12 +3017,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -27261,7 +27587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2980,11 +3042,11 @@ +@@ -2980,11 +3054,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -27275,7 +27601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3016,11 +3078,11 @@ +@@ -3016,11 +3090,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -27289,7 +27615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3052,11 +3114,11 @@ +@@ -3052,11 +3126,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -27303,7 +27629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3088,11 +3150,11 @@ +@@ -3088,11 +3162,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` 
@@ -27317,7 +27643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3124,11 +3186,11 @@ +@@ -3124,11 +3198,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -27331,7 +27657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3173,10 +3235,10 @@ +@@ -3173,10 +3247,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -27344,7 +27670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3217,10 +3279,10 @@ +@@ -3217,10 +3291,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -27357,7 +27683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3248,6 +3310,42 @@ +@@ -3248,6 +3322,42 @@ ## ## # @@ -27400,7 +27726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -4225,11 +4323,11 @@ +@@ -4225,11 +4335,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -27414,7 +27740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4245,10 +4343,10 @@ +@@ -4245,10 +4355,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -27427,7 +27753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4264,11 +4362,11 @@ +@@ -4264,11 +4374,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` 
@@ -27441,7 +27767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4283,16 +4381,16 @@ +@@ -4283,16 +4393,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -27461,7 +27787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4301,38 +4399,32 @@ +@@ -4301,38 +4411,32 @@ ## ## # @@ -27509,7 +27835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ##

-@@ -4340,7 +4432,28 @@ +@@ -4340,7 +4444,28 @@ ## ## # @@ -27539,7 +27865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo gen_require(` type sysadm_t; ') -@@ -4525,10 +4638,10 @@ +@@ -4525,10 +4650,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -27552,7 +27878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4545,10 +4658,10 @@ +@@ -4545,10 +4670,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -27565,7 +27891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4563,10 +4676,10 @@ +@@ -4563,10 +4688,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -27578,7 +27904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4582,10 +4695,10 @@ +@@ -4582,10 +4707,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -27591,7 +27917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4600,10 +4713,10 @@ +@@ -4600,10 +4725,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -27604,7 +27930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4619,10 +4732,10 @@ +@@ -4619,10 +4744,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -27617,7 +27943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4638,12 +4751,11 @@ +@@ -4638,12 +4763,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` 
@@ -27633,7 +27959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4670,10 +4782,10 @@ +@@ -4670,10 +4794,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -27646,7 +27972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4688,10 +4800,10 @@ +@@ -4688,10 +4812,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -27659,7 +27985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4706,13 +4818,13 @@ +@@ -4706,13 +4830,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -27677,7 +28003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4748,11 +4860,49 @@ +@@ -4748,11 +4872,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -27728,7 +28054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4772,6 +4922,14 @@ +@@ -4772,6 +4934,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -27743,7 +28069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4833,6 +4991,26 @@ +@@ -4833,6 +5003,26 @@ ######################################## ## @@ -27770,7 +28096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4853,6 +5031,25 @@ +@@ -4853,6 +5043,25 @@ ######################################## ## 
@@ -27796,7 +28122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4873,6 +5070,26 @@ +@@ -4873,6 +5082,26 @@ ######################################## ## @@ -27823,7 +28149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5109,7 +5326,7 @@ +@@ -5109,7 +5338,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -27832,7 +28158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5298,6 +5515,50 @@ +@@ -5298,6 +5527,50 @@ ######################################## ## @@ -27883,7 +28209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5503,6 +5764,42 @@ +@@ -5503,6 +5776,42 @@ ######################################## ## @@ -27926,7 +28252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5668,6 +5965,42 @@ +@@ -5668,6 +5977,42 @@ ######################################## ## @@ -27969,7 +28295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5698,3 +6031,277 @@ +@@ -5698,3 +6043,301 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -28247,9 +28573,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + files_tmp_filetrans($2, user_tmp_t, $3) +') + ++################################################ ++## ++## Allow unpriv users read domains system state ++## ++## ++## Allow the ps command visibility to processes in ++## the specified domain when used by an ++## unprivileged user ++## ++## ++## ++## Domain for which the ps command will have access ++## ++## ++## ++## ++# ++interface(`userdom_readable_process',` ++ gen_require(` ++ attribute unpriv_process; ++ ') ++ ++ typeattribute $1 unpriv_process; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.7/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/userdomain.te 2008-02-06 11:02:30.000000000 -0500 ++++ serefpolicy-3.2.7/policy/modules/system/userdomain.te 2008-02-08 14:50:33.000000000 -0500 @@ -2,12 +2,7 @@ policy_module(userdomain,2.5.0) @@ -28296,7 +28646,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # The privhome attribute identifies every domain that can create files under # regular user home directories in the regular context (IE act on behalf of # a user in writing regular files) -@@ -101,40 +92,49 @@ +@@ -97,44 +88,54 @@ + + # unprivileged user domains + attribute unpriv_userdomain; ++attribute unpriv_process; + attribute untrusted_content_type; attribute untrusted_content_tmp_type; @@ -28374,7 +28729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## # -@@ -154,6 +154,11 @@ +@@ -154,6 +155,11 @@ init_exec(sysadm_t) 
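Review bot: The doc block of the new `userdom_readable_process` interface does not say what tagging a domain with `unpriv_process` actually grants. Per the rules added to userdomain.te in this same revision, every `unpriv_userdomain` may then read files and symlinks labelled with that domain's type and `getattr` its processes, and ptrace denials against it stop being audited. Module authors need that stated to decide whether a domain's process state is safe to expose. I would reword the summary to `## Allow unprivileged users to read the process state of the specified domain.` and add one description line naming the read/getattr grant and the ptrace dontaudit.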
@@ -28386,7 +28741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Following for sending reboot and wall messages userdom_use_unpriv_users_ptys(sysadm_t) userdom_use_unpriv_users_ttys(sysadm_t) -@@ -170,46 +175,7 @@ +@@ -170,46 +176,7 @@ ') ') @@ -28434,7 +28789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal) -@@ -224,6 +190,10 @@ +@@ -224,6 +191,10 @@ ') optional_policy(` @@ -28445,7 +28800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo apache_run_helper(sysadm_t, sysadm_r, admin_terminal) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) -@@ -279,14 +249,6 @@ +@@ -279,14 +250,6 @@ ') optional_policy(` @@ -28460,7 +28815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo cron_admin_template(sysadm, sysadm_t, sysadm_r) ') -@@ -302,12 +264,9 @@ +@@ -302,12 +265,9 @@ optional_policy(` dmesg_exec(sysadm_t) @@ -28474,7 +28829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` dmidecode_run(sysadm_t, sysadm_r, admin_terminal) ') -@@ -352,6 +311,10 @@ +@@ -352,6 +312,10 @@ ') optional_policy(` @@ -28485,7 +28840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo lvm_run(sysadm_t, sysadm_r, admin_terminal) ') -@@ -387,6 +350,10 @@ +@@ -387,6 +351,10 @@ ') optional_policy(` @@ -28496,7 +28851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo netutils_run(sysadm_t, sysadm_r, admin_terminal) netutils_run_ping(sysadm_t, sysadm_r, admin_terminal) netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal) -@@ -436,15 +403,19 @@ +@@ -436,15 +404,19 @@ optional_policy(` samba_run_net(sysadm_t, sysadm_r, admin_terminal) 
@@ -28517,7 +28872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ', ` userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal) ') -@@ -487,3 +458,8 @@ +@@ -487,3 +459,13 @@ optional_policy(` yam_run(sysadm_t, sysadm_r, admin_terminal) ') @@ -28526,6 +28881,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + term_use_console(userdomain) +') + ++# Allow unpriv users to read system state of unpriv processes ++read_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process) ++read_lnk_files_pattern(unpriv_userdomain, unpriv_process, unpriv_process) ++allow unpriv_userdomain unpriv_process:process getattr; ++dontaudit unpriv_userdomain unpriv_process:process ptrace; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.2.7/policy/modules/system/virt.fc --- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.7/policy/modules/system/virt.fc 2008-02-06 11:02:30.000000000 -0500 @@ -28873,8 +29233,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.2.7/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/system/virt.te 2008-02-06 11:02:30.000000000 -0500 -@@ -0,0 +1,137 @@ ++++ serefpolicy-3.2.7/policy/modules/system/virt.te 2008-02-07 11:31:40.000000000 -0500 +@@ -0,0 +1,158 @@ + +policy_module(virt,1.0.0) + 
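Review bot: The added `dontaudit unpriv_userdomain unpriv_process:process ptrace;` at the end of userdomain.te silences every ptrace denial from an unprivileged user domain against a tagged process, not only the ones that reading process state presumably triggers as a side effect. The denial is still enforced, but the audit log stops recording an unprivileged user trying to trace one of these processes, which is a useful detection signal. If the rule stays, it should carry a comment that records the trade-off, such as `# reading process state triggers ptrace checks; still denied, but no longer logged`. The existing comment above the four rules only covers the read access.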
@@ -28963,12 +29323,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +corenet_tcp_sendrecv_all_nodes(virtd_t) +corenet_tcp_sendrecv_all_ports(virtd_t) +corenet_tcp_bind_all_nodes(virtd_t) ++corenet_tcp_bind_virt_port(virtd_t) +corenet_tcp_bind_vnc_port(virtd_t) ++corenet_tcp_connect_vnc_port(virtd_t) ++corenet_tcp_connect_soundd_port(virtd_t) +corenet_rw_tun_tap_dev(virtd_t) + ++dev_read_sysfs(virtd_t) ++ +kernel_read_system_state(virtd_t) +kernel_read_network_state(virtd_t) +kernel_rw_net_sysctls(virtd_t) ++kernel_write_xen_state(virtd_t) + +# Init script handling +domain_use_interactive_fds(virtd_t) @@ -28981,6 +29347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +libs_use_shared_libs(virtd_t) + +miscfiles_read_localization(virtd_t) ++miscfiles_read_certs(virtd_t) + +auth_use_nsswitch(virtd_t) + @@ -28991,10 +29358,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +') + +optional_policy(` -+ qemu_domtrans(virtd_t) -+ qemu_read_state(virtd_t) -+ qemu_signal(virtd_t) -+ qemu_sigkill(virtd_t) ++ dbus_system_bus_client_template(virtd,virtd_t) ++ optional_policy(` ++ avahi_dbus_chat(virtd_t) ++ ') ++ ++ optional_policy(` ++ hal_dbus_chat(virtd_t) ++ ') +') + +optional_policy(` 
@@ -29007,15 +29378,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +') + +optional_policy(` -+ dbus_system_bus_client_template(virtd,virtd_t) -+ optional_policy(` -+ avahi_dbus_chat(virtd_t) -+ ') ++ qemu_domtrans(virtd_t) ++ qemu_read_state(virtd_t) ++ qemu_signal(virtd_t) ++ qemu_sigkill(virtd_t) +') ++ ++optional_policy(` ++ sasl_connect(virtd_t) ++') ++ ++optional_policy(` ++ xen_stream_connect(virtd_t) ++ xen_stream_connect_xenstore(virtd_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.2.7/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2007-06-21 09:32:04.000000000 -0400 -+++ serefpolicy-3.2.7/policy/modules/system/xen.if 2008-02-06 11:02:30.000000000 -0500 -@@ -191,3 +191,24 @@ ++++ serefpolicy-3.2.7/policy/modules/system/xen.if 2008-02-07 11:26:47.000000000 -0500 +@@ -167,11 +167,14 @@ + # + interface(`xen_stream_connect',` + gen_require(` +- type xend_t, xend_var_run_t; ++ type xend_t, xend_var_run_t, xend_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1,xend_var_run_t,xend_var_run_t,xend_t) ++ ++ files_search_var_lib($1) ++ stream_connect_pattern($1,xend_var_lib_t,xend_var_lib_t,xend_t) + ') + + ######################################## +@@ -191,3 +194,24 @@ domtrans_pattern($1,xm_exec_t,xm_t) ') @@ -29395,8 +29792,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i +## Policy for staff user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.7/policy/modules/users/staff.te --- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.7/policy/modules/users/staff.te 2008-02-06 15:11:44.000000000 -0500 -@@ -0,0 +1,65 @@ ++++ serefpolicy-3.2.7/policy/modules/users/staff.te 2008-02-08 14:13:09.000000000 -0500 +@@ -0,0 +1,60 @@ +policy_module(staff,1.0.1) +userdom_unpriv_user_template(staff) + 
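Review bot: The xen.if change adds `files_search_var_lib($1)` and a second `stream_connect_pattern` on `xend_var_lib_t` to `xen_stream_connect`, which widens the interface for every existing caller. That goes beyond `virtd_t`, which this same hunk newly wires to it in virt.te. The other callers are not visible here, so this needs checking: if only virtd needs the sockets under the var_lib type, a separate interface would leave the others at their current access. If the widening is intended, a line such as `# xend also keeps sockets under its var_lib type` above the new rules would explain it, and the interface summary, which starts outside the hunk, should mention both locations.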
@@ -29455,11 +29852,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t +') + +optional_policy(` -+ polkit_run_grant(staff_t, staff_r, { staff_devpts_t staff_tty_device_t }) -+ polkit_read_lib(staff_t) -+') -+ -+optional_policy(` + xserver_per_role_template(staff, staff_t, staff_r) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.2.7/policy/modules/users/user.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 3605061..ab3c4b7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.7 -Release: 1%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -387,6 +387,13 @@ exit 0 %endif %changelog +* Thu Feb 5 2008 Dan Walsh 3.2.7-3 +- More fixes for polkit + +* Thu Feb 5 2008 Dan Walsh 3.2.7-2 +- Eliminate transition from unconfined_t to qemu by default +- Fixes for gpg + * Tue Feb 5 2008 Dan Walsh 3.2.7-1 - Update to upstream