diff --git a/policy-20071130.patch b/policy-20071130.patch index c518cd3..cc41bed 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2437,7 +2437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # /bin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2007-12-24 06:47:25.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2007-12-26 18:15:18.000000000 -0500 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` @@ -4446,7 +4446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/apache.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/apache.te 2007-12-26 19:16:19.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # @@ -4643,7 +4643,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -437,8 +505,14 @@ +@@ -425,6 +493,10 @@ + ') + + optional_policy(` ++ application_exec(httpd_t) ++') ++ ++optional_policy(` + calamaris_read_www_files(httpd_t) + ') + +@@ -437,8 +509,14 @@ ') optional_policy(` @@ -4659,7 +4670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -450,19 +524,13 @@ +@@ -450,19 +528,13 @@ ') optional_policy(` 
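Review bot: The new `optional_policy(` / `application_exec(httpd_t)` block in the apache.te hunk lets the web server domain execute every file type carrying the application-executable attribute, a broad grant for a network-facing daemon that the hunk leaves unexplained. The neighbouring `tunable_policy(`httpd_ssi_exec',` block shows this module's convention of gating execution behind a boolean; consider the same here, or at least a why-comment above the call such as `# httpd needs to run application binaries for <consumer> -- TODO name the consumer`. The enclosing apache.te section starts and ends outside the hunk.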
@@ -4680,7 +4691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -472,13 +540,14 @@ +@@ -472,13 +544,14 @@ openca_kill(httpd_t) ') @@ -4699,7 +4710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -486,6 +555,7 @@ +@@ -486,6 +559,7 @@ ') optional_policy(` @@ -4707,7 +4718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -521,6 +591,13 @@ +@@ -521,6 +595,13 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -4721,7 +4732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -550,18 +627,24 @@ +@@ -550,18 +631,24 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -4749,7 +4760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -585,6 +668,8 @@ +@@ -585,6 +672,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -4758,7 +4769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -638,6 +723,12 @@ +@@ -638,6 +727,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -4771,7 +4782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +746,6 @@ +@@ -655,10 +750,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -4782,7 +4793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +755,8 @@ +@@ -668,7 +759,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -4792,7 +4803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +770,44 @@ +@@ -682,15 +774,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -4804,15 +4815,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +tunable_policy(`httpd_use_nfs', ` -+ fs_read_nfs_files(httpd_sys_script_t) -+ fs_read_nfs_symlinks(httpd_sys_script_t) -+') -+ -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` ++ fs_read_nfs_files(httpd_sys_script_t) ++ fs_read_nfs_symlinks(httpd_sys_script_t) ++') ++ +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; @@ -4838,7 +4849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -700,9 +817,15 @@ +@@ -700,9 +821,15 @@ clamav_domtrans_clamscan(httpd_sys_script_t) ') 
@@ -4854,7 +4865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +847,46 @@ +@@ -724,3 +851,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -5473,7 +5484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.5/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/cron.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/cron.te 2007-12-27 07:19:39.000000000 -0500 @@ -50,6 +50,7 @@ type crond_tmp_t; @@ -5532,7 +5543,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron files_read_etc_files(crond_t) files_read_generic_spool(crond_t) -@@ -148,7 +156,9 @@ +@@ -142,13 +150,16 @@ + files_search_default(crond_t) + + init_rw_utmp(crond_t) ++init_spec_domtrans_script(crond_t) + + auth_use_nsswitch(crond_t) + libs_use_ld_so(crond_t) libs_use_shared_libs(crond_t) @@ -5542,7 +5560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -163,9 +173,6 @@ +@@ -163,9 +174,6 @@ mta_send_mail(crond_t) ifdef(`distro_debian',` @@ -5552,7 +5570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron optional_policy(` # Debian logcheck has the home dir set to its cache logwatch_search_cache_dir(crond_t) -@@ -180,21 +187,45 @@ +@@ -180,21 +188,45 @@ ') ') 
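Review bot: `init_spec_domtrans_script(crond_t)` is added unconditionally in the cron.te hunk, giving the cron daemon itself a transition into the init-script domain with no comment on which job requires it. Presumably cron jobs are meant to run in the cron job domains rather than from crond_t directly, so a direct crond_t to init-script path widens what a crontab entry can reach; if one package's cron job is the reason, an `optional_policy` block for that module, or at least `# run init scripts from crond itself: <consumer> -- TODO confirm`, would record the intent. The enclosing crond_t policy section starts and ends outside the hunk.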
@@ -5599,7 +5617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -267,9 +298,16 @@ +@@ -267,9 +299,16 @@ filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file }) files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) @@ -5617,7 +5635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_crond_t) kernel_read_system_state(system_crond_t) -@@ -323,7 +361,7 @@ +@@ -323,7 +362,7 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -5626,7 +5644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron auth_use_nsswitch(system_crond_t) -@@ -333,6 +371,7 @@ +@@ -333,6 +372,7 @@ libs_exec_ld_so(system_crond_t) logging_read_generic_logs(system_crond_t) @@ -5634,7 +5652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) -@@ -383,6 +422,14 @@ +@@ -383,6 +423,14 @@ ') optional_policy(` @@ -5649,7 +5667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron mrtg_append_create_logs(system_crond_t) ') -@@ -415,8 +462,7 @@ +@@ -415,8 +463,7 @@ ') optional_policy(` @@ -5659,7 +5677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -424,8 +470,13 @@ +@@ -424,8 +471,13 @@ ') optional_policy(` 
@@ -6031,8 +6049,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2007-12-24 06:16:06.000000000 -0500 -@@ -91,7 +91,9 @@ ++++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2007-12-30 09:53:47.000000000 -0500 +@@ -53,6 +53,7 @@ + gen_require(` + type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; + class dbus { send_msg acquire_svc }; ++ attribute dbusd_unconfined; + ') + + ############################## +@@ -84,6 +85,9 @@ + allow $1_dbusd_t self:tcp_socket create_stream_socket_perms; + allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; + ++ allow dbusd_unconfined $1_dbusd_t:dbus { send_msg acquire_svc }; ++ allow $1_dbusd_t dbusd_unconfined:dbus send_msg; ++ + # For connecting to the bus + allow $2 $1_dbusd_t:unix_stream_socket connectto; + type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t; +@@ -91,7 +95,9 @@ # SE-DBus specific permissions allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; allow $2 $1_dbusd_t:dbus { send_msg acquire_svc }; @@ -6043,7 +6079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern($1_dbusd_t,dbusd_etc_t,dbusd_etc_t) -@@ -104,8 +106,7 @@ +@@ -104,8 +110,7 @@ domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t) allow $2 $1_dbusd_t:process { sigkill signal }; @@ -6053,7 +6089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1_dbusd_t $2:process sigkill; allow $2 $1_dbusd_t:fd use; allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -161,7 +162,9 @@ +@@ -161,7 +166,9 @@ seutil_read_config($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t) 
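Review bot: The dbus.if hunk now requires `attribute dbusd_unconfined;` and grants it `send_msg acquire_svc` on every per-role bus, but nothing in this diff declares the attribute; unless the module's .te file declares it in the same patch, the module will fail to build. The new `allow dbusd_unconfined $1_dbusd_t:dbus { send_msg acquire_svc };` also bypasses the per-bus `$2 $1_dbusd_t:dbus` checks for any domain given the attribute, so the template's doc block (outside this hunk) should say that membership means unrestricted messaging on all user buses. The per-role dbus template starts and ends outside the hunk.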
@@ -6064,7 +6100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ifdef(`hide_broken_symptoms', ` dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write }; -@@ -214,7 +217,7 @@ +@@ -214,7 +221,7 @@ # SE-DBus specific permissions # allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; @@ -6073,7 +6109,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($2) -@@ -263,6 +266,7 @@ +@@ -251,6 +258,7 @@ + template(`dbus_user_bus_client_template',` + gen_require(` + type $1_dbusd_t; ++ attribute dbusd_unconfined; + class dbus send_msg; + ') + +@@ -263,6 +271,7 @@ # For connecting to the bus allow $3 $1_dbusd_t:unix_stream_socket connectto; @@ -6081,7 +6125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ######################################## -@@ -292,6 +296,59 @@ +@@ -292,6 +301,59 @@ ######################################## ## @@ -6141,7 +6185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## Read dbus configuration. ## ## -@@ -366,3 +423,53 @@ +@@ -366,3 +428,53 @@ allow $1 system_dbusd_t:dbus *; ') @@ -7328,7 +7372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mta.if 2007-12-27 11:44:00.000000000 -0500 @@ -133,6 +133,12 @@ sendmail_create_log($1_mail_t) ') 
@@ -7415,7 +7459,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -438,20 +491,18 @@ +@@ -422,6 +475,7 @@ + # apache should set close-on-exec + apache_dontaudit_rw_stream_sockets($1) + apache_dontaudit_rw_sys_script_stream_sockets($1) ++ apache_append_log($1) + ') + ') + +@@ -438,20 +492,18 @@ interface(`mta_send_mail',` gen_require(` attribute mta_user_agent; @@ -7442,7 +7494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -586,6 +637,25 @@ +@@ -586,6 +638,25 @@ files_search_etc($1) allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') @@ -7468,6 +7520,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ####################################### ## +@@ -837,6 +908,25 @@ + + ######################################## + ## ++## read mail queue files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_read_queue',` ++ gen_require(` ++ type mqueue_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1,mqueue_spool_t,mqueue_spool_t) ++') ++ ++######################################## ++## + ## Create, read, write, and delete + ## mail queue files. + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/mta.te 2007-12-19 05:38:09.000000000 -0500 
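Review bot: `apache_append_log($1)` is added inside the apache `optional_policy` block of the first mta.if hunk, so every domain passed to this template, not only a mail agent spawned by httpd scripts, gains append access to the apache log type. If the intent is the CGI-spawned mail path, a comment next to the call such as `# mail agents started from httpd scripts write to the apache log -- TODO confirm` would document it, and a narrower caller-specific grant may be possible. The enclosing template starts and ends outside the hunk.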
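Review bot: The new `mta_read_queue` interface's summary line reads `## read mail queue files.`, while the sibling interface visible right below it starts `## Create, read, write, and delete`; change it to `## Read mail queue files.` to match. The body grants `files_search_spool($1)` plus `read_files_pattern($1,mqueue_spool_t,mqueue_spool_t)`, which gives search but not listing on the queue directories; if a caller such as `pyzor_t` (added in the pyzor.te hunk) needs to enumerate the queue, `list_dirs_pattern($1,mqueue_spool_t,mqueue_spool_t)` would be needed as well.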
@@ -7878,13 +7956,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +/var/log/wpa_supplicant\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te 2007-12-26 20:31:36.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) +type NetworkManager_log_t; -+files_pid_file(NetworkManager_log_t) ++logging_log_file(NetworkManager_log_t) + ######################################## # @@ -8891,8 +8969,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2007-12-19 05:38:09.000000000 -0500 -@@ -133,3 +133,7 @@ ++++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2007-12-26 18:16:54.000000000 -0500 +@@ -129,7 +129,12 @@ + corenet_udp_bind_generic_port(procmail_t) + corenet_dontaudit_udp_bind_all_ports(procmail_t) + ++ spamassassin_read_user_home_files(procmail_t) + spamassassin_exec(procmail_t) spamassassin_exec_client(procmail_t) spamassassin_read_lib_files(procmail_t) ') 
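Review bot: `spamassassin_read_user_home_files(procmail_t)` in the procmail.te hunk passes one argument to what the spamassassin.if hunk declares as a `template` whose doc describes a user-prefix parameter followed by a domain, while the body uses `$1` as the domain and hard-codes `user_spamassassin_home_t`. The doc and the body disagree: either drop the prefix parameter block and declare it as an `interface`, or make it prefix-aware (`type $1_spamassassin_home_t;` with `$2` as the domain) and call it with two arguments. As written, procmail_t presumably reads only `user_`-prefixed homes, which is worth a comment at the call site if intentional. The enclosing procmail optional_policy block starts outside the hunk.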
@@ -8942,7 +9025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/pyzor.te 2007-12-27 11:44:33.000000000 -0500 @@ -28,6 +28,9 @@ type pyzor_var_lib_t; files_type(pyzor_var_lib_t) @@ -8953,6 +9036,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ######################################## # # Pyzor local policy +@@ -68,6 +71,8 @@ + + miscfiles_read_localization(pyzor_t) + ++mta_read_queue(pyzor_t) ++ + userdom_dontaudit_search_sysadm_home_dirs(pyzor_t) + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500 @@ -10149,7 +10241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2007-12-26 18:16:14.000000000 -0500 @@ -38,6 +38,8 @@ gen_require(` type spamc_exec_t, spamassassin_exec_t; 
@@ -10253,7 +10345,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam kernel_read_kernel_sysctls($1_spamassassin_t) -@@ -528,3 +526,21 @@ +@@ -407,6 +405,40 @@ + + ######################################## + ## ++## Read spamassassin per user homedir ++## ++## ++## ++## Read spamassassin per user homedir ++## ++## ++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++## ++## ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`spamassassin_read_user_home_files',` ++ gen_require(` ++ type user_spamassassin_home_t; ++ ') ++ ++ allow $1 user_spamassassin_home_t:dir list_dir_perms; ++ allow $1 user_spamassassin_home_t:file read_file_perms; ++') ++ ++######################################## ++## + ## Execute the spamassassin client + ## program in the caller directory. + ## +@@ -469,6 +501,7 @@ + ') + + files_search_var_lib($1) ++ read_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t) + read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t) + ') + +@@ -528,3 +561,22 @@ dontaudit $1 spamd_tmp_t:sock_file getattr; ') @@ -10275,6 +10416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + + stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t) +') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2007-12-19 05:38:09.000000000 -0500 
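Review bot: The spamassassin.if hunk adds `read_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)`, but the directory patterns used elsewhere in refpolicy are `list_dirs_pattern` and `search_dirs_pattern`; unless `read_dirs_pattern` is defined in this tree's support macros the module will not build, so confirm or switch to `list_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)`. In the new template's doc block the description repeats the summary `Read spamassassin per user homedir` verbatim; the description should say what is granted (directory listing and file read on the per-user spamassassin home type). The trailing `++` at the end of the `@@ -528,3 +561,22 @@` hunk adds a blank line at end of file, which is best dropped.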
@@ -10812,7 +10954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2007-12-27 11:37:04.000000000 -0500 @@ -45,7 +45,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -10822,7 +10964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dontaudit $1_xserver_t self:capability chown; allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1_xserver_t self:memprotect mmap_zero; -@@ -115,8 +115,7 @@ +@@ -115,18 +115,23 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) dev_manage_dri_dev($1_xserver_t) @@ -10832,7 +10974,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # raw memory access is needed if not using the frame buffer dev_read_raw_memory($1_xserver_t) dev_wx_raw_memory($1_xserver_t) -@@ -125,8 +124,13 @@ + # for other device nodes such as the NVidia binary-only driver + dev_rw_xserver_misc($1_xserver_t) ++ dev_setattr_xserver_misc_dev($1_xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev($1_xserver_t) dev_rwx_zero($1_xserver_t) @@ -10846,7 +10990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files($1_xserver_t) files_read_etc_runtime_files($1_xserver_t) -@@ -140,12 +144,16 @@ +@@ -140,12 +145,16 @@ fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) 
@@ -10864,7 +11008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) -@@ -232,39 +240,26 @@ +@@ -232,39 +241,26 @@ # Declarations # @@ -10911,7 +11055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ############################## # # $1_xserver_t Local policy -@@ -272,12 +267,15 @@ +@@ -272,12 +268,15 @@ domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) @@ -10928,7 +11072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t) manage_files_pattern($2,$1_fonts_t,$1_fonts_t) -@@ -307,6 +305,7 @@ +@@ -307,6 +306,7 @@ userdom_use_user_ttys($1,$1_xserver_t) userdom_setattr_user_ttys($1,$1_xserver_t) userdom_rw_user_tmpfs_files($1,$1_xserver_t) @@ -10936,7 +11080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_user_fonts($1,$1_xserver_t) xserver_rw_xdm_tmp_files($1_xauth_t) -@@ -330,12 +329,12 @@ +@@ -330,12 +330,12 @@ allow $1_xauth_t self:process signal; allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; @@ -10954,7 +11098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -@@ -344,12 +343,6 @@ +@@ -344,12 +344,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) @@ -10967,7 +11111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds($1_xauth_t) files_read_etc_files($1_xauth_t) -@@ -378,6 +371,14 @@ +@@ -378,6 +372,14 @@ ') optional_policy(` 
@@ -10982,7 +11126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ssh_sigchld($1_xauth_t) ssh_read_pipes($1_xauth_t) ssh_dontaudit_rw_tcp_sockets($1_xauth_t) -@@ -390,16 +391,16 @@ +@@ -390,16 +392,16 @@ domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) @@ -11004,7 +11148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints($1_iceauth_t) -@@ -523,17 +524,16 @@ +@@ -523,17 +525,16 @@ template(`xserver_user_client_template',` gen_require(` @@ -11029,7 +11173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -542,25 +542,55 @@ +@@ -542,25 +543,55 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -11093,7 +11237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -613,6 +643,24 @@ +@@ -613,6 +644,24 @@ ######################################## ## @@ -11118,7 +11262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -646,6 +694,73 @@ +@@ -646,6 +695,73 @@ ######################################## ## @@ -11192,7 +11336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -671,10 +786,10 @@ +@@ -671,10 +787,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -11205,7 +11349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -760,7 +875,7 @@ +@@ -760,7 +876,7 @@ type xconsole_device_t; ') 
@@ -11214,7 +11358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -860,6 +975,25 @@ +@@ -860,6 +976,25 @@ ######################################## ## @@ -11240,7 +11384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -914,6 +1048,7 @@ +@@ -914,6 +1049,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -11248,7 +11392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -974,6 +1109,37 @@ +@@ -974,6 +1110,37 @@ ######################################## ## @@ -11286,7 +11430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1289,7 @@ +@@ -1123,7 +1290,7 @@ type xdm_xserver_tmp_t; ') @@ -11295,7 +11439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1478,45 @@ +@@ -1312,3 +1479,45 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') 
@@ -12467,8 +12611,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2007-12-19 05:38:09.000000000 -0500 -@@ -292,6 +292,8 @@ ++++ serefpolicy-3.2.5/policy/modules/system/libraries.fc 2007-12-27 11:40:35.000000000 -0500 +@@ -183,6 +183,7 @@ + /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -242,7 +243,8 @@ + + # Flash plugin, Macromedia + HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -292,6 +294,8 @@ # # /var # 
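Review bot: The second changed line in the libraries.fc hunk replaces `HOME_DIR/.*/plugins/libflashplayer\.so.*` with `HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.*`, which is byte-identical to the unchanged context line directly above it, so the file now carries the same entry twice. Either drop the added line, or keep the broader `HOME_DIR/.*/plugins/libflashplayer\.so.*` pattern if flash plugins outside `~/.mozilla` still need `textrel_shlib_t`. The new `HOME_DIR/.*/plugins/nppdf\.so` entry lacks the `.*` suffix its sibling `nprhapengine\.so.*` line uses, so a versioned filename would not match; presumably intentional, but worth confirming.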
@@ -12477,6 +12639,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) +@@ -304,3 +308,4 @@ + /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) + /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) + /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.2.5/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-12-19 05:32:17.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/libraries.te 2007-12-19 05:38:09.000000000 -0500 @@ -12710,7 +12877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.2.5/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/logging.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/logging.te 2007-12-25 07:00:24.000000000 -0500 @@ -61,6 +61,12 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) @@ -12724,7 +12891,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ifdef(`enable_mls',` init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh) ') -@@ -202,6 +208,7 @@ +@@ -165,6 +171,10 @@ + userdom_dontaudit_search_sysadm_home_dirs(auditd_t) + + optional_policy(` ++ mta_send_mail(auditd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(auditd_t) + ') + +@@ -202,6 +212,7 @@ fs_getattr_all_fs(klogd_t) fs_search_auto_mountpoints(klogd_t)
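Review bot: The `optional_policy(` / `mta_send_mail(auditd_t)` block added in the logging.te hunk carries no comment on which auditd feature needs to send mail, and it is a new transition path from the audit daemon into the mail agent domain. A one-line why-comment above the call, e.g. `# auditd mails the admin on its space-left / disk-full actions -- TODO confirm`, would let the next reader judge whether the grant is still needed. The auditd_t policy section starts and ends outside the hunk.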
++## Read spamassassin per user homedir ++##
++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##