From 01c9e8a4f30b9e57334abb9d841108c36603e4ff Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Sep 16 2010 15:27:15 +0000 Subject: - Add cluster_var_lib_t type and label for /var/lib/cluster --- diff --git a/policy-F13.patch b/policy-F13.patch index ee93bb4..ec44540 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -544,7 +544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.19/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/logrotate.te 2010-05-28 09:41:59.951610956 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/logrotate.te 2010-09-16 15:32:06.757637046 +0200 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -581,6 +581,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) +@@ -125,7 +128,7 @@ + mta_send_mail(logrotate_t) + + ifdef(`distro_debian', ` +- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; ++ allow logrotate_t logrotate_tmp_t:file relabel_file_perms; + # for savelog + can_exec(logrotate_t, logrotate_exec_t) + @@ -137,6 +140,10 @@ ') 
@@ -1131,7 +1140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.19/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-08-13 08:05:22.243084958 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-09-16 15:32:42.205637133 +0200 @@ -21,8 +21,21 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -1163,7 +1172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink allow prelink_t prelink_log_t:dir setattr; create_files_pattern(prelink_t, prelink_log_t, prelink_log_t) -@@ -45,10 +57,14 @@ +@@ -45,15 +57,19 @@ allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; files_tmp_filetrans(prelink_t, prelink_tmp_t, file) @@ -1179,6 +1188,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink files_search_var_lib(prelink_t) # prelink misc objects that are not system + # libraries or entrypoints +-allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom }; ++allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms }; + + kernel_read_system_state(prelink_t) + kernel_read_kernel_sysctls(prelink_t) @@ -64,6 +80,7 @@ corecmd_read_bin_symlinks(prelink_t) 
@@ -3036,8 +3051,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.19/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/chrome.te 2010-09-13 14:43:33.016085201 +0200 -@@ -0,0 +1,88 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/chrome.te 2010-09-16 16:57:25.804637037 +0200 +@@ -0,0 +1,89 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -3117,14 +3132,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t +') + +tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_append_nfs_files(chrome_sandbox_t) -+ fs_dontaudit_read_nfs_files(chrome_sandbox_t) -+ fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t) ++ fs_search_nfs(chrome_sandbox_t) ++ fs_read_inherited_nfs_files(chrome_sandbox_t) ++ fs_read_nfs_symlinks(chrome_sandbox_t) +') + +tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(chrome_sandbox_t) ++ fs_read_inherited_cifs_files(chrome_sandbox_t) + fs_dontaudit_append_cifs_files(chrome_sandbox_t) -+ fs_dontaudit_read_cifs_files(chrome_sandbox_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.19/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2010-04-13 20:44:37.000000000 +0200 
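Review bot: The `use_nfs_home_dirs` block in chrome.te now swaps three dontaudit rules for allow rules (`fs_search_nfs`, `fs_read_inherited_nfs_files`, `fs_read_nfs_symlinks`), which widens what chrome_sandbox_t may do on NFS home directories instead of merely silencing denials, and the commit message does not mention this. The two tunable blocks are also no longer parallel: the CIFS branch keeps `fs_dontaudit_append_cifs_files(chrome_sandbox_t)` while the NFS branch drops its append dontaudit, so appends on NFS homes will now be audited. A why-comment above the blocks would let the next reader judge the grant, e.g. `# sandbox only needs already-open files handed to it (read_inherited_file_perms has no open) — confirm`. The rest of chrome.te lies outside this hunk.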
@@ -6346,7 +6362,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut dbus_system_bus_client(podsleuth_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-05-28 09:41:59.998610877 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/pulseaudio.if 2010-09-16 14:32:51.711386965 +0200 +@@ -17,7 +17,7 @@ + # + interface(`pulseaudio_role',` + gen_require(` +- type pulseaudio_t, pulseaudio_exec_t, print_spool_t; ++ type pulseaudio_t, pulseaudio_exec_t; + class dbus { acquire_svc send_msg }; + ') + @@ -104,6 +104,24 @@ can_exec($1, pulseaudio_exec_t) ') @@ -10859,7 +10884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-09-09 13:45:53.856085155 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-09-16 17:07:16.826386994 +0200 @@ -559,6 +559,24 @@ ######################################## @@ -10898,11 +10923,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') - allow $1 cifs_t:filesystem getattr; -+ allow $1 cgroup_t:filesystem getattr; - ') - - ######################################## - ## +-') +- +-######################################## +-## -## list dirs on cgroup -## file systems. -## 
@@ -10919,10 +10943,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy - ') - - list_dirs_pattern($1, cgroup_t, cgroup_t) --') -- --######################################## --## ++ allow $1 cgroup_t:filesystem getattr; + ') + + ######################################## + ## -## Do not audit attempts to read -## dirs on a CIFS or SMB filesystem. +## list dirs on cgroup @@ -11038,7 +11063,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Mount a CIFS or SMB network filesystem. ## ## -@@ -1141,7 +1213,7 @@ +@@ -1095,7 +1167,6 @@ + ## Domain allowed access. + ## + ## +-## + # + interface(`fs_append_cifs_files',` + gen_require(` +@@ -1115,7 +1186,6 @@ + ## Domain allowed access. + ## + ## +-## + # + interface(`fs_dontaudit_append_cifs_files',` + gen_require(` +@@ -1125,6 +1195,24 @@ + dontaudit $1 cifs_t:file append_file_perms; + ') + ++####################################### ++## ++## Read inherited files on a CIFS or SMB filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_read_inherited_cifs_files',` ++ gen_require(` ++ type cifs_t; ++ ') ++ ++ allow $1 cifs_t:file read_inherited_file_perms; ++') ++ + ######################################## + ## + ## Do not audit attempts to read or +@@ -1141,7 +1229,7 @@ type cifs_t; ') @@ -11047,7 +11113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -1404,6 +1476,25 @@ +@@ -1404,6 +1492,25 @@ domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -11073,7 +11139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ####################################### ## ## Create, read, write, and delete dirs -@@ -1831,6 +1922,25 @@ +@@ -1831,6 +1938,25 @@ ######################################## ## 
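Review bot: The parameter description of the new `fs_read_inherited_cifs_files` interface reads `## Domain to not audit.`, but the body is `allow $1 cifs_t:file read_inherited_file_perms;`, so the XML doc describes a dontaudit interface that this is not; it should be `## Domain allowed access.`. The same mismatch is in the new `fs_read_inherited_nfs_files` interface in the next hunk (the `@@ -2333,6 +2497,24 @@` insertion). The summaries of both could also note that read_inherited_file_perms omits `open`, since that is the reason to prefer them over fs_read_cifs_files / fs_read_nfs_files for callers that only consume inherited descriptors.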
@@ -11099,7 +11165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read and write hugetlbfs files. ## ## -@@ -1847,6 +1957,24 @@ +@@ -1847,6 +1973,24 @@ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -11124,7 +11190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Allow the type to associate to hugetlbfs filesystems. -@@ -1899,6 +2027,7 @@ +@@ -1899,6 +2043,7 @@ ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -11132,7 +11198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2295,6 +2424,25 @@ +@@ -2295,6 +2440,25 @@ ######################################## ## @@ -11158,7 +11224,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Append files ## on a NFS filesystem. ## -@@ -2349,7 +2497,7 @@ +@@ -2333,6 +2497,24 @@ + dontaudit $1 nfs_t:file append_file_perms; + ') + ++####################################### ++## ++## Read inherited files on a NFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_read_inherited_nfs_files',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:file read_inherited_file_perms; ++') ++ + ######################################## + ## + ## Do not audit attempts to read or +@@ -2349,7 +2531,7 @@ type nfs_t; ') @@ -11167,7 +11258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2537,6 +2685,24 @@ +@@ -2537,6 +2719,24 @@ ######################################## ## @@ -11192,7 +11283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read removable storage symbolic links. ## ## -@@ -2745,7 +2911,7 @@ +@@ -2745,7 +2945,7 @@ ######################################### ## ## Create, read, write, and delete symbolic links 
@@ -11201,7 +11292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -3812,6 +3978,24 @@ +@@ -3812,6 +4012,24 @@ rw_files_pattern($1, tmpfs_t, tmpfs_t) ') @@ -11226,7 +11317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Read tmpfs link files. -@@ -3870,6 +4054,24 @@ +@@ -3870,6 +4088,24 @@ ######################################## ## @@ -11251,7 +11342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4432,6 +4634,44 @@ +@@ -4432,6 +4668,44 @@ ######################################## ## @@ -11296,7 +11387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Do not audit attempts to get the attributes ## of all files with a filesystem type. ## -@@ -4549,3 +4789,24 @@ +@@ -4549,3 +4823,24 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -11717,7 +11808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.19/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if 2010-08-04 15:34:29.688085386 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if 2010-09-16 15:33:56.220637065 +0200 @@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` 
@@ -11731,6 +11822,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## +@@ -334,7 +336,7 @@ + ') + + dev_list_all_dev_nodes($1) +- allow $1 console_device_t:chr_file { relabelfrom relabelto }; ++ allow $1 console_device_t:chr_file relabel_chr_file_perms; + ') + + ######################################## @@ -672,6 +674,25 @@ ######################################## @@ -11766,6 +11866,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## +@@ -1097,7 +1118,7 @@ + ') + + dev_list_all_dev_nodes($1) +- allow $1 tty_device_t:chr_file { relabelfrom relabelto }; ++ allow $1 tty_device_t:chr_file relabel_chr_file_perms; + ') + + ######################################## @@ -1196,7 +1217,7 @@ type tty_device_t; ') @@ -11788,6 +11897,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## +@@ -1275,7 +1298,7 @@ + ') + + dev_list_all_dev_nodes($1) +- allow $1 ttynode:chr_file { relabelfrom relabelto }; ++ allow $1 ttynode:chr_file relabel_chr_file_perms; + ') + + ######################################## @@ -1333,7 +1356,7 @@ attribute ttynode; ') @@ -13799,7 +13917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.19/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-06-21 21:22:47.103156860 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-09-16 14:47:19.835637495 +0200 @@ -21,7 +21,7 @@ ###################################### 
@@ -13809,7 +13927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## ## ## -@@ -38,6 +38,148 @@ +@@ -38,6 +38,149 @@ can_exec($1, abrt_exec_t) ') @@ -13863,7 +13981,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + gen_require(` + type abrt_t; + ') -+ ++ ++ kernel_search_proc($1) + ps_process_pattern($1, abrt_t) +') + @@ -13958,7 +14077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt #################################### ## ## Read abrt configuration file. -@@ -76,9 +218,85 @@ +@@ -76,9 +219,85 @@ read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) ') @@ -14045,7 +14164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## an abrt environment ## ## -@@ -95,7 +313,7 @@ +@@ -95,7 +314,7 @@ # interface(`abrt_admin',` gen_require(` @@ -14054,7 +14173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt type abrt_var_cache_t, abrt_var_log_t; type abrt_var_run_t, abrt_tmp_t; type abrt_initrc_exec_t; -@@ -113,7 +331,7 @@ +@@ -113,7 +332,7 @@ admin_pattern($1, abrt_etc_t) logging_search_logs($1) 
@@ -14335,6 +14454,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.19/policy/modules/services/afs.if +--- nsaserefpolicy/policy/modules/services/afs.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/afs.if 2010-09-16 15:14:41.650636974 +0200 +@@ -97,8 +97,8 @@ + type afs_t, afs_initrc_exec_t; + ') + +- allow $1 afs_t:process { ptrace signal_perms getattr }; +- read_files_pattern($1, afs_t, afs_t) ++ allow $1 afs_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, afs_t) + + # Allow afs_admin to restart the afs service + afs_initrc_domtrans($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.19/policy/modules/services/afs.te --- nsaserefpolicy/policy/modules/services/afs.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/afs.te 2010-05-28 09:42:00.053610763 +0200 @@ -14487,7 +14620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.19/policy/modules/services/aiccu.te --- nsaserefpolicy/policy/modules/services/aiccu.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/aiccu.te 2010-07-13 09:29:24.178502599 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/aiccu.te 2010-09-16 09:55:09.026658234 +0200 @@ -0,0 +1,72 @@ + +policy_module(aiccu, 1.0.0) 
@@ -14515,7 +14648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc +# aiccu local policy +# + -+allow aiccu_t self:capability { kill net_admin }; ++allow aiccu_t self:capability { kill net_admin net_raw }; +dontaudit aiccu_t self:capability sys_tty_config; +allow aiccu_t self:process signal; +allow aiccu_t self:fifo_file rw_file_perms; @@ -15991,6 +16124,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm. dev_read_realtime_clock(apmd_t) dev_read_urand(apmd_t) dev_rw_apm_bios(apmd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.7.19/policy/modules/services/arpwatch.if +--- nsaserefpolicy/policy/modules/services/arpwatch.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/arpwatch.if 2010-09-16 15:05:24.621637181 +0200 +@@ -137,7 +137,7 @@ + type arpwatch_initrc_exec_t; + ') + +- allow $1 arpwatch_t:process { ptrace signal_perms getattr }; ++ allow $1 arpwatch_t:process { ptrace signal_perms }; + ps_process_pattern($1, arpwatch_t) + + arpwatch_initrc_domtrans($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.19/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/arpwatch.te 2010-07-23 14:06:57.786138760 +0200 
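Review bot: `allow aiccu_t self:capability { kill net_admin net_raw };` adds net_raw to the daemon's own capability set with no comment on which operation needed it. net_raw is a broad capability (raw and packet sockets), so a one-line why-comment tied to the denial that motivated it, e.g. `# net_raw: <operation seen in the AVC> — confirm`, keeps the grant auditable later. The remainder of aiccu's local policy is outside this hunk.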
@@ -16025,7 +16170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw fs_search_auto_mountpoints(arpwatch_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.19/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/asterisk.if 2010-05-28 09:42:00.063611364 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/asterisk.if 2010-09-16 15:05:49.748637209 +0200 @@ -1,5 +1,24 @@ ## Asterisk IP telephony server @@ -16051,6 +16196,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste ##################################### ## ## Connect to asterisk over a unix domain +@@ -45,7 +64,7 @@ + type asterisk_initrc_exec_t; + ') + +- allow $1 asterisk_t:process { ptrace signal_perms getattr }; ++ allow $1 asterisk_t:process { ptrace signal_perms }; + ps_process_pattern($1, asterisk_t) + + init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.19/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/asterisk.te 2010-05-28 09:42:00.064610809 +0200 
@@ -16163,6 +16317,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste + udev_read_db(asterisk_t) ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.7.19/policy/modules/services/automount.if +--- nsaserefpolicy/policy/modules/services/automount.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/automount.if 2010-09-16 15:06:07.893637088 +0200 +@@ -68,7 +68,8 @@ + type automount_t; + ') + +- read_files_pattern($1, automount_t, automount_t) ++ kernel_search_proc($1) ++ ps_process_pattern($1, automount_t) + ') + + ######################################## +@@ -149,7 +150,7 @@ + type automount_var_run_t, automount_initrc_exec_t; + ') + +- allow $1 automount_t:process { ptrace signal_perms getattr }; ++ allow $1 automount_t:process { ptrace signal_perms }; + ps_process_pattern($1, automount_t) + + init_labeled_script_domtrans($1, automount_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.19/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2010-04-13 20:44:36.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/automount.te 2010-05-28 09:42:00.065610953 +0200 @@ -16348,7 +16524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.7.19/policy/modules/services/boinc.if --- nsaserefpolicy/policy/modules/services/boinc.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.if 2010-06-25 14:56:43.461388526 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/boinc.if 2010-09-16 15:15:07.962637079 +0200 @@ -0,0 +1,151 @@ + +## policy for boinc 
@@ -16490,8 +16666,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + type boinc_var_lib_t; + ') + -+ allow $1 boinc_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, boinc_t, boinc_t) ++ allow $1 boinc_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, boinc_t) + + boinc_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -18224,7 +18400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_cache_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.19/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-06-25 15:03:23.048137726 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-09-16 15:15:34.657636962 +0200 @@ -68,7 +68,7 @@ ######################################## ## @@ -18243,14 +18419,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ## an cobblerd environment ## ## -@@ -162,6 +162,7 @@ +@@ -162,10 +162,11 @@ gen_require(` type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; type cobbler_etc_t, cobblerd_initrc_exec_t; + type httpd_cobbler_content_rw_t; ') - allow $1 cobblerd_t:process { ptrace signal_perms getattr }; +- allow $1 cobblerd_t:process { ptrace signal_perms getattr }; +- read_files_pattern($1, cobblerd_t, cobblerd_t) ++ allow $1 cobblerd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, cobblerd_t) + + files_search_etc($1) + admin_pattern($1, cobbler_etc_t) @@ -173,9 +174,11 @@ files_list_var_lib($1) admin_pattern($1, cobbler_var_lib_t) 
@@ -18574,8 +18756,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.19/policy/modules/services/corosync.if --- nsaserefpolicy/policy/modules/services/corosync.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/corosync.if 2010-05-28 09:42:00.087610617 +0200 -@@ -0,0 +1,108 @@ ++++ serefpolicy-3.7.19/policy/modules/services/corosync.if 2010-09-16 17:00:39.809386936 +0200 +@@ -0,0 +1,127 @@ +## SELinux policy for Corosync Cluster Engine + +######################################## @@ -18596,6 +18778,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + domtrans_pattern($1, corosync_exec_t, corosync_t) +') + ++####################################### ++## ++## Execute corosync in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`corosync_exec',` ++ gen_require(` ++ type corosync_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, corosync_exec_t) ++') ++ +##################################### +## +## Connect to corosync over a unix domain @@ -18686,8 +18887,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-09-13 16:14:36.850085069 +0200 -@@ -0,0 +1,143 @@ ++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-09-16 17:00:39.810387061 +0200 +@@ -0,0 +1,144 @@ + +policy_module(corosync,1.0.0) + 
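Review bot: The new `corosync_exec` interface documents its parameter as `## Domain allowed to transition.`, but its body is `corecmd_search_bin($1)` plus `can_exec($1, corosync_exec_t)` with no domain transition, so the text should be `## Domain allowed access.`; the transition wording belongs to `corosync_domtrans` just above it. The summary line `Execute corosync in the caller domain.` is correct, only the parameter text disagrees with the body.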
@@ -18819,6 +19020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + rhcs_rw_cluster_shm(corosync_t) + rhcs_rw_cluster_semaphores(corosync_t) + rhcs_stream_connect_cluster(corosync_t) ++ rhcs_read_cluster_lib_files(corosync_t) +') + +optional_policy(` @@ -18853,19 +19055,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.19/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cron.if 2010-07-27 16:15:15.408074038 +0200 -@@ -12,6 +12,10 @@ ++++ serefpolicy-3.7.19/policy/modules/services/cron.if 2010-09-16 14:41:50.412386895 +0200 +@@ -12,6 +12,12 @@ ## # template(`cron_common_crontab_template',` + gen_require(` -+ type crond_t, crond_var_run_t; ++ type crond_t, crond_var_run_t, crontab_exec_t; ++ type cron_spool_t, user_cron_spool_t; ++ + ') + ############################## # # Declarations -@@ -34,8 +38,12 @@ +@@ -34,8 +40,12 @@ allow $1_t self:process { setsched signal_perms }; allow $1_t self:fifo_file rw_fifo_file_perms; @@ -18880,7 +19084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # create files in /var/spool/cron manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) -@@ -62,6 +70,7 @@ +@@ -62,6 +72,7 @@ logging_send_syslog_msg($1_t) logging_send_audit_msgs($1_t) @@ -18888,7 +19092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron init_dontaudit_write_utmp($1_t) init_read_utmp($1_t) -@@ -76,6 +85,7 @@ +@@ -76,6 +87,7 @@ userdom_use_user_terminals($1_t) # Read user crontabs userdom_read_user_home_content_files($1_t) 
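Review bot: The `gen_require` block added to `cron_common_crontab_template` carries a stray blank line between `type cron_spool_t, user_cron_spool_t;` and the closing `')`; refpolicy style keeps gen_require blocks free of blank lines, so the empty `+` line should go. cron_spool_t and user_cron_spool_t are visibly used by the `manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)` line in the following hunk, but the uses of crontab_exec_t, crond_t and crond_var_run_t are outside the hunks shown, so I could not confirm every newly required type is referenced; the template body continues beyond this hunk.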
@@ -18896,7 +19100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -106,6 +116,7 @@ +@@ -106,6 +118,7 @@ interface(`cron_role',` gen_require(` type cronjob_t, crontab_t, crontab_exec_t; @@ -18904,7 +19108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') role $1 types { cronjob_t crontab_t }; -@@ -120,6 +131,15 @@ +@@ -120,6 +133,15 @@ ps_process_pattern($2, crontab_t) allow $2 crontab_t:process signal; @@ -18920,7 +19124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # Run helper programs as the user domain #corecmd_bin_domtrans(crontab_t, $2) #corecmd_shell_domtrans(crontab_t, $2) -@@ -154,27 +174,14 @@ +@@ -154,27 +176,14 @@ # interface(`cron_unconfined_role',` gen_require(` @@ -18950,7 +19154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron optional_policy(` gen_require(` class dbus send_msg; -@@ -259,9 +266,8 @@ +@@ -259,9 +268,8 @@ gen_require(` type crond_t, system_cronjob_t; ') @@ -18961,7 +19165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron role system_r types $1; ') -@@ -408,7 +414,43 @@ +@@ -408,7 +416,43 @@ type crond_t; ') @@ -19006,7 +19210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -554,7 +596,7 @@ +@@ -554,7 +598,7 @@ type system_cronjob_t; ') @@ -19015,7 +19219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -587,11 +629,14 @@ +@@ -587,11 +631,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` 
@@ -19031,12 +19235,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') ######################################## -@@ -627,7 +672,48 @@ +@@ -627,7 +674,47 @@ interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; + type cron_var_run_t; -+ type system_cronjob_var_run_t; ') dontaudit $1 system_cronjob_tmp_t:file write_file_perms; @@ -20257,7 +20460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.19/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/devicekit.if 2010-05-28 09:42:00.099610866 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/devicekit.if 2010-09-16 14:43:03.179637274 +0200 @@ -139,6 +139,26 @@ ######################################## @@ -20285,7 +20488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ## All of the rules required to administrate ## an devicekit environment ## -@@ -162,7 +182,7 @@ +@@ -162,16 +182,16 @@ interface(`devicekit_admin',` gen_require(` type devicekit_t, devicekit_disk_t, devicekit_power_t; 
@@ -20293,7 +20496,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi + type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') - allow $1 devicekit_t:process { ptrace signal_perms getattr }; +- allow $1 devicekit_t:process { ptrace signal_perms getattr }; ++ allow $1 devicekit_t:process { ptrace signal_perms }; + ps_process_pattern($1, devicekit_t) + +- allow $1 devicekit_disk_t:process { ptrace signal_perms getattr }; ++ allow $1 devicekit_disk_t:process { ptrace signal_perms }; + ps_process_pattern($1, devicekit_disk_t) + +- allow $1 devicekit_power_t:process { ptrace signal_perms getattr }; ++ allow $1 devicekit_power_t:process { ptrace signal_perms }; + ps_process_pattern($1, devicekit_power_t) + + admin_pattern($1, devicekit_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.19/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/devicekit.te 2010-08-10 17:16:41.979085228 +0200 
@@ -20530,6 +20745,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +optional_policy(` vbetool_domtrans(devicekit_power_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.7.19/policy/modules/services/dhcp.if +--- nsaserefpolicy/policy/modules/services/dhcp.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dhcp.if 2010-09-16 17:18:21.454637263 +0200 +@@ -77,7 +77,7 @@ + # + interface(`dhcpd_admin',` + gen_require(` +- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t; ++ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; + type dhcpd_var_run_t, dhcpd_initrc_exec_t; + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.19/policy/modules/services/dhcp.te --- nsaserefpolicy/policy/modules/services/dhcp.te 2010-04-13 20:44:36.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/dhcp.te 2010-06-16 21:55:51.478859909 +0200 @@ -20972,7 +21199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.7.19/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/exim.if 2010-05-28 09:42:00.106610959 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/exim.if 2010-09-16 15:15:56.330386661 +0200 @@ -20,6 +20,24 @@ ######################################## 
@@ -21025,8 +21252,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + type exim_tmp_t, exim_spool_t, exim_var_run_t; + ') + -+ allow $1 exim_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, exim_t, exim_t) ++ allow $1 exim_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, exim_t) + + exim_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -21117,6 +21344,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +optional_policy(` iptables_domtrans(fail2ban_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.7.19/policy/modules/services/fetchmail.if +--- nsaserefpolicy/policy/modules/services/fetchmail.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/fetchmail.if 2010-09-16 14:46:13.627387014 +0200 +@@ -18,6 +18,7 @@ + type fetchmail_var_run_t; + ') + ++ allow $1 fetchmail_t:process { ptrace signal_perms }; + ps_process_pattern($1, fetchmail_t) + + files_list_etc($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.19/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 2010-04-13 20:44:36.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/fprintd.te 2010-09-13 13:10:28.599085102 +0200 
@@ -22254,8 +22492,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.19/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/hal.if 2010-05-28 09:42:00.115610849 +0200 -@@ -367,7 +367,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/hal.if 2010-09-16 15:08:39.708386708 +0200 +@@ -51,6 +51,7 @@ + type hald_t; + ') + ++ kernel_search_proc($1) + ps_process_pattern($1, hald_t) + ') + +@@ -367,7 +368,7 @@ ## # interface(`hal_read_pid_files',` @@ -22264,7 +22510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. type hald_var_run_t; ') -@@ -377,6 +377,26 @@ +@@ -377,6 +378,26 @@ ######################################## ## @@ -22273,7 +22519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# 
@@ -22449,6 +22695,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local hald dccm policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.19/policy/modules/services/icecast.if +--- nsaserefpolicy/policy/modules/services/icecast.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/icecast.if 2010-09-16 14:50:20.457637118 +0200 +@@ -173,6 +173,7 @@ + type icecast_t, icecast_initrc_exec_t; + ') + ++ allow $1 icecast_t:process { ptrace signal_perms }; + ps_process_pattern($1, icecast_t) + + # Allow icecast_t to restart the apache service diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.19/policy/modules/services/icecast.te --- nsaserefpolicy/policy/modules/services/icecast.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/icecast.te 2010-09-09 12:23:45.726084993 +0200 @@ -22525,7 +22782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.if serefpolicy-3.7.19/policy/modules/services/jabber.if --- nsaserefpolicy/policy/modules/services/jabber.if 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/jabber.if 2010-09-01 11:58:19.536083725 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/jabber.if 2010-09-16 15:09:16.987637037 +0200 @@ -1,17 +1,96 @@ ## Jabber instant messaging server @@ -22597,7 +22854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# 
@@ -22966,7 +23223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap +#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.19/policy/modules/services/ldap.if --- nsaserefpolicy/policy/modules/services/ldap.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ldap.if 2010-05-28 09:42:00.121610589 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ldap.if 2010-09-16 15:00:27.926637062 +0200 @@ -1,5 +1,43 @@ ## OpenLDAP directory server @@ -23037,10 +23294,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ## Read the OpenLDAP configuration files. ## ## -@@ -71,6 +128,30 @@ +@@ -69,8 +126,30 @@ + ') + files_search_pids($1) - allow $1 slapd_var_run_t:sock_file write; - allow $1 slapd_t:unix_stream_socket connectto; +- allow $1 slapd_var_run_t:sock_file write; +- allow $1 slapd_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) + + optional_policy(` + ldap_stream_connect_dirsrv($1) @@ -23063,8 +23323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap + ') + + files_search_pids($1) -+ allow $1 dirsrv_var_run_t:sock_file write; -+ allow $1 dirsrv_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) ') ######################################## 
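Review bot: `stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)` in ldap_stream_connect grants `search` on slapd_var_run_t directories on top of the sock_file `write` and `connectto` that the two removed allow rules carried, so the interface's grant set widens slightly; the new ldap_stream_connect_dirsrv at the end of this span does the same for dirsrv_var_run_t. This is presumably intended, since the pattern's first argument is the directory type holding the socket, but the widening reaches every client domain that calls the interface and is worth a line in the commit message. Whether the pattern in this tree also adds `getattr` or `open` on the sock_file cannot be told from the hunk.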
@@ -23167,9 +23426,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc + +sysnet_dns_name_resolve(lircd_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.7.19/policy/modules/services/lpd.if +--- nsaserefpolicy/policy/modules/services/lpd.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/lpd.if 2010-09-16 15:34:23.589636742 +0200 +@@ -153,7 +153,7 @@ + ') + + files_search_spool($1) +- allow $1 print_spool_t:file { relabelto relabelfrom }; ++ allow $1 print_spool_t:file relabel_file_perms; + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.7.19/policy/modules/services/memcached.if --- nsaserefpolicy/policy/modules/services/memcached.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/memcached.if 2010-06-25 15:07:20.909137514 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/memcached.if 2010-09-16 14:51:54.584636864 +0200 @@ -59,6 +59,7 @@ gen_require(` type memcached_t; @@ -23178,6 +23449,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc ') allow $1 memcached_t:process { ptrace signal_perms }; +@@ -69,5 +70,6 @@ + role_transition $2 memcached_initrc_exec_t system_r; + allow $2 system_r; + ++ files_search_pids($1) + admin_pattern($1, memcached_var_run_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.7.19/policy/modules/services/milter.fc --- nsaserefpolicy/policy/modules/services/milter.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/milter.fc 2010-09-09 10:52:57.640084901 +0200 
@@ -23363,7 +23641,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. +/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.7.19/policy/modules/services/mpd.if --- nsaserefpolicy/policy/modules/services/mpd.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-06-28 14:07:11.654150869 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/mpd.if 2010-09-16 14:59:09.494386932 +0200 @@ -0,0 +1,295 @@ + +## policy for daemon for playing music @@ -23420,8 +23698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. + type mpd_data_t; + ') + -+ files_search_var_lib($1) -+ mpd_search_lib($1) ++ mpd_search_lib($1) + read_files_pattern($1, mpd_data_t, mpd_data_t) +') + @@ -23440,8 +23717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. + type mpd_tmpfs_t; + ') + -+ files_search_var_lib($1) -+ mpd_search_lib($1) ++ fs_search_tmpfs($1) + read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) +') + @@ -23460,10 +23736,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. + type mpd_tmpfs_t; + ') + -+ files_search_var_lib($1) -+ mpd_search_lib($1) -+ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) -+ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) ++ fs_search_tmpfs($1) ++ manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) ++ manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) +') + +###################################### @@ -23637,7 +23912,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. + type mpd_data_t; + type mpd_etc_t; + type mpd_log_t; -+ type mpd_var_lib_t; ++ type mpd_tmpfs_t; ++ type mpd_var_lib_t; + ') + + allow $1 mpd_t:process { ptrace signal_perms }; 
@@ -23659,6 +23935,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd. + + admin_pattern($1, mpd_log_t) + ++ fs_search_tmpfs($1) ++ admin_pattern($1, mpd_tmpfs_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.7.19/policy/modules/services/mpd.te --- nsaserefpolicy/policy/modules/services/mpd.te 1970-01-01 01:00:00.000000000 +0100 @@ -24286,8 +24564,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.7.19/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/munin.if 2010-08-02 09:03:40.662642033 +0200 -@@ -43,6 +43,24 @@ ++++ serefpolicy-3.7.19/policy/modules/services/munin.if 2010-09-16 15:01:01.167395899 +0200 +@@ -16,8 +16,7 @@ + type munin_var_run_t, munin_t; + ') + +- allow $1 munin_t:unix_stream_socket connectto; +- allow $1 munin_var_run_t:sock_file { getattr write }; ++ stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t) + files_search_pids($1) + ') + +@@ -43,6 +42,24 @@ files_search_etc($1) ') @@ -24312,7 +24600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ####################################### ## ## Append to the munin log. -@@ -102,6 +120,58 @@ +@@ -102,6 +119,58 @@ dontaudit $1 munin_var_lib_t:dir search_dir_perms; ') 
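Review bot: Replacing `allow $1 munin_var_run_t:sock_file { getattr write };` with `stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)` in the munin.if hunk drops `getattr` on the socket file if, as I recall for the refpolicy of this era, the pattern grants only `write` on its sock_file argument; a client that stat()s the socket before connecting would then be denied where it was allowed before. The resmgr.if hunk later in this patch makes the identical substitution for `resmgrd_var_run_t:sock_file { getattr write }`. Either confirm that stream_connect_pattern in this tree includes getattr, or keep an explicit `allow $1 munin_var_run_t:sock_file getattr;` beside the pattern call in both interfaces.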
@@ -24603,6 +24891,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +term_getattr_unallocated_ttys(munin_system_plugin_t) +term_getattr_all_ptys(munin_system_plugin_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.19/policy/modules/services/mysql.if +--- nsaserefpolicy/policy/modules/services/mysql.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/mysql.if 2010-09-16 15:01:43.198637084 +0200 +@@ -73,6 +73,7 @@ + type mysqld_t, mysqld_var_run_t, mysqld_db_t; + ') + ++ files_search_pids($1) + stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) + stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.19/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/mysql.te 2010-06-21 15:32:41.673073820 +0200 
@@ -26176,6 +26475,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd +optional_policy(` + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.7.19/policy/modules/services/nslcd.if +--- nsaserefpolicy/policy/modules/services/nslcd.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nslcd.if 2010-09-16 15:03:19.430636930 +0200 +@@ -106,9 +106,9 @@ + role_transition $2 nslcd_initrc_exec_t system_r; + allow $2 system_r; + +- manage_files_pattern($1, nslcd_conf_t, nslcd_conf_t) ++ files_search_etc($1) ++ admin_pattern($1, nslcd_conf_t) + +- manage_dirs_pattern($1, nslcd_var_run_t, nslcd_var_run_t) +- manage_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) +- manage_lnk_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ++ files_search_pids($1) ++ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.7.19/policy/modules/services/nslcd.te --- nsaserefpolicy/policy/modules/services/nslcd.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/nslcd.te 2010-05-28 09:42:00.139610787 +0200 
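Review bot: `admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)` passes a third argument while `admin_pattern($1, nslcd_conf_t)` two lines above and every other admin_pattern call in this patch use two; depending on how admin_pattern is defined in this tree the extra argument is either ignored or mis-expanded, so it should read `admin_pattern($1, nslcd_var_run_t)`. Note also that moving nslcd_conf_t from manage_files_pattern to admin_pattern extends the admin domain from plain files to directories, links, sockets and relabel operations on the config type; that is the usual admin contract, but the commit does not mention it.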
@@ -26441,6 +26757,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop seutil_sigchld_newrole(ntop_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.7.19/policy/modules/services/ntp.if +--- nsaserefpolicy/policy/modules/services/ntp.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ntp.if 2010-09-16 15:06:24.157386834 +0200 +@@ -144,7 +144,7 @@ + type ntpd_initrc_exec_t; + ') + +- allow $1 ntpd_t:process { ptrace signal_perms getattr }; ++ allow $1 ntpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, ntpd_t) + + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.19/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/ntp.te 2010-05-28 09:42:00.141610585 +0200 @@ -26631,7 +26959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.19/policy/modules/services/oddjob.if --- nsaserefpolicy/policy/modules/services/oddjob.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/oddjob.if 2010-08-09 14:17:22.876085247 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/oddjob.if 2010-09-16 15:10:11.324637049 +0200 @@ -22,6 +22,25 @@ domtrans_pattern($1, oddjob_exec_t, oddjob_t) ') @@ -26643,7 +26971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# 
@@ -26782,6 +27110,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open +optional_policy(` + unconfined_attach_tun_iface(openvpn_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.7.19/policy/modules/services/pads.if +--- nsaserefpolicy/policy/modules/services/pads.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/pads.if 2010-09-16 15:10:56.276637029 +0200 +@@ -39,6 +39,9 @@ + role_transition $2 pads_initrc_exec_t system_r; + allow $2 system_r; + ++ files_search_pids($1) + admin_pattern($1, pads_var_run_t) ++ ++ files_search_etc($1) + admin_pattern($1, pads_config_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.19/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/pcscd.te 2010-08-17 15:11:28.402085340 +0200 @@ -27326,8 +27667,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.19/policy/modules/services/plymouthd.if --- nsaserefpolicy/policy/modules/services/plymouthd.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/plymouthd.if 2010-05-28 09:42:00.150610614 +0200 -@@ -0,0 +1,322 @@ ++++ serefpolicy-3.7.19/policy/modules/services/plymouthd.if 2010-09-16 15:18:22.185386928 +0200 +@@ -0,0 +1,326 @@ +## policy for plymouthd + +######################################## 
@@ -27619,17 +27960,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym +# +interface(`plymouthd_admin', ` + gen_require(` -+ type plymouthd_t; ++ type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; ++ type plymouthd_var_run_t; + ') + -+ allow $1 plymouthd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, plymouthd_t, plymouthd_t) -+ -+ plymouthd_manage_var_run($1) ++ allow $1 plymouthd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, plymouthd_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, plymouthd_spool_t) ++ ++ admin_pattern($1, plymouthd_var_lib_t) + -+ plymouthd_manage_var_lib($1) ++ files_search_pids($1) ++ admin_pattern($1, plymouthd_var_run_t) + -+ plymouthd_manage_spool($1) +') + +######################################## @@ -28077,7 +28422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.7.19/policy/modules/services/portreserve.if --- nsaserefpolicy/policy/modules/services/portreserve.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/portreserve.if 2010-05-28 09:42:00.154610557 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/portreserve.if 2010-09-16 15:19:05.465636901 +0200 @@ -18,6 +18,24 @@ domtrans_pattern($1, portreserve_exec_t, portreserve_t) ') @@ -28130,8 +28475,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port + type portreserve_initrc_exec_t, portreserve_var_run_t; + ') + -+ allow $1 portreserve_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, portreserve_t, portreserve_t) ++ allow $1 portreserve_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, portreserve_t) + + portreserve_initrc_domtrans($1) + domain_system_change_exemption($1) 
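Review bot: In the rewritten plymouthd_admin, `files_search_var_lib($1)` sits directly before `admin_pattern($1, plymouthd_spool_t)` while `admin_pattern($1, plymouthd_var_lib_t)` gets no search call at all; a spool type normally needs `files_search_spool($1)`, and the var_lib search belongs in front of the var_lib pattern, mirroring the `files_search_pids($1)` / `admin_pattern($1, plymouthd_var_run_t)` pairing below. Where plymouthd_spool_t is actually labelled is outside this hunk, so confirm against plymouthd.fc before moving the calls.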
@@ -28187,7 +28532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-08-25 16:01:16.678085053 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-09-16 15:22:04.119636970 +0200 @@ -46,6 +46,7 @@ allow postfix_$1_t postfix_etc_t:dir list_dir_perms; @@ -28360,20 +28705,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_spool($1) ') -@@ -437,11 +522,30 @@ +@@ -437,15 +522,34 @@ # interface(`postfix_list_spool',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; -+ ') -+ + ') + +- allow $1 postfix_spool_t:dir list_dir_perms; + allow $1 postfix_spool_type:dir list_dir_perms; -+ files_search_spool($1) -+') -+ -+######################################## -+## + files_search_spool($1) + ') + + ######################################## + ## +## Getattr postfix mail spool files. +## +## @@ -28385,14 +28731,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +interface(`postfix_getattr_spool_files',` + gen_require(` + attribute postfix_spool_type; - ') - -- allow $1 postfix_spool_t:dir list_dir_perms; - files_search_spool($1) ++ ') ++ ++ files_search_spool($1) + getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) - ') - - ######################################## ++') ++ ++######################################## ++## + ## Read postfix mail spool files. + ## + ## @@ -456,16 +560,16 @@ # interface(`postfix_read_spool_files',` 
@@ -28540,26 +28889,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; + ') + -+ allow $1 postfix_bounce_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_bounce_t, postfix_bounce_t) ++ allow $1 postfix_bounce_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_bounce_t) + -+ allow $1 postfix_cleanup_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_cleanup_t, postfix_cleanup_t) ++ allow $1 postfix_cleanup_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_cleanup_t) + -+ allow $1 postfix_local_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_local_t, postfix_local_t) ++ allow $1 postfix_local_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_local_t) + -+ allow $1 postfix_master_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_master_t, postfix_master_t) ++ allow $1 postfix_master_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_master_t) + -+ allow $1 postfix_pickup_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_pickup_t, postfix_pickup_t) ++ allow $1 postfix_pickup_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_pickup_t) + -+ allow $1 postfix_qmgr_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_qmgr_t, postfix_qmgr_t) ++ allow $1 postfix_qmgr_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_qmgr_t) + -+ allow $1 postfix_smtpd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, postfix_smtpd_t, postfix_smtpd_t) ++ allow $1 postfix_smtpd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, postfix_smtpd_t) + + postfix_run_map($1,$2) + postfix_run_postdrop($1,$2) 
@@ -29013,6 +29362,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.19/policy/modules/services/postgresql.if +--- nsaserefpolicy/policy/modules/services/postgresql.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/postgresql.if 2010-09-16 15:28:46.998386775 +0200 +@@ -312,10 +312,8 @@ + ') + + files_search_pids($1) +- allow $1 postgresql_t:unix_stream_socket connectto; +- allow $1 postgresql_var_run_t:sock_file write; +- # Some versions of postgresql put the sock file in /tmp +- allow $1 postgresql_tmp_t:sock_file write; ++ files_search_tmp($1) ++ stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t) + ') + + ######################################## +@@ -439,14 +437,19 @@ + role_transition $2 postgresql_initrc_exec_t system_r; + allow $2 system_r; + ++ files_search_pids($1) + admin_pattern($1, postgresql_var_run_t) + ++ files_search_var_lib($1) + admin_pattern($1, postgresql_db_t) + ++ files_search_etc($1) + admin_pattern($1, postgresql_etc_t) + ++ logging_search_logs($1) + admin_pattern($1, postgresql_log_t) + ++ files_search_tmp($1) + admin_pattern($1, postgresql_tmp_t) + + postgresql_tcp_connect($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.19/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/postgresql.te 2010-09-15 15:43:14.862386997 +0200 
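Review bot: The rewritten postgresql_stream_connect drops the comment `# Some versions of postgresql put the sock file in /tmp`, which was the only explanation of why postgresql_tmp_t appears in the socket rules; keep it above the new stream_connect_pattern line. On that same line `{ postgresql_var_run_t postgresql_tmp_t}` is missing the space before the closing brace twice, and passing the set as the directory argument grants `search` on postgresql_tmp_t and postgresql_var_run_t directories, which the removed allow rules did not; state the widening or pass only the directory types actually needed.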
@@ -29025,6 +29410,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post files_search_etc(postgresql_t) files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.19/policy/modules/services/ppp.if +--- nsaserefpolicy/policy/modules/services/ppp.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ppp.if 2010-09-16 15:24:30.000387099 +0200 +@@ -360,7 +360,7 @@ + type pppd_initrc_exec_t; + ') + +- allow $1 pppd_t:process { ptrace signal_perms getattr }; ++ allow $1 pppd_t:process { ptrace signal_perms }; + ps_process_pattern($1, pppd_t) + + ppp_initrc_domtrans($1) +@@ -386,7 +386,7 @@ + files_list_pids($1) + admin_pattern($1, pppd_var_run_t) + +- allow $1 pptp_t:process { ptrace signal_perms getattr }; ++ allow $1 pptp_t:process { ptrace signal_perms }; + ps_process_pattern($1, pptp_t) + + admin_pattern($1, pptp_log_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.19/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/ppp.te 2010-05-28 09:42:00.159610853 +0200 
@@ -29046,6 +29452,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.7.19/policy/modules/services/prelude.if +--- nsaserefpolicy/policy/modules/services/prelude.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/prelude.if 2010-09-16 15:12:53.251386792 +0200 +@@ -136,9 +136,15 @@ + allow $2 system_r; + + admin_pattern($1, prelude_spool_t) ++ ++ files_search_var_lib($1) + admin_pattern($1, prelude_var_lib_t) ++ ++ files_search_pids($1) + admin_pattern($1, prelude_var_run_t) + admin_pattern($1, prelude_audisp_var_run_t) ++ ++ files_search_tmp($1) + admin_pattern($1, prelude_lml_tmp_t) + admin_pattern($1, prelude_lml_var_run_t) + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.if serefpolicy-3.7.19/policy/modules/services/privoxy.if +--- nsaserefpolicy/policy/modules/services/privoxy.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/privoxy.if 2010-09-16 15:24:54.424637062 +0200 +@@ -24,7 +24,7 @@ + type privoxy_initrc_exec_t; + ') + +- allow $1 privoxy_t:process { ptrace signal_perms getattr }; ++ allow $1 privoxy_t:process { ptrace signal_perms }; + ps_process_pattern($1, privoxy_t) + + init_labeled_script_domtrans($1, privoxy_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.7.19/policy/modules/services/procmail.fc --- nsaserefpolicy/policy/modules/services/procmail.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/procmail.fc 2010-05-28 09:42:00.159610853 +0200 
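Review bot: `admin_pattern($1, prelude_spool_t)` at the top of the prelude_admin hunk is the one admin_pattern call there that did not receive a matching search call, while the var_lib, pids and tmp types each got one; for consistency add `files_search_spool($1)` before it. Likewise `admin_pattern($1, prelude_lml_var_run_t)` now sits under `files_search_tmp($1)` rather than with the other pid types; grouping it after `files_search_pids($1)` keeps the search/pattern pairing readable.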
@@ -29219,13 +29656,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.19/policy/modules/services/puppet.te --- nsaserefpolicy/policy/modules/services/puppet.te 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-08-30 19:46:34.715085037 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-09-16 15:40:46.667386897 +0200 @@ -192,7 +192,14 @@ manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) -+allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto }; -+allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto }; ++allow puppetmaster_t puppet_log_t:file relabel_file_perms; ++allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; + +selinux_validate_context(puppetmaster_t) +seutil_read_file_contexts(puppetmaster_t) @@ -29417,8 +29854,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.if serefpolicy-3.7.19/policy/modules/services/qpidd.if --- nsaserefpolicy/policy/modules/services/qpidd.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/qpidd.if 2010-05-28 09:42:00.164610730 +0200 -@@ -0,0 +1,236 @@ ++++ serefpolicy-3.7.19/policy/modules/services/qpidd.if 2010-09-16 15:23:19.343636970 +0200 +@@ -0,0 +1,231 @@ + +## policy for qpidd + 
@@ -29597,16 +30034,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +# +interface(`qpidd_admin',` + gen_require(` -+ type qpidd_t; ++ type qpidd_t, qpidd_initrc_exec_t; + ') + -+ allow $1 qpidd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, qpidd_t, qpidd_t) -+ -+ -+ gen_require(` -+ type qpidd_initrc_exec_t; -+ ') ++ allow $1 qpidd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, qpidd_t) + + # Allow qpidd_t to restart the apache service + qpidd_initrc_domtrans($1) @@ -29718,6 +30150,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +miscfiles_read_localization(qpidd_t) + +sysnet_dns_name_resolve(qpidd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.if serefpolicy-3.7.19/policy/modules/services/radius.if +--- nsaserefpolicy/policy/modules/services/radius.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/radius.if 2010-09-16 15:25:26.911637199 +0200 +@@ -38,7 +38,7 @@ + type radiusd_initrc_exec_t; + ') + +- allow $1 radiusd_t:process { ptrace signal_perms getattr }; ++ allow $1 radiusd_t:process { ptrace signal_perms }; + ps_process_pattern($1, radiusd_t) + + init_labeled_script_domtrans($1, radiusd_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.7.19/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/radius.te 2010-08-30 19:31:22.527085108 +0200 
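Review bot: The merged gen_require in qpidd_admin is fine, but the retained comment `# Allow qpidd_t to restart the apache service` directly below the rewritten lines names apache rather than qpidd, and the rule it annotates, `qpidd_initrc_domtrans($1)`, lets the calling domain (not qpidd_t) run the qpidd init script; reword it to `# Allow the admin domain to run the qpidd init script`. The icecast.if hunk earlier in this patch carries the same copy-pasted wording.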
@@ -29748,8 +30192,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.19/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/razor.if 2010-05-28 09:42:00.166610736 +0200 -@@ -157,3 +157,45 @@ ++++ serefpolicy-3.7.19/policy/modules/services/razor.if 2010-09-16 15:26:20.599637115 +0200 +@@ -157,3 +157,44 @@ domtrans_pattern($1, razor_exec_t, razor_t) ') @@ -29770,7 +30214,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + type razor_home_t; + ') + -+ files_search_home($1) + userdom_search_user_home_dirs($1) + manage_files_pattern($1, razor_home_t, razor_home_t) + read_lnk_files_pattern($1, razor_home_t, razor_home_t) 
@@ -29849,6 +30292,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo +') + ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/resmgr.if serefpolicy-3.7.19/policy/modules/services/resmgr.if +--- nsaserefpolicy/policy/modules/services/resmgr.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/resmgr.if 2010-09-16 15:29:11.862636875 +0200 +@@ -16,7 +16,6 @@ + type resmgrd_var_run_t, resmgrd_t; + ') + +- allow $1 resmgrd_t:unix_stream_socket connectto; +- allow $1 resmgrd_var_run_t:sock_file { getattr write }; + files_search_pids($1) ++ stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.19/policy/modules/services/rgmanager.fc --- nsaserefpolicy/policy/modules/services/rgmanager.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.7.19/policy/modules/services/rgmanager.fc 2010-05-28 09:42:00.167610740 +0200 @@ -29865,7 +30320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.19/policy/modules/services/rgmanager.if --- nsaserefpolicy/policy/modules/services/rgmanager.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.if 2010-05-28 09:42:00.168610743 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.if 2010-09-16 15:26:59.814637060 +0200 @@ -0,0 +1,141 @@ +## SELinux policy for rgmanager + 
@@ -29990,7 +30445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma + ') + + allow $1 rgmanager_t:process { ptrace signal_perms }; -+ read_files_pattern($1, rgmanager_t, rgmanager_t) ++ ps_process_pattern($1, rgmanager_t) + + init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) + domain_system_change_exemption($1) @@ -30237,8 +30692,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.19/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-08-10 16:35:38.723085246 +0200 -@@ -0,0 +1,24 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-09-16 17:00:39.815401517 +0200 +@@ -0,0 +1,26 @@ +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) @@ -30249,8 +30704,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + +/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) + ++/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) + ++/var/log/cluster/.*\.*log <> +/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) +/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) +/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) 
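Review bot: The new catch-all `/var/log/cluster/.*\.*log` line in rhcs.fc carries a context that renders here as `<>`, presumably `<<none>>` with the inner marker lost in extraction; a `<<none>>` entry tells setfiles/restorecon to skip matching files, so any log under /var/log/cluster without a more specific line keeps whatever type the creating daemon gave it and is never corrected by a relabel. That is a reasonable choice for logs created through filetrans rules, but it is invisible to the next reader, so a comment such as `# unknown cluster logs keep the type their daemon creates them with; do not relabel` above the line would help, and the per-daemon lines should stay after it since, as I read the matching rules, they are what override the catch-all. Note also that `\.*log` means zero or more literal dots followed by `log`, so the pattern also matches names like `catalog`; if "any .log file" is intended, `.*\.log.*` mirrors the shape of the per-daemon entries below it.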
@@ -30265,8 +30722,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.19/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-09-01 11:22:33.060333720 +0200 -@@ -0,0 +1,439 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-09-16 17:00:39.817386962 +0200 +@@ -0,0 +1,458 @@ +## RHCS - Red Hat Cluster Suite + +####################################### @@ -30706,10 +31163,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + + allow $1 qdiskd_tmpfs_t:file read_file_perms; +') ++ ++####################################### ++## ++## Allow domain to read cluster lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_read_cluster_lib_files',` ++ gen_require(` ++ type cluster_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-08-06 12:18:34.559334235 +0200 -@@ -0,0 +1,245 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2010-09-16 17:00:39.818386668 +0200 +@@ -0,0 +1,257 @@ + +policy_module(rhcs,1.1.0) + @@ -30750,6 +31226,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +type qdiskd_var_lib_t; +files_type(qdiskd_var_lib_t) + ++# type for generic cluster lib files ++type cluster_var_lib_t; ++files_type(cluster_var_lib_t) ++ +##################################### +# +# dlm_controld local policy 
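Review bot: `rhcs_read_cluster_lib_files` grants only `read_files_pattern`, which gives search on the directory but not list, so a caller that enumerates /var/lib/cluster (rather than opening files by known name) will still be denied; if that is a real use case, adding `list_dirs_pattern($1, cluster_var_lib_t, cluster_var_lib_t)` next to the read rule closes it, otherwise a one-line comment saying the interface is deliberately search-only would stop the next person from widening it. The interface summary could also name the path so callers know what they are asking for, e.g. `## Read generic cluster state files under /var/lib/cluster (cluster_var_lib_t).`. The new type declaration in rhcs.te already carries a purpose comment, which is good.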
@@ -30829,6 +31309,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + ccs_stream_connect(cluster_domain) +') + ++# needed by fence_scsi ++optional_policy(` ++ corosync_exec(fenced_t) ++') ++ +optional_policy(` + lvm_domtrans(fenced_t) + lvm_read_config(fenced_t) @@ -30945,6 +31430,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +allow cluster_domain self:unix_stream_socket create_stream_socket_perms; +allow cluster_domain self:unix_dgram_socket create_socket_perms; + ++manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t) ++manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t) ++ +libs_use_ld_so(cluster_domain) +libs_use_shared_libs(cluster_domain) + @@ -30967,7 +31455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.7.19/policy/modules/services/ricci.if --- nsaserefpolicy/policy/modules/services/ricci.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-08-09 14:36:06.787334935 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-09-16 15:29:32.734636961 +0200 @@ -18,6 +18,24 @@ domtrans_pattern($1, ricci_exec_t, ricci_t) ') 
@@ -30993,8 +31481,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ######################################## ## ## Execute a domain transition to run ricci_modcluster. -@@ -94,6 +112,25 @@ - allow $1 ricci_modclusterd_t:unix_stream_socket connectto; +@@ -90,10 +108,28 @@ + ') + + files_search_pids($1) +- allow $1 ricci_modcluster_var_run_t:sock_file write; +- allow $1 ricci_modclusterd_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t) ') +####################################### @@ -31019,7 +31512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ######################################## ## ## Execute a domain transition to run ricci_modlog. -@@ -165,3 +202,87 @@ +@@ -165,3 +201,87 @@ domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) ') @@ -31309,8 +31802,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.7.19/policy/modules/services/rpcbind.if --- nsaserefpolicy/policy/modules/services/rpcbind.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/rpcbind.if 2010-06-25 15:10:52.796137763 +0200 -@@ -141,7 +141,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rpcbind.if 2010-09-16 15:30:57.838386767 +0200 +@@ -34,8 +34,7 @@ + ') + + files_search_pids($1) +- allow $1 rpcbind_var_run_t:sock_file write; +- allow $1 rpcbind_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t) + ') + + ######################################## +@@ -141,8 +140,14 @@ allow $1 rpcbind_t:process { ptrace signal_perms }; ps_process_pattern($1, rpcbind_t) 
@@ -31319,6 +31822,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb domain_system_change_exemption($1) role_transition $2 rpcbind_initrc_exec_t system_r; allow $2 system_r; ++ ++ files_search_var_lib($1) ++ admin_pattern($1, rpcbind_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, rpcbind_var_run_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.7.19/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/rpcbind.te 2010-08-30 20:25:53.722333587 +0200 @@ -31341,7 +31851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.19/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/rpc.if 2010-05-28 09:42:00.175610487 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rpc.if 2010-09-16 15:41:11.666398045 +0200 @@ -246,6 +246,26 @@ allow rpcd_t $1:process signal; ') @@ -31373,7 +31883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) -+ allow $1 var_lib_nfs_t:file { relabelfrom relabelto }; ++ allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.19/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2010-04-13 20:44:37.000000000 +0200 
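Review bot: In the rpc.if hunk the manage interface for var_lib_nfs_t keeps a relabel grant (now spelled `allow $1 var_lib_nfs_t:file relabel_file_perms;`) with nothing saying which caller needs it; relabeling is a distinct privilege from managing, since it lets the caller move NFS state files to any type it holds relabelto for, or pull foreign files under var_lib_nfs_t. A short why-comment above the rule naming the consumer, or a separate interface dedicated to relabeling (constructed name: `rpc_relabel_nfs_state_data`) that only that consumer calls, would keep the manage interface at least-privilege. The enclosing interface starts outside this hunk, so I cannot confirm its name from here.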
@@ -31669,7 +32179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.19/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/samba.if 2010-06-28 18:46:37.808401969 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/samba.if 2010-09-16 16:51:08.806636988 +0200 @@ -62,6 +62,25 @@ ######################################## @@ -31804,7 +32314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## ## ## Connect to winbind. -@@ -610,6 +709,36 @@ +@@ -610,6 +709,37 @@ ######################################## ## @@ -31820,6 +32330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +template(`samba_helper_template',` + gen_require(` + type smbd_t; ++ role system_r; + ') + #This type is for samba helper scripts + type samba_$1_script_t; @@ -31841,7 +32352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ## All of the rules required to administrate ## an samba environment ## -@@ -640,6 +769,7 @@ +@@ -640,6 +770,7 @@ type winbind_var_run_t, winbind_tmp_t; type winbind_log_t; 
@@ -31849,17 +32360,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_initrc_exec_t; ') -@@ -649,6 +779,9 @@ +@@ -649,6 +780,9 @@ allow $1 nmbd_t:process { ptrace signal_perms }; ps_process_pattern($1, nmbd_t) -+ allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t) ++ allow $1 samba_unconfined_script_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, samba_unconfined_script_t) + samba_run_smbcontrol($1, $2, $3) samba_run_winbind_helper($1, $2, $3) samba_run_smbmount($1, $2, $3) -@@ -689,4 +822,5 @@ +@@ -689,4 +823,5 @@ admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) @@ -32225,6 +32736,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl # # /usr +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.if serefpolicy-3.7.19/policy/modules/services/sasl.if +--- nsaserefpolicy/policy/modules/services/sasl.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/sasl.if 2010-09-16 16:45:19.599637162 +0200 +@@ -42,7 +42,7 @@ + type saslauthd_initrc_exec_t; + ') + +- allow $1 saslauthd_t:process { ptrace signal_perms getattr }; ++ allow $1 saslauthd_t:process { ptrace signal_perms }; + ps_process_pattern($1, saslauthd_t) + + init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.19/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/sasl.te 2010-05-28 09:42:00.182610859 +0200 
@@ -32250,11 +32773,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.19/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/sendmail.if 2010-07-14 12:54:00.393409832 +0200 -@@ -57,6 +57,24 @@ - allow sendmail_t $1:process sigchld; - ') ++++ serefpolicy-3.7.19/policy/modules/services/sendmail.if 2010-09-16 16:48:16.015637212 +0200 +@@ -51,10 +51,24 @@ + ') + mta_sendmail_domtrans($1, sendmail_t) ++') ++ +####################################### +## +## Execute sendmail in the sendmail domain. @@ -32269,14 +32794,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + gen_require(` + type sendmail_initrc_exec_t; + ') -+ + +- allow sendmail_t $1:fd use; +- allow sendmail_t $1:fifo_file rw_file_perms; +- allow sendmail_t $1:process sigchld; + init_labeled_script_domtrans($1, sendmail_initrc_exec_t) -+') -+ + ') + ######################################## - ## - ## Execute the sendmail program in the sendmail domain. -@@ -277,3 +295,70 @@ +@@ -152,7 +166,7 @@ + type sendmail_t; + ') + +- allow $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; ++ allow $1 sendmail_t:unix_stream_socket rw_socket_perms; + ') + + ######################################## +@@ -171,7 +185,7 @@ + type sendmail_t; + ') + +- dontaudit $1 sendmail_t:unix_stream_socket { getattr read write ioctl }; ++ dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms; + ') + + ######################################## +@@ -277,3 +291,70 @@ sendmail_domtrans_unconfined($1) role $2 types unconfined_sendmail_t; ') 
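Review bot: Replacing `{ getattr read write ioctl }` with `rw_socket_perms` in the two sendmail unix_stream_socket rules is not a pure spelling change: `rw_socket_perms` as defined in refpolicy's obj_perm_sets also carries setattr, append, bind, connect, getopt, setopt and shutdown, so the allow and the dontaudit both become broader than the explicit sets they replace. If the intent is only to read and write an inherited socket, keeping the explicit set is the narrower choice; if the wider set is wanted, a one-line comment saying why would keep the next reviewer from reverting it. The same substitution, from `{ getattr read write }`, appears in the squid.if hunk further down and deserves the same decision.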
@@ -32324,11 +32868,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + type mail_spool_t; + ') + -+ allow $1 sendmail_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, sendmail_t, sendmail_t) ++ allow $1 sendmail_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, sendmail_t) + -+ allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t) ++ allow $1 unconfined_sendmail_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, unconfined_sendmail_t) + + init_labeled_script_domtrans($1, sendmail_initrc_exec_t) + domain_system_change_exemption($1) @@ -32449,7 +32993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if 2010-06-25 15:13:41.144137172 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.if 2010-09-16 16:20:10.904636972 +0200 @@ -16,8 +16,8 @@ ') @@ -32498,7 +33042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# 
@@ -32737,6 +33281,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + policykit_dbus_chat(setroubleshoot_fixit_t) + userdom_read_all_users_state(setroubleshoot_fixit_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.if serefpolicy-3.7.19/policy/modules/services/smartmon.if +--- nsaserefpolicy/policy/modules/services/smartmon.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/smartmon.if 2010-09-16 16:45:57.103387039 +0200 +@@ -15,6 +15,7 @@ + type fsdaemon_tmp_t; + ') + ++ files_search_tmp($1) + allow $1 fsdaemon_tmp_t:file read_file_perms; + ') + +@@ -41,7 +42,7 @@ + type fsdaemon_initrc_exec_t; + ') + +- allow $1 fsdaemon_t:process { ptrace signal_perms getattr }; ++ allow $1 fsdaemon_t:process { ptrace signal_perms }; + ps_process_pattern($1, fsdaemon_t) + + init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.7.19/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/smartmon.te 2010-05-28 09:42:00.186610872 +0200 
@@ -32768,6 +33332,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok logging_send_syslog_msg(smokeping_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.19/policy/modules/services/snmp.if +--- nsaserefpolicy/policy/modules/services/snmp.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/snmp.if 2010-09-16 16:46:09.199637062 +0200 +@@ -62,6 +62,7 @@ + type snmpd_var_lib_t; + ') + ++ files_search_var_lib($1) + allow $1 snmpd_var_lib_t:dir list_dir_perms; + read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) + read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) +@@ -83,7 +84,7 @@ + ') + dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; + dontaudit $1 snmpd_var_lib_t:file read_file_perms; +- dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read }; ++ dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -128,7 +129,7 @@ + type snmpd_initrc_exec_t; + ') + +- allow $1 snmpd_t:process { ptrace signal_perms getattr }; ++ allow $1 snmpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, snmpd_t) + + init_labeled_script_domtrans($1, snmpd_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.19/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-04-13 20:44:36.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/snmp.te 2010-05-28 09:42:00.187610526 +0200 
@@ -32788,6 +33381,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp auth_use_nsswitch(snmpd_t) auth_read_all_dirs_except_shadow(snmpd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.7.19/policy/modules/services/snort.if +--- nsaserefpolicy/policy/modules/services/snort.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/snort.if 2010-09-16 16:42:05.561636781 +0200 +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run snort. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`snort_domtrans',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.19/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2010-04-13 20:44:36.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/snort.te 2010-05-28 09:42:00.188610878 +0200 
@@ -32844,8 +33452,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.19/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.if 2010-05-28 09:42:00.189610812 +0200 -@@ -111,6 +111,45 @@ ++++ serefpolicy-3.7.19/policy/modules/services/spamassassin.if 2010-09-16 16:51:58.958637037 +0200 +@@ -14,6 +14,7 @@ + ## User domain for the role + ## + ## ++## + # + interface(`spamassassin_role',` + gen_require(` +@@ -25,9 +26,13 @@ + role $1 types { spamc_t spamassassin_t }; + + domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) ++ ++ allow $2 spamassassin_t:process { ptrace signal_perms }; + ps_process_pattern($2, spamassassin_t) + + domtrans_pattern($2, spamc_exec_t, spamc_t) ++ ++ allow $2 spamc_t:process { ptrace signal_perms }; + ps_process_pattern($2, spamc_t) + + manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) +@@ -111,6 +116,46 @@ ') domtrans_pattern($1, spamc_exec_t, spamc_t) @@ -32885,13 +33515,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + type spamc_home_t; + ') + ++ userdom_search_user_home_dirs($1) + manage_dirs_pattern($1, spamc_home_t, spamc_home_t) + manage_files_pattern($1, spamc_home_t, spamc_home_t) + manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t) ') ######################################## -@@ -166,7 +205,9 @@ +@@ -166,7 +211,9 @@ ') files_search_var_lib($1) 
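Review bot: The added `allow $2 spamassassin_t:process { ptrace signal_perms };` and its spamc_t counterpart let every process in the user domain attach to these helpers, not just signal them; for spamassassin that follows refpolicy's usual role pattern, but the same `signal` → `{ ptrace signal_perms }` change in the ssh.if role-template hunk below also covers `$1_ssh_agent_t`, whose memory holds the user's unlocked private keys and which was given its own domain precisely to keep other processes of the same user away from them. I would keep that one at `allow $3 $1_ssh_agent_t:process signal_perms;`, or record next to the rule why ptrace is required there, since the old `signal`-only grant looks deliberate. The spamassassin_role body continues outside this hunk.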
@@ -32901,10 +33532,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -225,3 +266,69 @@ +@@ -204,6 +251,7 @@ + type spamd_tmp_t; + ') - dontaudit $1 spamd_tmp_t:sock_file getattr; ++ files_search_tmp($1) + allow $1 spamd_tmp_t:file read_file_perms; ') + +@@ -223,5 +271,72 @@ + type spamd_tmp_t; + ') + +- dontaudit $1 spamd_tmp_t:sock_file getattr; ++ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms; ++') + +######################################## +## @@ -32918,9 +33560,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +# +interface(`spamd_stream_connect',` + gen_require(` -+ type spamd_t, spamd_var_run_t, spamd_spool_t; ++ type spamd_t, spamd_var_run_t; + ') + ++ files_search_pids($1) + stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) +') + @@ -32970,7 +33613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) -+') + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.19/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/spamassassin.te 2010-07-21 09:36:37.293135266 +0200 
@@ -33290,6 +33933,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +optional_policy(` udev_read_db(spamd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.7.19/policy/modules/services/squid.if +--- nsaserefpolicy/policy/modules/services/squid.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/squid.if 2010-09-16 16:33:25.875637032 +0200 +@@ -71,7 +71,7 @@ + type squid_t; + ') + +- allow $1 squid_t:unix_stream_socket { getattr read write }; ++ allow $1 squid_t:unix_stream_socket rw_socket_perms; + ') + + ######################################## +@@ -83,7 +83,6 @@ + ## Domain to not audit. + ## + ## +-## + # + interface(`squid_dontaudit_search_cache',` + gen_require(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.19/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/squid.te 2010-05-28 09:42:00.191611098 +0200 @@ -33367,7 +34030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-07-14 14:41:02.740409622 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2010-09-16 16:52:19.653637145 +0200 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -33423,7 +34086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. dev_read_urand($1_ssh_t) -@@ -181,9 +180,9 @@ +@@ -181,16 +180,16 @@ type $1_var_run_t; files_pid_file($1_var_run_t) 
@@ -33435,6 +34098,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; # ssh agent connections: + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:shm create_shm_perms; + +- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; ++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom }; + term_create_pty($1_t, $1_devpts_t) + + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) @@ -206,6 +205,7 @@ kernel_read_kernel_sysctls($1_t) @@ -33456,7 +34127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. fs_dontaudit_getattr_all_fs($1_t) -@@ -234,17 +239,19 @@ +@@ -234,17 +239,18 @@ corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) @@ -33472,12 +34143,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. - userdom_create_all_users_keys($1_t) userdom_dontaudit_relabelfrom_user_ptys($1_t) - userdom_search_user_home_dirs($1_t) +- userdom_search_user_home_dirs($1_t) + userdom_read_user_home_content_files($1_t) # Allow checking users mail at login mta_getattr_spool($1_t) -@@ -265,9 +272,16 @@ +@@ -265,9 +271,16 @@ optional_policy(` files_read_var_lib_symlinks($1_t) 
@@ -33495,6 +34166,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ######################################## +@@ -290,6 +303,7 @@ + ## User domain for the role + ## + ## ++## + # + template(`ssh_role_template',` + gen_require(` +@@ -327,7 +341,7 @@ + + # allow ps to show ssh + ps_process_pattern($3, ssh_t) +- allow $3 ssh_t:process signal; ++ allow $3 ssh_t:process { ptrace signal_perms }; + + # for rsync + allow ssh_t $3:unix_stream_socket rw_socket_perms; +@@ -359,7 +373,7 @@ + stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) + + # Allow the user shell to signal the ssh program. +- allow $3 $1_ssh_agent_t:process signal; ++ allow $3 $1_ssh_agent_t:process { ptrace signal_perms }; + + # allow ps to show ssh + ps_process_pattern($3, $1_ssh_agent_t) @@ -388,6 +402,7 @@ logging_send_syslog_msg($1_ssh_agent_t) 
@@ -33503,15 +34200,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. seutil_dontaudit_read_config($1_ssh_agent_t) -@@ -395,6 +410,7 @@ +@@ -395,10 +410,8 @@ userdom_use_user_terminals($1_ssh_agent_t) # for the transition back to normal privs upon exec + userdom_search_user_home_content($1_ssh_agent_t) userdom_user_home_domtrans($1_ssh_agent_t, $3) - allow $3 $1_ssh_agent_t:fd use; - allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; -@@ -582,6 +598,25 @@ +- allow $3 $1_ssh_agent_t:fd use; +- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; +- allow $3 $1_ssh_agent_t:process sigchld; + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_ssh_agent_t) +@@ -475,7 +488,7 @@ + type sshd_t; + ') + +- allow $1 sshd_t:fifo_file { getattr read }; ++ allow $1 sshd_t:fifo_file read_fifo_file_perms; + ') + ######################################## + ## +@@ -492,7 +505,7 @@ + type sshd_t; + ') + +- allow $1 sshd_t:fifo_file { write read getattr ioctl }; ++ allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## +@@ -582,6 +595,25 @@ domtrans_pattern($1, sshd_exec_t, sshd_t) ') @@ -33537,10 +34256,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ######################################## ## ## Execute the ssh client in the caller domain. -@@ -696,6 +731,50 @@ - dontaudit $1 sshd_key_t:file { getattr read }; +@@ -616,7 +648,7 @@ + type sshd_key_t; + ') + +- allow $1 sshd_key_t:file setattr; ++ allow $1 sshd_key_t:file setattr_file_perms; + files_search_pids($1) ') +@@ -693,7 +725,51 @@ + type sshd_key_t; + ') + +- dontaudit $1 sshd_key_t:file { getattr read }; ++ dontaudit $1 sshd_key_t:file read_file_perms; ++') ++ +###################################### +## +## Manage ssh home directory content 
@@ -33583,12 +34315,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + create_files_pattern($1, home_ssh_t, home_ssh_t) + userdom_user_home_dir_filetrans($1, home_ssh_t, { dir file }) + userdom_search_user_home_dirs($1) -+') -+ + ') + ####################################### - ## - ## Delete from the ssh temp files. -@@ -714,3 +793,67 @@ +@@ -714,3 +790,67 @@ files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') 
@@ -33805,6 +34535,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.19/policy/modules/services/sssd.if +--- nsaserefpolicy/policy/modules/services/sssd.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/sssd.if 2010-09-16 16:48:33.455636869 +0200 +@@ -89,6 +89,7 @@ + type sssd_var_run_t; + ') + ++ files_search_pids($1) + manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) + manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) + ') +@@ -128,7 +129,6 @@ + ') + + dontaudit $1 sssd_var_lib_t:dir search_dir_perms; +- files_search_var_lib($1) + ') + + ######################################## +@@ -225,11 +225,6 @@ + ## The role to be allowed to manage the sssd domain. + ## + ## +-## +-## +-## The type of the user terminal. +-## +-## + ## + # + interface(`sssd_admin',` +@@ -238,8 +233,8 @@ + type sssd_initrc_exec_t; + ') + +- allow $1 sssd_t:process { ptrace signal_perms getattr }; +- read_files_pattern($1, sssd_t, sssd_t) ++ allow $1 sssd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, sssd_t) + + # Allow sssd_t to restart the apache service + sssd_initrc_domtrans($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.19/policy/modules/services/sssd.te --- nsaserefpolicy/policy/modules/services/sssd.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/sssd.te 2010-08-18 13:10:17.920085544 +0200 
@@ -33861,7 +34633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.7.19/policy/modules/services/tftp.if --- nsaserefpolicy/policy/modules/services/tftp.if 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/tftp.if 2010-07-19 15:51:20.642151520 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/tftp.if 2010-09-16 16:46:36.105386681 +0200 @@ -16,6 +16,26 @@ ') @@ -33889,6 +34661,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp ') ######################################## +@@ -55,9 +75,10 @@ + type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; + ') + +- allow $1 tftpd_t:process { ptrace signal_perms getattr }; ++ allow $1 tftpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, tftpd_t) + ++ files_list_var_lib($1) + admin_pattern($1, tftpdir_rw_t) + + admin_pattern($1, tftpdir_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.19/policy/modules/services/tgtd.if --- nsaserefpolicy/policy/modules/services/tgtd.if 2010-04-13 20:44:36.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/tgtd.if 2010-09-15 15:55:31.098636967 +0200 
@@ -33945,6 +34729,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd +optional_policy(` + iscsi_manage_semaphores(tgtd_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.if serefpolicy-3.7.19/policy/modules/services/tor.if +--- nsaserefpolicy/policy/modules/services/tor.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/tor.if 2010-09-16 16:46:52.559636983 +0200 +@@ -42,7 +42,7 @@ + type tor_initrc_exec_t; + ') + +- allow $1 tor_t:process { ptrace signal_perms getattr }; ++ allow $1 tor_t:process { ptrace signal_perms }; + ps_process_pattern($1, tor_t) + + init_labeled_script_domtrans($1, tor_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.19/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/tor.te 2010-09-13 12:47:18.717085060 +0200 
@@ -34019,6 +34815,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune # to allow network interface tuning optional_policy(` sysnet_domtrans_ifconfig(tuned_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.if serefpolicy-3.7.19/policy/modules/services/ucspitcp.if +--- nsaserefpolicy/policy/modules/services/ucspitcp.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ucspitcp.if 2010-09-16 15:55:14.630636773 +0200 +@@ -31,8 +31,5 @@ + + role system_r types $1; + +- domain_auto_trans(ucspitcp_t, $2, $1) +- allow $1 ucspitcp_t:fd use; +- allow $1 ucspitcp_t:process sigchld; +- allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms; ++ domtrans_pattern(ucspitcp_t, $2, $1) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.19/policy/modules/services/ucspitcp.te --- nsaserefpolicy/policy/modules/services/ucspitcp.te 2010-04-13 20:44:36.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/ucspitcp.te 2010-05-28 09:42:00.197610559 +0200 @@ -34074,7 +34883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm +/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.7.19/policy/modules/services/uucp.if --- nsaserefpolicy/policy/modules/services/uucp.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/uucp.if 2010-09-01 12:03:39.662084414 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/uucp.if 2010-09-16 16:47:05.182637460 +0200 @@ -1,5 +1,24 @@ ## Unix to Unix Copy 
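Review bot: The new `domtrans_pattern(ucspitcp_t, $2, $1)` line in ucspitcp.if replaces four hand-written rules but only covers three of them — the pattern grants the fd use, fifo_file and sigchld rules, not the removed `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;`. tcpserver passes the accepted connection to the service on inherited descriptors, so unless that access is granted somewhere outside this hunk the service domain loses read/write on the connection socket and the failure would show up as an AVC denial on `ucspitcp_t:tcp_socket`. Keep the socket rule after the pattern call: `allow $1 ucspitcp_t:tcp_socket rw_stream_socket_perms;`. The interface's gen_require and opening are outside the hunk.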
@@ -34100,6 +34909,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp ######################################## ## ## Allow the specified domain to append +@@ -80,7 +99,7 @@ + type uucpd_var_run_t; + ') + +- allow $1 uucpd_t:process { ptrace signal_perms getattr }; ++ allow $1 uucpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, uucpd_t) + + logging_list_logs($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.19/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/uucp.te 2010-08-04 15:04:00.352085562 +0200 
@@ -34175,8 +34993,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos +/var/run/vhostmd\.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.19/policy/modules/services/vhostmd.if --- nsaserefpolicy/policy/modules/services/vhostmd.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/vhostmd.if 2010-07-21 09:59:21.999134987 +0200 -@@ -212,7 +212,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/vhostmd.if 2010-09-16 16:16:14.800637139 +0200 +@@ -51,8 +51,8 @@ + type vhostmd_tmpfs_t; + ') + ++ fs_search_tmpfs($1) + allow $1 vhostmd_tmpfs_t:file read_file_perms; +- files_search_tmp($1) + ') + + ######################################## +@@ -89,8 +89,8 @@ + type vhostmd_tmpfs_t; + ') + ++ fs_search_tmpfs($1) + rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) +- files_search_tmp($1) + ') + + ######################################## +@@ -108,8 +108,8 @@ + type vhostmd_tmpfs_t; + ') + ++ fs_search_tmpfs($1) + manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) +- files_search_tmp($1) + ') + + ######################################## +@@ -146,7 +146,8 @@ + type vhostmd_var_run_t; + ') + +- manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) ++ files_search_pids($1) ++ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) + ') + + ######################################## +@@ -212,7 +213,7 @@ allow $1 vhostmd_t:process { ptrace signal_perms getattr }; ps_process_pattern($1, vhostmd_t) 
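Review bot: In the last vhostmd.if hunk the admin interface still carries `allow $1 vhostmd_t:process { ptrace signal_perms getattr };` immediately above `ps_process_pattern($1, vhostmd_t)`, while the same pair in sssd.if, tftp.if, tor.if and uucp.if in this commit drops the explicit `getattr` because ps_process_pattern already grants it. For consistency this should become `allow $1 vhostmd_t:process { ptrace signal_perms };`. The rule is an unchanged context line here, so this is a follow-up rather than a defect introduced by the change; the enclosing interface starts and ends outside the hunk.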
@@ -34234,7 +35092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-08-30 20:21:58.039085207 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-09-16 16:52:58.485636847 +0200 @@ -21,6 +21,7 @@ type $1_t, virt_domain; domain_type($1_t) @@ -34247,12 +35105,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type $1_image_t, virt_image_type; files_type($1_image_t) dev_node($1_image_t) -- -- type $1_var_run_t; -- files_pid_file($1_var_run_t) + dev_associate_sysfs($1_image_t) - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; +- type $1_var_run_t; +- files_pid_file($1_var_run_t) +- +- allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; ++ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty($1_t, $1_devpts_t) manage_dirs_pattern($1_t, $1_image_t, $1_image_t) @@ -34333,7 +35192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -34394,7 +35253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -516,3 +561,49 @@ +@@ -516,3 +561,50 @@ virt_manage_log($1) ') @@ -34411,9 +35270,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +## +## +## -+## The role to be allowed the sandbox domain. ++## The role to be allowed the svirt domain. +## +## ++## +# +interface(`virt_transition_svirt',` + gen_require(` 
@@ -34446,7 +35306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-09-15 15:47:01.852387031 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-09-16 17:06:29.681386750 +0200 @@ -1,5 +1,5 @@ -policy_module(virt, 1.3.2) @@ -34607,22 +35467,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -205,9 +237,15 @@ +@@ -205,8 +237,14 @@ manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) +-allow virtd_t virt_image_type:file { relabelfrom relabelto }; +-allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) - allow virtd_t virt_image_type:file { relabelfrom relabelto }; - allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; - ++allow virtd_t virt_image_type:file relabel_file_perms; ++allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; ++ +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) +can_exec(virtd_t, virt_tmp_t) -+ + manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) - logging_log_filetrans(virtd_t, virt_log_t, { file dir }) @@ -225,6 +263,7 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) 
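Review bot: The rewrite of `{ relabelfrom relabelto }` to `relabel_file_perms` / `relabel_blk_file_perms` on virt_image_type is not a pure rename: in refpolicy's obj_perm_sets these sets are defined as `{ getattr relabelfrom relabelto }` (worth confirming against the tree this patch targets), so each substitution also grants getattr. For virtd_t that is already covered by the manage_*_pattern rules just above, but the same substitution is applied later in this diff in xserver.if (iceauth_home_t, xauth_home_t), authlogin.if (`allow $1 shadow_t:file relabel_file_perms;`), logging.if (logfile) and userdomain.if (user_home_t), and on shadow_t the added getattr is a small widening for every caller of that interface. If that widening is intended, a one-line comment on the shadow_t rule noting that the set includes getattr would spare the next reader a macro lookup; otherwise keep the explicit `{ relabelfrom relabelto }` there. The virtd_t rule block continues outside the hunk.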
@@ -34679,12 +35540,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt mcs_process_set_categories(virtd_t) -@@ -291,15 +351,24 @@ +@@ -290,16 +350,26 @@ + modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) - -+selinux_validate_context(virtd_t) ++logging_send_audit_msgs(virtd_t) + ++selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -34704,7 +35567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -370,6 +439,8 @@ +@@ -370,6 +440,8 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -34713,7 +35576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -407,6 +478,19 @@ +@@ -407,6 +479,19 @@ allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; @@ -34733,7 +35596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -427,6 +511,7 @@ +@@ -427,6 +512,7 @@ corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -34741,7 +35604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -434,10 +519,12 @@ +@@ -434,10 +520,12 @@ dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) 
@@ -34754,7 +35617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -445,6 +532,11 @@ +@@ -445,6 +533,11 @@ fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -34766,7 +35629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -462,8 +554,13 @@ +@@ -462,8 +555,13 @@ ') optional_policy(` @@ -34808,6 +35671,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. sysnet_dns_name_resolve(httpd_w3c_validator_script_t) + +apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.if serefpolicy-3.7.19/policy/modules/services/xfs.if +--- nsaserefpolicy/policy/modules/services/xfs.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xfs.if 2010-09-16 15:50:24.207636935 +0200 +@@ -1,4 +1,4 @@ +-## X Windows Font Server ++## X Windows Font Server + + ######################################## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.19/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/xserver.fc 2010-05-28 09:42:00.203610788 +0200 
@@ -34934,7 +35806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-06-03 10:20:29.487175768 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-09-16 16:53:59.645636878 +0200 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` 
@@ -34964,42 +35836,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_search_tmp($2) # Communicate via System V shared memory. -@@ -56,6 +58,10 @@ - - domtrans_pattern($2, iceauth_exec_t, iceauth_t) +@@ -70,17 +72,21 @@ -+ifdef(`hide_broken_symptoms', ` -+ dontaudit iceauth_t $2:socket_class_set { read write }; -+') -+ - allow $2 iceauth_home_t:file read_file_perms; - - domtrans_pattern($2, xauth_exec_t, xauth_t) -@@ -71,9 +77,13 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; +- allow $2 xdm_t:fifo_file { getattr read write ioctl }; - allow $2 xdm_tmp_t:dir search; +- allow $2 xdm_tmp_t:sock_file { read write }; ++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; + allow $2 xdm_tmp_t:dir search_dir_perms; - allow $2 xdm_tmp_t:sock_file { read write }; ++ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; dontaudit $2 xdm_t:tcp_socket { read write }; -+ dontaudit $2 xdm_tmp_t:dir setattr; ++ dontaudit $2 xdm_tmp_t:dir setattr_dir_perms; + + allow $2 xdm_t:dbus send_msg; + allow xdm_t $2:dbus send_msg; # Client read xserver shm allow $2 xserver_t:fd use; -@@ -89,14 +99,19 @@ + allow $2 xserver_tmpfs_t:file read_file_perms; + + # Read /tmp/.X0-lock +- allow $2 xserver_tmp_t:file { getattr read }; ++ allow $2 xserver_tmp_t:file read_inherited_file_perms; + + dev_rw_xserver_misc($2) + dev_rw_power_management($2) +@@ -89,14 +95,14 @@ dev_write_misc($2) # open office is looking for the following dev_getattr_agp_dev($2) - dev_dontaudit_rw_dri($2) -+ tunable_policy(`user_direct_dri',` -+ dev_rw_dri($2) -+ ',` -+ dev_dontaudit_rw_dri($2) -+ ') + # GNOME checks for usb and other devices: dev_rw_usbfs($2) 
@@ -35012,15 +35879,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -148,6 +163,7 @@ +@@ -107,13 +113,24 @@ + # Needed for escd, remove if we get escd policy + xserver_manage_xdm_tmp_files($2) + ++ ifdef(`hide_broken_symptoms',` ++ dontaudit iceauth_t $2:socket_class_set { read write }; ++ ') ++ + # Client write xserver shm + tunable_policy(`allow_write_xshm',` + allow $2 xserver_t:shm rw_shm_perms; + allow $2 xserver_tmpfs_t:file rw_file_perms; + ') ++ ++ tunable_policy(`user_direct_dri',` ++ dev_rw_dri($2) ++ ',` ++ dev_dontaudit_rw_dri($2) ++ ') + ') + ++ + ######################################## + ## + ## Rules required for using the X Windows server +@@ -143,11 +160,12 @@ + allow $2 xserver_tmpfs_t:file rw_file_perms; + + allow $2 iceauth_home_t:file manage_file_perms; +- allow $2 iceauth_home_t:file { relabelfrom relabelto }; ++ allow $2 iceauth_home_t:file relabel_file_perms; + allow $2 xauth_home_t:file manage_file_perms; - allow $2 xauth_home_t:file { relabelfrom relabelto }; +- allow $2 xauth_home_t:file { relabelfrom relabelto }; ++ allow $2 xauth_home_t:file relabel_file_perms; + mls_xwin_read_to_clearance($2) manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) -@@ -197,7 +213,7 @@ +@@ -197,7 +215,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock 
@@ -35029,7 +35928,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $1 xserver_t:fd use; -@@ -291,12 +307,12 @@ +@@ -227,7 +245,7 @@ + type xserver_t, xserver_tmpfs_t; + ') + +- xserver_ro_session($1,$2) ++ xserver_ro_session($1, $2) + allow $1 xserver_t:shm rw_shm_perms; + allow $1 xserver_tmpfs_t:file rw_file_perms; + ') +@@ -291,12 +309,12 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -35045,7 +35953,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -355,6 +371,12 @@ +@@ -310,7 +328,7 @@ + # for .xsession-errors + userdom_dontaudit_write_user_home_content_files($1) + +- xserver_ro_session($1,$2) ++ xserver_ro_session($1, $2) + xserver_use_user_fonts($1) + + xserver_read_xdm_tmp_files($1) +@@ -355,6 +373,12 @@ class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; @@ -35058,7 +35975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ############################## -@@ -386,6 +408,15 @@ +@@ -386,6 +410,15 @@ allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; 
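Review bot: The switch to `search_dir_perms`, `rw_inherited_fifo_file_perms` and `rw_inherited_sock_file_perms` on the xdm_t/xdm_tmp_t rules in the role interfaces of xserver.if is not carried over to the identical rules in the `@@ -291,12 +309,12 @@` hunk here, which still read `allow $1 xdm_tmp_t:dir search;` and `allow $1 xdm_tmp_t:sock_file { read write };` as raw permission sets. For consistency the three lines should use the same named sets as the other two sites, or carry a comment saying why this interface deliberately differs, so a later cleanup does not have to guess. These are unchanged context lines and the enclosing interface starts outside the hunk.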
@@ -35074,7 +35991,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ####################################### -@@ -476,6 +507,7 @@ +@@ -458,9 +491,9 @@ + + # for when /tmp/.X11-unix is created by the system + allow $2 xdm_t:fd use; +- allow $2 xdm_t:fifo_file { getattr read write ioctl }; ++ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; + allow $2 xdm_tmp_t:dir search_dir_perms; +- allow $2 xdm_tmp_t:sock_file { read write }; ++ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; + dontaudit $2 xdm_t:tcp_socket { read write }; + + # Allow connections to X server. +@@ -472,10 +505,11 @@ + # for .xsession-errors + userdom_dontaudit_write_user_home_content_files($2) + +- xserver_ro_session($2,$3) ++ xserver_ro_session($2, $3) xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) @@ -35082,7 +36016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X object manager xserver_object_types_template($1) -@@ -545,6 +577,27 @@ +@@ -545,6 +579,27 @@ ') domtrans_pattern($1, xauth_exec_t, xauth_t) @@ -35110,7 +36044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -598,6 +651,7 @@ +@@ -598,6 +653,7 @@ allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -35118,7 +36052,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -724,11 +778,12 @@ +@@ -615,7 +671,7 @@ + type xconsole_device_t; + ') + +- allow $1 xconsole_device_t:fifo_file setattr; ++ allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms; + ') + + ######################################## +@@ -724,11 +780,13 @@ # interface(`xserver_stream_connect_xdm',` gen_require(` 
@@ -35128,12 +36071,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - + files_search_tmp($1) ++ files_search_pids($1) stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) + stream_connect_pattern($1, xdm_var_run_t, xdm_var_run_t, xdm_t) ') ######################################## -@@ -805,7 +860,7 @@ +@@ -765,7 +823,7 @@ + type xdm_tmp_t; + ') + +- allow $1 xdm_tmp_t:dir setattr; ++ allow $1 xdm_tmp_t:dir setattr_dir_perms; + ') + + ######################################## +@@ -805,7 +863,7 @@ ') files_search_pids($1) @@ -35142,7 +36095,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -916,7 +971,7 @@ +@@ -897,7 +955,7 @@ + ') + + logging_search_logs($1) +- allow $1 xserver_log_t:file getattr; ++ allow $1 xserver_log_t:file getattr_file_perms; + ') + + ######################################## +@@ -916,7 +974,7 @@ type xserver_log_t; ') @@ -35151,7 +36113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -964,6 +1019,44 @@ +@@ -964,6 +1022,44 @@ ######################################## ## 
@@ -35196,7 +36158,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm temporary files. ## ## -@@ -1224,9 +1317,20 @@ +@@ -1052,7 +1148,7 @@ + type xdm_tmp_t; + ') + +- dontaudit $1 xdm_tmp_t:sock_file getattr; ++ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; + ') + + ######################################## +@@ -1210,7 +1306,7 @@ + ## + ## Interface to provide X object permissions on a given X server to + ## an X client domain. Gives the domain permission to read the +-## virtual core keyboard and virtual core pointer devices. ++## virtual core keyboard and virtual core pointer devices. + ## + ## + ## +@@ -1224,9 +1320,20 @@ class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; @@ -35217,7 +36197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1250,3 +1354,329 @@ +@@ -1250,3 +1357,330 @@ typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') @@ -35424,7 +36404,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +## Domain allowed access. +## +## -+## +# +interface(`xserver_rw_inherited_user_fonts',` + gen_require(` @@ -35490,6 +36469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +## The role to be allowed the xserver domain. +## +## ++## +# +interface(`xserver_run',` + gen_require(` @@ -35515,6 +36495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +## The role to be allowed the xserver domain. +## +## ++## +# +interface(`xserver_run_xauth',` + gen_require(` 
@@ -36461,6 +37442,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files(xdmhomewriter) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.19/policy/modules/services/zebra.if +--- nsaserefpolicy/policy/modules/services/zebra.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/zebra.if 2010-09-16 15:45:27.161386642 +0200 +@@ -38,8 +38,7 @@ + ') + + files_search_pids($1) +- allow $1 zebra_var_run_t:sock_file write; +- allow $1 zebra_t:unix_stream_socket connectto; ++ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t) + ') + + ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.7.19/policy/modules/services/zosremote.if +--- nsaserefpolicy/policy/modules/services/zosremote.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/zosremote.if 2010-09-16 15:54:12.998637035 +0200 +@@ -5,9 +5,9 @@ + ## Execute a domain transition to run audispd-zos-remote. + ## + ## +-## ++## + ## Domain allowed to transition. +-## ++## + ## + # + interface(`zosremote_domtrans',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.7.19/policy/modules/system/application.if --- nsaserefpolicy/policy/modules/system/application.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/application.if 2010-08-04 15:09:32.261085029 +0200 
@@ -36525,7 +37534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-05-28 09:42:00.210610461 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-09-16 15:42:52.233637126 +0200 @@ -41,7 +41,6 @@ ## # @@ -36625,6 +37634,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## +@@ -694,7 +734,7 @@ + ') + + files_search_etc($1) +- allow $1 shadow_t:file { relabelfrom relabelto }; ++ allow $1 shadow_t:file relabel_file_perms; + typeattribute $1 can_relabelto_shadow_passwords; + ') + @@ -1500,6 +1540,8 @@ # interface(`auth_use_nsswitch',` @@ -38682,7 +39700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.19/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/logging.if 2010-06-28 18:21:14.861150814 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/logging.if 2010-09-16 15:43:30.178636919 +0200 @@ -545,6 +545,25 @@ ######################################## 
@@ -38775,8 +39793,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) -+ allow $1 logfile:dir { relabelfrom relabelto }; -+ allow $1 logfile:file { relabelfrom relabelto }; ++ allow $1 logfile:dir relabel_dir_perms; ++ allow $1 logfile:file relabel_file_perms; init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) @@ -41333,8 +42351,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.f +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.19/policy/modules/system/udev.if --- nsaserefpolicy/policy/modules/system/udev.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/udev.if 2010-05-28 09:42:00.521610641 +0200 -@@ -196,6 +196,25 @@ ++++ serefpolicy-3.7.19/policy/modules/system/udev.if 2010-09-16 15:27:33.814637102 +0200 +@@ -88,8 +88,7 @@ + ') + + kernel_search_proc($1) +- allow $1 udev_t:file read_file_perms; +- allow $1 udev_t:lnk_file read_lnk_file_perms; ++ ps_process_pattern($1, udev_t) + ') + + ######################################## +@@ -196,6 +195,25 @@ ######################################## ## @@ -42185,7 +43213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-08-10 16:46:30.604085285 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-09-16 15:44:29.987386896 +0200 @@ -30,8 +30,9 @@ ') 
@@ -43445,7 +44473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + type user_home_t; + ') + -+ allow $1 user_home_t:file { relabelto relabelfrom }; ++ allow $1 user_home_t:file relabel_file_perms; +') + ######################################## @@ -44585,7 +45613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +dontaudit unpriv_userdomain self:dir setattr; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.19/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/xen.if 2010-05-28 09:42:00.530610879 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/xen.if 2010-09-16 14:34:16.094636765 +0200 @@ -213,8 +213,9 @@ interface(`xen_domtrans_xm',` gen_require(` @@ -44597,6 +45625,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if domtrans_pattern($1, xm_exec_t, xm_t) ') +@@ -230,7 +231,7 @@ + # + interface(`xen_stream_connect_xm',` + gen_require(` +- type xm_t; ++ type xm_t, xenstored_var_run_t; + ') + + files_search_pids($1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.19/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/xen.te 2010-07-23 14:36:40.882388397 +0200 diff --git a/selinux-policy.spec b/selinux-policy.spec index 6f9c7b1..d50c9b2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 58%{?dist} +Release: 59%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -469,6 +469,9 @@ exit 0
 %endif
 %changelog
+* Wed Sep 16 2010 Miroslav Grepl 3.7.19-59
+- Add cluster_var_lib_t type and label for /var/lib/cluster
+
 * Wed Sep 15 2010 Miroslav Grepl 3.7.19-58
 - Add labeling for /root/.debug
 - Remove permissive from cmirrord domain