From 1749ec9ed6fa780ba5d74e54bdf5cd1812c542d3 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 13 2008 19:31:43 +0000 Subject: - Allow openvpn to create /etc/openvpn/ipp.txt --- diff --git a/modules-mls.conf b/modules-mls.conf index 4496db9..e95086b 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1004,6 +1004,13 @@ logwatch = base setrans = base # Layer: services +# Module: setroubleshoot +# +# Policy for the SELinux troubleshooting utility +# +setroubleshoot = base + +# Layer: services # Module: openvpn # # Policy for OPENVPN full-featured SSL VPN solution diff --git a/policy-20071130.patch b/policy-20071130.patch index 6aed210..ffe6259 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -6974,7 +6974,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.t + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.3.1/policy/modules/apps/slocate.te --- nsaserefpolicy/policy/modules/apps/slocate.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/slocate.te 2008-11-03 16:14:47.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/slocate.te 2008-11-13 11:45:59.000000000 -0500 +@@ -22,7 +22,7 @@ + # + + allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; +-allow locate_t self:process { execmem execheap execstack }; ++allow locate_t self:process { execmem execheap execstack signal }; + allow locate_t self:fifo_file rw_fifo_file_perms; + allow locate_t self:unix_stream_socket create_socket_perms; + @@ -39,6 +39,7 @@ files_list_all(locate_t) 
@@ -7686,7 +7695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-11-03 16:02:14.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-11-13 14:23:30.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.2.15) @@ -7702,15 +7711,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict -@@ -82,6 +83,7 @@ +@@ -82,6 +83,8 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) network_port(comsat, udp,512,s0) +network_port(cyphesis, udp,32771,s0, tcp,6767,s0, tcp,6769,s0) ++portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dbskkd, tcp,1178,s0) -@@ -90,7 +92,9 @@ +@@ -90,7 +93,9 @@ network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) 
@@ -7720,7 +7730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ftp_data, tcp,20,s0) network_port(ftp, tcp,21,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -109,11 +113,14 @@ +@@ -109,11 +114,14 @@ network_port(ircd, tcp,6667,s0) network_port(isakmp, udp,500,s0) network_port(iscsi, tcp,3260,s0) @@ -7735,7 +7745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon -@@ -122,6 +129,8 @@ +@@ -122,6 +130,8 @@ network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) @@ -7744,9 +7754,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -133,10 +142,13 @@ +@@ -132,11 +142,20 @@ + network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) ++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0) ++network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0) ++network_port(pki_ospc, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0) ++network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0) ++network_port(pki_ra, tcp, 12888, s0, tcp, 12889, s0) ++network_port(pki_tps, tcp, 7888, s0, tcp, 7889, s0) network_port(postfix_policyd, tcp,10031,s0) +network_port(pulseaudio, tcp,4713,s0) +network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) 
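Review bot: The new port type is declared as `network_port(pki_ospc, ...)`, but the pki module added later in this same commit names the subsystem `pki_ocsp` (`pki_ocsp_exec_t` in pki.fc) and its template does `gen_require(type $1_port_t)`, so instantiating it for pki_ocsp will fail on an undeclared `pki_ocsp_port_t` while `pki_ospc_port_t` goes unused. Rename the line to `network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)`. A one-line comment above the six pki entries saying what each five-port group is for would also help, since the numbers are otherwise opaque to anyone maintaining corenetwork.te.in; I have not verified the port roles, so it should state only what the pki configuration documents.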
@@ -7758,7 +7775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -148,11 +160,11 @@ +@@ -148,11 +167,11 @@ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -7772,7 +7789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) network_port(spamd, tcp,783,s0) -@@ -165,12 +177,18 @@ +@@ -165,12 +184,18 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -8551,7 +8568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # /emul diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-11-03 16:02:14.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-11-10 12:25:31.000000000 -0500 @@ -110,6 +110,11 @@ ## # @@ -8564,6 +8581,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. files_type($1) ') +@@ -891,8 +896,8 @@ + relabel_lnk_files_pattern($1,{ file_type $2 },{ file_type $2 }) + relabel_fifo_files_pattern($1,{ file_type $2 },{ file_type $2 }) + relabel_sock_files_pattern($1,{ file_type $2 },{ file_type $2 }) +- relabelfrom_blk_files_pattern($1,{ file_type $2 },{ file_type $2 }) +- relabelfrom_chr_files_pattern($1,{ file_type $2 },{ file_type $2 }) ++ relabel_blk_files_pattern($1,{ file_type $2 },{ file_type $2 }) ++ relabel_chr_files_pattern($1,{ file_type $2 },{ file_type $2 }) + + # satisfy the assertions: + seutil_relabelto_bin_policy($1) 
@@ -1023,6 +1028,24 @@ ## ## @@ -10396,7 +10424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.3.1/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc 2008-11-03 16:02:14.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc 2008-11-05 13:22:49.000000000 -0500 @@ -13,6 +13,7 @@ /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -10405,7 +10433,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0) /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) -@@ -34,7 +35,7 @@ +@@ -26,6 +27,7 @@ + /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) + /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) ++/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) +@@ -34,7 +36,7 @@ /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) /dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) 
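Review bot: Replacing `relabelfrom_blk_files_pattern` / `relabelfrom_chr_files_pattern` with the `relabel_*` forms in the inner files.if hunk adds relabelto, so the caller can now assign any file_type label to block and character device nodes rather than only move them off one; that is a wider privilege than the lines it replaces and the hunk gives no reason for it. The enclosing interface starts and ends outside the hunk, so I cannot see which domains receive it. Put a why-comment above the two lines, e.g. `# relabelto on device nodes is required for a full restorecon of /dev; note this lets $1 give device nodes any file_type label`, and confirm the change still satisfies the neverallow assertions that the `# satisfy the assertions:` comment below refers to.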
@@ -10414,7 +10450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ifdef(`distro_redhat', ` /dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -48,6 +49,7 @@ +@@ -48,6 +50,7 @@ /dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -11356,7 +11392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-11-03 16:14:20.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-11-13 14:29:46.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # 
@@ -11617,14 +11653,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + filetrans_pattern(httpd_sys_script_t,httpd_sys_content_t,httpd_sys_content_rw_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) +') ++ ++tunable_policy(`allow_httpd_sys_script_anon_write',` ++ miscfiles_manage_public_files(httpd_sys_script_t) ++') - manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent) - manage_files_pattern(httpd_t,httpdcontent,httpdcontent) - manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent) -+tunable_policy(`allow_httpd_sys_script_anon_write',` -+ miscfiles_manage_public_files(httpd_sys_script_t) -+') -+ +tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` + domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) @@ -11638,13 +11674,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_ftp_server',` -@@ -399,11 +493,21 @@ +@@ -399,11 +493,28 @@ fs_read_nfs_symlinks(httpd_t) ') +tunable_policy(`httpd_use_nfs',` -+ fs_read_nfs_files(httpd_t) -+ fs_read_nfs_symlinks(httpd_t) ++ fs_manage_nfs_files(httpd_t) ++ fs_manage_nfs_symlinks(httpd_t) ++ fs_manage_nfs_symlinks(httpd_t) ++') ++ ++tunable_policy(`httpd_use_nfs',` ++ fs_manage_nfs_dirs(httpd_suexec_t) ++ fs_manage_nfs_files(httpd_suexec_t) ++ fs_manage_nfs_symlinks(httpd_suexec_t) +') + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` @@ -11660,7 +11703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -437,8 +541,13 @@ +@@ -437,8 +548,13 @@ ') optional_policy(` 
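Review bot: In the new `httpd_use_nfs` block for httpd_t, `fs_manage_nfs_symlinks(httpd_t)` is listed twice and there is no `fs_manage_nfs_dirs(httpd_t)`, while the parallel block added for httpd_suexec_t does grant dirs, so the duplicate almost certainly stands where the dirs line was meant to be. Beyond the typo, this turns `httpd_use_nfs` from read-only (the removed `fs_read_nfs_*` lines) into full manage of every NFS file httpd can reach, so administrators who enabled the boolean for read access now get write, create and delete as well; the boolean's description lives outside this hunk and should be updated to say so. Replace the three lines with `fs_manage_nfs_dirs(httpd_t)`, `fs_manage_nfs_files(httpd_t)`, `fs_manage_nfs_symlinks(httpd_t)` and add a comment recording the widening.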
@@ -11676,7 +11719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -450,19 +559,13 @@ +@@ -450,19 +566,13 @@ ') optional_policy(` @@ -11697,7 +11740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -472,13 +575,23 @@ +@@ -472,13 +582,23 @@ openca_kill(httpd_t) ') @@ -11725,7 +11768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -486,6 +599,7 @@ +@@ -486,6 +606,7 @@ ') optional_policy(` @@ -11733,7 +11776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -521,6 +635,22 @@ +@@ -521,6 +642,22 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -11756,7 +11799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -550,18 +680,26 @@ +@@ -550,18 +687,26 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -11786,7 +11829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -585,6 +723,8 @@ +@@ -585,6 +730,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -11795,7 +11838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -593,9 +733,7 @@ +@@ -593,9 +740,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) 
@@ -11806,7 +11849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -628,6 +766,7 @@ +@@ -628,6 +773,7 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -11814,7 +11857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -638,6 +777,12 @@ +@@ -638,6 +784,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -11827,7 +11870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +800,6 @@ +@@ -655,10 +807,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -11838,7 +11881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +809,8 @@ +@@ -668,7 +816,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -11848,7 +11891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +824,46 @@ +@@ -682,15 +831,48 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) 
@@ -11860,11 +11903,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +tunable_policy(`httpd_use_nfs', ` -+ fs_read_nfs_files(httpd_sys_script_t) -+ fs_read_nfs_symlinks(httpd_sys_script_t) ++ fs_manage_nfs_files(httpd_sys_script_t) ++ fs_manage_nfs_symlinks(httpd_sys_script_t) ++ fs_manage_nfs_symlinks(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` ++ fs_read_nfs_dirs(httpd_sys_script_t) fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -11896,7 +11941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -703,6 +876,10 @@ +@@ -703,6 +885,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -11907,7 +11952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +901,71 @@ +@@ -724,3 +910,71 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) 
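Review bot: The `httpd_use_nfs` block for httpd_sys_script_t has the same defect as the httpd_t block earlier in this patch: `fs_manage_nfs_symlinks(httpd_sys_script_t)` appears twice and `fs_manage_nfs_dirs` is missing. This is the domain CGI scripts run in, so moving it from the previous read-only access to manage on all NFS content behind one boolean deserves an explicit comment; the narrower `httpd_enable_homedirs && use_nfs_home_dirs` block below it stays read-only (and its new `fs_read_nfs_dirs` line looks correct). Suggested lines: `# httpd_use_nfs grants scripts write access, not just read`, `fs_manage_nfs_dirs(httpd_sys_script_t)`, `fs_manage_nfs_files(httpd_sys_script_t)`, `fs_manage_nfs_symlinks(httpd_sys_script_t)`.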
@@ -15376,10 +15421,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. +files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.3.1/policy/modules/services/cyphesis.fc --- nsaserefpolicy/policy/modules/services/cyphesis.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/cyphesis.fc 2008-11-03 16:14:20.000000000 -0500 -@@ -0,0 +1,2 @@ ++++ serefpolicy-3.3.1/policy/modules/services/cyphesis.fc 2008-11-04 09:01:22.000000000 -0500 +@@ -0,0 +1,6 @@ + +/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0) ++ ++/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0) ++ ++/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.if serefpolicy-3.3.1/policy/modules/services/cyphesis.if --- nsaserefpolicy/policy/modules/services/cyphesis.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/cyphesis.if 2008-11-03 16:14:20.000000000 -0500 @@ -18684,8 +18733,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.3.1/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/kerberos.fc 2008-11-03 16:14:20.000000000 -0500 -@@ -7,12 +7,21 @@ ++++ serefpolicy-3.3.1/policy/modules/services/kerberos.fc 2008-11-10 14:48:54.000000000 -0500 +@@ -7,12 +7,22 @@ /usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) /usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) 
@@ -18698,6 +18747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) +/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) @@ -18994,7 +19044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.3.1/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/kerberos.te 2008-11-03 16:14:20.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/kerberos.te 2008-11-10 14:43:51.000000000 -0500 @@ -16,6 +16,7 @@ type kadmind_t; type kadmind_exec_t; @@ -21902,8 +21952,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open kernel_read_kernel_sysctls(openct_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.3.1/policy/modules/services/openvpn.fc --- nsaserefpolicy/policy/modules/services/openvpn.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/openvpn.fc 2008-11-03 16:14:20.000000000 -0500 -@@ -11,5 +11,7 @@ ++++ serefpolicy-3.3.1/policy/modules/services/openvpn.fc 2008-11-13 11:40:23.000000000 -0500 +@@ -2,6 +2,7 @@ + # /etc + # + /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) ++/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) + + # + # /usr +@@ -11,5 +12,7 @@ # # /var # 
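Review bot: The new kerberos.fc line labels `/var/kerberos/krb5kdc/kadm5\.keytab` as `krb5_keytab_t`, the same type as the host keytab, which means every domain that is granted read on krb5_keytab_t elsewhere in the module (those interfaces are outside this hunk) can read the kadmin service keys stored there, not only kadmind. The neighbouring entries in this file keep KDC-specific labels (`krb5kdc_principal_t`, `krb5kdc_lock_t`), so this one file becomes the most widely readable object in the directory. If a kadmind-private type is too much for this fix, at least record the exposure above the line: `# kadm5.keytab holds the kadmin service keys; krb5_keytab_t is readable by every keytab consumer`.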
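Review bot: The added openvpn.fc entry `/etc/openvpn/ipp.txt` leaves the dot unescaped, so the pattern also matches names such as `ipp-txt`; the kerberos.fc entries in this same patch escape it (`principal\.ok`, `krb5kdc\.log`). Use `/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)`. If, as the commit subject suggests, this is the ifconfig-pool-persist file, note that only this one name gets the rw label from a relabel; a configuration that points the option at a different file under /etc/openvpn will have it labeled openvpn_etc_t by restorecon and will depend entirely on the filetrans added in openvpn.te for newly created files.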
@@ -22036,7 +22094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.3.1/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/openvpn.te 2008-11-03 16:14:20.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/openvpn.te 2008-11-13 11:41:08.000000000 -0500 @@ -8,7 +8,7 @@ ## @@ -22046,16 +22104,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open ##

##
gen_tunable(openvpn_enable_homedirs,false) -@@ -20,7 +20,7 @@ +@@ -20,7 +20,10 @@ # configuration files type openvpn_etc_t; -files_type(openvpn_etc_t) +files_config_file(openvpn_etc_t) ++ ++type openvpn_etc_rw_t; ++files_config_file(openvpn_etc_rw_t) # log files type openvpn_var_log_t; -@@ -30,12 +30,15 @@ +@@ -30,12 +33,15 @@ type openvpn_var_run_t; files_pid_file(openvpn_var_run_t) @@ -22072,15 +22133,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open allow openvpn_t self:process { signal getsched }; allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -47,6 +50,7 @@ - allow openvpn_t openvpn_etc_t:dir list_dir_perms; +@@ -44,9 +50,11 @@ + allow openvpn_t self:tcp_socket server_stream_socket_perms; + allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; + +-allow openvpn_t openvpn_etc_t:dir list_dir_perms; ++manage_files_pattern(openvpn_t,openvpn_etc_rw_t,openvpn_etc_rw_t) read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t) read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t) ++filetrans_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_rw_t, file) +can_exec(openvpn_t,openvpn_etc_t) allow openvpn_t openvpn_var_log_t:file manage_file_perms; logging_log_filetrans(openvpn_t,openvpn_var_log_t,file) -@@ -77,6 +81,7 @@ +@@ -77,6 +85,7 @@ corenet_sendrecv_openvpn_server_packets(openvpn_t) corenet_rw_tun_tap_dev(openvpn_t) corenet_tcp_connect_openvpn_port(openvpn_t) @@ -22088,7 +22154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open dev_search_sysfs(openvpn_t) dev_read_rand(openvpn_t) -@@ -110,3 +115,12 @@ +@@ -110,3 +119,12 @@ networkmanager_dbus_chat(openvpn_t) ') 
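Review bot: `filetrans_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_rw_t, file)` labels every file openvpn_t creates in an openvpn_etc_t directory as openvpn_etc_rw_t, not only ipp.txt, which is acceptable only as long as the rw type never becomes executable — `can_exec(openvpn_t,openvpn_etc_t)` on the next line stops at the read-only type, and that should be stated so nobody later widens it: `# openvpn_etc_rw_t is for files the daemon writes itself (ipp.txt); never add it to can_exec`. The hunk also removes `allow openvpn_t openvpn_etc_t:dir list_dir_perms;` rather than adding to it; the remaining `read_files_pattern` only grants search on openvpn_etc_t directories, so if the daemon needs to list /etc/openvpn this is a regression and the line should be restored unless the removal was deliberate.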
@@ -22161,6 +22227,818 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega rpm_exec(pegasus_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.fc serefpolicy-3.3.1/policy/modules/services/pki.fc +--- nsaserefpolicy/policy/modules/services/pki.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/pki.fc 2008-11-13 14:24:04.000000000 -0500 +@@ -0,0 +1,66 @@ ++ ++/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0) ++ ++/etc/init.d/pki-ca -- gen_context(system_u:object_r:pki_ca_script_exec_t,s0) ++ ++/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0) ++/etc/pki-ca/tomcat5.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0) ++ ++/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0) ++ ++/var/run/pki-ca.pid gen_context(system_u:object_r:pki_ca_var_run_t,s0) ++ ++/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0) ++ ++/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0) ++ ++/etc/init.d/pki-kra -- gen_context(system_u:object_r:pki_kra_script_exec_t,s0) ++ ++/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0) ++/etc/pki-kra/tomcat5.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0) ++ ++/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0) ++ ++/var/run/pki-kra.pid gen_context(system_u:object_r:pki_kra_var_run_t,s0) ++ ++/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0) ++ ++/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0) ++ ++/etc/init.d/pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0) ++ ++/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0) ++/etc/pki-ocsp/tomcat5.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0) ++ ++/var/lib/pki-ocsp(/.*)? 
gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0) ++ ++/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) ++ ++/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0) ++ ++/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) ++/etc/init.d/pki-ra -- gen_context(system_u:object_r:pki_ra_script_exec_t,s0) ++/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) ++/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) ++/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) ++ ++ ++/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0) ++ ++/etc/init.d/pki-tks -- gen_context(system_u:object_r:pki_tks_script_exec_t,s0) ++ ++/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0) ++/etc/pki-tks/tomcat5.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0) ++ ++/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0) ++ ++/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tks_var_run_t,s0) ++ ++/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0) ++ ++/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) ++/etc/init.d/pki-tps -- gen_context(system_u:object_r:pki_tps_script_exec_t,s0) ++/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) ++/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) ++/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0) ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.if serefpolicy-3.3.1/policy/modules/services/pki.if +--- nsaserefpolicy/policy/modules/services/pki.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/pki.if 2008-11-13 14:24:04.000000000 -0500 +@@ -0,0 +1,643 @@ ++ ++## policy for pki ++ ++######################################## ++## ++## Execute pki_ca server in the pki_ca domain. 
++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_ca_script_domtrans',` ++ gen_require(` ++ attribute pki_ca_script; ++ ') ++ ++ init_script_domtrans_spec($1,pki_ca_script) ++') ++ ++######################################## ++## ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving type names. ++## ++## ++# ++template(`pki_ca_template',` ++ gen_require(` ++ attribute pki_ca_process; ++ attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run; ++ attribute pki_ca_executable, pki_ca_script, pki_ca_var_log; ++ type pki_ca_tomcat_exec_t; ++ type $1_port_t; ++ ') ++ ######################################## ++ # ++ # Declarations ++ # ++ ++ type $1_t, pki_ca_process; ++ type $1_exec_t, pki_ca_executable; ++ domain_type($1_t) ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ type $1_script_exec_t, pki_ca_script; ++ init_script_file($1_script_exec_t) ++ ++ type $1_etc_rw_t, pki_ca_config; ++ files_type($1_etc_rw_t) ++ ++ type $1_var_run_t, pki_ca_var_run; ++ files_pid_file($1_var_run_t) ++ ++ type $1_var_lib_t, pki_ca_var_lib; ++ files_type($1_var_lib_t) ++ ++ type $1_log_t, pki_ca_var_log; ++ logging_log_file($1_log_t) ++ ++ ######################################## ++ # ++ # $1 local policy ++ # ++ ++ # Execstack/execmem caused by java app. ++ allow $1_t self:process { execstack execmem getsched setsched }; ++ ++ ## internal communication is often done using fifo and unix sockets. 
++ allow $1_t self:fifo_file rw_file_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_t self:tcp_socket create_stream_socket_perms; ++ allow $1_t self:process signull; ++ ++ allow $1_t $1_port_t:tcp_socket {name_bind name_connect}; ++ ++ corenet_all_recvfrom_unlabeled($1_t) ++ corenet_tcp_sendrecv_all_if($1_t) ++ corenet_tcp_sendrecv_all_nodes($1_t) ++ corenet_tcp_sendrecv_all_ports($1_t) ++ ++ corenet_tcp_bind_all_nodes($1_t) ++ corenet_tcp_bind_ocsp_port($1_t) ++ corenet_tcp_connect_ocsp_port($1_t) ++ ++ # This is for /etc/$1/tomcat.conf: ++ can_exec($1_t, pki_ca_tomcat_exec_t) ++ ++ # Init script handling ++ domain_use_interactive_fds($1_t) ++ ++ files_read_etc_files($1_t) ++ ++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) ++ ++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ files_pid_filetrans($1_t,$1_var_run_t, { file dir }) ++ ++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) ++ ++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) ++ manage_files_pattern($1_t, $1_log_t, $1_log_t) ++ logging_log_filetrans($1_t, $1_log_t, { file dir } ) ++ ++ corecmd_exec_bin($1_t) ++ corecmd_read_bin_symlinks($1_t) ++ corecmd_exec_shell($1_t) ++ ++ dev_list_sysfs($1_t) ++ dev_read_rand($1_t) ++ dev_read_urand($1_t) ++ ++ # Java is looking in /tmp for some reason...: ++ files_manage_generic_tmp_dirs($1_t) ++ files_manage_generic_tmp_files($1_t) ++ files_read_usr_files($1_t) ++ files_read_usr_symlinks($1_t) ++ # These are used to read tomcat class files in /var/lib/tomcat ++ files_read_var_lib_files($1_t) ++ files_read_var_lib_symlinks($1_t) ++ ++ kernel_read_network_state($1_t) ++ 
kernel_read_system_state($1_t) ++ kernel_search_network_state($1_t) ++ # audit2allow ++ kernel_signull_unlabeled($1_t) ++ ++ auth_use_nsswitch($1_t) ++ ++ init_dontaudit_write_utmp($1_t) ++ ++ libs_use_ld_so($1_t) ++ libs_use_shared_libs($1_t) ++ ++ miscfiles_read_localization($1_t) ++ ++ ifdef(`targeted_policy',` ++ term_dontaudit_use_unallocated_ttys($1_t) ++ term_dontaudit_use_generic_ptys($1_t) ++ ') ++ ++#This is broken in selinux-policy we need java_exec defined, Will add to policy ++ gen_require(` ++ type java_exec_t; ++ ') ++ can_exec($1_t, java_exec_t) ++ ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_ca environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`pki_ca_admin',` ++ gen_require(` ++ type pki_ca_tomcat_exec_t; ++ attribute pki_ca_process; ++ attribute pki_ca_config; ++ attribute pki_ca_executable; ++ attribute pki_ca_var_lib; ++ attribute pki_ca_var_log; ++ attribute pki_ca_var_run; ++ attribute pki_ca_pidfiles; ++ attribute pki_ca_script; ++ ') ++ ++ allow $1 pki_ca_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_ca_t) ++ ++ # Allow pki_ca_t to restart the service ++ pki_ca_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_ca_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_ca_config) ++ manage_all_pattern($1, pki_ca_var_run) ++ manage_all_pattern($1, pki_ca_var_lib) ++ manage_all_pattern($1, pki_ca_var_log) ++ manage_all_pattern($1, pki_ca_config) ++ manage_all_pattern($1, pki_ca_tomcat_exec_t) ++') ++ ++######################################## ++## ++## Execute pki_kra server in the pki_kra domain. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`pki_kra_script_domtrans',` ++ gen_require(` ++ attribute pki_kra_script; ++ ') ++ ++ init_script_domtrans_spec($1,pki_kra_script) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_kra environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`pki_kra_admin',` ++ gen_require(` ++ type pki_kra_tomcat_exec_t; ++ attribute pki_kra_process; ++ attribute pki_kra_config; ++ attribute pki_kra_executable; ++ attribute pki_kra_var_lib; ++ attribute pki_kra_var_log; ++ attribute pki_kra_var_run; ++ attribute pki_kra_pidfiles; ++ attribute pki_kra_script; ++ ') ++ ++ allow $1 pki_kra_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_kra_t) ++ ++ # Allow pki_kra_t to restart the service ++ pki_kra_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_kra_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_kra_config) ++ manage_all_pattern($1, pki_kra_var_run) ++ manage_all_pattern($1, pki_kra_var_lib) ++ manage_all_pattern($1, pki_kra_var_log) ++ manage_all_pattern($1, pki_kra_config) ++ manage_all_pattern($1, pki_kra_tomcat_exec_t) ++') ++ ++######################################## ++## ++## Execute pki_ocsp server in the pki_ocsp domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_ocsp_script_domtrans',` ++ gen_require(` ++ attribute pki_ocsp_script; ++ ') ++ ++ init_script_domtrans_spec($1,pki_ocsp_script) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_ocsp environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. 
++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`pki_ocsp_admin',` ++ gen_require(` ++ type pki_ocsp_tomcat_exec_t; ++ attribute pki_ocsp_process; ++ attribute pki_ocsp_config; ++ attribute pki_ocsp_executable; ++ attribute pki_ocsp_var_lib; ++ attribute pki_ocsp_var_log; ++ attribute pki_ocsp_var_run; ++ attribute pki_ocsp_pidfiles; ++ attribute pki_ocsp_script; ++ ') ++ ++ allow $1 pki_ocsp_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_ocsp_t) ++ ++ # Allow pki_ocsp_t to restart the service ++ pki_ocsp_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_ocsp_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_ocsp_config) ++ manage_all_pattern($1, pki_ocsp_var_run) ++ manage_all_pattern($1, pki_ocsp_var_lib) ++ manage_all_pattern($1, pki_ocsp_var_log) ++ manage_all_pattern($1, pki_ocsp_config) ++ manage_all_pattern($1, pki_ocsp_tomcat_exec_t) ++') ++ ++######################################## ++## ++## Execute pki_ra server in the pki_ra domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_ra_script_domtrans',` ++ gen_require(` ++ attribute pki_ra_script; ++ ') ++ ++ init_script_domtrans_spec($1,pki_ra_script) ++') ++ ++######################################## ++## ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving type names. 
++## ++## ++# ++template(`pki_ra_template',` ++ gen_require(` ++ attribute pki_ra_process; ++ attribute pki_ra_config, pki_ra_var_lib; ++ attribute pki_ra_executable, pki_ra_script, pki_ra_var_log; ++ ') ++ ######################################## ++ # ++ # Declarations ++ # ++ ++ type $1_t, pki_ra_process; ++ type $1_exec_t, pki_ra_executable; ++ domain_type($1_t) ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ type $1_script_exec_t, pki_ra_script; ++ init_script_file($1_script_exec_t) ++ ++ type $1_etc_rw_t, pki_ra_config; ++ files_type($1_etc_rw_t) ++ ++ type $1_var_lib_t, pki_ra_var_lib; ++ files_type($1_var_lib_t) ++ ++ type $1_log_t, pki_ra_var_log; ++ logging_log_file($1_log_t) ++ ++ ######################################## ++ # ++ # $1 local policy ++ # ++ ++ ## internal communication is often done using fifo and unix sockets. ++ allow $1_t self:fifo_file rw_file_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; ++ ++ # Init script handling ++ domain_use_interactive_fds($1_t) ++ ++ files_read_etc_files($1_t) ++ ++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) ++ ++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) ++ ++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) ++ manage_files_pattern($1_t, $1_log_t, $1_log_t) ++ logging_log_filetrans($1_t, $1_log_t, { file dir } ) ++ ++ init_dontaudit_write_utmp($1_t) ++ ++ libs_use_ld_so($1_t) ++ libs_use_shared_libs($1_t) ++ ++ miscfiles_read_localization($1_t) ++ ++ ifdef(`targeted_policy',` ++ term_dontaudit_use_unallocated_ttys($1_t) ++ term_dontaudit_use_generic_ptys($1_t) ++ ') ++ ++ gen_require(` ++ type httpd_t; ++ ') ++ ++ allow httpd_t pki_ra_etc_rw_t:file { read getattr }; ++ allow httpd_t 
pki_ra_log_t:file read; ++ allow httpd_t pki_ra_var_lib_t:lnk_file read; ++ ++ ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_ra environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`pki_ra_admin',` ++ gen_require(` ++ attribute pki_ra_process; ++ attribute pki_ra_config; ++ attribute pki_ra_executable; ++ attribute pki_ra_var_lib; ++ attribute pki_ra_var_log; ++ attribute pki_ra_script; ++ ') ++ ++ allow $1 pki_ra_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_ra_t) ++ ++ # Allow pki_ra_t to restart the service ++ pki_ra_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_ra_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_ra_config) ++ manage_all_pattern($1, pki_ra_var_lib) ++ manage_all_pattern($1, pki_ra_var_log) ++ manage_all_pattern($1, pki_ra_config) ++') ++ ++######################################## ++## ++## Execute pki_tks server in the pki_tks domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_tks_script_domtrans',` ++ gen_require(` ++ attribute pki_tks_script; ++ ') ++ ++ init_script_domtrans_spec($1,pki_tks_script) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_tks environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. 
++## ++## ++## ++# ++interface(`pki_tks_admin',` ++ gen_require(` ++ type pki_tks_tomcat_exec_t; ++ attribute pki_tks_process; ++ attribute pki_tks_config; ++ attribute pki_tks_executable; ++ attribute pki_tks_var_lib; ++ attribute pki_tks_var_log; ++ attribute pki_tks_var_run; ++ attribute pki_tks_pidfiles; ++ attribute pki_tks_script; ++ ') ++ ++ allow $1 pki_tks_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_tks_t) ++ ++ # Allow pki_tks_t to restart the service ++ pki_tks_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_tks_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_tks_config) ++ manage_all_pattern($1, pki_tks_var_run) ++ manage_all_pattern($1, pki_tks_var_lib) ++ manage_all_pattern($1, pki_tks_var_log) ++ manage_all_pattern($1, pki_tks_config) ++ manage_all_pattern($1, pki_tks_tomcat_exec_t) ++') ++ ++######################################## ++## ++## Execute pki_tps server in the pki_tps domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_tps_script_domtrans',` ++ gen_require(` ++ attribute pki_tps_script; ++ ') ++ ++ init_script_domtrans_spec($1,pki_tps_script) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_tps environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. 
++##
++##
++##
++#
++interface(`pki_tps_admin',`
++ gen_require(`
++ attribute pki_tps_process;
++ attribute pki_tps_config;
++ attribute pki_tps_executable;
++ attribute pki_tps_var_lib;
++ attribute pki_tps_var_log;
++ attribute pki_tps_script;
++ ')
++
++ allow $1 pki_tps_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_tps_t)
++
++ # Allow pki_tps_t to restart the service
++ pki_tps_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_tps_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_tps_config)
++ manage_all_pattern($1, pki_tps_var_lib)
++ manage_all_pattern($1, pki_tps_var_log)
++ manage_all_pattern($1, pki_tps_config)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.te serefpolicy-3.3.1/policy/modules/services/pki.te
+--- nsaserefpolicy/policy/modules/services/pki.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/pki.te 2008-11-13 14:24:04.000000000 -0500
+@@ -0,0 +1,91 @@
++policy_module(pki,1.0.0)
++
++attribute pki_ca_config;
++attribute pki_ca_executable;
++attribute pki_ca_var_lib;
++attribute pki_ca_var_log;
++attribute pki_ca_var_run;
++attribute pki_ca_pidfiles;
++attribute pki_ca_script;
++attribute pki_ca_process;
++
++type pki_ca_tomcat_exec_t;
++files_type(pki_ca_tomcat_exec_t)
++
++pki_ca_template(pki_ca)
++
++attribute pki_kra_config;
++attribute pki_kra_executable;
++attribute pki_kra_var_lib;
++attribute pki_kra_var_log;
++attribute pki_kra_var_run;
++attribute pki_kra_pidfiles;
++attribute pki_kra_script;
++attribute pki_kra_process;
++
++type pki_kra_tomcat_exec_t;
++files_type(pki_kra_tomcat_exec_t)
++
++pki_ca_template(pki_kra)
++
++
++attribute pki_ocsp_config;
++attribute pki_ocsp_executable;
++attribute pki_ocsp_var_lib;
++attribute pki_ocsp_var_log;
++attribute pki_ocsp_var_run;
++attribute pki_ocsp_pidfiles;
++attribute pki_ocsp_script;
++attribute pki_ocsp_process;
++
++type pki_ocsp_tomcat_exec_t;
++files_type(pki_ocsp_tomcat_exec_t)
++
++pki_ca_template(pki_ocsp)
++
++
++attribute pki_ra_config;
++attribute pki_ra_executable;
++attribute pki_ra_var_lib;
++attribute pki_ra_var_log;
++attribute pki_ra_var_run;
++attribute pki_ra_pidfiles;
++attribute pki_ra_script;
++attribute pki_ra_process;
++
++type pki_ra_tomcat_exec_t;
++files_type(pki_ra_tomcat_exec_t)
++
++pki_ra_template(pki_ra)
++
++
++attribute pki_tks_config;
++attribute pki_tks_executable;
++attribute pki_tks_var_lib;
++attribute pki_tks_var_log;
++attribute pki_tks_var_run;
++attribute pki_tks_pidfiles;
++attribute pki_tks_script;
++attribute pki_tks_process;
++
++type pki_tks_tomcat_exec_t;
++files_type(pki_tks_tomcat_exec_t)
++
++pki_ca_template(pki_tks)
++
++
++attribute pki_tps_config;
++attribute pki_tps_executable;
++attribute pki_tps_var_lib;
++attribute pki_tps_var_log;
++attribute pki_tps_var_run;
++attribute pki_tps_pidfiles;
++attribute pki_tps_script;
++attribute pki_tps_process;
++
++type pki_tps_tomcat_exec_t;
++files_type(pki_tps_tomcat_exec_t)
++
++pki_ra_template(pki_tps)
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/podsleuth.fc serefpolicy-3.3.1/policy/modules/services/podsleuth.fc
 --- nsaserefpolicy/policy/modules/services/podsleuth.fc 1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/podsleuth.fc 2008-11-03 16:14:20.000000000 -0500
@@ -22536,8 +23414,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-11-03 16:14:20.000000000 -0500 -@@ -0,0 +1,220 @@ ++++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-11-05 11:49:08.000000000 -0500 +@@ -0,0 +1,221 @@ +policy_module(polkit_auth,1.0.0) + +######################################## @@ -22693,6 +23571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +logging_send_syslog_msg(polkit_grant_t) + +polkit_domtrans_auth(polkit_grant_t) ++polkit_domtrans_resolve(polkit_grant_t) + +manage_files_pattern(polkit_grant_t,polkit_var_run_t,polkit_var_run_t) + @@ -26911,7 +27790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-11-03 16:14:20.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-11-05 12:58:33.000000000 -0500 @@ -17,6 +17,13 @@ ## @@ -27093,7 +27972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') optional_policy(` -@@ -363,6 +412,12 @@ +@@ -363,10 +412,18 @@ udev_read_db(smbd_t) ') 
@@ -27105,8 +27984,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) ++ auth_read_all_dirs_except_shadow(smbd_t) auth_read_all_files_except_shadow(smbd_t) -@@ -391,7 +446,7 @@ + fs_read_noxattr_fs_files(nmbd_t) ++ auth_read_all_dirs_except_shadow(nmbd_t) + auth_read_all_files_except_shadow(nmbd_t) + ') + +@@ -391,7 +448,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -27115,7 +28000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -403,8 +458,7 @@ +@@ -403,8 +460,7 @@ read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) @@ -27125,7 +28010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) -@@ -439,6 +493,7 @@ +@@ -439,6 +495,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -27133,7 +28018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -522,6 +577,7 @@ +@@ -522,6 +579,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) @@ -27141,7 +28026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_list_bin(smbmount_t) -@@ -533,41 +589,50 @@ +@@ -533,41 +591,50 @@ auth_use_nsswitch(smbmount_t) 
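Review bot: `auth_read_all_dirs_except_shadow(nmbd_t)` under the samba_export_all_ro tunable lets the NetBIOS name daemon list every directory on the system, although nmbd does not serve share contents — that is smbd's job. The new line sits next to the existing `auth_read_all_files_except_shadow(nmbd_t)`, so this may only be keeping the two daemons symmetric, but for a name-service daemon both grants look wider than the tunable's purpose. If an actual denial drove it, a comment above the nmbd_t lines such as `# nmbd: needed for <placeholder: denial or bug reference>` would let the next reviewer confirm that; otherwise the smbd_t line alone is the least-privilege change.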
@@ -27202,7 +28087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_var_run_t:file read; manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) -@@ -577,7 +642,9 @@ +@@ -577,7 +644,9 @@ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) @@ -27213,7 +28098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -602,10 +669,12 @@ +@@ -602,10 +671,12 @@ dev_read_urand(swat_t) @@ -27226,7 +28111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -614,6 +683,7 @@ +@@ -614,6 +685,7 @@ libs_use_shared_libs(swat_t) logging_send_syslog_msg(swat_t) @@ -27234,7 +28119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -631,6 +701,17 @@ +@@ -631,6 +703,17 @@ kerberos_use(swat_t) ') @@ -27252,7 +28137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # Winbind local policy -@@ -673,12 +754,15 @@ +@@ -673,12 +756,15 @@ manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t) manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t) @@ -27268,7 +28153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -764,8 +848,13 @@ +@@ -764,8 +850,13 @@ miscfiles_read_localization(winbind_helper_t) optional_policy(` @@ -27282,7 +28167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -774,19 +863,64 @@ +@@ -774,19 +865,64 @@ # optional_policy(` 
@@ -28182,7 +29067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.3.1/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/snmp.te 2008-11-03 16:14:20.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/snmp.te 2008-11-13 13:38:35.000000000 -0500 @@ -18,12 +18,16 @@ type snmpd_var_lib_t; files_type(snmpd_var_lib_t) @@ -28195,13 +29080,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp # Local policy # -allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config }; -+allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config sys_ptrace }; ++allow snmpd_t self:capability { dac_override ipc_lock kill net_admin sys_nice sys_tty_config sys_ptrace }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; +allow snmpd_t self:process { getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; allow snmpd_t self:unix_dgram_socket create_socket_perms; allow snmpd_t self:unix_stream_socket create_stream_socket_perms; -@@ -45,6 +49,7 @@ +@@ -45,10 +49,13 @@ kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) @@ -28209,7 +29094,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp kernel_read_net_sysctls(snmpd_t) kernel_read_proc_symlinks(snmpd_t) kernel_read_system_state(snmpd_t) -@@ -76,13 +81,14 @@ + kernel_read_network_state(snmpd_t) ++kernel_read_xen_state(snmpd_t) ++kernel_write_xen_state(snmpd_t) + + corecmd_exec_bin(snmpd_t) + corecmd_exec_shell(snmpd_t) +@@ -76,13 +83,14 @@ domain_use_interactive_fds(snmpd_t) domain_signull_all_domains(snmpd_t) domain_read_all_domains_state(snmpd_t) 
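Review bot: The `ipc_lock` capability added in `allow snmpd_t self:capability { dac_override ipc_lock kill net_admin sys_nice sys_tty_config sys_ptrace };` is not explained in the hunk, and the commit title only mentions openvpn. CAP_IPC_LOCK lets the daemon lock memory and bypass RLIMIT_MEMLOCK, and next to the existing sys_ptrace grant it makes snmpd_t a fairly privileged domain for a monitoring agent. Please record the trigger above the rule, e.g. `# ipc_lock: <placeholder: denial or bug reference>`, so the grant can be re-evaluated later.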
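Review bot: `kernel_write_xen_state(snmpd_t)` in the `@@ -28209,7 +29094,13 @@` hunk grants write access to the Xen state interface, which is more than an SNMP agent reporting hypervisor statistics would be expected to need; `kernel_read_xen_state(snmpd_t)` alone may suffice. The related `xen_stream_connect(snmpd_t)` and `xen_stream_connect_xenstore(snmpd_t)` rules in the `@@ -28244,6 +29135,19 @@` hunk on the next line are correctly wrapped in optional_policy, but nothing there calls for write on xen state either. If the write came from a single denial, confirm which operation requires it and either drop the rule or annotate it, e.g. `# write xen state: needed for <placeholder: operation or denial>`.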
@@ -28226,7 +29117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) -@@ -94,6 +100,8 @@ +@@ -94,6 +102,8 @@ init_read_utmp(snmpd_t) init_dontaudit_write_utmp(snmpd_t) @@ -28235,7 +29126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp libs_use_ld_so(snmpd_t) libs_use_shared_libs(snmpd_t) -@@ -120,7 +128,7 @@ +@@ -120,7 +130,7 @@ ') optional_policy(` @@ -28244,6 +29135,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp ') optional_policy(` +@@ -151,3 +161,12 @@ + optional_policy(` + udev_read_db(snmpd_t) + ') ++ ++optional_policy(` ++ virt_stream_connect(snmpd_t) ++') ++ ++optional_policy(` ++ xen_stream_connect(snmpd_t) ++ xen_stream_connect_xenstore(snmpd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.fc serefpolicy-3.3.1/policy/modules/services/snort.fc --- nsaserefpolicy/policy/modules/services/snort.fc 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/snort.fc 2008-11-03 16:14:20.000000000 -0500 
@@ -34194,6 +35098,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t zebra_read_config(initrc_t) ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.3.1/policy/modules/system/ipsec.fc +--- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-06-12 23:38:01.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/ipsec.fc 2008-11-05 10:39:34.000000000 -0500 +@@ -26,6 +26,7 @@ + /usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) + ++/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) + /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.3.1/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/ipsec.if 2008-11-03 16:14:39.000000000 -0500 @@ -34341,7 +35256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-11-03 16:14:39.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-11-05 11:29:06.000000000 -0500 @@ -69,8 +69,10 @@ ifdef(`distro_gentoo',` # despite the extensions, they are actually libs 
@@ -34434,7 +35349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) -@@ -304,3 +318,13 @@ +@@ -304,3 +318,16 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -34448,6 +35363,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.3.1/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/libraries.te 2008-11-03 16:14:39.000000000 -0500 @@ -34598,7 +35516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-11-03 16:14:39.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-11-07 08:14:42.000000000 -0500 
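Review bot: `/usr/lib(64)?/libav.*\.so(\..*)?` in the libraries.fc hunk matches every library whose name starts with libav, not only the ffmpeg libraries, so an unrelated library such as libavahi-client would also be labelled textrel_shlib_t and be allowed text relocations (execmod), weakening the W^X enforcement for it. If the intent is the ffmpeg family, anchor the name, e.g. `/usr/lib(64)?/libav(codec|format|util)[^/]*\.so(\..*)?`, and tighten the `/usr/lib/sse2/` line the same way.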
@@ -4,6 +4,8 @@ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) @@ -34618,7 +35536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ifdef(`distro_suse', ` /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') -@@ -45,10 +50,10 @@ +@@ -45,15 +50,21 @@ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) ') @@ -34633,8 +35551,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) -@@ -57,3 +62,8 @@ + /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) + /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) ++/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + @@ -38389,7 +39309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-11-03 16:14:39.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-11-03 17:15:11.000000000 -0500 @@ -29,9 +29,14 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 5165141..ba1b2c3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 107%{?dist} +Release: 109%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -382,6 +382,12 @@ exit 0 %endif %changelog +* Thu Nov 13 2008 Dan Walsh 3.3.1-109 +- Allow openvpn to create /etc/openvpn/ipp.txt + +* Tue Nov 5 2008 Dan Walsh 3.3.1-108 +- Add label to /dev/mspblk.* + * Mon Nov 3 2008 Dan Walsh 3.3.1-107 - Allow kismet to send signals to itself - Allow NetworkManager to transition to dnsmasq