From 189f19705e06ad20630cce3b9b701776a4b7f9ee Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jul 31 2007 19:49:42 +0000
Subject: - Fix prelink to handle execmod
- Allow mount_ntfs to search file_type:dir
---
diff --git a/policy-20070501.patch b/policy-20070501.patch
index c46978f..9015fec 100644
--- a/policy-20070501.patch
+++ b/policy-20070501.patch
@@ -585,7 +585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.6.4/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/prelink.te 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/prelink.te 2007-07-24 08:58:20.000000000 -0400
@@ -26,7 +26,7 @@
# Local policy
#
@@ -595,6 +595,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_fifo_file_perms;
+@@ -40,7 +40,7 @@
+ read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
+ logging_log_filetrans(prelink_t, prelink_log_t, file)
+
+-allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom };
++allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
+ files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
+ fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
+
@@ -49,8 +49,7 @@
allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
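Review bot: The `execmod` added to `allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };` has no comment explaining why prelink must map its temporary files with text relocations, and the commit subject only says it "handles" execmod. A why-comment above the rule citing the denial or bug that motivated it (`# execmod: <denial/bug reference>`) would stop a later cleanup from treating it as an accidental grant, since execmod on writable tmp files is exactly the kind of permission reviewers prune. The same applies to `libs_legacy_use_shared_libs(prelink_t)` in the next hunk.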
@@ -614,6 +623,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
fs_getattr_xattr_fs(prelink_t)
+@@ -81,6 +82,7 @@
+ libs_manage_lib_files(prelink_t)
+ libs_relabel_lib_files(prelink_t)
+ libs_delete_lib_symlinks(prelink_t)
++libs_legacy_use_shared_libs(prelink_t)
+
+ miscfiles_read_localization(prelink_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.6.4/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2007-05-07 14:51:05.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/admin/readahead.te 2007-07-13 13:11:46.000000000 -0400
@@ -659,7 +676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.6.4/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/rpm.if 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/rpm.if 2007-07-31 14:04:26.000000000 -0400
@@ -211,6 +211,24 @@
########################################
@@ -1422,7 +1439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
auth_search_pam_console_data($1_userhelper_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-07-31 13:44:59.000000000 -0400
@@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -1435,7 +1452,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
-@@ -248,6 +253,7 @@
+@@ -131,7 +136,8 @@
+ /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
+@@ -248,6 +254,7 @@
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
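Review bot: Relabeling `/usr/lib(64)?/cups/backend(/.*)?` as bin_t, together with the removal of the cupsd_exec_t entry for the same path in cups.fc later in this patch, changes who may run the backends: cupsd already executes cupsd_exec_t in its own domain via `can_exec(cupsd_t, cupsd_exec_t)`, but as bin_t the backends become executable by every domain that is granted the generic bin interfaces. That may be deliberate, yet nothing in the commit message says so; a short comment next to the new entry (`# cups backends are generic bin_t; see cups.fc`) would prevent the cupsd_exec_t label from being reintroduced. Note also that dropping the `--` qualifier on the filter entry labels the filter directory itself bin_t, which is consistent with `(/.*)?` but is a visible change.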
@@ -1443,7 +1470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -256,3 +262,13 @@
+@@ -256,3 +263,13 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -1537,16 +1564,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.6.4/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/devices.fc 2007-07-13 13:11:46.000000000 -0400
-@@ -19,6 +19,7 @@
++++ serefpolicy-2.6.4/policy/modules/kernel/devices.fc 2007-07-31 13:38:08.000000000 -0400
+@@ -19,6 +19,8 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
++/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
-@@ -52,7 +53,7 @@
+@@ -52,7 +54,7 @@
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
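Review bot: `/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)` is a very broad pattern — any character device whose name starts with a digit — and unlike the neighbouring `/dev/fw.*` entry nothing says which subsystem creates such nodes. A comment above the line naming the device family it targets (`# <subsystem> creates /dev/<digit>... nodes`) would let a reviewer check that no unrelated device can be swept into usb_device_t. If the intended nodes have a fixed shape, tightening the regex to that shape would be safer than the open `.*`.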
@@ -1555,7 +1583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -64,6 +65,7 @@
+@@ -64,6 +66,7 @@
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
@@ -1563,7 +1591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -81,6 +83,8 @@
+@@ -81,6 +84,8 @@
/dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
@@ -1824,7 +1852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.6.4/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-07-25 16:22:10.000000000 -0400
@@ -45,7 +45,6 @@
/etc -d gen_context(system_u:object_r:etc_t,s0)
/etc/.* gen_context(system_u:object_r:etc_t,s0)
@@ -1841,6 +1869,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -210,6 +210,7 @@
+ /usr/lost\+found/.* <>
+
+ /usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
++/usr/share/doc(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+ /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+ /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.6.4/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-07-13 13:11:46.000000000 -0400
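Review bot: `/usr/share/doc(/.*)? gen_context(system_u:object_r:usr_t,s0)` sits directly after the `/usr/share(/.*)?/lib(64)?(/.*)?` catch-all and would be redundant unless it is meant to override a more specific pattern elsewhere (documentation trees containing lib- or bin-named directories, say) — that pattern is not visible here. A comment above the entry (`# keep doc trees usr_t even where they contain lib/bin-named dirs`) would record the intent; otherwise the next cleanup may remove the line as a no-op.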
@@ -2083,7 +2119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# etc_runtime_t is the type of various
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.6.4/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.if 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.if 2007-07-30 10:20:41.000000000 -0400
@@ -1096,6 +1096,24 @@
########################################
@@ -2136,7 +2172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Mount a NFS filesystem.
##
##
-@@ -3420,3 +3458,22 @@
+@@ -3420,3 +3458,42 @@
relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
')
@@ -2159,6 +2195,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
+ allow $1 fusefs_t:filesystem mount;
+')
++
++########################################
++##
++## unmount a FUSE filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_unmount_fusefs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:filesystem unmount;
++')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-07-23 10:45:02.000000000 -0400
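Review bot: The new `fs_unmount_fusefs` summary reads `## unmount a FUSE filesystem.` while the surrounding interfaces capitalise theirs (`## Mount a NFS filesystem.` at the top of this hunk); change it to `## Unmount a FUSE filesystem.`. The two empty `++` lines after the closing `')` leave a double blank line before the next interface, where one blank line is the convention in this file. Otherwise the interface mirrors the mount one and looks right.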
@@ -2850,7 +2906,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-07-23 16:18:32.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-07-26 13:46:31.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(apache,1.6.0)
++policy_module(apache,1.7.0)
+
+ #
+ # NOTES:
@@ -30,6 +30,13 @@
##
@@ -2879,6 +2942,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
gen_tunable(httpd_can_network_connect,false)
##
+@@ -97,7 +111,7 @@
+ ## Allow http daemon to communicate with the TTY
+ ##
+ ##
+-gen_tunable(httpd_tty_comm,false)
++gen_tunable(httpd_tty_comm,true)
+
+ ##
+ ##
@@ -106,6 +120,27 @@
##
gen_tunable(httpd_unified,false)
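Review bot: `gen_tunable(httpd_tty_comm,true)` flips a boolean's default from deny to allow, and the commit message does not mention it. Later hunks in this file remove the targeted_policy block that merely dontaudited `term_dontaudit_use_unallocated_ttys`/`term_dontaudit_use_generic_ptys` for httpd_t and add `unconfined_use_terminals(httpd_t)` and `unconfined_use_terminals(httpd_helper_t)` under this tunable, so on a default install silenced denials become real access to an administrator's terminal. If the aim is only to keep logs quiet when httpd is started from a shell, keeping `false` and retaining the dontaudit rules is the smaller change. If allowing it by default is intended, the reasoning belongs in the commit message and in the tunable's description comment.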
@@ -2907,7 +2979,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
attribute httpdcontent;
# domains that can exec all users scripts
-@@ -215,7 +250,7 @@
+@@ -201,11 +236,6 @@
+ type squirrelmail_spool_t;
+ files_tmp_file(squirrelmail_spool_t)
+
+-ifdef(`targeted_policy',`
+- typealias httpd_sys_content_t alias httpd_user_content_t;
+- typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
+-')
+-
+ optional_policy(`
+ prelink_object_file(httpd_modules_t)
+ ')
+@@ -215,7 +245,7 @@
# Apache server local policy
#
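Review bot: Dropping `typealias httpd_sys_content_t alias httpd_user_content_t;` and `typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;` from the targeted_policy block changes labeling on existing targeted installs: content labeled httpd_user_content_t today stops being equivalent to httpd_sys_content_t after the update and takes whatever rules httpd_user_content_t has on its own (its declaration is not visible here). That is probably the intended strict/targeted unification, but it is user-visible and deserves a sentence in the commit message, ideally noting whether a relabel is expected.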
@@ -2916,7 +3000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -257,6 +292,7 @@
+@@ -257,6 +287,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -2924,15 +3008,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -297,6 +333,7 @@
+@@ -297,8 +328,10 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
- corenet_non_ipsec_sendrecv(httpd_t)
+-corenet_non_ipsec_sendrecv(httpd_t)
++corenet_all_recvfrom_unlabeled(httpd_t)
++corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_all_if(httpd_t)
-@@ -342,6 +379,9 @@
+ corenet_udp_sendrecv_all_if(httpd_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_t)
+@@ -342,6 +375,9 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -2942,18 +3030,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -362,6 +402,10 @@
+@@ -360,16 +396,12 @@
- mta_send_mail(httpd_t)
+ userdom_use_unpriv_users_fds(httpd_t)
+-mta_send_mail(httpd_t)
+-
+-ifdef(`targeted_policy',`
+- term_dontaudit_use_unallocated_ttys(httpd_t)
+- term_dontaudit_use_generic_ptys(httpd_t)
+- files_dontaudit_read_root_files(httpd_t)
+optional_policy(`
+ nscd_socket_use(httpd_t)
+')
-+
- ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys(httpd_t)
- term_dontaudit_use_generic_ptys(httpd_t)
-@@ -382,6 +426,7 @@
+
+- tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_generic_user_home_dirs(httpd_t)
+- ')
++tunable_policy(`httpd_enable_homedirs',`
++ userdom_search_generic_user_home_dirs(httpd_t)
+ ')
+
+ tunable_policy(`allow_httpd_anon_write',`
+@@ -382,6 +414,7 @@
#
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
@@ -2961,7 +3060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -389,6 +434,14 @@
+@@ -389,6 +422,16 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -2971,12 +3070,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ corenet_sendrecv_smtp_client_packets(httpd_t)
+ corenet_tcp_connect_pop_port(httpd_t)
+ corenet_sendrecv_pop_client_packets(httpd_t)
++ mta_send_mail(httpd_t)
++ mta_send_mail(httpd_sys_script_t)
+')
+
tunable_policy(`httpd_can_network_connect_db',`
# allow httpd to connect to mysql/posgresql
corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -416,6 +469,10 @@
+@@ -416,6 +459,10 @@
allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
')
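Review bot: `mta_send_mail(httpd_sys_script_t)` is added inside a tunable_policy block whose opening line lies outside this hunk, so the boolean gating it cannot be confirmed from here; if it is the same one that gates the `mta_send_mail(httpd_t)` line above, its description should say that CGI scripts may send mail too, because a script sending mail is a different risk from the daemon doing so. A comment next to the new line, `# CGI scripts get the same mail access as httpd_t under this boolean`, would make the pairing deliberate.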
@@ -2987,7 +3088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -433,11 +490,21 @@
+@@ -433,11 +480,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -3009,21 +3110,76 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -445,6 +512,13 @@
- allow httpd_sys_script_t httpd_t:process sigchld;
+@@ -459,10 +516,20 @@
')
+ optional_policy(`
++ tunable_policy(`httpd_tty_comm',`
++ unconfined_use_terminals(httpd_t)
++ ')
++')
++
+optional_policy(`
-+ dbus_system_bus_client_template(httpd,httpd_t)
-+ tunable_policy(`allow_httpd_dbus_avahi',`
-+ avahi_dbus_chat(httpd_t)
+ calamaris_read_www_files(httpd_t)
+ ')
+
+ optional_policy(`
++ cron_system_entry(httpd_t, httpd_exec_t)
++')
++
++optional_policy(`
+ daemontools_service_domain(httpd_t, httpd_exec_t)
+ ')
+
+@@ -537,10 +604,16 @@
+ tunable_policy(`httpd_tty_comm',`
+ # cjp: this is redundant:
+ term_use_controlling_term(httpd_helper_t)
+-
+ userdom_use_sysadm_terms(httpd_helper_t)
+ ')
+
++optional_policy(`
++ tunable_policy(`httpd_tty_comm',`
++ unconfined_use_terminals(httpd_helper_t)
+ ')
+')
+
- # When the admin starts the server, the server wants to access
- # the TTY or PTY associated with the session. The httpd appears
- # to run correctly without this permission, so the permission
-@@ -668,6 +742,12 @@
++
+ ########################################
+ #
+ # Apache PHP script local policy
+@@ -631,17 +704,16 @@
+
+ miscfiles_read_localization(httpd_suexec_t)
+
+-ifdef(`targeted_policy',`
+- tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_generic_user_home_dirs(httpd_suexec_t)
+- ')
++tunable_policy(`httpd_enable_homedirs',`
++ userdom_search_generic_user_home_dirs(httpd_suexec_t)
+ ')
+
+ tunable_policy(`httpd_can_network_connect',`
+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+- corenet_non_ipsec_sendrecv(httpd_suexec_t)
++ corenet_all_recvfrom_unlabeled(httpd_suexec_t)
++ corenet_all_recvfrom_netlabel(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_if(httpd_suexec_t)
+ corenet_udp_sendrecv_all_if(httpd_suexec_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
+@@ -650,7 +722,6 @@
+ corenet_udp_sendrecv_all_ports(httpd_suexec_t)
+ corenet_tcp_connect_all_ports(httpd_suexec_t)
+ corenet_sendrecv_all_client_packets(httpd_suexec_t)
+-
+ sysnet_read_config(httpd_suexec_t)
+ ')
+
+@@ -668,6 +739,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -3036,7 +3192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -706,7 +786,8 @@
+@@ -706,7 +783,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -3046,7 +3202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -720,6 +801,8 @@
+@@ -720,21 +798,66 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -3055,20 +3211,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file { getattr append };
')
-@@ -730,11 +813,21 @@
- ')
+
+-ifdef(`targeted_policy',`
+- tunable_policy(`httpd_enable_homedirs',`
+- userdom_search_generic_user_home_dirs(httpd_sys_script_t)
+- ')
++tunable_policy(`httpd_enable_homedirs',`
++ userdom_search_generic_user_home_dirs(httpd_sys_script_t)
')
+-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
-+ fs_read_nfs_files(httpd_sys_script_t)
-+ fs_read_nfs_symlinks(httpd_sys_script_t)
-+')
-+
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
++ fs_read_nfs_files(httpd_sys_script_t)
++ fs_read_nfs_symlinks(httpd_sys_script_t)
++')
++
++tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
++ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
++ allow httpd_sys_script_t self:udp_socket create_socket_perms;
++
++ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
++ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
++ corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
++ corenet_udp_sendrecv_all_if(httpd_sys_script_t)
++ corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
++ corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
++ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
++ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
++ corenet_tcp_connect_postgresql_port(httpd_sys_script_t)
++ corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
++ corenet_sendrecv_postgresql_client_packets(httpd_sys_script_t)
++ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
++')
++
++tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
++ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
++ allow httpd_sys_script_t self:udp_socket create_socket_perms;
++
++ corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
++ corenet_all_recvfrom_netlabel(httpd_sys_script_t)
++ corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
++ corenet_udp_sendrecv_all_if(httpd_sys_script_t)
++ corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
++ corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
++ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
++ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
++ corenet_tcp_connect_all_ports(httpd_sys_script_t)
++ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
++')
++
++
+tunable_policy(`httpd_use_cifs', `
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
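Review bot: The two new `tunable_policy(` blocks keyed on `httpd_enable_cgi && httpd_can_network_connect_db` and `httpd_enable_cgi && httpd_can_network_connect` give httpd_sys_script_t all-interface, all-port send/receive plus `corenet_tcp_connect_all_ports`, so turning on `httpd_can_network_connect` now lets every CGI script open arbitrary outbound connections; the boolean's description, earlier in this file and outside the hunk, should state that. The two blocks repeat the same socket and corenet lines; refpolicy style accepts that, but a one-line comment above each (`# CGI scripts: same network scope as httpd_t when the boolean is on`) would show the duplication is intentional. The two empty `++` lines after the second block should be collapsed to one blank line.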
@@ -3077,11 +3274,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -788,3 +881,19 @@
- term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
- term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
+@@ -754,14 +877,12 @@
+ # Apache unconfined script local policy
+ #
+
+-unconfined_domain(httpd_unconfined_script_t)
+-
+ optional_policy(`
+- cron_system_entry(httpd_t, httpd_exec_t)
++ nscd_socket_use(httpd_unconfined_script_t)
')
-+
+
+ optional_policy(`
+- nscd_socket_use(httpd_unconfined_script_t)
++ unconfined_domain(httpd_unconfined_script_t)
+ ')
+
+ ########################################
+@@ -784,7 +905,25 @@
+
+ miscfiles_read_localization(httpd_rotatelogs_t)
+
+-ifdef(`targeted_policy',`
+- term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
+- term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
+allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
@@ -3097,11 +3313,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
+
++
++optional_policy(`
++ dbus_system_bus_client_template(httpd,httpd_t)
++ tunable_policy(`allow_httpd_dbus_avahi',`
++ avahi_dbus_chat(httpd_t)
++ ')
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-2.6.4/policy/modules/services/apcupsd.fc
--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apcupsd.fc 2007-07-13 13:11:46.000000000 -0400
-@@ -3,3 +3,8 @@
++++ serefpolicy-2.6.4/policy/modules/services/apcupsd.fc 2007-07-30 11:42:49.000000000 -0400
+@@ -1,5 +1,11 @@
+ /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
++/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
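Review bot: The targeted_policy block that dontaudited `term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)` and `term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)` is removed earlier in this hunk and nothing here replaces it, whereas httpd_t and httpd_helper_t gain `unconfined_use_terminals` under `httpd_tty_comm` elsewhere in this patch; if rotatelogs is started from an administrator's shell those denials will now be logged. Either keep the two dontaudit lines unconditionally or gate rotatelogs on the same tunable. Moving `unconfined_domain(httpd_unconfined_script_t)` into `optional_policy(` is correct only if the unconfined module can be absent; a comment saying so (`# unconfined module may not be loaded`) would stop someone unwrapping it, and the double blank line introduced before the relocated dbus block (`+` followed by `++`) should be reduced to one.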
@@ -3140,7 +3366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-2.6.4/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te 2007-07-30 11:42:24.000000000 -0400
@@ -16,6 +16,9 @@
type apcupsd_log_t;
logging_log_file(apcupsd_log_t)
@@ -3186,20 +3412,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
dev_rw_generic_usb_dev(apcupsd_t)
-@@ -54,6 +66,12 @@
+@@ -53,6 +65,15 @@
+
files_read_etc_files(apcupsd_t)
files_search_locks(apcupsd_t)
-
++# Creates /etc/nologin
++files_manage_etc_runtime_files(apcupsd_t)
++files_etc_filetrans_etc_runtime(apcuspd_t,file)
++
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
+
+kernel_read_system_state(apcupsd_t)
-+
+
libs_use_ld_so(apcupsd_t)
libs_use_shared_libs(apcupsd_t)
-
-@@ -61,7 +79,39 @@
+@@ -61,7 +82,39 @@
miscfiles_read_localization(apcupsd_t)
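Review bot: `files_etc_filetrans_etc_runtime(apcuspd_t,file)` misspells the domain — `apcuspd_t` instead of `apcupsd_t` — so the module will fail to build for lack of that type, or if it somehow builds the transition never applies and the `/etc/nologin` the comment mentions would be created as plain etc_t; the line should read `files_etc_filetrans_etc_runtime(apcupsd_t,file)`. Separately, `files_manage_etc_runtime_files(apcupsd_t)` grants create, write and delete on every etc_runtime_t file, not only `/etc/nologin`; if no narrower interface exists, the `# Creates /etc/nologin` comment should say that manage access to all of etc_runtime_t is the accepted cost.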
@@ -3843,7 +4072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.6.4/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-07-31 13:45:11.000000000 -0400
@@ -8,6 +8,7 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -3852,15 +4081,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+@@ -17,7 +18,7 @@
+
+ /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/lib(64)?/cups/daemon -d gen_context(system_u:object_r:cupsd_exec_t,s0)
+ /usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+ /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+
@@ -52,3 +53,5 @@
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
-+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-+
++/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:cupsd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-07-19 10:33:19.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-07-31 12:58:13.000000000 -0400
@@ -93,8 +93,6 @@
# generic socket here until appletalk socket is available in kernels
allow cupsd_t self:socket create_socket_perms;
@@ -3870,6 +4108,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_t cupsd_etc_t:{ dir file } setattr;
read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
+@@ -107,7 +105,7 @@
+
+ # allow cups to execute its backend scripts
+ can_exec(cupsd_t, cupsd_exec_t)
+-allow cupsd_t cupsd_exec_t:dir search;
++allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+ allow cupsd_t cupsd_exec_t:lnk_file read;
+
+ manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
@@ -151,14 +149,16 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
@@ -6488,8 +6735,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_search_auto_mountpoints($1_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-07-16 16:14:39.000000000 -0400
-@@ -59,6 +59,8 @@
++++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-07-31 14:16:39.000000000 -0400
+@@ -59,10 +59,13 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -6498,7 +6745,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
kernel_read_system_state(rpcd_t)
kernel_search_network_state(rpcd_t)
# for rpc.rquotad
-@@ -79,6 +81,7 @@
+ kernel_read_sysctl(rpcd_t)
++kernel_getattr_core_if(nfsd_t)
+
+ fs_list_rpc(rpcd_t)
+ fs_read_rpc_files(rpcd_t)
+@@ -79,6 +82,7 @@
optional_policy(`
nis_read_ypserv_config(rpcd_t)
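Review bot: `kernel_getattr_core_if(nfsd_t)` is inserted between `kernel_read_sysctl(rpcd_t)` and `fs_list_rpc(rpcd_t)`, i.e. in the rpcd_t section, while a later hunk in this file adds `kernel_dontaudit_getattr_core_if(nfsd_t)` in the nfsd_t section. Allowing and dontauditing the same permission for the same domain cannot both be meant: with the allow in place the dontaudit is dead, and if the denial was only noise the allow widens nfsd_t for nothing. Most likely this line was meant to be `kernel_getattr_core_if(rpcd_t)`, or should be dropped in favour of the dontaudit; either way only one rule per domain should remain.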
@@ -6506,7 +6758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
########################################
-@@ -91,6 +94,9 @@
+@@ -91,9 +95,13 @@
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -6516,7 +6768,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
-@@ -123,6 +129,7 @@
++kernel_dontaudit_getattr_core_if(nfsd_t)
+
+ corenet_tcp_bind_all_rpc_ports(nfsd_t)
+ corenet_udp_bind_all_rpc_ports(nfsd_t)
+@@ -123,6 +131,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
@@ -7621,7 +7877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.6.4/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/xserver.te 2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/xserver.te 2007-07-31 10:08:59.000000000 -0400
@@ -448,6 +448,10 @@
rhgb_rw_tmpfs_files(xdm_xserver_t)
')
@@ -8190,7 +8446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-2.6.4/policy/modules/system/brctl.te
--- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-07-19 09:02:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-07-30 11:23:46.000000000 -0400
@@ -0,0 +1,50 @@
+policy_module(brctl,1.0.0)
+
@@ -8214,7 +8470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
+allow brctl_t self:tcp_socket create_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+
-+dev_search_sysfs(brctl_t)
++dev_rw_sysfs(brctl_t)
+
+# Init script handling
+domain_use_interactive_fds(brctl_t)
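Review bot: `dev_rw_sysfs(brctl_t)` replaces `dev_search_sysfs(brctl_t)`, moving a bridge-configuration tool from directory search to read/write access over all of sysfs. If brctl only needs to write the bridge attributes of its own interfaces, that should be recorded next to the rule (`# brctl writes bridge parameters through sysfs`) so a later reviewer can judge whether a dedicated type for those attributes is worth adding. As written the grant reads like a quick answer to a denial rather than a considered scope.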
@@ -8307,7 +8563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.6.4/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-07-14 08:55:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-07-25 10:26:51.000000000 -0400
@@ -9,6 +9,7 @@
type fsadm_t;
type fsadm_exec_t;
@@ -8316,15 +8572,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
role system_r types fsadm_t;
type fsadm_log_t;
-@@ -184,3 +185,8 @@
+@@ -184,3 +185,9 @@
fs_dontaudit_write_ramfs_pipes(fsadm_t)
rhgb_stub(fsadm_t)
')
+
+optional_policy(`
+ xen_append_log(fsadm_t)
-+ xen_rw_image_files(udev_t)
++ xen_rw_image_files(fsadm_t)
+')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-2.6.4/policy/modules/system/fusermount.fc
--- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/system/fusermount.fc 2007-07-13 13:11:47.000000000 -0400
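Review bot: The corrected line `xen_rw_image_files(fsadm_t)` now targets the domain this module actually declares, but the new optional_policy block still carries no explanation of why a filesystem tool needs read/write access to Xen image files; a comment such as `# fsck/mkfs on xen guest disk images` above the block would document the intent (inferred from the interface names, to be confirmed). The second addition, the trailing `++` line that turns the inner hunk from 8 into 9 lines, only appends an empty line at the end of fstools.te and could be dropped to keep the patch minimal.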
@@ -9083,7 +9340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.6.4/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/logging.te 2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/logging.te 2007-07-26 14:57:05.000000000 -0400
@@ -7,10 +7,15 @@
#
@@ -9110,7 +9367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t)
-@@ -59,14 +67,17 @@
+@@ -59,13 +67,18 @@
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
')
@@ -9122,16 +9379,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+
########################################
#
- # Auditd local policy
+-# Auditd local policy
++# Auditctl local policy
#
-allow auditctl_t self:capability { audit_write audit_control };
-allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
--
++allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+
read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
-
-@@ -91,6 +102,7 @@
+@@ -91,6 +104,7 @@
locallogin_dontaudit_use_fds(auditctl_t)
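Review bot: The new line `allow auditctl_t self:capability { fsetid dac_read_search dac_override };` grants dac_override, which already subsumes dac_read_search for reading and searching, and fsetid, which is only meaningful when auditctl writes files whose setuid/setgid bits must survive; neither need is visible in this hunk, whose other rules only read auditd_etc_t. If the goal is reading root-owned rule files, `allow auditctl_t self:capability dac_read_search;` is the least-privilege form, and a comment naming the file or operation that triggered the denial would justify anything broader. The auditctl_t section continues outside this hunk, so a later rule may explain fsetid; worth confirming before merging.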
@@ -9139,7 +9397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(auditctl_t)
ifdef(`targeted_policy',`
-@@ -103,12 +115,11 @@
+@@ -103,12 +117,11 @@
# Auditd local policy
#
@@ -9153,7 +9411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
allow auditd_t self:fifo_file rw_file_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -146,6 +157,7 @@
+@@ -146,6 +159,7 @@
init_telinit(auditd_t)
@@ -9161,7 +9419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t)
-@@ -265,8 +277,14 @@
+@@ -265,8 +279,14 @@
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
files_pid_filetrans(syslogd_t,devlog_t,sock_file)
@@ -9176,7 +9434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -331,6 +349,7 @@
+@@ -331,6 +351,7 @@
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -9386,7 +9644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-07-31 13:48:21.000000000 -0400
@@ -9,6 +9,13 @@
ifdef(`targeted_policy',`
##
@@ -9459,7 +9717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
')
-@@ -204,4 +225,58 @@
+@@ -204,4 +225,65 @@
ifdef(`targeted_policy',`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -9473,7 +9731,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+#
+# mount_ntfs local policy
+#
-+allow mount_ntfs_t self:capability { setuid sys_admin };
++mount_ntfs_domtrans(mount_t)
++
++allow mount_ntfs_t self:capability { dac_override setuid sys_admin };
+allow mount_ntfs_t self:fifo_file { read write };
+allow mount_ntfs_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_ntfs_t self:unix_dgram_socket { connect create };
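Review bot: The capability line now reads `allow mount_ntfs_t self:capability { dac_override setuid sys_admin };`, and dac_override lets the domain bypass all discretionary permission checks, while the stated aim of the commit, letting mount_ntfs search file_type directories, is handled by the `files_search_all(mount_ntfs_t)` added in the next hunk. If the remaining DAC denials were only on directory search or file read, dac_read_search is the narrower capability; if write access past DAC is really required, a comment above the line stating which path needs it would make the grant auditable. The mount_ntfs_t block continues past this hunk.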
@@ -9482,6 +9742,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+corecmd_exec_shell(mount_ntfs_t)
+
+files_read_etc_files(mount_ntfs_t)
++files_search_all(mount_ntfs_t)
++files_mounton_non_security_dir(mount_ntfs_t)
++
++fs_mount_fusefs(mount_ntfs_t)
++fs_unmount_fusefs(mount_ntfs_t)
+
+libs_use_ld_so(mount_ntfs_t)
+libs_use_shared_libs(mount_ntfs_t)
@@ -9499,7 +9764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+
+modutils_domtrans_insmod(mount_ntfs_t)
+
-+mount_ntfs_domtrans(mount_t)
++mount_domtrans(mount_ntfs_t)
+
+storage_raw_read_fixed_disk(mount_ntfs_t)
+storage_raw_write_fixed_disk(mount_ntfs_t)
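Review bot: With `mount_domtrans(mount_ntfs_t)` here and `mount_ntfs_domtrans(mount_t)` moved to the top of the mount_ntfs_t block, the two domains now transition into each other, which only makes sense if the ntfs helper re-executes mount and mount in turn re-executes the helper; the hunk gives no hint of that sequence. A comment such as `# mount.ntfs re-invokes /bin/mount for the fuse mount` above this line would document the intended loop (inferred from the interface names, to be confirmed), and if the helper merely needs to run mount without a domain change, a non-transitioning exec rule would be the tighter choice. The enclosing mount_ntfs_t policy starts before this hunk.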
@@ -9534,7 +9799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlab
libs_use_ld_so(netlabel_mgmt_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.6.4/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/raid.te 2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/raid.te 2007-07-31 09:57:06.000000000 -0400
@@ -19,7 +19,7 @@
# Local policy
#
@@ -9552,6 +9817,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
term_dontaudit_list_ptys(mdadm_t)
+@@ -69,6 +70,7 @@
+
+ userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
+ userdom_dontaudit_use_sysadm_ttys(mdadm_t)
++userdom_dontaudit_search_all_users_home_content(mdadm_t)
+
+ mta_send_mail(mdadm_t)
+
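Review bot: The added `userdom_dontaudit_search_all_users_home_content(mdadm_t)` silences denials rather than granting access, which is the right direction, but the hunk does not say what triggers the search; the usual cause is an administrator running mdadm from a home directory as the working directory, and a comment such as `# mdadm may be run with a user home dir as cwd; no access is needed` above the line would stop a future reader from converting the dontaudit into an allow. That cause is inferred, so confirm it against the denial before committing the comment.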
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.6.4/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.fc 2007-07-13 13:11:47.000000000 -0400
@@ -10179,7 +10452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.6.4/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/userdomain.if 2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/userdomain.if 2007-07-28 11:08:16.000000000 -0400
@@ -114,6 +114,22 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
@@ -10275,6 +10548,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+@@ -1028,7 +1071,7 @@
+ # and may change other protocols
+ tunable_policy(`user_tcp_server',`
+ corenet_tcp_bind_all_nodes($1_t)
+- corenet_tcp_bind_generic_port($1_t)
++ corenet_tcp_bind_all_unreserved_ports($1_t)
+ ')
+
+ optional_policy(`
@@ -1059,10 +1102,6 @@
dontaudit xdm_t $1_home_t:file rw_file_perms;
')
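Review bot: Replacing `corenet_tcp_bind_generic_port($1_t)` with `corenet_tcp_bind_all_unreserved_ports($1_t)` under the user_tcp_server tunable widens what an ordinary user domain may bind: the generic interface covers only the unlabelled high ports, whereas the new one, if it targets the unreserved port attribute, also covers high ports that carry their own service labels. The tunable's description text, which lives outside this hunk, should be updated to say that user domains may bind any unreserved port, so the wider scope is visible to whoever enables the boolean. The interface body for $1_t begins before this hunk.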
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2ae4c52..4581735 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 29%{?dist}
+Release: 30%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -361,8 +361,12 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
%endif
%changelog
+* Mon Jul 23 2007 Dan Walsh 2.6.4-30
+- Fix prelink to handle execmod
+- Allow mount_ntfs to search file_type:dir
+
* Mon Jul 23 2007 Dan Walsh 2.6.4-29
--
+- Multiple fixes
* Fri Jul 13 2007 Dan Walsh 2.6.4-28
- Additional rules for openvpn reading homedirs