From 2da92e72c4b6838407dc1933438550f0fe8d53da Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 03 2007 01:29:11 +0000 Subject: - Change labeling on hpijs --- diff --git a/policy-20070703.patch b/policy-20070703.patch index e9c40e7..448cc99 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -2080,7 +2080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.8/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-11-14 12:11:53.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-11-28 10:57:25.000000000 -0500 @@ -139,6 +139,7 @@ auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) @@ -2112,7 +2112,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') optional_policy(` -@@ -321,6 +329,7 @@ +@@ -195,6 +203,7 @@ + unconfined_domain(rpm_t) + # yum-updatesd requires this + unconfined_dbus_chat(rpm_t) ++ unconfined_dbus_chat(rpm_script_t) + ') + + ifdef(`TODO',` +@@ -321,6 +330,7 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -2344,7 +2352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.0.8/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-11-30 13:59:38.000000000 -0500 @@ -92,6 +92,7 @@ dev_read_urand(chfn_t) 
@@ -2365,7 +2373,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) -@@ -520,6 +523,10 @@ +@@ -315,6 +318,7 @@ + # /usr/bin/passwd asks for w access to utmp, but it will operate + # correctly without it. Do not audit write denials to utmp. + init_dontaudit_rw_utmp(passwd_t) ++init_use_fds(passwd_t) + + libs_use_ld_so(passwd_t) + libs_use_shared_libs(passwd_t) +@@ -520,6 +524,10 @@ mta_manage_spool(useradd_t) optional_policy(` @@ -2376,7 +2392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman dpkg_use_fds(useradd_t) dpkg_rw_pipes(useradd_t) ') -@@ -529,6 +536,12 @@ +@@ -529,6 +537,12 @@ ') optional_policy(` @@ -2672,7 +2688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.8/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/gnome.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/apps/gnome.if 2007-11-30 09:20:22.000000000 -0500 @@ -33,6 +33,51 @@ ## # @@ -3077,8 +3093,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.0.8/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/loadkeys.te 2007-11-07 17:15:22.000000000 -0500 -@@ -41,6 +41,8 @@ ++++ serefpolicy-3.0.8/policy/modules/apps/loadkeys.te 2007-12-01 08:16:23.000000000 -0500 +@@ -41,6 +41,10 @@ miscfiles_read_localization(loadkeys_t) 
@@ -3087,6 +3103,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys optional_policy(` nscd_dontaudit_search_pid(loadkeys_t) ') ++ ++userdom_dontaudit_write_unpriv_user_home_content_files(loadkeys_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-10-22 13:21:41.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-10-29 23:59:29.000000000 -0400 @@ -4372,7 +4390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-16 09:41:59.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-11-28 11:00:38.000000000 -0500 @@ -6,6 +6,22 @@ # Declarations # @@ -4410,10 +4428,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Use trusted objects in /dev dev_rw_null(domain) -@@ -134,3 +154,31 @@ +@@ -134,3 +154,32 @@ # act on all domains keys allow unconfined_domain_type domain:key *; ++allow unconfined_domain_type unconfined_domain_type:dbus send_msg; + +# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains. +optional_policy(` 
@@ -5085,7 +5104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-12-01 07:21:24.000000000 -0500 @@ -21,6 +21,7 @@ # Use xattrs for the following filesystem types. @@ -5118,7 +5137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0) type romfs_t; -@@ -133,6 +137,11 @@ +@@ -133,6 +137,16 @@ genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -5127,12 +5146,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +genfscon squash / gen_context(system_u:object_r:squash_t,s0) +files_mountpoint(squash_t) + ++type vmblock_t; ++fs_noxattr_type(vmblock_t) ++files_mountpoint(vmblock_t) ++genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) ++ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-11-26 11:48:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-11-29 19:53:41.000000000 -0500 @@ -352,6 +352,24 @@ ######################################## 
@@ -5191,6 +5215,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') ######################################## +@@ -1336,7 +1373,7 @@ + + read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t) ++ list_dirs_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t) + ') + + ######################################## @@ -1707,6 +1744,7 @@ ') @@ -5229,7 +5262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.8/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if 2007-12-01 07:55:27.000000000 -0500 @@ -138,6 +138,7 @@ type security_t; ') 
@@ -6809,8 +6842,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.0.8/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/clamav.fc 2007-11-14 10:32:54.000000000 -0500 -@@ -13,8 +13,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/clamav.fc 2007-12-01 07:48:56.000000000 -0500 +@@ -5,16 +5,18 @@ + /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) + + /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) ++/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) + + /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) + /var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) + /var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0) + /var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0) ++/var/run/clamav-milter(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) 
@@ -6818,11 +6861,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam -/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) +/var/log/clamav(/.*)? gen_context(system_u:object_r:clamd_var_log_t,s0) /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) ++/var/log/clamav.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0) /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2007-11-08 09:58:52.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2007-12-01 07:46:17.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(clamav,1.4.1) @@ -6838,7 +6882,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam corenet_all_recvfrom_unlabeled(clamd_t) corenet_all_recvfrom_netlabel(clamd_t) -@@ -127,6 +128,10 @@ +@@ -120,6 +121,8 @@ + cron_use_system_job_fds(clamd_t) + cron_rw_pipes(clamd_t) + ++mta_read_config(clamd_t) ++ + optional_policy(` + amavis_read_lib_files(clamd_t) + amavis_read_spool_files(clamd_t) +@@ -127,6 +130,10 @@ amavis_create_pid_files(clamd_t) ') @@ -6849,7 +6902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## # # Freshclam local policy -@@ -233,3 +238,7 @@ +@@ -233,3 +240,7 @@ optional_policy(` apache_read_sys_content(clamscan_t) ') 
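Review bot: The new file-context entry `/var/log/clamav.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0)` leaves the dot unescaped, so as a regular expression it also matches any single character in that position, while the neighbouring entries (`/var/run/clamd\..*`, `/var/spool/amavisd/clamd\.sock`) escape theirs. Change it to `/var/log/clamav\.milter -- gen_context(system_u:object_r:clamd_var_log_t,s0)`. The same slip appears in the rsync.fc hunk later in this patch, where `/var/log/rsync.log` should read `/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)`.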
@@ -6919,7 +6972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.8/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/consolekit.te 2007-11-19 15:22:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/consolekit.te 2007-11-26 22:41:45.000000000 -0500 @@ -10,7 +10,6 @@ type consolekit_exec_t; init_daemon_domain(consolekit_t, consolekit_exec_t) @@ -6963,7 +7016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons optional_policy(` dbus_system_bus_client_template(consolekit, consolekit_t) dbus_send_system_bus(consolekit_t) -@@ -62,9 +71,16 @@ +@@ -62,9 +71,17 @@ optional_policy(` unconfined_dbus_chat(consolekit_t) ') @@ -6973,6 +7026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons optional_policy(` xserver_read_all_users_xauth(consolekit_t) xserver_stream_connect_xdm_xserver(consolekit_t) ++ xserver_stream_connect_xdm(consolekit_t) ') + +optional_policy(` 
@@ -7418,8 +7472,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2007-11-14 10:50:26.000000000 -0500 -@@ -8,17 +8,14 @@ ++++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2007-11-28 07:16:49.000000000 -0500 +@@ -8,17 +8,15 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -7432,13 +7486,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) ++/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -@@ -26,6 +23,11 @@ +@@ -26,6 +24,11 @@ /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) 
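Review bot: `/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)` gives a renderer that is spawned per print job from the CUPS filter chain the hplip daemon's exec type, so its effective domain depends on a transition rule that is not in this hunk; confirm that cups.te carries a domain transition from the domain running the filters to hplip_exec_t/hplip_t, otherwise the relabel becomes an execute denial for the filter rather than a confinement. If the transition exists, hpijs inherits every hplip_t right, including the self raw IP and UDP sockets and the usbfs and lpd spool access visible in the cups.te hunks below, while it is processing data supplied by whoever submitted the job. A short comment next to the entry recording why hplip_t rather than the filter domain is intended, e.g. `# hpijs: HP IJS renderer, run in the hplip domain (see cups.te)`, would keep the next maintainer from reverting it.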
@@ -7450,7 +7505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) -@@ -33,7 +35,7 @@ +@@ -33,7 +36,7 @@ /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -7459,7 +7514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -51,4 +53,5 @@ +@@ -51,4 +54,5 @@ /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) @@ -7476,7 +7531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-11-26 13:00:40.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/cups.te 2007-12-02 19:06:03.000000000 -0500 @@ -48,9 +48,8 @@ type hplip_t; type hplip_exec_t; 
@@ -7712,8 +7767,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ######################################## # # HPLIP local policy -@@ -525,11 +551,9 @@ - allow hplip_t cupsd_etc_t:dir search; +@@ -522,14 +548,12 @@ + allow hplip_t self:udp_socket create_socket_perms; + allow hplip_t self:rawip_socket create_socket_perms; + +-allow hplip_t cupsd_etc_t:dir search; ++allow hplip_t cupsd_etc_t:dir search_dir_perms; cups_stream_connect(hplip_t) - @@ -7727,26 +7786,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -560,7 +584,9 @@ +@@ -560,7 +584,7 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) -dev_read_usbfs(hplip_t) +dev_rw_usbfs(hplip_t) -+ -+lpd_read_spool(hplip_t) fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -587,8 +613,6 @@ +@@ -587,7 +611,7 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) -lpd_read_config(cupsd_t) -- ++lpd_manage_spool(hplip_t) + optional_policy(` seutil_sigchld_newrole(hplip_t) - ') @@ -668,3 +692,15 @@ optional_policy(` udev_read_db(ptal_t) @@ -9525,7 +9582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-11-08 09:56:54.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-12-01 07:39:05.000000000 -0500 @@ -87,6 +87,8 @@ # It wants to check for nscd files_dontaudit_search_pids($1_mail_t) 
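Review bot: `lpd_manage_spool(hplip_t)` (inner hunk @@ -587) replaces the `lpd_read_spool(hplip_t)` that this patch previously added and now drops in the @@ -560 hunk, so hplip_t moves from read to full create/write/unlink on the lpd spool type; if hpijs only needs to read job files handed to it, the read interface is the narrower grant. The same direction applies to `dev_rw_usbfs(hplip_t)` replacing upstream's `dev_read_usbfs(hplip_t)`, which is plausible for driving a printer but deserves a why-comment since the upstream default was read-only. `lpd_manage_spool(hplip_t)` also sits outside optional_policy, so the cups module builds only when lpd is present, matching the unconditional `lpd_read_config(cupsd_t)` it replaces. The enclosing HPLIP local-policy section continues outside the hunk.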
@@ -9688,7 +9745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-11-20 17:00:29.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-12-01 07:56:00.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -9706,7 +9763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. mta_base_mail_template(system) role system_r types system_mail_t; -@@ -40,27 +43,38 @@ +@@ -40,27 +43,40 @@ allow system_mail_t self:capability { dac_override }; read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) @@ -9721,6 +9778,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. +fs_rw_anon_inodefs_files(system_mail_t) + ++selinux_getattr_fs(system_mail_t) ++ init_use_script_ptys(system_mail_t) userdom_use_sysadm_terms(system_mail_t) @@ -9745,7 +9804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -73,6 +87,7 @@ +@@ -73,6 +89,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) @@ -9753,7 +9812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. cron_dontaudit_write_pipes(system_mail_t) ') -@@ -81,6 +96,11 @@ +@@ -81,6 +98,11 @@ ') optional_policy(` 
@@ -9765,6 +9824,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') +@@ -136,6 +158,14 @@ + ') + + optional_policy(` ++ clamav_stream_connect(sendmail_t) ++') ++ ++optional_policy(` ++ spamd_stream_connect(system_mail_t) ++') ++ ++optional_policy(` + smartmon_read_tmp_files(system_mail_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.0.8/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/munin.if 2007-10-29 23:59:29.000000000 -0400 @@ -11882,9 +11956,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd - unconfined_domain(rshd_t) - unconfined_shell_domtrans(rshd_t) -') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.0.8/policy/modules/services/rsync.fc +--- nsaserefpolicy/policy/modules/services/rsync.fc 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/rsync.fc 2007-12-01 08:07:49.000000000 -0500 +@@ -1,2 +1,4 @@ + + /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) ++ ++/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-11-19 14:03:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-12-01 08:07:35.000000000 -0500 @@ -8,6 +8,13 @@ ## 
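Review bot: `clamav_stream_connect(sendmail_t)` in the new mta.te block names sendmail_t, a type declared by the sendmail module, whereas the sibling block added right below uses `spamd_stream_connect(system_mail_t)` and the surrounding rules in this file target system_mail_t. Unless mta.te already has a gen_require for sendmail_t (not visible here) this will not build, and the sendmail.te hunk later in this patch adds the identical `clamav_stream_connect(sendmail_t)`, so the mta.te copy is redundant at best. Most likely this was meant to read `clamav_stream_connect(system_mail_t)` to match the spamd line; otherwise the block should be dropped from mta.te.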
@@ -11907,7 +11989,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn role system_r types rsync_t; type rsync_data_t; -@@ -33,7 +41,7 @@ +@@ -25,6 +33,9 @@ + type rsync_tmp_t; + files_tmp_file(rsync_tmp_t) + ++type rsync_log_t; ++logging_log_file(rsync_log_t) ++ + type rsync_var_run_t; + files_pid_file(rsync_var_run_t) + +@@ -33,7 +44,7 @@ # Local policy # @@ -11916,7 +12008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; allow rsync_t self:tcp_socket create_stream_socket_perms; -@@ -43,7 +51,6 @@ +@@ -43,7 +54,6 @@ # cjp: this should probably only be inetd_child_t rules? # search home and kerberos also. allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; @@ -11924,7 +12016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn #end for identd allow rsync_t rsync_data_t:dir list_dir_perms; -@@ -57,6 +64,8 @@ +@@ -57,6 +67,8 @@ manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t) files_pid_filetrans(rsync_t,rsync_var_run_t,file) @@ -11933,7 +12025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) -@@ -80,6 +89,8 @@ +@@ -80,17 +92,18 @@ files_read_etc_files(rsync_t) files_search_home(rsync_t) @@ -11942,7 +12034,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn libs_use_ld_so(rsync_t) libs_use_shared_libs(rsync_t) -@@ -89,8 +100,6 @@ + logging_send_syslog_msg(rsync_t) +-logging_dontaudit_search_logs(rsync_t) ++manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t) ++logging_log_filetrans(rsync_t,rsync_log_t,file) + miscfiles_read_localization(rsync_t) miscfiles_read_public_files(rsync_t) 
@@ -11951,7 +12047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn tunable_policy(`allow_rsync_anon_write',` miscfiles_manage_public_files(rsync_t) ') -@@ -107,10 +116,7 @@ +@@ -107,10 +120,7 @@ inetd_service_domain(rsync_t,rsync_exec_t) ') @@ -12666,7 +12762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-11-20 10:14:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-12-01 07:53:30.000000000 -0500 @@ -20,19 +20,22 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -12701,7 +12797,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) corenet_tcp_sendrecv_all_if(sendmail_t) -@@ -94,30 +99,33 @@ +@@ -66,6 +71,8 @@ + fs_getattr_all_fs(sendmail_t) + fs_search_auto_mountpoints(sendmail_t) + ++selinux_getattr_fs(sendmail_t) ++ + term_dontaudit_use_console(sendmail_t) + + # for piping mail to a command +@@ -94,30 +101,34 @@ miscfiles_read_certs(sendmail_t) miscfiles_read_localization(sendmail_t) @@ -12728,6 +12833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send optional_policy(` clamav_search_lib(sendmail_t) ++ clamav_stream_connect(sendmail_t) ') optional_policy(` @@ -12741,7 +12847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -131,28 +139,29 @@ +@@ -131,28 +142,33 @@ ') optional_policy(` 
@@ -12757,6 +12863,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') + +optional_policy(` ++ spamd_stream_connect(sendmail_t) ++') ++ ++optional_policy(` udev_read_db(sendmail_t) ') @@ -12789,16 +12899,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2007-11-26 09:31:09.000000000 -0500 -@@ -53,6 +53,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2007-12-01 06:50:19.000000000 -0500 +@@ -27,8 +27,8 @@ + # setroubleshootd local policy + # + +-allow setroubleshootd_t self:capability { dac_override sys_tty_config }; +-allow setroubleshootd_t self:process { signull signal getattr getsched }; ++allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; ++allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; + allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; + allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; + allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -53,6 +53,8 @@ kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) kernel_read_network_state(setroubleshootd_t) ++kernel_read_net_sysctls(setroubleshootd_t) +kernel_dontaudit_list_all_proc(setroubleshootd_t) corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -67,6 +68,7 @@ +@@ -67,12 +69,13 @@ corenet_sendrecv_smtp_client_packets(setroubleshootd_t) dev_read_urand(setroubleshootd_t) 
@@ -12806,7 +12928,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr domain_dontaudit_search_all_domains_state(setroubleshootd_t) -@@ -111,3 +113,11 @@ + files_read_usr_files(setroubleshootd_t) + files_read_etc_files(setroubleshootd_t) +-files_getattr_all_dirs(setroubleshootd_t) ++files_list_all(setroubleshootd_t) + files_getattr_all_files(setroubleshootd_t) + + fs_getattr_all_dirs(setroubleshootd_t) +@@ -111,3 +114,11 @@ rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) ') @@ -12993,7 +13122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2007-11-14 14:47:36.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2007-12-01 07:44:43.000000000 -0500 @@ -286,6 +286,12 @@ userdom_manage_user_home_content_symlinks($1,spamd_t) ') 
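Review bot: `files_list_all(setroubleshootd_t)` replacing `files_getattr_all_dirs(setroubleshootd_t)` widens the daemon from stat-ing directories to reading the contents of every directory the interface covers, including users' home directories, and together with the existing `files_getattr_all_files` lets it enumerate the whole filesystem. If the goal is only to resolve paths named in AVC records, `files_search_all(setroubleshootd_t)` (traverse without read) is usually enough and keeps the grant minimal; if listing is genuinely required, a comment such as `# setroubleshootd lists directories while analysing denials` would record the reason. The enclosing local-policy section continues outside the hunk.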
@@ -13007,10 +13136,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_spamassassin_t) fs_manage_nfs_files($1_spamassassin_t) +@@ -531,3 +537,21 @@ + + dontaudit $1 spamd_tmp_t:sock_file getattr; + ') ++ ++######################################## ++## ++## Connect to run spamd. ++## ++## ++## ++## Domain allowed to connect. ++## ++## ++# ++interface(`spamd_stream_connect',` ++ gen_require(` ++ type spamd_t, spamd_var_run_t; ++ ') ++ ++ stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-11-14 14:09:01.000000000 -0500 -@@ -81,7 +81,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-12-01 07:28:12.000000000 -0500 +@@ -81,11 +81,12 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -13019,7 +13170,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) -@@ -150,10 +150,12 @@ +-files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) ++manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) ++files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file sock_file }) + + kernel_read_all_sysctls(spamd_t) + kernel_read_system_state(spamd_t) +@@ -150,10 +151,12 @@ userdom_dontaudit_search_sysadm_home_dirs(spamd_t) tunable_policy(`use_nfs_home_dirs',` 
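Review bot: The summary of the new `spamd_stream_connect` interface reads `## Connect to run spamd.`, which does not describe what is granted; `## Connect to spamd over a unix stream socket.` would match the body and the naming of the other *_stream_connect interfaces. The body grants only the connectto and the sock_file access, so a caller that cannot already traverse /var/run will still be denied reaching spamd_var_run_t; comparable interfaces typically add `files_search_pids($1)` before the `stream_connect_pattern` line, which is worth doing here unless both callers this patch adds (sendmail_t and system_mail_t) already have it. The matching spamassassin.te change that lets spamd_t create sock_files in spamd_var_run_t is consistent with this interface.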
@@ -14196,7 +14353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-11-15 16:23:05.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-11-30 09:20:54.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -14341,7 +14498,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -348,12 +382,8 @@ +@@ -313,6 +347,10 @@ + ') + + optional_policy(` ++ gnome_exec_gconf(xdm_t) ++') ++ ++optional_policy(` + # Talk to the console mouse server. + gpm_stream_connect(xdm_t) + gpm_setattr_gpmctl(xdm_t) +@@ -348,12 +386,8 @@ ') optional_policy(` @@ -14355,7 +14523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; -@@ -385,7 +415,7 @@ +@@ -385,7 +419,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -14364,7 +14532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -397,6 +427,15 @@ +@@ -397,6 +431,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -14380,7 +14548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -425,6 +464,14 @@ +@@ -425,6 +468,14 @@ ') optional_policy(` 
@@ -14395,7 +14563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -434,47 +481,26 @@ +@@ -434,47 +485,26 @@ ') optional_policy(` @@ -14492,7 +14660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-11-15 10:15:01.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-11-29 07:52:28.000000000 -0500 @@ -14,6 +14,7 @@ /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) @@ -14510,7 +14678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-26 16:38:01.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-29 19:40:16.000000000 -0500 @@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) 
@@ -14922,7 +15090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-11-13 17:09:13.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-11-29 07:59:30.000000000 -0500
 @@ -9,6 +9,13 @@
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
@@ -15040,8 +15208,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +auth_use_nsswitch(updpwd_t)
 +
 +term_dontaudit_use_console(updpwd_t)
-+term_dontaudit_use_console(updpwd_t)
 +term_dontaudit_use_unallocated_ttys(updpwd_t)
++
 +files_manage_etc_files(updpwd_t)
 +kernel_read_system_state(updpwd_t)
 +logging_send_syslog_msg(updpwd_t)
@@ -15486,7 +15654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-10-30 21:08:32.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-11-30 14:03:04.000000000 -0500
 @@ -10,6 +10,20 @@
 # Declarations
 #
@@ -15696,17 +15864,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -750,6 +797,10 @@
+@@ -749,6 +796,12 @@
+ ')
 ')
- optional_policy(`
++userdom_dontaudit_search_sysadm_home_dirs(daemon)
++
++optional_policy(`
+ rpm_dontaudit_rw_pipes(daemon)
 +')
+
-+optional_policy(`
+ optional_policy(`
 vmware_read_system_config(initrc_t)
 vmware_append_system_config(initrc_t)
- ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te 2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/ipsec.te 2007-11-16 09:54:16.000000000 -0500
@@ -17660,16 +17830,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.0.8/policy/modules/system/sysnetwork.fc
 --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.fc 2007-10-29 23:59:29.000000000 -0400
-@@ -54,7 +54,7 @@
++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.fc 2007-11-28 11:07:20.000000000 -0500
+@@ -52,8 +52,7 @@
+ /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+ /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+
+-/var/run/dhclient.*\.pid -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+-/var/run/dhclient.*\.leases -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
++/var/run/dhclient[^/]* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
- /var/run/dhclient.*\.pid -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
- /var/run/dhclient.*\.leases -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
--
-+/var/run/dhclient-[^/]*\.lease -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ifdef(`distro_gentoo',`
 /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
- ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.8/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-10-22 13:21:40.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if 2007-11-06 15:55:57.000000000 -0500
@@ -17931,7 +18102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-26 21:45:36.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-28 10:59:10.000000000 -0500
 @@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@@ -18508,7 +18679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-26 13:59:06.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-30 17:25:54.000000000 -0500
 @@ -29,8 +29,9 @@
 ')
@@ -19103,7 +19274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 samba_stream_connect_winbind($1_t)
 ')
-@@ -954,21 +886,166 @@
+@@ -954,21 +886,164 @@
 ##
 ##
 #
@@ -19146,6 +19317,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ userdom_base_user_template($1)
+
+ userdom_manage_home_template($1)
++ userdom_poly_home_template($1)
++ userdom_poly_tmp_template($1)
++
+ userdom_manage_tmp_template($1)
+ userdom_manage_tmpfs_template($1)
+
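Review bot: `userdom_poly_home_template($1)` and `userdom_poly_tmp_template($1)` are moved up to sit before `userdom_manage_tmp_template($1)`; if the tmp poly template requires `$1_tmp_t` (its body is not in this hunk), it now precedes the template that presumably declares that type, so the new ordering deserves a build check. The next two hunks (`@@ -19189` and `@@ -19213`) only delete the old placement, together with the two `files_dontaudit_*` calls that move into the fs block, so the commit is a pure move with no new rules. A one-line comment above the pair, e.g. `# polyinstantiated home/tmp: keep next to the home template`, would record why they sit here so a later reorder does not separate them again. The enclosing template starts and ends outside this hunk.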
@@ -19189,12 +19363,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ # Stat lost+found.
+ files_getattr_lost_found_dirs($1_usertype)
++ files_dontaudit_list_default($1_usertype)
++ files_dontaudit_read_default_files($1_usertype)
+
+ fs_get_all_fs_quotas($1_usertype)
+ fs_getattr_all_fs($1_usertype)
+ fs_search_all($1_usertype)
+ fs_list_inotifyfs($1_usertype)
-+
+ fs_rw_anon_inodefs_files($1_usertype)
+
+ # Stop warnings about access to /dev/console
@@ -19213,12 +19388,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ seutil_read_config($1_usertype)
+
-+ files_dontaudit_list_default($1_usertype)
-+ files_dontaudit_read_default_files($1_usertype)
-+
-+ userdom_poly_home_template($1)
-+ userdom_poly_tmp_template($1)
-+
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -19276,7 +19445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 domain_interactive_fd($1_t)
 typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1054,51 @@
+@@ -977,23 +1052,51 @@
 typeattribute $1_tmp_t user_tmpfile;
 typeattribute $1_tty_device_t user_ttynode;
@@ -19339,7 +19508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 # port access is audited even if dac would not have allowed it, so dontaudit it here
 corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,23 +1134,14 @@
+@@ -1029,42 +1132,22 @@
 # and may change other protocols
 tunable_policy(`user_tcp_server',`
 corenet_tcp_bind_all_nodes($1_t)
@@ -19352,24 +19521,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ hal_dbus_chat($1_t)
 ')
-- optional_policy(`
++ # Run pppd in pppd_t by default for user
+ optional_policy(`
- loadkeys_run($1_t,$1_r,$1_tty_device_t)
++ ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
++ setroubleshoot_stream_connect($1_t)
+ ')
+
+- # Run pppd in pppd_t by default for user
+- optional_policy(`
+- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+- setroubleshoot_stream_connect($1_t)
- ')
-
-- # Run pppd in pppd_t by default for user
-+ # Run pppd in pppd_t by default for user
- optional_policy(`
- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- ')
-@@ -1054,17 +1150,6 @@
- setroubleshoot_stream_connect($1_t)
- ')
-
 ifdef(`TODO',`
 ifdef(`xdm.te', `
 # this should cause the .xsession-errors file to be written to /tmp
@@ -19402,7 +19574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 allow $1_t self:process { setexec setfscreate };
 # Set password information for other users.
-@@ -1139,7 +1226,11 @@
+@@ -1139,7 +1224,11 @@
 # Manipulate other users crontab.
 allow $1_t self:passwd crontab;
@@ -19415,7 +19587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 kernel_read_software_raid_state($1_t)
 kernel_getattr_core_if($1_t)
-@@ -1277,6 +1368,7 @@
+@@ -1277,6 +1366,7 @@
 dev_relabel_all_dev_nodes($1)
 files_create_boot_flag($1)
@@ -19423,7 +19595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 # Necessary for managing /boot/efi
 fs_manage_dos_files($1)
-@@ -1642,9 +1734,13 @@
+@@ -1642,9 +1732,13 @@
 template(`userdom_user_home_content',`
 gen_require(`
 attribute $1_file_type;
@@ -19437,7 +19609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 files_type($2)
 ')
-@@ -1894,10 +1990,46 @@
+@@ -1894,10 +1988,46 @@
 template(`userdom_manage_user_home_content_dirs',`
 gen_require(`
 type $1_home_dir_t, $1_home_t;
@@ -19485,7 +19657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -2994,6 +3126,25 @@
+@@ -2994,6 +3124,25 @@
 ########################################
 ##
@@ -19511,7 +19683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Create objects in a user temporary directory
 ## with an automatic type transition to
 ## a specified private type.
-@@ -3078,7 +3229,7 @@
+@@ -3078,7 +3227,7 @@
 #
 template(`userdom_tmp_filetrans_user_tmp',`
 gen_require(`
@@ -19520,7 +19692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4410,6 +4561,7 @@
+@@ -4410,6 +4559,7 @@
 ')
 dontaudit $1 sysadm_home_dir_t:dir getattr;
@@ -19528,6 +19700,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
+@@ -4444,9 +4594,11 @@
+ interface(`userdom_dontaudit_search_sysadm_home_dirs',`
+ gen_require(`
+ type sysadm_home_dir_t;
++ type admin_home_t;
+ ')
+
+ dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
++ dontaudit $1 admindif_home_dir_t:dir search_dir_perms;
+ ')
+
+ ########################################
 @@ -4574,6 +4726,7 @@
 allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
 read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 67ca98c..f2f291a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 62%{?dist}
+Release: 63%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -303,8 +303,8 @@ fi
 exit 0
-%triggerpostun targeted -- selinux-policy-targeted =< 3.0.8-59-1
-semanage user -m -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
+%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-63-1
+semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
 semanage login -m -r s0-s0:c0.c1023 __default__ 2> /dev/null
 exit 0
@@ -381,6 +381,9 @@ exit 0
 %endif
 %changelog
+* Wed Nov 28 2007 Dan Walsh 3.0.8-63
+- Change labeling on hpijs
+
 * Mon Nov 26 2007 Dan Walsh 3.0.8-62
 - Allow xend to create xend_var_log_t directories
 - dontaudit setfiles relabel of /proc /sys caused by named-chroot
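Review bot: The new rule `dontaudit $1 admindif_home_dir_t:dir search_dir_perms;` names a type that is declared nowhere in the interface, while the gen_require block one line earlier adds `type admin_home_t;`; this reads as a typo and the line should be `dontaudit $1 admin_home_t:dir search_dir_perms;`. As written the policy build will presumably reject the undeclared type, and even if a type of that name existed the intended admin_home_t search denials would still be audited. The interface is newly applied to every daemon by the init.te hunk in this commit (`userdom_dontaudit_search_sysadm_home_dirs(daemon)`), so the breakage would surface in the base module rather than in one optional module. The whole interface body is visible in this hunk.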
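Review bot: `semanage user -a ...` in the new %triggerpostun fails on any system where `unconfined_u` already exists (the previous trigger used `-m` to modify it), and the `2> /dev/null` hides that failure, so on such upgrades the role list and prefix are silently left unchanged. Keeping a modify fallback covers both cases: `semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null || semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null`. The changelog entry in the following hunk names only the hpijs relabel, so the trigger rewrite and the admin_home_t / dhclient labeling changes visible in this commit are undocumented.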