From 3695b5fc875250df44fe12b1e14735cb27018e04 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 14 2007 17:16:05 +0000 Subject: - Allow cyrus to authenticate via sasl - Allow sshd to work in tunnel mode - Allow sshd to use -R - Allow ssh to read user homedirs - Add /var/lib/tftp to tftp.fc - Add labels for /dev/dmmdi and /dev/admmdi - Allow postmap to be run by unconfined_t - Allow dictd to write pid file - Allow bluetooth to connectto unix_stream_sockets --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 7f96006..07c58fb 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1160,7 +1160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.0.8/policy/modules/admin/brctl.te --- nsaserefpolicy/policy/modules/admin/brctl.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/brctl.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/brctl.te 2007-11-12 18:12:41.000000000 -0500 @@ -25,6 +25,7 @@ kernel_read_network_state(brctl_t) kernel_read_sysctl(brctl_t) @@ -1169,6 +1169,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t dev_rw_sysfs(brctl_t) # Init script handling +@@ -44,4 +45,5 @@ + + optional_policy(` + xen_append_log(brctl_t) ++ xen_dontaudit_rw_unix_stream_sockets(brctl_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.8/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-10-22 13:21:42.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-11-02 13:11:15.000000000 -0400 
@@ -2016,7 +2022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.8/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-11-08 11:42:23.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-11-14 12:11:53.000000000 -0500 @@ -139,6 +139,7 @@ auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) @@ -3737,7 +3743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-11-14 10:48:41.000000000 -0500 @@ -36,6 +36,11 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3763,15 +3769,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -@@ -164,6 +169,7 @@ +@@ -163,7 +168,10 @@ + /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/local/Brother/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -180,6 +186,7 @@ +@@ -180,6 +188,7 @@ /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) @@ -3779,7 +3789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -259,3 +266,18 @@ +@@ -259,3 +268,18 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
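Review bot: The new corecommands.fc entries `/usr/local/Brother(/.*)?/cupswrapper(/.*)?` and `/usr/local/Brother(/.*)?/lpd(/.*)?` put an unbounded `(/.*)?` in the middle of the path, so they label a `cupswrapper` or `lpd` tree at any depth under /usr/local/Brother as bin_t, whereas the line they replace and the two `/usr/local/Printer/[^/]*/...` lines added beside them bound that segment with `[^/]*`. The broad form also overlaps the `/usr/local/Brother/inf(/.*)?` cupsd_rw_etc_t entry this commit adds to cups.fc for any `cupswrapper` or `lpd` path below `inf`, and which label wins there is decided by file_contexts specificity rules rather than by the author; that is inferred from the two hunks, so worth confirming against the vendor layout. Unless the driver really nests these directories arbitrarily deep, `/usr/local/Brother/[^/]*/cupswrapper(/.*)?` and `/usr/local/Brother/[^/]*/lpd(/.*)?` keep bin_t out of the writable config tree.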
@@ -3800,7 +3810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2007-11-13 15:03:55.000000000 -0500 @@ -903,9 +903,11 @@ interface(`corenet_udp_bind_generic_port',` gen_require(` @@ -3952,8 +3962,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-10 07:47:13.000000000 -0500 -@@ -20,6 +20,7 @@ ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-14 09:49:45.000000000 -0500 +@@ -4,6 +4,7 @@ + + /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0) + /dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -20,6 +21,7 @@ /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0) 
@@ -3961,7 +3979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) -@@ -30,6 +31,7 @@ +@@ -30,6 +32,7 @@ /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) @@ -3969,7 +3987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -@@ -49,6 +51,7 @@ +@@ -49,6 +52,7 @@ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -3977,7 +3995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -98,6 +101,7 @@ +@@ -98,6 +102,7 @@ /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) 
@@ -3987,7 +4005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-12 16:36:39.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-12 23:22:11.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) @@ -4295,7 +4313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-11-09 14:39:30.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2007-11-13 21:17:02.000000000 -0500 @@ -343,8 +343,7 @@ ######################################## @@ -4970,7 +4988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy files_mountpoint(vxfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-11-12 23:22:11.000000000 -0500 @@ -352,6 +352,24 @@ ######################################## 
@@ -6652,7 +6670,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue +/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.8/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te 2007-11-14 11:40:47.000000000 -0500 +@@ -44,7 +44,7 @@ + allow bluetooth_t self:shm create_shm_perms; + allow bluetooth_t self:socket create_stream_socket_perms; + allow bluetooth_t self:unix_dgram_socket create_socket_perms; +-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; ++allow bluetooth_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow bluetooth_t self:tcp_socket create_stream_socket_perms; + allow bluetooth_t self:udp_socket create_socket_perms; + @@ -128,6 +128,8 @@ dbus_system_bus_client_template(bluetooth,bluetooth_t) dbus_connect_system_bus(bluetooth_t) 
@@ -6662,6 +6689,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.0.8/policy/modules/services/clamav.fc +--- nsaserefpolicy/policy/modules/services/clamav.fc 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/clamav.fc 2007-11-14 10:32:54.000000000 -0500 +@@ -13,8 +13,7 @@ + + /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) + +-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0) +-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0) ++/var/log/clamav(/.*)? gen_context(system_u:object_r:clamd_var_log_t,s0) + /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) + + /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2007-11-08 09:58:52.000000000 -0500 @@ -7252,7 +7292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`TODO',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.8/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/cups.fc 2007-11-14 10:50:26.000000000 -0500 @@ -8,17 +8,14 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
@@ -7293,12 +7333,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -51,4 +53,4 @@ +@@ -51,4 +53,5 @@ /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) +/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) ++/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.0.8/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/cups.if 2007-10-29 23:59:29.000000000 -0400 @@ -7623,7 +7664,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.0.8/policy/modules/services/cyrus.te --- nsaserefpolicy/policy/modules/services/cyrus.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cyrus.te 2007-11-08 13:33:33.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/cyrus.te 2007-11-13 14:08:08.000000000 -0500 +@@ -1,5 +1,5 @@ + +-policy_module(cyrus,1.4.0) ++policy_module(cyrus,1.4.1) + + ######################################## + # @@ -41,7 +41,6 @@ allow cyrus_t self:unix_stream_socket connectto; allow cyrus_t self:tcp_socket create_stream_socket_perms; 
@@ -7641,28 +7689,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru libs_use_ld_so(cyrus_t) libs_use_shared_libs(cyrus_t) libs_exec_lib_files(cyrus_t) -@@ -104,8 +105,6 @@ - miscfiles_read_localization(cyrus_t) - miscfiles_read_certs(cyrus_t) - --sysnet_read_config(cyrus_t) -- - userdom_dontaudit_use_unpriv_user_fds(cyrus_t) - userdom_dontaudit_search_sysadm_home_dirs(cyrus_t) - userdom_use_unpriv_users_fds(cyrus_t) -@@ -126,14 +125,6 @@ +@@ -122,14 +123,6 @@ ') optional_policy(` -- nis_use_ypbind(cyrus_t) +- ldap_stream_connect(cyrus_t) -') - -optional_policy(` -- sasl_connect(cyrus_t) +- nis_use_ypbind(cyrus_t) -') - -optional_policy(` - seutil_sigchld_newrole(cyrus_t) + sasl_connect(cyrus_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbskk.te serefpolicy-3.0.8/policy/modules/services/dbskk.te 
@@ -7916,6 +7955,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + unconfined_use_terminals(system_dbusd_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.0.8/policy/modules/services/dictd.fc +--- nsaserefpolicy/policy/modules/services/dictd.fc 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/dictd.fc 2007-11-14 11:37:22.000000000 -0500 +@@ -4,3 +4,4 @@ + /usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) + + /var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0) ++/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.0.8/policy/modules/services/dictd.te +--- nsaserefpolicy/policy/modules/services/dictd.te 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/dictd.te 2007-11-14 11:32:53.000000000 -0500 +@@ -16,6 +16,9 @@ + type dictd_var_lib_t alias var_lib_dictd_t; + files_type(dictd_var_lib_t) + ++type dictd_var_run_t; ++files_pid_file(dictd_var_run_t) ++ + ######################################## + # + # Local policy +@@ -34,6 +37,9 @@ + allow dictd_t dictd_var_lib_t:dir list_dir_perms; + allow dictd_t dictd_var_lib_t:file read_file_perms; + ++manage_files_pattern(dictd_t,dictd_var_run_t,dictd_var_run_t) ++files_pid_filetrans(dictd_t,dictd_var_run_t,file) ++ + kernel_read_system_state(dictd_t) + kernel_read_kernel_sysctls(dictd_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.8/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te 2007-10-29 23:59:29.000000000 -0400 
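Review bot: The new dictd.fc line labels the pid file with the executable type, `/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_exec_t,s0)`, while the dictd.te hunks in the same commit declare `dictd_var_run_t` as the pid-file type and grant dictd_t `manage_files_pattern` plus `files_pid_filetrans` only on that type. The transition will create the file as dictd_var_run_t, but any relabel (restorecon, or a relabel on policy load) sets it back to dictd_exec_t, which dictd_t has no write access to, so pid-file updates fail after a relabel; a daemon-writable runtime file should also never carry the domain's entrypoint type. The line should read `/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)`.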
@@ -8004,7 +8074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-11-06 10:58:42.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-11-13 16:44:59.000000000 -0500 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -8151,7 +8221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove ') + +optional_policy(` -+ postfix_create_pivate_sockets(dovecot_auth_t) ++ postfix_manage_pivate_sockets(dovecot_auth_t) + postfix_search_spool(dovecot_auth_t) +') + @@ -10330,6 +10400,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open + unconfined_use_terminals(openvpn_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.0.8/policy/modules/services/pcscd.te +--- nsaserefpolicy/policy/modules/services/pcscd.te 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/pcscd.te 2007-11-13 17:01:41.000000000 -0500 +@@ -45,6 +45,7 @@ + files_read_etc_files(pcscd_t) + files_read_etc_runtime_files(pcscd_t) + ++term_use_unallocated_ttys(pcscd_t) + term_dontaudit_getattr_pty_dirs(pcscd_t) + + libs_use_ld_so(pcscd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-3.0.8/policy/modules/services/pegasus.if --- nsaserefpolicy/policy/modules/services/pegasus.if 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/pegasus.if 2007-10-29 23:59:29.000000000 -0400 
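Review bot: In the dovecot.te hunk, `postfix_manage_pivate_sockets(dovecot_auth_t)` replaces a create-only grant with full manage rights over every socket file in postfix_private_t directories (the new interface in postfix.if uses `manage_sock_files_pattern`), not just the auth socket dovecot itself creates, and neither the hunk nor the commit message says why. If the need is only to replace a stale socket on restart, a comment such as `# dovecot removes and recreates its auth socket under postfix's private dir -- confirm` documents the widening; if create plus delete is all that is exercised, a narrower interface would be the better choice. The optional_policy block is complete within the hunk.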
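Review bot: In the pcscd.te hunk, `term_use_unallocated_ttys(pcscd_t)` grants read/write on every unallocated tty device, far wider than the getattr dontaudit on pty dirs it is placed next to, and the hunk gives no reason. If the daemon really opens serial card readers directly (presumably /dev/ttyS* nodes), a comment like `# serial smart-card readers are opened on unallocated tty devices -- confirm` keeps the grant from being narrowed back later; if the access only shows up as startup denials, `term_dontaudit_use_unallocated_ttys(pcscd_t)` is the narrower fix. The pcscd_t block continues outside the hunk.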
@@ -10446,7 +10527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.8/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postfix.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/postfix.if 2007-11-13 16:45:23.000000000 -0500 @@ -41,6 +41,8 @@ allow postfix_$1_t self:unix_stream_socket connectto; @@ -10554,7 +10635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## Execute postfix user mail programs ## in their respective domains. ## -@@ -450,3 +505,22 @@ +@@ -450,3 +505,41 @@ typeattribute $1 postfix_user_domtrans; ') @@ -10577,9 +10658,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + allow $1 postfix_private_t:dir list_dir_perms; + create_sock_files_pattern($1,postfix_private_t,postfix_private_t) +') ++ ++######################################## ++## ++## Manage named socket in a postfix private directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_manage_pivate_sockets',` ++ gen_require(` ++ type postfix_private_t; ++ ') ++ ++ allow $1 postfix_private_t:dir list_dir_perms; ++ manage_sock_files_pattern($1,postfix_private_t,postfix_private_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2007-11-13 14:37:30.000000000 -0500 
@@ -6,6 +6,14 @@ # Declarations # @@ -10606,7 +10706,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post type postfix_local_tmp_t; files_tmp_file(postfix_local_tmp_t) -@@ -83,6 +95,12 @@ +@@ -34,6 +46,7 @@ + type postfix_map_t; + type postfix_map_exec_t; + application_domain(postfix_map_t,postfix_map_exec_t) ++role system_r types postfix_map_t; + + type postfix_map_tmp_t; + files_tmp_file(postfix_map_tmp_t) +@@ -83,6 +96,12 @@ type postfix_var_run_t; files_pid_file(postfix_var_run_t) @@ -10619,7 +10727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix master process local policy -@@ -93,6 +111,7 @@ +@@ -93,6 +112,7 @@ allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; @@ -10627,7 +10735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_master_t postfix_etc_t:file rw_file_perms; -@@ -164,10 +183,11 @@ +@@ -164,10 +184,11 @@ # postfix does a "find" on startup for some reason - keep it quiet seutil_dontaudit_search_config(postfix_master_t) @@ -10641,7 +10749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_master_t) -@@ -179,7 +199,11 @@ +@@ -179,7 +200,11 @@ ') optional_policy(` @@ -10654,7 +10762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ########################################################### -@@ -263,6 +287,8 @@ +@@ -263,6 +288,8 @@ files_read_etc_files(postfix_local_t) 
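Review bot: The interface added to postfix.if is named `postfix_manage_pivate_sockets` ("pivate" for "private"), and the dovecot.te caller in this commit already spells it that way, so the misspelling becomes part of the public interface as soon as this ships. The pre-existing `postfix_create_pivate_sockets` carries the same typo, but a brand-new interface can still be named `postfix_manage_private_sockets` before other modules depend on it, with the single dovecot.te call updated to match. The interface body (`allow $1 postfix_private_t:dir list_dir_perms;` and `manage_sock_files_pattern($1,postfix_private_t,postfix_private_t)`) is complete within the hunk, which starts on the previous line.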
@@ -10663,7 +10771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin -@@ -275,6 +301,7 @@ +@@ -275,6 +302,7 @@ optional_policy(` # for postalias mailman_manage_data_files(postfix_local_t) @@ -10671,16 +10779,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -336,8 +363,6 @@ +@@ -327,6 +355,8 @@ + files_read_etc_runtime_files(postfix_map_t) + files_dontaudit_search_var(postfix_map_t) + ++auth_use_nsswitch(postfix_map_t) ++ + libs_use_ld_so(postfix_map_t) + libs_use_shared_libs(postfix_map_t) - seutil_read_config(postfix_map_t) +@@ -334,10 +364,6 @@ + miscfiles_read_localization(postfix_map_t) + +-seutil_read_config(postfix_map_t) +- -sysnet_read_config(postfix_map_t) - tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -377,7 +402,7 @@ +@@ -350,10 +376,6 @@ + locallogin_dontaudit_use_fds(postfix_map_t) + ') + +-optional_policy(` +- nscd_socket_use(postfix_map_t) +-') +- + ######################################## + # + # Postfix pickup local policy +@@ -377,7 +399,7 @@ # Postfix pipe local policy # @@ -10689,7 +10819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) -@@ -386,6 +411,10 @@ +@@ -386,6 +408,10 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) optional_policy(` @@ -10700,7 +10830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post procmail_domtrans(postfix_pipe_t) ') -@@ -394,6 +423,10 @@ +@@ -394,6 +420,10 @@ ') optional_policy(` 
@@ -10711,7 +10841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -418,14 +451,17 @@ +@@ -418,14 +448,17 @@ term_dontaudit_use_all_user_ptys(postfix_postdrop_t) term_dontaudit_use_all_user_ttys(postfix_postdrop_t) @@ -10731,7 +10861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` ppp_use_fds(postfix_postqueue_t) ppp_sigchld(postfix_postqueue_t) -@@ -454,8 +490,6 @@ +@@ -454,8 +487,6 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -10740,7 +10870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -498,15 +532,11 @@ +@@ -498,15 +529,11 @@ term_use_all_user_ptys(postfix_showq_t) term_use_all_user_ttys(postfix_showq_t) @@ -10756,7 +10886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # connect to master process stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) -@@ -514,6 +544,8 @@ +@@ -514,6 +541,8 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -10765,7 +10895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') -@@ -538,9 +570,45 @@ +@@ -538,9 +567,45 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` 
@@ -12164,7 +12294,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +allow smbcontrol_t nmbd_var_run_t:file { read lock }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.8/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/sasl.te 2007-11-10 07:53:45.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/sasl.te 2007-11-13 14:08:33.000000000 -0500 +@@ -1,5 +1,5 @@ + +-policy_module(sasl,1.6.0) ++policy_module(sasl,1.6.1) + + ######################################## + # @@ -64,6 +64,7 @@ selinux_compute_access_vector(saslauthd_t) @@ -12173,7 +12310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl auth_use_nsswitch(saslauthd_t) domain_use_interactive_fds(saslauthd_t) -@@ -98,6 +99,10 @@ +@@ -107,6 +108,10 @@ ') optional_policy(` @@ -12181,7 +12318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl +') + +optional_policy(` - kerberos_read_keytab(saslauthd_t) + seutil_sigchld_newrole(saslauthd_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.0.8/policy/modules/services/sendmail.if @@ -12725,7 +12862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.0.8/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ssh.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/ssh.if 2007-11-14 09:59:47.000000000 -0500 @@ -202,6 +202,7 @@ # template(`ssh_per_role_template',` 
@@ -12734,7 +12871,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. type ssh_agent_exec_t, ssh_keysign_exec_t; ') -@@ -450,6 +451,7 @@ +@@ -443,13 +444,14 @@ + type $1_var_run_t; + files_pid_file($1_var_run_t) + +- allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; ++ allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; + allow $1_t self:fifo_file rw_fifo_file_perms; + allow $1_t self:process { signal setsched setrlimit setexec }; + allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; # ssh agent connections: allow $1_t self:unix_stream_socket create_stream_socket_perms; @@ -12742,7 +12887,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -512,6 +514,7 @@ +@@ -478,7 +480,11 @@ + corenet_udp_bind_all_nodes($1_t) + corenet_tcp_bind_ssh_port($1_t) + corenet_tcp_connect_all_ports($1_t) ++ corenet_tcp_bind_all_unreserved_ports($1_t) ++ # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) ++ # tunnel feature and -w (net_admin capability also) ++ corenet_rw_tun_tap_dev($1_t) + + fs_dontaudit_getattr_all_fs($1_t) + +@@ -494,6 +500,8 @@ + + files_read_etc_files($1_t) + files_read_etc_runtime_files($1_t) ++ # Required for FreeNX ++ files_read_var_lib_symlinks($1_t) + + libs_use_ld_so($1_t) + libs_use_shared_libs($1_t) +@@ -506,12 +514,14 @@ + + userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t) + userdom_search_all_users_home_dirs($1_t) ++ userdom_read_all_users_home_content_files($1_t) + + # Allow checking users mail at login + mta_getattr_spool($1_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_t) 
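Review bot: The ssh.if template now gives every domain it instantiates `net_admin` in its capability set, `corenet_rw_tun_tap_dev($1_t)`, `corenet_tcp_bind_all_unreserved_ports($1_t)` and `userdom_read_all_users_home_content_files($1_t)` unconditionally, so a server that never uses -w tunnels or -R forwarding still carries the capability to reconfigure network interfaces and read every user's home content. The surrounding code already gates comparable access behind tunable_policy blocks for NFS and Samba homes, so the tunnel/forwarding pair belongs behind a boolean of its own (name to be chosen), and if the home-content read is only for key lookup, as the commit message suggests, a narrower grant would keep the default footprint where it was; this is inferred from the hunk and worth confirming. Separately, `# -R qualifier` is placed after the line it explains while `# tunnel feature and -w (net_admin capability also)` precedes its line; putting both comments above their statements reads consistently. The template body continues outside the hunk.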
@@ -12750,7 +12923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') tunable_policy(`use_samba_home_dirs',` -@@ -520,6 +523,7 @@ +@@ -520,6 +530,7 @@ optional_policy(` kerberos_use($1_t) @@ -12758,7 +12931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -708,3 +712,42 @@ +@@ -708,3 +719,42 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -13013,6 +13186,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln -# Allow krb5 telnetd to use fork and open /dev/tty for use -allow telnetd_t userpty_type:chr_file setattr; -') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.0.8/policy/modules/services/tftp.fc +--- nsaserefpolicy/policy/modules/services/tftp.fc 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/tftp.fc 2007-11-14 10:08:35.000000000 -0500 +@@ -4,3 +4,4 @@ + + /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) + /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) ++/var/lib/tftp(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.8/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/tftp.te 2007-10-29 23:59:29.000000000 -0400 
@@ -13682,7 +13863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-11-12 11:58:08.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-11-14 11:22:16.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -13726,7 +13907,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; -@@ -132,15 +145,20 @@ +@@ -110,6 +123,7 @@ + allow xdm_t self:key { search link write }; + + allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; ++read_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) + + # Allow gdm to run gdm-binary + can_exec(xdm_t, xdm_exec_t) +@@ -132,15 +146,20 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -13748,7 +13937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -185,6 +203,7 @@ +@@ -185,6 +204,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -13756,7 +13945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -197,6 +216,7 @@ +@@ -197,6 +217,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) 
@@ -13764,7 +13953,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -246,6 +266,7 @@ +@@ -209,8 +230,8 @@ + dev_setattr_video_dev(xdm_t) + dev_getattr_scanner_dev(xdm_t) + dev_setattr_scanner_dev(xdm_t) +-dev_getattr_sound_dev(xdm_t) +-dev_setattr_sound_dev(xdm_t) ++dev_read_sound(xdm_t) ++dev_write_sound(xdm_t) + dev_getattr_power_mgmt_dev(xdm_t) + dev_setattr_power_mgmt_dev(xdm_t) + +@@ -246,6 +267,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -13772,7 +13972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -257,6 +278,7 @@ +@@ -257,6 +279,7 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -13780,7 +13980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) -@@ -268,9 +290,14 @@ +@@ -268,9 +291,14 @@ userdom_create_all_users_keys(xdm_t) # for .dmrc userdom_read_unpriv_users_home_content_files(xdm_t) @@ -13795,7 +13995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -306,6 +333,11 @@ +@@ -306,6 +334,11 @@ optional_policy(` consolekit_dbus_chat(xdm_t) @@ -13807,7 +14007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -348,12 +380,8 @@ +@@ -348,12 +381,8 @@ ') optional_policy(` @@ -13821,7 +14021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; -@@ -385,7 +413,7 @@ +@@ -385,7 +414,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; 
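Review bot: Replacing `dev_getattr_sound_dev(xdm_t)` and `dev_setattr_sound_dev(xdm_t)` with `dev_read_sound(xdm_t)` and `dev_write_sound(xdm_t)` changes xdm_t's sound-device access from attribute-only to read/write, and the commit message does not mention xdm or sound at all. If the display manager genuinely opens the device, a comment above the pair stating which component does so (`# xdm opens sound devices for COMPONENT-NAME`, with the real name filled in) belongs there; if attribute handling was also still required, note that the read/write interfaces presumably do not carry setattr, so the dropped line may need to stay. The remaining lines of this hunk are context and inner-header renumbering only.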
@@ -13830,7 +14030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -397,6 +425,15 @@ +@@ -397,6 +426,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -13846,7 +14046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -425,6 +462,14 @@ +@@ -425,6 +463,14 @@ ') optional_policy(` @@ -13861,7 +14061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -434,47 +479,26 @@ +@@ -434,47 +480,26 @@ ') optional_policy(` @@ -14378,7 +14578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-11-13 17:09:13.000000000 -0500 @@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; @@ -14429,7 +14629,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo term_use_all_user_ttys(pam_t) term_use_all_user_ptys(pam_t) -@@ -149,6 +167,8 @@ +@@ -111,6 +129,7 @@ + logging_send_syslog_msg(pam_t) + + userdom_use_unpriv_users_fds(pam_t) ++userdom_write_unpriv_users_tmp_files(pam_t) + + optional_policy(` + locallogin_use_fds(pam_t) +@@ -149,6 +168,8 @@ dev_setattr_apm_bios_dev(pam_console_t) dev_getattr_dri_dev(pam_console_t) dev_setattr_dri_dev(pam_console_t) 
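Review bot: `userdom_write_unpriv_users_tmp_files(pam_t)` in the authlogin.te hunk lets the pam_t helper domain (presumably a privileged one, given the tty/pty grants around it) write files of the unprivileged users' tmp type, and neither the hunk nor the commit message says which PAM module or program needs this. Writing into files an ordinary user already controls is a pattern reviewers normally want justified, so the grant deserves a comment naming the caller, e.g. `# TODO: name the pam helper that writes to user tmp files`, and a check whether a narrower interface or a dedicated type would serve instead. The inner hunk `@@ -111,6 +129,7 @@` sits inside a larger block whose start and end lie outside this outer hunk.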
@@ -14438,7 +14646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_framebuffer_dev(pam_console_t) dev_setattr_framebuffer_dev(pam_console_t) dev_getattr_generic_usb_dev(pam_console_t) -@@ -159,6 +179,8 @@ +@@ -159,6 +180,8 @@ dev_setattr_mouse_dev(pam_console_t) dev_getattr_power_mgmt_dev(pam_console_t) dev_setattr_power_mgmt_dev(pam_console_t) @@ -14447,7 +14655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_scanner_dev(pam_console_t) dev_setattr_scanner_dev(pam_console_t) dev_getattr_sound_dev(pam_console_t) -@@ -200,6 +222,7 @@ +@@ -200,6 +223,7 @@ fs_list_auto_mountpoints(pam_console_t) fs_list_noxattr_fs(pam_console_t) @@ -14455,7 +14663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo init_use_fds(pam_console_t) init_use_script_ptys(pam_console_t) -@@ -236,7 +259,7 @@ +@@ -236,7 +260,7 @@ optional_policy(` xserver_read_xdm_pid(pam_console_t) @@ -14464,7 +14672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -302,3 +325,28 @@ +@@ -302,3 +326,28 @@ xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') @@ -15301,7 +15509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-11-08 16:05:08.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-11-14 10:14:51.000000000 -0500 @@ -65,11 +65,13 @@ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -15317,15 +15525,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ifdef(`distro_gentoo',` # despite the extensions, they are actually libs -@@ -112,6 +114,7 @@ +@@ -95,8 +97,8 @@ + # + # /usr + # +-/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/(.*/)?HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/(.*/)?RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +@@ -111,7 +113,10 @@ + /usr/lib/vlc/codec/libdmo_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/virtualbox/components/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/VBox[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -135,6 +138,8 @@ +@@ -135,6 +140,8 @@ /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
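Review bot: The two new VirtualBox entries `/usr/lib/virtualbox/components/.*\.so` and `/usr/lib/VBox[^/]*\.so` hard-code `/usr/lib` and omit the `(\.[^/]*)*` version suffix, whereas the surrounding entries in this hunk use the `/usr/lib(64)?/...\.so(\.[^/]*)*` form; if 64-bit builds of these libraries exist, they will stay unlabelled there. textrel_shlib_t is the type that permits text relocations, so each pattern should be as narrow as the real file names allow: `/usr/lib/VBox[^/]*\.so` is already tight, and `components/.*\.so` could become `components/[^/]*\.so` unless subdirectories are known to exist. The HelixPlayer/RealPlayer edit only removes a doubled slash and is correct.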
@@ -15334,7 +15556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -236,6 +241,8 @@ +@@ -236,6 +243,8 @@ /usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -15343,7 +15565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # vmware -@@ -284,3 +291,9 @@ +@@ -284,3 +293,10 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -15353,6 +15575,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) +/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2007-10-29 23:59:29.000000000 -0400 
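Review bot: The trailing `++` at the end of the inner hunk `@@ -284,3 +293,10 @@` adds an empty last line to libraries.fc, and the count change from `+291,9` to `+293,10` is nothing but that blank line; drop it so the file does not end with a stray empty line. The rest of this hunk is renumbering plus the existing ldconfig, FLAC and maxima entries.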
@@ -17425,7 +17648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-12 17:22:08.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-14 09:50:10.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -17498,7 +17721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ######################################## ## ## Connect to the unconfined domain using -@@ -437,6 +441,26 @@ +@@ -437,6 +441,25 @@ ######################################## ## @@ -17519,13 +17742,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + allow $1 unconfined_t:unix_stream_socket { read write }; +') + -+ +######################################## +## ## Do not audit attempts to read or write ## unconfined domain tcp sockets. ## -@@ -558,7 +582,7 @@ +@@ -558,7 +581,7 @@ ') files_search_home($1) @@ -17534,7 +17756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t) read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t) ') -@@ -601,3 +625,216 @@ +@@ -601,3 +624,216 @@ allow $1 unconfined_tmp_t:file { getattr write append }; ') 
@@ -17753,7 +17975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-11-12 10:02:10.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-11-13 14:37:46.000000000 -0500 @@ -5,36 +5,52 @@ # # Declarations @@ -17897,23 +18119,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` - modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) --') -- --optional_policy(` -- mono_domtrans(unconfined_t) + mono_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ') - optional_policy(` +- mono_domtrans(unconfined_t) +-') +- +-optional_policy(` - mta_per_role_template(unconfined,unconfined_t,unconfined_r) + modutils_run_update_mods(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` -@@ -155,32 +168,23 @@ +@@ -154,33 +167,20 @@ + ') optional_policy(` - postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) +- postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) -') @@ -17926,9 +18149,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -optional_policy(` - # cjp: this should probably be removed: - rpc_domtrans_nfsd(unconfined_t) - ') - - optional_policy(` +-') +- +-optional_policy(` rpm_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) 
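Review bot: The new inner hunk turns `postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })` from a context line into a removed one (`+-	postfix_run_map(...)`), yet the commit message says postmap is being allowed for unconfined_t. Unless that access is now granted elsewhere — nothing in this view shows it, and the unconfined.te diff continues beyond this hunk — the title and the hunk disagree, and a comment at the removal such as `# postmap access now comes from INTERFACE-NAME` (placeholder to be filled with the real interface) would settle it. The mono_run/modutils_run_update_mods swap earlier in the hunk is only a reorder of the two optional_policy blocks.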
@@ -17947,22 +18170,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +209,22 @@ +@@ -205,11 +205,22 @@ ') optional_policy(` - wine_domtrans(unconfined_t) + wine_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) ++') ++ ++optional_policy(` ++ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) ++ unconfined_domain(unconfined_mozilla_t) ++ allow unconfined_mozilla_t self:process { execstack execmem }; ') optional_policy(` - xserver_domtrans_xdm_xserver(unconfined_t) -+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) -+ unconfined_domain(unconfined_mozilla_t) -+ allow unconfined_mozilla_t self:process { execstack execmem }; -+') -+ -+optional_policy(` + kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) +') + @@ -17972,7 +18195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +234,28 @@ +@@ -219,14 +230,28 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -19718,7 +19941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +files_type(virt_var_lib_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.0.8/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/xen.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/xen.if 2007-11-12 23:22:11.000000000 -0500 @@ -191,3 +191,24 @@ domtrans_pattern($1,xm_exec_t,xm_t)
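Review bot: The relocated block `mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)` / `unconfined_domain(unconfined_mozilla_t)` / `allow unconfined_mozilla_t self:process { execstack execmem };` declares a browser domain that is immediately made unconfined and additionally granted executable stack and heap, with no comment explaining why a per-role domain is created only to be left unconfined. A one-line note such as `# unconfined_mozilla_t exists to carry the per-role template; it is deliberately unconfined` would record the intent for whoever later tries to confine it. The move itself and the kismet_run block carry no other change, and the outer hunk at the end of this line (xen.if) runs past the visible text.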