From 3e5030027f76a7b5af17ce23c9761c1c043eface Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Mar 16 2011 18:37:08 +0000
Subject: - Fixes for sandbox/seunshare policy
- Add matahari policy
- Allow shutdown setsched and sys_nice
- Add port definition for dogtag, matahari, movaz ports
- Add label for /etc/securetty
- Fixes for pirahna-pulse policy
- Fixes for radius, samba, dirsrv, kerberos policies
- RHEL6 fixes for MLS policy bugs
---
diff --git a/modules-mls.conf b/modules-mls.conf
index b994d4d..1ff7437 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -2089,3 +2089,10 @@ shutdown = module
 # policy for namespace.init script
 #
 namespace = module
+
+# Layer: services
+# Module: matahari
+#
+# Matahari system maangement tools
+#
+matahari = module
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 54d4a43..21189c8 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2244,3 +2244,10 @@ namespace = module
 # vdagent
 #
 vdagent = module
+
+# Layer: services
+# Module: matahari
+#
+# Matahari system maangement tools
+#
+matahari = module
diff --git a/policy-F13.patch b/policy-F13.patch
index 969029f..7efbf39 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -2970,7 +2970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te
 --- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2011-02-25 17:15:02.692365619 +0000
++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2011-03-16 13:24:10.175107001 +0000
 @@ -0,0 +1,75 @@
 +policy_module(shutdown,1.0.0)
 +
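Review bot: The new comment line `# Matahari system maangement tools` misspells "management"; it should read `# Matahari system management tools`. The same line is added in both the modules-mls.conf and the modules-targeted.conf hunk, so both copies need the fix. Apart from that the two hunks only register the new module.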
@@ -2995,8 +2995,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
 +# shutdown local policy
 +#
 +
-+allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
-+allow shutdown_t self:process { fork signal signull };
++allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
++allow shutdown_t self:process { fork setsched signal signull };
 +
 +allow shutdown_t self:fifo_file manage_fifo_file_perms;
 +allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
@@ -7988,8 +7988,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-03-04 14:39:39.566413002 +0000
-@@ -0,0 +1,475 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-03-16 09:27:13.618107000 +0000
+@@ -0,0 +1,477 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -8126,6 +8126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
 +manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
 +manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++dontaudit sandbox_domain sandbox_file_t:dir mounton;
 +
 +gen_require(`
 + type usr_t, lib_t, locale_t;
@@ -8207,6 +8208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +fs_getattr_tmpfs(sandbox_x_domain)
 +fs_getattr_xattr_fs(sandbox_x_domain)
 +fs_list_inotifyfs(sandbox_x_domain)
++fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
 +
 +auth_dontaudit_read_login_records(sandbox_x_domain)
 +auth_dontaudit_write_login_records(sandbox_x_domain)
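Review bot: `sys_nice` and `setsched` are added to the two shutdown_t allow rules without a comment saying which denial they resolve; the commit subject only states that they are allowed. `self:process setsched` lets shutdown_t change its own scheduling only, but `capability sys_nice` is what the kernel additionally checks when a priority is raised or a real-time policy is selected, so a one-line rationale above the rules, e.g. `# shutdown adjusts its own scheduling priority; setsched needs sys_nice`, would let a later reviewer judge whether the capability is still required. The shutdown_t local policy continues outside this hunk.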
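Review bot: `fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)` is added two lines below `fs_getattr_xattr_fs(sandbox_x_domain)`; a dontaudit on a permission the same domain is already allowed has no effect. If both interfaces cover the same `fs_t:filesystem getattr`, one of the two lines is dead: keep the allow if the access is needed, or replace the allow with the dontaudit if the intent was to silence the denial without granting it. The sandbox_x_domain block continues outside this hunk.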
@@ -8568,8 +8570,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.19/policy/modules/apps/seunshare.te
 --- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2011-03-04 14:39:51.781413002 +0000
-@@ -1,45 +1,52 @@
++++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2011-03-16 18:18:06.860851000 +0000
+@@ -1,45 +1,64 @@
 -
 -policy_module(seunshare, 1.0.1)
 +policy_module(seunshare, 1.1.0)
@@ -8629,6 +8631,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 -userdom_use_user_terminals(seunshare_t)
 +userdom_use_user_terminals(seunshare_domain)
 +userdom_list_user_home_content(seunshare_domain)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_mounton_nfs(seunshare_domain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_mounton_cifs(seunshare_domain)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_mounton_fusefs(seunshare_domain)
++')
  
  ifdef(`hide_broken_symptoms', `
 - fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
@@ -9780,7 +9794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-02-04 10:57:54.385796000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-03-16 14:25:07.223107001 +0000
 @@ -25,6 +25,7 @@
  #
  type tun_tap_device_t;
@@ -9830,9 +9844,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -@@ -98,7 +104,9 @@ +@@ -97,8 +103,11 @@ + network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) ++network_port(dogtag, tcp,7390,s0) network_port(epmap, tcp,135,s0, udp,135,s0) +network_port(festival, tcp,1314,s0) network_port(fingerd, tcp,79,s0) @@ -9840,7 +9856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -109,7 +117,7 @@ +@@ -109,7 +118,7 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) @@ -9849,7 +9865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) -@@ -124,40 +132,56 @@ +@@ -124,40 +133,58 @@ network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) 
@@ -9868,6 +9884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene +network_port(luci, tcp,8084,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon network_port(mail, tcp,2000,s0, tcp,3905,s0) ++network_port(matahari, tcp,49000,s0, udp,49000,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) @@ -9878,6 +9895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene -network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63163,s0) +network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) ++network_port(movaz_ssc, tcp,5252,s0) network_port(nessus, tcp,1241,s0) +network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) @@ -9908,7 +9926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,18 +201,22 @@ +@@ -177,18 +204,22 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -9932,7 +9950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -201,23 +229,23 @@ +@@ -201,23 +232,23 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) 
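Review bot: `network_port(movaz_ssc, tcp,5252,s0)` is inserted after the `mysqlmanagerd` line, which breaks the alphabetical order this list keeps (movaz sorts before mysqld); move it above the `mysqld` line. In the hunk at `@@ -9868` the matahari port 49000 (tcp and udp) lies inside the Linux default local ephemeral range (32768–61000), so a client on the same host can be handed that port for an unrelated connection; a trailing comment of the kind the list already uses (`# 8118 is for privoxy`) noting the assignment would help later readers. Neither point changes what the hunk grants.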
@@ -9962,7 +9980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## # -@@ -266,5 +294,5 @@ +@@ -266,5 +297,5 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. @@ -10041,7 +10059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2011-02-08 16:10:25.428796002 +0000 ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2011-03-16 13:14:36.657107001 +0000 @@ -407,7 +407,7 @@ ######################################## @@ -10430,6 +10448,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of video4linux devices. ## ## +@@ -4068,6 +4312,24 @@ + allow $1 vmware_device_t:chr_file execute; + ') + ++####################################### ++## ++## Read to watchdog devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_watchdog',` ++ gen_require(` ++ type device_t, watchdog_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, watchdog_device_t) ++') ++ + ######################################## + ## + ## Write to watchdog devices. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.19/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/kernel/devices.te 2011-02-08 15:56:57.441796002 +0000 
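Review bot: The summary of the new `dev_read_watchdog` interface reads `## Read to watchdog devices.`; it should be `## Read from watchdog devices.`, matching the existing `## Write to watchdog devices.` block directly below it. The new block's header bar also appears one character shorter than the bar used by its neighbours. The body, `read_chr_files_pattern($1, device_t, watchdog_device_t)`, follows the same pattern as the surrounding device interfaces.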
@@ -10745,7 +10788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.19/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.fc 2010-10-25 09:09:58.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.fc 2011-03-16 13:09:38.572107001 +0000 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -10768,8 +10811,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -62,6 +65,12 @@ +@@ -60,8 +63,15 @@ + /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) ++/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0) @@ -10781,7 +10827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) /etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0) -@@ -71,8 +80,9 @@ +@@ -71,8 +81,9 @@ /etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) 
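Review bot: `/etc/securetty` is labeled `etc_runtime_t` rather than `etc_t`, the label of the neighbouring static configuration files such as `/etc/localtime`. securetty is the list of terminals from which pam_securetty permits root logins, so its integrity is security-relevant, and etc_runtime_t is the type for files regenerated at boot, which is typically writable by more domains than etc_t. If no domain rewrites this file at run time, etc_t is the safer label; if one does, a comment above the line naming that writer would justify the broader type.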
@@ -10793,7 +10839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -93,7 +103,7 @@ +@@ -93,7 +104,7 @@ # HOME_ROOT # expanded by genhomedircon # @@ -10802,7 +10848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) HOME_ROOT/lost\+found/.* <> -@@ -157,6 +167,12 @@ +@@ -157,6 +168,12 @@ /proc -d <> /proc/.* <> @@ -10815,7 +10861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # # /selinux # -@@ -170,12 +186,6 @@ +@@ -170,12 +187,6 @@ /srv/.* gen_context(system_u:object_r:var_t,s0) # @@ -10828,7 +10874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # /tmp # /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -@@ -205,15 +215,19 @@ +@@ -205,15 +216,19 @@ /usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /usr/local/lost\+found/.* <> @@ -10848,7 +10894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /usr/tmp/.* <> -@@ -229,6 +243,8 @@ +@@ -229,6 +244,8 @@ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -10857,7 +10903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -@@ -254,3 +270,5 @@ +@@ -254,3 +271,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') 
@@ -12000,7 +12046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2011-02-04 09:52:43.632796001 +0000 ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2011-03-16 18:17:00.451851001 +0000 @@ -559,6 +559,24 @@ ######################################## @@ -12039,10 +12085,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') - allow $1 cifs_t:filesystem getattr; --') -- --######################################## --## ++ allow $1 cgroup_t:filesystem getattr; + ') + + ######################################## + ## -## list dirs on cgroup -## file systems. -## @@ -12059,11 +12106,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy - ') - - list_dirs_pattern($1, cgroup_t, cgroup_t) -+ allow $1 cgroup_t:filesystem getattr; - ') - - ######################################## - ## +-') +- +-######################################## +-## -## Do not audit attempts to read -## dirs on a CIFS or SMB filesystem. +## list dirs on cgroup 
@@ -12255,7 +12301,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ####################################### ## ## Create, read, write, and delete dirs -@@ -1790,6 +1897,25 @@ +@@ -1672,6 +1779,24 @@ + allow $1 fusefs_t:filesystem unmount; + ') + ++ ####################################### ++ ## ++ ## Mounton a FUSEFS filesystem. ++ ## ++ ## ++ ## ++ ## Domain allowed access. ++ ## ++ ## ++ # ++interface(`fs_mounton_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir mounton; ++') ++ + ######################################## + ## + ## Search directories +@@ -1790,6 +1915,25 @@ manage_files_pattern($1, fusefs_t, fusefs_t) ') @@ -12281,7 +12352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Do not audit attempts to create, -@@ -1831,6 +1957,25 @@ +@@ -1831,6 +1975,25 @@ ######################################## ## @@ -12307,7 +12378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read and write hugetlbfs files. ## ## -@@ -1847,6 +1992,42 @@ +@@ -1847,6 +2010,42 @@ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -12350,7 +12421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Allow the type to associate to hugetlbfs filesystems. -@@ -1899,6 +2080,7 @@ +@@ -1899,6 +2098,7 @@ ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -12358,7 +12429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2295,6 +2477,25 @@ +@@ -2295,6 +2495,25 @@ ######################################## ## @@ -12384,7 +12455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Append files ## on a NFS filesystem. ## -@@ -2333,6 +2534,24 @@ +@@ -2333,6 +2552,24 @@ dontaudit $1 nfs_t:file append_file_perms; ') 
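Review bot: The doc-comment header of the new `fs_mounton_fusefs` interface is indented by one space (`+ ####…`, `+ ##`, `+ #`) while the `interface(...)` line and every other block in filesystem.if start at column 0; drop the leading space so the block reads like its neighbours and the doc extractor sees a consistent header. The summary `## Mounton a FUSEFS filesystem.` would be clearer as `## Use a FUSEFS directory as a mount point.`, which is what `allow $1 fusefs_t:dir mounton;` grants. The remaining hunks in this file section only renumber inner hunk headers.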
@@ -12409,7 +12480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Do not audit attempts to read or -@@ -2349,7 +2568,7 @@ +@@ -2349,7 +2586,7 @@ type nfs_t; ') @@ -12418,7 +12489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2537,6 +2756,24 @@ +@@ -2537,6 +2774,24 @@ ######################################## ## @@ -12443,7 +12514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read removable storage symbolic links. ## ## -@@ -2745,7 +2982,7 @@ +@@ -2745,7 +3000,7 @@ ######################################### ## ## Create, read, write, and delete symbolic links @@ -12452,7 +12523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -3812,6 +4049,24 @@ +@@ -3812,6 +4067,24 @@ rw_files_pattern($1, tmpfs_t, tmpfs_t) ') @@ -12477,7 +12548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Read tmpfs link files. -@@ -3870,6 +4125,24 @@ +@@ -3870,6 +4143,24 @@ ######################################## ## @@ -12502,7 +12573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4432,6 +4705,44 @@ +@@ -4432,6 +4723,44 @@ ######################################## ## @@ -12547,7 +12618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Do not audit attempts to get the attributes ## of all files with a filesystem type. ## -@@ -4549,3 +4860,24 @@ +@@ -4549,3 +4878,24 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') 
@@ -17030,7 +17101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2011-02-04 10:58:08.393796000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2011-03-16 13:04:07.336107002 +0000 @@ -19,11 +19,13 @@ # Declarations # @@ -17319,7 +17390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -470,11 +576,25 @@ +@@ -470,11 +576,27 @@ userdom_read_user_home_content_files(httpd_t) ') @@ -17332,11 +17403,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` ++ fs_list_auto_mountpoints(httpd_t) fs_read_nfs_files(httpd_t) fs_read_nfs_symlinks(httpd_t) ') +tunable_policy(`httpd_use_nfs',` ++ fs_list_auto_mountpoints(httpd_t) + fs_manage_nfs_dirs(httpd_t) + fs_manage_nfs_files(httpd_t) + fs_manage_nfs_symlinks(httpd_t) @@ -17345,7 +17418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,9 +604,23 @@ +@@ -484,9 +606,23 @@ # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) 
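Review bot: `fs_list_auto_mountpoints(httpd_t)` is added inside the `httpd_enable_homedirs && use_nfs_home_dirs` and `httpd_use_nfs` tunables without a comment; presumably the NFS content sits below an autofs mount point that has to be listable first, but nothing in the hunk says so. A one-line comment at the first site, `# NFS content may live below an autofs mount point`, would also cover the identical additions for httpd_suexec_t and httpd_sys_script_t in the hunks at `@@ -17568`, `@@ -17612` and `@@ -17626`. The tunable blocks continue outside this hunk.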
@@ -17369,7 +17442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -500,8 +634,13 @@ +@@ -500,8 +636,13 @@ # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) @@ -17383,7 +17456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -514,6 +653,12 @@ +@@ -514,6 +655,12 @@ optional_policy(` cobbler_search_lib(httpd_t) @@ -17396,7 +17469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -528,7 +673,18 @@ +@@ -528,7 +675,18 @@ daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -17416,7 +17489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +693,12 @@ +@@ -537,8 +695,12 @@ ') optional_policy(` @@ -17430,7 +17503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -556,7 +716,13 @@ +@@ -556,7 +718,13 @@ ') optional_policy(` @@ -17444,7 +17517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +733,7 @@ +@@ -567,6 +735,7 @@ optional_policy(` nagios_read_config(httpd_t) @@ -17452,7 +17525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -577,12 +744,29 @@ +@@ -577,12 +746,29 @@ ') optional_policy(` @@ -17482,7 +17555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -591,6 +775,11 @@ +@@ -591,6 +777,11 @@ ') optional_policy(` 
@@ -17494,7 +17567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -618,6 +807,10 @@ +@@ -618,6 +809,10 @@ userdom_use_user_terminals(httpd_helper_t) @@ -17505,7 +17578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -667,6 +860,17 @@ +@@ -667,6 +862,17 @@ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) corenet_tcp_connect_mssql_port(httpd_suexec_t) corenet_sendrecv_mssql_client_packets(httpd_suexec_t) @@ -17523,7 +17596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -699,17 +903,18 @@ +@@ -699,17 +905,18 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -17545,7 +17618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +945,21 @@ +@@ -740,13 +947,25 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -17568,7 +17641,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +985,12 @@ ++ fs_list_auto_mountpoints(httpd_suexec_t) + fs_read_nfs_files(httpd_suexec_t) + fs_read_nfs_symlinks(httpd_suexec_t) + fs_exec_nfs_files(httpd_suexec_t) +@@ -769,6 +988,12 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -17581,7 +17658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -791,10 +1013,15 @@ +@@ -791,10 +1016,15 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -17597,7 +17674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +1030,28 @@ +@@ -803,6 +1033,30 @@ mta_send_mail(httpd_sys_script_t) ') @@ -17612,11 +17689,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +fs_nfs_entry_type(httpd_sys_script_t) + +tunable_policy(`httpd_use_nfs',` ++ fs_list_auto_mountpoints(httpd_sys_script_t) + fs_manage_nfs_dirs(httpd_sys_script_t) + fs_manage_nfs_files(httpd_sys_script_t) + fs_manage_nfs_symlinks(httpd_sys_script_t) + fs_exec_nfs_files(httpd_sys_script_t) + ++ fs_list_auto_mountpoints(httpd_suexec_t) + fs_manage_nfs_dirs(httpd_suexec_t) + fs_manage_nfs_files(httpd_suexec_t) + fs_manage_nfs_symlinks(httpd_suexec_t) @@ -17626,7 +17705,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1079,16 @@ +@@ -826,10 +1080,21 @@ + ') + + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` ++ fs_list_auto_mountpoints(httpd_sys_script_t) + fs_read_nfs_files(httpd_sys_script_t) fs_read_nfs_symlinks(httpd_sys_script_t) ') 
@@ -17643,7 +17727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1101,7 @@ +@@ -842,6 +1107,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -17651,7 +17735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -891,11 +1151,33 @@ +@@ -891,11 +1157,33 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -19126,8 +19210,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te --- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2011-03-04 14:00:18.904413000 +0000 -@@ -0,0 +1,95 @@ ++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2011-03-15 20:36:12.127107001 +0000 +@@ -0,0 +1,96 @@ +policy_module(certmonger,1.0.0) + +######################################## @@ -19176,6 +19260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert +corenet_tcp_sendrecv_generic_node(certmonger_t) +corenet_tcp_sendrecv_all_ports(certmonger_t) +corenet_tcp_connect_certmaster_port(certmonger_t) ++corenet_tcp_connect_http_port(certmonger_t) + +dev_read_urand(certmonger_t) + 
@@ -19703,7 +19788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-12-09 11:46:16.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2011-03-16 13:22:27.646107001 +0000 @@ -1,6 +1,13 @@ policy_module(clamav, 1.7.1) @@ -19736,7 +19821,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam # log files manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) -@@ -167,9 +178,15 @@ +@@ -104,6 +115,7 @@ + corenet_tcp_bind_clamd_port(clamd_t) + corenet_tcp_bind_generic_port(clamd_t) + corenet_tcp_connect_generic_port(clamd_t) ++corenet_tcp_connect_clamd_port(clamd_t) + corenet_sendrecv_clamd_server_packets(clamd_t) + + dev_read_rand(clamd_t) +@@ -167,9 +179,15 @@ # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) allow freshclam_t freshclam_var_log_t:dir setattr; @@ -19753,7 +19846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -177,8 +194,11 @@ +@@ -177,8 +195,11 @@ corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -19765,7 +19858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam dev_read_rand(freshclam_t) dev_read_urand(freshclam_t) -@@ -189,14 +209,24 @@ +@@ -189,14 +210,24 @@ auth_use_nsswitch(freshclam_t) 
@@ -19790,7 +19883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## # # clamscam local policy -@@ -228,9 +258,11 @@ +@@ -228,9 +259,11 @@ corenet_tcp_sendrecv_generic_node(clamscan_t) corenet_tcp_sendrecv_all_ports(clamscan_t) corenet_tcp_sendrecv_clamd_port(clamscan_t) @@ -19802,7 +19895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -245,6 +277,17 @@ +@@ -245,6 +278,17 @@ clamav_stream_connect(clamscan_t) mta_send_mail(clamscan_t) @@ -23366,8 +23459,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.7.19/policy/modules/services/dirsrv.te --- nsaserefpolicy/policy/modules/services/dirsrv.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2011-02-03 10:11:55.317796001 +0000 -@@ -0,0 +1,185 @@ ++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2011-03-16 13:34:01.046107000 +0000 +@@ -0,0 +1,187 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -23451,6 +23544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs + +manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) +manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) ++manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t) + +manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) +manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) 
@@ -23467,6 +23561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +corenet_tcp_sendrecv_all_ports(dirsrv_t) +corenet_tcp_bind_all_nodes(dirsrv_t) +corenet_tcp_bind_ldap_port(dirsrv_t) ++corenet_tcp_bind_dogtag_port(dirsrv_t) +corenet_tcp_bind_all_rpc_ports(dirsrv_t) +corenet_udp_bind_all_rpc_ports(dirsrv_t) +corenet_tcp_connect_all_ports(dirsrv_t) @@ -24280,8 +24375,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.19/policy/modules/services/ftp.if --- nsaserefpolicy/policy/modules/services/ftp.if 2010-04-13 18:44:36.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/ftp.if 2010-05-28 07:42:00.000000000 +0000 -@@ -115,6 +115,44 @@ ++++ serefpolicy-3.7.19/policy/modules/services/ftp.if 2011-03-16 14:35:12.605107001 +0000 +@@ -1,5 +1,43 @@ + ## File transfer protocol service + ++##################################### ++## ++## Execute a domain transition to run ftpd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ftp_domtrans',` ++ gen_require(` ++ type ftpd_t, ftpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1,ftpd_exec_t, ftpd_t) ++ ++') ++ ++###################################### ++## ++## Execute ftpd server in the ftpd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`ftp_initrc_domtrans',` ++ gen_require(` ++ type ftp_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, ftp_initrc_exec_t) ++') ++ + ######################################## + ## + ## Use ftp by connecting over TCP. (Deprecated) +@@ -115,6 +153,44 @@ role $2 types ftpdctl_t; ') 
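Review bot: In the new `ftp_domtrans` interface, `domtrans_pattern($1,ftpd_exec_t, ftpd_t)` lacks the space after the first comma that the rest of the file uses, and the blank line before the closing `')` is stray; write `domtrans_pattern($1, ftpd_exec_t, ftpd_t)` followed directly by `')`. The header bars above `ftp_domtrans` and `ftp_initrc_domtrans` are shorter than the bar of the existing `Use ftp by connecting over TCP` block below and also differ from each other. `ftp_initrc_domtrans` requires `ftp_initrc_exec_t`, whose declaration is outside this hunk.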
@@ -25992,7 +26131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.19/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2011-01-27 14:25:40.043455001 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2011-03-16 13:57:42.672107002 +0000 @@ -74,7 +74,7 @@ ') @@ -26013,6 +26152,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb tunable_policy(`allow_kerberos',` allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; +@@ -103,7 +107,7 @@ + corenet_sendrecv_kerberos_client_packets($1) + corenet_sendrecv_ocsp_client_packets($1) + +- allow $1 krb5_host_rcache_t:file getattr; ++ allow $1 krb5_host_rcache_t:file getattr_file_perms; + ') + + optional_policy(` @@ -212,6 +216,25 @@ allow $1 krb5_keytab_t:file rw_file_perms; ') 
@@ -26039,18 +26187,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ######################################## ## ## Create a derived type for kerberos keytab +@@ -374,3 +397,22 @@ + + admin_pattern($1, krb5kdc_var_run_t) + ') ++ ++####################################### ++## ++## Type transition files created in /tmp ++## to the krb5_host_rcache type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_tmp_filetrans_host_rcache',` ++ gen_require(` ++ type krb5_host_rcache_t; ++ ') ++ ++ files_tmp_filetrans($1, krb5_host_rcache_t, file) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.19/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2011-01-20 11:02:37.000000000 +0000 -@@ -36,6 +36,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2011-03-16 13:51:14.123107002 +0000 +@@ -36,12 +36,12 @@ domain_obj_id_change_exemption(kpropd_t) type krb5_conf_t; +-files_type(krb5_conf_t) +files_config_file(krb5_conf_t) - files_type(krb5_conf_t) type krb5_home_t; -@@ -50,10 +51,10 @@ + userdom_user_home_content(krb5_home_t) + +-type krb5_host_rcache_t; ++type krb5_host_rcache_t alias saslauthd_tmp_t; + files_tmp_file(krb5_host_rcache_t) + + # types for general configuration files in /etc +@@ -50,10 +50,10 @@ # types for KDC configs and principal file(s) type krb5kdc_conf_t; @@ -26063,7 +26241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb # types for KDC principal file(s) type krb5kdc_principal_t; -@@ -94,9 +95,9 @@ +@@ -94,9 +94,9 @@ dontaudit kadmind_t krb5_conf_t:file write; read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) 
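Review bot: The interface appended to kerberos.if is named `mta_tmp_filetrans_host_rcache` although it lives in the kerberos module and requires `krb5_host_rcache_t`; refpolicy names interfaces after their own module, so callers will look for `kerberos_tmp_filetrans_host_rcache` and the `interface(` line should use that name. In the same hunk `type krb5_host_rcache_t alias saslauthd_tmp_t;` merges two type identities, which means every domain already allowed to read or write saslauthd's tmp files now has the same access to the Kerberos replay cache and vice versa; a short comment on the alias stating why the sasl tmp type is folded into the replay-cache type (presumably saslauthd writes its rcache there — confirm) would let later reviewers judge rules that touch either name. The sasl module's side of this change is not visible in the hunk.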
@@ -26075,7 +26253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow kadmind_t krb5kdc_principal_t:file manage_file_perms; filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) -@@ -112,6 +113,7 @@ +@@ -112,6 +112,7 @@ kernel_read_kernel_sysctls(kadmind_t) kernel_list_proc(kadmind_t) @@ -26083,7 +26261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb kernel_read_proc_symlinks(kadmind_t) kernel_read_system_state(kadmind_t) -@@ -126,10 +128,13 @@ +@@ -126,10 +127,13 @@ corenet_tcp_bind_generic_node(kadmind_t) corenet_udp_bind_generic_node(kadmind_t) corenet_tcp_bind_kerberos_admin_port(kadmind_t) @@ -26097,7 +26275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb dev_read_sysfs(kadmind_t) dev_read_rand(kadmind_t) -@@ -149,6 +154,7 @@ +@@ -149,6 +153,7 @@ logging_send_syslog_msg(kadmind_t) @@ -26105,7 +26283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb miscfiles_read_localization(kadmind_t) seutil_read_file_contexts(kadmind_t) -@@ -160,6 +166,14 @@ +@@ -160,6 +165,14 @@ userdom_dontaudit_search_user_home_dirs(kadmind_t) optional_policy(` @@ -26120,7 +26298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb nis_use_ypbind(kadmind_t) ') -@@ -193,13 +207,12 @@ +@@ -193,13 +206,12 @@ read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) dontaudit krb5kdc_t krb5kdc_conf_t:file write; @@ -26136,7 +26314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -@@ -249,6 +262,7 @@ +@@ -249,6 +261,7 @@ logging_send_syslog_msg(krb5kdc_t) 
@@ -26144,7 +26322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb miscfiles_read_localization(krb5kdc_t) seutil_read_file_contexts(krb5kdc_t) -@@ -260,6 +274,14 @@ +@@ -260,6 +273,14 @@ userdom_dontaudit_search_user_home_dirs(krb5kdc_t) optional_policy(` @@ -26159,7 +26337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb nis_use_ypbind(krb5kdc_t) ') -@@ -283,7 +305,7 @@ +@@ -283,7 +304,7 @@ allow kpropd_t self:unix_stream_socket create_stream_socket_perms; allow kpropd_t self:tcp_socket create_stream_socket_perms; 
@@ -26498,6 +26676,370 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail -') \ No newline at end of file +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/matahari.fc serefpolicy-3.7.19/policy/modules/services/matahari.fc +--- nsaserefpolicy/policy/modules/services/matahari.fc 1970-01-01 00:00:00.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/matahari.fc 2011-03-16 14:17:03.980107001 +0000 +@@ -0,0 +1,15 @@ ++/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0) ++ ++/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) ++ ++/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) ++ ++/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0) ++ ++/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0) ++ ++/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0) ++/var/run/matahari.pid gen_context(system_u:object_r:matahari_var_run_t,s0) ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/matahari.if serefpolicy-3.7.19/policy/modules/services/matahari.if +--- nsaserefpolicy/policy/modules/services/matahari.if 1970-01-01 00:00:00.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/matahari.if 2011-03-16 14:17:03.980107001 +0000 +@@ -0,0 +1,220 @@ ++## policy for matahari ++ ++######################################## ++## ++## Search matahari lib directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`matahari_search_lib',` ++ gen_require(` ++ type matahari_var_lib_t; ++ ') ++ ++ allow $1 matahari_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read matahari lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`matahari_read_lib_files',` ++ gen_require(` ++ type matahari_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, matahari_var_lib_t, matahari_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## matahari lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`matahari_manage_lib_files',` ++ gen_require(` ++ type matahari_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, matahari_var_lib_t, matahari_var_lib_t) ++') ++ ++######################################## ++## ++## Manage matahari lib dirs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`matahari_manage_lib_dirs',` ++ gen_require(` ++ type matahari_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, matahari_var_lib_t, matahari_var_lib_t) ++') ++ ++ ++######################################## ++## ++## Read matahari PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`matahari_read_pid_files',` ++ gen_require(` ++ type matahari_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 matahari_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Read matahari PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`matahari_manage_pid_files',` ++ gen_require(` ++ type matahari_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, matahari_var_run_t, matahari_var_run_t) ++') ++ ++######################################## ++## ++## Execute a domain transition to run matahari_hostd. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`matahari_hostd_domtrans',` ++ gen_require(` ++ type matahari_hostd_t, matahari_hostd_exec_t; ++ ') ++ ++ domtrans_pattern($1, matahari_hostd_exec_t, matahari_hostd_t) ++') ++ ++######################################## ++## ++## Execute a domain transition to run matahari_netd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`matahari_netd_domtrans',` ++ gen_require(` ++ type matahari_netd_t, matahari_netd_exec_t; ++ ') ++ ++ domtrans_pattern($1, matahari_netd_exec_t, matahari_netd_t) ++') ++ ++######################################## ++## ++## Execute a domain transition to run matahari_serviced. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`matahari_serviced_domtrans',` ++ gen_require(` ++ type matahari_serviced_t, matahari_serviced_exec_t; ++ ') ++ ++ domtrans_pattern($1, matahari_serviced_exec_t, matahari_serviced_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an matahari environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`matahari_admin',` ++ gen_require(` ++ type matahari_inirc_exec_t; ++ type matahari_hostd_t; ++ type matahari_netd_t; ++ type matahari_serviced_t; ++ type matahari_var_lib_t; ++ type matahari_var_run_t; ++ ') ++ ++ init_labeled_script_domtrans($1, matahari_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 matahari_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ allow $1 matahari_netd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, matahari_netd_t) ++ ++ allow $1 matahari_hostd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, matahari_hostd_t) ++ ++ allow $1 matahari_serviced_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, matahari_serviced_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, matahari_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, matahari_var_run_t) ++ ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/matahari.te serefpolicy-3.7.19/policy/modules/services/matahari.te +--- nsaserefpolicy/policy/modules/services/matahari.te 1970-01-01 00:00:00.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/matahari.te 2011-03-16 14:17:03.980107001 +0000 +@@ -0,0 +1,117 @@ ++policy_module(matahari,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type matahari_hostd_t; ++type matahari_hostd_exec_t; ++init_daemon_domain(matahari_hostd_t, matahari_hostd_exec_t) ++ ++type matahari_netd_t; ++type matahari_netd_exec_t; ++init_daemon_domain(matahari_netd_t, matahari_netd_exec_t) ++ ++type matahari_serviced_t; ++type matahari_serviced_exec_t; ++init_daemon_domain(matahari_serviced_t, matahari_serviced_exec_t) ++ ++type matahari_initrc_exec_t; ++init_script_file(matahari_initrc_exec_t) ++ ++permissive matahari_serviced_t; ++permissive matahari_hostd_t; ++permissive matahari_netd_t; ++ ++type matahari_var_lib_t; ++files_type(matahari_var_lib_t) ++ ++type matahari_var_run_t; 
++files_pid_file(matahari_var_run_t) ++ ++######################################## ++# ++# matahari_hostd local policy ++# ++allow matahari_hostd_t self:capability sys_ptrace; ++allow matahari_hostd_t self:process { signal }; ++ ++allow matahari_hostd_t self:fifo_file rw_fifo_file_perms; ++allow matahari_hostd_t self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_read_network_state(matahari_hostd_t) ++kernel_read_system_state(matahari_hostd_t) ++ ++corenet_tcp_connect_matahari_port(matahari_hostd_t) ++ ++dev_read_sysfs(matahari_hostd_t) ++dev_read_urand(matahari_hostd_t) ++dev_read_mtrr(matahari_hostd_t) ++dev_write_mtrr(matahari_hostd_t) ++ ++domain_use_interactive_fds(matahari_hostd_t) ++domain_read_all_domains_state(matahari_hostd_t) ++ ++files_read_etc_files(matahari_hostd_t) ++ ++logging_send_syslog_msg(matahari_hostd_t) ++ ++miscfiles_read_localization(matahari_hostd_t) ++ ++sysnet_dns_name_resolve(matahari_hostd_t) ++ ++optional_policy(` ++ dbus_system_bus_client(matahari_hostd_t) ++') ++ ++######################################## ++# ++# matahari_netd local policy ++# ++allow matahari_netd_t self:process { signal }; ++ ++allow matahari_netd_t self:fifo_file rw_fifo_file_perms; ++allow matahari_netd_t self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_read_system_state(matahari_netd_t) ++ ++corenet_tcp_connect_matahari_port(matahari_netd_t) ++ ++dev_read_urand(matahari_netd_t) ++ ++domain_use_interactive_fds(matahari_netd_t) ++ ++files_read_etc_files(matahari_netd_t) ++ ++logging_send_syslog_msg(matahari_netd_t) ++ ++miscfiles_read_localization(matahari_netd_t) ++ ++sysnet_dns_name_resolve(matahari_netd_t) ++ ++######################################## ++# ++# matahari_serviced local policy ++# ++allow matahari_serviced_t self:process { signal }; ++ ++allow matahari_serviced_t self:fifo_file rw_fifo_file_perms; ++allow matahari_serviced_t self:unix_stream_socket create_stream_socket_perms; ++ 
++kernel_read_system_state(matahari_serviced_t) ++ ++corenet_tcp_connect_matahari_port(matahari_serviced_t) ++ ++dev_read_urand(matahari_serviced_t) ++ ++domain_use_interactive_fds(matahari_serviced_t) ++ ++files_read_etc_files(matahari_serviced_t) ++ ++logging_send_syslog_msg(matahari_serviced_t) ++ ++miscfiles_read_localization(matahari_serviced_t) ++ ++sysnet_dns_name_resolve(matahari_serviced_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.7.19/policy/modules/services/memcached.if --- nsaserefpolicy/policy/modules/services/memcached.if 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/memcached.if 2010-09-16 12:51:54.000000000 +0000 @@ -26597,7 +27139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.7.19/policy/modules/services/milter.te --- nsaserefpolicy/policy/modules/services/milter.te 2010-04-13 18:44:36.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/milter.te 2010-09-09 08:52:57.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/milter.te 2011-03-16 13:20:25.652107002 +0000 @@ -10,6 +10,13 @@ attribute milter_domains; attribute milter_data_type; 
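Review bot: `matahari_admin` requires `type matahari_inirc_exec_t;` (typo) while its body uses `matahari_initrc_exec_t` in `init_labeled_script_domtrans` and `role_transition`; the require line should read `type matahari_initrc_exec_t;`, otherwise any module calling the interface references a type that is never declared. All three daemon domains are declared `permissive`, so none of the matahari rules is enforced yet; a comment next to those three lines saying they are temporary and to be removed once the policy is confirmed against the daemons would keep that from being forgotten. `allow matahari_hostd_t self:capability sys_ptrace;`, `domain_read_all_domains_state(matahari_hostd_t)` and `dev_write_mtrr(matahari_hostd_t)` are broad for a host-inventory daemon and carry no why-comment, so it is not clear from the hunk which operation needs each. In matahari.fc the pattern `/var/run/matahari.pid` leaves the dot unescaped, unlike `/etc/rc\.d/init\.d/...` above it, and the summary of `matahari_manage_pid_files` is a copy of the read interface's "Read matahari PID files." where "Manage matahari PID files." is meant.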
@@ -26636,7 +27178,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt ######################################## # # milter-greylist local policy -@@ -81,13 +105,11 @@ +@@ -39,6 +63,12 @@ + + kernel_read_kernel_sysctls(greylist_milter_t) + ++corecmd_exec_bin(greylist_milter_t) ++corecmd_exec_shell(greylist_milter_t) ++ ++corenet_tcp_bind_movaz_ssc_port(greylist_milter_t) ++corenet_tcp_connect_movaz_ssc_port(greylist_milter_t) ++ + # Allow the milter to read a GeoIP database in /usr/share + files_read_usr_files(greylist_milter_t) + # The milter runs from /var/lib/milter-greylist and maintains files there +@@ -81,13 +111,11 @@ allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; files_search_var_lib(spamass_milter_t) @@ -30278,6 +30833,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads + files_search_etc($1) admin_pattern($1, pads_config_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.7.19/policy/modules/services/pads.te +--- nsaserefpolicy/policy/modules/services/pads.te 2010-04-13 18:44:37.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/pads.te 2011-03-16 13:25:26.960107001 +0000 +@@ -49,6 +49,7 @@ + + dev_read_rand(pads_t) + dev_read_urand(pads_t) ++dev_read_sysfs(pads_t) + + files_read_etc_files(pads_t) + files_search_spool(pads_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/passenger.fc serefpolicy-3.7.19/policy/modules/services/passenger.fc --- nsaserefpolicy/policy/modules/services/passenger.fc 1970-01-01 00:00:00.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/passenger.fc 2010-12-21 07:32:58.000000000 +0000 
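Review bot: `corecmd_exec_bin(greylist_milter_t)` and `corecmd_exec_shell(greylist_milter_t)` let the greylist milter execute system binaries and a shell, and the adjacent `corenet_tcp_bind_movaz_ssc_port` / `corenet_tcp_connect_movaz_ssc_port` pair gives it a listening port, yet none of the four lines carries a comment, whereas the rest of this section annotates each grant (e.g. `# Allow the milter to read a GeoIP database in /usr/share`). A comment naming the helper or configuration option that requires a shell from a mail-filter domain, and why the milter binds the movaz_ssc port rather than only connecting to it, would let a later reviewer tell whether both are still needed. Which program triggers these denials is not visible in the hunk, so the comment text has to come from the report behind the change.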
@@ -30451,8 +31017,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pass +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.19/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/pcscd.te 2010-08-17 13:11:28.000000000 +0000 -@@ -42,6 +42,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/pcscd.te 2011-03-16 13:35:33.824107001 +0000 +@@ -26,6 +26,7 @@ + allow pcscd_t self:unix_stream_socket create_stream_socket_perms; + allow pcscd_t self:unix_dgram_socket create_socket_perms; + allow pcscd_t self:tcp_socket create_stream_socket_perms; ++allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) + manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) +@@ -42,6 +43,7 @@ corenet_tcp_sendrecv_all_ports(pcscd_t) corenet_tcp_connect_http_port(pcscd_t) @@ -30460,6 +31034,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc dev_rw_generic_usb_dev(pcscd_t) dev_rw_smartcard(pcscd_t) dev_rw_usbfs(pcscd_t) +@@ -78,3 +80,7 @@ + optional_policy(` + rpm_use_script_fds(pcscd_t) + ') ++ ++optional_policy(` ++ udev_read_db(pcscd_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.19/policy/modules/services/pegasus.te --- nsaserefpolicy/policy/modules/services/pegasus.te 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/pegasus.te 2010-05-28 07:42:00.000000000 +0000 
@@ -30746,8 +31328,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.7.19/policy/modules/services/piranha.te --- nsaserefpolicy/policy/modules/services/piranha.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2010-09-09 11:14:39.000000000 +0000 -@@ -0,0 +1,230 @@ ++++ serefpolicy-3.7.19/policy/modules/services/piranha.te 2011-03-16 13:12:36.310107001 +0000 +@@ -0,0 +1,308 @@ + +policy_module(piranha,1.0.0) + @@ -30850,6 +31432,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) +fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file }) + ++#cjp: adds luci.ini file ++#bug: 684198 ++create_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t) ++ +piranha_pulse_initrc_domtrans(piranha_web_t) + +kernel_read_kernel_sysctls(piranha_web_t) @@ -30900,6 +31486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +# needed by nanny +corenet_tcp_connect_ftp_port(piranha_lvs_t) +corenet_tcp_connect_http_port(piranha_lvs_t) ++corenet_tcp_connect_smtp_port(piranha_lvs_t) + +sysnet_dns_name_resolve(piranha_lvs_t) + @@ -30918,6 +31505,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +# piranha-pulse local policy +# + ++allow piranha_pulse_t self:capability net_admin; ++ +allow piranha_pulse_t self:packet_socket create_socket_perms; + +# pulse starts fos and lvs daemon 
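Review bot: `allow piranha_pulse_t self:capability net_admin;` is added without a comment, while the neighbouring rules in this file explain their purpose (`# needed by nanny`, `# pulse starts fos and lvs daemon`); `net_admin` covers interface and routing configuration among other things, so a one-line note such as `# pulse moves the virtual IPs on failover` (confirm against the operation that was denied) would document why the HA daemon needs it. The `create_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)` addition in the hunk above is annotated with its bug number, which is the style the capability line should follow.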
@@ -30927,18 +31516,89 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira +domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t) +allow piranha_pulse_t piranha_lvs_t:process signal; + ++kernel_read_kernel_sysctls(piranha_pulse_t) ++kernel_read_rpc_sysctls(piranha_pulse_t) ++kernel_read_system_state(piranha_pulse_t) ++kernel_rw_rpc_sysctls(piranha_pulse_t) ++kernel_search_debugfs(piranha_pulse_t) ++kernel_search_network_state(piranha_pulse_t) ++ ++corecmd_exec_bin(piranha_pulse_t) ++corecmd_exec_shell(piranha_pulse_t) ++consoletype_exec(piranha_pulse_t) ++ +corenet_udp_bind_apertus_ldp_port(piranha_pulse_t) + ++domain_read_all_domains_state(piranha_pulse_t) ++domain_getattr_all_domains(piranha_pulse_t) ++#domain_dontaudit_ptrace_all_domains(piranha_pulse_t) ++ ++fs_getattr_all_fs(piranha_pulse_t) ++ +sysnet_dns_name_resolve(piranha_pulse_t) + ++auth_use_nsswitch(piranha_pulse_t) ++ ++logging_send_syslog_msg(piranha_pulse_t) ++ ++miscfiles_read_localization(piranha_pulse_t) ++ ++optional_policy(` ++ apache_domtrans(piranha_pulse_t) ++ apache_signal(piranha_pulse_t) ++') ++ ++optional_policy(` ++ ftp_domtrans(piranha_pulse_t) ++ ftp_initrc_domtrans(piranha_pulse_t) ++') ++ ++optional_policy(` ++ hostname_exec(piranha_pulse_t) ++') ++ ++optional_policy(` ++ ldap_initrc_domtrans(piranha_pulse_t) ++ ldap_domtrans(piranha_pulse_t) ++') ++ ++optional_policy(` ++ mysql_domtrans_mysql_safe(piranha_pulse_t) ++ mysql_stream_connect(piranha_pulse_t) ++') ++ ++optional_policy(` ++ netutils_domtrans(piranha_pulse_t) ++ netutils_domtrans_ping(piranha_pulse_t) ++') ++ ++optional_policy(` ++ postgresql_domtrans(piranha_pulse_t) ++ postgresql_signal(piranha_pulse_t) ++') ++ +optional_policy(` -+ netutils_domtrans_ping(piranha_pulse_t) ++ samba_initrc_domtrans(piranha_pulse_t) ++ samba_domtrans_smbd(piranha_pulse_t) ++ samba_domtrans_nmbd(piranha_pulse_t) ++ samba_manage_var_files(piranha_pulse_t) ++ samba_rw_config(piranha_pulse_t) ++ 
samba_signal_smbd(piranha_pulse_t) ++ samba_signal_nmbd(piranha_pulse_t) +') + +optional_policy(` + sysnet_domtrans_ifconfig(piranha_pulse_t) +') + ++optional_policy(` ++ udev_read_db(piranha_pulse_t) ++') ++ ++#optional_policy(` ++# unconfined_domain(piranha_pulse_t) ++#') ++ +#################################### +# +# piranha domains common policy @@ -34255,7 +34915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi init_labeled_script_domtrans($1, radiusd_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.7.19/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/radius.te 2011-01-03 09:47:38.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/radius.te 2011-03-16 14:38:53.600107001 +0000 @@ -37,7 +37,7 @@ # gzip also needs chown access to preserve GID for radwtmp files allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; 
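Review bot: The hunk leaves two commented-out rules in the new piranha_pulse section, `#domain_dontaudit_ptrace_all_domains(piranha_pulse_t)` and the commented-out `optional_policy` block wrapping `unconfined_domain(piranha_pulse_t)`; both should be removed or carry a note saying why they are kept, since a parked `unconfined_domain` reads like an unfinished experiment. The section also gives pulse domain transitions and init-script control over apache, ftpd, ldap, mysql, postgresql and samba plus `samba_rw_config` and `samba_manage_var_files`, with no comment comparable to the existing `# pulse starts fos and lvs daemon`; a line such as `# pulse (re)starts the services it fails over and updates smb.conf on the standby node` (confirm which services piranha actually manages) would explain the breadth. `kernel_rw_rpc_sysctls(piranha_pulse_t)` is likewise unexplained. The piranha_pulse section continues past the end of this hunk.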
@@ -34265,7 +34925,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi allow radiusd_t self:fifo_file rw_fifo_file_perms; allow radiusd_t self:unix_stream_socket create_stream_socket_perms; allow radiusd_t self:tcp_socket create_stream_socket_perms; -@@ -79,6 +79,7 @@ +@@ -60,8 +60,9 @@ + manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) + + manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) ++manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) + manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +-files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file }) ++files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) + + kernel_read_kernel_sysctls(radiusd_t) + kernel_read_system_state(radiusd_t) +@@ -79,6 +80,7 @@ corenet_udp_bind_radius_port(radiusd_t) corenet_tcp_connect_mysqld_port(radiusd_t) corenet_tcp_connect_snmp_port(radiusd_t) @@ -34273,14 +34944,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi corenet_sendrecv_radius_server_packets(radiusd_t) corenet_sendrecv_radacct_server_packets(radiusd_t) corenet_sendrecv_mysqld_client_packets(radiusd_t) -@@ -131,6 +132,7 @@ +@@ -130,6 +132,7 @@ + ') optional_policy(` - samba_read_var_files(radiusd_t) + samba_domtrans_winbind_helper(radiusd_t) + samba_read_var_files(radiusd_t) ') - optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.19/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/razor.fc 2010-05-28 07:42:00.000000000 +0000 
@@ -34393,7 +35064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.7.19/policy/modules/services/remotelogin.te --- nsaserefpolicy/policy/modules/services/remotelogin.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/remotelogin.te 2010-11-08 14:03:03.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/remotelogin.te 2011-03-16 13:26:33.488107001 +0000 @@ -50,6 +50,7 @@ fs_search_auto_mountpoints(remote_login_t) @@ -34402,6 +35073,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo auth_rw_login_records(remote_login_t) auth_rw_faillog(remote_login_t) +@@ -88,6 +89,7 @@ + # since very weak authentication is used. + userdom_signal_unpriv_users(remote_login_t) + userdom_spec_domtrans_unpriv_users(remote_login_t) ++userdom_rw_user_tmp_files(remote_login_t) + + # Search for mail spool file. + mta_getattr_spool(remote_login_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/resmgr.if serefpolicy-3.7.19/policy/modules/services/resmgr.if --- nsaserefpolicy/policy/modules/services/resmgr.if 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/resmgr.if 2010-09-16 13:29:11.000000000 +0000 @@ -36522,7 +37201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2011-02-25 12:35:52.540685721 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2011-03-16 14:07:00.624107001 +0000 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
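Review bot: `userdom_rw_user_tmp_files(remote_login_t)` is inserted directly under the comment `# since very weak authentication is used.`, which justifies only the signal and domain-transition rules above it; read/write access to every unprivileged user's tmp files is a different kind of grant and deserves its own comment naming the file the login program touches (not visible in this hunk, so it has to come from the report behind the change). If a single file is involved, a dedicated type with a filetrans, or a narrower interface, would keep a daemon described as weakly authenticated from reaching all user tmp content.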
@@ -36537,6 +37216,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type nmbd_t; type nmbd_exec_t; init_daemon_domain(nmbd_t, nmbd_exec_t) +@@ -146,8 +153,8 @@ + type winbind_log_t; + logging_log_file(winbind_log_t) + +-type winbind_tmp_t; +-files_tmp_file(winbind_tmp_t) ++#type winbind_tmp_t; ++#files_tmp_file(winbind_tmp_t) + + type winbind_var_run_t; + files_pid_file(winbind_var_run_t) @@ -156,7 +163,7 @@ # # Samba net local policy @@ -36565,7 +37255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` pcscd_read_pub_files(samba_net_t) -@@ -216,13 +225,14 @@ +@@ -216,13 +225,15 @@ optional_policy(` kerberos_use(samba_net_t) @@ -36577,11 +37267,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb # smbd Local policy # -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; -+allow smbd_t self:capability { chown fowner setgid setuid sys_admin sys_nice sys_resource kill lease dac_override dac_read_search }; ++ ++allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; -@@ -255,7 +265,7 @@ +@@ -255,7 +266,7 @@ manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) 
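Review bot: `type winbind_tmp_t;` and `files_tmp_file(winbind_tmp_t)` are commented out rather than deleted, and nothing in this hunk aliases the old name, so files on an upgraded system still labeled winbind_tmp_t would be treated as unlabeled unless an alias is declared in a hunk not shown (this same commit uses `type krb5_host_rcache_t alias saslauthd_tmp_t;` for saslauthd's tmp type, which suggests winbind's is meant to be handled the same way). Commented-out declarations should be removed outright; if the type is being merged into krb5_host_rcache_t, the alias belongs next to the saslauthd one in kerberos.te.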
@@ -36590,7 +37281,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) manage_files_pattern(smbd_t, samba_var_t, samba_var_t) -@@ -275,6 +285,8 @@ +@@ -271,10 +282,14 @@ + manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) +-files_pid_filetrans(smbd_t, smbd_var_run_t, file) ++files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) ++ ++allow smbd_t swat_t:process signal; allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; @@ -36599,7 +37297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) -@@ -306,16 +318,23 @@ +@@ -306,16 +321,23 @@ dev_read_urand(smbd_t) dev_getattr_mtrr_dev(smbd_t) dev_dontaudit_getattr_usbfs_dirs(smbd_t) @@ -36623,7 +37321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -325,6 +344,9 @@ +@@ -325,6 +347,9 @@ files_read_etc_runtime_files(smbd_t) files_read_usr_files(smbd_t) files_search_spool(smbd_t) @@ -36633,7 +37331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -337,10 +359,13 @@ +@@ -337,10 +362,13 @@ miscfiles_read_public_files(smbd_t) userdom_use_unpriv_users_fds(smbd_t) @@ -36648,7 +37346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -352,19 +377,19 @@ +@@ -352,19 +380,19 @@ ') tunable_policy(`samba_domain_controller',` 
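Review bot: `allow smbd_t swat_t:process signal;` added to the smbd section duplicates the identical rule that already exists in the SWAT section of this file (visible as context further down, next to `samba_domtrans_smbd(swat_t)`); the compiler merges duplicate allow rules, but keeping one copy avoids confusion about where the cross-domain signal is granted. Since SWAT is the side that starts smbd via `samba_domtrans_smbd(swat_t)`, the SWAT section is the natural home and the new line here can be dropped.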
@@ -36674,7 +37372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') # Support Samba sharing of NFS mount points -@@ -376,6 +401,15 @@ +@@ -376,6 +404,15 @@ fs_manage_nfs_named_sockets(smbd_t) ') @@ -36690,7 +37388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) -@@ -391,6 +425,11 @@ +@@ -391,6 +428,11 @@ ') optional_policy(` @@ -36702,7 +37400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb rpc_search_nfs_state_data(smbd_t) ') -@@ -405,13 +444,15 @@ +@@ -405,13 +447,15 @@ tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -36719,7 +37417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb auth_read_all_files_except_shadow(nmbd_t) ') -@@ -420,8 +461,8 @@ +@@ -420,8 +464,8 @@ auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) @@ -36729,7 +37427,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # -@@ -518,13 +559,13 @@ +@@ -442,8 +486,9 @@ + allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; + allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + ++manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) + manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) +-files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) ++files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file }) + + read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) + read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -518,13 +563,13 @@ allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; allow smbcontrol_t nmbd_t:process { signal signull }; 
@@ -36747,7 +37456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -532,10 +573,14 @@ +@@ -532,10 +577,14 @@ domain_use_interactive_fds(smbcontrol_t) @@ -36762,7 +37471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # smbmount Local policy -@@ -618,7 +663,7 @@ +@@ -618,7 +667,7 @@ # SWAT Local policy # 
@@ -36771,41 +37480,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -@@ -626,23 +671,25 @@ +@@ -626,38 +675,49 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; +-allow swat_t nmbd_t:process { signal signull }; +samba_domtrans_smbd(swat_t) +allow swat_t smbd_t:process { signal signull }; +allow smbd_t swat_t:process signal; -+ -+samba_domtrans_nmbd(swat_t) - allow swat_t nmbd_t:process { signal signull }; -+allow nmbd_t swat_t:process signal; -allow swat_t nmbd_exec_t:file mmap_file_perms; -can_exec(swat_t, nmbd_exec_t) -+allow swat_t smbd_var_run_t:file { lock unlink }; ++samba_domtrans_nmbd(swat_t) ++allow swat_t nmbd_t:process { signal signull }; ++allow nmbd_t swat_t:process signal; -allow swat_t nmbd_var_run_t:file { lock read unlink }; -+allow swat_t smbd_port_t:tcp_socket name_bind; ++allow swat_t nmbd_var_run_t:file read_file_perms; -samba_domtrans_smbd(swat_t) -allow swat_t smbd_t:process { signal signull }; -+allow swat_t nmbd_port_t:udp_socket name_bind; ++allow swat_t smbd_port_t:tcp_socket name_bind; -allow swat_t smbd_var_run_t:file { lock unlink }; -+allow swat_t nmbd_var_run_t:file read_file_perms; ++allow swat_t nmbd_port_t:udp_socket name_bind; rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) -append_files_pattern(swat_t, samba_log_t, samba_log_t) -- ++manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) ++manage_files_pattern(swat_t, samba_log_t, samba_log_t) ++ ++manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) ++ ++manage_files_pattern(swat_t, samba_var_t, samba_var_t) ++files_list_var_lib(swat_t) + allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; -@@ -657,11 +704,14 @@ + + allow swat_t 
smbd_var_run_t:file read_file_perms; ++allow swat_t smbd_var_run_t:file { lock unlink }; + + manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) + manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) + files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) + ++read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) + manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -36815,13 +37539,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; +@@ -694,12 +754,17 @@ + auth_domtrans_chk_passwd(swat_t) + auth_use_nsswitch(swat_t) -+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) ++init_read_utmp(swat_t) ++init_dontaudit_write_utmp(swat_t) + - kernel_read_kernel_sysctls(swat_t) - kernel_read_system_state(swat_t) - kernel_read_network_state(swat_t) -@@ -700,6 +750,8 @@ + logging_send_syslog_msg(swat_t) + logging_send_audit_msgs(swat_t) + logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -36830,23 +37557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -713,12 +765,23 @@ - kerberos_use(swat_t) - ') - -+init_read_utmp(swat_t) -+init_dontaudit_write_utmp(swat_t) -+ -+manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) -+manage_files_pattern(swat_t, samba_log_t, samba_log_t) -+ -+manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) -+ -+manage_files_pattern(swat_t, samba_var_t, samba_var_t) -+files_list_var_lib(swat_t) -+ - ######################################## - # +@@ -718,7 +783,7 @@ # Winbind local policy # 
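Review bot: `allow smbd_t swat_t:process signal;` is added twice on the new side — once here in the SWAT section and once in the smbd section of the `@@ -36590,7 +37281,14 @@` hunk — and the new `allow swat_t smbd_t:process { signal signull };` makes the pre-existing context line `allow swat_t smbd_t:process signull;` redundant; duplicate rules are harmless to the compiler but keep one copy of each so the intent is readable. `manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)` gives swat_t create/write/unlink on samba_secrets_t files, which is the most sensitive type in this module, so it deserves a one-line why-comment naming the file SWAT rewrites rather than sitting unexplained between the log and var rules. The swat_t block continues past the end of this hunk.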
@@ -36855,7 +37566,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -763,6 +826,7 @@ +@@ -752,17 +817,22 @@ + allow winbind_t winbind_log_t:file manage_file_perms; + logging_log_filetrans(winbind_t, winbind_log_t, file) + +-manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) +-manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) +-manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) +-files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) ++#manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) ++#manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) ++#manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) ++#files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) ++userdom_manage_user_tmp_dirs(winbind_t) ++userdom_manage_user_tmp_files(winbind_t) ++userdom_tmp_filetrans_user_tmp(winbind_t, { file dir }) + ++manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) + manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) + manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) +-files_pid_filetrans(winbind_t, winbind_var_run_t, file) ++files_pid_filetrans(winbind_t, winbind_var_run_t, { dir file }) kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) @@ -36863,7 +37594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_exec_bin(winbind_t) -@@ -779,6 +843,9 @@ +@@ -779,6 +849,9 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) 
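Review bot: The four `#manage_*_pattern(winbind_t, winbind_tmp_t, …)` lines in the winbind hunk are commented out rather than removed; dead policy tends to get reactivated by accident, so delete them and state the reason in a comment, e.g. `# winbind tmp content is user_tmp_t (winbind_tmp_t is an alias, see userdomain.te)`. The replacements `userdom_manage_user_tmp_dirs/files(winbind_t)` and `userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })` make winbind's /tmp content share the user_tmp_t type, so winbind_t can now manage every user_tmp_t file and, presumably, any user domain with write access to user_tmp_t can alter winbind's files — confirm that whatever winbind keeps in tmp tolerates that before the alias lands. The matching alias is in the userdomain.te hunk `@@ -51035,7 +51864,7 @@`, and the winbind_t block continues outside this hunk.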
@@ -36873,7 +37604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) -@@ -788,7 +855,7 @@ +@@ -788,7 +861,7 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) @@ -36882,7 +37613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -866,6 +933,18 @@ +@@ -866,6 +939,18 @@ # optional_policy(` @@ -36901,7 +37632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +955,12 @@ +@@ -876,9 +961,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -36926,8 +37657,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.if serefpolicy-3.7.19/policy/modules/services/sasl.if --- nsaserefpolicy/policy/modules/services/sasl.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/sasl.if 2010-09-16 14:45:19.000000000 +0000 -@@ -42,7 +42,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/sasl.if 2011-03-16 13:51:30.211107002 +0000 +@@ -38,11 +38,11 @@ + # + interface(`sasl_admin',` + gen_require(` +- type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t; ++ type saslauthd_t, saslauthd_var_run_t; type saslauthd_initrc_exec_t; ') 
@@ -36936,9 +37672,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl ps_process_pattern($1, saslauthd_t) init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) +@@ -50,9 +50,6 @@ + role_transition $2 saslauthd_initrc_exec_t system_r; + allow $2 system_r; + +- files_list_tmp($1) +- admin_pattern($1, saslauthd_tmp_t) +- + files_list_pids($1) + admin_pattern($1, saslauthd_var_run_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.19/policy/modules/services/sasl.te --- nsaserefpolicy/policy/modules/services/sasl.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/sasl.te 2010-05-28 07:42:00.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/sasl.te 2011-03-16 13:52:02.396107002 +0000 +@@ -20,8 +20,8 @@ + type saslauthd_initrc_exec_t; + init_script_file(saslauthd_initrc_exec_t) + +-type saslauthd_tmp_t; +-files_tmp_file(saslauthd_tmp_t) ++#type saslauthd_tmp_t; ++#files_tmp_file(saslauthd_tmp_t) + + type saslauthd_var_run_t; + files_pid_file(saslauthd_var_run_t) +@@ -39,9 +39,9 @@ + allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; + allow saslauthd_t self:tcp_socket create_socket_perms; + +-allow saslauthd_t saslauthd_tmp_t:dir setattr; +-manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) +-files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) ++#allow saslauthd_t saslauthd_tmp_t:dir setattr; ++#manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) ++#files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) + + manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) + manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) @@ -50,6 +50,9 @@ kernel_read_kernel_sysctls(saslauthd_t) kernel_read_system_state(saslauthd_t) 
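Review bot: The sasl.te hunks comment out `saslauthd_tmp_t` and its three rules instead of deleting them, while the sasl.if hunk drops the type from `sasl_admin`; remove the lines and record the reason in one comment, e.g. `# saslauthd no longer gets a private tmp type`. If saslauthd still creates files under /tmp, nothing on the new side grants that any more, so those accesses will be denied — confirm against the daemon's behaviour or an audit log before shipping. Any other module that still names `saslauthd_tmp_t` in a `gen_require` would fail to load once the type is gone; none is visible in this patch.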
@@ -36949,6 +37719,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl corenet_all_recvfrom_unlabeled(saslauthd_t) corenet_all_recvfrom_netlabel(saslauthd_t) corenet_tcp_sendrecv_generic_if(saslauthd_t) +@@ -95,6 +98,7 @@ + + optional_policy(` + kerberos_keytab_template(saslauthd, saslauthd_t) ++ kerberos_manage_host_rcache(saslauthd_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.fc serefpolicy-3.7.19/policy/modules/services/sendmail.fc --- nsaserefpolicy/policy/modules/services/sendmail.fc 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/sendmail.fc 2010-05-28 07:42:00.000000000 +0000 @@ -38734,7 +39512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-03-08 14:38:01.609413002 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-03-16 12:45:02.432107002 +0000 @@ -34,13 +34,12 @@ ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) @@ -38977,7 +39755,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ifdef(`TODO',` tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd -@@ -376,6 +360,10 @@ +@@ -368,6 +352,7 @@ + # ssh_keygen_t is the type of the ssh-keygen program when run at install time + # and by sysadm_t + ++allow ssh_keygen_t self:capability dac_override; + dontaudit ssh_keygen_t self:capability sys_tty_config; + allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; + +@@ -376,6 +361,10 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms; files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) 
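Review bot: `allow ssh_keygen_t self:capability dac_override;` in the ssh.te hunk lets ssh-keygen bypass DAC permission checks on any file and carries no comment saying why; if the need is read-only, `dac_read_search` is the narrower capability. Whatever the trigger was, a why-comment such as `# for creating host keys where DAC would otherwise deny — see <bug-id placeholder>` lets a later reviewer drop the rule once it is no longer needed. The ssh_keygen_t block continues outside the hunk.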
@@ -38988,7 +39774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. kernel_read_kernel_sysctls(ssh_keygen_t) fs_search_auto_mountpoints(ssh_keygen_t) -@@ -384,6 +372,7 @@ +@@ -384,6 +373,7 @@ dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) @@ -38996,7 +39782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. domain_use_interactive_fds(ssh_keygen_t) -@@ -397,6 +386,11 @@ +@@ -397,6 +387,11 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -39645,8 +40431,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.te serefpolicy-3.7.19/policy/modules/services/vdagent.te --- nsaserefpolicy/policy/modules/services/vdagent.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/vdagent.te 2011-03-09 15:08:02.121980002 +0000 -@@ -0,0 +1,57 @@ ++++ serefpolicy-3.7.19/policy/modules/services/vdagent.te 2011-03-14 13:29:28.840107001 +0000 +@@ -0,0 +1,58 @@ +policy_module(vdagent,1.0.0) + +######################################## @@ -39656,6 +40442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdag + +type vdagent_t; +type vdagent_exec_t; ++init_daemon_domain(vdagent_t, vdagent_exec_t) +udev_system_domain(vdagent_t, vdagent_exec_t) + +type vdagent_var_run_t; 
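Review bot: `init_daemon_domain(vdagent_t, vdagent_exec_t)` is added directly above the existing `udev_system_domain(vdagent_t, vdagent_exec_t)` in vdagent.te, so the domain is now entered both from init and from udev with nothing saying which path is the intended one. A short comment would help, e.g. `# entered from init (service) and from udev (device event) — confirm both are needed`. The vdagent_t declarations continue outside the hunk.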
@@ -42439,7 +43226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic ssh_rw_stream_sockets(application_domain_type) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.19/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.fc 2010-11-10 14:15:13.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.fc 2011-03-10 01:21:39.821980001 +0000 @@ -10,6 +10,7 @@ /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) @@ -42452,13 +43239,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) -+/var/run/faillock(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) ++/var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0) /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2011-01-14 13:33:19.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2011-03-16 12:49:39.669107002 +0000 @@ -41,7 +41,6 @@ ## # 
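Review bot: The authlogin.fc hunk changes `/var/run/faillock(/.*)?` from pam_var_run_t to faillog_t, but a directory already on disk keeps its old label until it is relabeled; unless /var/run is recreated at boot or the package scriptlets run restorecon on that path, login domains whose faillock access now comes only through faillog_t rules will be denied on the stale pam_var_run_t directory. Worth confirming the spec covers this path in whatever relabel step it runs, or noting in the changelog that a relabel is required.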
@@ -42467,7 +43254,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo # for SSP/ProPolice dev_read_urand($1) # for encrypted homedir -@@ -91,9 +90,12 @@ +@@ -66,6 +65,11 @@ + optional_policy(` + consolekit_dbus_chat($1) + ') ++ ++ optional_policy(` ++ fprintd_dbus_chat($1) ++ ') ++ + ') + + optional_policy(` +@@ -91,9 +95,12 @@ interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; @@ -42480,7 +43279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) -@@ -107,6 +109,7 @@ +@@ -107,6 +114,7 @@ allow $1 self:capability ipc_lock; allow $1 self:process setkeycreate; allow $1 self:key manage_key_perms; @@ -42488,15 +43287,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) manage_files_pattern($1, var_auth_t, var_auth_t) -@@ -141,6 +144,7 @@ +@@ -141,6 +149,8 @@ mls_process_set_level($1) mls_fd_share_all_levels($1) ++ auth_manage_faillog($1) + auth_manage_pam_pid($1) auth_use_pam($1) init_rw_utmp($1) -@@ -151,8 +155,43 @@ +@@ -151,8 +161,43 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -42542,7 +43342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -365,13 +404,21 @@ +@@ -365,13 +410,21 @@ ') optional_policy(` @@ -42565,7 +43365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -418,6 +465,7 @@ +@@ -418,6 +471,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -42573,7 +43373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -694,7 +742,7 @@ +@@ -694,7 +748,7 @@ ') files_search_etc($1) 
@@ -42582,7 +43382,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -1500,6 +1548,8 @@ +@@ -738,6 +792,27 @@ + + ####################################### + ## ++## Manage the login failure log. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_manage_faillog',` ++ gen_require(` ++ type faillog_t; ++ ') ++ ++ files_search_pids($1) ++ logging_search_logs($1) ++ allow $1 faillog_t:dir manage_dir_perms; ++ allow $1 faillog_t:file manage_file_perms; ++') ++ ++####################################### ++## + ## Read the last logins log. + ## + ## +@@ -1500,6 +1575,8 @@ # interface(`auth_use_nsswitch',` @@ -42591,7 +43419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1531,7 +1581,15 @@ +@@ -1531,7 +1608,15 @@ ') optional_policy(` @@ -44180,7 +45008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.19/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-09-09 11:43:36.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2011-03-14 09:35:38.335980000 +0000 @@ -14,9 +14,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -44236,7 +45064,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl domain_use_interactive_fds(iptables_t) files_read_etc_files(iptables_t) - files_read_etc_runtime_files(iptables_t) +-files_read_etc_runtime_files(iptables_t) ++files_rw_etc_runtime_files(iptables_t) +files_read_usr_files(iptables_t) auth_use_nsswitch(iptables_t) 
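Review bot: `auth_manage_faillog` grants `faillog_t:dir manage_dir_perms`, which includes rename, rmdir and reparent of the faillog directory itself, while the only visible caller, `auth_login_pgm_domain` in the `@@ -42488,15 +43287,16 @@` hunk, needs to create, rewrite and unlink per-user entries inside it; if nothing has to create or remove the directory, `allow $1 faillog_t:dir rw_dir_perms;` with `manage_file_perms` kept on files is the tighter grant. The description says only "Manage the login failure log", but after the authlogin.fc change the type also labels /var/run/faillock and the body searches both pids and logs, so extend the doc comment to name both locations. Because every login program domain inherits this, the grant is wide by construction and should be documented as such.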
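Review bot: `files_rw_etc_runtime_files(iptables_t)` replaces the read-only interface in the iptables.te hunk and gives iptables_t write access to every etc_runtime_t file rather than the one it needs; a comment naming that file would justify the grant and make it possible to narrow it later, e.g. `# iptables writes <file placeholder> (etc_runtime_t)`. The iptables_t block continues outside the hunk.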
@@ -50972,7 +51801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2011-01-19 16:11:07.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2011-03-16 14:09:58.953107001 +0000 @@ -29,18 +29,18 @@ ## @@ -51035,7 +51864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ubac_constrained(user_devpts_t) -type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; -+type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t sshd_tmp_t auditadm_tmp_t unconfined_tmp_t }; ++type user_tmp_t alias { winbind_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t sshd_tmp_t auditadm_tmp_t unconfined_tmp_t }; typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; files_tmp_file(user_tmp_t) userdom_user_home_content(user_tmp_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 0e66624..9f951f3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 100%{?dist} +Release: 101%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -471,6 +471,16 @@ exit 0 %endif %changelog +* Wed Mar 16 2011 Miroslav Grepl 3.7.19-101 +- Fixes for sandbox/seunshare policy +- Add matahari policy +- Allow shutdown setsched and sys_nice +- Add port definition for dogtag, matahari, movaz ports +- Add label for /etc/securetty +- Fixes for pirahna-pulse policy +- Fixes for radius, samba, dirsrv, kerberos policies +- RHEL6 fixes for MLS policy bugs + * Wed Mar 9 2011 Miroslav Grepl 3.7.19-100 - Add other fixes for spice - Add label for dev/hpilo/*