From 5ea3f10caf39bb59b188d6c423f6e31abab7a627 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 20 2008 16:11:16 +0000 Subject: - Allow stunnel to transition to inetd children domains - Make unconfined_dbusd_t an unconfined domain --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 0118935..be59a68 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1961,7 +1961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.3.1/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2007-12-19 05:32:18.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/prelink.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/admin/prelink.te 2008-03-20 11:58:33.000000000 -0400 @@ -26,7 +26,7 @@ # Local policy # @@ -2021,15 +2021,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.3.1/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-11-16 17:15:26.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/admin/rpm.fc 2008-02-26 08:29:22.000000000 -0500 -@@ -11,6 +11,7 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/rpm.fc 2008-03-19 15:20:22.000000000 -0400 +@@ -11,7 +11,8 @@ /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) +- +/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) - ++/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) + ifdef(`distro_redhat', ` 
@@ -21,6 +22,9 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -8187,7 +8189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-03-05 15:44:05.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-03-20 09:37:55.000000000 -0400 @@ -13,21 +13,16 @@ # template(`apache_content_template',` 
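Review bot: The new file context `/usr/libexec/yumDBUSBackend.py` leaves the `.` unescaped, while the other entries in this patch escape it (`sendmail\.postfix`, `/etc/rc\.d/init\.d/httpd`); file_contexts entries are regular expressions, so the unescaped form also matches names like `yumDBUSBackendXpy`. Use `/usr/libexec/yumDBUSBackend\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)`. Labeling an interpreted D-Bus backend script rpm_exec_t means any caller that has an rpm domain transition lands in rpm_t when it runs this script, so the intended caller (presumably the system bus activation) is worth naming in the commit message. The rpm.fc hunk starts on the previous line of this diff.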
@@ -10551,8 +10553,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +/etc/rc.d/init.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.3.1/policy/modules/services/clamav.if --- nsaserefpolicy/policy/modules/services/clamav.if 2007-01-02 12:57:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/clamav.if 2008-03-17 09:22:39.000000000 -0400 -@@ -91,3 +91,116 @@ ++++ serefpolicy-3.3.1/policy/modules/services/clamav.if 2008-03-20 09:40:34.000000000 -0400 +@@ -38,6 +38,27 @@ + + ######################################## + ## ++## Allow the specified domain to append ++## to clamav log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clamav_append_log',` ++ gen_require(` ++ type clamav_log_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 clamav_log_t:dir list_dir_perms; ++ append_files_pattern($1,clamav_log_t,clamav_log_t) ++') ++ ++######################################## ++## + ## Read clamav configuration files. + ## + ## +@@ -91,3 +112,116 @@ domtrans_pattern($1,clamscan_exec_t,clamscan_t) ') @@ -12669,7 +12699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-03-17 09:13:14.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-03-19 14:48:13.000000000 -0400 @@ -9,6 +9,7 @@ # # Delcarations @@ -12747,7 +12777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus libs_use_ld_so(system_dbusd_t) libs_use_shared_libs(system_dbusd_t) -@@ -121,9 +139,20 @@ +@@ -121,9 +139,26 @@ ') optional_policy(` 
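Review bot: In the new `clamav_append_log` interface, `allow $1 clamav_log_t:dir list_dir_perms;` grants more than appending needs: `append_files_pattern` already allows `search_dir_perms` on the directory, so the explicit line only adds directory listing. Either drop it or narrow it to `allow $1 clamav_log_t:dir search_dir_perms;` so the interface stays append-only as its summary states. If listing is genuinely required by the caller added later in this patch (system_mail_t), a one-line comment naming the program that needs it would justify the wider grant.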
@@ -12767,6 +12797,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + consolekit_dbus_chat(system_dbusd_t) +') + ++optional_policy(` ++ gen_require(` ++ type unconfined_dbusd_t; ++ ') ++ unconfined_domain(unconfined_dbusd_t) ++') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.3.1/policy/modules/services/dcc.if --- nsaserefpolicy/policy/modules/services/dcc.if 2007-03-26 10:39:05.000000000 -0400 @@ -14739,7 +14775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-02-27 16:57:40.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/hal.te 2008-03-20 09:19:51.000000000 -0400 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -14785,7 +14821,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. libs_use_ld_so(hald_t) libs_use_shared_libs(hald_t) libs_exec_ld_so(hald_t) -@@ -265,6 +273,11 @@ +@@ -244,6 +252,10 @@ + ') + + optional_policy(` ++ gpm_dontaudit_getattr_gpmctl(hald_t) ++') ++ ++optional_policy(` + hotplug_read_config(hald_t) + ') + +@@ -265,6 +277,11 @@ ') optional_policy(` @@ -14797,7 +14844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. rpc_search_nfs_state_data(hald_t) ') -@@ -291,7 +304,8 @@ +@@ -291,7 +308,8 @@ # allow hald_acl_t self:capability { dac_override fowner }; 
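Review bot: `unconfined_domain(unconfined_dbusd_t)` in the new optional block removes all confinement from the unconfined user's session bus daemon, and nothing in the hunk or the commit message says why the bus itself, rather than its already-unconfined clients, needs this. A why-comment above the call, e.g. `# unconfined_dbusd_t is the unconfined user's session bus; it is deliberately unconfined because <reason>`, would record the rationale for the next reader. Because this is a full grant, any narrower dbus rules that still exist for unconfined_dbusd_t are now redundant and could be dropped to make the intent clear. This block is removed from unconfined.te later in the same patch, so it is a move rather than a newly introduced grant.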
@@ -14807,7 +14854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) allow hald_t hald_acl_t:process signal; -@@ -304,6 +318,7 @@ +@@ -304,6 +322,7 @@ corecmd_exec_bin(hald_acl_t) dev_getattr_all_chr_files(hald_acl_t) @@ -14815,7 +14862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. dev_getattr_generic_usb_dev(hald_acl_t) dev_getattr_video_dev(hald_acl_t) dev_setattr_video_dev(hald_acl_t) -@@ -325,6 +340,11 @@ +@@ -325,6 +344,11 @@ miscfiles_read_localization(hald_acl_t) @@ -14827,7 +14874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local hald mac policy -@@ -338,10 +358,14 @@ +@@ -338,10 +362,14 @@ manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t) files_search_var_lib(hald_mac_t) @@ -14842,7 +14889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. libs_use_ld_so(hald_mac_t) libs_use_shared_libs(hald_mac_t) -@@ -391,3 +415,7 @@ +@@ -391,3 +419,7 @@ libs_use_shared_libs(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) 
@@ -15904,6 +15951,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail + +type mailscanner_spool_t; +files_type(mailscanner_spool_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.3.1/policy/modules/services/mta.fc +--- nsaserefpolicy/policy/modules/services/mta.fc 2006-11-16 17:15:21.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/mta.fc 2008-03-19 08:31:31.000000000 -0400 +@@ -11,6 +11,7 @@ + /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.3.1/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/mta.if 2008-02-26 08:29:22.000000000 -0500 @@ -16078,7 +16136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-03-06 11:55:52.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-03-20 09:45:38.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # 
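Review bot: Labeling `/bin/mail` as sendmail_exec_t makes every execution of the mailx user agent transition into the mail domain exactly as running the sendmail binary does, yet mail(1) is an interactive MUA that reads the caller's mailbox and rc file rather than an MTA entry point. Check that the mail domains' home-directory rules cover that use (the `files_dontaudit_search_home(system_mail_t)` already in this patch's mta.te suggests they do not), otherwise users reading mail will hit silent denials. If the intent is only to let scripts and cron jobs send through `mail`, a comment next to the entry such as `# mailx: runs in the mail domain so system senders can use it` would make that explicit. Presumably /bin/mail is mailx on the target distribution; confirm against the package before relying on this label.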
@@ -16096,7 +16154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. mta_base_mail_template(system) role system_r types system_mail_t; -@@ -37,30 +40,47 @@ +@@ -37,30 +40,49 @@ # # newalias required this, not sure if it is needed in 'if' file @@ -16122,6 +16180,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + init_use_script_ptys(system_mail_t) ++logging_append_all_logs(system_mail_t) ++ +files_dontaudit_search_home(system_mail_t) userdom_use_sysadm_terms(system_mail_t) userdom_dontaudit_search_sysadm_home_dirs(system_mail_t) @@ -16145,7 +16205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -73,6 +93,7 @@ +@@ -73,6 +95,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) @@ -16153,7 +16213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. cron_dontaudit_write_pipes(system_mail_t) ') -@@ -81,6 +102,11 @@ +@@ -81,6 +104,11 @@ ') optional_policy(` @@ -16165,11 +16225,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') -@@ -136,11 +162,37 @@ +@@ -136,11 +164,38 @@ ') optional_policy(` + clamav_stream_connect(system_mail_t) ++ clamav_append_log(system_mail_t) +') + +optional_policy(` @@ -16204,7 +16265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -@@ -154,3 +206,4 @@ +@@ -154,3 +209,4 @@ cron_read_system_job_tmp_files(mta_user_agent) ') ') 
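Review bot: `logging_append_all_logs(system_mail_t)` in the `@@ -37,30` hunk grants append to every file carrying the logfile attribute, while the specific `clamav_append_log(system_mail_t)` added in the `@@ -136,11` hunk of the same file is only meaningful without the blanket grant; if clamav_log_t is declared with logging_log_file() as refpolicy log types normally are, the second rule is subsumed by the first. Prefer the narrow interface and drop the blanket one. If system_mail_t genuinely must append to arbitrary logs, state which program needs it in a comment, e.g. `# mail filters invoked from the mail domain write their own logs (TODO: which)`, so the wide grant is not carried forward unexamined.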
@@ -17168,13 +17229,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_tcp_connect_all_ports(ypxfr_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.3.1/policy/modules/services/nscd.fc --- nsaserefpolicy/policy/modules/services/nscd.fc 2006-11-16 17:15:20.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/nscd.fc 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/nscd.fc 2008-03-19 17:31:12.000000000 -0400 @@ -9,3 +9,5 @@ /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + -+/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) ++/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.3.1/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2007-03-26 10:39:04.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/nscd.if 2008-02-26 08:29:22.000000000 -0500 @@ -27503,7 +27564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-03-12 15:39:04.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-03-19 15:31:11.000000000 -0400 @@ -61,10 +61,24 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) 
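Review bot: The corrected entry now labels `/etc/rc\.d/init\.d/nscd` as nscd_script_exec_t, but no hunk in this diff declares that type, so it relies on an `init_script_file(nscd_script_exec_t)` declaration already present in nscd.te from an earlier revision; if that is missing, policy load and relabeling will fail on an unknown type. Worth confirming before this lands, since the previous httpd_script_exec_t label at least referenced a type that exists.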
@@ -27537,7 +27598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_read_all_domains_state(auditctl_t) domain_use_interactive_fds(auditctl_t) -@@ -158,6 +173,7 @@ +@@ -158,9 +173,12 @@ mls_file_read_all_levels(auditd_t) mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory @@ -27545,7 +27606,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin seutil_dontaudit_read_config(auditd_t) -@@ -171,6 +187,10 @@ ++sysnet_dns_name_resolve(auditd_t) ++ + userdom_dontaudit_use_unpriv_user_fds(auditd_t) + userdom_dontaudit_search_sysadm_home_dirs(auditd_t) + +@@ -171,6 +189,10 @@ ') optional_policy(` @@ -27556,7 +27622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin seutil_sigchld_newrole(auditd_t) ') -@@ -208,6 +228,7 @@ +@@ -208,6 +230,7 @@ fs_getattr_all_fs(klogd_t) fs_search_auto_mountpoints(klogd_t) @@ -27564,7 +27630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_use_interactive_fds(klogd_t) -@@ -252,7 +273,6 @@ +@@ -252,7 +275,6 @@ dontaudit syslogd_t self:capability sys_tty_config; # setpgid for metalog allow syslogd_t self:process { signal_perms setpgid }; @@ -27572,7 +27638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -262,7 +282,7 @@ +@@ -262,7 +284,7 @@ allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; 
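Review bot: `sysnet_dns_name_resolve(auditd_t)` gives the audit daemon network send/receive on the DNS port plus access to resolver configuration, which widens the exposure of a high-integrity daemon without a stated reason in the hunk or the commit message. If this is for remote audit logging or for resolving the node name, record it with a comment such as `# auditd resolves host names for remote logging / name_format (TODO: confirm trigger)`. If only the resolver files are needed, `sysnet_read_config(auditd_t)` would be the narrower grant. The auditd_t block continues outside the hunk on both sides.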
@@ -27581,7 +27647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; files_pid_filetrans(syslogd_t,devlog_t,sock_file) -@@ -274,6 +294,9 @@ +@@ -274,6 +296,9 @@ # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; @@ -27591,7 +27657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # manage temporary files manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) -@@ -295,6 +318,7 @@ +@@ -295,6 +320,7 @@ kernel_read_messages(syslogd_t) kernel_clear_ring_buffer(syslogd_t) kernel_change_ring_buffer_level(syslogd_t) @@ -27599,7 +27665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin dev_filetrans(syslogd_t,devlog_t,sock_file) dev_read_sysfs(syslogd_t) -@@ -327,6 +351,8 @@ +@@ -327,6 +353,8 @@ # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t) @@ -27608,7 +27674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # syslog-ng can send or receive logs corenet_sendrecv_syslogd_client_packets(syslogd_t) -@@ -339,19 +365,20 @@ +@@ -339,19 +367,20 @@ domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) 
@@ -27631,25 +27697,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -@@ -380,15 +407,11 @@ +@@ -380,15 +409,11 @@ ') optional_policy(` - nis_use_ypbind(syslogd_t) --') -- --optional_policy(` -- nscd_socket_use(syslogd_t) + seutil_sigchld_newrole(syslogd_t) ') optional_policy(` +- nscd_socket_use(syslogd_t) +-') +- +-optional_policy(` - seutil_sigchld_newrole(syslogd_t) + postgresql_stream_connect(syslogd_t) ') optional_policy(` -@@ -399,3 +422,37 @@ +@@ -399,3 +424,37 @@ # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -27963,7 +28029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2008-02-06 10:33:22.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-03-10 12:26:24.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-03-20 12:07:47.000000000 -0400 @@ -22,6 +22,8 @@ type insmod_exec_t; application_domain(insmod_t,insmod_exec_t) @@ -27982,7 +28048,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; -@@ -63,6 +65,7 @@ +@@ -55,6 +57,7 @@ + + kernel_load_module(insmod_t) + kernel_read_system_state(insmod_t) ++kernel_read_network_state(insmod_t) + kernel_write_proc_files(insmod_t) + kernel_mount_debugfs(insmod_t) + kernel_mount_kvmfs(insmod_t) +@@ -63,6 +66,7 @@ kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) kernel_read_hotplug_sysctls(insmod_t) 
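Review bot: `kernel_read_network_state(insmod_t)` in the `@@ -27982` hunk is added without a comment, and insmod/modprobe reading /proc/net is unusual enough that the next maintainer will not know whether it is still needed. A why-comment naming the helper or module that triggers the denial, e.g. `# modprobe install script reads /proc/net (TODO: which one)`, would keep the rule from being cargo-culted forward. The insmod_t rule block continues past the hunk on both sides.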
@@ -27990,7 +28064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti files_read_kernel_modules(insmod_t) # for locking: (cjp: ????) -@@ -76,9 +79,7 @@ +@@ -76,9 +80,7 @@ dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -28001,16 +28075,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti fs_getattr_xattr_fs(insmod_t) -@@ -101,6 +102,7 @@ +@@ -101,6 +103,8 @@ init_use_fds(insmod_t) init_use_script_fds(insmod_t) init_use_script_ptys(insmod_t) +init_spec_domtrans_script(insmod_t) ++init_rw_script_tmp_files(insmod_t) libs_use_ld_so(insmod_t) libs_use_shared_libs(insmod_t) -@@ -118,11 +120,28 @@ - ') +@@ -112,17 +116,32 @@ + + seutil_read_file_contexts(insmod_t) + +-ifdef(`distro_ubuntu',` +- optional_policy(` +- unconfined_domain(insmod_t) +- ') ++optional_policy(` ++ unconfined_domain(insmod_t) ') +term_dontaudit_use_unallocated_ttys(insmod_t) @@ -29837,7 +29920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-03-18 09:14:04.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-03-19 14:42:24.000000000 -0400 @@ -6,35 +6,67 @@ # Declarations # @@ -30117,7 +30200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +278,41 @@ +@@ -219,14 +278,34 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) 
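Review bot: Replacing `ifdef(`distro_ubuntu',` with a bare `optional_policy(`` in the `@@ -28001` hunk makes `unconfined_domain(insmod_t)` apply on every distribution whenever the unconfined module is loaded, so insmod/modprobe, which confined domains reach through the modutils domtrans interfaces, becomes fully unconfined on Fedora as well; neither the subject nor the changelog mentions this. That is a confined-to-unconfined path through module loading and deserves its own changelog line plus a comment at the call, e.g. `# insmod is unconfined: modprobe install/remove scripts run arbitrary programs`, stating the actual reason. If the need is narrower (one specific helper run by modprobe), a domain transition to that helper would keep insmod_t itself confined.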
@@ -30125,13 +30208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` - dbus_stub(unconfined_execmem_t) -+ gen_require(` -+ type unconfined_dbusd_t; -+ ') -+ unconfined_domain(unconfined_dbusd_t) -+') - -+optional_policy(` +- init_dbus_chat_script(unconfined_execmem_t) + dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t) unconfined_dbus_chat(unconfined_execmem_t) @@ -30178,7 +30255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-18 14:56:01.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-18 17:07:34.000000000 -0400 @@ -29,9 +29,14 @@ ') @@ -33545,8 +33622,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-03-17 17:37:52.000000000 -0400 -@@ -0,0 +1,179 @@ ++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-03-19 14:54:18.000000000 -0400 +@@ -0,0 +1,173 @@ + +policy_module(virt,1.0.0) + @@ -33571,7 +33648,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t + +type virtd_t; +type virtd_exec_t; -+domain_type(virtd_t) +init_daemon_domain(virtd_t, virtd_exec_t) + +type virtd_script_exec_t; 
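Review bot: Besides moving the unconfined_dbusd_t block to dbus.te, this hunk newly makes the patch delete upstream's `init_dbus_chat_script(unconfined_execmem_t)`; that is harmless only because `unconfined_domain_noaudit(unconfined_execmem_t)` a few lines above already covers it, and the commit message should say so rather than leave the reader to work it out. Separately, the subject's first item (stunnel transitioning to inetd child domains) has no corresponding hunk anywhere in this diff, so either that change is missing or the message is stale; it may be in a part of the patch not shown here, so please check. The optional_policy block continues after the hunk.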
@@ -33721,11 +33797,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t + xen_stream_connect(virtd_t) + xen_stream_connect_xenstore(virtd_t) +') -+ -+allow virtd_t unconfined_t:dir { getattr search }; -+allow virtd_t unconfined_t:file read; -+allow virtd_t unconfined_t:process getattr; -+allow virtd_t usr_t:file read; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.3.1/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2007-06-21 09:32:04.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/xen.if 2008-02-26 08:29:22.000000000 -0500 @@ -34129,8 +34200,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i +## Policy for staff user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.3.1/policy/modules/users/staff.te --- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-02-26 08:29:22.000000000 -0500 -@@ -0,0 +1,11 @@ ++++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-03-19 11:13:19.000000000 -0400 +@@ -0,0 +1,18 @@ +policy_module(staff,1.0.1) +userdom_admin_login_user_template(staff) + @@ -34142,6 +34213,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t + xserver_domtrans_xdm_xserver(staff_t) +') + ++ifndef(`enable_mls',` ++optional_policy(` ++userdom_role_change_template(staff, unconfined) ++') ++') ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.3.1/policy/modules/users/user.fc --- nsaserefpolicy/policy/modules/users/user.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/users/user.fc 2008-02-26 08:29:22.000000000 -0500 
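Review bot: `userdom_role_change_template(staff, unconfined)` lets any staff_t login switch to the unconfined role, so staff confinement becomes something the user can opt out of rather than something policy enforces; that is a deliberate decision and needs a comment, e.g. `# staff users may change role to unconfined_r; enforced confinement of staff is only kept under MLS`. The new lines are also not indented inside the `ifndef`/`optional_policy` nesting the way the `xserver_domtrans_xdm_xserver(staff_t)` block above is, and the hunk ends with two stray blank lines. Presumably `ifndef(`enable_mls'` is meant to keep MLS builds strict; confirm that MLS-vs-targeted is really the intended axis, since the optional_policy wrapper already handles the unconfined module being absent.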
@@ -34185,8 +34263,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm. +## Policy for webadm user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.3.1/policy/modules/users/webadm.te --- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/users/webadm.te 2008-02-26 08:29:22.000000000 -0500 -@@ -0,0 +1,42 @@ ++++ serefpolicy-3.3.1/policy/modules/users/webadm.te 2008-03-19 11:13:33.000000000 -0400 +@@ -0,0 +1,41 @@ +policy_module(webadm,1.0.0) + +######################################## @@ -34227,8 +34305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm. +gen_require(` + type staff_t; +') -+allow staff_t webadm_t:process transition; -+allow webadm_t staff_t:dir getattr; ++userdom_role_change_template(staff, webadm) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.3.1/policy/modules/users/xguest.fc --- nsaserefpolicy/policy/modules/users/xguest.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/users/xguest.fc 2008-02-26 08:29:22.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index b6953dc..e0994d9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -388,6 +388,8 @@ exit 0 %changelog * Tue Mar 18 2008 Dan Walsh 3.3.1-22 +- Allow stunnel to transition to inetd children domains +- Make unconfined_dbusd_t an unconfined domain * Mon Mar 17 2008 Dan Walsh 3.3.1-21 - Fixes for qemu/virtd
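Review bot: `userdom_role_change_template(staff, webadm)` together with the `gen_require(` type staff_t; ')` above it sits at the module's top level, so webadm now fails to build whenever the staff module is absent, unlike the staff.te change in this same patch, which wraps its role change in `optional_policy(`. Wrap it the same way: `optional_policy(` / `	userdom_role_change_template(staff, webadm)` / `')`; the template presumably declares its own requirements, so the bare gen_require may then be unnecessary — verify against userdomain.if. Replacing the raw `allow staff_t webadm_t:process transition;` with the interface is the right direction. The trailing spec changelog hunk is fine as a record but, as noted on the unconfined.te hunk, its first line describes a change not present in this diff.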