From 65118eb58e09b62df302434dac8092153bc6c4ae Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jul 23 2007 20:07:20 +0000 Subject: - --- diff --git a/policy-20070501.patch b/policy-20070501.patch index d258fab..199ad94 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -1459,7 +1459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.6.4/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.if 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.if 2007-07-17 08:14:36.000000000 -0400 @@ -988,3 +988,23 @@ mmap_files_pattern($1,bin_t,exec_type) @@ -2161,8 +2161,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-07-13 13:11:46.000000000 -0400 -@@ -54,17 +54,29 @@ ++++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te 2007-07-23 10:45:02.000000000 -0400 +@@ -43,6 +43,11 @@ + # + # Non-persistent/pseudo filesystems + # ++type anon_inodefs_t; ++fs_type(anon_inodefs_t) ++files_mountpoint(anon_inodefs_t) ++genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) ++ + type bdev_t; + fs_type(bdev_t) + genfscon bdev / gen_context(system_u:object_r:bdev_t,s0) +@@ -54,17 +59,29 @@ type capifs_t; fs_type(capifs_t) 
@@ -2192,7 +2204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -83,6 +95,11 @@ +@@ -83,6 +100,11 @@ fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) @@ -2204,7 +2216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type nfsd_fs_t; fs_type(nfsd_fs_t) genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) -@@ -105,6 +122,16 @@ +@@ -105,6 +127,16 @@ genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0) files_mountpoint(rpc_pipefs_t) @@ -2518,7 +2530,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide manage_files_pattern(aide_t,aide_db_t,aide_db_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-2.6.4/policy/modules/services/amavis.if --- nsaserefpolicy/policy/modules/services/amavis.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/amavis.if 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/amavis.if 2007-07-18 09:59:37.000000000 -0400 +@@ -37,7 +37,7 @@ + ') + + files_search_spool($1) +- allow $1 amavis_spool_t:file { getattr read }; ++ read_files_pattern($1,amavis_spool_t, amavis_spool_t) + ') + + ######################################## @@ -167,3 +167,22 @@ allow $1 amavis_var_run_t:file setattr; files_search_pids($1) @@ -2539,7 +2560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav + type amavis_var_run_t; + ') + -+ allow $1 amavis_var_run_t:file create_file_perms; ++ manage_files_pattern($1,amavis_var_run_t,amavis_var_run_t) + files_search_pids($1) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.6.4/policy/modules/services/amavis.te 
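Review bot: In the `@@ -2539,7 +2560,7 @@` hunk, replacing `allow $1 amavis_var_run_t:file create_file_perms;` with `manage_files_pattern($1,amavis_var_run_t,amavis_var_run_t)` widens the grant from creating PID files to reading, writing, unlinking and renaming them, plus add_name/remove_name on the directory. The interface header is outside the hunk so I cannot see its name or summary, but if it is still described as a "create" interface the summary should be changed to something like `## Create, read, write, and delete amavis PID files.`, or the manage grant split into its own interface, so callers do not silently receive more than they asked for.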
@@ -2829,8 +2850,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-07-13 13:11:46.000000000 -0400 -@@ -47,6 +47,13 @@ ++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-07-23 10:49:04.000000000 -0400 +@@ -30,6 +30,13 @@ + + ## + ##

++## Allow Apache to communicate with avahi via dbus ++##

++##
++gen_tunable(allow_httpd_dbus_avahi,false) ++ ++## ++##

+ ## Allow Apache to use mod_auth_pam + ##

+ ##
+@@ -47,6 +54,13 @@ ## Allow http daemon to tcp connect ##

## @@ -2844,7 +2879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac gen_tunable(httpd_can_network_connect,false) ## -@@ -106,6 +113,27 @@ +@@ -106,6 +120,27 @@ ## gen_tunable(httpd_unified,false) @@ -2872,7 +2907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac attribute httpdcontent; # domains that can exec all users scripts -@@ -215,7 +243,7 @@ +@@ -215,7 +250,7 @@ # Apache server local policy # @@ -2881,7 +2916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -257,6 +285,7 @@ +@@ -257,6 +292,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) @@ -2889,7 +2924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -297,6 +326,7 @@ +@@ -297,6 +333,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -2897,7 +2932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_non_ipsec_sendrecv(httpd_t) corenet_tcp_sendrecv_all_if(httpd_t) -@@ -342,6 +372,9 @@ +@@ -342,6 +379,9 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -2907,7 +2942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -362,6 +395,10 @@ +@@ -362,6 +402,10 @@ mta_send_mail(httpd_t) 
@@ -2918,7 +2953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(httpd_t) term_dontaudit_use_generic_ptys(httpd_t) -@@ -382,6 +419,7 @@ +@@ -382,6 +426,7 @@ # tunable_policy(`allow_httpd_mod_auth_pam',` auth_domtrans_chk_passwd(httpd_t) @@ -2926,7 +2961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -389,6 +427,14 @@ +@@ -389,6 +434,14 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -2941,7 +2976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -416,6 +462,10 @@ +@@ -416,6 +469,10 @@ allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms; ') @@ -2952,7 +2987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -433,11 +483,21 @@ +@@ -433,11 +490,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -2974,7 +3009,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -668,6 +728,12 @@ +@@ -445,6 +512,11 @@ + allow httpd_sys_script_t httpd_t:process sigchld; + ') + ++tunable_policy(`allow_httpd_dbus_avahi',` ++ avahi_dbus_chat(httpd_t) ++ dbus_system_bus_client_template(httpd,httpd_t) ++') ++ + # When the admin starts the server, the server wants to access + # the TTY or PTY associated with the session. The httpd appears + # to run correctly without this permission, so the permission +@@ -668,6 +740,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') 
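Review bot: The new `tunable_policy(`allow_httpd_dbus_avahi',` block in the `@@ -445,6 +512,11 @@` hunk calls `avahi_dbus_chat(httpd_t)` and `dbus_system_bus_client_template(httpd,httpd_t)` with no enclosing `optional_policy(`, so the apache module now hard-depends on the avahi and dbus modules; the cups.te change in this same commit wraps its `avahi_dbus_chat(cupsd_t)` in `optional_policy(` and this one should too. Separately, `dbus_system_bus_client_template` is a template, and refpolicy templates conventionally declare types; if it does (I cannot see dbus.if here, so confirm), it cannot sit inside a conditional block and must be hoisted out of the `tunable_policy`, leaving only the avahi chat under the boolean. That trade-off means httpd gets the system bus client rules unconditionally and only the avahi conversation is gated, which is worth stating in the tunable's description. A rewrite along these lines is below.
```m4
optional_policy(`
	dbus_system_bus_client_template(httpd,httpd_t)

	tunable_policy(`allow_httpd_dbus_avahi',`
		avahi_dbus_chat(httpd_t)
	')
')
```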
@@ -2987,7 +3034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -706,7 +772,8 @@ +@@ -706,7 +784,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -2997,7 +3044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -720,6 +787,8 @@ +@@ -720,6 +799,8 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -3006,7 +3053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file { getattr append }; ') -@@ -730,11 +799,21 @@ +@@ -730,11 +811,21 @@ ') ') @@ -3028,7 +3075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -788,3 +867,19 @@ +@@ -788,3 +879,19 @@ term_dontaudit_use_generic_ptys(httpd_rotatelogs_t) term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t) ') @@ -3336,7 +3383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind fs_getattr_xattr_fs(ndc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.6.4/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/clamav.te 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/clamav.te 2007-07-18 09:57:41.000000000 -0400 @@ -126,6 +126,7 @@ amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) 
@@ -3355,8 +3402,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam kernel_read_kernel_sysctls(clamscan_t) files_read_etc_files(clamscan_t) -@@ -230,3 +234,7 @@ +@@ -228,5 +232,13 @@ + clamav_stream_connect(clamscan_t) + optional_policy(` ++ amavis_read_spool_files(clamscan_t) ++') ++ ++optional_policy(` apache_read_sys_content(clamscan_t) ') + @@ -3805,7 +3858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-07-19 10:33:19.000000000 -0400 @@ -93,8 +93,6 @@ # generic socket here until appletalk socket is available in kernels allow cupsd_t self:socket create_socket_perms; @@ -3865,7 +3918,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_all_users_home_content(cupsd_t) -@@ -284,6 +288,10 @@ +@@ -233,6 +237,10 @@ + lpd_relabel_spool(cupsd_t) + ') + ++optional_policy(` ++ avahi_dbus_chat(cupsd_t) ++') ++ + ifdef(`targeted_policy',` + files_dontaudit_read_root_files(cupsd_t) + +@@ -284,6 +292,10 @@ ') optional_policy(` @@ -3876,7 +3940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups nscd_socket_use(cupsd_t) ') -@@ -294,6 +302,10 @@ +@@ -294,6 +306,10 @@ ') optional_policy(` @@ -3887,7 +3951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_sigchld_newrole(cupsd_t) ') -@@ -587,7 +599,7 @@ +@@ -587,7 +603,7 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) 
@@ -4121,8 +4185,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-2.6.4/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/dovecot.fc 2007-07-13 13:11:46.000000000 -0400 -@@ -17,10 +17,12 @@ ++++ serefpolicy-2.6.4/policy/modules/services/dovecot.fc 2007-07-23 09:12:37.000000000 -0400 +@@ -17,16 +17,19 @@ ifdef(`distro_debian', ` /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) @@ -4135,6 +4199,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove ') # + # /var + # + /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) ++/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) + + /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-2.6.4/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/dovecot.if 2007-07-13 13:11:46.000000000 -0400 @@ -5283,16 +5354,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.6.4/policy/modules/services/ntp.te --- nsaserefpolicy/policy/modules/services/ntp.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/ntp.te 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/ntp.te 2007-07-19 10:44:29.000000000 -0400 
@@ -36,6 +36,7 @@ dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms setcap setsched setrlimit }; allow ntpd_t self:fifo_file { read write getattr }; -+allow ntpd_t self:shm rw_shm_perms; ++allow ntpd_t self:shm create_shm_perms; allow ntpd_t self:unix_dgram_socket create_socket_perms; allow ntpd_t self:unix_stream_socket create_socket_perms; allow ntpd_t self:tcp_socket create_stream_socket_perms; -@@ -137,6 +138,10 @@ +@@ -81,6 +82,8 @@ + + fs_getattr_all_fs(ntpd_t) + fs_search_auto_mountpoints(ntpd_t) ++# Necessary to communicate with gpsd devices ++fs_rw_tmpfs_files(ntpd_t) + + auth_use_nsswitch(ntpd_t) + +@@ -106,6 +109,8 @@ + + sysnet_read_config(ntpd_t) + ++term_use_ptmx(ntpd_t) ++ + userdom_dontaudit_use_unpriv_user_fds(ntpd_t) + userdom_list_sysadm_home_dirs(ntpd_t) + userdom_dontaudit_list_sysadm_home_dirs(ntpd_t) +@@ -137,6 +142,10 @@ ') optional_policy(` 
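Review bot: `fs_rw_tmpfs_files(ntpd_t)` in the `@@ -81,6 +82,8 @@` hunk grants read/write on every generic tmpfs file on the system, not just whatever gpsd shares with ntpd, and the comment `# Necessary to communicate with gpsd devices` does not say so; it should record the breadth, e.g. `# gpsd <-> ntpd data exchange (presumably the SHM refclock); note this allows rw on all tmpfs_t files`. The `term_use_ptmx(ntpd_t)` line added in the `@@ -106,6 +109,8 @@` hunk and the `rw_shm_perms` to `create_shm_perms` change on `self:shm` in the first hunk carry no comment at all. Each of these is a widening of ntpd's footprint and should have a one-line reason so a later audit can check whether it is still needed.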
@@ -5728,15 +5817,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-2.6.4/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/postfix.if 2007-07-13 13:11:46.000000000 -0400 -@@ -124,6 +124,7 @@ - allow postfix_$1_t self:udp_socket create_socket_perms; ++++ serefpolicy-2.6.4/policy/modules/services/postfix.if 2007-07-16 09:36:11.000000000 -0400 +@@ -41,6 +41,7 @@ + allow postfix_$1_t self:unix_stream_socket connectto; - domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) + allow postfix_master_t postfix_$1_t:process signal; + allow postfix_$1_t postfix_master_t:file read; - corenet_non_ipsec_sendrecv(postfix_$1_t) - corenet_tcp_sendrecv_all_if(postfix_$1_t) + allow postfix_$1_t postfix_etc_t:dir list_dir_perms; + read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t) @@ -137,10 +138,8 @@ corenet_tcp_connect_all_ports(postfix_$1_t) corenet_sendrecv_all_client_packets(postfix_$1_t) @@ -5843,7 +5932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-07-18 10:00:24.000000000 -0400 @@ -84,6 +84,12 @@ type postfix_var_run_t; files_pid_file(postfix_var_run_t) 
@@ -5943,7 +6032,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_smtp_t) ') -@@ -552,9 +580,45 @@ +@@ -536,6 +564,7 @@ + # + # Postfix smtpd local policy + # ++allow postfix_smtpd_t self:capability sys_chroot; + allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; + + # connect to master process +@@ -552,9 +581,45 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` @@ -6085,7 +6182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-2.6.4/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/radius.te 2007-07-13 13:11:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/radius.te 2007-07-23 10:49:13.000000000 -0400 @@ -81,6 +81,7 @@ auth_read_shadow(radiusd_t) @@ -6094,7 +6191,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi corecmd_exec_bin(radiusd_t) corecmd_exec_shell(radiusd_t) -@@ -130,3 +131,7 @@ +@@ -98,6 +99,7 @@ + logging_send_syslog_msg(radiusd_t) + + miscfiles_read_localization(radiusd_t) ++miscfiles_read_certs(radiusd_t) + + sysnet_read_config(radiusd_t) + +@@ -130,3 +132,7 @@ optional_policy(` udev_read_db(radiusd_t) ') 
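Review bot: `allow postfix_smtpd_t self:capability sys_chroot;` in the `@@ -536,6 +564,7 @@` hunk adds a capability with no comment, and the policy file is the one place a later auditor will look for the reason. Postfix runs smtpd chrooted only when the chroot column is enabled for it in master.cf, so a line such as `# smtpd chroots itself when chroot is enabled in master.cf` above the rule would record why the grant exists; if the shipped master.cf never enables chroot for smtpd, the rule is unnecessary and could be dropped rather than kept as a standing capability.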
@@ -6381,8 +6486,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_search_auto_mountpoints($1_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-07-13 13:11:46.000000000 -0400 -@@ -79,6 +79,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2007-07-16 16:14:39.000000000 -0400 +@@ -59,6 +59,8 @@ + manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) + files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) + ++corecmd_exec_bin(rpcd_t) ++ + kernel_read_system_state(rpcd_t) + kernel_search_network_state(rpcd_t) + # for rpc.rquotad +@@ -79,6 +81,7 @@ optional_policy(` nis_read_ypserv_config(rpcd_t) @@ -6390,7 +6504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') ######################################## -@@ -91,6 +92,9 @@ +@@ -91,6 +94,9 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; @@ -6400,7 +6514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) -@@ -123,6 +127,7 @@ +@@ -123,6 +129,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) 
@@ -8074,8 +8188,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-2.6.4/policy/modules/system/brctl.te --- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-07-13 13:11:47.000000000 -0400 -@@ -0,0 +1,44 @@ ++++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-07-19 09:02:47.000000000 -0400 +@@ -0,0 +1,50 @@ +policy_module(brctl,1.0.0) + +######################################## @@ -8098,6 +8212,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. +allow brctl_t self:tcp_socket create_socket_perms; +allow brctl_t self:unix_dgram_socket create_socket_perms; + ++dev_search_sysfs(brctl_t) ++ +# Init script handling +domain_use_interactive_fds(brctl_t) + @@ -8120,6 +8236,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. + term_dontaudit_use_unallocated_ttys(brctl_t) + term_dontaudit_use_generic_ptys(brctl_t) +') ++ ++optional_policy(` ++ xen_append_log(brctl_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.6.4/policy/modules/system/clock.te --- nsaserefpolicy/policy/modules/system/clock.te 2007-05-07 14:51:02.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/system/clock.te 2007-07-13 13:11:47.000000000 -0400 @@ -8185,7 +8305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.6.4/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-07-13 13:11:47.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/fstools.te 2007-07-14 08:55:01.000000000 -0400 
@@ -9,6 +9,7 @@ type fsadm_t; type fsadm_exec_t; @@ -8194,6 +8314,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool role system_r types fsadm_t; type fsadm_log_t; +@@ -184,3 +185,8 @@ + fs_dontaudit_write_ramfs_pipes(fsadm_t) + rhgb_stub(fsadm_t) + ') ++ ++optional_policy(` ++ xen_append_log(fsadm_t) ++ xen_rw_image_files(udev_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-2.6.4/policy/modules/system/fusermount.fc --- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/system/fusermount.fc 2007-07-13 13:11:47.000000000 -0400 @@ -8570,8 +8699,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.6.4/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/iptables.te 2007-07-13 13:11:47.000000000 -0400 -@@ -56,11 +56,13 @@ ++++ serefpolicy-2.6.4/policy/modules/system/iptables.te 2007-07-19 09:15:31.000000000 -0400 +@@ -36,6 +36,8 @@ + allow iptables_t iptables_tmp_t:file manage_file_perms; + files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) + ++auth_use_nsswitch(iptables_t) ++ + kernel_read_system_state(iptables_t) + kernel_read_network_state(iptables_t) + kernel_read_kernel_sysctls(iptables_t) +@@ -56,11 +58,13 @@ domain_use_interactive_fds(iptables_t) files_read_etc_files(iptables_t) 
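Review bot: `xen_rw_image_files(udev_t)` in the new `optional_policy(` block of the `@@ -184,3 +185,8 @@` hunk lives in fstools.te, but `udev_t` is not a type this module declares, and it sits directly under `xen_append_log(fsadm_t)`, which looks like a copy-paste slip for `fsadm_t`. As written it either fails a modular build (no `gen_require` brings `udev_t` into scope here) or, where it does resolve, grants udev read/write on Xen disk images from a module nobody maintaining udev policy will look in. Change it to `xen_rw_image_files(fsadm_t)`, or if udev genuinely needs it, move the call into udev.te with a comment saying why.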
@@ -8585,7 +8723,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl libs_use_ld_so(iptables_t) libs_use_shared_libs(iptables_t) -@@ -112,3 +114,7 @@ +@@ -93,15 +97,6 @@ + ') + + optional_policy(` +- # for iptables -L +- nis_use_ypbind(iptables_t) +-') +- +-optional_policy(` +- nscd_socket_use(iptables_t) +-') +- +-optional_policy(` + ppp_dontaudit_use_fds(iptables_t) + ') + +@@ -112,3 +107,7 @@ optional_policy(` udev_read_db(iptables_t) ') @@ -8644,7 +8798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar # vmware diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-07-13 13:11:47.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-07-18 09:35:12.000000000 -0400 @@ -62,7 +62,8 @@ manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t) @@ -8655,17 +8809,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar manage_lnk_files_pattern(ldconfig_t,lib_t,lib_t) -@@ -99,8 +100,7 @@ +@@ -99,8 +100,9 @@ ifdef(`targeted_policy',` allow ldconfig_t lib_t:file read_file_perms; files_read_generic_tmp_symlinks(ldconfig_t) - term_dontaudit_use_generic_ptys(ldconfig_t) -- term_dontaudit_use_unallocated_ttys(ldconfig_t) + files_read_generic_tmp_files(ldconfig_t) + term_dontaudit_use_unallocated_ttys(ldconfig_t) ++ term_dontaudit_use_generic_ptys(ldconfig_t) ') optional_policy(` -@@ -113,4 +113,6 @@ +@@ -113,4 +115,6 @@ # and executes ldconfig on it. If you dont allow this kernel installs # blow up. rpm_manage_script_tmp_files(ldconfig_t) 
@@ -9722,7 +9877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.4/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-07-13 13:11:47.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-07-14 08:51:16.000000000 -0400 @@ -18,11 +18,6 @@ type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) @@ -9937,7 +10092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.6.4/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/unconfined.te 2007-07-13 13:11:47.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/unconfined.te 2007-07-16 13:04:12.000000000 -0400 @@ -6,6 +6,15 @@ # Declarations # @@ -10772,7 +10927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.6.4/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/xen.if 2007-07-13 13:11:47.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/xen.if 2007-07-14 08:55:51.000000000 -0400 @@ -72,12 +72,34 @@ ') @@ -10808,7 +10963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if ## Do not audit attempts to read and write ## Xen unix domain stream sockets. These ## are leaked file descriptors. -@@ -151,3 +173,25 @@ +@@ -151,3 +173,46 @@ domtrans_pattern($1,xm_exec_t,xm_t) ') 
@@ -10834,9 +10989,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if + read_files_pattern($1,xen_image_t,xen_image_t) +') + ++######################################## ++## ++## Allow the specified domain to read/write ++## xend image files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`xen_rw_image_files',` ++ gen_require(` ++ type xen_image_t, xend_var_lib_t; ++ ') ++ ++ files_list_var_lib($1) ++ allow $1 xend_var_lib_t:dir search_dir_perms; ++ rw_files_pattern($1,xen_image_t,xen_image_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.6.4/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/xen.te 2007-07-13 13:11:47.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/xen.te 2007-07-18 16:21:40.000000000 -0400 @@ -25,6 +25,10 @@ domain_type(xend_t) init_daemon_domain(xend_t, xend_exec_t) @@ -10952,7 +11128,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te kernel_read_system_state(xm_t) kernel_read_kernel_sysctls(xm_t) -@@ -352,3 +373,17 @@ +@@ -324,6 +345,7 @@ + kernel_write_xen_state(xm_t) + + corecmd_exec_bin(xm_t) ++corecmd_exec_shell(xm_t) + + corenet_tcp_sendrecv_generic_if(xm_t) + corenet_tcp_sendrecv_all_nodes(xm_t) +@@ -352,3 +374,17 @@ xen_append_log(xm_t) xen_stream_connect(xm_t) xen_stream_connect_xenstore(xm_t)
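Review bot: The new `xen_rw_image_files` interface in the `@@ -10834,9 +10989,30 @@` hunk documents its parameter as `## Domain allowed to transition.`, wording copied from a domtrans interface, while the body grants `rw_files_pattern($1,xen_image_t,xen_image_t)` and performs no transition. The parameter line should read `## Domain allowed access.` to match what the interface actually grants; the summary `## Allow the specified domain to read/write xend image files.` is already accurate, so only the parameter text misleads.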