From 673aca541f1342d6fd4fa0d9f768b329f291eb2b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 11 2008 22:54:33 +0000 Subject: - Allow fail2ban to create sock_files in /var/run --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 223995c..c35009f 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -2926,7 +2926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te application_executable_file(gconfd_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2008-02-06 09:05:24.000000000 -0500 @@ -11,6 +11,7 @@ # /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) 
@@ -2939,10 +2939,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc /usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) +-/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) +-/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) - /usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0) -+ ++/usr/local/matlab/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) ++/usr/matlab(/.*)?/bin/(.*/)?MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) ++/opt/matlab(/.*)?/bin(/.*)?/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/lib(64)?/openoffice\.org/program/soffice\.bin -- gen_context(system_u:object_r:java_exec_t,s0) @@ -3996,7 +3998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-02-11 14:27:53.000000000 -0500 @@ -7,6 +7,7 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) 
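Review bot: The new `/usr/lib(64)?/openoffice\.org/program/soffice\.bin` entry gives OpenOffice the java_exec_t label without saying why, so whatever the java domain is permitted (its .te rules are not in this hunk) now also applies to soffice.bin. A one-line comment above it would spare the next maintainer the archaeology, e.g. `# soffice.bin embeds a JVM; label it java_exec_t so it runs under the same java domain rules` — with the real reason substituted if that guess is wrong. The MATLAB patterns were also widened from `MATLAB.` to `MATLAB.*`, which now labels every regular file whose name starts with MATLAB under those bin trees; if only the launcher is meant, a narrower name pattern would be safer.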
@@ -4033,7 +4035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -126,10 +132,10 @@ +@@ -126,10 +132,11 @@ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -4043,10 +4045,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/cups/drivers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -@@ -163,9 +169,15 @@ +@@ -163,9 +170,15 @@ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -4063,7 +4066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) -@@ -180,6 +192,7 @@ +@@ -180,6 +193,7 @@ /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) @@ -4071,7 +4074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -259,3 +272,23 @@ +@@ -259,3 +273,23 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -4097,7 +4100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/usr/lib/nspluginwrapper/npconfig -- gen_context(system_u:object_r:bin_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in 2008-02-11 14:37:53.000000000 -0500 @@ -903,9 +903,11 @@ interface(`corenet_udp_bind_generic_port',` gen_require(` @@ -4110,7 +4113,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ') ######################################## -@@ -1449,6 +1451,43 @@ +@@ -1386,10 +1388,11 @@ + # + interface(`corenet_tcp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute port_type; ++ type hi_reserved_port_t, reserved_port_t; + ') + +- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; ++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind; + ') + + ######################################## +@@ -1404,10 +1407,11 @@ + # + interface(`corenet_udp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute port_type; ++ type hi_reserved_port_t, reserved_port_t; + ') + +- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; ++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind; + ') + + ######################################## +@@ -1449,6 +1453,43 @@ ######################################## ## 
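Review bot: Replacing `-reserved_port_type` with `-hi_reserved_port_t -reserved_port_t` in `corenet_tcp_bind_all_unreserved_ports` and `corenet_udp_bind_all_unreserved_ports` widens both interfaces: the old rule subtracted every type carrying the `reserved_port_type` attribute, the new one subtracts only two concrete types. Any named port type that carries that attribute but is neither of those two — `biff_port_t` is declared exactly that way in the corenetwork.te.in hunk further down, and the other named ports below 1024 such as auth/113 presumably are too — becomes bindable by every caller of an interface whose name promises "unreserved". If the intent is only to additionally exclude the new hi_reserved_port_t, keeping the attribute is the safer form: `allow $1 { port_type -reserved_port_type -hi_reserved_port_t }:tcp_socket name_bind;` and the same for the udp twin. If the widening is intentional, the interface descriptions (outside this hunk) should say so.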
@@ -4156,7 +4187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-01-22 09:06:06.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-02-11 16:24:42.000000000 -0500 @@ -55,6 +55,11 @@ type reserved_port_t, port_type, reserved_port_type; @@ -4169,7 +4200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene # server_packet_t is the default type of IPv4 and IPv6 server packets. # type server_packet_t, packet_type, server_packet_type; -@@ -67,6 +72,7 @@ +@@ -67,11 +72,12 @@ network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) @@ -4177,6 +4208,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(apcupsd, tcp,3551,s0, udp,3551,s0) network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0) network_port(auth, tcp,113,s0) + network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) +-type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict ++type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strictx + network_port(clamd, tcp,3310,s0) + network_port(clockspeed, udp,4041,s0) + network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) 
@@ -93,10 +99,11 @@ network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port @@ -4630,7 +4667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2008-02-01 23:39:13.000000000 -0500 @@ -6,6 +6,22 @@ # Declarations # @@ -4668,7 +4705,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Use trusted objects in /dev dev_rw_null(domain) -@@ -134,3 +154,32 @@ +@@ -129,8 +149,37 @@ + + # For /proc/pid + allow unconfined_domain_type domain:dir r_dir_perms; +-allow unconfined_domain_type domain:file r_file_perms; ++allow unconfined_domain_type domain:file rw_file_perms; + allow unconfined_domain_type domain:lnk_file r_file_perms; # act on all domains keys allow unconfined_domain_type domain:key *; 
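Review bot: The only difference between the removed and added `type biff_port_t` lines is `strict` → `strictx` at the very end, which looks like an accidental keystroke rather than an intended edit. Everything after `dnl` on that line is discarded by m4, so it has no policy effect, but the stray change will churn every future regeneration of this patch; revert it to `# no defined portcon in current strict`.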
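Review bot: `allow unconfined_domain_type domain:file rw_file_perms;` replaces `r_file_perms` under the `# For /proc/pid` comment with no note on which /proc/<pid> file now needs writing, and the commit message (fail2ban socket files) does not mention it either. Since `domain` is the attribute shared by all process domains (the same one `dev_rw_null(domain)` above relies on), this lets every unconfined domain write the /proc/<pid> files of every other domain, which goes beyond the read-only intent the comment still states; what that actually enables depends on the kernel's per-file checks, which the policy cannot see. Please record the reason next to the rule, e.g. `# For /proc/pid: write needed for <file> (<bug/reason>)`. The surrounding domain.te rules continue outside this hunk.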
@@ -5574,8 +5617,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.8/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.te 2008-01-17 09:03:07.000000000 -0500 -@@ -359,7 +359,7 @@ ++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.te 2008-02-06 16:44:55.000000000 -0500 +@@ -255,6 +255,8 @@ + fs_rw_tmpfs_chr_files(kernel_t) + ') + ++userdom_generic_user_home_dir_filetrans_generic_user_home_content(kernel_t, { file dir }) ++ + tunable_policy(`read_default_t',` + files_list_default(kernel_t) + files_read_default_files(kernel_t) +@@ -359,7 +361,7 @@ allow kern_unconfined proc_type:{ dir file lnk_file } *; @@ -7775,8 +7827,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.8/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cron.te 2008-01-31 15:35:05.000000000 -0500 -@@ -50,6 +50,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/cron.te 2008-02-02 00:06:32.000000000 -0500 +@@ -12,14 +12,6 @@ + + ## + ##
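Review bot: `userdom_generic_user_home_dir_filetrans_generic_user_home_content(kernel_t, { file dir })` is added unconditionally and without a comment, so a reader cannot tell why the kernel domain needs to create files and directories in user home directories, and the commit message does not cover it. It sits directly after a `')` closing a block whose opening is outside the hunk and just before `tunable_policy(`read_default_t',`, so it is hard to tell whether it was meant to be inside a conditional or optional block. Add a one-line why-comment naming the trigger, e.g. `# kernel threads create <what> in user home dirs when <when>` with the real case filled in, or move the call under the relevant tunable/optional block if it is not needed on every system.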

+-## Allow system cron jobs to relabel filesystem +-## for restoring file contexts. +-##

+-##
+-gen_tunable(cron_can_relabel,false) +- +-## +-##

+ ## Enable extra rules in the cron domain + ## to support fcron. + ##

+@@ -50,6 +42,7 @@ type crond_tmp_t; files_tmp_file(crond_tmp_t) @@ -7784,7 +7851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron type crond_var_run_t; files_pid_file(crond_var_run_t) -@@ -71,6 +72,12 @@ +@@ -71,6 +64,12 @@ type system_crond_tmp_t; files_tmp_file(system_crond_tmp_t) @@ -7797,7 +7864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`enable_mcs',` init_ranged_daemon_domain(crond_t,crond_exec_t,s0 - mcs_systemhigh) ') -@@ -80,7 +87,7 @@ +@@ -80,7 +79,7 @@ # Cron Local policy # @@ -7806,7 +7873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; -@@ -99,18 +106,20 @@ +@@ -99,18 +98,20 @@ allow crond_t crond_var_run_t:file manage_file_perms; files_pid_filetrans(crond_t,crond_var_run_t,file) @@ -7831,7 +7898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron dev_read_sysfs(crond_t) selinux_get_fs_mount(crond_t) -@@ -127,6 +136,8 @@ +@@ -127,6 +128,8 @@ # need auth_chkpwd to check for locked accounts. auth_domtrans_chk_passwd(crond_t) @@ -7840,7 +7907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron corecmd_exec_shell(crond_t) corecmd_list_bin(crond_t) -@@ -142,11 +153,14 @@ +@@ -142,11 +145,14 @@ files_search_default(crond_t) init_rw_utmp(crond_t) @@ -7855,7 +7922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -160,6 +174,16 @@ +@@ -160,6 +166,16 @@ mta_send_mail(crond_t) 
@@ -7872,7 +7939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ifdef(`distro_debian',` optional_policy(` # Debian logcheck has the home dir set to its cache -@@ -180,29 +204,34 @@ +@@ -180,29 +196,34 @@ locallogin_link_keys(crond_t) ') @@ -7915,7 +7982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -239,7 +268,6 @@ +@@ -239,7 +260,6 @@ allow system_crond_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file) @@ -7923,7 +7990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -249,6 +277,8 @@ +@@ -249,6 +269,8 @@ # for this purpose. allow system_crond_t system_cron_spool_t:file entrypoint; @@ -7932,7 +7999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # Permit a transition from the crond_t domain to this domain. # The transition is requested explicitly by the modified crond # via setexeccon. There is no way to set up an automatic -@@ -270,9 +300,16 @@ +@@ -270,9 +292,16 @@ filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file }) files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) @@ -7950,7 +8017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron kernel_read_kernel_sysctls(system_crond_t) kernel_read_system_state(system_crond_t) -@@ -326,7 +363,7 @@ +@@ -326,7 +355,7 @@ init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) # prelink tells init to restart it self, we either need to allow or dontaudit 
@@ -7959,7 +8026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron libs_use_ld_so(system_crond_t) libs_use_shared_libs(system_crond_t) -@@ -334,6 +371,7 @@ +@@ -334,6 +363,7 @@ libs_exec_ld_so(system_crond_t) logging_read_generic_logs(system_crond_t) @@ -7967,7 +8034,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron logging_send_syslog_msg(system_crond_t) miscfiles_read_localization(system_crond_t) -@@ -384,6 +422,14 @@ +@@ -349,18 +379,6 @@ + ') + ') + +-tunable_policy(`cron_can_relabel',` +- seutil_domtrans_setfiles(system_crond_t) +-',` +- selinux_get_fs_mount(system_crond_t) +- selinux_validate_context(system_crond_t) +- selinux_compute_access_vector(system_crond_t) +- selinux_compute_create_context(system_crond_t) +- selinux_compute_relabel_context(system_crond_t) +- selinux_compute_user_contexts(system_crond_t) +- seutil_read_file_contexts(system_crond_t) +-') +- + optional_policy(` + # Needed for certwatch + apache_exec_modules(system_crond_t) +@@ -384,6 +402,14 @@ ') optional_policy(` @@ -7982,7 +8068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron mrtg_append_create_logs(system_crond_t) ') -@@ -424,8 +470,7 @@ +@@ -424,8 +450,7 @@ ') optional_policy(` @@ -7992,7 +8078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') optional_policy(` -@@ -433,15 +478,12 @@ +@@ -433,15 +458,12 @@ ') optional_policy(` 
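Review bot: Deleting the `tunable_policy(`cron_can_relabel', ...)` block removes both branches, not just the setfiles transition: the false branch — the default, since the declaration hunk earlier in this diff removes `gen_tunable(cron_can_relabel,false)` — gave system_crond_t `selinux_validate_context`, the `selinux_compute_*` set and `seutil_read_file_contexts`. Unless equivalent unconditional rules for system_crond_t exist elsewhere in cron.te (not visible in this hunk), cron jobs that call into libselinux to validate or compute contexts will start being denied. If the replacement is that `seutil_domtrans_setfiles(system_crond_t)` is now granted unconditionally, that is a widening over the old default of "cron may not relabel" and deserves a mention in the commit message. Either re-add the libselinux rules, e.g. `selinux_validate_context(system_crond_t)` and `seutil_read_file_contexts(system_crond_t)`, or state where they moved; the rest of the system_crond_t policy is outside the hunk.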
@@ -9583,16 +9669,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.0.8/policy/modules/services/fail2ban.fc --- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.fc 2008-01-17 09:03:07.000000000 -0500 -@@ -1,3 +1,4 @@ ++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.fc 2008-02-01 10:04:19.000000000 -0500 +@@ -1,3 +1,5 @@ +/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /var/log/fail2ban.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) /var/run/fail2ban.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0) ++/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.0.8/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te 2008-01-21 13:49:36.000000000 -0500 -@@ -55,6 +55,8 @@ ++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te 2008-02-01 07:42:49.000000000 -0500 +@@ -33,8 +33,9 @@ + logging_log_filetrans(fail2ban_t,fail2ban_log_t,file) + + # pid file ++manage_sock_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t) + manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t) +-files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file) ++files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, { file sock_file }) + + kernel_read_system_state(fail2ban_t) + +@@ -55,6 +56,8 @@ miscfiles_read_localization(fail2ban_t) 
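Review bot: The `# pid file` comment now sits above `manage_sock_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)` and the `{ file sock_file }` filetrans, so it no longer describes the rules under it; `# pid file and control socket in /var/run` would. The new fc entry escapes the dot (`fail2ban\.sock`) while the adjacent pre-existing `/var/run/fail2ban.pid` does not, which is harmless but inconsistent within the same file. Nothing in the hunk grants any client domain `connectto` or write on that socket; if another domain is expected to talk to fail2ban over it, that side of the rule is not in this change — worth confirming.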
@@ -10386,7 +10484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2008-01-21 13:47:32.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2008-02-11 17:49:24.000000000 -0500 @@ -87,6 +87,8 @@ # It wants to check for nscd files_dontaudit_search_pids($1_mail_t) @@ -10427,6 +10525,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ####################################### +@@ -210,9 +207,9 @@ + userdom_user_home_dir_filetrans_user_home_content($1,$1_mail_t,file) + # for reading .forward - maybe we need a new type for it? + # also for delivering mail to maildir +- userdom_manage_user_home_content_dirs($1,mailserver_delivery) +- userdom_manage_user_home_content_files($1,mailserver_delivery) +- userdom_manage_user_home_content_symlinks($1,mailserver_delivery) ++ userdom_manage_all_users_home_content_dirs(mailserver_delivery) ++ userdom_manage_all_users_home_content_files(mailserver_delivery) ++ userdom_manage_all users_home_content_symlinks($1,mailserver_delivery) + userdom_manage_user_home_content_pipes($1,mailserver_delivery) + userdom_manage_user_home_content_sockets($1,mailserver_delivery) + userdom_user_home_dir_filetrans_user_home_content($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file }) @@ -228,6 +225,11 @@ fs_manage_cifs_symlinks($1_mail_t) ') 
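Review bot: `userdom_manage_all users_home_content_symlinks($1,mailserver_delivery)` has a space where the underscore belongs and still passes `$1`, unlike the two sibling calls just above it that were converted to the single-argument `userdom_manage_all_users_home_content_*(mailserver_delivery)` form; m4 will not expand that bare token as an interface call, so the rule is either silently dropped or breaks the module build, depending on how the toolchain treats it. It should read `userdom_manage_all_users_home_content_symlinks(mailserver_delivery)`. Separately, moving from the per-user `userdom_manage_user_home_content_*($1, ...)` interfaces to the `all_users` ones grants mailserver_delivery management of every user's home content rather than this template instance's user; that may be the intent for mail delivery, but it deserves a comment. The template body continues outside the hunk.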
@@ -12700,16 +12811,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. allow pptp_t self:fifo_file { read write }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.0.8/policy/modules/services/procmail.fc --- nsaserefpolicy/policy/modules/services/procmail.fc 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/procmail.fc 2008-01-17 12:36:50.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/procmail.fc 2008-02-04 13:40:59.000000000 -0500 @@ -1,2 +1,4 @@ /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) -+/var/log/procmail\.log -- gen_context(system_u:object_r:procmail_log_t,s0) ++/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.0.8/policy/modules/services/procmail.if --- nsaserefpolicy/policy/modules/services/procmail.if 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/procmail.if 2008-01-17 12:45:51.000000000 -0500 -@@ -39,3 +39,22 @@ ++++ serefpolicy-3.0.8/policy/modules/services/procmail.if 2008-02-06 10:22:52.000000000 -0500 +@@ -39,3 +39,41 @@ corecmd_search_bin($1) can_exec($1,procmail_exec_t) ') 
@@ -12732,6 +12843,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc + files_search_tmp($1) + allow $1 procmail_tmp_t:file read_file_perms; +') ++ ++######################################## ++## ++## Read/write procmail tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`procmail_rw_tmp_files',` ++ gen_require(` ++ type procmail_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.8/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2008-01-31 12:57:41.000000000 -0500 
@@ -12887,6 +13017,166 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/q serefpolicy-3.0.8/policy/modules/services/q +--- nsaserefpolicy/policy/modules/services/q 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/q 2008-02-04 13:55:48.000000000 -0500 +@@ -0,0 +1,156 @@ ++seinfo(1) seinfo(1) ++ ++ ++ ++NNAAMMEE ++ seinfo - SELinux policy query tool ++ ++SSYYNNOOPPSSIISS ++ sseeiinnffoo [OPTIONS] [EXPRESSION] [POLICY ...] ++ ++DDEESSCCRRIIPPTTIIOONN ++ sseeiinnffoo allows the user to query the components of a SELinux policy. ++ ++PPOOLLIICCYY ++ sseeiinnffoo supports loading a SELinux policy in one of four formats. ++ ++ source A single text file containing policy source for versions 12 ++ through 21. This file is usually named policy.conf. ++ ++ binary A single file containing a monolithic kernel binary policy for ++ versions 15 through 21. This file is usually named by version - ++ for example, policy.20. ++ ++ modular ++ A list of policy packages each containing a loadable policy mod- ++ ule. The first module listed must be a base module. ++ ++ policy list ++ A single text file containing all the information needed to load ++ a policy, usually exported by SETools graphical utilities. ++ ++ If no policy file is provided, sseeiinnffoo will search for the system ++ default policy: checking first for a source policy, next for a binary ++ policy matching the running kernel’s preferred version, and finally for ++ the highest version that can be found. If no policy can be found, ++ sseeiinnffoo will print an error message and exit. ++ ++EEXXPPRREESSSSIIOONNSS ++ One or more of the following component types can be queried. Each ++ option may only be specified once. If an option is provided multiple ++ times, the last instance will be used. 
Some components support the -x ++ flag to print expanded information about that component; if a particu- ++ lar component specified does not support expanded information, the flag ++ will be ignored for that component (see -x below). If no expressions ++ are provided, policy statistics will be printed (see --stats below). ++ ++ -c[NAME], --class[=NAME] ++ Print a list of object classes or, if NAME is provided, print ++ the object class NAME. With -x, print a list of permissions for ++ each displayed object class. ++ ++ --sensitivity[=NAME] ++ Print a list of sensitivities or, if NAME is provided, print the ++ sensitivity NAME. With -x, print the corresponding level state- ++ ment for each displayed sensitivity. ++ ++ --category[=NAME] ++ Print a list of categories or, if NAME is provided, print the ++ category NAME. With -x, print a list of sensitivities with ++ which each displayed category may be associated. ++ ++ -t[NAME], --type[=NAME] ++ Print a list of types (not including aliases or attributes) or, ++ if NAME is provided, print the type NAME. With -x, print a list ++ of attributes which include each displayed type. ++ ++ -a[NAME], --attribute[=NAME] ++ Print a list of type attributes or, if NAME is provided, print ++ the attribute NAME. With -x, print a list of types assigned to ++ each displayed attribute. ++ ++ -r[NAME], --role[=NAME] ++ Print a list of roles or, if NAME is provided, print the role ++ NAME. With -x, print a list of types assigned to each displayed ++ role. ++ ++ -u[NAME], --user[=NAME] ++ Print a list of users or, if NAME is provided, print the user ++ NAME. With -x, print a list of roles assigned to each displayed ++ user. ++ ++ -b[NAME], --bool[=NAME] ++ Print a list of conditional booleans or, if NAME is provided, ++ print the boolean NAME. With -x, print the default state of ++ each displayed conditional boolean. ++ ++ --initialsid[=NAME] ++ Print a list of initial SIDs or, if NAME is provided, print the ++ initial SID NAME. 
With -x, print the context assigned to each ++ displayed SID. ++ ++ --fs_use[=TYPE] ++ Print a list of fs_use statements or, if TYPE is provided, print ++ the statement for filesystem TYPE. There is no expanded infor- ++ mation for this component. ++ ++ --genfscon[=TYPE] ++ Print a list of genfscon statements or, if TYPE is provided, ++ print the statement for the filesystem TYPE. There is no ++ expanded information for this component. ++ ++ --netifcon[=NAME] ++ Print a list of netif contexts or, if NAME is provided, print ++ the statement for interface NAME. There is no expanded informa- ++ tion for this component. ++ ++ --nodecon[=ADDR] ++ Print a list of node contexts or, if ADDR is provided, print the ++ statement for the node with address ADDR. There is no expanded ++ information for this component. ++ ++ --portcon[=PORT] ++ Print a list of port contexts or, if PORT is provided, print the ++ statement for port PORT. There is no expanded information for ++ this component. ++ ++ --protocol=PROTO ++ Print only portcon statements for the protocol PROTO. This ++ option is ignored if portcon statements are not printed or if no ++ statement exists for the requested port. ++ ++ --all Print all components. ++ ++OOPPTTIIOONNSS ++ -x, --expand ++ Print additional details for each component matching the expres- ++ sion. These details include the types assigned to an attribute ++ or role and the permissions for an object class. This option is ++ not available for all component types; see the description of ++ each component for the details this option will provide. ++ ++ --stats ++ Print policy statistics including policy type and version infor- ++ mation and counts of all components and rules. ++ ++ -h, --help ++ Print help information and exit. ++ ++ -V, --version ++ Print version information and exit. ++ ++AAUUTTHHOORR ++ This manual page was written by Jeremy A. Mowery . 
++ ++CCOOPPYYRRIIGGHHTT ++ Copyright(C) 2003-2007 Tresys Technology, LLC ++ ++BBUUGGSS ++ Please report bugs via an email to setools-bugs@tresys.com. ++ ++SSEEEE AALLSSOO ++ sesearch(1), apol(1) ++ ++ ++ ++ seinfo(1) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.0.8/policy/modules/services/radius.fc --- nsaserefpolicy/policy/modules/services/radius.fc 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/radius.fc 2008-01-17 09:03:07.000000000 -0500 @@ -13673,7 +13963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2008-01-31 11:27:27.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2008-02-06 08:56:20.000000000 -0500 @@ -137,6 +137,11 @@ type winbind_var_run_t; files_pid_file(winbind_var_run_t) @@ -13703,7 +13993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_proc_symlinks(samba_net_t) corenet_all_recvfrom_unlabeled(samba_net_t) -@@ -190,8 +196,7 @@ +@@ -190,19 +196,15 @@ miscfiles_read_localization(samba_net_t) @@ -13712,8 +14002,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +samba_read_var_files(samba_net_t) userdom_dontaudit_search_sysadm_home_dirs(samba_net_t) ++userdom_list_all_users_home_dirs(samba_net_t) -@@ -199,10 +204,6 @@ + optional_policy(` kerberos_use(samba_net_t) ') 
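Review bot: `policy/modules/services/q` is not policy — its entire content is the rendered seinfo(1) man page, complete with overstruck headings like `NNAAMMEE` and the Tresys copyright — and it should not be carried in policy-20070703.patch. It looks like a scratch file (something like the output of `man seinfo` redirected to `q`) that the `diff -N -r` used to regenerate this patch picked up from the working tree. Drop the file before regenerating, otherwise it lands in the packaged source tree and reappears in every later refresh of the patch. The trailing radius.fc header lines are unrelated context.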
@@ -13724,7 +14015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # smbd Local policy -@@ -217,19 +218,16 @@ +@@ -217,19 +219,16 @@ allow smbd_t self:msgq create_msgq_perms; allow smbd_t self:sem create_sem_perms; allow smbd_t self:shm create_shm_perms; @@ -13747,7 +14038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbd_t samba_net_tmp_t:file getattr; -@@ -239,6 +237,7 @@ +@@ -239,6 +238,7 @@ manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t) manage_files_pattern(smbd_t,samba_share_t,samba_share_t) manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t) @@ -13755,7 +14046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t) manage_files_pattern(smbd_t,samba_var_t,samba_var_t) -@@ -256,7 +255,7 @@ +@@ -256,7 +256,7 @@ manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t) files_pid_filetrans(smbd_t,smbd_var_run_t,file) @@ -13764,7 +14055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -292,12 +291,13 @@ +@@ -292,12 +292,13 @@ fs_getattr_all_fs(smbd_t) fs_get_xattr_fs_quotas(smbd_t) @@ -13780,7 +14071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -321,12 +321,12 @@ +@@ -321,12 +322,12 @@ miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) 
@@ -13795,7 +14086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -347,6 +347,17 @@ +@@ -347,6 +348,17 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) @@ -13813,7 +14104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') optional_policy(` -@@ -398,7 +409,7 @@ +@@ -398,7 +410,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -13822,7 +14113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -410,8 +421,7 @@ +@@ -410,8 +422,7 @@ read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) @@ -13832,7 +14123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) -@@ -421,6 +431,8 @@ +@@ -421,6 +432,8 @@ allow nmbd_t smbd_var_run_t:dir rw_dir_perms; @@ -13841,7 +14132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) kernel_read_kernel_sysctls(nmbd_t) -@@ -446,6 +458,7 @@ +@@ -446,6 +459,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -13849,7 +14140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -462,17 +475,11 @@ +@@ -462,17 +476,11 @@ miscfiles_read_localization(nmbd_t) 
@@ -13867,7 +14158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(nmbd_t) ') -@@ -506,6 +513,8 @@ +@@ -506,6 +514,8 @@ manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t) files_list_var_lib(smbmount_t) @@ -13876,7 +14167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_system_state(smbmount_t) corenet_all_recvfrom_unlabeled(smbmount_t) -@@ -533,6 +542,7 @@ +@@ -533,6 +543,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) @@ -13884,7 +14175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_list_bin(smbmount_t) -@@ -553,16 +563,11 @@ +@@ -553,16 +564,11 @@ logging_search_logs(smbmount_t) @@ -13903,7 +14194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -570,24 +575,28 @@ +@@ -570,24 +576,28 @@ # SWAT Local policy # @@ -13940,7 +14231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_var_run_t:file read; manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) -@@ -597,7 +606,11 @@ +@@ -597,7 +607,11 @@ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) @@ -13953,7 +14244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -622,23 +635,24 @@ +@@ -622,23 +636,24 @@ dev_read_urand(swat_t) @@ -13980,7 +14271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -652,13 +666,16 @@ +@@ -652,13 +667,16 @@ kerberos_use(swat_t) ') 
@@ -14003,7 +14294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # -@@ -672,7 +689,6 @@ +@@ -672,7 +690,6 @@ allow winbind_t self:fifo_file { read write }; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; @@ -14011,7 +14302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow winbind_t self:tcp_socket create_stream_socket_perms; allow winbind_t self:udp_socket create_socket_perms; -@@ -709,6 +725,8 @@ +@@ -709,6 +726,8 @@ manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) files_pid_filetrans(winbind_t,winbind_var_run_t,file) @@ -14020,7 +14311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -733,7 +751,9 @@ +@@ -733,7 +752,9 @@ fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) @@ -14030,7 +14321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -746,9 +766,6 @@ +@@ -746,9 +767,6 @@ miscfiles_read_localization(winbind_t) @@ -14040,7 +14331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_dontaudit_search_sysadm_home_dirs(winbind_t) userdom_priveleged_home_dir_manager(winbind_t) -@@ -758,10 +775,6 @@ +@@ -758,10 +776,6 @@ ') optional_policy(` @@ -14051,7 +14342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(winbind_t) ') -@@ -784,6 +797,8 @@ +@@ -784,6 +798,8 @@ allow winbind_helper_t samba_var_t:dir search; files_list_var_lib(winbind_helper_t) 
@@ -14060,7 +14351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t) term_list_ptys(winbind_helper_t) -@@ -804,6 +819,7 @@ +@@ -804,6 +820,7 @@ optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) @@ -14068,7 +14359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -828,3 +844,37 @@ +@@ -828,3 +845,37 @@ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ') ') @@ -14226,7 +14517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2008-01-17 12:46:27.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2008-02-06 10:23:01.000000000 -0500 @@ -20,19 +20,22 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -14327,7 +14618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send optional_policy(` procmail_domtrans(sendmail_t) -+ procmail_read_tmp_files(sendmail_t) ++ procmail_rw_tmp_files(sendmail_t) +') + +optional_policy(` 
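Review bot: The change from `procmail_read_tmp_files(sendmail_t)` to `procmail_rw_tmp_files(sendmail_t)` in the sendmail.te hunk widens sendmail_t's access to procmail's temporary files from read to read/write, and nothing in the hunk records which denial motivated the extra write. A one-line comment above the call, e.g. `# sendmail writes back into procmail's tmp file during local delivery — see <AVC/bug reference>`, would let a later reviewer judge whether write is still required. The optional_policy block is complete in the hunk, but the sendmail_t declarations it applies to are outside it.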
@@ -14432,6 +14723,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.0.8/policy/modules/services/smartmon.te +--- nsaserefpolicy/policy/modules/services/smartmon.te 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/smartmon.te 2008-02-01 08:42:06.000000000 -0500 +@@ -49,6 +49,7 @@ + corenet_udp_sendrecv_all_ports(fsdaemon_t) + + dev_read_sysfs(fsdaemon_t) ++dev_read_urand(fsdaemon_t) + + domain_use_interactive_fds(fsdaemon_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.0.8/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/snmp.te 2008-01-17 09:03:07.000000000 -0500 @@ -16771,7 +17073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-01-31 11:32:52.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-02-11 17:22:41.000000000 -0500 @@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; 
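Review bot: The new smartmon.te section grants `dev_read_urand(fsdaemon_t)` with no comment, and it is one of several module changes in this commit that are unrelated to its subject (fail2ban sock_files in /var/run). Reading /dev/urandom is a read-only, low-risk permission, so the grant itself looks fine, but a short comment such as `# fsdaemon_t reads /dev/urandom — see <AVC/bug reference>` would tie it to the denial it fixes. Bundling unrelated module changes under a single-subject commit also makes bisecting policy regressions harder; a changelog entry listing the touched modules would help.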
@@ -16822,13 +17124,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo term_use_all_user_ttys(pam_t) term_use_all_user_ptys(pam_t) -@@ -111,19 +129,15 @@ +@@ -111,19 +129,16 @@ logging_send_syslog_msg(pam_t) userdom_use_unpriv_users_fds(pam_t) +userdom_write_unpriv_users_tmp_files(pam_t) -+userdom_dontaudit_read_unpriv_users_home_content_files(pam_t) +userdom_unlink_unpriv_users_tmp_files(pam_t) ++userdom_dontaudit_read_unpriv_users_home_content_files(pam_t) ++userdom_dontaudit_write_user_home_content_files(user, pam_t) +userdom_append_unpriv_users_home_content_files(pam_t) optional_policy(` @@ -16846,7 +17149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM console local policy -@@ -149,6 +163,8 @@ +@@ -149,6 +164,8 @@ dev_setattr_apm_bios_dev(pam_console_t) dev_getattr_dri_dev(pam_console_t) dev_setattr_dri_dev(pam_console_t) @@ -16855,7 +17158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_framebuffer_dev(pam_console_t) dev_setattr_framebuffer_dev(pam_console_t) dev_getattr_generic_usb_dev(pam_console_t) -@@ -159,6 +175,8 @@ +@@ -159,6 +176,8 @@ dev_setattr_mouse_dev(pam_console_t) dev_getattr_power_mgmt_dev(pam_console_t) dev_setattr_power_mgmt_dev(pam_console_t) @@ -16864,7 +17167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_scanner_dev(pam_console_t) dev_setattr_scanner_dev(pam_console_t) dev_getattr_sound_dev(pam_console_t) -@@ -200,6 +218,7 @@ +@@ -200,6 +219,7 @@ fs_list_auto_mountpoints(pam_console_t) fs_list_noxattr_fs(pam_console_t) @@ -16872,7 +17175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo init_use_fds(pam_console_t) init_use_script_ptys(pam_console_t) -@@ -236,7 +255,7 @@ +@@ -236,7 +256,7 @@ optional_policy(` xserver_read_xdm_pid(pam_console_t) 
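Review bot: The added `userdom_dontaudit_write_user_home_content_files(user, pam_t)` is scoped to the `user` prefix only, while the neighbouring calls (`userdom_write_unpriv_users_tmp_files`, `userdom_dontaudit_read_unpriv_users_home_content_files`, `userdom_append_unpriv_users_home_content_files`) cover all unprivileged users, so the same write denial in, say, staff home content would still be audited while the user one is silenced. If the intent is to quiet this noise for every unprivileged prefix, an `unpriv_users` variant (if the userdomain module provides one) would match the surrounding style; if only `user` is intended, a comment saying so would stop someone later "fixing" the asymmetry. A dontaudit on write of home content also removes the signal that pam_t attempted to modify user files, so it is worth recording which PAM module produced the denial. The pam_t block continues outside this hunk.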
@@ -16881,7 +17184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -256,6 +275,7 @@ +@@ -256,6 +276,7 @@ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) userdom_dontaudit_use_sysadm_terms(system_chkpwd_t) @@ -16889,7 +17192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # -@@ -302,3 +322,29 @@ +@@ -302,3 +323,31 @@ xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') @@ -16913,6 +17216,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +auth_use_nsswitch(updpwd_t) + +term_dontaudit_use_console(updpwd_t) ++term_dontaudit_use_all_user_ptys(updpwd_t) ++term_dontaudit_use_all_user_ttys(updpwd_t) +term_dontaudit_use_unallocated_ttys(updpwd_t) +term_dontaudit_use_generic_ptys(updpwd_t) + @@ -17779,7 +18084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-02-11 16:25:54.000000000 -0500 @@ -65,11 +65,15 @@ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
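Review bot: The added `term_dontaudit_use_all_user_ptys(updpwd_t)` and `term_dontaudit_use_all_user_ttys(updpwd_t)` come with no comment, and together with the existing console/unallocated/generic dontaudits they make updpwd_t silent about every terminal it might inherit. dontaudit removes audit evidence rather than granting access, so the risk is low, but the reason should be recorded next to them, e.g. `# updpwd inherits the caller's terminal fds and never needs them; suppress the noise` — hedged, since the calling domain is outside this hunk. The inner header change from `+322,29` to `+323,31` is consistent with the one line added to the earlier pam_t hunk plus the two added here.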
@@ -17857,7 +18162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # vmware -@@ -284,3 +299,15 @@ +@@ -284,3 +299,16 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -17873,6 +18178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2008-01-17 09:03:07.000000000 -0500 @@ -19348,7 +19654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2008-01-21 15:06:05.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2008-02-02 00:06:45.000000000 -0500 @@ -76,7 +76,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) 
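Review bot: The new `/usr/lib(64)?/libmythavcodec-[^/]+\.so.*` entry labels the library textrel_shlib_t, which lets any domain that maps it perform text relocations (execmod) on it; each such exception weakens the no-writable-executable-memory guarantee for every process loading the library, so it deserves a comment naming why, e.g. `# libmythavcodec (MythTV) carries text relocations — presumably not built PIC; drop once fixed upstream`. Unlike the two `libswscale` lines above it, which list /usr/lib and /usr/lib64 separately, this entry uses the `(64)?` form; the pair above could be collapsed the same way for consistency, though that is pre-existing. The inner header bump `+299,15` → `+299,16` matches the single added line.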
@@ -19627,7 +19933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') +optional_policy(` -+ cron_rw_pipes(setfiles_t) ++ cron_system_entry(setfiles_t, setfiles_exec_t) +') + +optional_policy(` @@ -20515,7 +20821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-02-11 17:21:49.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -21521,7 +21827,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) ') -@@ -2066,7 +2193,7 @@ +@@ -2034,6 +2161,10 @@ + ') + + dontaudit $2 $1_home_t:file write; ++ fs_dontaudit_list_nfs($2) ++ fs_dontaudit_rw_nfs_files($2) ++ fs_dontaudit_list_cifs($2) ++ fs_dontaudit_rw_cifs_files($2) + ') + + ######################################## +@@ -2066,7 +2197,7 @@ type $1_home_dir_t, $1_home_t; ') @@ -21530,7 +21847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_lnk_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) ') -@@ -2100,7 +2227,7 @@ +@@ -2100,7 +2231,7 @@ type $1_home_dir_t, $1_home_t; ') @@ -21539,7 +21856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo exec_files_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) ') -@@ -2169,7 +2296,7 @@ +@@ -2169,7 +2300,7 @@ type $1_home_dir_t, $1_home_t; ') 
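Review bot: Replacing `cron_rw_pipes(setfiles_t)` with `cron_system_entry(setfiles_t, setfiles_exec_t)` turns a narrow fifo permission into a full entry point: system cron jobs that execute setfiles_exec_t will now transition into setfiles_t, the domain the relabel tool runs in. That is a deliberate privilege path rather than a bug, but it should carry a comment on why cron needs to run setfiles in its own domain (e.g. `# scheduled relabel jobs run setfiles from system cron; transition so relabels are not performed from system_crond_t`), and it should be confirmed that cron_system_entry also provides the pipe access the old call granted, otherwise that access is silently lost. The hunk shows only this optional_policy block; the rest of setfiles_t's policy is outside it.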
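Review bot: The four `fs_dontaudit_list_nfs`/`fs_dontaudit_rw_nfs_files`/`fs_dontaudit_list_cifs`/`fs_dontaudit_rw_cifs_files` calls added after `dontaudit $2 $1_home_t:file write;` in the userdomain.if hunk are much broader than the line they follow: they silence list and read/write denials for every NFS and CIFS file reachable by `$2`, not just home content, and the rw variants also hide reads where the template otherwise suppresses only writes. If the goal is home directories exported over NFS/CIFS, scoping them with the `use_nfs_home_dirs` / `use_samba_home_dirs` tunables used elsewhere in userdomain (if conditional dontaudits are acceptable here), or at least a comment such as `# home dirs may live on NFS/CIFS; quiet the same write noise there`, would keep the template's contract narrow. The template's header and name are outside this hunk, so the exact interface being widened cannot be confirmed from the visible lines.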
@@ -21548,7 +21865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $2 $1_home_dir_t:dir search_dir_perms; manage_files_pattern($2,$1_home_t,$1_home_t) ') -@@ -2241,7 +2368,7 @@ +@@ -2241,7 +2372,7 @@ type $1_home_dir_t, $1_home_t; ') @@ -21557,7 +21874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $2 $1_home_dir_t:dir search_dir_perms; manage_lnk_files_pattern($2,$1_home_t,$1_home_t) ') -@@ -2278,7 +2405,7 @@ +@@ -2278,7 +2409,7 @@ type $1_home_dir_t, $1_home_t; ') @@ -21566,7 +21883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $2 $1_home_dir_t:dir search_dir_perms; manage_fifo_files_pattern($2,$1_home_t,$1_home_t) ') -@@ -2315,7 +2442,7 @@ +@@ -2315,7 +2446,7 @@ type $1_home_dir_t, $1_home_t; ') @@ -21575,7 +21892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $2 $1_home_dir_t:dir search_dir_perms; manage_sock_files_pattern($2,$1_home_t,$1_home_t) ') -@@ -2365,7 +2492,7 @@ +@@ -2365,7 +2496,7 @@ type $1_home_dir_t; ') @@ -21584,7 +21901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo filetrans_pattern($2,$1_home_dir_t,$3,$4) ') -@@ -2414,7 +2541,7 @@ +@@ -2414,7 +2545,7 @@ type $1_home_t; ') @@ -21593,7 +21910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo filetrans_pattern($2,$1_home_t,$3,$4) ') -@@ -2458,7 +2585,7 @@ +@@ -2458,7 +2589,7 @@ type $1_home_dir_t, $1_home_t; ') @@ -21602,7 +21919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo filetrans_pattern($2,$1_home_dir_t,$1_home_t,$3) ') -@@ -2994,6 +3121,25 @@ +@@ -2994,6 +3125,25 @@ ######################################## ## 
@@ -21628,7 +21945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create objects in a user temporary directory ## with an automatic type transition to ## a specified private type. -@@ -3078,7 +3224,7 @@ +@@ -3078,7 +3228,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -21637,7 +21954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -3086,11 +3232,11 @@ +@@ -3086,11 +3236,11 @@ ######################################## ## @@ -21651,7 +21968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ##

##

## This is a templated interface, and should only -@@ -3122,6 +3268,42 @@ +@@ -3122,6 +3272,42 @@ ######################################## ##

@@ -21694,7 +22011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## List users untrusted directories. ## ## -@@ -4089,7 +4271,7 @@ +@@ -4089,7 +4275,7 @@ type staff_home_dir_t; ') @@ -21703,7 +22020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 staff_home_dir_t:dir search_dir_perms; ') -@@ -4128,7 +4310,7 @@ +@@ -4128,7 +4314,7 @@ type staff_home_dir_t; ') @@ -21712,7 +22029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 staff_home_dir_t:dir manage_dir_perms; ') -@@ -4147,7 +4329,7 @@ +@@ -4147,7 +4333,7 @@ type staff_home_dir_t; ') @@ -21721,7 +22038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 staff_home_dir_t:dir relabelto; ') -@@ -4185,7 +4367,7 @@ +@@ -4185,7 +4371,7 @@ type staff_home_dir_t, staff_home_t; ') @@ -21730,7 +22047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 { staff_home_dir_t staff_home_t }:dir list_dir_perms; read_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t) read_lnk_files_pattern($1,{ staff_home_dir_t staff_home_t },staff_home_t) -@@ -4410,6 +4592,7 @@ +@@ -4410,6 +4596,7 @@ ') dontaudit $1 sysadm_home_dir_t:dir getattr; @@ -21738,7 +22055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4444,9 +4627,11 @@ +@@ -4444,9 +4631,11 @@ interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` type sysadm_home_dir_t; @@ -21750,7 +22067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4570,10 +4755,11 @@ +@@ -4570,10 +4759,11 @@ type sysadm_home_dir_t, sysadm_home_t; ') 
@@ -21763,7 +22080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4609,11 +4795,29 @@ +@@ -4609,11 +4799,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -21794,7 +22111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4633,6 +4837,14 @@ +@@ -4633,6 +4841,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -21809,7 +22126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4895,7 +5107,7 @@ +@@ -4895,7 +5111,7 @@ type user_home_dir_t, user_home_t; ') @@ -21818,7 +22135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo filetrans_pattern($1,user_home_dir_t,user_home_t,$2) ') -@@ -4933,7 +5145,7 @@ +@@ -4933,7 +5149,7 @@ type user_home_dir_t; ') @@ -21827,7 +22144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 user_home_dir_t:dir manage_dir_perms; ') -@@ -4954,7 +5166,7 @@ +@@ -4954,7 +5170,7 @@ type user_home_t; ') @@ -21836,7 +22153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_dirs_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') -@@ -4973,7 +5185,7 @@ +@@ -4973,7 +5189,7 @@ type staff_home_dir_t; ') @@ -21845,7 +22162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 user_home_dir_t:dir relabelto; ') -@@ -4992,7 +5204,7 @@ +@@ -4992,7 +5208,7 @@ type user_home_t, user_home_dir_t; ') @@ -21854,7 +22171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 user_home_t:dir list_dir_perms; read_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') -@@ -5013,7 +5225,7 @@ +@@ -5013,7 +5229,7 @@ type user_home_t; ') 
@@ -21863,7 +22180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 user_home_t:file execute; ') -@@ -5033,7 +5245,7 @@ +@@ -5033,7 +5249,7 @@ type user_home_dir_t, user_home_t; ') @@ -21872,7 +22189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') -@@ -5072,7 +5284,7 @@ +@@ -5072,7 +5288,7 @@ type user_home_t; ') @@ -21881,7 +22198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_lnk_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') -@@ -5092,7 +5304,7 @@ +@@ -5092,7 +5308,7 @@ type user_home_t; ') @@ -21890,7 +22207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_fifo_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') -@@ -5112,7 +5324,7 @@ +@@ -5112,7 +5328,7 @@ type user_home_t; ') @@ -21899,7 +22216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_sock_files_pattern($1,{ user_home_dir_t user_home_t },user_home_t) ') -@@ -5131,7 +5343,7 @@ +@@ -5131,7 +5347,7 @@ attribute user_home_dir_type; ') @@ -21908,7 +22225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 user_home_dir_type:dir search_dir_perms; ') -@@ -5151,7 +5363,7 @@ +@@ -5151,7 +5367,7 @@ attribute user_home_dir_type, user_home_type; ') @@ -21917,7 +22234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1 user_home_type:dir list_dir_perms; read_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) read_lnk_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) -@@ -5173,7 +5385,7 @@ +@@ -5173,7 +5389,7 @@ attribute user_home_dir_type, user_home_type; ') 
@@ -21926,7 +22243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ') -@@ -5193,7 +5405,7 @@ +@@ -5193,7 +5409,7 @@ attribute user_home_dir_type, user_home_type; ') @@ -21935,7 +22252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ') -@@ -5323,7 +5535,7 @@ +@@ -5323,7 +5539,7 @@ attribute user_tmpfile; ') @@ -21944,7 +22261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5346,6 +5558,25 @@ +@@ -5346,6 +5562,25 @@ ######################################## ## @@ -21970,7 +22287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Write all unprivileged users files in /tmp ## ## -@@ -5529,6 +5760,24 @@ +@@ -5529,6 +5764,24 @@ ######################################## ## @@ -21995,7 +22312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5559,3 +5808,419 @@ +@@ -5559,3 +5812,419 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ')