From 88e39245313de17b974b016ae0806d65104229fb Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 13 2008 19:15:40 +0000 Subject: - Change default boolean settings for xguest - Allow mount to r/w image files - Fix labes for several libraries that need textrel_shlib_t - portreserve needs to be able to sendrecv unlabeled_t - Fix Kerberos labeling - Fix cups printing on hp printers - Allow relabeling on blk devices on the homedir - Allow nslpugin to r/w inodefs --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 8776a41..a0abb6e 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1705,3 +1705,8 @@ netlabel = module # zosremote = module +# Layer: services +# Module: pki +# +# +pki = module diff --git a/policy-20080710.patch b/policy-20080710.patch index a465d22..1a4a3d3 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -1,6 +1,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.5.13/Makefile ---- nsaserefpolicy/Makefile 2008-08-07 11:15:00.000000000 -0400 -+++ serefpolicy-3.5.13/Makefile 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/Makefile 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/Makefile 2008-11-11 16:22:02.000000000 -0500 @@ -311,20 +311,22 @@ # parse-rolemap modulename,outputfile @@ -46,8 +46,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak @mkdir -p $(appdir) $(verbose) $(INSTALL) -m 644 $< $@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.5.13/Rules.modular ---- nsaserefpolicy/Rules.modular 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/Rules.modular 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/Rules.modular 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/Rules.modular 2008-11-11 16:22:02.000000000 -0500 
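Review bot: The new `pki` entry in modules-targeted.conf leaves both `#` lines under `# Module: pki` empty, so the module is registered without any description of what it confines, whereas the surrounding entries in that file carry a one-line description in that slot. Fill the empty comment line with a short description (which daemon and file types the pki module covers) above `pki = module`. The commit message also does not mention enabling pki, so it is not clear whether this is intended as part of this changelog entry; a bullet in the message would make that explicit.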
@@ -73,8 +73,8 @@ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te @echo "Compliling $(NAME) $(@F) module" @@ -95,8 +95,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul # $(appdir)/customizable_types: $(base_conf) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.5.13/config/appconfig-mcs/default_contexts ---- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/default_contexts 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mcs/default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 @@ -119,24 +119,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.5.13/config/appconfig-mcs/failsafe_context ---- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/failsafe_context 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mcs/failsafe_context 2008-11-11 16:22:02.000000000 -0500 
@@ -1 +1 @@ -sysadm_r:sysadm_t:s0 +system_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/guest_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/config/appconfig-mcs/guest_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,6 @@ -+system_r:local_login_t:s0 guest_r:guest_t:s0 -+system_r:remote_login_t:s0 guest_r:guest_t:s0 -+system_r:sshd_t:s0 guest_r:guest_t:s0 -+system_r:crond_t:s0 guest_r:guest_t:s0 -+system_r:initrc_su_t:s0 guest_r:guest_t:s0 -+guest_r:guest_t:s0 guest_r:guest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -1,11 +1,7 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 
@@ -152,8 +142,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.5.13/config/appconfig-mcs/seusers ---- nsaserefpolicy/config/appconfig-mcs/seusers 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/seusers 2008-10-28 11:08:43.000000000 -0400 +--- nsaserefpolicy/config/appconfig-mcs/seusers 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mcs/seusers 2008-11-11 16:22:02.000000000 -0500 @@ -1,3 +1,3 @@ system_u:system_u:s0-mcs_systemhigh -root:root:s0-mcs_systemhigh @@ -161,8 +151,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +root:unconfined_u:s0-mcs_systemhigh +__default__:unconfined_u:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/staff_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/staff_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mcs/staff_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -1,10 +1,12 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 
@@ -178,8 +168,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/unconfined_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/unconfined_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mcs/unconfined_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -6,4 +6,6 @@ system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 @@ -188,8 +178,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/user_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/user_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mcs/user_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -1,8 +1,9 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 
@@ -203,25 +193,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:initrc_su_t:s0 user_r:user_t:s0 +user_r:user_t:s0 user_r:user_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context ---- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mcs/userhelper_context 2008-11-11 16:22:02.000000000 -0500 
@@ -1 +1 @@ -system_u:sysadm_r:sysadm_t:s0 +system_u:system_r:unconfined_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts ---- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,7 @@ -+system_r:local_login_t xguest_r:xguest_t:s0 -+system_r:remote_login_t xguest_r:xguest_t:s0 -+system_r:sshd_t xguest_r:xguest_t:s0 -+system_r:crond_t xguest_r:xguest_t:s0 -+system_r:xdm_t xguest_r:xguest_t:s0 -+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 -+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.5.13/config/appconfig-mls/default_contexts ---- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mls/default_contexts 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mls/default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -1,15 +1,6 @@ -system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0 -system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 
@@ -243,17 +222,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/guest_u_default_contexts ---- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/config/appconfig-mls/guest_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,4 @@ -+system_r:local_login_t:s0 guest_r:guest_t:s0 -+system_r:remote_login_t:s0 guest_r:guest_t:s0 -+system_r:sshd_t:s0 guest_r:guest_t:s0 -+system_r:crond_t:s0 guest_r:guest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts ---- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -1,11 +1,11 @@ -system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0 -system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 
@@ -273,8 +244,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con -#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/staff_u_default_contexts ---- nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mls/staff_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-mls/staff_u_default_contexts 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mls/staff_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -1,7 +1,7 @@ system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 system_r:remote_login_t:s0 staff_r:staff_t:s0 @@ -285,8 +256,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/user_u_default_contexts ---- nsaserefpolicy/config/appconfig-mls/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-mls/user_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-mls/user_u_default_contexts 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-mls/user_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -1,7 +1,7 @@ system_r:local_login_t:s0 user_r:user_t:s0 system_r:remote_login_t:s0 user_r:user_t:s0 
@@ -296,28 +267,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/xguest_u_default_contexts ---- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/config/appconfig-mls/xguest_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,7 @@ -+system_r:local_login_t xguest_r:xguest_t:s0 -+system_r:remote_login_t xguest_r:xguest_t:s0 -+system_r:sshd_t xguest_r:xguest_t:s0 -+system_r:crond_t xguest_r:xguest_t:s0 -+system_r:xdm_t xguest_r:xguest_t:s0 -+system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 -+xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/guest_u_default_contexts ---- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/config/appconfig-standard/guest_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,4 @@ -+system_r:local_login_t guest_r:guest_t -+system_r:remote_login_t guest_r:guest_t -+system_r:sshd_t guest_r:guest_t -+system_r:crond_t guest_r:guest_crond_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts ---- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-standard/root_default_contexts 
2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -1,11 +1,7 @@ system_r:crond_t unconfined_r:unconfined_t sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t @@ -332,8 +284,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con -#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/staff_u_default_contexts ---- nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-standard/staff_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-standard/staff_u_default_contexts 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-standard/staff_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -1,7 +1,7 @@ system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t system_r:remote_login_t staff_r:staff_t 
@@ -344,8 +296,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con staff_r:staff_su_t staff_r:staff_t staff_r:staff_sudo_t staff_r:staff_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/user_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/user_u_default_contexts ---- nsaserefpolicy/config/appconfig-standard/user_u_default_contexts 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/config/appconfig-standard/user_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/config/appconfig-standard/user_u_default_contexts 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/config/appconfig-standard/user_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -1,7 +1,7 @@ system_r:local_login_t user_r:user_t system_r:remote_login_t user_r:user_t 
@@ -355,18 +307,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con system_r:xdm_t user_r:user_t user_r:user_su_t user_r:user_t user_r:user_sudo_t user_r:user_t -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/xguest_u_default_contexts ---- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/config/appconfig-standard/xguest_u_default_contexts 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,5 @@ -+system_r:local_login_t xguest_r:xguest_t -+system_r:remote_login_t xguest_r:xguest_t -+system_r:sshd_t xguest_r:xguest_t -+system_r:crond_t xguest_r:xguest_crond_t -+system_r:xdm_t xguest_r:xguest_t +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.5.13/man/man8/samba_selinux.8 +--- nsaserefpolicy/man/man8/samba_selinux.8 2008-10-17 08:49:10.000000000 -0400 ++++ serefpolicy-3.5.13/man/man8/samba_selinux.8 2008-11-13 08:44:53.000000000 -0500 +@@ -14,11 +14,17 @@ + .TP + chcon -t samba_share_t /var/eng + .TP +-If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file. ++To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration: ++.TP ++semanage fcontext -a -t samba_share_t "/var/eng(/.*)?" ++.TP ++This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local: + .TP +-/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local +-.br + /var/eng(/.*)? 
system_u:object_r:samba_share_t ++.TP ++Run the restorecon command to apply the changes: ++.TP ++restorecon -R -v /var/eng/ + + .SH SHARING FILES + If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute: diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.5.13/policy/flask/access_vectors ---- nsaserefpolicy/policy/flask/access_vectors 2008-08-07 11:15:00.000000000 -0400 -+++ serefpolicy-3.5.13/policy/flask/access_vectors 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/flask/access_vectors 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/flask/access_vectors 2008-11-11 16:22:02.000000000 -0500 @@ -616,6 +616,7 @@ nlmsg_write nlmsg_relay @@ -376,8 +343,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol class netlink_ip6fw_socket diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.5.13/policy/global_tunables ---- nsaserefpolicy/policy/global_tunables 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/global_tunables 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/global_tunables 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/global_tunables 2008-11-11 16:22:02.000000000 -0500 @@ -34,7 +34,7 @@ ## 
@@ -417,8 +384,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.5.13/policy/mls ---- nsaserefpolicy/policy/mls 2008-09-24 09:07:29.000000000 -0400 -+++ serefpolicy-3.5.13/policy/mls 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/mls 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/mls 2008-11-11 16:22:02.000000000 -0500 @@ -381,11 +381,18 @@ ( t1 == mlsxwinread )); @@ -440,8 +407,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.5.13/policy/modules/admin/anaconda.te ---- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/anaconda.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/anaconda.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/anaconda.te 2008-11-11 16:22:02.000000000 -0500 @@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t) @@ -451,8 +418,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unprivuser_home_dir_filetrans_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.5.13/policy/modules/admin/certwatch.te ---- nsaserefpolicy/policy/modules/admin/certwatch.te 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/certwatch.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/certwatch.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/certwatch.te 2008-11-11 16:22:02.000000000 -0500 
@@ -27,6 +27,8 @@ fs_list_inotifyfs(certwatch_t) @@ -463,8 +430,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_shared_libs(certwatch_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.5.13/policy/modules/admin/consoletype.te ---- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/consoletype.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/consoletype.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/consoletype.te 2008-11-11 16:22:02.000000000 -0500 @@ -8,9 +8,11 @@ type consoletype_t; @@ -489,8 +456,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(consoletype_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.13/policy/modules/admin/kismet.te ---- nsaserefpolicy/policy/modules/admin/kismet.te 2008-10-14 11:58:10.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2008-11-03 14:20:02.000000000 -0500 +--- nsaserefpolicy/policy/modules/admin/kismet.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2008-11-11 16:22:02.000000000 -0500 @@ -26,10 +26,12 @@ # 
@@ -526,9 +493,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(kismet_t) files_read_etc_files(kismet_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.13/policy/modules/admin/logrotate.te +--- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/logrotate.te 2008-11-13 14:10:06.000000000 -0500 +@@ -119,6 +119,7 @@ + seutil_dontaudit_read_config(logrotate_t) + + userdom_use_unpriv_users_fds(logrotate_t) ++userdom_list_sysadm_home_dirs(logrotate_t) + + cron_system_entry(logrotate_t, logrotate_exec_t) + cron_search_spool(logrotate_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.13/policy/modules/admin/logwatch.te ---- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/logwatch.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/logwatch.te 2008-11-11 16:22:02.000000000 -0500 @@ -54,18 +54,19 @@ domain_read_all_domains_state(logwatch_t) 
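Review bot: `userdom_list_sysadm_home_dirs(logrotate_t)` is added to logrotate.te with no comment saying why log rotation needs to list administrator home directories, and the commit message does not list it among the changes. Listing sysadm home directories is broader than most rotation configurations require, so a one-line comment above the call naming the denial that motivated it (the config or log path involved) would let a later reviewer judge whether it still applies. If the need only arises with a particular setup, consider gating it behind a tunable or an `optional_policy` block rather than granting it unconditionally to every logrotate run.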
@@ -559,8 +537,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + samba_read_share_files(logwatch_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.5.13/policy/modules/admin/netutils.te ---- nsaserefpolicy/policy/modules/admin/netutils.te 2008-10-14 11:58:10.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/netutils.te 2008-10-29 09:05:23.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/netutils.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/netutils.te 2008-11-11 19:06:29.000000000 -0500 @@ -130,6 +130,8 @@ files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) @@ -570,7 +548,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(ping_t) libs_use_ld_so(ping_t) -@@ -149,6 +151,10 @@ +@@ -149,6 +151,14 @@ ') optional_policy(` @@ -578,12 +556,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ nagios_dontaudit_rw_pipes(ping_t) ++') ++ ++optional_policy(` pcmcia_use_cardmgr_fds(ping_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.5.13/policy/modules/admin/prelink.te ---- nsaserefpolicy/policy/modules/admin/prelink.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/prelink.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/prelink.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/prelink.te 2008-11-11 16:22:02.000000000 -0500 @@ -26,7 +26,7 @@ # Local policy # 
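Review bot: The new `nagios_dontaudit_rw_pipes(ping_t)` block in netutils.te depends on an interface that must be defined in nagios.if; that file is not in this chunk, so confirm it exists or is added elsewhere in this commit, otherwise the netutils module will fail to build. A dontaudit rule suppresses audit records rather than granting access, so a one-line comment naming the scenario it silences — presumably ping inheriting a pipe from a nagios check plugin — would help the next reader judge whether it is hiding a real misconfiguration. The commit message does not mention this change either.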
@@ -642,8 +624,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_domain(prelink_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.5.13/policy/modules/admin/rpm.fc ---- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/rpm.fc 2008-11-03 11:39:36.000000000 -0500 +--- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/rpm.fc 2008-11-11 16:22:02.000000000 -0500 @@ -11,7 +11,8 @@ /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -675,8 +657,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # SuSE ifdef(`distro_suse', ` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.13/policy/modules/admin/rpm.if ---- nsaserefpolicy/policy/modules/admin/rpm.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/rpm.if 2008-11-03 17:02:00.000000000 -0500 +--- nsaserefpolicy/policy/modules/admin/rpm.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/rpm.if 2008-11-11 16:22:02.000000000 -0500 @@ -152,6 +152,24 @@ ######################################## 
@@ -1008,8 +990,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.5.13/policy/modules/admin/rpm.te ---- nsaserefpolicy/policy/modules/admin/rpm.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/rpm.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/rpm.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/rpm.te 2008-11-11 16:22:02.000000000 -0500 @@ -31,6 +31,9 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; @@ -1160,8 +1142,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` java_domtrans(rpm_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.5.13/policy/modules/admin/su.if ---- nsaserefpolicy/policy/modules/admin/su.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/su.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/su.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/su.if 2008-11-11 16:22:02.000000000 -0500 @@ -41,15 +41,13 @@ allow $2 $1_su_t:process signal; 
@@ -1318,8 +1300,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.5.13/policy/modules/admin/sudo.if ---- nsaserefpolicy/policy/modules/admin/sudo.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/sudo.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/sudo.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/sudo.if 2008-11-11 16:22:02.000000000 -0500 @@ -55,7 +55,7 @@ # @@ -1434,8 +1416,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + term_relabel_all_user_ptys($1_sudo_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.5.13/policy/modules/admin/tmpreaper.te ---- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/tmpreaper.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/tmpreaper.te 2008-11-11 16:22:02.000000000 -0500 @@ -22,12 +22,16 @@ dev_read_urand(tmpreaper_t) 
@@ -1481,8 +1463,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_domain(tmpreaper_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.5.13/policy/modules/admin/usermanage.te ---- nsaserefpolicy/policy/modules/admin/usermanage.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/usermanage.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/usermanage.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/usermanage.te 2008-11-11 16:22:02.000000000 -0500 @@ -97,6 +97,7 @@ # allow checking if a shell is executable @@ -1554,8 +1536,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_domain(useradd_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.if serefpolicy-3.5.13/policy/modules/admin/vbetool.if ---- nsaserefpolicy/policy/modules/admin/vbetool.if 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/vbetool.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/vbetool.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/vbetool.if 2008-11-11 16:22:02.000000000 -0500 @@ -18,3 +18,34 @@ corecmd_search_bin($1) domtrans_pattern($1, vbetool_exec_t, vbetool_t) 
@@ -1592,8 +1574,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow vbetool_t $3:chr_file rw_term_perms; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.5.13/policy/modules/admin/vbetool.te ---- nsaserefpolicy/policy/modules/admin/vbetool.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/vbetool.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/vbetool.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/vbetool.te 2008-11-11 16:22:02.000000000 -0500 @@ -23,6 +23,9 @@ dev_rwx_zero(vbetool_t) dev_read_sysfs(vbetool_t) @@ -1615,8 +1597,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.5.13/policy/modules/admin/vpn.if ---- nsaserefpolicy/policy/modules/admin/vpn.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/vpn.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/admin/vpn.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/admin/vpn.if 2008-11-11 16:22:02.000000000 -0500 @@ -53,6 +53,24 @@ ######################################## 
@@ -1668,8 +1650,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Vpnc over dbus. ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.13/policy/modules/apps/ethereal.fc ---- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/ethereal.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/ethereal.fc 2008-11-11 16:22:02.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ROLE_ethereal_home_t,s0) +HOME_DIR/\.ethereal(/.*)? gen_context(system_u:object_r:ethereal_home_t,s0) @@ -1677,8 +1659,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/ethereal.* -- gen_context(system_u:object_r:ethereal_exec_t,s0) /usr/sbin/tethereal.* -- gen_context(system_u:object_r:tethereal_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.5.13/policy/modules/apps/ethereal.if ---- nsaserefpolicy/policy/modules/apps/ethereal.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/ethereal.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/ethereal.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/ethereal.if 2008-11-11 16:22:02.000000000 -0500 @@ -35,6 +35,7 @@ template(`ethereal_per_role_template',` 
@@ -1783,8 +1765,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.5.13/policy/modules/apps/ethereal.te ---- nsaserefpolicy/policy/modules/apps/ethereal.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/ethereal.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/ethereal.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/ethereal.te 2008-11-11 16:22:02.000000000 -0500 @@ -16,6 +16,13 @@ type tethereal_tmp_t; files_tmp_file(tethereal_tmp_t) @@ -1800,8 +1782,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # Tethereal policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.5.13/policy/modules/apps/games.if ---- nsaserefpolicy/policy/modules/apps/games.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/games.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/games.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/games.if 2008-11-11 16:22:02.000000000 -0500 @@ -130,10 +130,10 @@ sysnet_read_config($1_games_t) 
@@ -1842,8 +1824,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.5.13/policy/modules/apps/gnome.fc ---- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gnome.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gnome.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/gnome.fc 2008-11-11 16:22:02.000000000 -0500 @@ -1,8 +1,10 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:ROLE_gnome_home_t,s0) -HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:ROLE_gconf_home_t,s0) @@ -1862,8 +1844,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +HOME_DIR/.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.5.13/policy/modules/apps/gnome.if ---- nsaserefpolicy/policy/modules/apps/gnome.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gnome.if 2008-10-30 16:10:55.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gnome.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/gnome.if 2008-11-11 16:22:02.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` type gconfd_exec_t, gconf_etc_t; 
@@ -2112,8 +2094,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.13/policy/modules/apps/gnome.te ---- nsaserefpolicy/policy/modules/apps/gnome.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gnome.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gnome.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/gnome.te 2008-11-11 16:22:02.000000000 -0500 @@ -8,8 +8,34 @@ attribute gnomedomain; @@ -2153,8 +2135,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.5.13/policy/modules/apps/gpg.fc ---- nsaserefpolicy/policy/modules/apps/gpg.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gpg.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gpg.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/gpg.fc 2008-11-11 16:22:02.000000000 -0500 @@ -1,9 +1,9 @@ -HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:ROLE_gpg_secret_t,s0) +HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) 
@@ -2170,8 +2152,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.5.13/policy/modules/apps/gpg.if ---- nsaserefpolicy/policy/modules/apps/gpg.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gpg.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gpg.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/gpg.if 2008-11-11 16:22:02.000000000 -0500 @@ -37,6 +37,9 @@ template(`gpg_per_role_template',` gen_require(` @@ -2509,8 +2491,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.5.13/policy/modules/apps/gpg.te ---- nsaserefpolicy/policy/modules/apps/gpg.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gpg.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/gpg.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/gpg.te 2008-11-11 16:22:02.000000000 -0500 @@ -15,15 +15,255 @@ gen_tunable(gpg_agent_env_file, false) 
@@ -2772,8 +2754,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_stream_connect_xdm_xserver(gpg_pinentry_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.5.13/policy/modules/apps/java.fc ---- nsaserefpolicy/policy/modules/apps/java.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/java.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/java.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/java.fc 2008-11-11 16:22:03.000000000 -0500 @@ -3,14 +3,15 @@ # /opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -2807,8 +2789,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.5.13/policy/modules/apps/java.if ---- nsaserefpolicy/policy/modules/apps/java.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/java.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/java.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/java.if 2008-11-11 16:22:03.000000000 -0500 @@ -32,7 +32,7 @@ ## ## 
@@ -3083,8 +3065,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.5.13/policy/modules/apps/java.te ---- nsaserefpolicy/policy/modules/apps/java.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/java.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/java.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/java.te 2008-11-11 16:22:03.000000000 -0500 @@ -6,16 +6,10 @@ # Declarations # 
@@ -3134,105 +3116,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_rw_xdm_xserver_shm(java_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.5.13/policy/modules/apps/livecd.fc ---- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/livecd.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,2 @@ -+ -+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.5.13/policy/modules/apps/livecd.if ---- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/livecd.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,56 @@ -+ -+## policy for livecd -+ -+######################################## -+## -+## Execute a domain transition to run livecd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`livecd_domtrans',` -+ gen_require(` -+ type livecd_t; -+ type livecd_exec_t; -+ ') -+ -+ domtrans_pattern($1, livecd_exec_t, livecd_t) -+') -+ -+ -+######################################## -+## -+## Execute livecd in the livecd domain, and -+## allow the specified role the livecd domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the livecd domain. -+## -+## -+## -+## -+## The type of the role's terminal. 
-+## -+## -+# -+interface(`livecd_run',` -+ gen_require(` -+ type livecd_t; -+ ') -+ -+ livecd_domtrans($1) -+ role $2 types livecd_t; -+ allow livecd_t $3:chr_file rw_term_perms; -+ -+ seutil_run_setfiles_mac(livecd_t, $2, $3) -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.5.13/policy/modules/apps/livecd.te ---- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/livecd.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,26 @@ -+policy_module(livecd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type livecd_t; -+type livecd_exec_t; -+application_domain(livecd_t, livecd_exec_t) -+role system_r types livecd_t; -+ -+######################################## -+# -+# livecd local policy -+# -+dontaudit livecd_t self:capability2 mac_admin; -+ -+unconfined_domain_noaudit(livecd_t) -+domain_ptrace_all_domains(livecd_t) -+ -+optional_policy(` -+ hal_dbus_chat(livecd_t) -+') -+ -+seutil_domtrans_setfiles_mac(livecd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.5.13/policy/modules/apps/loadkeys.te ---- nsaserefpolicy/policy/modules/apps/loadkeys.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/loadkeys.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/loadkeys.te 2008-11-11 16:22:03.000000000 -0500 @@ -32,7 +32,6 @@ term_dontaudit_use_console(loadkeys_t) term_use_unallocated_ttys(loadkeys_t) 
@@ -3250,8 +3136,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +unprivuser_dontaudit_list_home_dirs(loadkeys_t) +sysadm_dontaudit_list_home_dirs(loadkeys_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.5.13/policy/modules/apps/mono.if ---- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mono.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mono.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/mono.if 2008-11-11 16:22:03.000000000 -0500 @@ -21,7 +21,106 @@ ######################################## @@ -3370,8 +3256,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin($1) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.5.13/policy/modules/apps/mono.te ---- nsaserefpolicy/policy/modules/apps/mono.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mono.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mono.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/mono.te 2008-11-11 16:22:03.000000000 -0500 @@ -15,7 +15,7 @@ # Local policy # 
@@ -3390,8 +3276,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_rw_xdm_xserver_shm(mono_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.5.13/policy/modules/apps/mozilla.fc ---- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mozilla.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/mozilla.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,8 +1,8 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) -HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:ROLE_mozilla_home_t,s0) @@ -3421,8 +3307,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.5.13/policy/modules/apps/mozilla.if ---- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mozilla.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/mozilla.if 2008-11-11 16:22:03.000000000 -0500 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` 
@@ -3901,8 +3787,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $2 $1_mozilla_t:unix_stream_socket connectto; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.5.13/policy/modules/apps/mozilla.te ---- nsaserefpolicy/policy/modules/apps/mozilla.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mozilla.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mozilla.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/mozilla.te 2008-11-11 16:22:03.000000000 -0500 @@ -6,15 +6,20 @@ # Declarations # @@ -3932,8 +3818,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias mozilla_home_t alias user_mozilla_home_t; +typealias mozilla_tmp_t alias user_mozilla_tmp_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.5.13/policy/modules/apps/mplayer.fc ---- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mplayer.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/mplayer.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,13 +1,9 @@ # -# /etc 
@@ -3951,8 +3837,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:ROLE_mplayer_home_t,s0) +HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.5.13/policy/modules/apps/mplayer.if ---- nsaserefpolicy/policy/modules/apps/mplayer.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mplayer.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/mplayer.if 2008-11-11 16:22:03.000000000 -0500 @@ -34,7 +34,8 @@ # template(`mplayer_per_role_template',` @@ -4096,8 +3982,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($2, mplayer_home_t, mplayer_home_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.5.13/policy/modules/apps/mplayer.te ---- nsaserefpolicy/policy/modules/apps/mplayer.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/mplayer.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/mplayer.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/mplayer.te 2008-11-11 16:22:03.000000000 -0500 @@ -22,3 +22,7 @@ type mplayer_exec_t; corecmd_executable_file(mplayer_exec_t) 
@@ -4106,76 +3992,140 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type mplayer_home_t alias user_mplayer_rw_t; +userdom_user_home_content(user, mplayer_home_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc ---- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc 2008-10-28 10:57:58.000000000 -0400 -@@ -0,0 +1,11 @@ -+ -+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) -+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) -+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) -+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) -+ -+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) -+HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) -+HOME_DIR/\.gcjwebplugin(/.*)? 
gen_context(system_u:object_r:nsplugin_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if ---- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,297 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc +--- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -1,2 +1,4 @@ + + /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) ++/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) ++/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.5.13/policy/modules/apps/podsleuth.if +--- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.if 2008-11-11 16:22:03.000000000 -0500 +@@ -16,4 +16,38 @@ + ') + + domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) ++ allow $1 podsleuth_t:process signal; + ') + -+## policy for nsplugin + +######################################## +## -+## Create, read, write, and delete -+## nsplugin rw files. ++## Execute podsleuth in the podsleuth domain, and ++## allow the specified role the podsleuth domain. +## +## +## -+## Domain allowed access. 
++## Domain allowed access +## +## -+# -+interface(`nsplugin_manage_rw_files',` -+ gen_require(` -+ type nsplugin_rw_t; -+ ') -+ -+ allow $1 nsplugin_rw_t:file manage_file_perms; -+ allow $1 nsplugin_rw_t:dir rw_dir_perms; -+') -+ -+######################################## -+## -+## Manage nsplugin rw files. -+## -+## ++## +## -+## Domain allowed access. ++## The role to be allowed the podsleuth domain. ++## ++## ++## ++## ++## The type of the role's terminal. +## +## +# -+interface(`nsplugin_manage_rw',` ++interface(`podsleuth_run',` + gen_require(` -+ type nsplugin_rw_t; ++ type podsleuth_t; + ') + -+ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) -+ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) -+ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++ podsleuth_domtrans($1) ++ role $2 types podsleuth_t; ++ dontaudit podsleuth_t $3:chr_file rw_term_perms; +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.13/policy/modules/apps/podsleuth.te +--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.te 2008-11-11 16:22:03.000000000 -0500 +@@ -11,24 +11,55 @@ + application_domain(podsleuth_t, podsleuth_exec_t) + role system_r types podsleuth_t; + ++type podsleuth_tmp_t; ++files_tmp_file(podsleuth_tmp_t) ++ ++type podsleuth_cache_t; ++files_type(podsleuth_cache_t) ++ + ######################################## + # + # podsleuth local policy + # +- +-allow podsleuth_t self:process { signal getsched execheap execmem }; ++allow podsleuth_t self:capability { sys_admin sys_rawio }; ++allow podsleuth_t self:process { ptrace signal getsched execheap execmem }; + allow podsleuth_t self:fifo_file rw_file_perms; + allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; ++allow podsleuth_t self:sem create_sem_perms; ++allow podsleuth_t self:tcp_socket create_stream_socket_perms; 
++allow podsleuth_t self:udp_socket create_socket_perms; + + kernel_read_system_state(podsleuth_t) + ++corecmd_exec_bin(podsleuth_t) ++corenet_tcp_connect_http_port(podsleuth_t) ++ + dev_read_urand(podsleuth_t) + + files_read_etc_files(podsleuth_t) + ++fs_mount_dos_fs(podsleuth_t) ++fs_unmount_dos_fs(podsleuth_t) ++fs_getattr_dos_fs(podsleuth_t) ++fs_read_dos_files(podsleuth_t) ++fs_search_dos(podsleuth_t) ++ ++allow podsleuth_t podsleuth_tmp_t:dir mounton; ++manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) ++files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) ++manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) ++ ++manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) ++manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) ++files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) ++ ++storage_raw_rw_fixed_disk(podsleuth_t) ++ + libs_use_ld_so(podsleuth_t) + libs_use_shared_libs(podsleuth_t) + ++sysnet_dns_name_resolve(podsleuth_t) ++ + miscfiles_read_localization(podsleuth_t) + + dbus_system_bus_client_template(podsleuth, podsleuth_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.5.13/policy/modules/apps/qemu.fc +--- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/qemu.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -1,2 +1,4 @@ + /usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) ++ ++/var/cache/libvirt(/.*)? 
-- gen_context(system_u:object_r:qemu_cache_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.13/policy/modules/apps/qemu.if +--- nsaserefpolicy/policy/modules/apps/qemu.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/qemu.if 2008-11-11 16:22:03.000000000 -0500 +@@ -48,6 +48,91 @@ + allow qemu_t $3:chr_file rw_file_perms; + ') + +####################################### +## -+## The per role template for the nsplugin module. ++## The per role template for the qemu module. +## +## +##

+## This template creates a derived domains which are used -+## for nsplugin web browser. ++## for qemu web browser. +##

+##

+## This template is invoked automatically for each user, and 
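Review bot: The new podsleuth.te rules hand a hal-launched device prober raw write access to every fixed disk — `storage_raw_rw_fixed_disk(podsleuth_t)` together with `allow podsleuth_t self:capability { sys_admin sys_rawio };` — so a parsing bug in podsleuth on a hostile device (the domain also gains `corecmd_exec_bin` and `corenet_tcp_connect_http_port`) becomes a route to overwriting the system disk rather than a contained failure. If the media it probes enumerate as removable devices, as USB-attached players presumably do, the storage module's removable-device interfaces (`storage_raw_read_removable_device` / `storage_raw_write_removable_device`, or the read-only one alone if nothing is written) bound the damage; if the fixed-disk variant is genuinely required, a why-comment above that line naming the device path that forces it should be added, since none of the new podsleuth rules carry any rationale. A second, smaller issue is the qemu.fc entry `/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0)`: the `--` restricts the match to regular files, so /var/cache/libvirt itself and any subdirectory keep the parent label, unlike the podsleuth.fc line in the same hunk that omits it; drop the `--` so the directory is labeled qemu_cache_t as well. The qemu.if per-role template that starts at the end of this hunk continues outside it.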
@@ -4200,66 +4150,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+template(`nsplugin_per_role_template_notrans',` ++template(`qemu_per_role_template_notrans',` + gen_require(` -+ type nsplugin_rw_t; -+ type nsplugin_home_t; -+ type nsplugin_exec_t; -+ type nsplugin_config_exec_t; -+ type nsplugin_t; -+ type nsplugin_config_t; ++ type qemu_t; + ') + -+ role $3 types nsplugin_t; -+ role $3 types nsplugin_config_t; -+ -+ allow nsplugin_t $2:process signull; -+ -+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) -+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) -+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) -+ can_exec($2, nsplugin_rw_t) -+ -+ #Leaked File Descriptors -+ dontaudit nsplugin_t $2:tcp_socket rw_socket_perms; -+ dontaudit nsplugin_t $2:udp_socket rw_socket_perms; -+ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms; -+ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms; -+ dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms; -+ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms; -+ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms; -+ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms; -+ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms; -+ dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms; -+ allow nsplugin_t $2:unix_stream_socket connectto; -+ dontaudit nsplugin_t $2:process ptrace; -+ -+ allow $2 nsplugin_t:process { getattr ptrace signal_perms }; -+ allow $2 nsplugin_t:unix_stream_socket connectto; -+ -+ # Connect to pulseaudit server -+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) -+ gnome_stream_connect(nsplugin_t, $2) -+ -+ userdom_use_user_terminals($1, nsplugin_t) -+ userdom_use_user_terminals($1, nsplugin_config_t) -+ userdom_dontaudit_setattr_user_home_content_files($1, nsplugin_t) -+ -+ optional_policy(` -+ dbus_dontaudit_connectto_user_bus($1, nsplugin_t) -+ ') ++ role $3 types 
qemu_t; + -+ xserver_common_app($1, nsplugin_t) ++ xserver_common_app($1, qemu_t) +') + +####################################### +##

-+## The per role template for the nsplugin module. ++## The per role template for the qemu module. +## +## +##

+## This template creates a derived domains which are used -+## for nsplugin web browser. ++## for qemu web browser. +##

+##

+## This template is invoked automatically for each user, and @@ -4284,821 +4192,70 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+template(`nsplugin_per_role_template',` ++template(`qemu_per_role_template',` + gen_require(` -+ type nsplugin_exec_t; -+ type nsplugin_config_exec_t; -+ type nsplugin_t; -+ type nsplugin_config_t; ++ type qemu_exec_t; + ') ++ ++ qemu_per_role_template_notrans($1, $2, $3) ++ ++ domtrans_pattern($2, qemu_exec_t, qemu_t) ++ domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) ++ ') + -+ nsplugin_per_role_template_notrans($1, $2, $3) -+ -+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) -+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) + ######################################## + ##
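Review bot: The description of `qemu_per_role_template` on the new side ("This template creates a derived domains which are used for qemu web browser") is the nsplugin wording with the module name swapped in; the template body in the next hunk only calls `qemu_per_role_template_notrans` and sets up a domain transition into `qemu_t`, and no derived per-user domain is created anywhere in view. Suggest replacing it with `## Allow the user domain to transition into qemu_t when executing qemu_exec_t, and authorize the role for qemu_t.` The same copied sentence appears in the `_notrans` description just above this hunk. The `_notrans` body here reads only `$1` and `$3`, so if its parameter block (outside this hunk) still documents `$2` as "The type of the user domain", that entry is unused and worth trimming.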

+ ## Allow the domain to read state files in /proc. +@@ -68,6 +153,64 @@ + + ######################################## + ## ++## Set the schedule on qemu. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qemu_setsched',` ++ gen_require(` ++ type qemu_t; ++ ') ++ ++ allow $1 qemu_t:process setsched; +') + -+####################################### ++######################################## +## -+## The per role template for the nsplugin module. ++## Execute qemu_exec_t ++## in the specified domain but do not ++## do it automatically. This is an explicit ++## transition, requiring the caller to use setexeccon(). +## +## +##

-+## This template creates a derived domains which are used -+## for nsplugin web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. ++## Execute qemu_exec_t ++## in the specified domain. This allows ++## the specified domain to qemu programs ++## on these filesystems in the specified ++## domain. +##

+##
-+## ++## +## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). ++## Domain allowed access. +## +## -+## ++## +## -+## The type of the user domain. ++## The type of the new process. +## +## +# -+interface(`nsplugin_domtrans_user',` ++interface(`qemu_spec_domtrans',` + gen_require(` -+ type nsplugin_exec_t; -+ type nsplugin_t; -+ ') -+ -+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) -+') -+####################################### -+## -+## The per role template for the nsplugin module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for nsplugin web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+interface(`nsplugin_domtrans_user_config',` -+ gen_require(` -+ type nsplugin_config_exec_t; -+ type nsplugin_config_t; -+ ') -+ -+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) -+') -+ -+######################################## -+## -+## Search nsplugin rw directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`nsplugin_search_rw_dir',` -+ gen_require(` -+ type nsplugin_rw_t; -+ ') -+ -+ allow $1 nsplugin_rw_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Read nsplugin rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`nsplugin_read_rw_files',` -+ gen_require(` -+ type nsplugin_rw_t; -+ ') -+ -+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) -+') -+ -+######################################## -+## -+## Exec nsplugin rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`nsplugin_rw_exec',` -+ gen_require(` -+ type nsplugin_rw_t; -+ ') -+ -+ can_exec($1, nsplugin_rw_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te ---- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-11-10 10:40:02.000000000 -0500 -@@ -0,0 +1,274 @@ -+ -+policy_module(nsplugin, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+## -+##

-+## Allow nsplugin code to execmem/execstack -+##

-+##
-+gen_tunable(allow_nsplugin_execmem, false) -+ -+type nsplugin_exec_t; -+application_executable_file(nsplugin_exec_t) -+ -+type nsplugin_config_exec_t; -+application_executable_file(nsplugin_config_exec_t) -+ -+type nsplugin_rw_t; -+files_type(nsplugin_rw_t) -+ -+type nsplugin_tmp_t; -+files_tmp_file(nsplugin_tmp_t) -+ -+type nsplugin_home_t; -+files_poly_member(nsplugin_home_t) -+userdom_user_home_content(user, nsplugin_home_t) -+typealias nsplugin_home_t alias user_nsplugin_home_t; -+ -+type nsplugin_t; -+domain_type(nsplugin_t) -+domain_entry_file(nsplugin_t, nsplugin_exec_t) -+ -+type nsplugin_config_t; -+domain_type(nsplugin_config_t) -+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t) -+ -+application_executable_file(nsplugin_exec_t) -+application_executable_file(nsplugin_config_exec_t) -+ -+ -+######################################## -+# -+# nsplugin local policy -+# -+dontaudit nsplugin_t self:capability sys_tty_config; -+allow nsplugin_t self:fifo_file rw_file_perms; -+allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms }; -+ -+allow nsplugin_t self:sem create_sem_perms; -+allow nsplugin_t self:shm create_shm_perms; -+allow nsplugin_t self:msgq create_msgq_perms; -+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; -+allow nsplugin_t self:unix_dgram_socket create_socket_perms; -+ -+tunable_policy(`allow_nsplugin_execmem',` -+ allow nsplugin_t self:process { execstack execmem }; -+ allow nsplugin_config_t self:process { execstack execmem }; -+') -+ -+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) -+userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir}) -+userdom_user_home_content_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir}) 
-+unprivuser_dontaudit_write_home_content_files(nsplugin_t) -+userdom_manage_tmpfs(nsplugin_t) -+ -+corecmd_exec_bin(nsplugin_t) -+corecmd_exec_shell(nsplugin_t) -+ -+corenet_all_recvfrom_unlabeled(nsplugin_t) -+corenet_all_recvfrom_netlabel(nsplugin_t) -+corenet_tcp_connect_flash_port(nsplugin_t) -+corenet_tcp_connect_streaming_port(nsplugin_t) -+corenet_tcp_connect_pulseaudio_port(nsplugin_t) -+corenet_tcp_connect_http_port(nsplugin_t) -+corenet_tcp_connect_http_cache_port(nsplugin_t) -+corenet_tcp_sendrecv_generic_if(nsplugin_t) -+corenet_tcp_sendrecv_all_nodes(nsplugin_t) -+corenet_tcp_connect_ipp_port(nsplugin_t) -+ -+domain_dontaudit_read_all_domains_state(nsplugin_t) -+ -+dev_read_rand(nsplugin_t) -+dev_read_sound(nsplugin_t) -+dev_write_sound(nsplugin_t) -+dev_read_video_dev(nsplugin_t) -+dev_write_video_dev(nsplugin_t) -+dev_getattr_dri_dev(nsplugin_t) -+dev_rwx_zero(nsplugin_t) -+ -+kernel_read_kernel_sysctls(nsplugin_t) -+kernel_read_system_state(nsplugin_t) -+ -+files_dontaudit_getattr_lost_found_dirs(nsplugin_t) -+files_dontaudit_list_home(nsplugin_t) -+files_read_usr_files(nsplugin_t) -+files_read_etc_files(nsplugin_t) -+files_read_config_files(nsplugin_t) -+ -+fs_list_inotifyfs(nsplugin_t) -+fs_getattr_tmpfs(nsplugin_t) -+fs_getattr_xattr_fs(nsplugin_t) -+fs_search_auto_mountpoints(nsplugin_t) -+fs_rw_anon_inodefs_files(nsplugin_t) -+ -+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) -+ -+term_dontaudit_getattr_all_user_ptys(nsplugin_t) -+term_dontaudit_getattr_all_user_ttys(nsplugin_t) -+ -+auth_use_nsswitch(nsplugin_t) -+ -+libs_use_ld_so(nsplugin_t) -+libs_use_shared_libs(nsplugin_t) -+libs_exec_ld_so(nsplugin_t) -+ -+miscfiles_read_localization(nsplugin_t) -+miscfiles_read_fonts(nsplugin_t) -+ -+unprivuser_manage_tmp_dirs(nsplugin_t) -+unprivuser_manage_tmp_files(nsplugin_t) -+unprivuser_manage_tmp_sockets(nsplugin_t) -+userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file }) -+unprivuser_read_tmpfs_files(nsplugin_t) 
-+unprivuser_rw_semaphores(nsplugin_t) -+unprivuser_delete_tmpfs_files(nsplugin_t) -+ -+unprivuser_read_home_content_symlinks(nsplugin_t) -+unprivuser_read_home_content_files(nsplugin_t) -+unprivuser_read_tmp_files(nsplugin_t) -+userdom_write_user_tmp_sockets(user, nsplugin_t) -+unprivuser_dontaudit_append_home_content_files(nsplugin_t) -+userdom_dontaudit_unlink_unpriv_home_content_files(nsplugin_t) -+userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t) -+ -+optional_policy(` -+ alsa_read_rw_config(nsplugin_t) -+') -+ -+optional_policy(` -+ cups_stream_connect(nsplugin_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client_template(nsplugin, nsplugin_t) -+') -+ -+optional_policy(` -+ gnome_exec_gconf(nsplugin_t) -+ gnome_manage_user_gnome_config(user, nsplugin_t) -+ gnome_read_gconf_home_files(nsplugin_t) -+ allow nsplugin_t gnome_home_t:sock_file write; -+') -+ -+optional_policy(` -+ mozilla_read_user_home_files(user, nsplugin_t) -+ mozilla_write_user_home_files(user, nsplugin_t) -+') -+ -+optional_policy(` -+ mplayer_exec(nsplugin_t) -+ mplayer_read_user_home_files(user, nsplugin_t) -+') -+ -+optional_policy(` -+ unconfined_execmem_signull(nsplugin_t) -+ unconfined_delete_tmpfs_files(nsplugin_t) -+') -+ -+optional_policy(` -+ xserver_stream_connect_xdm(nsplugin_t) -+ xserver_stream_connect_xdm_xserver(nsplugin_t) -+ xserver_rw_xdm_xserver_shm(nsplugin_t) -+ xserver_read_xdm_tmp_files(nsplugin_t) -+ xserver_read_xdm_pid(nsplugin_t) -+ xserver_read_user_xauth(user, nsplugin_t) -+ xserver_read_user_iceauth(user, nsplugin_t) -+ xserver_use_user_fonts(user, nsplugin_t) -+ xserver_manage_home_fonts(nsplugin_t) -+ xserver_dontaudit_rw_xdm_home_files(nsplugin_t) -+') -+ -+######################################## -+# -+# nsplugin_config local policy -+# -+ -+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; -+allow nsplugin_config_t self:process { setsched sigkill getsched execmem }; -+#execing pulseaudio -+dontaudit 
nsplugin_t self:process { getcap setcap }; -+ -+allow nsplugin_config_t self:fifo_file rw_file_perms; -+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; -+ -+fs_list_inotifyfs(nsplugin_config_t) -+fs_search_auto_mountpoints(nsplugin_config_t) -+ -+can_exec(nsplugin_config_t, nsplugin_rw_t) -+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) -+ -+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) -+ -+corecmd_exec_bin(nsplugin_config_t) -+corecmd_exec_shell(nsplugin_config_t) -+ -+kernel_read_system_state(nsplugin_config_t) -+ -+files_read_etc_files(nsplugin_config_t) -+files_read_usr_files(nsplugin_config_t) -+files_dontaudit_search_home(nsplugin_config_t) -+files_list_tmp(nsplugin_config_t) -+ -+auth_use_nsswitch(nsplugin_config_t) -+ -+libs_use_ld_so(nsplugin_config_t) -+libs_use_shared_libs(nsplugin_config_t) -+ -+miscfiles_read_localization(nsplugin_config_t) -+miscfiles_read_fonts(nsplugin_config_t) -+ -+userdom_search_all_users_home_content(nsplugin_config_t) -+unprivuser_read_home_content_files(nsplugin_config_t) -+ -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(nsplugin_t) -+ fs_manage_nfs_files(nsplugin_t) -+ fs_read_nfs_symlinks(nsplugin_t) -+ fs_manage_nfs_named_pipes(nsplugin_t) -+ fs_manage_nfs_dirs(nsplugin_config_t) -+ fs_manage_nfs_files(nsplugin_config_t) -+ fs_manage_nfs_named_pipes(nsplugin_config_t) -+ fs_read_nfs_symlinks(nsplugin_config_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(nsplugin_t) -+ fs_manage_cifs_files(nsplugin_t) -+ fs_read_cifs_symlinks(nsplugin_t) -+ fs_manage_cifs_named_pipes(nsplugin_t) -+ 
fs_manage_cifs_dirs(nsplugin_config_t) -+ fs_manage_cifs_files(nsplugin_config_t) -+ fs_manage_cifs_named_pipes(nsplugin_config_t) -+ fs_read_cifs_symlinks(nsplugin_config_t) -+') -+ -+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t) -+ -+optional_policy(` -+ xserver_read_home_fonts(nsplugin_config_t) -+') -+ -+optional_policy(` -+ mozilla_read_user_home_files(user, nsplugin_config_t) -+') -+ -+optional_policy(` -+ gen_require(` -+ type unconfined_mono_t; -+ ') -+ allow nsplugin_t unconfined_mono_t:process signull; -+') -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.13/policy/modules/apps/openoffice.fc ---- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,3 @@ -+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) -+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.5.13/policy/modules/apps/openoffice.if ---- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,106 @@ -+## Openoffice -+ -+####################################### -+## -+## The per role template for the openoffice module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for openoffice plugins that are executed by a browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+interface(`openoffice_plugin_per_role_template',` -+ gen_require(` -+ type openoffice_exec_t; -+ type $1_openoffice_t; -+ ') -+ -+ ######################################## -+ # -+ # Local policy -+ # -+ -+ domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t) -+ allow $2 $1_openoffice_t:process { signal sigkill }; -+') -+ -+####################################### -+## -+## The per role template for the openoffice module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for openoffice applications. -+##

-+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`openoffice_per_role_template',` -+ gen_require(` -+ type openoffice_exec_t; -+ ') -+ -+ type $1_openoffice_t; -+ domain_type($1_openoffice_t) -+ domain_entry_file($1_openoffice_t, openoffice_exec_t) -+ role $3 types $1_openoffice_t; -+ -+ domain_interactive_fd($1_openoffice_t) -+ -+ userdom_unpriv_usertype($1, $1_openoffice_t) -+ userdom_exec_user_home_content_files($1, $1_openoffice_t) -+ -+ allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack }; -+ -+ allow $2 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; -+ allow $1_openoffice_t $2:tcp_socket { read write }; -+ -+ domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t) -+ -+ dev_read_urand($1_openoffice_t) -+ dev_read_rand($1_openoffice_t) -+ -+ fs_dontaudit_rw_tmpfs_files($1_openoffice_t) -+ -+ allow $2 $1_openoffice_t:process { signal sigkill }; -+ allow $1_openoffice_t $2:unix_stream_socket connectto; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.5.13/policy/modules/apps/openoffice.te ---- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/openoffice.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,14 @@ -+ -+policy_module(openoffice, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type openoffice_t; -+type openoffice_exec_t; -+application_domain(openoffice_t, openoffice_exec_t) -+ -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc ---- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-08-07 
11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,2 +1,4 @@ - - /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) -+/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) -+/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.5.13/policy/modules/apps/podsleuth.if ---- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.if 2008-10-28 10:56:19.000000000 -0400 -@@ -16,4 +16,38 @@ - ') - - domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) -+ allow $1 podsleuth_t:process signal; - ') -+ -+ -+######################################## -+## -+## Execute podsleuth in the podsleuth domain, and -+## allow the specified role the podsleuth domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the podsleuth domain. -+## -+## -+## -+## -+## The type of the role's terminal. 
-+## -+## -+# -+interface(`podsleuth_run',` -+ gen_require(` -+ type podsleuth_t; -+ ') -+ -+ podsleuth_domtrans($1) -+ role $2 types podsleuth_t; -+ dontaudit podsleuth_t $3:chr_file rw_term_perms; -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.13/policy/modules/apps/podsleuth.te ---- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.te 2008-10-28 10:56:19.000000000 -0400 -@@ -11,24 +11,55 @@ - application_domain(podsleuth_t, podsleuth_exec_t) - role system_r types podsleuth_t; - -+type podsleuth_tmp_t; -+files_tmp_file(podsleuth_tmp_t) -+ -+type podsleuth_cache_t; -+files_type(podsleuth_cache_t) -+ - ######################################## - # - # podsleuth local policy - # -- --allow podsleuth_t self:process { signal getsched execheap execmem }; -+allow podsleuth_t self:capability { sys_admin sys_rawio }; -+allow podsleuth_t self:process { ptrace signal getsched execheap execmem }; - allow podsleuth_t self:fifo_file rw_file_perms; - allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; -+allow podsleuth_t self:sem create_sem_perms; -+allow podsleuth_t self:tcp_socket create_stream_socket_perms; -+allow podsleuth_t self:udp_socket create_socket_perms; - - kernel_read_system_state(podsleuth_t) - -+corecmd_exec_bin(podsleuth_t) -+corenet_tcp_connect_http_port(podsleuth_t) -+ - dev_read_urand(podsleuth_t) - - files_read_etc_files(podsleuth_t) - -+fs_mount_dos_fs(podsleuth_t) -+fs_unmount_dos_fs(podsleuth_t) -+fs_getattr_dos_fs(podsleuth_t) -+fs_read_dos_files(podsleuth_t) -+fs_search_dos(podsleuth_t) -+ -+allow podsleuth_t podsleuth_tmp_t:dir mounton; -+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) -+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) -+manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) -+ 
-+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) -+manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) -+files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) -+ -+storage_raw_rw_fixed_disk(podsleuth_t) -+ - libs_use_ld_so(podsleuth_t) - libs_use_shared_libs(podsleuth_t) - -+sysnet_dns_name_resolve(podsleuth_t) -+ - miscfiles_read_localization(podsleuth_t) - - dbus_system_bus_client_template(podsleuth, podsleuth_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.5.13/policy/modules/apps/qemu.fc ---- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -1,2 +1,4 @@ - /usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) - /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) -+ -+/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.13/policy/modules/apps/qemu.if ---- nsaserefpolicy/policy/modules/apps/qemu.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.if 2008-10-28 10:56:19.000000000 -0400 -@@ -48,6 +48,91 @@ - allow qemu_t $3:chr_file rw_file_perms; - ') - -+####################################### -+## -+## The per role template for the qemu module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for qemu web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`qemu_per_role_template_notrans',` -+ gen_require(` -+ type qemu_t; -+ ') -+ -+ role $3 types qemu_t; -+ -+ xserver_common_app($1, qemu_t) -+') -+ -+####################################### -+## -+## The per role template for the qemu module. -+## -+## -+##

-+## This template creates a derived domains which are used -+## for qemu web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The type of the user domain. -+## -+## -+## -+## -+## The role associated with the user domain. -+## -+## -+# -+template(`qemu_per_role_template',` -+ gen_require(` -+ type qemu_exec_t; -+ ') -+ -+ qemu_per_role_template_notrans($1, $2, $3) -+ -+ domtrans_pattern($2, qemu_exec_t, qemu_t) -+ domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) -+ ') -+ - ######################################## - ## - ## Allow the domain to read state files in /proc. -@@ -68,6 +153,64 @@ - - ######################################## - ## -+## Set the schedule on qemu. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`qemu_setsched',` -+ gen_require(` -+ type qemu_t; -+ ') -+ -+ allow $1 qemu_t:process setsched; -+') -+ -+######################################## -+## -+## Execute qemu_exec_t -+## in the specified domain but do not -+## do it automatically. This is an explicit -+## transition, requiring the caller to use setexeccon(). -+## -+## -+##

-+## Execute qemu_exec_t -+## in the specified domain. This allows -+## the specified domain to qemu programs -+## on these filesystems in the specified -+## domain. -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the new process. -+## -+## -+# -+interface(`qemu_spec_domtrans',` -+ gen_require(` -+ type qemu_exec_t; ++ type qemu_exec_t; + ') + + read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) @@ -5328,8 +4485,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te ---- nsaserefpolicy/policy/modules/apps/qemu.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-10 09:31:53.000000000 -0500 +--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-11 16:22:03.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # 
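Review bot: `qemu_per_role_template` on the new side ends with `domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)`, but its `gen_require` declares only `type qemu_exec_t;` and no `qemu_config_exec_t` or `qemu_config_t` type is declared anywhere in view; this looks like a leftover from the nsplugin template's `nsplugin_config_*` transition and should fail policy compilation unless those types are declared elsewhere in the qemu module. Either drop that line, leaving `domtrans_pattern($2, qemu_exec_t, qemu_t)` as the only transition, or add both types to the `gen_require` block so the dependency is explicit. The summary of `qemu_spec_domtrans` ("the specified domain to qemu programs on these filesystems") is also copied text; `## Execute qemu_exec_t in the specified domain via an explicit setexeccon() transition.` would describe what it does. The body of `qemu_spec_domtrans` continues past the end of this hunk.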
@@ -5473,87 +4630,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # qemu_unconfined local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.5.13/policy/modules/apps/sambagui.fc ---- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.fc 2008-11-04 09:44:32.000000000 -0500 -@@ -0,0 +1,4 @@ -+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) -+ -+ -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.5.13/policy/modules/apps/sambagui.if ---- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.if 2008-11-04 10:25:22.000000000 -0500 -@@ -0,0 +1,2 @@ -+## system-config-samba policy -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.5.13/policy/modules/apps/sambagui.te ---- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te 2008-11-04 10:21:56.000000000 -0500 -@@ -0,0 +1,60 @@ -+policy_module(sambagui,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type sambagui_t; -+type sambagui_exec_t; -+ -+dbus_system_domain(sambagui_t, sambagui_exec_t) -+ -+######################################## -+# -+# system-config-samba local policy -+# -+ -+allow sambagui_t self:fifo_file rw_fifo_file_perms; -+ -+# handling with samba conf files -+samba_append_log(sambagui_t) -+samba_manage_config(sambagui_t) -+samba_manage_var_files(sambagui_t) -+samba_initrc_domtrans(sambagui_t) -+samba_domtrans_smb(sambagui_t) 
-+samba_domtrans_nmb(sambagui_t) -+ -+# execut apps of system-config-samba -+corecmd_exec_shell(sambagui_t) -+corecmd_exec_bin(sambagui_t) -+ -+files_read_etc_files(sambagui_t) -+files_search_var_lib(sambagui_t) -+files_search_usr(sambagui_t) -+ -+fs_list_inotifyfs(sambagui_t) -+ -+libs_use_ld_so(sambagui_t) -+libs_use_shared_libs(sambagui_t) -+ -+# reading shadow by pdbedit -+#auth_read_shadow(sambagui_t) -+ -+miscfiles_read_localization(sambagui_t) -+ -+# read meminfo -+kernel_read_system_state(sambagui_t) -+ -+dev_dontaudit_read_urand(sambagui_t) -+nscd_dontaudit_search_pid(sambagui_t) -+ -+optional_policy(` -+ consoletype_exec(sambagui_t) -+') -+ -+optional_policy(` -+ polkit_dbus_chat(sambagui_t) -+') -+ -+permissive sambagui_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.13/policy/modules/apps/screen.fc ---- nsaserefpolicy/policy/modules/apps/screen.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/screen.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/screen.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,7 +1,7 @@ # # /home @@ -5564,8 +4643,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.5.13/policy/modules/apps/screen.if ---- nsaserefpolicy/policy/modules/apps/screen.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/screen.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/screen.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/screen.if 2008-11-11 16:22:03.000000000 -0500 @@ -35,6 +35,7 @@ template(`screen_per_role_template',` gen_require(` 
@@ -5619,8 +4698,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state($1_screen_t) kernel_read_kernel_sysctls($1_screen_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.5.13/policy/modules/apps/screen.te ---- nsaserefpolicy/policy/modules/apps/screen.te 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/screen.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/screen.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/screen.te 2008-11-11 16:22:03.000000000 -0500 @@ -11,3 +11,7 @@ type screen_exec_t; 
@@ -5629,9 +4708,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type user_screen_ro_home_t; +userdom_user_home_content(user, user_screen_ro_home_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.5.13/policy/modules/apps/slocate.te +--- nsaserefpolicy/policy/modules/apps/slocate.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/slocate.te 2008-11-13 11:45:45.000000000 -0500 +@@ -22,7 +22,7 @@ + # + + allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; +-allow locate_t self:process { execmem execheap execstack }; ++allow locate_t self:process { execmem execheap execstack signal }; + allow locate_t self:fifo_file rw_fifo_file_perms; + allow locate_t self:unix_stream_socket create_socket_perms; + +@@ -46,6 +46,8 @@ + + fs_getattr_all_fs(locate_t) + fs_getattr_all_files(locate_t) ++fs_getattr_all_pipes(locate_t) ++fs_getattr_all_symlinks(locate_t) + fs_list_all(locate_t) + fs_list_inotifyfs(locate_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc ---- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc 2008-11-11 16:22:03.000000000 -0500 @@ -3,4 +3,4 @@ # /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) 
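Review bot: The slocate.te hunk widens `locate_t`'s self `process` permissions with `signal` and adds `fs_getattr_all_pipes`/`fs_getattr_all_symlinks`, but neither the hunk nor the commit description says which denial motivated it, and the description does not mention slocate at all. A one-line comment above the changed allow rule, e.g. `# signal on self: <reason or AVC that motivated this> — TODO fill in`, would keep the grant reviewable, and the commit message should list the slocate change alongside the others. The two new `fs_getattr_*` calls sit naturally next to the existing `fs_getattr_all_fs`/`fs_getattr_all_files` and are the less surprising part of the change.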
@@ -5639,8 +4739,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0) +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.5.13/policy/modules/apps/thunderbird.if ---- nsaserefpolicy/policy/modules/apps/thunderbird.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/thunderbird.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.if 2008-11-11 16:22:03.000000000 -0500 @@ -43,9 +43,9 @@ application_domain($1_thunderbird_t, thunderbird_exec_t) role $3 types $1_thunderbird_t; @@ -5713,8 +4813,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_content_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir }) ',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.5.13/policy/modules/apps/thunderbird.te ---- nsaserefpolicy/policy/modules/apps/thunderbird.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/thunderbird.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.te 2008-11-11 16:22:03.000000000 -0500 @@ -8,3 +8,7 @@ type thunderbird_exec_t; 
@@ -5724,8 +4824,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_user_home_content(user, user_thunderbird_home_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.5.13/policy/modules/apps/tvtime.if ---- nsaserefpolicy/policy/modules/apps/tvtime.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/tvtime.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/tvtime.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/tvtime.if 2008-11-11 16:22:03.000000000 -0500 @@ -35,6 +35,7 @@ template(`tvtime_per_role_template',` gen_require(` @@ -5794,8 +4894,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the user domain to signal/ps. ps_process_pattern($2,$1_tvtime_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.5.13/policy/modules/apps/tvtime.te ---- nsaserefpolicy/policy/modules/apps/tvtime.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/tvtime.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/tvtime.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/tvtime.te 2008-11-11 16:22:03.000000000 -0500 @@ -11,3 +11,9 @@ type tvtime_dir_t; 
@@ -5807,8 +4907,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type user_tvtime_tmp_t; +files_tmp_file(user_tvtime_tmp_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.5.13/policy/modules/apps/uml.fc ---- nsaserefpolicy/policy/modules/apps/uml.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/uml.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/uml.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/uml.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,7 +1,7 @@ # # HOME_DIR/ @@ -5819,8 +4919,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.5.13/policy/modules/apps/vmware.fc ---- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/vmware.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/vmware.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,9 +1,9 @@ # # HOME_DIR/ 
@@ -5880,8 +4980,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.5.13/policy/modules/apps/vmware.if ---- nsaserefpolicy/policy/modules/apps/vmware.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/vmware.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/vmware.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/vmware.if 2008-11-11 16:22:03.000000000 -0500 @@ -47,11 +47,8 @@ domain_entry_file($1_vmware_t, vmware_exec_t) role $3 types $1_vmware_t; @@ -5912,8 +5012,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_vmware_t $1_vmware_tmp_t:file execute; manage_dirs_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.5.13/policy/modules/apps/vmware.te ---- nsaserefpolicy/policy/modules/apps/vmware.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/vmware.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/vmware.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/vmware.te 2008-11-11 16:22:03.000000000 -0500 @@ -10,6 +10,9 @@ type vmware_exec_t; corecmd_executable_file(vmware_exec_t) 
@@ -5957,27 +5057,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.5.13/policy/modules/apps/webalizer.te ---- nsaserefpolicy/policy/modules/apps/webalizer.te 2008-10-16 17:21:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/webalizer.te 2008-10-28 19:20:51.000000000 -0400 -@@ -68,6 +68,7 @@ +--- nsaserefpolicy/policy/modules/apps/webalizer.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/webalizer.te 2008-11-12 09:04:37.000000000 -0500 +@@ -68,6 +68,8 @@ fs_search_auto_mountpoints(webalizer_t) fs_getattr_xattr_fs(webalizer_t) +fs_rw_anon_inodefs_files(webalizer_t) ++fs_list_inotifyfs(webalizer_t) files_read_etc_files(webalizer_t) files_read_etc_runtime_files(webalizer_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.5.13/policy/modules/apps/wine.fc ---- nsaserefpolicy/policy/modules/apps/wine.fc 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/wine.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/wine.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/wine.fc 2008-11-11 16:22:03.000000000 -0500 
@@ -2,3 +2,4 @@ /opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.13/policy/modules/apps/wine.if ---- nsaserefpolicy/policy/modules/apps/wine.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/wine.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/wine.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/wine.if 2008-11-11 16:22:03.000000000 -0500 @@ -49,3 +49,53 @@ role $2 types wine_t; allow wine_t $3:chr_file rw_term_perms; @@ -6033,252 +5134,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.5.13/policy/modules/apps/wine.te ---- nsaserefpolicy/policy/modules/apps/wine.te 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/wine.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/apps/wine.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/wine.te 2008-11-11 16:22:03.000000000 -0500 
@@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; application_domain(wine_t, wine_exec_t) -+role system_r types wine_t; - - ######################################## - # -@@ -17,10 +18,17 @@ - - optional_policy(` - allow wine_t self:process { execstack execmem execheap }; -+ domain_mmap_low_type(wine_t) -+ domain_mmap_low(wine_t) - unconfined_domain_noaudit(wine_t) - files_execmod_all_files(wine_t) - -+') -+ - optional_policy(` - hal_dbus_chat(wine_t) - ') -+ -+optional_policy(` -+ xserver_rw_xdm_xserver_shm(wine_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.if serefpolicy-3.5.13/policy/modules/apps/wireshark.if ---- nsaserefpolicy/policy/modules/apps/wireshark.if 2008-08-07 11:15:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/wireshark.if 2008-10-28 10:56:19.000000000 -0400 -@@ -134,7 +134,7 @@ - - sysnet_read_config($1_wireshark_t) - -- userdom_manage_user_home_content_files($1, $1_wireshark_t) -+ unprivuser_manage_home_content_files($1_wireshark_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_wireshark_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.5.13/policy/modules/apps/wm.fc ---- nsaserefpolicy/policy/modules/apps/wm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/wm.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,3 @@ -+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) -+/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) -+/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.5.13/policy/modules/apps/wm.if ---- nsaserefpolicy/policy/modules/apps/wm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/wm.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,178 @@ -+## 
Window Manager. -+ -+####################################### -+## -+## Template to create types and rules common to -+## any window manager domains. -+## -+## -+## -+## The prefix of the domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## The prefix of the X server domain (e.g., user -+## is the prefix for user_t). -+## -+## -+# -+template(`wm_domain_template',` -+ gen_require(` -+ type wm_exec_t; -+ type xserver_exec_t; -+ type tmpfs_t; -+ type proc_t; -+ type security_t, selinux_config_t; -+ type $1_t; -+ type $1_tmp_t; -+ type info_xproperty_t, xselection_t; -+ type $2_t, $2_xproperty_t, $2_input_xevent_t, $2_manage_xevent_t, $2_property_xevent_t; -+ type $2_focus_xevent_t, $2_client_xevent_t; -+ type $2_rootwindow_t, $2_xserver_t, $2_xserver_tmp_t; -+ type $1_xproperty_t; -+ type memory_device_t; -+ type output_xext_t; -+ type security_xext_t; -+ type $1_home_t; -+ type $1_tty_device_t; -+ type shell_exec_t; -+ type default_t; -+ type home_root_t; -+ type $1_home_dir_t; -+ type $2_home_t; -+ -+ class x_colormap all_x_colormap_perms; -+ class x_device all_x_device_perms; -+ class x_drawable all_x_drawable_perms; -+ class x_property all_x_property_perms; -+ class x_server all_x_server_perms; -+ class x_resource all_x_resource_perms; -+ class x_screen all_x_screen_perms; -+ class x_synthetic_event all_x_synthetic_event_perms; -+ class x_event all_x_event_perms; -+ class x_selection all_x_selection_perms; -+ class x_extension all_x_extension_perms; -+ attribute $1_x_domain; -+ ') -+ -+ type $1_wm_t; -+ domain_type($1_wm_t) -+ domain_entry_file($1_wm_t,wm_exec_t) -+ role $1_r types $1_wm_t; -+ -+ domtrans_pattern($1_t, wm_exec_t, $1_wm_t) -+ -+ type $1_wm_tmpfs_t; -+# xserver_use($2, $1, $1_wm_t) -+ xserver_user_x_domain_template($1, $1_wm, $1_wm_t, $1_wm_tmpfs_t) -+ -+ files_read_etc_files($1_wm_t) -+ -+ libs_use_ld_so($1_wm_t) -+ libs_use_shared_libs($1_wm_t) -+ -+ nscd_dontaudit_search_pid($1_wm_t) -+ -+ 
miscfiles_read_localization($1_wm_t) -+ -+ dev_read_urand($1_wm_t) -+ -+ files_list_tmp($1_wm_t) -+ -+ allow $1_wm_t proc_t:file { read getattr }; -+ -+ allow $1_wm_t info_xproperty_t:x_property { write create }; -+ -+ allow $1_wm_t self:process getsched; -+ allow $1_wm_t self:x_drawable blend; -+ -+ allow $1_wm_t tmpfs_t:file { read write }; -+ -+ allow $1_wm_t usr_t:file { read getattr }; -+ allow $1_wm_t usr_t:lnk_file read; -+ -+ allow $1_wm_t $1_tmp_t:dir { write search setattr remove_name getattr add_name }; -+ allow $1_wm_t $1_tmp_t:sock_file { write create unlink }; -+ -+ allow $1_wm_t $1_t:unix_stream_socket connectto; -+ allow $1_wm_t self:fifo_file { write read }; -+ -+ -+ allow $1_wm_t $2_client_xevent_t:x_synthetic_event send; -+ allow $1_wm_t $2_focus_xevent_t:x_event receive; -+ allow $1_wm_t $2_input_xevent_t:x_event receive; -+ allow $1_wm_t $2_manage_xevent_t:x_event receive; -+ allow $1_wm_t $2_manage_xevent_t:x_synthetic_event { receive send }; -+ allow $1_wm_t $2_property_xevent_t:x_event receive; -+ allow $1_wm_t $2_xproperty_t:x_property { read write destroy }; -+ allow $1_wm_t $2_rootwindow_t:x_colormap { install uninstall use add_color remove_color read }; -+ allow $1_wm_t $2_rootwindow_t:x_drawable { read write manage setattr get_property hide show receive set_property create send add_child remove_child getattr list_property blend list_child destroy override }; -+ allow $1_wm_t $2_xproperty_t:x_property { write read }; -+ allow $1_wm_t $2_xserver_t:x_device { force_cursor setfocus use setattr grab manage getattr freeze write }; -+ allow $1_wm_t $2_xserver_t:x_resource { read write }; -+ allow $1_wm_t $2_xserver_t:x_screen setattr; -+ allow $1_wm_t xselection_t:x_selection setattr; -+ -+ allow $1_wm_t $2_t:x_drawable { get_property setattr show receive manage send read getattr list_child set_property }; -+ allow $1_wm_t $2_t:x_resource { read write }; -+ -+ ifdef(`enable_mls',` -+ mls_file_read_all_levels($1_wm_t) -+ 
mls_file_write_all_levels($1_wm_t) -+ -+ mls_xwin_read_all_levels($1_wm_t) -+ mls_xwin_write_all_levels($1_wm_t) -+ -+ mls_fd_use_all_levels($1_wm_t) -+ ') -+ -+ corecmd_exec_bin($1_wm_t) -+ can_exec($1_wm_t, { shell_exec_t }) -+ domtrans_pattern($1_wm_t,bin_t,$1_t) -+ -+ allow $1_t $1_wm_t:unix_stream_socket connectto; -+ allow $1_t $1_wm_t:x_drawable { receive get_property getattr list_child }; -+ -+ allow $1_t $1_wm_t:process signal; -+ -+ optional_policy(` -+ dbus_system_bus_client_template($1_wm,$1_wm_t) -+ dbus_user_bus_client_template($1,$1_wm,$1_wm_t) -+ ') -+ -+ allow $1_wm_t $1_home_t:dir { search getattr }; -+ allow $1_wm_t $1_tty_device_t:chr_file { write read }; -+ allow $1_wm_t $1_xproperty_t:x_property { read write destroy }; -+ allow $1_wm_t default_t:dir search; -+ allow $1_wm_t home_root_t:dir search; -+ allow $1_wm_t $1_home_dir_t:dir search; -+ allow $1_wm_t $2_xserver_tmp_t:dir search; -+ allow $1_wm_t $2_xserver_tmp_t:lnk_file read; -+ allow $1_wm_t $1_home_dir_t:dir search_dir_perms; -+ manage_files_pattern($1_wm_t,$1_tmp_t,$1_tmp_t) -+ allow $1_wm_t $2_home_t:file { write read getattr }; -+ allow $1_wm_t $2_xserver_t:unix_stream_socket connectto; -+ allow $1_wm_t $2_xserver_tmp_t:sock_file write; -+ manage_lnk_files_pattern($1_wm_t, $2_xserver_tmp_t, $2_xserver_tmp_t) -+ allow $1_wm_t security_xext_t:x_extension { query use }; -+') -+ -+######################################## -+## -+## Execute the wm program in the wm domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`wm_exec',` -+ gen_require(` -+ type wm_exec_t; -+ ') -+ -+ can_exec($1, wm_exec_t) ++role system_r types wine_t; + + ######################################## + # +@@ -17,10 +18,17 @@ + + optional_policy(` + allow wine_t self:process { execstack execmem execheap }; ++ domain_mmap_low_type(wine_t) ++ domain_mmap_low(wine_t) + unconfined_domain_noaudit(wine_t) + files_execmod_all_files(wine_t) + +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.5.13/policy/modules/apps/wm.te ---- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/wm.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,10 @@ -+policy_module(wm,0.0.4) -+ -+######################################## -+# -+# Declarations -+# + -+type wm_exec_t; + optional_policy(` + hal_dbus_chat(wine_t) + ') + -+wm_domain_template(user,xdm) ++optional_policy(` ++ xserver_rw_xdm_xserver_shm(wine_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.if serefpolicy-3.5.13/policy/modules/apps/wireshark.if +--- nsaserefpolicy/policy/modules/apps/wireshark.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/wireshark.if 2008-11-11 16:22:03.000000000 -0500 +@@ -134,7 +134,7 @@ + + sysnet_read_config($1_wireshark_t) + +- userdom_manage_user_home_content_files($1, $1_wireshark_t) ++ unprivuser_manage_home_content_files($1_wireshark_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs($1_wireshark_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc ---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-10-28 10:56:19.000000000 -0400 +--- 
nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-11-11 16:22:03.000000000 -0500 @@ -129,6 +129,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -6317,8 +5215,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.13/policy/modules/kernel/corecommands.if ---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.if 2008-11-11 16:22:03.000000000 -0500 @@ -894,6 +894,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) @@ -6328,8 +5226,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-10-29 11:09:14.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-11-11 16:22:03.000000000 -0500 @@ -1441,10 +1441,11 @@ # interface(`corenet_tcp_bind_all_unreserved_ports',` 
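Review bot: wine.te now calls both `domain_mmap_low_type(wine_t)` and `domain_mmap_low(wine_t)` in the same optional_policy block; if, as the names suggest, the `_type` variant attaches wine_t to a tunable-controlled attribute while `domain_mmap_low` grants the low-address mapping permission unconditionally, the second call makes the tunable meaningless for wine and permanently removes the NULL-page mapping mitigation for this domain. Keep one of the two and say which in a comment, e.g. `# low-address mappings are gated by the tunable via domain_mmap_low_type, not granted unconditionally`; the domain.if hunk further down touches these interfaces but its body is not readable from here, so confirm there. The wireshark.if change in the same hunk swaps the role-scoped `userdom_manage_user_home_content_files($1, $1_wireshark_t)` for `unprivuser_manage_home_content_files($1_wireshark_t)`, so a wireshark domain derived from any role can now manage unprivileged users' home content; if that widening is intended it deserves a one-line comment, otherwise the `$1` scoping should be kept. The removed wm.fc/wm.if/wm.te sections are history and are not re-reviewed here.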
@@ -6359,9 +5257,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-04 09:01:51.000000000 -0500 -@@ -79,11 +79,13 @@ +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-12 08:31:10.000000000 -0500 +@@ -79,26 +79,31 @@ network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict @@ -6375,7 +5273,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) network_port(dbskkd, tcp,1178,s0) -@@ -93,6 +95,7 @@ + network_port(dhcpc, udp,68,s0) +-network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0) ++network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp 7911,s0) + network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) network_port(fingerd, tcp,79,s0) 
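Review bot: The new dhcpd entry is malformed: `network_port(dhcpd, ..., tcp 7911,s0)` lacks the comma between protocol and port, so `tcp 7911` reaches the macro as one argument and `s0` lands in the port slot, while every other entry in this file uses the `proto,port,level` triple. It should read `network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)`. Depending on how the `network_port` m4 macro evaluates its arguments this either breaks the policy build or emits a wrong `portcon`, so a test build is warranted before merging. The same hunk rewrites the inner header to `@@ -79,26 +79,31 @@` for the merged block; the counts cannot be fully verified from here.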
@@ -6383,7 +5284,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(ftp_data, tcp,20,s0) network_port(ftp, tcp,21,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -117,6 +120,8 @@ + network_port(giftd, tcp,1213,s0) + network_port(gopher, tcp,70,s0, udp,70,s0) + network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy ++portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0) ++ + network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port + network_port(howl, tcp,5335,s0, udp,5353,s0) + network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) +@@ -117,6 +122,8 @@ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) @@ -6392,7 +5301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon -@@ -126,6 +131,7 @@ +@@ -126,6 +133,7 @@ network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) 
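Review bot: The new `portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)` labels a ten-port range without saying which service needs it, whereas the neighbouring http_cache entry documents its unusual port (`# 8118 is for privoxy`). A labeled range is wider than the single ports `network_port()` otherwise assigns in this file and lets every domain allowed to bind http_cache_port_t claim any port in it, so record the consumer inline, e.g. `portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0) # <SERVICE> listens on this range`. The header renumbering (`+@@ -117,6 +122,8 @@`) is consistent with the two inserted lines.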
@@ -6400,7 +5309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -137,11 +143,13 @@ +@@ -137,11 +145,13 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(postfix_policyd, tcp,10031,s0) @@ -6414,7 +5323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -159,9 +167,10 @@ +@@ -159,9 +169,10 @@ network_port(rwho, udp,513,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) @@ -6426,7 +5335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -170,13 +179,16 @@ +@@ -170,13 +181,16 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -6445,8 +5354,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.13/policy/modules/kernel/devices.fc ---- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-08 21:42:58.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2008-11-11 16:22:03.000000000 -0500 
@@ -1,7 +1,7 @@ /dev -d gen_context(system_u:object_r:device_t,s0) @@ -6567,8 +5476,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/pts(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.13/policy/modules/kernel/devices.if ---- nsaserefpolicy/policy/modules/kernel/devices.if 2008-10-08 21:42:58.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2008-11-11 16:22:03.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1, device_t, device_node) @@ -7037,8 +5946,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rw_chr_files_pattern($1, device_t, qemu_device_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.13/policy/modules/kernel/devices.te ---- nsaserefpolicy/policy/modules/kernel/devices.te 2008-10-08 21:42:58.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/devices.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/devices.te 2008-11-11 16:22:03.000000000 -0500 @@ -32,6 +32,12 @@ type apm_bios_t; dev_node(apm_bios_t) 
@@ -7105,8 +6014,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # type power_device_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.13/policy/modules/kernel/domain.if ---- nsaserefpolicy/policy/modules/kernel/domain.if 2008-10-16 17:21:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/domain.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/domain.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/domain.if 2008-11-11 16:22:03.000000000 -0500 @@ -1247,18 +1247,34 @@ ##
## @@ -7146,8 +6055,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## networking packets from all domains, over ## all protocols (TCP, UDP, etc) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te ---- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-11-11 16:22:03.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations @@ -7245,8 +6154,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.5.13/policy/modules/kernel/files.fc ---- nsaserefpolicy/policy/modules/kernel/files.fc 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/files.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/files.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/files.fc 2008-11-11 16:22:03.000000000 -0500 @@ -32,6 +32,7 @@ /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /boot/lost\+found/.* <> 
@@ -7264,8 +6173,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.13/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-11-10 15:37:12.000000000 -0500 +--- nsaserefpolicy/policy/modules/kernel/files.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-11-11 16:22:03.000000000 -0500 @@ -110,6 +110,11 @@ ## # @@ -7671,8 +6580,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1,var_run_t,var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.5.13/policy/modules/kernel/files.te ---- nsaserefpolicy/policy/modules/kernel/files.te 2008-10-14 11:58:07.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/files.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/files.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/files.te 2008-11-11 16:22:03.000000000 -0500 @@ -52,11 +52,14 @@ # # etc_t is the type of the system etc directories. 
@@ -7710,8 +6619,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-10-29 08:25:22.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-11-11 16:22:03.000000000 -0500 @@ -535,6 +535,24 @@ ######################################## @@ -8164,8 +7073,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 fusefs_t:file manage_file_perms; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-14 11:58:07.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-11-11 16:22:03.000000000 -0500 @@ -21,7 +21,6 @@ # Use xattrs for the following filesystem types. 
@@ -8204,8 +7113,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if ---- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-11-11 16:22:03.000000000 -0500 @@ -1198,6 +1198,7 @@ ') @@ -8287,8 +7196,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##
## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.13/policy/modules/kernel/kernel.te ---- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-11-11 16:22:03.000000000 -0500 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -8334,8 +7243,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_default(kernel_t) files_read_default_files(kernel_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.13/policy/modules/kernel/selinux.if ---- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/selinux.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/selinux.if 2008-11-11 16:22:03.000000000 -0500 @@ -164,6 +164,7 @@ type security_t; ') @@ -8427,8 +7336,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mls_trusted_object($1) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.5.13/policy/modules/kernel/selinux.te ---- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-10-16 17:21:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/selinux.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/selinux.te 2008-11-11 16:22:03.000000000 -0500 
@@ -10,6 +10,7 @@ attribute can_setenforce; attribute can_setsecparam; @@ -8450,322 +7359,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.13/policy/modules/kernel/storage.fc ---- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-08 19:00:23.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc 2008-11-05 13:22:07.000000000 -0500 +--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc 2008-11-11 16:22:03.000000000 -0500 
@@ -36,7 +36,7 @@ /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) - /dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) --/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - ifdef(`distro_redhat', ` - /dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.13/policy/modules/kernel/terminal.if ---- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/terminal.if 2008-10-28 10:56:19.000000000 -0400 -@@ -250,9 +250,11 @@ - interface(`term_dontaudit_use_console',` - gen_require(` - type console_device_t; -+ type tty_device_t; - ') - - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; -+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.13/policy/modules/roles/guest.fc ---- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/guest.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1 @@ -+# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.5.13/policy/modules/roles/guest.if ---- nsaserefpolicy/policy/modules/roles/guest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/guest.if 2008-10-28 10:56:19.000000000 
-0400 -@@ -0,0 +1,161 @@ -+## Least privledge terminal user role -+ -+######################################## -+## -+## Change to the guest role. -+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`guest_role_change_template',` -+ userdom_role_change_template($1, guest) -+') -+ -+######################################## -+## -+## Change from the guest role. -+## -+## -+##

-+## Change from the guest role to -+## the specified role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
-+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`guest_role_change_to_template',` -+ userdom_role_change_template(guest, $1) -+') -+ -+######################################## -+## -+## Search the guest users home directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`guest_search_home_dirs',` -+ gen_require(` -+ type guest_home_dir_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 guest_home_dir_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search the guest -+## users home directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`guest_dontaudit_search_home_dirs',` -+ gen_require(` -+ type guest_home_dir_t; -+ ') -+ -+ dontaudit $1 guest_home_dir_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete guest -+## home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`guest_manage_home_dirs',` -+ gen_require(` -+ type guest_home_dir_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 guest_home_dir_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Relabel to guest home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`guest_relabelto_home_dirs',` -+ gen_require(` -+ type guest_home_dir_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 guest_home_dir_t:dir relabelto; -+') -+ -+######################################## -+## -+## Do not audit attempts to append to the guest -+## users home directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`guest_dontaudit_append_home_content_files',` -+ gen_require(` -+ type guest_home_t; -+ ') -+ -+ dontaudit $1 guest_home_t:file append; -+') -+ -+######################################## -+## -+## Read files in the guest users home directory. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`guest_read_home_content_files',` -+ gen_require(` -+ type guest_home_dir_t, guest_home_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 { guest_home_dir_t guest_home_t }:dir list_dir_perms; -+ read_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t) -+ read_lnk_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.13/policy/modules/roles/guest.te ---- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/guest.te 2008-10-28 11:05:34.000000000 -0400 -@@ -0,0 +1,36 @@ -+ -+policy_module(guest, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+role xguest_r; -+ -+userdom_restricted_user_template(guest) -+ -+######################################## -+# -+# Local policy -+# -+ -+optional_policy(` -+ java_per_role_template(guest, guest_t, guest_r) -+') -+ -+optional_policy(` -+ mono_per_role_template(guest, guest_t, guest_r) -+') -+ -+ -+optional_policy(` -+ gen_require(` -+ type xguest_t; -+ role xguest_r; -+ ') -+ -+ mozilla_per_role_template(xguest, xguest_t, xguest_r) -+') -+ -+gen_user(guest_u, user, guest_r, s0, s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.5.13/policy/modules/roles/logadm.fc ---- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/logadm.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1 @@ -+# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.5.13/policy/modules/roles/logadm.if ---- nsaserefpolicy/policy/modules/roles/logadm.if 1969-12-31 
19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/logadm.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,44 @@ -+## Audit administrator role -+ -+######################################## -+## -+## Change to the generic user role. -+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`logadm_role_change_template',` -+ userdom_role_change_template($1, logadm) -+') -+ -+######################################## -+## -+## Change from the generic user role. -+## -+## -+##

-+## Change from the generic user role to -+## the specified role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
-+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`logadm_role_change_to_template',` -+ userdom_role_change_template(logadm, $1) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.5.13/policy/modules/roles/logadm.te ---- nsaserefpolicy/policy/modules/roles/logadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/logadm.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,20 @@ -+ -+policy_module(logadm, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+role logadm_r; -+ -+userdom_base_user_template(logadm) -+ -+######################################## -+# -+# logadmin local policy -+# -+ -+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; -+ -+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t }) + /dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +-/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + ifdef(`distro_redhat', ` + /dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.13/policy/modules/kernel/terminal.if +--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/terminal.if 2008-11-11 16:22:03.000000000 -0500 +@@ -250,9 +250,11 @@ + interface(`term_dontaudit_use_console',` + gen_require(` + type console_device_t; ++ type tty_device_t; + ') + + dontaudit 
$1 console_device_t:chr_file rw_chr_file_perms; ++ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.13/policy/modules/roles/staff.te ---- nsaserefpolicy/policy/modules/roles/staff.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/staff.te 2008-10-29 12:02:31.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/staff.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/roles/staff.te 2008-11-11 16:22:03.000000000 -0500 @@ -4,27 +4,68 @@ ######################################## # @@ -8838,8 +7460,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.13/policy/modules/roles/sysadm.if ---- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if 2008-10-28 11:21:02.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if 2008-11-11 16:22:03.000000000 -0500 @@ -334,10 +334,10 @@ # interface(`sysadm_getattr_home_dirs',` 
@@ -9036,9 +7658,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.13/policy/modules/roles/sysadm.te ---- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-11-03 17:03:51.000000000 -0500 -@@ -15,7 +14,7 @@ +--- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-11-11 16:22:03.000000000 -0500 +@@ -15,7 +15,7 @@ role sysadm_r; @@ -9047,7 +7669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`enable_mls',` userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) -@@ -110,10 +109,6 @@ +@@ -110,10 +110,6 @@ ') optional_policy(` @@ -9058,7 +7680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cvs_exec(sysadm_t) ') -@@ -171,6 +166,10 @@ +@@ -171,6 +167,10 @@ ') optional_policy(` @@ -9069,7 +7691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) ') -@@ -215,8 +214,8 @@ +@@ -215,8 +215,8 @@ optional_policy(` netutils_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) 
@@ -9081,8 +7703,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.13/policy/modules/roles/unprivuser.if ---- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.if 2008-10-30 13:58:02.000000000 -0400 +--- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.if 2008-11-11 16:22:03.000000000 -0500 @@ -62,6 +62,26 @@ files_home_filetrans($1, user_home_dir_t, dir) ') 
@@ -9707,433 +8329,89 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`unprivuser_dontaudit_read_home_content_files',` -+ gen_require(` -+ attribute user_home_dir_type, user_home_type; -+ ') -+ -+ files_search_home($1) -+ dontaudit $1 user_home_type:dir list_dir_perms; -+ dontaudit $1 user_home_type:file read_file_perms; -+ dontaudit $1 user_home_type:file read_lnk_file_perms; -+ -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_read_nfs_files($1) -+ ') -+ -+ tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_read_cifs_files($1) -+ ') -+') -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.13/policy/modules/roles/unprivuser.te ---- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.te 2008-10-28 19:21:12.000000000 -0400 -@@ -13,3 +13,18 @@ - - userdom_unpriv_user_template(user) - -+optional_policy(` -+ kerneloops_dontaudit_dbus_chat(user_t) -+') -+ -+optional_policy(` -+ postgresql_userdom_template(user, user_t, user_r) -+') -+ -+optional_policy(` -+ rpm_dontaudit_dbus_chat(user_t) -+') -+ -+optional_policy(` -+ setroubleshoot_dontaudit_stream_connect(user_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.5.13/policy/modules/roles/webadm.fc ---- nsaserefpolicy/policy/modules/roles/webadm.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/webadm.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1 @@ -+# No webadm file contexts. 
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.5.13/policy/modules/roles/webadm.if ---- nsaserefpolicy/policy/modules/roles/webadm.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/webadm.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,44 @@ -+## Policy for webadm role -+ -+######################################## -+## -+## Change to the generic user role. -+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`webadm_role_change_template',` -+ userdom_role_change_template($1, webadm) -+') -+ -+######################################## -+## -+## Change from the generic user role. -+## -+## -+##

-+## Change from the generic user role to -+## the specified role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
-+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`webadm_role_change_to_template',` -+ userdom_role_change_template(webadm, $1) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.5.13/policy/modules/roles/webadm.te ---- nsaserefpolicy/policy/modules/roles/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/webadm.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,65 @@ -+ -+policy_module(webadm, 1.0.0) -+ -+## -+##

-+## Allow webadm to read files in users home directories -+##

-+##
-+gen_tunable(webadm_read_user_files, false) -+ -+## -+##

-+## Allow webadm to manage files in users home directories -+##

-+##
-+gen_tunable(webadm_manage_user_files, false) -+ -+######################################## -+# -+# Declarations -+# -+ -+role webadm_r; -+ -+userdom_base_user_template(webadm) -+ -+######################################## -+# -+# webadmin local policy -+# -+ -+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; -+ -+files_dontaudit_search_all_dirs(webadm_t) -+files_manage_generic_locks(webadm_t) -+files_list_var(webadm_t) -+ -+selinux_get_enforce_mode(webadm_t) -+seutil_domtrans_setfiles(webadm_t) -+ -+logging_send_syslog_msg(webadm_t) -+ -+unprivuser_dontaudit_search_home_dirs(webadm_t) -+ -+optional_policy(` -+ sysadm_role_change_template(webadm) -+ sysadm_dontaudit_read_home_content_files(webadm_t) -+') -+ -+apache_admin(webadm_t, webadm_r, { webadm_devpts_t webadm_tty_device_t }) -+ -+optional_policy(` -+tunable_policy(`webadm_read_user_files',` -+ unprivuser_read_home_content_files(webadm_t) -+ unprivuser_read_tmp_files(webadm_t) -+') -+') -+ -+optional_policy(` -+tunable_policy(`webadm_manage_user_files',` -+ unprivuser_manage_home_content_dirs(webadm_t) -+ unprivuser_read_tmp_files(webadm_t) -+ unprivuser_write_tmp_files(webadm_t) -+') -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.5.13/policy/modules/roles/xguest.fc ---- nsaserefpolicy/policy/modules/roles/xguest.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/xguest.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1 @@ -+# file contexts handled by userdomain and genhomedircon -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.5.13/policy/modules/roles/xguest.if ---- nsaserefpolicy/policy/modules/roles/xguest.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/xguest.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,161 @@ -+## Least privledge X 
Windows user role -+ -+######################################## -+## -+## Change to the xguest role. -+## -+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`xguest_role_change_template',` -+ userdom_role_change_template($1, xguest) -+') -+ -+######################################## -+## -+## Change from the xguest role. -+## -+## -+##

-+## Change from the xguest role to -+## the specified role. -+##

-+##

-+## This is a template to support third party modules -+## and its use is not allowed in upstream reference -+## policy. -+##

-+##
-+## -+## -+## The prefix of the user role (e.g., user -+## is the prefix for user_r). -+## -+## -+## -+# -+template(`xguest_role_change_to_template',` -+ userdom_role_change_template(xguest, $1) -+') -+ -+######################################## -+## -+## Search the xguest users home directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xguest_search_home_dirs',` -+ gen_require(` -+ type xguest_home_dir_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 xguest_home_dir_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search the xguest -+## users home directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`xguest_dontaudit_search_home_dirs',` -+ gen_require(` -+ type xguest_home_dir_t; -+ ') -+ -+ dontaudit $1 xguest_home_dir_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Create, read, write, and delete xguest -+## home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xguest_manage_home_dirs',` -+ gen_require(` -+ type xguest_home_dir_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 xguest_home_dir_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Relabel to xguest home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xguest_relabelto_home_dirs',` -+ gen_require(` -+ type xguest_home_dir_t; -+ ') -+ -+ files_search_home($1) -+ allow $1 xguest_home_dir_t:dir relabelto; -+') -+ -+######################################## -+## -+## Do not audit attempts to append to the xguest -+## users home directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`xguest_dontaudit_append_home_content_files',` -+ gen_require(` -+ type xguest_home_t; -+ ') -+ -+ dontaudit $1 xguest_home_t:file append; -+') -+ -+######################################## -+## -+## Read files in the xguest users home directory. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xguest_read_home_content_files',` ++interface(`unprivuser_dontaudit_read_home_content_files',` + gen_require(` -+ type xguest_home_dir_t, xguest_home_t; ++ attribute user_home_dir_type, user_home_type; + ') + + files_search_home($1) -+ allow $1 { xguest_home_dir_t xguest_home_t }:dir list_dir_perms; -+ read_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t) -+ read_lnk_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.5.13/policy/modules/roles/xguest.te ---- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/roles/xguest.te 2008-11-10 11:13:37.000000000 -0500 -@@ -0,0 +1,87 @@ -+ -+policy_module(xguest, 1.0.0) -+ -+## -+##

-+## Allow xguest users to mount removable media -+##

-+##
-+gen_tunable(xguest_mount_media, true) -+ -+## -+##

-+## Allow xguest to configure Network Manager -+##

-+##
-+gen_tunable(xguest_connect_network, true) -+ -+## -+##

-+## Allow xguest to use blue tooth devices -+##

-+##
-+gen_tunable(xguest_use_bluetooth, true) -+ -+######################################## -+# -+# Declarations -+# -+ -+role xguest_r; -+ -+userdom_restricted_xwindows_user_template(xguest) -+ -+######################################## -+# -+# Local policy -+# ++ dontaudit $1 user_home_type:dir list_dir_perms; ++ dontaudit $1 user_home_type:file read_file_perms; ++ dontaudit $1 user_home_type:file read_lnk_file_perms; + -+#optional_policy(` -+# mozilla_per_role_template(xguest, xguest_t, xguest_r) -+#') ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_read_nfs_files($1) ++ ') + -+optional_policy(` -+ java_per_role_template(xguest, xguest_t, xguest_r) ++ tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_read_cifs_files($1) ++ ') +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.13/policy/modules/roles/unprivuser.te +--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.te 2008-11-11 16:22:03.000000000 -0500 +@@ -13,3 +13,18 @@ + + userdom_unpriv_user_template(user) + +optional_policy(` -+ mono_per_role_template(xguest, xguest_t, xguest_r) ++ kerneloops_dontaudit_dbus_chat(user_t) +') + +optional_policy(` -+ nsplugin_per_role_template($1, $1_usertype, $1_r) ++ postgresql_userdom_template(user, user_t, user_r) +') + -+# Allow mounting of file systems +optional_policy(` -+ tunable_policy(`xguest_mount_media',` -+ hal_dbus_chat(xguest_t) -+ init_read_utmp(xguest_t) -+ auth_list_pam_console_data(xguest_t) -+ kernel_read_fs_sysctls(xguest_t) -+ files_dontaudit_getattr_boot_dirs(xguest_t) -+ files_search_mnt(xguest_t) -+ fs_manage_noxattr_fs_files(xguest_t) -+ fs_manage_noxattr_fs_dirs(xguest_t) -+ fs_manage_noxattr_fs_dirs(xguest_t) -+ fs_getattr_noxattr_fs(xguest_t) -+ fs_read_noxattr_fs_symlinks(xguest_t) -+ ') ++ rpm_dontaudit_dbus_chat(user_t) +') + +optional_policy(` -+ 
hal_dbus_chat(xguest_t) ++ setroubleshoot_dontaudit_stream_connect(user_t) +') -+ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.5.13/policy/modules/roles/xguest.te +--- nsaserefpolicy/policy/modules/roles/xguest.te 2008-11-07 08:30:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/xguest.te 2008-11-11 16:22:03.000000000 -0500 +@@ -6,21 +6,21 @@ + ## Allow xguest users to mount removable media + ##

+ ##
+-gen_tunable(xguest_mount_media, false) ++gen_tunable(xguest_mount_media, true) + + ## + ##

+ ## Allow xguest to configure Network Manager + ##

+ ##
+-gen_tunable(xguest_connect_network, false) ++gen_tunable(xguest_connect_network, true) + + ## + ##

+ ## Allow xguest to use blue tooth devices + ##

+ ##
+-gen_tunable(xguest_use_bluetooth, false) ++gen_tunable(xguest_use_bluetooth, true) + + ######################################## + # +@@ -48,6 +48,10 @@ + mono_per_role_template(xguest, xguest_t, xguest_r) + ') + +optional_policy(` -+ tunable_policy(`xguest_connect_network',` -+ networkmanager_dbus_chat(xguest_t) -+ ') ++ nsplugin_per_role_template($1, $1_usertype, $1_r) +') + -+optional_policy(` -+ tunable_policy(`xguest_use_bluetooth',` -+ bluetooth_dbus_chat(xguest_t) -+ ') -+') -+gen_user(xguest_u, user, xguest_r, s0, s0) + # Allow mounting of file systems + optional_policy(` + tunable_policy(`xguest_mount_media',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.5.13/policy/modules/services/aide.if ---- nsaserefpolicy/policy/modules/services/aide.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/aide.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/aide.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/aide.if 2008-11-11 16:22:03.000000000 -0500 @@ -70,9 +70,11 @@ allow $1 aide_t:process { ptrace signal_perms }; ps_process_pattern($1, aide_t) @@ -10149,8 +8427,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, aide_log_t, aide_log_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.13/policy/modules/services/apache.fc ---- nsaserefpolicy/policy/modules/services/apache.fc 2008-10-03 11:12:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/apache.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/apache.fc 2008-11-11 16:22:03.000000000 -0500 
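Review bot: `nsplugin_per_role_template($1, $1_usertype, $1_r)` is added at xguest.te module level, where `$1` is not a template argument; the neighbouring `java_per_role_template(xguest, xguest_t, xguest_r)` and `mono_per_role_template(xguest, xguest_t, xguest_r)` calls in the same hunk show the intended form, so the line should read `nsplugin_per_role_template(xguest, xguest_t, xguest_r)`. Outside a template definition m4 passes `$1` through literally, so the expansion presumably produces identifiers containing `$1` and the nsplugin rules for this role are never applied or the module fails to build — worth confirming with a module build. The same hunk flips xguest_mount_media, xguest_connect_network and xguest_use_bluetooth from false to true while xguest.if still describes the role as least-privilege; a one-line comment above the three gen_tunable lines such as `# Permissive defaults for a guest desktop login; set these booleans to off for hardened hosts.` would record the trade-off for administrators. The enclosing optional_policy block and the rest of xguest.te continue outside the hunk.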
@@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -10233,8 +8511,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.13/policy/modules/services/apache.if ---- nsaserefpolicy/policy/modules/services/apache.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/apache.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/apache.if 2008-11-11 16:22:03.000000000 -0500 @@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -10895,9 +9173,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + typeattribute $1 httpd_rw_content; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te ---- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-11-06 08:30:48.000000000 -0500 -@@ -20,6 +19,8 @@ +--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-11-11 19:06:29.000000000 -0500 +@@ -20,6 +20,8 @@ # Declarations # @@ -10906,7 +9184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ##

## Allow Apache to modify public files -@@ -31,10 +32,17 @@ +@@ -31,10 +33,17 @@ ## ##

@@ -10926,7 +9204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ##

-@@ -45,7 +53,14 @@ +@@ -45,7 +54,14 @@ ## ##

@@ -10942,7 +9220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##
gen_tunable(httpd_can_network_connect, false) -@@ -109,14 +124,35 @@ +@@ -109,14 +125,35 @@ ##
gen_tunable(httpd_unified, false) @@ -10980,7 +9258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # user script domains attribute httpd_script_domains; -@@ -141,6 +177,9 @@ +@@ -141,6 +178,9 @@ domain_entry_file(httpd_helper_t, httpd_helper_exec_t) role system_r types httpd_helper_t; @@ -10990,7 +9268,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -181,6 +220,10 @@ +@@ -181,6 +221,10 @@ # setup the system domain for system CGI scripts apache_content_template(sys) @@ -11001,7 +9279,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -202,12 +245,16 @@ +@@ -202,12 +246,16 @@ prelink_object_file(httpd_modules_t) ') @@ -11019,7 +9297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +296,7 @@ +@@ -249,6 +297,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -11027,7 +9305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -260,9 +308,9 @@ +@@ -260,9 +309,9 @@ allow httpd_t httpd_suexec_exec_t:file read_file_perms; 
@@ -11040,7 +9318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -278,6 +326,7 @@ +@@ -278,6 +327,7 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) @@ -11048,7 +9326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file }) -@@ -289,6 +338,7 @@ +@@ -289,6 +339,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -11056,7 +9334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -299,6 +349,7 @@ +@@ -299,6 +350,7 @@ corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_all_nodes(httpd_t) @@ -11064,7 +9342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_http_port(httpd_t) corenet_tcp_bind_http_cache_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) -@@ -312,12 +363,11 @@ +@@ -312,12 +364,11 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -11079,7 +9357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(httpd_t) -@@ -335,6 +385,10 @@ +@@ -335,6 +386,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
@@ -11090,7 +9368,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,18 +405,33 @@ +@@ -351,18 +406,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -11128,7 +9406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -370,20 +439,54 @@ +@@ -370,20 +440,54 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -11184,7 +9462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -394,20 +497,26 @@ +@@ -394,20 +498,28 @@ corenet_tcp_bind_ftp_port(httpd_t) ') @@ -11198,6 +9476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') +tunable_policy(`httpd_use_nfs',` ++ fs_manage_nfs_dirs(httpd_t) + fs_manage_nfs_files(httpd_t) + fs_manage_nfs_symlinks(httpd_t) +') @@ -11208,6 +9487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') +tunable_policy(`httpd_use_cifs',` ++ fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) +') @@ -11215,7 +9495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -441,8 +550,13 @@ +@@ -441,8 +553,13 @@ ') optional_policy(` @@ -11231,7 +9511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,18 +568,13 @@ +@@ -454,18 +571,13 @@ ') optional_policy(` @@ -11251,7 +9531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -475,6 +584,12 @@ +@@ -475,6 +587,12 @@ openca_kill(httpd_t) ') 
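Review bot: `fs_manage_nfs_dirs(httpd_t)` under `httpd_use_nfs` (and `fs_manage_cifs_dirs(httpd_t)` under `httpd_use_cifs` in the next hunk on this line) completes create/delete rights over every NFS- or CIFS-mounted directory on the host, not only the web content tree, and the two matching hunks in the `httpd_sys_script_t` section further down extend the same rights to the CGI script domain. The booleans' `## ` descriptions sit in the `@@ -31,10 +33,17 @@` hunk further up, which this page does not show in full, so I cannot confirm they state that scope; if they only speak of Apache reading remote content, reword to something like `## Allow httpd and its CGI scripts to read, write, create and delete files and directories on any NFS filesystem`, and likewise for CIFS. The adjacent `httpd_enable_homedirs && use_nfs_home_dirs` branches stay read-only, which is the narrower pattern worth keeping for home directories.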
@@ -11264,7 +9544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -482,6 +597,7 @@ +@@ -482,6 +600,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -11272,7 +9552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -490,6 +606,7 @@ +@@ -490,6 +609,7 @@ ') optional_policy(` @@ -11280,7 +9560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -519,9 +636,28 @@ +@@ -519,9 +639,28 @@ logging_send_syslog_msg(httpd_helper_t) tunable_policy(`httpd_tty_comm',` @@ -11309,7 +9589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -551,22 +687,27 @@ +@@ -551,22 +690,27 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -11343,7 +9623,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -584,12 +725,14 @@ +@@ -584,12 +728,14 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -11359,7 +9639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -598,9 +741,7 @@ +@@ -598,9 +744,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -11370,7 +9650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -633,12 +774,25 @@ +@@ -633,12 +777,25 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') 
@@ -11399,7 +9679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -647,6 +801,12 @@ +@@ -647,6 +804,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -11412,7 +9692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -664,20 +824,20 @@ +@@ -664,20 +827,20 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -11438,7 +9718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -691,12 +851,15 @@ +@@ -691,12 +854,16 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -11451,12 +9731,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -tunable_policy(`httpd_enable_homedirs',` - userdom_read_unpriv_users_home_content_files(httpd_sys_script_t) +tunable_policy(`httpd_use_nfs',` ++ fs_manage_nfs_dirs(httpd_sys_script_t) + fs_manage_nfs_files(httpd_sys_script_t) + fs_manage_nfs_symlinks(httpd_sys_script_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -704,6 +867,30 @@ +@@ -704,6 +871,31 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -11480,6 +9761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + +tunable_policy(`httpd_use_cifs',` ++ fs_manage_cifs_dirs(httpd_sys_script_t) + fs_manage_cifs_files(httpd_sys_script_t) + fs_manage_cifs_symlinks(httpd_sys_script_t) +') 
@@ -11487,7 +9769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -716,10 +903,10 @@ +@@ -716,10 +908,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -11502,7 +9784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -727,6 +914,8 @@ +@@ -727,6 +919,8 @@ # httpd_rotatelogs local policy # @@ -11511,7 +9793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -741,3 +930,66 @@ +@@ -741,3 +935,66 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -11579,16 +9861,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.fc serefpolicy-3.5.13/policy/modules/services/arpwatch.fc ---- nsaserefpolicy/policy/modules/services/arpwatch.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/arpwatch.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/arpwatch.fc 2008-11-11 16:22:03.000000000 -0500 
@@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0) # # /usr diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.5.13/policy/modules/services/arpwatch.if ---- nsaserefpolicy/policy/modules/services/arpwatch.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/arpwatch.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/arpwatch.if 2008-11-11 16:22:03.000000000 -0500 @@ -90,3 +90,45 @@ dontaudit $1 arpwatch_t:packet_socket { read write }; @@ -11636,8 +9918,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, arpwatch_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.5.13/policy/modules/services/arpwatch.te ---- nsaserefpolicy/policy/modules/services/arpwatch.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/arpwatch.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/arpwatch.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/arpwatch.te 2008-11-11 16:22:03.000000000 -0500 @@ -13,6 +13,9 @@ type arpwatch_data_t; files_type(arpwatch_data_t) 
@@ -11649,8 +9931,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_file(arpwatch_tmp_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.fc serefpolicy-3.5.13/policy/modules/services/asterisk.fc ---- nsaserefpolicy/policy/modules/services/asterisk.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/asterisk.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/asterisk.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/asterisk.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,4 +1,5 @@ /etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0) +/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0) @@ -11658,8 +9940,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.5.13/policy/modules/services/asterisk.if ---- nsaserefpolicy/policy/modules/services/asterisk.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/asterisk.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/asterisk.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/asterisk.if 2008-11-11 16:22:03.000000000 -0500 @@ -1 +1,54 @@ ## Asterisk IP telephony server + 
@@ -11716,8 +9998,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.5.13/policy/modules/services/asterisk.te ---- nsaserefpolicy/policy/modules/services/asterisk.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/asterisk.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/asterisk.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/asterisk.te 2008-11-11 16:22:03.000000000 -0500 @@ -13,6 +13,9 @@ type asterisk_etc_t; files_config_file(asterisk_etc_t) @@ -11729,8 +10011,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_log_file(asterisk_log_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.fc serefpolicy-3.5.13/policy/modules/services/audioentropy.fc ---- nsaserefpolicy/policy/modules/services/audioentropy.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/audioentropy.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/audioentropy.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/audioentropy.fc 2008-11-11 16:22:03.000000000 -0500 @@ -2,3 +2,5 @@ # /usr # 
@@ -11738,8 +10020,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audioentropy.te serefpolicy-3.5.13/policy/modules/services/audioentropy.te ---- nsaserefpolicy/policy/modules/services/audioentropy.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/audioentropy.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/audioentropy.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/audioentropy.te 2008-11-11 16:22:03.000000000 -0500 @@ -35,6 +35,7 @@ dev_read_rand(entropyd_t) dev_write_rand(entropyd_t) @@ -11749,8 +10031,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(entropyd_t) fs_search_auto_mountpoints(entropyd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.5.13/policy/modules/services/automount.te ---- nsaserefpolicy/policy/modules/services/automount.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/automount.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/automount.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/automount.te 2008-11-11 16:22:03.000000000 -0500 @@ -71,6 +71,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) 
@@ -11777,8 +10059,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kerberos_dontaudit_write_config(automount_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.5.13/policy/modules/services/avahi.fc ---- nsaserefpolicy/policy/modules/services/avahi.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/avahi.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/avahi.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/avahi.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,5 +1,9 @@ +/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0) @@ -11790,8 +10072,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.5.13/policy/modules/services/avahi.if ---- nsaserefpolicy/policy/modules/services/avahi.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/avahi.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/avahi.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/avahi.if 2008-11-11 16:22:03.000000000 -0500 @@ -2,6 +2,103 @@ ######################################## 
@@ -11936,8 +10218,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, avahi_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.5.13/policy/modules/services/avahi.te ---- nsaserefpolicy/policy/modules/services/avahi.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/avahi.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/avahi.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/avahi.te 2008-11-11 16:22:03.000000000 -0500 @@ -10,6 +10,12 @@ type avahi_exec_t; init_daemon_domain(avahi_t, avahi_exec_t) @@ -11988,8 +10270,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.5.13/policy/modules/services/bind.fc ---- nsaserefpolicy/policy/modules/services/bind.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bind.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/bind.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/bind.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,4 +1,4 @@ -/etc/rc.d/init.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) 
@@ -11997,8 +10279,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.5.13/policy/modules/services/bind.if ---- nsaserefpolicy/policy/modules/services/bind.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bind.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/bind.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/bind.if 2008-11-11 16:22:03.000000000 -0500 @@ -38,6 +38,42 @@ ######################################## @@ -12124,8 +10406,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, named_var_run_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.13/policy/modules/services/bind.te ---- nsaserefpolicy/policy/modules/services/bind.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bind.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/bind.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/bind.te 2008-11-11 16:22:03.000000000 -0500 @@ -247,6 +247,8 @@ sysnet_read_config(ndc_t) sysnet_dns_name_resolve(ndc_t) 
@@ -12136,8 +10418,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` allow ndc_t named_conf_t:dir search; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.5.13/policy/modules/services/bluetooth.fc ---- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/bluetooth.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/bluetooth.fc 2008-11-11 16:22:03.000000000 -0500 @@ -3,6 +3,9 @@ # /etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0) @@ -12161,8 +10443,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) +/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.5.13/policy/modules/services/bluetooth.if ---- nsaserefpolicy/policy/modules/services/bluetooth.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/bluetooth.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/bluetooth.if 2008-11-11 16:22:03.000000000 -0500 @@ -226,3 +226,56 @@ dontaudit $1 bluetooth_helper_domain:dir search; dontaudit $1 bluetooth_helper_domain:file { read getattr }; 
@@ -12221,8 +10503,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, bluetooth_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.13/policy/modules/services/bluetooth.te ---- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te 2008-10-28 10:58:41.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te 2008-11-11 16:22:03.000000000 -0500 @@ -20,6 +20,9 @@ type bluetooth_helper_exec_t; application_executable_file(bluetooth_helper_exec_t) 
@@ -12240,296 +10522,66 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock }; +allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock }; dontaudit bluetooth_t self:capability sys_tty_config; - allow bluetooth_t self:process { getsched signal_perms }; - allow bluetooth_t self:fifo_file rw_fifo_file_perms; - allow bluetooth_t self:shm create_shm_perms; - allow bluetooth_t self:socket create_stream_socket_perms; - allow bluetooth_t self:unix_dgram_socket create_socket_perms; --allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; -+allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow bluetooth_t self:tcp_socket create_stream_socket_perms; - allow bluetooth_t self:udp_socket create_socket_perms; - -@@ -92,6 +95,7 @@ - dev_rw_usbfs(bluetooth_t) - dev_rw_generic_usb_dev(bluetooth_t) - dev_read_urand(bluetooth_t) -+dev_rw_input_dev(bluetooth_t) - - fs_getattr_all_fs(bluetooth_t) - fs_search_auto_mountpoints(bluetooth_t) -@@ -110,6 +114,8 @@ - files_read_etc_runtime_files(bluetooth_t) - files_read_usr_files(bluetooth_t) - -+auth_use_nsswitch(bluetooth_t) -+ - libs_use_ld_so(bluetooth_t) - libs_use_shared_libs(bluetooth_t) - -@@ -117,11 +123,9 @@ - - miscfiles_read_localization(bluetooth_t) - miscfiles_read_fonts(bluetooth_t) -- --sysnet_read_config(bluetooth_t) -+miscfiles_read_hwdata(bluetooth_t) - - userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) -- - sysadm_dontaudit_use_ptys(bluetooth_t) - sysadm_dontaudit_search_home_dirs(bluetooth_t) - -@@ -128,10 +132,15 @@ - optional_policy(` - dbus_system_bus_client_template(bluetooth, bluetooth_t) - dbus_connect_system_bus(bluetooth_t) -+ dbus_system_domain(bluetooth_t, bluetooth_exec_t) -+ -+ optional_policy(` -+ cups_dbus_chat(bluetooth_t) - ') - - optional_policy(` -- 
nis_use_ypbind(bluetooth_t) -+ hal_dbus_chat(bluetooth_t) -+ ') - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.5.13/policy/modules/services/certmaster.fc ---- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2008-11-04 08:52:09.000000000 -0500 -@@ -0,0 +1,9 @@ -+ -+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) -+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) -+ -+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) -+ -+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) -+ -+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.5.13/policy/modules/services/certmaster.if ---- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/certmaster.if 2008-11-03 17:32:32.000000000 -0500 -@@ -0,0 +1,128 @@ -+## policy for certmaster -+ -+######################################## -+## -+## Execute a domain transition to run certmaster. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`certmaster_domtrans',` -+ gen_require(` -+ type certmaster_t, certmaster_exec_t; -+ ') -+ -+ domain_auto_trans($1,certmaster_exec_t,certmaster_t) -+ -+ allow certmaster_t $1:fd use; -+ allow certmaster_t $1:fifo_file rw_file_perms; -+ allow certmaster_t $1:process sigchld; -+') -+ -+####################################### -+## -+## read -+## certmaster logs. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`certmaster_read_log',` -+ gen_require(` -+ type certmaster_var_log_t; -+ ') -+ -+ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) -+') -+ -+####################################### -+## -+## Append to certmaster logs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`certmaster_append_log',` -+ gen_require(` -+ type certmaster_var_log_t; -+ ') -+ -+ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) -+') -+ -+####################################### -+## -+## Create, read, write, and delete -+## certmaster logs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`certmaster_manage_log',` -+ gen_require(` -+ type certmaster_var_log_t; -+ ') -+ -+ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) -+ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an snort environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. 
-+## -+## -+## -+# -+interface(`certmaster_admin',` -+ gen_require(` -+ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; -+ type certmaster_etc_rw_t, certmaster_var_log_t; -+ type certmaster_initrc_exec_t; -+ ') -+ -+ allow $1 certmaster_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, certmaster_t) -+ -+ init_labeled_script_domtrans($1, certmaster_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 certmaster_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ miscfiles_manage_cert_dirs($1) -+ miscfiles_manage_cert_files($1) -+ -+ admin_pattern($1, certmaster_etc_rw_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, certmaster_var_run_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, certmaster_var_log_t) -+ -+ files_list_var_lib($1) -+ admin_pattern($1, certmaster_var_lib_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.5.13/policy/modules/services/certmaster.te ---- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/certmaster.te 2008-11-03 17:19:28.000000000 -0500 -@@ -0,0 +1,81 @@ -+policy_module(certmaster,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+# type and domain for certmaster -+type certmaster_t; -+type certmaster_exec_t; -+init_daemon_domain(certmaster_t, certmaster_exec_t) -+ -+type certmaster_initrc_exec_t; -+init_script_file(certmaster_initrc_exec_t) -+ -+# var/lib files -+type certmaster_var_lib_t; -+files_type(certmaster_var_lib_t) -+ -+# config files -+type certmaster_etc_rw_t; -+files_config_file(certmaster_etc_rw_t) -+ -+# log files -+type certmaster_var_log_t; -+logging_log_file(certmaster_var_log_t) -+ -+# pid files -+type certmaster_var_run_t; -+files_pid_file(certmaster_var_run_t) -+ -+########################################### -+# -+# certmaster local policy 
-+# -+ -+allow certmaster_t self:tcp_socket create_stream_socket_perms; -+ -+# config files -+list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t) -+manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) -+ -+# var/lib files for certmaster -+manage_files_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) -+manage_dirs_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) -+files_var_lib_filetrans(certmaster_t,certmaster_var_lib_t, { file dir }) -+ -+# log files -+manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) -+logging_log_filetrans(certmaster_t,certmaster_var_log_t, file ) -+ -+# pid file -+manage_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) -+manage_sock_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) -+files_pid_filetrans(certmaster_t,certmaster_var_run_t, { file sock_file }) -+ -+corecmd_search_bin(certmaster_t) -+corecmd_getattr_bin_files(certmaster_t) -+ -+# network -+corenet_tcp_bind_inaddr_any_node(certmaster_t) -+corenet_tcp_bind_certmaster_port(certmaster_t) -+ -+files_search_etc(certmaster_t) -+files_list_var(certmaster_t) -+files_search_var_lib(certmaster_t) -+ -+# read meminfo -+kernel_read_system_state(certmaster_t) -+ -+auth_use_nsswitch(certmaster_t) -+ -+libs_use_ld_so(certmaster_t) -+libs_use_shared_libs(certmaster_t) -+ -+miscfiles_read_localization(certmaster_t) + allow bluetooth_t self:process { getsched signal_perms }; + allow bluetooth_t self:fifo_file rw_fifo_file_perms; + allow bluetooth_t self:shm create_shm_perms; + allow bluetooth_t self:socket create_stream_socket_perms; + allow bluetooth_t self:unix_dgram_socket create_socket_perms; +-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; ++allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow bluetooth_t self:tcp_socket create_stream_socket_perms; + allow bluetooth_t self:udp_socket 
create_socket_perms; + +@@ -92,6 +95,7 @@ + dev_rw_usbfs(bluetooth_t) + dev_rw_generic_usb_dev(bluetooth_t) + dev_read_urand(bluetooth_t) ++dev_rw_input_dev(bluetooth_t) + + fs_getattr_all_fs(bluetooth_t) + fs_search_auto_mountpoints(bluetooth_t) +@@ -110,6 +114,8 @@ + files_read_etc_runtime_files(bluetooth_t) + files_read_usr_files(bluetooth_t) + ++auth_use_nsswitch(bluetooth_t) + -+miscfiles_manage_cert_dirs(certmaster_t) -+miscfiles_manage_cert_files(certmaster_t) + libs_use_ld_so(bluetooth_t) + libs_use_shared_libs(bluetooth_t) + +@@ -117,11 +123,9 @@ + + miscfiles_read_localization(bluetooth_t) + miscfiles_read_fonts(bluetooth_t) +- +-sysnet_read_config(bluetooth_t) ++miscfiles_read_hwdata(bluetooth_t) + + userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) +- + sysadm_dontaudit_use_ptys(bluetooth_t) + sysadm_dontaudit_search_home_dirs(bluetooth_t) + +@@ -128,10 +132,15 @@ + optional_policy(` + dbus_system_bus_client_template(bluetooth, bluetooth_t) + dbus_connect_system_bus(bluetooth_t) ++ dbus_system_domain(bluetooth_t, bluetooth_exec_t) + -+permissive certmaster_t; ++ optional_policy(` ++ cups_dbus_chat(bluetooth_t) + ') + + optional_policy(` +- nis_use_ypbind(bluetooth_t) ++ hal_dbus_chat(bluetooth_t) ++ ') + ') + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.13/policy/modules/services/clamav.fc ---- nsaserefpolicy/policy/modules/services/clamav.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/clamav.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/clamav.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/clamav.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,20 +1,22 @@ /etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) +/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) 
@@ -12559,8 +10611,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.5.13/policy/modules/services/clamav.if ---- nsaserefpolicy/policy/modules/services/clamav.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/clamav.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/clamav.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/clamav.if 2008-11-11 16:22:03.000000000 -0500 @@ -38,6 +38,27 @@ ######################################## @@ -12678,8 +10730,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.13/policy/modules/services/clamav.te ---- nsaserefpolicy/policy/modules/services/clamav.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/clamav.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/clamav.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/clamav.te 2008-11-11 16:22:03.000000000 -0500 @@ -13,7 +13,10 @@ # configuration files 
@@ -12770,8 +10822,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mailscanner_manage_spool(clamscan_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.5.13/policy/modules/services/consolekit.fc ---- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/consolekit.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/consolekit.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/consolekit.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,3 +1,6 @@ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) @@ -12780,8 +10832,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.13/policy/modules/services/consolekit.if ---- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/consolekit.if 2008-11-04 09:40:18.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/consolekit.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/consolekit.if 2008-11-11 16:22:03.000000000 -0500 @@ -38,3 +38,24 @@ allow $1 consolekit_t:dbus send_msg; allow consolekit_t $1:dbus send_msg; 
@@ -12808,8 +10860,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.5.13/policy/modules/services/consolekit.te ---- nsaserefpolicy/policy/modules/services/consolekit.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/consolekit.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/consolekit.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/consolekit.te 2008-11-11 16:22:03.000000000 -0500 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -12924,8 +10976,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.5.13/policy/modules/services/courier.fc ---- nsaserefpolicy/policy/modules/services/courier.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/courier.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/courier.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/courier.fc 2008-11-11 16:22:03.000000000 -0500 @@ -19,5 +19,5 @@ /var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) 
@@ -12934,8 +10986,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) +/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.5.13/policy/modules/services/courier.te ---- nsaserefpolicy/policy/modules/services/courier.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/courier.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/courier.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/courier.te 2008-11-11 16:22:03.000000000 -0500 @@ -10,6 +10,7 @@ type courier_etc_t; @@ -12955,8 +11007,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # Calendar (PCP) local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.13/policy/modules/services/cron.fc ---- nsaserefpolicy/policy/modules/services/cron.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cron.fc 2008-11-03 11:38:06.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/cron.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cron.fc 2008-11-11 16:22:03.000000000 -0500 @@ -17,6 +17,8 @@ /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) 
@@ -12976,8 +11028,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if ---- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-29 11:57:59.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cron.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-11-11 16:22:03.000000000 -0500 @@ -35,39 +35,24 @@ # template(`cron_per_role_template',` @@ -13347,8 +11399,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1, crond_var_run_t, crond_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.13/policy/modules/services/cron.te ---- nsaserefpolicy/policy/modules/services/cron.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cron.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cron.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cron.te 2008-11-11 16:22:03.000000000 -0500 @@ -12,14 +12,6 @@ ## 
@@ -13621,8 +11673,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.13/policy/modules/services/cups.fc ---- nsaserefpolicy/policy/modules/services/cups.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cups.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cups.fc 2008-11-11 16:22:03.000000000 -0500 @@ -8,24 +8,35 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -13692,8 +11744,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.5.13/policy/modules/services/cups.if ---- nsaserefpolicy/policy/modules/services/cups.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.if 2008-11-06 12:45:55.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/cups.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cups.if 2008-11-11 16:22:03.000000000 -0500 @@ -20,6 +20,30 @@ ######################################## 
@@ -13819,8 +11871,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, hplip_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.13/policy/modules/services/cups.te ---- nsaserefpolicy/policy/modules/services/cups.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-11-10 14:07:38.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/cups.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-11-11 16:22:03.000000000 -0500 @@ -20,6 +20,12 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) @@ -14214,8 +12266,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +sysadm_dontaudit_read_home_content_files(cups_pdf_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.5.13/policy/modules/services/cvs.te ---- nsaserefpolicy/policy/modules/services/cvs.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cvs.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/cvs.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cvs.te 2008-11-11 16:22:03.000000000 -0500 @@ -115,4 +115,5 @@ read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) 
@@ -14223,8 +12275,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc ---- nsaserefpolicy/policy/modules/services/cyphesis.fc 2008-09-03 11:05:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-05 15:12:14.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/cyphesis.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1 +1,6 @@ /usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0) + @@ -14233,8 +12285,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc ---- nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dbus.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dbus.fc 2008-11-11 16:22:03.000000000 -0500 @@ -4,6 +4,9 @@ /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) /bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0) 
@@ -14246,8 +12298,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if ---- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-29 11:24:31.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dbus.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-11-11 16:22:03.000000000 -0500 @@ -53,19 +53,19 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -14598,8 +12650,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.13/policy/modules/services/dbus.te ---- nsaserefpolicy/policy/modules/services/dbus.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dbus.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dbus.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dbus.te 2008-11-11 16:22:03.000000000 -0500 @@ -9,9 +9,11 @@ # # Delcarations 
@@ -14723,8 +12775,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.5.13/policy/modules/services/dcc.if ---- nsaserefpolicy/policy/modules/services/dcc.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dcc.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dcc.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dcc.if 2008-11-11 16:22:03.000000000 -0500 @@ -72,6 +72,24 @@ ######################################## @@ -14751,8 +12803,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## allow the specified role the dcc_client domain. ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.5.13/policy/modules/services/dcc.te ---- nsaserefpolicy/policy/modules/services/dcc.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dcc.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dcc.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dcc.te 2008-11-11 16:22:03.000000000 -0500 @@ -105,6 +105,8 @@ files_read_etc_files(cdcc_t) files_read_etc_runtime_files(cdcc_t) 
@@ -14923,16 +12975,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.fc serefpolicy-3.5.13/policy/modules/services/dhcp.fc ---- nsaserefpolicy/policy/modules/services/dhcp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dhcp.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dhcp.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dhcp.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.5.13/policy/modules/services/dhcp.if ---- nsaserefpolicy/policy/modules/services/dhcp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dhcp.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dhcp.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dhcp.if 2008-11-11 16:22:03.000000000 -0500 @@ -19,3 +19,63 @@ sysnet_search_dhcp_state($1) allow $1 dhcpd_state_t:file setattr; 
@@ -14998,8 +13050,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, dhcpd_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.5.13/policy/modules/services/dhcp.te ---- nsaserefpolicy/policy/modules/services/dhcp.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dhcp.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dhcp.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dhcp.te 2008-11-11 16:22:03.000000000 -0500 @@ -10,6 +10,9 @@ type dhcpd_exec_t; init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -15066,8 +13118,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.5.13/policy/modules/services/dnsmasq.fc ---- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,4 +1,7 @@ +/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) + 
@@ -15077,8 +13129,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.13/policy/modules/services/dnsmasq.if ---- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if 2008-11-11 16:22:03.000000000 -0500 @@ -1 +1,175 @@ ## dnsmasq DNS forwarder and DHCP server + @@ -15256,8 +13308,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, dnsmasq_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te ---- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-11-10 10:52:53.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-11-11 16:22:03.000000000 -0500 @@ -10,6 +10,9 @@ type dnsmasq_exec_t; init_daemon_domain(dnsmasq_t, dnsmasq_exec_t) 
@@ -15330,8 +13382,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + virt_manage_lib_files(dnsmasq_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.5.13/policy/modules/services/dovecot.fc ---- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dovecot.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dovecot.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dovecot.fc 2008-11-11 16:22:03.000000000 -0500 @@ -6,6 +6,7 @@ /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) @@ -15370,8 +13422,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.5.13/policy/modules/services/dovecot.if ---- nsaserefpolicy/policy/modules/services/dovecot.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dovecot.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dovecot.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dovecot.if 2008-11-11 16:22:03.000000000 -0500 @@ -21,7 +21,46 @@ ######################################## 
@@ -15482,8 +13534,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.5.13/policy/modules/services/dovecot.te ---- nsaserefpolicy/policy/modules/services/dovecot.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dovecot.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/dovecot.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dovecot.te 2008-11-11 16:22:03.000000000 -0500 @@ -15,12 +15,21 @@ domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -15654,8 +13706,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.5.13/policy/modules/services/exim.if ---- nsaserefpolicy/policy/modules/services/exim.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/exim.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/exim.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/exim.if 2008-11-11 16:22:03.000000000 -0500 @@ -97,6 +97,26 @@ ######################################## 
@@ -15708,8 +13760,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_spool($1) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.5.13/policy/modules/services/exim.te ---- nsaserefpolicy/policy/modules/services/exim.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/exim.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/exim.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/exim.te 2008-11-11 16:22:03.000000000 -0500 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files, false) @@ -15877,8 +13929,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + spamassassin_exec_client(exim_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.5.13/policy/modules/services/fetchmail.if ---- nsaserefpolicy/policy/modules/services/fetchmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/fetchmail.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/fetchmail.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/fetchmail.if 2008-11-11 16:22:03.000000000 -0500 @@ -21,10 +21,10 @@ ps_process_pattern($1, fetchmail_t) 
@@ -15886,326 +13938,71 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - manage_files_pattern($1, fetchmail_etc_t, fetchmail_etc_t) + admin_pattern($1, fetchmail_etc_t) -- manage_files_pattern($1, fetchmail_uidl_cache_t, fetchmail_uidl_cache_t) -+ admin_pattern($1, fetchmail_uidl_cache_t) - - files_list_pids($1) -- manage_files_pattern($1, fetchmail_var_run_t, fetchmail_var_run_t) -+ admin_pattern($1, fetchmail_var_run_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.5.13/policy/modules/services/fetchmail.te ---- nsaserefpolicy/policy/modules/services/fetchmail.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/fetchmail.te 2008-10-28 10:56:19.000000000 -0400 -@@ -91,6 +91,10 @@ - ') - - optional_policy(` -+ sendmail_manage_log(fetchmail_t) -+') -+ -+optional_policy(` - seutil_sigchld_newrole(fetchmail_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.13/policy/modules/services/ftp.te ---- nsaserefpolicy/policy/modules/services/ftp.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ftp.te 2008-10-28 10:56:19.000000000 -0400 -@@ -226,6 +226,11 @@ - userdom_manage_all_users_home_content_dirs(ftpd_t) - userdom_manage_all_users_home_content_files(ftpd_t) - userdom_manage_all_users_home_content_symlinks(ftpd_t) -+ auth_manage_all_files_except_shadow(ftpd_t) -+ -+ auth_read_all_dirs_except_shadow(ftpd_t) -+ auth_read_all_files_except_shadow(ftpd_t) -+ auth_read_all_symlinks_except_shadow(ftpd_t) - ') - - tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -261,7 +266,9 @@ - ') - - optional_policy(` -- kerberos_read_keytab(ftpd_t) -+ kerberos_keytab_template(ftpd, ftpd_t) -+ kerberos_manage_host_rcache(ftpd_t) -+ selinux_validate_context(ftpd_t) - ') - - optional_policy(` -@@ -273,6 +280,14 
@@ - ') - - optional_policy(` -+ dbus_system_bus_client_template(notused, ftpd_t) -+ optional_policy(` -+ oddjob_dbus_chat(ftpd_t) -+ oddjob_domtrans_mkhomedir(ftpd_t) -+ ') -+') -+ -+optional_policy(` - seutil_sigchld_newrole(ftpd_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.5.13/policy/modules/services/gamin.fc ---- nsaserefpolicy/policy/modules/services/gamin.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/gamin.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,2 @@ -+ -+/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.5.13/policy/modules/services/gamin.if ---- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/gamin.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,57 @@ -+ -+## policy for gamin -+ -+######################################## -+## -+## Execute a domain transition to run gamin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`gamin_domtrans',` -+ gen_require(` -+ type gamin_t; -+ type gamin_exec_t; -+ ') -+ -+ domtrans_pattern($1, gamin_exec_t, gamin_t) -+') -+ -+######################################## -+## -+## Execute gamin. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`gamin_exec',` -+ gen_require(` -+ type gamin_exec_t; -+ ') -+ -+ can_exec($1, gamin_exec_t) -+') -+ -+######################################## -+## -+## Connect to gamin over an unix stream socket. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`gamin_stream_connect',` -+ gen_require(` -+ type gamin_t; -+ ') -+ -+ allow $1 gamin_t:unix_stream_socket connectto; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.5.13/policy/modules/services/gamin.te ---- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/gamin.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,39 @@ -+policy_module(gamin, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type gamin_t; -+type gamin_exec_t; -+application_domain(gamin_t, gamin_exec_t) -+role system_r types gamin_t; -+ -+######################################## -+# -+# gamin local policy -+# -+ -+# Init script handling -+domain_use_interactive_fds(gamin_t) -+allow gamin_t self:capability sys_ptrace; -+ -+# internal communication is often done using fifo and unix sockets. -+allow gamin_t self:fifo_file rw_file_perms; -+allow gamin_t self:unix_stream_socket create_stream_socket_perms; -+ -+files_read_etc_files(gamin_t) -+files_read_etc_runtime_files(gamin_t) -+files_list_all(gamin_t) -+files_getattr_all_files(gamin_t) -+ -+fs_list_inotifyfs(gamin_t) -+domain_read_all_domains_state(gamin_t) -+domain_dontaudit_ptrace_all_domains(gamin_t) -+ -+libs_use_ld_so(gamin_t) -+libs_use_shared_libs(gamin_t) -+ -+miscfiles_read_localization(gamin_t) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.5.13/policy/modules/services/gnomeclock.fc ---- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/gnomeclock.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,3 @@ -+ -+/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) -+ -diff -b -B --ignore-all-space 
--exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.5.13/policy/modules/services/gnomeclock.if ---- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/gnomeclock.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,75 @@ -+ -+## policy for gnomeclock -+ -+######################################## -+## -+## Execute a domain transition to run gnomeclock. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`gnomeclock_domtrans',` -+ gen_require(` -+ type gnomeclock_t; -+ type gnomeclock_exec_t; -+ ') -+ -+ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) -+') -+ -+ -+######################################## -+## -+## Execute gnomeclock in the gnomeclock domain, and -+## allow the specified role the gnomeclock domain. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the gnomeclock domain. -+## -+## -+## -+## -+## The type of the role's terminal. -+## -+## -+# -+interface(`gnomeclock_run',` -+ gen_require(` -+ type gnomeclock_t; -+ ') -+ -+ gnomeclock_domtrans($1) -+ role $2 types gnomeclock_t; -+ dontaudit gnomeclock_t $3:chr_file rw_term_perms; -+') -+ -+ -+######################################## -+## -+## Send and receive messages from -+## gnomeclock over dbus. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`gnomeclock_dbus_chat',` -+ gen_require(` -+ type gnomeclock_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 gnomeclock_t:dbus send_msg; -+ allow gnomeclock_t $1:dbus send_msg; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.5.13/policy/modules/services/gnomeclock.te ---- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/gnomeclock.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,55 @@ -+policy_module(gnomeclock, 1.0.0) -+######################################## -+# -+# Declarations -+# -+ -+type gnomeclock_t; -+type gnomeclock_exec_t; -+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) -+ -+######################################## -+# -+# gnomeclock local policy -+# -+allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; -+allow gnomeclock_t self:process { getattr getsched }; -+ -+# internal communication is often done using fifo and unix sockets. 
-+allow gnomeclock_t self:fifo_file rw_file_perms; -+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; -+ -+corecmd_exec_bin(gnomeclock_t) -+ -+userdom_ptrace_all_users(gnomeclock_t) -+ -+files_read_etc_files(gnomeclock_t) -+files_read_usr_files(gnomeclock_t) -+ -+miscfiles_manage_localization(gnomeclock_t) -+miscfiles_etc_filetrans_localization(gnomeclock_t) -+ -+fs_list_inotifyfs(gnomeclock_t) -+ -+auth_use_nsswitch(gnomeclock_t) -+ -+libs_use_ld_so(gnomeclock_t) -+libs_use_shared_libs(gnomeclock_t) -+ -+miscfiles_read_localization(gnomeclock_t) -+ -+userdom_read_all_users_state(gnomeclock_t) -+ -+optional_policy(` -+ consolekit_dbus_chat(gnomeclock_t) +- manage_files_pattern($1, fetchmail_uidl_cache_t, fetchmail_uidl_cache_t) ++ admin_pattern($1, fetchmail_uidl_cache_t) + + files_list_pids($1) +- manage_files_pattern($1, fetchmail_var_run_t, fetchmail_var_run_t) ++ admin_pattern($1, fetchmail_var_run_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.5.13/policy/modules/services/fetchmail.te +--- nsaserefpolicy/policy/modules/services/fetchmail.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/fetchmail.te 2008-11-11 16:22:03.000000000 -0500 +@@ -91,6 +91,10 @@ + ') + + optional_policy(` ++ sendmail_manage_log(fetchmail_t) +') + +optional_policy(` -+ clock_domtrans(gnomeclock_t) -+') + seutil_sigchld_newrole(fetchmail_t) + ') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.13/policy/modules/services/ftp.te +--- nsaserefpolicy/policy/modules/services/ftp.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ftp.te 2008-11-11 16:22:03.000000000 -0500 +@@ -226,6 +226,11 @@ + userdom_manage_all_users_home_content_dirs(ftpd_t) + userdom_manage_all_users_home_content_files(ftpd_t) + 
userdom_manage_all_users_home_content_symlinks(ftpd_t) ++ auth_manage_all_files_except_shadow(ftpd_t) + -+optional_policy(` -+ polkit_domtrans_auth(gnomeclock_t) -+ polkit_read_lib(gnomeclock_t) ++ auth_read_all_dirs_except_shadow(ftpd_t) ++ auth_read_all_files_except_shadow(ftpd_t) ++ auth_read_all_symlinks_except_shadow(ftpd_t) + ') + + tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` +@@ -261,7 +266,9 @@ + ') + + optional_policy(` +- kerberos_read_keytab(ftpd_t) ++ kerberos_keytab_template(ftpd, ftpd_t) ++ kerberos_manage_host_rcache(ftpd_t) ++ selinux_validate_context(ftpd_t) + ') + + optional_policy(` +@@ -273,6 +280,14 @@ + ') + + optional_policy(` ++ dbus_system_bus_client_template(notused, ftpd_t) ++ optional_policy(` ++ oddjob_dbus_chat(ftpd_t) ++ oddjob_domtrans_mkhomedir(ftpd_t) ++ ') +') + ++optional_policy(` + seutil_sigchld_newrole(ftpd_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.5.13/policy/modules/services/hal.fc ---- nsaserefpolicy/policy/modules/services/hal.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/hal.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/hal.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/hal.fc 2008-11-11 16:22:03.000000000 -0500 @@ -9,6 +9,7 @@ /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) 
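Review bot: `auth_manage_all_files_except_shadow(ftpd_t)`, kept on the new side of the ftp.te inner hunk (`@@ -226,6 +226,11 @@`), grants ftpd_t create/write/delete access to, as its name says, every file type except the shadow-related ones — far wider than the `userdom_manage_all_users_home_content_*` rules it sits beside; the block's opening `tunable_policy` line is outside the inner hunk, so which boolean gates it cannot be confirmed from here. Whatever the gating, a one-line comment stating why manage rather than read access over non-home content is required would stop the next reader from treating it as a typo for a userdom interface, e.g. `# TODO(review): manage_all_files is much wider than home content; record the use case or narrow it`. In the same file's later hunk, `dbus_system_bus_client_template(notused, ftpd_t)` passes a placeholder as the first argument; a short comment that the prefix argument is intentionally unused would make that explicit.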
@@ -16224,8 +14021,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.5.13/policy/modules/services/hal.if ---- nsaserefpolicy/policy/modules/services/hal.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/hal.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/hal.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/hal.if 2008-11-11 16:22:03.000000000 -0500 @@ -302,3 +302,42 @@ files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; @@ -16270,8 +14067,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 hald_t:process ptrace; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te ---- nsaserefpolicy/policy/modules/services/hal.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-11-04 13:26:50.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/hal.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-11-11 16:22:03.000000000 -0500 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -16392,8 +14189,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#cron_read_system_job_lib_files(hald_t) +cron_read_system_job_lib_files(hald_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.5.13/policy/modules/services/inetd.fc ---- nsaserefpolicy/policy/modules/services/inetd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/inetd.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/inetd.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/inetd.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,6 +1,8 @@ /usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0) @@ -16404,8 +14201,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) /usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.5.13/policy/modules/services/inetd.te ---- nsaserefpolicy/policy/modules/services/inetd.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/inetd.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/inetd.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/inetd.te 2008-11-11 16:22:03.000000000 -0500 @@ -136,6 +136,7 @@ domain_use_interactive_fds(inetd_t) 
@@ -16423,8 +14220,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(inetd_child_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.5.13/policy/modules/services/kerberos.fc ---- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/kerberos.fc 2008-11-10 14:48:44.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/kerberos.fc 2008-11-11 16:22:03.000000000 -0500 @@ -20,7 +20,7 @@ /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) @@ -16435,8 +14232,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.5.13/policy/modules/services/kerberos.te ---- nsaserefpolicy/policy/modules/services/kerberos.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/kerberos.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/kerberos.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/kerberos.te 2008-11-11 16:22:03.000000000 -0500 @@ -298,6 +298,7 @@ corenet_tcp_sendrecv_all_nodes(kpropd_t) corenet_tcp_sendrecv_all_ports(kpropd_t) 
@@ -16446,8 +14243,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(kpropd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.5.13/policy/modules/services/kerneloops.if ---- nsaserefpolicy/policy/modules/services/kerneloops.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/kerneloops.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/kerneloops.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/kerneloops.if 2008-11-11 16:22:03.000000000 -0500 @@ -63,6 +63,25 @@ ######################################## @@ -16491,8 +14288,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.5.13/policy/modules/services/kerneloops.te ---- nsaserefpolicy/policy/modules/services/kerneloops.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/kerneloops.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/kerneloops.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/kerneloops.te 2008-11-11 16:22:03.000000000 -0500 @@ -13,6 +13,9 @@ type kerneloops_initrc_exec_t; init_script_file(kerneloops_initrc_exec_t) 
@@ -16514,8 +14311,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Init script handling diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.5.13/policy/modules/services/ldap.te ---- nsaserefpolicy/policy/modules/services/ldap.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ldap.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ldap.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ldap.te 2008-11-11 16:22:03.000000000 -0500 @@ -121,7 +121,7 @@ sysadm_dontaudit_search_home_dirs(slapd_t) @@ -16526,8 +14323,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.5.13/policy/modules/services/lpd.fc ---- nsaserefpolicy/policy/modules/services/lpd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/lpd.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/lpd.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/lpd.fc 2008-11-11 16:22:03.000000000 -0500 @@ -3,6 +3,8 @@ # /dev/printer -s gen_context(system_u:object_r:printer_t,s0) 
@@ -16554,16 +14351,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.5.13/policy/modules/services/mailman.fc ---- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mailman.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mailman.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/mailman.fc 2008-11-11 16:22:03.000000000 -0500 @@ -31,3 +31,4 @@ /var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) ') +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.13/policy/modules/services/mailman.if ---- nsaserefpolicy/policy/modules/services/mailman.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mailman.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mailman.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/mailman.if 2008-11-11 16:22:03.000000000 -0500 @@ -31,6 +31,12 @@ allow mailman_$1_t self:tcp_socket create_stream_socket_perms; allow mailman_$1_t self:udp_socket create_socket_perms; 
@@ -16612,8 +14409,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.13/policy/modules/services/mailman.te ---- nsaserefpolicy/policy/modules/services/mailman.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mailman.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mailman.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/mailman.te 2008-11-11 19:06:29.000000000 -0500 @@ -53,10 +53,9 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -16627,7 +14424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -65,16 +64,19 @@ +@@ -65,15 +64,22 @@ # allow mailman_mail_t self:unix_dgram_socket create_socket_perms; @@ -16643,19 +14440,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) -- ++mta_dontaudit_rw_queue(mailman_mail_t) + -ifdef(`TODO',` --optional_policy(` + optional_policy(` - allow mailman_mail_t qmail_spool_t:file { read ioctl getattr }; - # do we really need this? - allow mailman_mail_t qmail_lspawn_t:fifo_file write; -') --') -+mta_dontaudit_rw_queue(mailman_mail_t) ++ postfix_search_spool(mailman_mail_t) + ') ######################################## - # -@@ -104,6 +106,11 @@ +@@ -104,6 +110,11 @@ # some of the following could probably be changed to dontaudit, someone who # knows mailman well should test this out and send the changes sysadm_search_home_dirs(mailman_queue_t) 
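Review bot: `mta_dontaudit_rw_queue(mailman_mail_t)` on the new side of the mailman.te inner hunk (`@@ -65,15 +64,22 @@`) silences read/write denials on the MTA queue with no comment explaining why the access is expected but not needed; an uncommented dontaudit is exactly the rule that later masks a real permission gap or a misdirected write to the queue. If this covers a queue file descriptor inherited from the MTA (the hunk does not show it), say so: `# queue fd inherited from the MTA at delivery; rw attempts are expected noise, not a needed permission`. The new `optional_policy` block that calls `postfix_search_spool(mailman_mail_t)` would likewise benefit from a one-line note on what mailman looks up in the postfix spool.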
@@ -16667,87 +14464,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` cron_system_entry(mailman_queue_t, mailman_queue_exec_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.5.13/policy/modules/services/mailscanner.fc ---- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/mailscanner.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,2 @@ -+/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.5.13/policy/modules/services/mailscanner.if ---- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/mailscanner.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,59 @@ -+## Anti-Virus and Anti-Spam Filter -+ -+######################################## -+## -+## Search mailscanner spool directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mailscanner_search_spool',` -+ gen_require(` -+ type mailscanner_spool_t; -+ ') -+ -+ files_search_spool($1) -+ allow $1 mailscanner_spool_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## read mailscanner spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mailscanner_read_spool',` -+ gen_require(` -+ type mailscanner_spool_t; -+ ') -+ -+ files_search_spool($1) -+ read_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## mailscanner spool files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`mailscanner_manage_spool',` -+ gen_require(` -+ type mailscanner_spool_t; -+ ') -+ -+ files_search_spool($1) -+ manage_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.5.13/policy/modules/services/mailscanner.te ---- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/mailscanner.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,5 @@ -+ -+policy_module(mailscanner, 1.0.0) -+ -+type mailscanner_spool_t; -+files_type(mailscanner_spool_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.13/policy/modules/services/mta.fc ---- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mta.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mta.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/mta.fc 2008-11-11 16:22:03.000000000 -0500 @@ -22,7 +22,3 @@ /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) 
@@ -16757,8 +14476,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -#') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.5.13/policy/modules/services/mta.if ---- nsaserefpolicy/policy/modules/services/mta.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mta.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mta.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/mta.if 2008-11-11 16:22:03.000000000 -0500 @@ -133,6 +133,15 @@ sendmail_create_log($1_mail_t) ') @@ -16836,8 +14555,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## mail queue files. ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.5.13/policy/modules/services/mta.te ---- nsaserefpolicy/policy/modules/services/mta.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mta.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mta.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/mta.te 2008-11-11 16:22:03.000000000 -0500 @@ -39,34 +39,50 @@ # 
@@ -16971,8 +14690,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.5.13/policy/modules/services/munin.fc ---- nsaserefpolicy/policy/modules/services/munin.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/munin.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/munin.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/munin.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,4 +1,5 @@ /etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) +/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) @@ -16991,8 +14710,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.5.13/policy/modules/services/munin.if ---- nsaserefpolicy/policy/modules/services/munin.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/munin.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/munin.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/munin.if 2008-11-11 16:22:03.000000000 -0500 @@ -80,3 +80,76 @@ dontaudit $1 munin_var_lib_t:dir search_dir_perms; 
@@ -17071,8 +14790,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te ---- nsaserefpolicy/policy/modules/services/munin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-10-28 19:45:12.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/munin.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-11-11 16:22:03.000000000 -0500 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) @@ -17201,8 +14920,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.5.13/policy/modules/services/mysql.fc ---- nsaserefpolicy/policy/modules/services/mysql.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mysql.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mysql.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/mysql.fc 2008-11-11 16:22:03.000000000 -0500 @@ -5,6 +5,7 @@ # /etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) 
@@ -17212,8 +14931,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.5.13/policy/modules/services/mysql.if ---- nsaserefpolicy/policy/modules/services/mysql.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mysql.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mysql.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/mysql.if 2008-11-11 16:22:03.000000000 -0500 @@ -53,9 +53,11 @@ interface(`mysql_stream_connect',` gen_require(` @@ -17284,8 +15003,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, mysqld_tmp_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.5.13/policy/modules/services/mysql.te ---- nsaserefpolicy/policy/modules/services/mysql.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/mysql.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/mysql.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/mysql.te 2008-11-11 16:22:03.000000000 -0500 @@ -19,6 +19,9 @@ type mysqld_etc_t alias etc_mysqld_t; files_config_file(mysqld_etc_t) 
@@ -17313,8 +15032,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(mysqld_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.5.13/policy/modules/services/nagios.fc ---- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nagios.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nagios.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nagios.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,16 +1,19 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) @@ -17340,8 +15059,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.5.13/policy/modules/services/nagios.if ---- nsaserefpolicy/policy/modules/services/nagios.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nagios.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nagios.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nagios.if 2008-11-11 19:06:29.000000000 -0500 @@ -44,7 +44,7 @@ ######################################## @@ -17351,7 +15070,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## a domain transition. ## ## -@@ -53,29 +53,62 @@ +@@ -53,29 +53,82 @@ ## ## # 
@@ -17370,6 +15089,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## -## Execute the nagios NRPE with -## a domain transition. ++## Do not audit attempts to read and write ++## NAGIOS unnamed pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`nagios_dontaudit_rw_pipes',` ++ ++ gen_require(` ++ type nagios_t; ++ ') ++ ++ dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an nagios environment ## @@ -17423,8 +15162,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, nrpe_etc_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.5.13/policy/modules/services/nagios.te ---- nsaserefpolicy/policy/modules/services/nagios.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nagios.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nagios.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nagios.te 2008-11-11 16:22:03.000000000 -0500 @@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) 
@@ -17524,8 +15263,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.13/policy/modules/services/networkmanager.fc ---- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,8 +1,12 @@ +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + @@ -17545,8 +15284,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.13/policy/modules/services/networkmanager.if ---- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.if 2008-11-11 16:22:03.000000000 -0500 @@ -118,6 +118,24 @@ ######################################## 
@@ -17573,8 +15312,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te ---- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-10-30 11:44:48.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-11-11 16:22:03.000000000 -0500 @@ -33,9 +33,9 @@ # networkmanager will ptrace itself if gdb is installed @@ -17772,8 +15511,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.5.13/policy/modules/services/nis.fc ---- nsaserefpolicy/policy/modules/services/nis.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nis.fc 2008-11-03 13:40:14.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/nis.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nis.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,9 +1,13 @@ - +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) 
@@ -17790,8 +15529,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.5.13/policy/modules/services/nis.if ---- nsaserefpolicy/policy/modules/services/nis.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nis.if 2008-11-03 17:06:55.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/nis.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nis.if 2008-11-11 16:22:03.000000000 -0500 @@ -28,7 +28,7 @@ type var_yp_t; ') @@ -17944,8 +15683,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.5.13/policy/modules/services/nis.te ---- nsaserefpolicy/policy/modules/services/nis.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nis.te 2008-11-03 13:39:45.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/nis.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nis.te 2008-11-11 16:22:03.000000000 -0500 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) 
@@ -18025,16 +15764,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) corenet_tcp_connect_all_ports(ypxfr_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.5.13/policy/modules/services/nscd.fc ---- nsaserefpolicy/policy/modules/services/nscd.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nscd.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/nscd.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nscd.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,3 +1,4 @@ +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.13/policy/modules/services/nscd.if ---- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-11-03 13:42:37.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/nscd.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-11-11 16:22:03.000000000 -0500 @@ -2,7 +2,27 @@ ######################################## 
@@ -18224,8 +15963,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.5.13/policy/modules/services/nscd.te ---- nsaserefpolicy/policy/modules/services/nscd.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/nscd.te 2008-11-03 13:39:13.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/nscd.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/nscd.te 2008-11-11 16:22:03.000000000 -0500 @@ -20,6 +20,9 @@ type nscd_exec_t; init_daemon_domain(nscd_t, nscd_exec_t) @@ -18324,8 +16063,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + samba_read_var_files(nscd_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.5.13/policy/modules/services/ntp.if ---- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ntp.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ntp.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ntp.if 2008-11-11 16:22:03.000000000 -0500 @@ -56,6 +56,24 @@ ######################################## 
@@ -18352,8 +16091,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## an ntp environment ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.5.13/policy/modules/services/ntp.te ---- nsaserefpolicy/policy/modules/services/ntp.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ntp.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ntp.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ntp.te 2008-11-11 16:22:03.000000000 -0500 @@ -42,6 +42,7 @@ dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; @@ -18372,8 +16111,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_ptmx(ntpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.5.13/policy/modules/services/oddjob.fc ---- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/oddjob.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/oddjob.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/oddjob.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,4 +1,4 @@ -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) 
@@ -18381,8 +16120,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.5.13/policy/modules/services/oddjob.if ---- nsaserefpolicy/policy/modules/services/oddjob.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/oddjob.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/oddjob.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/oddjob.if 2008-11-11 16:22:03.000000000 -0500 @@ -44,6 +44,7 @@ ') @@ -18427,8 +16166,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit oddjob_mkhomedir_t $3:chr_file rw_term_perms; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.5.13/policy/modules/services/oddjob.te ---- nsaserefpolicy/policy/modules/services/oddjob.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/oddjob.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/oddjob.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/oddjob.te 2008-11-11 16:22:03.000000000 -0500 @@ -10,14 +10,21 @@ type oddjob_exec_t; domain_type(oddjob_t) 
@@ -18488,9 +16227,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Add/remove user home directories unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.5.13/policy/modules/services/openvpn.fc +--- nsaserefpolicy/policy/modules/services/openvpn.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/openvpn.fc 2008-11-13 11:40:40.000000000 -0500 +@@ -2,6 +2,7 @@ + # /etc + # + /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) ++/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) + /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) + + # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.if serefpolicy-3.5.13/policy/modules/services/openvpn.if ---- nsaserefpolicy/policy/modules/services/openvpn.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/openvpn.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/openvpn.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/openvpn.if 2008-11-11 16:22:03.000000000 -0500 @@ -52,6 +52,24 @@ ######################################## 
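Review bot: The new file-context entry leaves the `.` in `ipp.txt` unescaped; the path column is a regular expression, and every other entry in this patch escapes literal dots (`rc\.d/init\.d`), so the line should read `/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)`. As written it still matches ipp.txt, but also any other single character in that position, which makes the spec slightly broader than intended and inconsistent with the rest of the file.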
@@ -18542,9 +16292,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## OpenVPN configuration files. ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.5.13/policy/modules/services/openvpn.te ---- nsaserefpolicy/policy/modules/services/openvpn.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/openvpn.te 2008-10-28 10:56:19.000000000 -0400 -@@ -117,3 +117,11 @@ +--- nsaserefpolicy/policy/modules/services/openvpn.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/openvpn.te 2008-11-13 11:41:11.000000000 -0500 +@@ -22,6 +22,9 @@ + type openvpn_etc_t; + files_config_file(openvpn_etc_t) + ++type openvpn_etc_rw_t; ++files_config_file(openvpn_etc_rw_t) ++ + type openvpn_initrc_exec_t; + init_script_file(openvpn_initrc_exec_t) + +@@ -47,10 +50,11 @@ + allow openvpn_t self:tcp_socket server_stream_socket_perms; + allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; + +-allow openvpn_t openvpn_etc_t:dir list_dir_perms; +-can_exec(openvpn_t, openvpn_etc_t) ++manage_files_pattern(openvpn_t,openvpn_etc_rw_t,openvpn_etc_rw_t) + read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) + read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) ++filetrans_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_rw_t, file) ++can_exec(openvpn_t,openvpn_etc_t) + + allow openvpn_t openvpn_var_log_t:file manage_file_perms; + logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) +@@ -117,3 +121,11 @@ networkmanager_dbus_chat(openvpn_t) ') 
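Review bot: The new daemon-writable type is declared with `files_config_file(openvpn_etc_rw_t)`, which presumably gives a file that openvpn_t rewrites at runtime the same configfile attribute as read-only configuration and thus exposes it to whatever domains use the generic config-file reading interfaces; the pki template later in this patch declares its `$1_etc_rw_t` with plain `files_type`, and `files_type(openvpn_etc_rw_t)` would be the consistent choice here. Note also that `filetrans_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_rw_t, file)` relabels every file openvpn_t creates under an openvpn_etc_t directory, not only ipp.txt, which is wider than the .fc change suggests and deserves a one-line comment such as `# any file the daemon creates in /etc/openvpn is runtime state, not admin config`. The two added rule lines also drop the space after commas that the adjacent `read_files_pattern` calls use.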
@@ -18556,111 +16330,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_use_terms(openvpn_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.5.13/policy/modules/services/pads.fc ---- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/pads.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,12 @@ -+ -+/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) -+/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) -+ -+/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0) -+ -+/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) -+ -+/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.5.13/policy/modules/services/pads.if ---- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/pads.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,10 @@ -+## SELinux policy for PADS daemon. -+## -+##

-+## PADS is a libpcap based detection engine used to -+## passively detect network assets. It is designed to -+## complement IDS technology by providing context to IDS -+## alerts. -+##

-+##
-+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.13/policy/modules/services/pads.te ---- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/pads.te 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,68 @@ -+ -+policy_module(pads, 0.0.1) -+ -+######################################## -+# -+# Declarations -+# -+ -+type pads_t; -+type pads_exec_t; -+init_daemon_domain(pads_t, pads_exec_t) -+role system_r types pads_t; -+ -+type pads_initrc_exec_t; -+init_script_file(pads_initrc_exec_t) -+ -+type pads_config_t; -+files_config_file(pads_config_t) -+ -+type pads_var_run_t; -+files_pid_file(pads_var_run_t) -+ -+######################################## -+# -+# Declarations -+# -+ -+allow pads_t self:capability { dac_override net_raw }; -+allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; -+allow pads_t self:packet_socket { ioctl setopt getopt read bind create }; -+allow pads_t self:udp_socket { create ioctl }; -+allow pads_t self:unix_dgram_socket { write create connect }; -+ -+allow pads_t pads_config_t:file manage_file_perms; -+files_etc_filetrans(pads_t, pads_config_t, file) -+ -+allow pads_t pads_var_run_t:file manage_file_perms; -+files_pid_filetrans(pads_t, pads_var_run_t, file) -+ -+corecmd_search_bin(pads_t) -+ -+corenet_all_recvfrom_unlabeled(pads_t) -+corenet_all_recvfrom_netlabel(pads_t) -+corenet_tcp_sendrecv_all_if(pads_t) -+corenet_tcp_sendrecv_all_nodes(pads_t) -+ -+corenet_tcp_connect_prelude_port(pads_t) -+ -+dev_read_rand(pads_t) -+dev_read_urand(pads_t) -+ -+kernel_read_sysctl(pads_t) -+ -+files_read_etc_files(pads_t) -+files_search_spool(pads_t) -+ -+libs_use_ld_so(pads_t) -+libs_use_shared_libs(pads_t) -+ -+miscfiles_read_localization(pads_t) -+ -+logging_send_syslog_msg(pads_t) -+ -+sysnet_dns_name_resolve(pads_t) -+ -+optional_policy(` -+ 
prelude_manage_spool(pads_t) -+') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.13/policy/modules/services/pcscd.te ---- nsaserefpolicy/policy/modules/services/pcscd.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/pcscd.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/pcscd.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/pcscd.te 2008-11-11 16:22:03.000000000 -0500 @@ -10,6 +10,7 @@ type pcscd_exec_t; domain_type(pcscd_t) @@ -18685,8 +16357,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol openct_read_pid_files(pcscd_t) openct_signull(pcscd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.5.13/policy/modules/services/pegasus.te ---- nsaserefpolicy/policy/modules/services/pegasus.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/pegasus.te 2008-11-04 12:06:18.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/pegasus.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/pegasus.te 2008-11-11 16:22:03.000000000 -0500 @@ -30,7 +30,7 @@ # Local policy # 
@@ -18758,134 +16430,314 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.5.13/policy/modules/services/polkit.fc ---- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/polkit.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,9 @@ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.fc serefpolicy-3.5.13/policy/modules/services/pki.fc +--- nsaserefpolicy/policy/modules/services/pki.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/pki.fc 2008-11-13 13:57:43.000000000 -0500 +@@ -0,0 +1,66 @@ + -+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) -+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0) -+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0) -+/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0) ++/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0) + -+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) -+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) -+/var/lib/PolicyKit-public(/.*)? 
gen_context(system_u:object_r:polkit_var_lib_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.13/policy/modules/services/polkit.if ---- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/polkit.if 2008-11-04 09:56:57.000000000 -0500 -@@ -0,0 +1,233 @@ ++/etc/init.d/pki-ca -- gen_context(system_u:object_r:pki_ca_script_exec_t,s0) + -+## policy for polkit_auth ++/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0) ++/etc/pki-ca/tomcat5.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0) + -+######################################## -+## -+## Execute a domain transition to run polkit_auth. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`polkit_domtrans_auth',` -+ gen_require(` -+ type polkit_auth_t; -+ type polkit_auth_exec_t; -+ ') ++/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0) + -+ domtrans_pattern($1, polkit_auth_exec_t, polkit_auth_t) -+') ++/var/run/pki-ca.pid gen_context(system_u:object_r:pki_ca_var_run_t,s0) ++ ++/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0) ++ ++/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0) ++ ++/etc/init.d/pki-kra -- gen_context(system_u:object_r:pki_kra_script_exec_t,s0) ++ ++/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0) ++/etc/pki-kra/tomcat5.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0) ++ ++/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0) ++ ++/var/run/pki-kra.pid gen_context(system_u:object_r:pki_kra_var_run_t,s0) ++ ++/var/log/pki-kra(/.*)? 
gen_context(system_u:object_r:pki_kra_log_t,s0) ++ ++/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0) ++ ++/etc/init.d/pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0) ++ ++/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0) ++/etc/pki-ocsp/tomcat5.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0) ++ ++/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0) ++ ++/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) ++ ++/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0) ++ ++/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) ++/etc/init.d/pki-ra -- gen_context(system_u:object_r:pki_ra_script_exec_t,s0) ++/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) ++/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) ++/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) ++ ++ ++/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0) ++ ++/etc/init.d/pki-tks -- gen_context(system_u:object_r:pki_tks_script_exec_t,s0) ++ ++/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0) ++/etc/pki-tks/tomcat5.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0) ++ ++/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0) ++ ++/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tks_var_run_t,s0) ++ ++/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0) ++ ++/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) ++/etc/init.d/pki-tps -- gen_context(system_u:object_r:pki_tps_script_exec_t,s0) ++/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) ++/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) ++/var/log/pki-tps(/.*)? 
gen_context(system_u:object_r:pki_tps_log_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.if serefpolicy-3.5.13/policy/modules/services/pki.if +--- nsaserefpolicy/policy/modules/services/pki.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/pki.if 2008-11-13 13:57:43.000000000 -0500 +@@ -0,0 +1,643 @@ ++ ++## policy for pki + +######################################## +## -+## Search polkit lib directories. ++## Execute pki_ca server in the pki_ca domain. +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. +## +## +# -+interface(`polkit_search_lib',` ++interface(`pki_ca_script_domtrans',` + gen_require(` -+ type polkit_var_lib_t; ++ attribute pki_ca_script; + ') + -+ allow $1 polkit_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) ++ init_script_domtrans_spec($1,pki_ca_script) +') + +######################################## +## -+## read polkit lib files ++## Create a set of derived types for apache ++## web content. +## -+## ++## +## -+## Domain allowed access. ++## The prefix to be used for deriving type names. 
+## +## +# -+interface(`polkit_read_lib',` ++template(`pki_ca_template',` + gen_require(` -+ type polkit_var_lib_t; ++ attribute pki_ca_process; ++ attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run; ++ attribute pki_ca_executable, pki_ca_script, pki_ca_var_log; ++ type pki_ca_tomcat_exec_t; ++ type $1_port_t; + ') ++ ######################################## ++ # ++ # Declarations ++ # + -+ files_search_var_lib($1) -+ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) ++ type $1_t, pki_ca_process; ++ type $1_exec_t, pki_ca_executable; ++ domain_type($1_t) ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ type $1_script_exec_t, pki_ca_script; ++ init_script_file($1_script_exec_t) ++ ++ type $1_etc_rw_t, pki_ca_config; ++ files_type($1_etc_rw_t) ++ ++ type $1_var_run_t, pki_ca_var_run; ++ files_pid_file($1_var_run_t) ++ ++ type $1_var_lib_t, pki_ca_var_lib; ++ files_type($1_var_lib_t) ++ ++ type $1_log_t, pki_ca_var_log; ++ logging_log_file($1_log_t) ++ ++ ######################################## ++ # ++ # $1 local policy ++ # ++ ++ # Execstack/execmem caused by java app. ++ allow $1_t self:process { execstack execmem getsched setsched }; ++ ++ ## internal communication is often done using fifo and unix sockets. 
++ allow $1_t self:fifo_file rw_file_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_t self:tcp_socket create_stream_socket_perms; ++ allow $1_t self:process signull; ++ ++ allow $1_t $1_port_t:tcp_socket {name_bind name_connect}; ++ ++ corenet_all_recvfrom_unlabeled($1_t) ++ corenet_tcp_sendrecv_all_if($1_t) ++ corenet_tcp_sendrecv_all_nodes($1_t) ++ corenet_tcp_sendrecv_all_ports($1_t) ++ ++ corenet_tcp_bind_all_nodes($1_t) ++ corenet_tcp_bind_ocsp_port($1_t) ++ corenet_tcp_connect_ocsp_port($1_t) ++ ++ # This is for /etc/$1/tomcat.conf: ++ can_exec($1_t, pki_ca_tomcat_exec_t) ++ ++ # Init script handling ++ domain_use_interactive_fds($1_t) ++ ++ files_read_etc_files($1_t) ++ ++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) ++ ++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ files_pid_filetrans($1_t,$1_var_run_t, { file dir }) ++ ++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) ++ ++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) ++ manage_files_pattern($1_t, $1_log_t, $1_log_t) ++ logging_log_filetrans($1_t, $1_log_t, { file dir } ) ++ ++ corecmd_exec_bin($1_t) ++ corecmd_read_bin_symlinks($1_t) ++ corecmd_exec_shell($1_t) ++ ++ dev_list_sysfs($1_t) ++ dev_read_rand($1_t) ++ dev_read_urand($1_t) ++ ++ # Java is looking in /tmp for some reason...: ++ files_manage_generic_tmp_dirs($1_t) ++ files_manage_generic_tmp_files($1_t) ++ files_read_usr_files($1_t) ++ files_read_usr_symlinks($1_t) ++ # These are used to read tomcat class files in /var/lib/tomcat ++ files_read_var_lib_files($1_t) ++ files_read_var_lib_symlinks($1_t) ++ ++ kernel_read_network_state($1_t) ++ 
kernel_read_system_state($1_t) ++ kernel_search_network_state($1_t) ++ # audit2allow ++ kernel_signull_unlabeled($1_t) ++ ++ auth_use_nsswitch($1_t) ++ ++ init_dontaudit_write_utmp($1_t) ++ ++ libs_use_ld_so($1_t) ++ libs_use_shared_libs($1_t) ++ ++ miscfiles_read_localization($1_t) ++ ++ ifdef(`targeted_policy',` ++ term_dontaudit_use_unallocated_ttys($1_t) ++ term_dontaudit_use_generic_ptys($1_t) ++ ') ++ ++#This is broken in selinux-policy we need java_exec defined, Will add to policy ++ gen_require(` ++ type java_exec_t; ++ ') ++ can_exec($1_t, java_exec_t) + -+ # Broken placement -+ cron_read_system_job_lib_files($1) +') + +######################################## +## -+## Execute a domain transition to run polkit_grant. ++## All of the rules required to administrate ++## an pki_ca environment +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. 
++## +## ++## +# -+interface(`polkit_domtrans_grant',` ++interface(`pki_ca_admin',` + gen_require(` -+ type polkit_grant_t; -+ type polkit_grant_exec_t; ++ type pki_ca_tomcat_exec_t; ++ attribute pki_ca_process; ++ attribute pki_ca_config; ++ attribute pki_ca_executable; ++ attribute pki_ca_var_lib; ++ attribute pki_ca_var_log; ++ attribute pki_ca_var_run; ++ attribute pki_ca_pidfiles; ++ attribute pki_ca_script; + ') + -+ domtrans_pattern($1, polkit_grant_exec_t, polkit_grant_t) ++ allow $1 pki_ca_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_ca_t) ++ ++ # Allow pki_ca_t to restart the service ++ pki_ca_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_ca_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_ca_config) ++ manage_all_pattern($1, pki_ca_var_run) ++ manage_all_pattern($1, pki_ca_var_lib) ++ manage_all_pattern($1, pki_ca_var_log) ++ manage_all_pattern($1, pki_ca_config) ++ manage_all_pattern($1, pki_ca_tomcat_exec_t) +') + +######################################## +## -+## Execute a domain transition to run polkit_resolve. ++## Execute pki_kra server in the pki_kra domain. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## The type of the process performing this action. 
++## +## +# -+interface(`polkit_domtrans_resolve',` ++interface(`pki_kra_script_domtrans',` + gen_require(` -+ type polkit_resolve_t; -+ type polkit_resolve_exec_t; ++ attribute pki_kra_script; + ') + -+ domtrans_pattern($1, polkit_resolve_exec_t, polkit_resolve_t) -+ -+ allow polkit_resolve_t $1:dir list_dir_perms; -+ read_files_pattern(polkit_resolve_t, $1, $1) -+ read_lnk_files_pattern(polkit_resolve_t, $1, $1) -+ allow polkit_resolve_t $1:process getattr; ++ init_script_domtrans_spec($1,pki_kra_script) +') + +######################################## +## -+## Execute a policy_grant in the policy_grant domain, and -+## allow the specified role the policy_grant domain, -+## and use the caller's terminal. ++## All of the rules required to administrate ++## an pki_kra environment +## +## +## 
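Review bot: In pki.fc the entry `/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)` appears twice, once in the RA block and again at the head of the TPS block where every other line uses a pki_tps_* type, so the second copy looks like a copy-paste slip that should read `pki_tps_exec_t` — and even then two specs for one path would conflict. More importantly this labels the stock Apache worker binary as a PKI entry point, so on a host whose system Apache is itself run with the worker MPM the init-started daemon would presumably land in the pki domain rather than httpd_t; a per-service wrapper path is the usual way to avoid putting an exec type on a shared binary. In the pki_ca_template, `allow $1_t self:fifo_file rw_file_perms;` should be `allow $1_t self:fifo_file rw_fifo_file_perms;`, matching the nagios hunk above in this patch. `manage_all_pattern($1, pki_ca_config)` is listed twice in `pki_ca_admin`, and likewise `pki_ca_kra_config` in `pki_kra_admin`, while `pki_ca_t`/`pki_kra_t` are used by `ps_process_pattern` without being in the interface's gen_require. pki.if continues past the end of this hunk.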
@@ -18894,519 +16746,528 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The role to be allowed the load_policy domain. ++## The role to be allowed to manage the syslog domain. +## +## +## +## -+## The type of the terminal allow the load_policy domain to use. ++## The type of the user terminal. +## +## +## +# -+interface(`polkit_run_grant',` ++interface(`pki_kra_admin',` + gen_require(` -+ type polkit_grant_t; ++ type pki_kra_tomcat_exec_t; ++ attribute pki_kra_process; ++ attribute pki_kra_config; ++ attribute pki_kra_executable; ++ attribute pki_kra_var_lib; ++ attribute pki_kra_var_log; ++ attribute pki_kra_var_run; ++ attribute pki_kra_pidfiles; ++ attribute pki_kra_script; + ') + -+ polkit_domtrans_grant($1) -+ role $2 types polkit_grant_t; -+ allow polkit_grant_t $3:chr_file rw_term_perms; -+ allow $1 polkit_grant_t:process signal; -+ read_files_pattern(polkit_grant_t, $1, $1) -+ allow polkit_grant_t $1:process getattr; ++ allow $1 pki_kra_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_kra_t) ++ ++ # Allow pki_kra_t to restart the service ++ pki_kra_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_kra_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_kra_config) ++ manage_all_pattern($1, pki_kra_var_run) ++ manage_all_pattern($1, pki_kra_var_lib) ++ manage_all_pattern($1, pki_kra_var_log) ++ manage_all_pattern($1, pki_kra_config) ++ manage_all_pattern($1, pki_kra_tomcat_exec_t) +') + +######################################## +## -+## Execute a policy_auth in the policy_auth domain, and -+## allow the specified role the policy_auth domain, -+## and use the caller's terminal. ++## Execute pki_ocsp server in the pki_ocsp domain. +## +## +## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed the load_policy domain. -+## -+## -+## -+## -+## The type of the terminal allow the load_policy domain to use. 
++## The type of the process performing this action. +## +## +# -+interface(`polkit_run_auth',` ++interface(`pki_ocsp_script_domtrans',` + gen_require(` -+ type polkit_auth_t; ++ attribute pki_ocsp_script; + ') + -+ polkit_domtrans_auth($1) -+ role $2 types polkit_auth_t; -+ allow polkit_auth_t $3:chr_file rw_term_perms; ++ init_script_domtrans_spec($1,pki_ocsp_script) +') + -+####################################### ++ ++######################################## +## -+## The per role template for the nsplugin module. ++## All of the rules required to administrate ++## an pki_ocsp environment +## -+## -+##

-+## This template creates a derived domains which are used -+## for nsplugin web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+##
-+## ++## +## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). ++## Domain allowed access. +## +## -+## ++## +## -+## The type of the user domain. ++## The role to be allowed to manage the syslog domain. +## +## -+## ++## +## -+## The role associated with the user domain. ++## The type of the user terminal. +## +## +## +# -+template(`polkit_per_role_template',` -+ polkit_run_auth($2, $3, { $1_devpts_t $1_tty_device_t }) -+ polkit_run_grant($2, $3, { $1_devpts_t $1_tty_device_t }) -+ polkit_read_lib($2) ++interface(`pki_ocsp_admin',` ++ gen_require(` ++ type pki_ocsp_tomcat_exec_t; ++ attribute pki_ocsp_process; ++ attribute pki_ocsp_config; ++ attribute pki_ocsp_executable; ++ attribute pki_ocsp_var_lib; ++ attribute pki_ocsp_var_log; ++ attribute pki_ocsp_var_run; ++ attribute pki_ocsp_pidfiles; ++ attribute pki_ocsp_script; ++ ') ++ ++ allow $1 pki_ocsp_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_ocsp_t) ++ ++ # Allow pki_ocsp_t to restart the service ++ pki_ocsp_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_ocsp_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_ocsp_config) ++ manage_all_pattern($1, pki_ocsp_var_run) ++ manage_all_pattern($1, pki_ocsp_var_lib) ++ manage_all_pattern($1, pki_ocsp_var_log) ++ manage_all_pattern($1, pki_ocsp_config) ++ manage_all_pattern($1, pki_ocsp_tomcat_exec_t) +') + +######################################## +## -+## Send and receive messages from -+## polkit over dbus. ++## Execute pki_ra server in the pki_ra domain. +## +## +## -+## Domain allowed access. ++## The type of the process performing this action. 
+## +## +# -+interface(`polkit_dbus_chat',` ++interface(`pki_ra_script_domtrans',` + gen_require(` -+ type polkit_t; -+ class dbus send_msg; ++ attribute pki_ra_script; + ') + -+ allow $1 polkit_t:dbus send_msg; -+ allow polkit_t $1:dbus send_msg; ++ init_script_domtrans_spec($1,pki_ra_script) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te ---- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-11-05 11:49:03.000000000 -0500 -@@ -0,0 +1,232 @@ -+policy_module(polkit_auth, 1.0.0) + +######################################## ++## ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving type names. ++## ++## +# -+# Declarations -+# -+ -+type polkit_t; -+type polkit_exec_t; -+init_daemon_domain(polkit_t, polkit_exec_t) -+ -+type polkit_grant_t; -+type polkit_grant_exec_t; -+init_system_domain(polkit_grant_t, polkit_grant_exec_t) ++template(`pki_ra_template',` ++ gen_require(` ++ attribute pki_ra_process; ++ attribute pki_ra_config, pki_ra_var_lib; ++ attribute pki_ra_executable, pki_ra_script, pki_ra_var_log; ++ ') ++ ######################################## ++ # ++ # Declarations ++ # + -+type polkit_resolve_t; -+type polkit_resolve_exec_t; -+init_system_domain(polkit_resolve_t, polkit_resolve_exec_t) ++ type $1_t, pki_ra_process; ++ type $1_exec_t, pki_ra_executable; ++ domain_type($1_t) ++ init_daemon_domain($1_t, $1_exec_t) + -+type polkit_auth_t; -+type polkit_auth_exec_t; -+init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) ++ type $1_script_exec_t, pki_ra_script; ++ init_script_file($1_script_exec_t) + -+type polkit_var_lib_t; -+files_type(polkit_var_lib_t) ++ type $1_etc_rw_t, pki_ra_config; ++ files_type($1_etc_rw_t) + -+type polkit_var_run_t; -+files_pid_file(polkit_var_run_t) ++ 
type $1_var_lib_t, pki_ra_var_lib; ++ files_type($1_var_lib_t) + -+######################################## -+# -+# polkit local policy -+# ++ type $1_log_t, pki_ra_var_log; ++ logging_log_file($1_log_t) + -+allow polkit_t self:capability { setgid setuid }; -+allow polkit_t self:process getattr; ++ ######################################## ++ # ++ # $1 local policy ++ # + -+allow polkit_t self:unix_dgram_socket create_socket_perms; -+allow polkit_t self:fifo_file rw_file_perms; -+allow polkit_t self:unix_stream_socket create_stream_socket_perms; ++ ## internal communication is often done using fifo and unix sockets. ++ allow $1_t self:fifo_file rw_file_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; + -+polkit_domtrans_auth(polkit_t) -+polkit_domtrans_resolve(polkit_t) ++ # Init script handling ++ domain_use_interactive_fds($1_t) + -+can_exec(polkit_t, polkit_exec_t) -+corecmd_exec_bin(polkit_t) ++ files_read_etc_files($1_t) + -+domain_use_interactive_fds(polkit_t) ++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) + -+files_read_etc_files(polkit_t) -+files_read_usr_files(polkit_t) ++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) + -+fs_list_inotifyfs(polkit_t) ++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) ++ manage_files_pattern($1_t, $1_log_t, $1_log_t) ++ logging_log_filetrans($1_t, $1_log_t, { file dir } ) + -+kernel_read_kernel_sysctls(polkit_t) ++ init_dontaudit_write_utmp($1_t) + -+auth_use_nsswitch(polkit_t) ++ libs_use_ld_so($1_t) ++ libs_use_shared_libs($1_t) + -+libs_use_ld_so(polkit_t) -+libs_use_shared_libs(polkit_t) ++ miscfiles_read_localization($1_t) + -+miscfiles_read_localization(polkit_t) ++ ifdef(`targeted_policy',` ++ 
term_dontaudit_use_unallocated_ttys($1_t) ++ term_dontaudit_use_generic_ptys($1_t) ++ ') + -+logging_send_syslog_msg(polkit_t) ++ gen_require(` ++ type httpd_t; ++ ') + -+manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t) ++ allow httpd_t pki_ra_etc_rw_t:file { read getattr }; ++ allow httpd_t pki_ra_log_t:file read; ++ allow httpd_t pki_ra_var_lib_t:lnk_file read; + -+# pid file -+manage_dirs_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) -+manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) -+files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir }) + -+optional_policy(` -+ dbus_system_domain(polkit_t, polkit_exec_t) -+ optional_policy(` -+ consolekit_dbus_chat(polkit_t) -+ ') +') + +######################################## ++## ++## All of the rules required to administrate ++## an pki_ra environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. 
++## ++## ++## +# -+# polkit_auth local policy -+# -+ -+allow polkit_auth_t self:capability setgid; -+allow polkit_auth_t self:process { getattr }; -+ -+allow polkit_auth_t self:unix_dgram_socket create_socket_perms; -+allow polkit_auth_t self:fifo_file rw_file_perms; -+allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms; -+ -+can_exec(polkit_auth_t, polkit_auth_exec_t) -+corecmd_search_bin(polkit_auth_t) -+ -+domain_use_interactive_fds(polkit_auth_t) -+ -+files_read_etc_files(polkit_auth_t) -+files_read_usr_files(polkit_auth_t) -+ -+auth_use_nsswitch(polkit_auth_t) -+ -+libs_use_ld_so(polkit_auth_t) -+libs_use_shared_libs(polkit_auth_t) -+ -+miscfiles_read_localization(polkit_auth_t) -+ -+logging_send_syslog_msg(polkit_auth_t) -+ -+manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) -+ -+# pid file -+manage_dirs_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) -+manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) -+files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir }) -+ -+userdom_read_all_users_state(polkit_t) -+ -+unprivuser_append_home_content_files(polkit_auth_t) -+unprivuser_dontaudit_read_home_content_files(polkit_auth_t) ++interface(`pki_ra_admin',` ++ gen_require(` ++ attribute pki_ra_process; ++ attribute pki_ra_config; ++ attribute pki_ra_executable; ++ attribute pki_ra_var_lib; ++ attribute pki_ra_var_log; ++ attribute pki_ra_script; ++ ') + -+optional_policy(` -+ cron_read_system_job_lib_files(polkit_t) -+') ++ allow $1 pki_ra_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_ra_t) + -+optional_policy(` -+ dbus_system_bus_client_template(polkit_auth, polkit_auth_t) -+ consolekit_dbus_chat(polkit_auth_t) -+ dbus_system_domain(polkit_exec_t, polkit_t) -+') ++ # Allow pki_ra_t to restart the service ++ pki_ra_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_ra_script system_r; ++ allow $2 system_r; + -+optional_policy(` 
-+ hal_getattr(polkit_auth_t) -+ hal_read_state(polkit_auth_t) ++ manage_all_pattern($1, pki_ra_config) ++ manage_all_pattern($1, pki_ra_var_lib) ++ manage_all_pattern($1, pki_ra_var_log) ++ manage_all_pattern($1, pki_ra_config) +') + +######################################## ++## ++## Execute pki_tks server in the pki_tks domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## +# -+# polkit_grant local policy -+# -+ -+allow polkit_grant_t self:capability setuid; -+allow polkit_grant_t self:process getattr; -+ -+allow polkit_grant_t self:unix_dgram_socket create_socket_perms; -+allow polkit_grant_t self:fifo_file rw_file_perms; -+allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms; -+ -+can_exec(polkit_grant_t, polkit_grant_exec_t) -+corecmd_search_bin(polkit_grant_t) -+ -+files_read_etc_files(polkit_grant_t) -+files_read_usr_files(polkit_grant_t) -+ -+auth_use_nsswitch(polkit_grant_t) -+auth_domtrans_chk_passwd(polkit_grant_t) -+ -+libs_use_ld_so(polkit_grant_t) -+libs_use_shared_libs(polkit_grant_t) -+ -+miscfiles_read_localization(polkit_grant_t) -+ -+logging_send_syslog_msg(polkit_grant_t) -+ -+polkit_domtrans_auth(polkit_grant_t) -+polkit_domtrans_resolve(polkit_grant_t) -+ -+manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t) -+ -+manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) -+userdom_read_all_users_state(polkit_grant_t) -+ -+optional_policy(` -+ dbus_system_bus_client_template(polkit_grant, polkit_grant_t) -+ consolekit_dbus_chat(polkit_grant_t) -+') ++interface(`pki_tks_script_domtrans',` ++ gen_require(` ++ attribute pki_tks_script; ++ ') + -+gen_require(` -+ type system_crond_var_lib_t; ++ init_script_domtrans_spec($1,pki_tks_script) +') + -+manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t) + +######################################## ++## ++## All of the rules required to administrate ++## an pki_tks environment ++## ++## 
++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## +# -+# polkit_resolve local policy -+# -+ -+allow polkit_resolve_t self:capability { setuid sys_nice sys_ptrace }; -+allow polkit_resolve_t self:process getattr; -+ -+allow polkit_resolve_t self:unix_dgram_socket create_socket_perms; -+allow polkit_resolve_t self:fifo_file rw_file_perms; -+allow polkit_resolve_t self:unix_stream_socket create_stream_socket_perms; -+ -+read_files_pattern(polkit_resolve_t, polkit_var_lib_t, polkit_var_lib_t) -+ -+can_exec(polkit_resolve_t, polkit_resolve_exec_t) -+corecmd_search_bin(polkit_resolve_t) -+ -+polkit_domtrans_auth(polkit_resolve_t) -+ -+files_read_etc_files(polkit_resolve_t) -+files_read_usr_files(polkit_resolve_t) -+ -+auth_use_nsswitch(polkit_resolve_t) -+ -+libs_use_ld_so(polkit_resolve_t) -+libs_use_shared_libs(polkit_resolve_t) -+ -+miscfiles_read_localization(polkit_resolve_t) -+ -+logging_send_syslog_msg(polkit_resolve_t) -+ -+userdom_read_all_users_state(polkit_resolve_t) -+userdom_ptrace_all_users(polkit_resolve_t) -+mcs_ptrace_all(polkit_resolve_t) -+ -+optional_policy(` -+ dbus_system_bus_client_template(polkit_resolve, polkit_resolve_t) -+ optional_policy(` -+ consolekit_dbus_chat(polkit_resolve_t) ++interface(`pki_tks_admin',` ++ gen_require(` ++ type pki_tks_tomcat_exec_t; ++ attribute pki_tks_process; ++ attribute pki_tks_config; ++ attribute pki_tks_executable; ++ attribute pki_tks_var_lib; ++ attribute pki_tks_var_log; ++ attribute pki_tks_var_run; ++ attribute pki_tks_pidfiles; ++ attribute pki_tks_script; + ') -+') -+ -+optional_policy(` -+ hal_getattr(polkit_resolve_t) -+ hal_read_state(polkit_resolve_t) -+') -+ -+optional_policy(` -+ unconfined_ptrace(polkit_resolve_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te 
serefpolicy-3.5.13/policy/modules/services/portmap.te ---- nsaserefpolicy/policy/modules/services/portmap.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/portmap.te 2008-10-28 10:56:19.000000000 -0400 -@@ -41,6 +41,7 @@ - manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t) - files_pid_filetrans(portmap_t, portmap_var_run_t, file) - -+kernel_read_system_state(portmap_t) - kernel_read_kernel_sysctls(portmap_t) - kernel_list_proc(portmap_t) - kernel_read_proc_symlinks(portmap_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.5.13/policy/modules/services/portreserve.fc ---- nsaserefpolicy/policy/modules/services/portreserve.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/portreserve.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,12 @@ -+# portreserve executable will have: -+# label: system_u:object_r:portreserve_exec_t -+# MLS sensitivity: s0 -+# MCS categories: -+ -+#exec -+/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) + -+/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) ++ allow $1 pki_tks_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_tks_t) + -+/etc/portreserve(/.*)? 
gen_context(system_u:object_r:portreserve_etc_t,s0) ++ # Allow pki_tks_t to restart the service ++ pki_tks_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_tks_script system_r; ++ allow $2 system_r; + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.5.13/policy/modules/services/portreserve.if ---- nsaserefpolicy/policy/modules/services/portreserve.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/portreserve.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,70 @@ -+## policy for portreserve ++ manage_all_pattern($1, pki_tks_config) ++ manage_all_pattern($1, pki_tks_var_run) ++ manage_all_pattern($1, pki_tks_var_lib) ++ manage_all_pattern($1, pki_tks_var_log) ++ manage_all_pattern($1, pki_tks_config) ++ manage_all_pattern($1, pki_tks_tomcat_exec_t) ++') + +######################################## +## -+## Execute a domain transition to run portreserve. ++## Execute pki_tps server in the pki_tps domain. +## +## -+## -+## Domain allowed to transition. -+## ++## ++## The type of the process performing this action. ++## +## +# -+interface(`portreserve_domtrans',` ++interface(`pki_tps_script_domtrans',` + gen_require(` -+ type portreserve_t, portreserve_exec_t; ++ attribute pki_tps_script; + ') + -+ domain_auto_trans($1,portreserve_exec_t,portreserve_t) -+ -+ allow portreserve_t $1:fd use; -+ allow portreserve_t $1:fifo_file rw_file_perms; -+ allow portreserve_t $1:process sigchld; ++ init_script_domtrans_spec($1,pki_tps_script) +') + -+####################################### ++ ++######################################## +## -+## Allow the specified domain to read -+## portreserve etcuration files. ++## All of the rules required to administrate ++## an pki_tps environment +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## +## +## -+## +# -+interface(`portreserve_read_etc',` -+ gen_require(` -+ type portreserve_etc_t; -+ ') ++interface(`pki_tps_admin',` ++ gen_require(` ++ attribute pki_tps_process; ++ attribute pki_tps_config; ++ attribute pki_tps_executable; ++ attribute pki_tps_var_lib; ++ attribute pki_tps_var_log; ++ attribute pki_tps_script; ++ ') + -+ files_search_etc($1) -+ allow $1 portreserve_etc_t:dir list_dir_perms; -+ read_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -+') ++ allow $1 pki_tps_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_tps_t) + -+####################################### -+## -+## Allow the specified domain to manage -+## portreserve etcuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`portreserve_manage_etc',` -+ gen_require(` -+ type portreserve_etc_t; -+ ') ++ # Allow pki_tps_t to restart the service ++ pki_tps_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_tps_script system_r; ++ allow $2 system_r; + -+ files_search_etc($1) -+ manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t) -+ manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) -+ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) ++ manage_all_pattern($1, pki_tps_config) ++ manage_all_pattern($1, pki_tps_var_lib) ++ manage_all_pattern($1, pki_tps_var_log) ++ manage_all_pattern($1, pki_tps_config) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.5.13/policy/modules/services/portreserve.te ---- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/portreserve.te 2008-11-10 
11:16:45.000000000 -0500 -@@ -0,0 +1,55 @@ -+policy_module(portreserve,1.0.0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.te serefpolicy-3.5.13/policy/modules/services/pki.te +--- nsaserefpolicy/policy/modules/services/pki.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/pki.te 2008-11-13 13:57:43.000000000 -0500 +@@ -0,0 +1,91 @@ ++policy_module(pki,1.0.0) + -+######################################## -+# -+# Declarations -+# ++attribute pki_ca_config; ++attribute pki_ca_executable; ++attribute pki_ca_var_lib; ++attribute pki_ca_var_log; ++attribute pki_ca_var_run; ++attribute pki_ca_pidfiles; ++attribute pki_ca_script; ++attribute pki_ca_process; + -+type portreserve_t; -+type portreserve_exec_t; -+init_daemon_domain(portreserve_t, portreserve_exec_t) ++type pki_ca_tomcat_exec_t; ++files_type(pki_ca_tomcat_exec_t) + -+type portreserve_etc_t; -+files_type(portreserve_etc_t) ++pki_ca_template(pki_ca) + -+type portreserve_var_run_t; -+files_pid_file(portreserve_var_run_t) ++attribute pki_kra_config; ++attribute pki_kra_executable; ++attribute pki_kra_var_lib; ++attribute pki_kra_var_log; ++attribute pki_kra_var_run; ++attribute pki_kra_pidfiles; ++attribute pki_kra_script; ++attribute pki_kra_process; + -+######################################## -+# -+# Portreserve local policy -+# -+allow portreserve_t self:fifo_file rw_fifo_file_perms; -+allow portreserve_t self:unix_stream_socket create_stream_socket_perms; -+allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow portreserve_t self:tcp_socket create_socket_perms; -+allow portreserve_t self:udp_socket create_socket_perms; ++type pki_kra_tomcat_exec_t; ++files_type(pki_kra_tomcat_exec_t) + -+# Read etc files -+list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) -+read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) ++pki_ca_template(pki_kra) + -+# 
Manage /var/run/portreserve/* -+manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -+manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -+manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) -+files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file }) + -+corenet_sendrecv_unlabeled_packets(portreserve_t) -+corenet_all_recvfrom_netlabel(portreserve_t) -+corenet_tcp_bind_all_ports(portreserve_t) -+corenet_tcp_bind_all_ports(portreserve_t) -+corenet_udp_bind_all_nodes(portreserve_t) -+corenet_udp_bind_all_ports(portreserve_t) -+corenet_tcp_bind_inaddr_any_node(portreserve_t) -+corenet_udp_bind_inaddr_any_node(portreserve_t) ++attribute pki_ocsp_config; ++attribute pki_ocsp_executable; ++attribute pki_ocsp_var_lib; ++attribute pki_ocsp_var_log; ++attribute pki_ocsp_var_run; ++attribute pki_ocsp_pidfiles; ++attribute pki_ocsp_script; ++attribute pki_ocsp_process; + -+files_read_etc_files(portreserve_t) ++type pki_ocsp_tomcat_exec_t; ++files_type(pki_ocsp_tomcat_exec_t) + -+libs_use_ld_so(portreserve_t) -+libs_use_shared_libs(portreserve_t) ++pki_ca_template(pki_ocsp) + -+# Init script handling -+#init_use_fds(portreserve_t) -+#init_use_script_ptys(portreserve_t) -+#domain_use_interactive_fds(portreserve_t) ++ ++attribute pki_ra_config; ++attribute pki_ra_executable; ++attribute pki_ra_var_lib; ++attribute pki_ra_var_log; ++attribute pki_ra_var_run; ++attribute pki_ra_pidfiles; ++attribute pki_ra_script; ++attribute pki_ra_process; ++ ++type pki_ra_tomcat_exec_t; ++files_type(pki_ra_tomcat_exec_t) ++ ++pki_ra_template(pki_ra) ++ ++ ++attribute pki_tks_config; ++attribute pki_tks_executable; ++attribute pki_tks_var_lib; ++attribute pki_tks_var_log; ++attribute pki_tks_var_run; ++attribute pki_tks_pidfiles; ++attribute pki_tks_script; ++attribute pki_tks_process; ++ ++type pki_tks_tomcat_exec_t; ++files_type(pki_tks_tomcat_exec_t) ++ ++pki_ca_template(pki_tks) 
++
++
++attribute pki_tps_config;
++attribute pki_tps_executable;
++attribute pki_tps_var_lib;
++attribute pki_tps_var_log;
++attribute pki_tps_var_run;
++attribute pki_tps_pidfiles;
++attribute pki_tps_script;
++attribute pki_tps_process;
++
++type pki_tps_tomcat_exec_t;
++files_type(pki_tps_tomcat_exec_t)
++
++pki_ra_template(pki_tps)
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-3.5.13/policy/modules/services/portmap.te
+--- nsaserefpolicy/policy/modules/services/portmap.te 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/portmap.te 2008-11-11 16:22:03.000000000 -0500
+@@ -41,6 +41,7 @@
+ manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t)
+ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
+ 
++kernel_read_system_state(portmap_t)
+ kernel_read_kernel_sysctls(portmap_t)
+ kernel_list_proc(portmap_t)
+ kernel_read_proc_symlinks(portmap_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.5.13/policy/modules/services/portreserve.te
+--- nsaserefpolicy/policy/modules/services/portreserve.te 2008-11-07 08:30:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/portreserve.te 2008-11-11 16:22:03.000000000 -0500
+@@ -35,6 +35,8 @@
+ manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+ files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file })
+ 
++corenet_sendrecv_unlabeled_packets(portreserve_t)
++corenet_all_recvfrom_netlabel(portreserve_t)
+ corenet_tcp_bind_all_ports(portreserve_t)
+ corenet_tcp_bind_all_ports(portreserve_t)
+ corenet_udp_bind_all_nodes(portreserve_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.13/policy/modules/services/postfix.fc
---- 
nsaserefpolicy/policy/modules/services/postfix.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postfix.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/postfix.fc 2008-11-11 16:22:03.000000000 -0500 @@ -29,12 +29,10 @@ /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) @@ -19421,8 +17282,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.13/policy/modules/services/postfix.if ---- nsaserefpolicy/policy/modules/services/postfix.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postfix.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2008-11-11 16:22:03.000000000 -0500 @@ -211,9 +211,8 @@ type postfix_etc_t; ') 
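Review bot: `pki_ra_template` hard-codes `pki_ra_etc_rw_t`, `pki_ra_log_t` and `pki_ra_var_lib_t` in its three `allow httpd_t …` rules, so the second instantiation `pki_ra_template(pki_tps)` in pki.te grants httpd_t the pki_ra files a second time instead of the pki_tps ones; the rules should use the prefix, e.g. `allow httpd_t $1_etc_rw_t:file { read getattr };`, and the unconditional `gen_require(type httpd_t;)` makes the pki module hard-depend on apache rather than being wrapped in `optional_policy`. The same template attaches `$1_t` to `pki_ra_process` and `$1_exec_t` to `pki_ra_executable` whatever the prefix, so the `pki_tps_process` attribute declared in pki.te is left empty while `pki_ra_admin`'s `ptrace signal_perms` grant covers pki_tps_t as well; if `pki_ca_template` (its body lies before this hunk) does likewise with the pki_ca_* attributes, the kra, ocsp and tks attributes share the problem. Every `pki_*_admin` interface calls `ps_process_pattern` on a concrete type (`pki_ca_t`, `pki_kra_t`, …) that is missing from its `gen_require`, lists attributes it never uses, and repeats `manage_all_pattern($1, pki_*_config)` twice. Their parameter docs were copied from a logging interface: the role is described as allowed to manage "the syslog domain" and a third "user terminal" parameter is documented although the interfaces take only `$1` and `$2`; `pki_ra_template`'s summary likewise still reads "derived types for apache web content". The hunk opens inside `pki_kra_admin`'s comment block, so that interface's start is not visible here.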
@@ -19521,8 +17382,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te ---- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-11-06 13:11:09.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-11-11 19:06:29.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # @@ -19584,15 +17445,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_all_sysctls(postfix_master_t) -@@ -170,6 +187,7 @@ +@@ -170,6 +187,8 @@ domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) +files_search_var_lib(postfix_master_t) ++files_search_tmp(postfix_master_t) term_dontaudit_search_ptys(postfix_master_t) -@@ -181,15 +199,14 @@ +@@ -181,15 +200,14 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) @@ -19612,7 +17474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -202,9 +219,29 @@ +@@ -202,9 +220,29 @@ ') optional_policy(` @@ -19642,7 +17504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix bounce local policy -@@ -245,6 +282,10 @@ +@@ -245,6 +283,10 @@ corecmd_exec_bin(postfix_cleanup_t) @@ -19653,7 +17515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix local local policy -@@ -270,18 +311,25 @@ +@@ -270,18 +312,25 @@ files_read_etc_files(postfix_local_t) 
@@ -19679,7 +17541,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -292,8 +340,7 @@ +@@ -292,8 +341,7 @@ # # Postfix map local policy # @@ -19689,7 +17551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -343,8 +390,6 @@ +@@ -343,8 +391,6 @@ miscfiles_read_localization(postfix_map_t) @@ -19698,7 +17560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -357,6 +402,11 @@ +@@ -357,6 +403,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -19710,7 +17572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix pickup local policy -@@ -381,6 +431,7 @@ +@@ -381,6 +432,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -19718,7 +17580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -388,6 +439,12 @@ +@@ -388,6 +440,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -19731,7 +17593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -397,6 +454,15 @@ +@@ -397,6 +455,15 @@ ') optional_policy(` @@ -19747,7 +17609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol uucp_domtrans_uux(postfix_pipe_t) ') -@@ -433,8 +499,11 @@ +@@ -433,8 +500,11 @@ ') optional_policy(` 
@@ -19761,7 +17623,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -460,6 +529,15 @@ +@@ -460,6 +530,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -19777,7 +17639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -543,6 +621,10 @@ +@@ -543,6 +622,10 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` @@ -19788,7 +17650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_read_data_files(postfix_smtpd_t) ') -@@ -569,7 +651,7 @@ +@@ -569,7 +652,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process @@ -19798,8 +17660,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.5.13/policy/modules/services/postgresql.fc ---- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-14 13:08:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgresql.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/postgresql.fc 2008-11-11 16:22:03.000000000 -0500 @@ -2,6 +2,7 @@ # /etc # 
@@ -19809,8 +17671,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.5.13/policy/modules/services/postgresql.if ---- nsaserefpolicy/policy/modules/services/postgresql.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgresql.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postgresql.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/postgresql.if 2008-11-11 16:22:03.000000000 -0500 @@ -372,3 +372,46 @@ typeattribute $1 sepgsql_unconfined_type; @@ -19859,8 +17721,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, postgresql_tmp_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.5.13/policy/modules/services/postgresql.te ---- nsaserefpolicy/policy/modules/services/postgresql.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgresql.te 2008-11-06 08:49:50.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/postgresql.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/postgresql.te 2008-11-11 16:22:03.000000000 -0500 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) 
@@ -19915,8 +17777,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.5.13/policy/modules/services/postgrey.fc ---- nsaserefpolicy/policy/modules/services/postgrey.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgrey.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postgrey.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/postgrey.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,5 +1,7 @@ /etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0) @@ -19932,8 +17794,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.13/policy/modules/services/postgrey.if ---- nsaserefpolicy/policy/modules/services/postgrey.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgrey.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postgrey.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/postgrey.if 2008-11-11 16:22:03.000000000 -0500 @@ -12,10 +12,73 @@ # interface(`postgrey_stream_connect',` 
@@ -20011,8 +17873,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.5.13/policy/modules/services/postgrey.te ---- nsaserefpolicy/policy/modules/services/postgrey.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postgrey.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/postgrey.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/postgrey.te 2008-11-11 16:22:03.000000000 -0500 @@ -13,6 +13,12 @@ type postgrey_etc_t; files_config_file(postgrey_etc_t) @@ -20062,8 +17924,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.5.13/policy/modules/services/ppp.fc ---- nsaserefpolicy/policy/modules/services/ppp.fc 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ppp.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ppp.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ppp.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,8 +1,6 @@ # # /etc 
@@ -20086,8 +17948,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /sbin diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.13/policy/modules/services/ppp.if ---- nsaserefpolicy/policy/modules/services/ppp.if 2008-09-11 11:28:34.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ppp.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ppp.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ppp.if 2008-11-11 16:22:03.000000000 -0500 @@ -58,6 +58,25 @@ ######################################## @@ -20192,8 +18054,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, pptp_var_run_t, pptp_var_run_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.5.13/policy/modules/services/ppp.te ---- nsaserefpolicy/policy/modules/services/ppp.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-10-30 15:01:10.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ppp.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ppp.te 2008-11-11 16:22:03.000000000 -0500 @@ -37,8 +37,8 @@ type pppd_etc_rw_t; files_type(pppd_etc_rw_t) 
@@ -20317,8 +18179,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# FIXME: -domtrans_pattern(pppd_t, pppd_script_exec_t, initrc_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.5.13/policy/modules/services/prelude.fc ---- nsaserefpolicy/policy/modules/services/prelude.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/prelude.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/prelude.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/prelude.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,3 +1,9 @@ +/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) + @@ -20346,8 +18208,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.5.13/policy/modules/services/prelude.if ---- nsaserefpolicy/policy/modules/services/prelude.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/prelude.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/prelude.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/prelude.if 2008-11-11 16:22:03.000000000 -0500 @@ -6,7 +6,7 @@ ##
## @@ -20461,8 +18323,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, prelude_lml_var_run_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.13/policy/modules/services/prelude.te ---- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-11-06 13:23:25.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/prelude.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-11-11 19:06:29.000000000 -0500 @@ -13,25 +13,57 @@ type prelude_spool_t; files_type(prelude_spool_t) @@ -20573,14 +18435,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(prelude_audisp_t) dev_read_urand(prelude_audisp_t) -@@ -117,15 +161,140 @@ +@@ -117,15 +161,142 @@ # Init script handling domain_use_interactive_fds(prelude_audisp_t) +kernel_read_sysctl(prelude_audisp_t) ++kernel_read_system_state(prelude_audisp_t) + files_read_etc_files(prelude_audisp_t) +files_read_etc_runtime_files(prelude_audisp_t) ++files_search_tmp(prelude_audisp_t) libs_use_ld_so(prelude_audisp_t) libs_use_shared_libs(prelude_audisp_t) @@ -20714,7 +18578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # prewikka_cgi Declarations -@@ -134,6 +303,20 @@ +@@ -134,6 +305,20 @@ optional_policy(` apache_content_template(prewikka) files_read_etc_files(httpd_prewikka_script_t) 
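Review bot: The two rules added to the prelude.te hunk, `+kernel_read_system_state(prelude_audisp_t)` and `+files_search_tmp(prelude_audisp_t)`, carry no comment saying which access they resolve, so a later least-privilege pass cannot tell whether either is still required. `files_search_tmp` in particular grants directory search on the generic tmp type with no matching tmp file type declared for the domain in this hunk, which looks like a response to an audit denial rather than a designed file flow — worth confirming against the denial before it ships. A one-line comment above the pair, e.g. `# TODO(review): record the AVC denial these two rules resolve`, would keep the intent recoverable. The renumbered header `+@@ -117,15 +161,142 @@` is consistent with the two added lines; the enclosing prelude_audisp_t policy block continues outside the hunk.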
@@ -20736,8 +18600,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` mysql_search_db(httpd_prewikka_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.5.13/policy/modules/services/privoxy.fc ---- nsaserefpolicy/policy/modules/services/privoxy.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/privoxy.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/privoxy.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/privoxy.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,5 +1,7 @@ /etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) @@ -20747,8 +18611,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.if serefpolicy-3.5.13/policy/modules/services/privoxy.if ---- nsaserefpolicy/policy/modules/services/privoxy.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/privoxy.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/privoxy.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/privoxy.if 2008-11-11 16:22:03.000000000 -0500 @@ -16,17 +16,23 @@ gen_require(` type privoxy_t, privoxy_log_t; 
@@ -20777,8 +18641,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, privoxy_var_run_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.5.13/policy/modules/services/privoxy.te ---- nsaserefpolicy/policy/modules/services/privoxy.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/privoxy.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/privoxy.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/privoxy.te 2008-11-11 16:22:03.000000000 -0500 @@ -10,6 +10,9 @@ type privoxy_exec_t; init_daemon_domain(privoxy_t, privoxy_exec_t) @@ -20798,8 +18662,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_http_cache_client_packets(privoxy_t) corenet_sendrecv_http_cache_server_packets(privoxy_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.5.13/policy/modules/services/procmail.fc ---- nsaserefpolicy/policy/modules/services/procmail.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/procmail.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/procmail.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/procmail.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,2 +1,5 @@ /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) 
@@ -20807,8 +18671,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.5.13/policy/modules/services/procmail.if ---- nsaserefpolicy/policy/modules/services/procmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/procmail.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/procmail.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/procmail.if 2008-11-11 16:22:03.000000000 -0500 @@ -39,3 +39,41 @@ corecmd_search_bin($1) can_exec($1, procmail_exec_t) @@ -20852,8 +18716,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.5.13/policy/modules/services/procmail.te ---- nsaserefpolicy/policy/modules/services/procmail.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/procmail.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/procmail.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/procmail.te 2008-11-11 16:22:03.000000000 -0500 @@ -14,6 +14,10 @@ type procmail_tmp_t; files_tmp_file(procmail_tmp_t) 
@@ -20932,8 +18796,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mailscanner_read_spool(procmail_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.5.13/policy/modules/services/pyzor.fc ---- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/pyzor.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/pyzor.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/pyzor.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,6 +1,8 @@ /etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) @@ -20945,8 +18809,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) /usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.5.13/policy/modules/services/pyzor.if ---- nsaserefpolicy/policy/modules/services/pyzor.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/pyzor.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/pyzor.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/pyzor.if 2008-11-11 16:22:03.000000000 -0500 @@ -25,16 +25,16 @@ # template(`pyzor_per_role_template',` 
@@ -21023,8 +18887,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.5.13/policy/modules/services/pyzor.te ---- nsaserefpolicy/policy/modules/services/pyzor.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/pyzor.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/pyzor.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/pyzor.te 2008-11-11 16:22:03.000000000 -0500 @@ -6,6 +6,37 @@ # Declarations # @@ -21111,8 +18975,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.5.13/policy/modules/services/qmail.te ---- nsaserefpolicy/policy/modules/services/qmail.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/qmail.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/qmail.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/qmail.te 2008-11-11 16:22:03.000000000 -0500 @@ -124,6 +124,10 @@ qmail_domtrans_queue(qmail_local_t) 
@@ -21136,8 +19000,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.5.13/policy/modules/services/radius.te ---- nsaserefpolicy/policy/modules/services/radius.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/radius.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/radius.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/radius.te 2008-11-11 16:22:03.000000000 -0500 @@ -59,8 +59,9 @@ manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) @@ -21150,8 +19014,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(radiusd_t) kernel_read_system_state(radiusd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.5.13/policy/modules/services/razor.fc ---- nsaserefpolicy/policy/modules/services/razor.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/razor.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/razor.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/razor.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:ROLE_razor_home_t,s0) +HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) 
@@ -21159,8 +19023,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.5.13/policy/modules/services/razor.if ---- nsaserefpolicy/policy/modules/services/razor.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/razor.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/razor.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/razor.if 2008-11-11 16:22:03.000000000 -0500 @@ -137,6 +137,7 @@ template(`razor_per_role_template',` gen_require(` @@ -21281,8 +19145,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.5.13/policy/modules/services/razor.te ---- nsaserefpolicy/policy/modules/services/razor.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/razor.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/razor.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/razor.te 2008-11-11 16:22:03.000000000 -0500 @@ -6,21 +6,51 @@ # Declarations # 
@@ -21339,8 +19203,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.5.13/policy/modules/services/ricci.te ---- nsaserefpolicy/policy/modules/services/ricci.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ricci.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ricci.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ricci.te 2008-11-11 16:22:03.000000000 -0500 @@ -133,6 +133,8 @@ dev_read_urand(ricci_t) @@ -21404,8 +19268,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #Needed for editing /etc/fstab files_manage_etc_files(ricci_modstorage_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.5.13/policy/modules/services/rlogin.te ---- nsaserefpolicy/policy/modules/services/rlogin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rlogin.te 2008-11-05 17:20:28.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/rlogin.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/rlogin.te 2008-11-11 16:22:03.000000000 -0500 @@ -94,10 +94,22 @@ remotelogin_signal(rlogind_t) 
@@ -21432,8 +19296,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_read_cifs_symlinks(rlogind_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.fc serefpolicy-3.5.13/policy/modules/services/roundup.fc ---- nsaserefpolicy/policy/modules/services/roundup.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/roundup.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/roundup.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/roundup.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0) + @@ -21441,8 +19305,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /usr # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.if serefpolicy-3.5.13/policy/modules/services/roundup.if ---- nsaserefpolicy/policy/modules/services/roundup.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/roundup.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/roundup.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/roundup.if 2008-11-11 16:22:03.000000000 -0500 @@ -1 +1,39 @@ ## Roundup Issue Tracking System policy + 
@@ -21484,8 +19348,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, roundup_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roundup.te serefpolicy-3.5.13/policy/modules/services/roundup.te ---- nsaserefpolicy/policy/modules/services/roundup.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/roundup.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/roundup.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/roundup.te 2008-11-11 16:22:03.000000000 -0500 @@ -10,6 +10,9 @@ type roundup_exec_t; init_daemon_domain(roundup_t, roundup_exec_t) @@ -21497,8 +19361,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_file(roundup_var_run_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.5.13/policy/modules/services/rpc.fc ---- nsaserefpolicy/policy/modules/services/rpc.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rpc.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rpc.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/rpc.fc 2008-11-11 16:22:03.000000000 -0500 @@ -13,6 +13,7 @@ # /usr # 
@@ -21508,8 +19372,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.5.13/policy/modules/services/rpc.if ---- nsaserefpolicy/policy/modules/services/rpc.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rpc.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rpc.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/rpc.if 2008-11-11 16:22:03.000000000 -0500 @@ -88,8 +88,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) @@ -21572,8 +19436,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te ---- nsaserefpolicy/policy/modules/services/rpc.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rpc.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2008-11-11 16:22:03.000000000 -0500 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) 
@@ -21633,8 +19497,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.5.13/policy/modules/services/rpcbind.fc ---- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rpcbind.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/rpcbind.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,4 +1,4 @@ -/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) +/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) @@ -21642,8 +19506,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.5.13/policy/modules/services/rpcbind.te ---- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rpcbind.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/rpcbind.te 2008-11-11 16:22:03.000000000 -0500 @@ -60,6 +60,7 @@ domain_use_interactive_fds(rpcbind_t) 
@@ -21653,8 +19517,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(rpcbind_t) libs_use_shared_libs(rpcbind_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.5.13/policy/modules/services/rshd.te ---- nsaserefpolicy/policy/modules/services/rshd.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rshd.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rshd.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/rshd.te 2008-11-11 16:22:03.000000000 -0500 @@ -16,7 +16,7 @@ # # Local policy @@ -21717,8 +19581,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_signal(rshd_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.5.13/policy/modules/services/rsync.fc ---- nsaserefpolicy/policy/modules/services/rsync.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rsync.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rsync.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/rsync.fc 2008-11-11 16:22:03.000000000 -0500 @@ -3,4 +3,4 @@ /var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) 
@@ -21726,8 +19590,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_log_t,s0) +/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.13/policy/modules/services/rsync.te ---- nsaserefpolicy/policy/modules/services/rsync.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/rsync.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/rsync.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/rsync.te 2008-11-11 16:22:03.000000000 -0500 @@ -45,7 +45,7 @@ # Local policy # @@ -21738,8 +19602,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rsync_t self:fifo_file rw_fifo_file_perms; allow rsync_t self:tcp_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.5.13/policy/modules/services/samba.fc ---- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/samba.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/samba.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/samba.fc 2008-11-11 16:22:03.000000000 -0500 @@ -2,6 +2,9 @@ # # /etc 
@@ -21767,8 +19631,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if ---- nsaserefpolicy/policy/modules/services/samba.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-04 11:57:02.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/samba.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-11 16:22:03.000000000 -0500 @@ -44,6 +44,44 @@ ######################################## @@ -22160,8 +20024,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te ---- nsaserefpolicy/policy/modules/services/samba.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-11-05 12:55:21.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/samba.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-11-11 16:22:03.000000000 -0500 @@ -66,6 +66,13 @@ ##
gen_tunable(samba_share_nfs, false) @@ -22562,8 +20426,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +allow smbcontrol_t nmbd_var_run_t:file { read lock }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.5.13/policy/modules/services/sasl.te ---- nsaserefpolicy/policy/modules/services/sasl.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/sasl.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/sasl.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/sasl.te 2008-11-11 16:22:03.000000000 -0500 @@ -111,6 +111,10 @@ ') @@ -22576,8 +20440,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.5.13/policy/modules/services/sendmail.if ---- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/sendmail.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/sendmail.if 2008-11-11 16:22:03.000000000 -0500 @@ -89,7 +89,7 @@ type sendmail_t; ') 
@@ -22693,8 +20557,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 sendmail_t:fifo_file rw_fifo_file_perms; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.13/policy/modules/services/sendmail.te ---- nsaserefpolicy/policy/modules/services/sendmail.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/sendmail.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/sendmail.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/sendmail.te 2008-11-11 16:22:03.000000000 -0500 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -22855,8 +20719,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.5.13/policy/modules/services/setroubleshoot.fc ---- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,3 +1,5 @@ +/etc/rc\.d/init\.d/setroubleshoot -- gen_context(system_u:object_r:setroubleshoot_initrc_exec_t,s0) + 
@@ -22864,8 +20728,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.5.13/policy/modules/services/setroubleshoot.if ---- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.if 2008-11-11 16:22:03.000000000 -0500 @@ -16,8 +16,8 @@ ') @@ -22928,8 +20792,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, setroubleshoot_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te ---- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te 2008-11-11 16:22:03.000000000 -0500 @@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) 
@@ -23016,8 +20880,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.13/policy/modules/services/smartmon.te ---- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/smartmon.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/smartmon.te 2008-11-11 16:22:03.000000000 -0500 @@ -19,6 +19,10 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -23076,8 +20940,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.13/policy/modules/services/snmp.fc ---- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/snmp.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/snmp.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/snmp.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmp_initrc_exec_t,s0) +/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmp_initrc_exec_t,s0) 
@@ -23094,8 +20958,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.5.13/policy/modules/services/snmp.if ---- nsaserefpolicy/policy/modules/services/snmp.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/snmp.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/snmp.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/snmp.if 2008-11-11 16:22:03.000000000 -0500 @@ -95,23 +95,34 @@ ## Domain allowed access. ## @@ -23135,8 +20999,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, snmpd_var_run_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.5.13/policy/modules/services/snmp.te ---- nsaserefpolicy/policy/modules/services/snmp.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/snmp.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/snmp.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/snmp.te 2008-11-13 13:38:51.000000000 -0500 @@ -9,6 +9,9 @@ type snmpd_exec_t; init_daemon_domain(snmpd_t, snmpd_exec_t) 
@@ -23152,13 +21016,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Local policy # -allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config }; -+allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config sys_ptrace }; ++allow snmpd_t self:capability { dac_override ipc_lock kill net_admin sys_nice sys_tty_config sys_ptrace }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; +allow snmpd_t self:process { getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; allow snmpd_t self:unix_dgram_socket create_socket_perms; allow snmpd_t self:unix_stream_socket create_stream_socket_perms; -@@ -45,6 +49,7 @@ +@@ -45,10 +49,13 @@ kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) @@ -23166,7 +21030,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_net_sysctls(snmpd_t) kernel_read_proc_symlinks(snmpd_t) kernel_read_system_state(snmpd_t) -@@ -76,13 +81,14 @@ + kernel_read_network_state(snmpd_t) ++kernel_read_xen_state(snmpd_t) ++kernel_write_xen_state(snmpd_t) + + corecmd_exec_bin(snmpd_t) + corecmd_exec_shell(snmpd_t) +@@ -76,13 +83,14 @@ domain_use_interactive_fds(snmpd_t) domain_signull_all_domains(snmpd_t) domain_read_all_domains_state(snmpd_t) @@ -23183,7 +21053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) -@@ -94,6 +100,8 @@ +@@ -94,6 +102,8 @@ init_read_utmp(snmpd_t) init_dontaudit_write_utmp(snmpd_t) @@ -23192,7 +21062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(snmpd_t) libs_use_shared_libs(snmpd_t) -@@ -121,7 +129,7 @@ +@@ -121,7 +131,7 @@ ') optional_policy(` 
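Review bot: `kernel_write_xen_state(snmpd_t)` in the `@@ -23166,7 +21030,13 @@` hunk is added unconditionally next to `kernel_read_xen_state(snmpd_t)`, so every host loading this policy grants a network-facing daemon write access to xen state, while the Xen-specific `xen_stream_connect(snmpd_t)` rules in the following hunk are (correctly) kept inside `optional_policy`. Unless snmpd actually has to modify xen state rather than read it, dropping the write interface, or gating both xen calls behind a boolean, would keep the confinement tighter and is easy to revisit later. The `ipc_lock` capability added to the `allow snmpd_t self:capability` rule and the xen/virt rules are not mentioned in the commit message; a one-line comment above each naming the feature that produced the denial would make the grant auditable, e.g. `# ipc_lock and xen state: needed by snmpd virtualization monitoring - confirm against the AVC denial`.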
@@ -23201,9 +21071,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +@@ -152,3 +162,12 @@ + optional_policy(` + udev_read_db(snmpd_t) + ') ++ ++optional_policy(` ++ virt_stream_connect(snmpd_t) ++') ++ ++optional_policy(` ++ xen_stream_connect(snmpd_t) ++ xen_stream_connect_xenstore(snmpd_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.if serefpolicy-3.5.13/policy/modules/services/snort.if ---- nsaserefpolicy/policy/modules/services/snort.if 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/snort.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/snort.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/snort.if 2008-11-11 16:22:03.000000000 -0500 @@ -30,7 +30,7 @@ ## ## @@ -23227,8 +21110,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + admin_pattern($1, snort_log_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.5.13/policy/modules/services/snort.te ---- nsaserefpolicy/policy/modules/services/snort.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/snort.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/snort.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/snort.te 2008-11-11 16:22:03.000000000 -0500 @@ -56,6 +56,7 @@ files_pid_filetrans(snort_t, snort_var_run_t, file) 
@@ -23260,8 +21143,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(snort_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.5.13/policy/modules/services/spamassassin.fc ---- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,16 +1,27 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -23294,8 +21177,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.5.13/policy/modules/services/spamassassin.if ---- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.if 2008-11-11 16:22:03.000000000 -0500 @@ -37,7 +37,8 @@ gen_require(` 
@@ -23825,8 +21708,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + razor_manage_user_home_files(user, $1) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te ---- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2008-10-29 17:13:04.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2008-11-11 16:22:03.000000000 -0500 @@ -21,16 +21,24 @@ gen_tunable(spamd_enable_home_dirs, true) @@ -24121,8 +22004,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + sendmail_rw_pipes(spamc_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.13/policy/modules/services/squid.te ---- nsaserefpolicy/policy/modules/services/squid.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/squid.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/squid.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/squid.te 2008-11-11 16:22:03.000000000 -0500 @@ -118,6 +118,8 @@ fs_getattr_all_fs(squid_t) 
@@ -24142,8 +22025,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.5.13/policy/modules/services/ssh.fc ---- nsaserefpolicy/policy/modules/services/ssh.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ssh.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ssh.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0) +HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) @@ -24151,8 +22034,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if ---- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ssh.if 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-11-11 16:22:03.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; 
@@ -24435,8 +22318,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + delete_files_pattern($1, ssh_tmp_t, ssh_tmp_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te ---- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-11-11 16:22:03.000000000 -0500 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -24507,8 +22390,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_shared_libs(ssh_keygen_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.5.13/policy/modules/services/stunnel.fc ---- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/stunnel.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/stunnel.fc 2008-11-11 16:22:03.000000000 -0500 @@ -2,5 +2,6 @@ /etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) 
@@ -24517,8 +22400,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.5.13/policy/modules/services/stunnel.te ---- nsaserefpolicy/policy/modules/services/stunnel.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/stunnel.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/stunnel.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/stunnel.te 2008-11-11 16:22:03.000000000 -0500 @@ -54,6 +54,8 @@ kernel_read_system_state(stunnel_t) kernel_read_network_state(stunnel_t) @@ -24537,8 +22420,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.5.13/policy/modules/services/sysstat.te ---- nsaserefpolicy/policy/modules/services/sysstat.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/sysstat.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/sysstat.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/sysstat.te 2008-11-11 16:22:03.000000000 -0500 @@ -47,6 +47,7 @@ files_read_etc_files(sysstat_t) 
@@ -24548,8 +22431,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_console(sysstat_t) term_use_all_terms(sysstat_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.5.13/policy/modules/services/telnet.te ---- nsaserefpolicy/policy/modules/services/telnet.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/telnet.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/telnet.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/telnet.te 2008-11-11 16:22:03.000000000 -0500 @@ -90,8 +90,8 @@ userdom_search_unpriv_users_home_dirs(telnetd_t) @@ -24562,8 +22445,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.5.13/policy/modules/services/tftp.te ---- nsaserefpolicy/policy/modules/services/tftp.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/tftp.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/tftp.te 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/tftp.te 2008-11-11 16:22:03.000000000 -0500 @@ -75,6 +75,7 @@ domain_use_interactive_fds(tftpd_t) 
@@ -24573,8 +22456,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_var_symlinks(tftpd_t) files_search_var(tftpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.5.13/policy/modules/services/tor.te ---- nsaserefpolicy/policy/modules/services/tor.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/tor.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/tor.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/tor.te 2008-11-11 16:22:03.000000000 -0500 @@ -34,7 +34,7 @@ # tor local policy # 
@@ -24584,212 +22467,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.5.13/policy/modules/services/ulogd.fc ---- nsaserefpolicy/policy/modules/services/ulogd.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/ulogd.fc 2008-11-05 12:14:57.000000000 -0500 -@@ -0,0 +1,10 @@ -+ -+/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) -+ -+/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0) -+ -+/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) -+ -+/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) -+ -+/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.5.13/policy/modules/services/ulogd.if ---- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/ulogd.if 2008-11-05 12:14:57.000000000 -0500 -@@ -0,0 +1,127 @@ -+## policy for ulogd -+ -+######################################## -+## -+## Execute a domain transition to run ulogd. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`ulogd_domtrans',` -+ gen_require(` -+ type ulogd_t, ulogd_exec_t; -+ ') -+ -+ domtrans_pattern($1,ulogd_exec_t,ulogd_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to read -+## ulogd configuration files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+## -+# -+interface(`ulogd_read_config',` -+ gen_require(` -+ type ulogd_etc_t; -+ ') -+ -+ files_search_etc($1) -+ read_files_pattern($1, ulogd_etc_t, ulogd_etc_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to read ulogd's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+# -+interface(`ulogd_read_log',` -+ gen_require(` -+ type ulogd_var_log_t; -+ ') -+ -+ logging_search_logs($1) -+ allow $1 ulogd_var_log_t:dir list_dir_perms; -+ read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) -+') -+ -+######################################## -+## -+## Allow the specified domain to append to ulogd's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+# -+interface(`ulogd_append_log',` -+ gen_require(` -+ type ulogd_var_log_t; -+ ') -+ -+ logging_search_logs($1) -+ allow $1 ulogd_var_log_t:dir list_dir_perms; -+ allow $1 ulogd_var_log_t:file append_file_perms; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an ulogd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. 
-+## -+## -+## -+# -+interface(`ulogd_admin',` -+ gen_require(` -+ type ulogd_t, ulogd_etc_t; -+ type ulogd_var_log_t, ulogd_initrc_exec_t; -+ type ulogd_modules_t; -+ ') -+ -+ allow $1 ulogd_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, ulogd_t) -+ -+ init_labeled_script_domtrans($1, ulogd_initrc_exec_t) -+ domain_system_change_exemption($1) -+ role_transition $2 ulogd_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_search_etc($1) -+ admin_pattern($1, ulogd_etc_t) -+ -+ logging_list_logs($1) -+ admin_pattern($1, ulogd_var_log_t) -+ -+ files_search_usr($1) -+ admin_pattern($1, ulogd_modules_t) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.5.13/policy/modules/services/ulogd.te ---- nsaserefpolicy/policy/modules/services/ulogd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/ulogd.te 2008-11-05 12:14:57.000000000 -0500 -@@ -0,0 +1,54 @@ -+policy_module(ulogd,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type ulogd_t; -+type ulogd_exec_t; -+init_daemon_domain(ulogd_t, ulogd_exec_t) -+ -+type ulogd_initrc_exec_t; -+init_script_file(ulogd_initrc_exec_t) -+ -+# /usr/lib files -+type ulogd_modules_t; -+files_type(ulogd_modules_t) -+ -+# config files -+type ulogd_etc_t; -+files_type(ulogd_etc_t) -+ -+# log files -+type ulogd_var_log_t; -+logging_log_file(ulogd_var_log_t) -+ -+######################################## -+ -+# -+# ulogd local policy -+# -+ -+allow ulogd_t self:capability net_admin; -+allow ulogd_t self:netlink_nflog_socket create_socket_perms; -+ -+# config files -+read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) -+ -+# modules for ulogd -+list_dirs_pattern(ulogd_t,ulogd_modules_t,ulogd_modules_t) -+mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) -+ -+# log files -+manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) 
-+logging_log_filetrans(ulogd_t,ulogd_var_log_t, file ) -+ -+files_search_etc(ulogd_t) -+ -+libs_use_ld_so(ulogd_t) -+libs_use_shared_libs(ulogd_t) -+ -+miscfiles_read_localization(ulogd_t) -+ -+permissive ulogd_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc ---- nsaserefpolicy/policy/modules/services/virt.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/virt.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/virt.fc 2008-10-17 08:49:11.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/virt.fc 2008-11-11 16:22:03.000000000 -0500 @@ -2,6 +2,7 @@ /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) /etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) 
@@ -24799,9 +22479,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.13/policy/modules/services/virt.if ---- nsaserefpolicy/policy/modules/services/virt.if 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/virt.if 2008-11-04 11:58:23.000000000 -0500 -@@ -41,6 +41,27 @@ +--- nsaserefpolicy/policy/modules/services/virt.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/virt.if 2008-11-11 19:06:29.000000000 -0500 +@@ -18,6 +18,25 @@ + domtrans_pattern($1, virtd_exec_t, virtd_t) + ') + ++####################################### ++## ++## Connect to virt over an unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_stream_connect',` ++ gen_require(` ++ type virt_t, virt_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1,virt_var_run_t,virt_var_run_t,virt_t) ++') ++ + ######################################## + ## + ## Read virt config files. +@@ -41,6 +60,27 @@ ######################################## ## @@ -24829,7 +22535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read virt PID files. ## ## -@@ -78,6 +99,24 @@ +@@ -78,6 +118,24 @@ ######################################## ## @@ -24854,7 +22560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search virt lib directories. ## ## -@@ -196,6 +235,35 @@ +@@ -196,6 +254,35 @@ ######################################## ## 
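Review bot: The new `virt_stream_connect` interface requires `type virt_t, virt_var_run_t;` and passes `virt_t` as the server domain to `stream_connect_pattern`, but the daemon domain visible in this file is `virtd_t` (`domtrans_pattern($1, virtd_exec_t, virtd_t)` in the context line just above, and `type virtd_t;` in `virt_admin`). Unless `virt_t` is declared somewhere outside the hunk, the `gen_require` will fail to resolve at build time, and if such a type does exist the connectto permission is granted towards the wrong domain, so callers such as `virt_stream_connect(snmpd_t)` in the snmp.te hunk would still be denied. The fix is `type virtd_t, virt_var_run_t;` and `stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)`. The other two hunks on this line (`@@ -24829,7 +22535,7 @@`, `@@ -24854,7 +22560,7 @@`) only renumber inner hunk headers.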
@@ -24890,7 +22596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow domain to manage virt image files ## ## -@@ -214,6 +282,7 @@ +@@ -214,6 +301,7 @@ manage_dirs_pattern($1, virt_image_t, virt_image_t) manage_files_pattern($1, virt_image_t, virt_image_t) read_lnk_files_pattern($1, virt_image_t, virt_image_t) @@ -24898,7 +22604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs($1) -@@ -243,11 +312,17 @@ +@@ -243,11 +331,17 @@ interface(`virt_admin',` gen_require(` type virtd_t; @@ -24917,8 +22623,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol virt_manage_lib_files($1) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.5.13/policy/modules/services/virt.te ---- nsaserefpolicy/policy/modules/services/virt.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/virt.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/virt.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/virt.te 2008-11-11 16:22:03.000000000 -0500 @@ -5,6 +5,7 @@ # # Declarations @@ -25051,8 +22757,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_domain(virtd_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.5.13/policy/modules/services/w3c.te ---- nsaserefpolicy/policy/modules/services/w3c.te 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/w3c.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/w3c.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/w3c.te 2008-11-11 16:22:03.000000000 -0500 
@@ -8,11 +8,18 @@ apache_content_template(w3c_validator) @@ -25073,8 +22779,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.13/policy/modules/services/xserver.fc ---- nsaserefpolicy/policy/modules/services/xserver.fc 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.fc 2008-11-03 11:42:39.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/xserver.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,13 +1,15 @@ # # HOME_DIR @@ -25161,8 +22867,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if ---- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-11-04 13:27:32.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-11-11 16:22:03.000000000 -0500 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; 
@@ -26434,8 +24140,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 xdm_xproperty_t:x_property { write read }; ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te ---- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-05 15:24:47.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-11 16:22:03.000000000 -0500 @@ -8,6 +8,14 @@ ## @@ -27006,8 +24712,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow xdm_t self:process { execstack execmem }; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.5.13/policy/modules/services/zebra.te ---- nsaserefpolicy/policy/modules/services/zebra.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/zebra.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/services/zebra.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/zebra.te 2008-11-11 16:22:03.000000000 -0500 @@ -41,7 +41,7 @@ allow zebra_t self:capability { setgid setuid net_admin net_raw }; dontaudit zebra_t self:capability sys_tty_config; 
@@ -27017,111 +24723,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow zebra_t self:unix_dgram_socket create_socket_perms; allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.5.13/policy/modules/services/zosremote.fc ---- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/zosremote.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,2 @@ -+ -+/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.5.13/policy/modules/services/zosremote.if ---- nsaserefpolicy/policy/modules/services/zosremote.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/zosremote.if 2008-10-28 10:56:19.000000000 -0400 -@@ -0,0 +1,52 @@ -+## policy for z/OS Remote-services Audit dispatcher plugin -+ -+######################################## -+## -+## Execute a domain transition to run audispd-zos-remote. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`zos_remote_domtrans',` -+ gen_require(` -+ type zos_remote_t; -+ type zos_remote_exec_t; -+ ') -+ -+ domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) -+') -+ -+######################################## -+## -+## Allow specified type and role to transition and -+## run in the zos_remote_t domain. Allow specified type -+## to use zos_remote_t terminal. -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the zos_remote domain. -+## -+## -+## -+## -+## The type of the role's terminal. 
-+## -+## -+# -+interface(`zos_remote_run',` -+ gen_require(` -+ type zos_remote_t; -+ ') -+ -+ zos_remote_domtrans($1) -+ role $2 types zos_remote_t; -+ dontaudit zos_remote_t $3:chr_file rw_term_perms; -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.5.13/policy/modules/services/zosremote.te ---- nsaserefpolicy/policy/modules/services/zosremote.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/zosremote.te 2008-10-28 11:20:11.000000000 -0400 -@@ -0,0 +1,36 @@ -+policy_module(zosremote,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type zos_remote_t; -+type zos_remote_exec_t; -+logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) -+ -+init_system_domain(zos_remote_t, zos_remote_exec_t) -+ -+role system_r types zos_remote_t; -+ -+ -+######################################## -+# -+# zos_remote local policy -+# -+ -+allow zos_remote_t self:fifo_file rw_file_perms; -+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms; -+ -+allow zos_remote_t self:process signal; -+ -+files_read_etc_files(zos_remote_t) -+ -+auth_use_nsswitch(zos_remote_t); -+ -+libs_use_ld_so(zos_remote_t) -+libs_use_shared_libs(zos_remote_t) -+ -+miscfiles_read_localization(zos_remote_t) -+ -+logging_send_syslog_msg(zos_remote_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.13/policy/modules/system/application.te ---- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/application.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/application.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/application.te 2008-11-11 16:22:03.000000000 -0500 
@@ -7,6 +7,12 @@ # Executables to be run by user attribute application_exec_type; @@ -27136,8 +24740,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.5.13/policy/modules/system/authlogin.fc ---- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/authlogin.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/authlogin.fc 2008-11-11 16:22:03.000000000 -0500 @@ -7,12 +7,10 @@ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -27165,8 +24769,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.5.13/policy/modules/system/authlogin.if ---- nsaserefpolicy/policy/modules/system/authlogin.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/authlogin.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/authlogin.if 2008-11-11 16:22:03.000000000 -0500 @@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) 
@@ -27437,8 +25041,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1, auth_cache_t, auth_cache_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.5.13/policy/modules/system/authlogin.te ---- nsaserefpolicy/policy/modules/system/authlogin.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/authlogin.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/authlogin.te 2008-11-11 16:22:03.000000000 -0500 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -27539,8 +25143,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_xdm_pipes(utempter_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.5.13/policy/modules/system/fstools.fc ---- nsaserefpolicy/policy/modules/system/fstools.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/fstools.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/fstools.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/fstools.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,4 +1,3 @@ -/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
@@ -27555,8 +25159,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.5.13/policy/modules/system/fstools.te ---- nsaserefpolicy/policy/modules/system/fstools.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/fstools.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/fstools.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/fstools.te 2008-11-11 16:22:03.000000000 -0500 @@ -97,6 +97,10 @@ fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -27579,8 +25183,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_domain(fsadm_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.5.13/policy/modules/system/hostname.te ---- nsaserefpolicy/policy/modules/system/hostname.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/hostname.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/hostname.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/hostname.te 2008-11-11 16:22:03.000000000 -0500 @@ -8,7 +8,9 @@ type hostname_t; 
@@ -27593,8 +25197,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.5.13/policy/modules/system/init.fc ---- nsaserefpolicy/policy/modules/system/init.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/init.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/init.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/init.fc 2008-11-11 16:22:03.000000000 -0500 @@ -4,8 +4,7 @@ /etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -27615,8 +25219,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /var # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.13/policy/modules/system/init.if ---- nsaserefpolicy/policy/modules/system/init.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/init.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/init.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/init.if 2008-11-11 16:22:03.000000000 -0500 @@ -278,6 +278,27 @@ kernel_dontaudit_use_fds($1) ') 
@@ -27814,8 +25418,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow init_t $1:unix_dgram_socket sendto; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te ---- nsaserefpolicy/policy/modules/system/init.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-10-29 14:03:43.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/init.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-11-11 16:22:03.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -28075,8 +25679,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_rw_xdm_home_files(daemon) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.5.13/policy/modules/system/ipsec.fc ---- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/ipsec.fc 2008-11-05 10:40:04.000000000 -0500 +--- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/ipsec.fc 2008-11-11 16:22:03.000000000 -0500 @@ -26,6 +26,7 @@ /usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) 
@@ -28086,8 +25690,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.5.13/policy/modules/system/ipsec.te ---- nsaserefpolicy/policy/modules/system/ipsec.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/ipsec.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/ipsec.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/ipsec.te 2008-11-11 16:22:03.000000000 -0500 @@ -55,11 +55,12 @@ allow ipsec_t self:capability { net_admin dac_override dac_read_search }; @@ -28209,8 +25813,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow setkey_t ipsec_conf_file_t:dir list_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.5.13/policy/modules/system/iscsi.te ---- nsaserefpolicy/policy/modules/system/iscsi.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/iscsi.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/iscsi.te 2008-11-11 16:22:03.000000000 -0500 @@ -28,7 +28,7 @@ # iscsid local policy # 
@@ -28230,8 +25834,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc ---- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-11-10 09:54:43.000000000 -0500 +--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-11-13 08:39:45.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -28336,7 +25940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -310,3 +330,18 @@ +@@ -310,3 +330,20 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) 
@@ -28355,9 +25959,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/sse2/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te ---- nsaserefpolicy/policy/modules/system/libraries.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/libraries.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/libraries.te 2008-11-11 16:22:03.000000000 -0500 @@ -52,11 +52,11 @@ # ldconfig local policy # @@ -28415,8 +26021,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_domain(ldconfig_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.5.13/policy/modules/system/locallogin.te ---- nsaserefpolicy/policy/modules/system/locallogin.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/locallogin.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/locallogin.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/locallogin.te 2008-11-11 16:22:03.000000000 -0500 @@ -67,6 +67,7 @@ dev_setattr_power_mgmt_dev(local_login_t) dev_getattr_sound_dev(local_login_t) 
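Review bot: The two new `libpostproc` file-context entries use the bare `\.so.*` suffix, while the `libav` entries directly above them use `\.so(\..*)?`; the looser form also matches unrelated names that merely start with `libpostproc.so`, so for consistency and tighter matching they should read `/usr/lib(64)?/libpostproc\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)` and likewise for the `sse2` path. This matters because `textrel_shlib_t` is the type refpolicy uses to grant `execmod` on a mapped library, so every file the regex captures is exempted from the usual no-text-relocation check and the pattern should cover only the intended library. The new `sse2` line also uses `/usr/lib(64)?/sse2/` where the existing `sse2` libav entry is `/usr/lib/sse2/` only; harmless if no such lib64 directory exists, but the two should be made consistent one way or the other.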
@@ -28494,8 +26100,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - nscd_socket_use(sulogin_t) -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.5.13/policy/modules/system/logging.fc ---- nsaserefpolicy/policy/modules/system/logging.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/logging.fc 2008-11-07 08:13:26.000000000 -0500 +--- nsaserefpolicy/policy/modules/system/logging.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/logging.fc 2008-11-11 16:22:03.000000000 -0500 @@ -53,15 +53,18 @@ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) ') @@ -28520,8 +26126,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.13/policy/modules/system/logging.if ---- nsaserefpolicy/policy/modules/system/logging.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/logging.if 2008-11-06 13:16:14.000000000 -0500 +--- nsaserefpolicy/policy/modules/system/logging.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/logging.if 2008-11-11 16:22:03.000000000 -0500 @@ -451,7 +451,7 @@ ') 
@@ -28548,8 +26154,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + logging_admin_syslog($1, $2, $3) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.13/policy/modules/system/logging.te ---- nsaserefpolicy/policy/modules/system/logging.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/logging.te 2008-11-06 13:13:09.000000000 -0500 +--- nsaserefpolicy/policy/modules/system/logging.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/logging.te 2008-11-11 16:22:03.000000000 -0500 @@ -129,7 +129,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; @@ -28594,8 +26200,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow syslogd_t self:tcp_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.5.13/policy/modules/system/lvm.fc ---- nsaserefpolicy/policy/modules/system/lvm.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/lvm.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/lvm.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/lvm.fc 2008-11-11 16:22:03.000000000 -0500 @@ -55,6 +55,7 @@ /sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) 
@@ -28610,8 +26216,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.5.13/policy/modules/system/lvm.te ---- nsaserefpolicy/policy/modules/system/lvm.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/lvm.te 2008-11-05 16:20:42.000000000 -0500 +--- nsaserefpolicy/policy/modules/system/lvm.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/lvm.te 2008-11-11 16:22:03.000000000 -0500 @@ -10,6 +10,9 @@ type clvmd_exec_t; init_daemon_domain(clvmd_t,clvmd_exec_t) @@ -28808,8 +26414,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.5.13/policy/modules/system/miscfiles.if ---- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/miscfiles.if 2008-11-03 17:18:22.000000000 -0500 +--- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/miscfiles.if 2008-11-11 16:22:03.000000000 -0500 @@ -23,6 +23,45 @@ ######################################## 
@@ -28857,8 +26463,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.5.13/policy/modules/system/modutils.te ---- nsaserefpolicy/policy/modules/system/modutils.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/modutils.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/modutils.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/modutils.te 2008-11-11 16:22:03.000000000 -0500 @@ -42,7 +42,7 @@ # insmod local policy # @@ -28989,8 +26595,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ################################# diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.5.13/policy/modules/system/mount.fc ---- nsaserefpolicy/policy/modules/system/mount.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/mount.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/mount.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/mount.fc 2008-11-11 16:22:03.000000000 -0500 @@ -1,4 +1,6 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) 
@@ -29000,8 +26606,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.5.13/policy/modules/system/mount.if ---- nsaserefpolicy/policy/modules/system/mount.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/mount.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/mount.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/mount.if 2008-11-11 16:22:03.000000000 -0500 @@ -49,6 +49,8 @@ mount_domtrans($1) role $2 types mount_t; @@ -29012,8 +26618,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` samba_run_smbmount($1, $2, $3) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te ---- nsaserefpolicy/policy/modules/system/mount.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-11-10 15:37:25.000000000 -0500 +--- nsaserefpolicy/policy/modules/system/mount.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-11-11 16:22:03.000000000 -0500 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; 
@@ -29187,8 +26793,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.5.13/policy/modules/system/raid.te ---- nsaserefpolicy/policy/modules/system/raid.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/raid.te 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/raid.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/raid.te 2008-11-11 16:22:03.000000000 -0500 @@ -39,6 +39,7 @@ dev_dontaudit_getattr_generic_files(mdadm_t) dev_dontaudit_getattr_generic_chr_files(mdadm_t) @@ -29198,8 +26804,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.5.13/policy/modules/system/selinuxutil.fc ---- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.fc 2008-11-11 16:22:03.000000000 -0500 @@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) 
@@ -29222,8 +26828,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.5.13/policy/modules/system/selinuxutil.if ---- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-10-10 15:53:03.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.if 2008-11-11 16:22:03.000000000 -0500 @@ -555,6 +555,59 @@ ######################################## @@ -29656,8 +27262,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.5.13/policy/modules/system/selinuxutil.te ---- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.te 2008-11-10 12:22:40.000000000 -0500 +--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/selinuxutil.te 2008-11-11 16:22:03.000000000 -0500 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) 
@@ -30013,8 +27619,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_domain(setfiles_mac_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.5.13/policy/modules/system/setrans.if ---- nsaserefpolicy/policy/modules/system/setrans.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/setrans.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/setrans.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/setrans.if 2008-11-11 16:22:03.000000000 -0500 @@ -21,3 +21,23 @@ stream_connect_pattern($1,setrans_var_run_t,setrans_var_run_t,setrans_t) files_list_pids($1) @@ -30040,8 +27646,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.13/policy/modules/system/sysnetwork.fc ---- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.fc 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.fc 2008-11-11 16:22:03.000000000 -0500 @@ -11,6 +11,7 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) 
@@ -30065,8 +27671,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.13/policy/modules/system/sysnetwork.if ---- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2008-10-28 10:56:19.000000000 -0400 +--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2008-11-11 16:22:03.000000000 -0500 @@ -553,6 +553,7 @@ type net_conf_t; ') @@ -30146,8 +27752,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role_transition $1 dhcpc_exec_t system_r; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te ---- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-11-03 13:42:28.000000000 -0500 +--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-11-11 16:22:03.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; 
@@ -30327,8 +27933,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  kernel_write_xen_state(ifconfig_t)
  xen_append_log(ifconfig_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.5.13/policy/modules/system/udev.fc
---- nsaserefpolicy/policy/modules/system/udev.fc 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/udev.fc 2008-11-03 11:39:49.000000000 -0500
+--- nsaserefpolicy/policy/modules/system/udev.fc 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/udev.fc 2008-11-11 16:22:03.000000000 -0500
 @@ -13,8 +13,11 @@
  /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
  /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -30342,8 +27948,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.13/policy/modules/system/udev.if
---- nsaserefpolicy/policy/modules/system/udev.if 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/udev.if 2008-10-28 10:56:19.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/udev.if 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/udev.if 2008-11-11 16:22:03.000000000 -0500
 @@ -96,6 +96,24 @@
  ########################################
@@ -30398,8 +28004,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + allow $1 udev_tbl_t:file rw_file_perms;
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.5.13/policy/modules/system/udev.te
---- nsaserefpolicy/policy/modules/system/udev.te 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/udev.te 2008-11-03 11:41:29.000000000 -0500
+--- nsaserefpolicy/policy/modules/system/udev.te 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/udev.te 2008-11-11 16:22:03.000000000 -0500
 @@ -83,6 +83,7 @@
  kernel_rw_unix_dgram_sockets(udev_t)
  kernel_dgram_send(udev_t)
@@ -30457,8 +28063,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  xserver_read_xdm_pid(udev_t)
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.13/policy/modules/system/unconfined.fc
---- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/unconfined.fc 2008-11-06 13:03:04.000000000 -0500
+--- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/unconfined.fc 2008-11-11 16:22:03.000000000 -0500
 @@ -2,15 +2,29 @@
  # e.g.:
  # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
@@ -30499,8 +28105,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/gcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.13/policy/modules/system/unconfined.if
---- nsaserefpolicy/policy/modules/system/unconfined.if 2008-09-11 16:42:49.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/unconfined.if 2008-10-29 13:21:22.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/unconfined.if 2008-11-11 16:22:03.000000000 -0500
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -30830,8 +28436,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-28 11:00:08.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-11-11 16:22:03.000000000 -0500
 @@ -6,35 +6,76 @@
  # Declarations
  #
@@ -31190,8 +28796,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.13/policy/modules/system/userdomain.fc
---- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/userdomain.fc 2008-10-28 10:56:19.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/userdomain.fc 2008-11-11 16:22:03.000000000 -0500
 @@ -1,4 +1,5 @@
 -HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
 -HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
@@ -31203,8 +28809,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
 +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-11-10 11:10:03.000000000 -0500
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-11-13 14:05:51.000000000 -0500
 @@ -28,10 +28,14 @@
  class context contains;
  ')
@@ -33933,8 +31539,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + fs_tmpfs_filetrans($1, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.13/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te 2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2008-10-28 10:56:19.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/userdomain.te 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2008-11-11 16:22:03.000000000 -0500
 @@ -8,13 +8,6 @@
  ##
@@ -34054,8 +31660,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.13/policy/modules/system/xen.fc
---- nsaserefpolicy/policy/modules/system/xen.fc 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/xen.fc 2008-10-28 10:56:19.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/xen.fc 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/xen.fc 2008-11-11 16:22:03.000000000 -0500
 @@ -20,6 +20,7 @@
  /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
  /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
@@ -34065,8 +31671,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.13/policy/modules/system/xen.if
---- nsaserefpolicy/policy/modules/system/xen.if 2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/xen.if 2008-11-04 11:36:33.000000000 -0500
+--- nsaserefpolicy/policy/modules/system/xen.if 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/xen.if 2008-11-11 16:22:03.000000000 -0500
 @@ -155,7 +155,7 @@
  stream_connect_pattern($1,xenstored_var_run_t,xenstored_var_run_t,xenstored_t)
  ')
@@ -34118,8 +31724,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + rw_files_pattern($1, xen_image_t, xen_image_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te
---- nsaserefpolicy/policy/modules/system/xen.te 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-10-28 10:56:19.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/xen.te 2008-10-17 08:49:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-11-11 16:22:03.000000000 -0500
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -34344,8 +31950,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + unconfined_domain(xend_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/policy_capabilities serefpolicy-3.5.13/policy/policy_capabilities
---- nsaserefpolicy/policy/policy_capabilities 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/policy_capabilities 2008-10-28 10:56:19.000000000 -0400
+--- nsaserefpolicy/policy/policy_capabilities 2008-10-17 08:49:14.000000000 -0400
++++ serefpolicy-3.5.13/policy/policy_capabilities 2008-11-11 16:22:03.000000000 -0500
 @@ -29,4 +29,4 @@
  # chr_file: open
  # blk_file: open
@@ -34353,8 +31959,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -policycap open_perms;
 +#policycap open_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.5.13/policy/support/obj_perm_sets.spt
---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/support/obj_perm_sets.spt 2008-10-28 10:56:19.000000000 -0400
+--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-10-17 08:49:14.000000000 -0400
++++ serefpolicy-3.5.13/policy/support/obj_perm_sets.spt 2008-11-11 16:22:03.000000000 -0500
 @@ -59,22 +59,22 @@
  #
  # Permissions for executing files.
@@ -34503,8 +32109,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +define(`manage_key_perms', `{ create link read search setattr view write } ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.5.13/policy/users
---- nsaserefpolicy/policy/users 2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/users 2008-10-28 19:21:24.000000000 -0400
+--- nsaserefpolicy/policy/users 2008-10-17 08:49:11.000000000 -0400
++++ serefpolicy-3.5.13/policy/users 2008-11-11 16:22:03.000000000 -0500
 @@ -25,11 +25,8 @@
  # permit any access to such users, then remove this entry.
  #
@@ -34530,8 +32136,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -')
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.5.13/support/Makefile.devel
---- nsaserefpolicy/support/Makefile.devel 2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.5.13/support/Makefile.devel 2008-10-28 10:56:19.000000000 -0400
+--- nsaserefpolicy/support/Makefile.devel 2008-10-17 08:49:14.000000000 -0400
++++ serefpolicy-3.5.13/support/Makefile.devel 2008-11-11 16:22:03.000000000 -0500
 @@ -181,8 +181,7 @@
  tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
  @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"