From 9c0be6ae8401448f59f836dd74a56d528fcc1b02 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 31 2008 18:53:49 +0000 Subject: - Allow xdm to sys_ptrace --- diff --git a/policy-20070703.patch b/policy-20070703.patch index fe1da2b..4c2170a 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1553,8 +1553,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.0.8/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/admin/kismet.te 2008-01-17 09:03:07.000000000 -0500 -@@ -0,0 +1,58 @@ ++++ serefpolicy-3.0.8/policy/modules/admin/kismet.te 2008-01-30 11:10:03.000000000 -0500 +@@ -0,0 +1,57 @@ +policy_module(kismet,1.0.0) + +######################################## @@ -1582,8 +1582,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +# kismet local policy +# + -+## internal communication is often done using fifo and unix sockets. -+#============= kismet_t ============== +allow kismet_t self:capability { net_admin setuid setgid }; + +corecmd_exec_bin(kismet_t) @@ -1595,12 +1593,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + +files_read_etc_files(kismet_t) + ++kernel_load_module(kismet_t) ++ +libs_use_ld_so(kismet_t) +libs_use_shared_libs(kismet_t) + +miscfiles_read_localization(kismet_t) + -+ +allow kismet_t kismet_var_run_t:file manage_file_perms; +allow kismet_t kismet_var_run_t:dir manage_dir_perms; +files_pid_filetrans(kismet_t,kismet_var_run_t, { file dir }) 
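Review bot: `kernel_load_module(kismet_t)` in the kismet.te hunk gives the kismet domain the right to load kernel modules, which in practice is equivalent to full control of the kernel and is a far larger grant than the `net_admin setuid setgid` capabilities already listed for kismet_t two lines below. If kismet only needs a driver autoloaded on its behalf rather than inserting modules itself, a narrower rule would be preferable; at minimum a comment recording the denial that motivated it keeps the grant reviewable, e.g. `# kernel_load_module: TODO(review) name the module load kismet performs`. Nothing else in the hunk explains the addition.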
@@ -2950,7 +2949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/java.if 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/java.if 2008-01-28 10:57:36.000000000 -0500 @@ -32,7 +32,7 @@ ## ## @@ -3009,15 +3008,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if files_read_etc_files($1_javaplugin_t) files_read_usr_files($1_javaplugin_t) -@@ -122,6 +126,7 @@ +@@ -122,6 +126,9 @@ fs_getattr_xattr_fs($1_javaplugin_t) fs_dontaudit_rw_tmpfs_files($1_javaplugin_t) + fs_getattr_tmpfs($1_javaplugin_t) ++ ++ auth_use_nsswitch($1_javaplugin_t) libs_use_ld_so($1_javaplugin_t) libs_use_shared_libs($1_javaplugin_t) -@@ -134,6 +139,10 @@ +@@ -134,6 +141,10 @@ sysnet_read_config($1_javaplugin_t) @@ -3028,7 +3029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t) userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t) userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t) -@@ -166,6 +175,62 @@ +@@ -166,6 +177,62 @@ optional_policy(` xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) ') @@ -3091,7 +3092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -@@ -219,3 +284,66 @@ +@@ -219,3 +286,66 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') 
@@ -3964,7 +3965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.8/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/wine.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/wine.te 2008-01-30 09:40:50.000000000 -0500 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; @@ -3973,7 +3974,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ######################################## # -@@ -20,7 +21,12 @@ +@@ -17,10 +18,16 @@ + + optional_policy(` + allow wine_t self:process { execstack execmem execheap }; ++ domain_mmap_low(wine_t) unconfined_domain_noaudit(wine_t) files_execmod_all_files(wine_t) 
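Review bot: `domain_mmap_low(wine_t)` in the wine.te hunk switches off the low-address mapping restriction for the wine domain, the protection that keeps kernel NULL-pointer-dereference bugs from being turned into privilege escalation, and it is added unconditionally next to `unconfined_domain_noaudit(wine_t)` with no explanation. A one-line comment stating why wine needs mappings below mmap_min_addr (e.g. `# low mappings required by wine -- TODO(review) state which subsystem`) would justify keeping it, and if the policy has a tunable for low mappings it would be worth gating it the same way the surrounding block is gated. The enclosing `optional_policy(` block starts inside the hunk and ends outside it.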
@@ -4257,19 +4262,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2008-01-17 09:03:07.000000000 -0500 -@@ -4,6 +4,7 @@ ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2008-01-24 14:07:04.000000000 -0500 +@@ -1,8 +1,9 @@ + /dev -d gen_context(system_u:object_r:device_t,s0) + /dev/.* gen_context(system_u:object_r:device_t,s0) +- ++/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0) /dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -14,22 +15,33 @@ +@@ -13,27 +14,42 @@ + /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) 
@@ -4281,8 +4293,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) 
@@ -4291,52 +4303,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) +/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -+/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,mls_systemhigh) ++/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) +/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -@@ -41,6 +53,11 @@ - /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) - /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/null -c gen_context(system_u:object_r:null_device_t,s0) -+ -+/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) ++/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) + /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) + /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -44,6 +60,7 @@ /dev/nvidia.* -c 
gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -@@ -49,6 +66,9 @@ ++/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) - /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) - /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) - /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -65,9 +85,11 @@ +@@ -65,9 +82,8 @@ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) +-/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) +-/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0) +-/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) -+/dev/usb/.+ -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c 
gen_context(system_u:object_r:scanner_device_t,s0) -@@ -95,11 +117,21 @@ +@@ -94,12 +110,23 @@ + /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) @@ -4356,6 +4361,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/pts(/.*)? <> +@@ -113,14 +140,9 @@ + /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) + /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) + +-/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) +- +-/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0) ++/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) + +-ifdef(`distro_debian',` +-# used by udev init script as temporary mount point +-/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0) +-') ++/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0) + + ifdef(`distro_gentoo',` + # used by init scripts to initally populate udev /dev diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2008-01-17 09:03:07.000000000 -0500 
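Review bot: In the devices.fc hunk that began on the earlier lines, the new `/dev/usb.+` entry that replaces the removed `/dev/usbmon[0-9]+`, `/dev/usbdev.*` and `/dev/usb[0-9]+` entries also matches `/dev/usblp.*` (printer_device_t) on the very next line and the suse-only `/dev/usbscanner` (scanner_device_t). That only yields the intended labels if the more specific entries take precedence in the sorted file_contexts, which I believe fc_sort guarantees but have not verified here; a comment such as `# generic USB nodes; the longer usblp/usbscanner stems below take precedence` would record the dependency. Separately, `/dev/kvm` moves from `mls_systemhigh` to `s0` with no rationale in the hunk; a short comment on why the KVM control node no longer needs the high range would help MLS reviewers.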
@@ -5180,7 +5202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-01-24 15:47:50.000000000 -0500 @@ -271,45 +271,6 @@ ######################################## @@ -5329,7 +5351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## List all directories with a filesystem type. ## ## -@@ -3533,3 +3550,42 @@ +@@ -3533,3 +3550,62 @@ relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) ') @@ -5372,6 +5394,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t) +') + ++ ++######################################## ++## ++## Read and write files on hugetlbfs files ++## file systems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_hugetlbfs_files',` ++ gen_require(` ++ type hugetlbfs_t; ++ ++ ') ++ ++ rw_files_pattern($1,hugetlbfs_t,hugetlbfs_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-10-22 13:21:41.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2008-01-17 09:03:07.000000000 -0500 
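Review bot: The summary of the new `fs_rw_hugetlbfs_files` interface in the filesystem.if hunk reads `Read and write files on hugetlbfs files file systems.`, which duplicates "files"; `## Read and write files on hugetlbfs file systems.` matches the wording of the neighbouring interfaces. The `gen_require` block also carries a stray blank line before its closing `')`, and two blank lines precede the `####` header where the surrounding interfaces use one. The parameter description appears to have lost its summary/param markup on this page, so I cannot tell whether that is a rendering artifact or missing from the patch; worth checking that the interface documentation still generates cleanly.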
@@ -5426,7 +5468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy files_mountpoint(vxfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2008-01-17 13:25:01.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2008-01-30 11:09:40.000000000 -0500 @@ -352,6 +352,24 @@ ######################################## @@ -6300,7 +6342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2008-01-31 13:44:19.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(apache,1.7.1) @@ -6473,7 +6515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -344,12 +383,8 @@ +@@ -344,29 +383,40 @@ seutil_dontaudit_search_config(httpd_t) @@ -6486,7 +6528,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`allow_httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') -@@ -358,8 +393,16 @@ + +-ifdef(`TODO', ` # # We need optionals to be able to be within booleans to make this work # 
@@ -6498,12 +6541,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +gen_tunable(allow_httpd_mod_auth_pam,false) + tunable_policy(`allow_httpd_mod_auth_pam',` - auth_domtrans_chk_passwd(httpd_t) -+ auth_domtrans_upd_passwd(httpd_t) - ') +- auth_domtrans_chk_passwd(httpd_t) +-') ++ auth_domtrans_chk_pwd(httpd_t) ') -@@ -367,6 +410,16 @@ + tunable_policy(`httpd_can_network_connect',` corenet_tcp_connect_all_ports(httpd_t) ') @@ -6520,7 +6563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect_db',` # allow httpd to connect to mysql/posgresql corenet_tcp_connect_postgresql_port(httpd_t) -@@ -387,6 +440,10 @@ +@@ -387,6 +437,10 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -6531,7 +6574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -404,11 +461,21 @@ +@@ -404,11 +458,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -6553,7 +6596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -430,6 +497,12 @@ +@@ -430,6 +494,12 @@ ') optional_policy(` @@ -6566,7 +6609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac calamaris_read_www_files(httpd_t) ') -@@ -442,8 +515,14 @@ +@@ -442,8 +512,14 @@ ') optional_policy(` @@ -6582,7 +6625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -457,11 +536,11 @@ +@@ -457,11 +533,11 @@ optional_policy(` mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) 
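Review bot: The apache.te hunk at the top of this line replaces the rule inside `tunable_policy(`allow_httpd_mod_auth_pam',` with `auth_domtrans_chk_pwd(httpd_t)`, and no interface of that name is defined anywhere visible in this diff; the upstream name removed just above it is `auth_domtrans_chk_passwd`. If `auth_domtrans_chk_pwd` is a local interface it should appear in the authlogin.if part of this patch, otherwise the module fails to build now that the `ifdef(`TODO',` guard is dropped in the preceding hunk and this block is live. Confirming the name against the patched authlogin.if, or reverting to `auth_domtrans_chk_passwd(httpd_t)`, resolves it either way.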
@@ -6595,7 +6638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -481,6 +560,7 @@ +@@ -481,6 +557,7 @@ ') optional_policy(` @@ -6603,7 +6646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -516,6 +596,13 @@ +@@ -516,6 +593,13 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -6617,7 +6660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -553,6 +640,7 @@ +@@ -553,6 +637,7 @@ optional_policy(` mysql_stream_connect(httpd_php_t) @@ -6625,7 +6668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -567,7 +655,6 @@ +@@ -567,7 +652,6 @@ allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; @@ -6633,7 +6676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -581,6 +668,10 @@ +@@ -581,6 +665,10 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -6644,7 +6687,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -590,8 +681,7 @@ +@@ -590,8 +678,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) # for shell scripts 
@@ -6654,7 +6697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -620,8 +710,6 @@ +@@ -620,8 +707,6 @@ corenet_udp_sendrecv_all_ports(httpd_suexec_t) corenet_tcp_connect_all_ports(httpd_suexec_t) corenet_sendrecv_all_client_packets(httpd_suexec_t) @@ -6663,7 +6706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -634,6 +722,12 @@ +@@ -634,6 +719,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -6676,7 +6719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -651,18 +745,6 @@ +@@ -651,18 +742,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -6695,7 +6738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -672,7 +754,8 @@ +@@ -672,7 +751,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -6705,7 +6748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -686,15 +769,62 @@ +@@ -686,15 +766,62 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -6769,7 +6812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -707,6 +837,7 @@ +@@ -707,6 +834,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) 
@@ -6777,7 +6820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -728,3 +859,46 @@ +@@ -728,3 +856,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -6918,8 +6961,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.0.8/policy/modules/services/automount.if --- nsaserefpolicy/policy/modules/services/automount.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/automount.if 2008-01-17 09:03:07.000000000 -0500 -@@ -74,3 +74,21 @@ ++++ serefpolicy-3.0.8/policy/modules/services/automount.if 2008-01-30 09:23:53.000000000 -0500 +@@ -74,3 +74,39 @@ dontaudit $1 automount_tmp_t:dir getattr; ') @@ -6941,6 +6984,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto + + dontaudit $1 automount_t:fd use; +') ++######################################## ++## ++## Do not audit attempts to write automount daemon unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`automount_dontaudit_write_pipes',` ++ gen_require(` ++ type automount_t; ++ ') ++ ++ dontaudit $1 automount_t:fifo_file write; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.8/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/automount.te 2008-01-17 13:10:56.000000000 -0500 
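Review bot: In the automount.if hunk the new `automount_dontaudit_write_pipes` interface is appended directly after the `')` of the interface that ends with `dontaudit $1 automount_t:fd use;`, with no blank line between the two, while the blank line is added after the new interface instead; every other interface boundary in this file is separated by one blank line. Moving the trailing `+` empty line to just before the new `####` header keeps the file consistent and avoids a spurious blank line at end of file.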
@@ -7026,7 +7087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind +/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.8/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/bind.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/bind.te 2008-01-31 09:00:00.000000000 -0500 @@ -66,7 +66,6 @@ allow named_t self:unix_dgram_socket create_socket_perms; allow named_t self:tcp_socket create_stream_socket_perms; @@ -7035,16 +7096,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind allow named_t dnssec_t:file { getattr read }; -@@ -92,6 +91,8 @@ - manage_sock_files_pattern(named_t,named_var_run_t,named_var_run_t) - files_pid_filetrans(named_t,named_var_run_t,{ file sock_file }) +@@ -101,6 +100,8 @@ + kernel_read_system_state(named_t) + kernel_read_network_state(named_t) -+auth_use_nsswitch(named_t) ++corecmd_search_bin(named_t) + - # read zone files - allow named_t named_zone_t:dir list_dir_perms; - read_files_pattern(named_t,named_zone_t,named_zone_t) -@@ -119,6 +120,7 @@ + corenet_all_recvfrom_unlabeled(named_t) + corenet_all_recvfrom_netlabel(named_t) + corenet_tcp_sendrecv_all_if(named_t) +@@ -119,15 +120,11 @@ corenet_sendrecv_dns_client_packets(named_t) corenet_sendrecv_rndc_server_packets(named_t) corenet_sendrecv_rndc_client_packets(named_t) 
@@ -7052,7 +7113,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind dev_read_sysfs(named_t) dev_read_rand(named_t) -@@ -175,6 +177,10 @@ + +-fs_getattr_all_fs(named_t) +-fs_search_auto_mountpoints(named_t) +- +-corecmd_search_bin(named_t) +- + dev_read_urand(named_t) + + domain_use_interactive_fds(named_t) +@@ -135,6 +132,11 @@ + files_read_etc_files(named_t) + files_read_etc_runtime_files(named_t) + ++fs_getattr_all_fs(named_t) ++fs_search_auto_mountpoints(named_t) ++ ++auth_use_nsswitch(named_t) ++ + libs_use_ld_so(named_t) + libs_use_shared_libs(named_t) + +@@ -155,19 +157,12 @@ + ') + + optional_policy(` +- gen_require(` +- class dbus send_msg; +- ') +- +- allow named_t self:dbus send_msg; +- + init_dbus_chat_script(named_t) + + sysnet_dbus_chat_dhcpc(named_t) + + dbus_system_bus_client_template(named,named_t) + dbus_connect_system_bus(named_t) +- dbus_send_system_bus(named_t) + + optional_policy(` + networkmanager_dbus_chat(named_t) +@@ -175,6 +170,10 @@ ') optional_policy(` @@ -7063,7 +7165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind # this seems like fds that arent being # closed. these should probably be # dontaudits instead. -@@ -184,14 +190,6 @@ +@@ -184,14 +183,6 @@ ') optional_policy(` 
@@ -7078,14 +7180,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind seutil_sigchld_newrole(named_t) ') -@@ -232,6 +230,7 @@ +@@ -232,15 +223,16 @@ corenet_tcp_sendrecv_all_nodes(ndc_t) corenet_tcp_sendrecv_all_ports(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) +corenet_tcp_bind_all_nodes(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) - fs_getattr_xattr_fs(ndc_t) +-fs_getattr_xattr_fs(ndc_t) +- + domain_use_interactive_fds(ndc_t) + + files_read_etc_files(ndc_t) + files_search_pids(ndc_t) + ++fs_getattr_xattr_fs(ndc_t) ++ + init_use_fds(ndc_t) + init_use_script_ptys(ndc_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.0.8/policy/modules/services/bitlbee.fc --- nsaserefpolicy/policy/modules/services/bitlbee.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.8/policy/modules/services/bitlbee.fc 2008-01-17 09:03:07.000000000 -0500 
@@ -7206,8 +7319,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue +/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.8/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te 2008-01-17 09:03:07.000000000 -0500 -@@ -44,7 +44,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te 2008-01-31 11:16:03.000000000 -0500 +@@ -37,14 +37,14 @@ + # Bluetooth services local policy + # + +-allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock }; ++allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock }; + dontaudit bluetooth_t self:capability sys_tty_config; + allow bluetooth_t self:process { getsched signal_perms }; + allow bluetooth_t self:fifo_file rw_fifo_file_perms; allow bluetooth_t self:shm create_shm_perms; allow bluetooth_t self:socket create_stream_socket_perms; allow bluetooth_t self:unix_dgram_socket create_socket_perms; 
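Review bot: The bluetooth.te hunk adds `dac_override` to the bluetooth_t capability set, which lets the daemon bypass discretionary permission checks on every file its type rules already reach rather than granting access to one specific file. A need for it is usually a sign that some file or directory the daemon touches has the wrong owner or mode; if that path can be identified, fixing the ownership or adding a targeted file-context entry avoids widening the daemon, and if the capability really is required a comment naming the file (`# dac_override: TODO(review) name the path bluetoothd cannot open without it`) keeps the grant reviewable.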
@@ -7216,10 +7337,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue allow bluetooth_t self:tcp_socket create_stream_socket_perms; allow bluetooth_t self:udp_socket create_socket_perms; -@@ -128,6 +128,8 @@ - dbus_system_bus_client_template(bluetooth,bluetooth_t) - dbus_connect_system_bus(bluetooth_t) - dbus_send_system_bus(bluetooth_t) +@@ -110,6 +110,8 @@ + files_read_etc_runtime_files(bluetooth_t) + files_read_usr_files(bluetooth_t) + ++auth_use_nsswitch(bluetooth_t) ++ + libs_use_ld_so(bluetooth_t) + libs_use_shared_libs(bluetooth_t) + +@@ -118,20 +120,20 @@ + miscfiles_read_localization(bluetooth_t) + miscfiles_read_fonts(bluetooth_t) + +-sysnet_read_config(bluetooth_t) +- + userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) + userdom_dontaudit_use_sysadm_ptys(bluetooth_t) + userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t) + + optional_policy(` +- dbus_system_bus_client_template(bluetooth,bluetooth_t) +- dbus_connect_system_bus(bluetooth_t) +- dbus_send_system_bus(bluetooth_t) ++ cups_dbus_chat(bluetooth_t) + ') + + optional_policy(` +- nis_use_ypbind(bluetooth_t) ++ dbus_system_bus_client_template(bluetooth,bluetooth_t) ++ dbus_connect_system_bus(bluetooth_t) ++ dbus_send_system_bus(bluetooth_t) + allow bluetooth_t self:dbus send_msg; + dbus_system_domain(bluetooth_t,bluetooth_exec_t) ') @@ -7919,7 +8067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.0.8/policy/modules/services/cups.if --- nsaserefpolicy/policy/modules/services/cups.if 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/cups.if 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/cups.if 2008-01-30 11:15:10.000000000 -0500 
@@ -247,3 +247,4 @@ files_search_pids($1) stream_connect_pattern($1,ptal_var_run_t,ptal_var_run_t,ptal_t) @@ -8631,7 +8779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.0.8/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dcc.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/dcc.te 2008-01-30 11:52:20.000000000 -0500 @@ -124,7 +124,7 @@ # dcc procmail interface local policy # @@ -8641,7 +8789,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. allow dcc_client_t self:unix_dgram_socket create_socket_perms; allow dcc_client_t self:udp_socket create_socket_perms; -@@ -148,6 +148,10 @@ +@@ -141,6 +141,7 @@ + + corenet_all_recvfrom_unlabeled(dcc_client_t) + corenet_all_recvfrom_netlabel(dcc_client_t) ++corenet_udp_bind_all_nodes(dcc_client_t) + corenet_udp_sendrecv_generic_if(dcc_client_t) + corenet_udp_sendrecv_all_nodes(dcc_client_t) + corenet_udp_sendrecv_all_ports(dcc_client_t) +@@ -148,6 +149,10 @@ files_read_etc_files(dcc_client_t) files_read_etc_runtime_files(dcc_client_t) 
@@ -8652,6 +8808,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. libs_use_ld_so(dcc_client_t) libs_use_shared_libs(dcc_client_t) +@@ -155,11 +160,8 @@ + + miscfiles_read_localization(dcc_client_t) + +-sysnet_read_config(dcc_client_t) +-sysnet_dns_name_resolve(dcc_client_t) +- + optional_policy(` +- nscd_socket_use(dcc_client_t) ++ spamassassin_read_spamd_tmp_files(dcc_client_t) + ') + + ######################################## +@@ -335,6 +337,8 @@ + fs_getattr_all_fs(dccifd_t) + fs_search_auto_mountpoints(dccifd_t) + ++auth_use_nsswitch(dcc_client_t) ++ + libs_use_ld_so(dccifd_t) + libs_use_shared_libs(dccifd_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.0.8/policy/modules/services/dhcp.te +--- nsaserefpolicy/policy/modules/services/dhcp.te 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/dhcp.te 2008-01-29 08:02:45.000000000 -0500 +@@ -24,7 +24,7 @@ + # Local policy + # + +-allow dhcpd_t self:capability net_raw; ++allow dhcpd_t self:capability { sys_resource net_raw }; + dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; + allow dhcpd_t self:process signal_perms; + allow dhcpd_t self:fifo_file { read write getattr }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.0.8/policy/modules/services/dictd.fc --- nsaserefpolicy/policy/modules/services/dictd.fc 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/dictd.fc 2008-01-17 09:03:07.000000000 -0500 
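Review bot: In the dcc.te hunk for `@@ -335,6 +337,8 @@`, the added `auth_use_nsswitch(dcc_client_t)` sits in the dccifd_t section between `fs_search_auto_mountpoints(dccifd_t)` and `libs_use_ld_so(dccifd_t)`, so the domain name looks like a copy-paste slip; every neighbouring rule targets dccifd_t, and the dcc_client_t section earlier on this line drops its `sysnet_read_config`/`sysnet_dns_name_resolve`/`nscd_socket_use` rules, presumably because dcc_client_t already received auth_use_nsswitch there. As written dccifd_t gains no name-service access and the dcc_client_t line is a duplicate; `auth_use_nsswitch(dccifd_t)` is what the placement suggests was intended.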
@@ -10082,7 +10272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.8/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2008-01-29 09:37:33.000000000 -0500 @@ -55,6 +55,8 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -10092,10 +10282,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail optional_policy(` nscd_socket_use(mailman_cgi_t) -@@ -67,6 +69,14 @@ +@@ -67,6 +69,15 @@ # allow mailman_mail_t self:unix_dgram_socket create_socket_perms; ++allow mailman_mail_t self:process signal; +allow mailman_mail_t initrc_t:process signal; +allow mailman_mail_t self:capability { setuid setgid }; + @@ -10107,7 +10298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) -@@ -96,6 +106,7 @@ +@@ -96,6 +107,7 @@ kernel_read_proc_symlinks(mailman_queue_t) auth_domtrans_chk_passwd(mailman_queue_t) @@ -10392,7 +10583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2008-01-31 11:46:14.000000000 -0500 @@ -1,11 +1,13 @@ -policy_module(mta,1.7.1) 
@@ -10416,8 +10607,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. mta_base_mail_template(system) role system_r types system_mail_t; -@@ -40,27 +43,40 @@ - allow system_mail_t self:capability { dac_override }; +@@ -37,30 +40,43 @@ + # + + # newalias required this, not sure if it is needed in 'if' file +-allow system_mail_t self:capability { dac_override }; ++allow system_mail_t self:capability { dac_override fowner }; read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) +read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type) @@ -10768,7 +10963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.0.8/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mysql.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/mysql.te 2008-01-24 15:47:33.000000000 -0500 @@ -25,6 +25,9 @@ type mysqld_tmp_t; files_tmp_file(mysqld_tmp_t) @@ -10789,6 +10984,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq allow mysqld_t self:unix_stream_socket create_stream_socket_perms; allow mysqld_t self:tcp_socket create_stream_socket_perms; allow mysqld_t self:udp_socket create_socket_perms; +@@ -79,6 +83,7 @@ + + fs_getattr_all_fs(mysqld_t) + fs_search_auto_mountpoints(mysqld_t) ++fs_rw_hugetlbfs_files(mysqld_t) + + domain_use_interactive_fds(mysqld_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.0.8/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/nagios.fc 2008-01-17 09:03:07.000000000 -0500 
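Review bot: The system_mail_t capability set grows to `{ dac_override fowner }` while the comment directly above it still only justifies dac_override for newaliases; nothing in the hunk records which program needs CAP_FOWNER (bypassing the owner check for chmod/utime/setxattr on files it does not own). Suggest extending that comment, e.g. `# newaliases needs dac_override; fowner needed by <program/operation> -- TODO confirm`, and if the trigger was only a denial on an operation the MTA can live without, a `dontaudit` on the capability is the safer alternative to a grant. The enclosing system_mail_t block continues outside the hunk.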
@@ -12199,7 +12402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.0.8/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postgresql.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/postgresql.te 2008-01-24 15:47:19.000000000 -0500 @@ -27,6 +27,9 @@ type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) @@ -12218,7 +12421,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t) -@@ -118,6 +120,8 @@ +@@ -101,6 +103,7 @@ + + fs_getattr_all_fs(postgresql_t) + fs_search_auto_mountpoints(postgresql_t) ++fs_rw_hugetlbfs_files(postgresql_t) + + term_use_controlling_term(postgresql_t) + +@@ -118,6 +121,8 @@ init_read_utmp(postgresql_t) @@ -12227,7 +12438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post libs_use_ld_so(postgresql_t) libs_use_shared_libs(postgresql_t) -@@ -127,9 +131,6 @@ +@@ -127,9 +132,6 @@ seutil_dontaudit_search_config(postgresql_t) @@ -12237,7 +12448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post userdom_dontaudit_search_sysadm_home_dirs(postgresql_t) userdom_dontaudit_use_sysadm_ttys(postgresql_t) userdom_dontaudit_use_unpriv_user_fds(postgresql_t) -@@ -158,10 +159,6 @@ +@@ -158,10 +160,6 @@ ') optional_policy(` 
@@ -12248,10 +12459,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post seutil_sigchld_newrole(postgresql_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.0.8/policy/modules/services/postgrey.fc +--- nsaserefpolicy/policy/modules/services/postgrey.fc 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/postgrey.fc 2008-01-30 11:29:05.000000000 -0500 +@@ -7,3 +7,5 @@ + + /var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0) + /var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0) ++ ++/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.0.8/policy/modules/services/postgrey.te --- nsaserefpolicy/policy/modules/services/postgrey.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postgrey.te 2008-01-18 15:22:00.000000000 -0500 -@@ -24,7 +24,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/postgrey.te 2008-01-30 11:30:51.000000000 -0500 +@@ -13,6 +13,9 @@ + type postgrey_etc_t; + files_config_file(postgrey_etc_t) + ++type postgrey_spool_t; ++files_type(postgrey_spool_t) ++ + type postgrey_var_lib_t; + files_type(postgrey_var_lib_t) + +@@ -24,15 +27,20 @@ # Local policy # 
@@ -12260,7 +12490,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post dontaudit postgrey_t self:capability sys_tty_config; allow postgrey_t self:process signal_perms; allow postgrey_t self:tcp_socket create_stream_socket_perms; -@@ -68,6 +68,8 @@ ++allow postgrey_t self:fifo_file create_fifo_file_perms; + + allow postgrey_t postgrey_etc_t:dir list_dir_perms; + read_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t) + read_lnk_files_pattern(postgrey_t,postgrey_etc_t,postgrey_etc_t) + ++manage_dirs_pattern(postgrey_master_t,postgrey_spool_t,postgrey_spool_t) ++manage_files_pattern(postgrey_master_t,postgrey_spool_t,postgrey_spool_t) ++manage_fifo_files_pattern(postgrey_master_t,postgrey_spool_t,postgrey_spool_t) ++ + manage_files_pattern(postgrey_t,postgrey_var_lib_t,postgrey_var_lib_t) + files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file) + +@@ -68,6 +76,8 @@ fs_getattr_all_fs(postgrey_t) fs_search_auto_mountpoints(postgrey_t) @@ -12269,7 +12512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post libs_use_ld_so(postgrey_t) libs_use_shared_libs(postgrey_t) -@@ -75,13 +77,12 @@ +@@ -75,13 +85,12 @@ miscfiles_read_localization(postgrey_t) @@ -12386,7 +12629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.8/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2008-01-18 16:11:49.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2008-01-31 12:57:41.000000000 -0500 @@ -14,6 +14,10 @@ type procmail_tmp_t; files_tmp_file(procmail_tmp_t) 
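Review bot: The three new manage_dirs/files/fifo_files_pattern rules name `postgrey_master_t` as the subject, but no such type is declared: this module declares only postgrey_etc_t, postgrey_spool_t and postgrey_var_lib_t (shown in the preceding hunk), and the Postfix master domain in refpolicy is postfix_master_t, so the module will fail to build unless the type is declared somewhere outside this view. Since the spool lives under /var/spool/postfix/postgrey and the daemon that creates its socket there is postgrey itself, presumably the intended subject is `postgrey_t`, i.e. `manage_dirs_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)` and the two sibling lines; postgrey_t would then also need search on the postfix spool directory (via the postfix module's spool-search interface), which this hunk does not grant. Please confirm against the denial that prompted the change.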
@@ -12587,7 +12830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi corecmd_exec_shell(radiusd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.0.8/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/razor.if 2008-01-18 16:14:03.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/razor.if 2008-01-31 12:58:30.000000000 -0500 @@ -218,3 +218,41 @@ domtrans_pattern($1, razor_exec_t, razor_t) @@ -12628,8 +12871,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + files_search_home($2) + allow $2 $1_home_dir_t:dir search_dir_perms; + manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t) ++ read_lnk_files_pattern($2,$1_razor_home_t,$1_razor_home_t) +') -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.0.8/policy/modules/services/remotelogin.if --- nsaserefpolicy/policy/modules/services/remotelogin.if 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/remotelogin.if 2008-01-17 09:03:07.000000000 -0500 @@ -12884,7 +13127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2008-01-30 09:24:12.000000000 -0500 @@ -59,10 +59,14 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) 
@@ -12901,7 +13144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) -@@ -73,12 +77,21 @@ +@@ -73,12 +77,22 @@ # cjp: this should really have its own type files_manage_mounttab(rpcd_t) @@ -12920,10 +13163,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. +# automount -> mount -> rpcd +optional_policy(` + automount_dontaudit_use_fds(rpcd_t) ++ automount_dontaudit_write_pipes(rpcd_t) ') ######################################## -@@ -91,9 +104,15 @@ +@@ -91,9 +105,15 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; @@ -12939,7 +13183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -123,6 +142,7 @@ +@@ -123,6 +143,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) @@ -12947,7 +13191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') tunable_policy(`nfs_export_all_ro',` -@@ -143,6 +163,9 @@ +@@ -143,6 +164,9 @@ manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -12957,7 +13201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) -@@ -158,6 +181,9 @@ +@@ -158,6 +182,9 @@ miscfiles_read_certs(gssd_t) 
@@ -13324,7 +13568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2008-01-31 11:27:27.000000000 -0500 @@ -137,6 +137,11 @@ type winbind_var_run_t; files_pid_file(winbind_var_run_t) @@ -13431,7 +13675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -321,8 +321,6 @@ +@@ -321,12 +321,12 @@ miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) @@ -13440,7 +13684,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb userdom_dontaudit_search_sysadm_home_dirs(smbd_t) userdom_dontaudit_use_unpriv_user_fds(smbd_t) userdom_use_unpriv_users_fds(smbd_t) -@@ -347,6 +345,17 @@ + ++term_use_ptmx(smbd_t) ++ + ifdef(`hide_broken_symptoms', ` + files_dontaudit_getattr_default_dirs(smbd_t) + files_dontaudit_getattr_boot_dirs(smbd_t) +@@ -347,6 +347,17 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) @@ -13458,7 +13708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') optional_policy(` -@@ -398,7 +407,7 @@ +@@ -398,7 +409,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; 
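Review bot: `term_use_ptmx(smbd_t)` is added unconditionally to the smbd_t base policy, letting every smbd open /dev/ptmx and allocate pseudo-terminals, and neither the hunk nor the commit says which smbd feature needs a pty (presumably a script launched from an smb.conf exec hook; to be confirmed). Suggest a why-comment naming the trigger above the rule, e.g. `# ptmx: smbd allocates a pty for <feature> -- TODO confirm`, and if it is only needed for admin-configured hooks, gating it behind the same tunable that controls the unconfined-script path rather than granting it to every smbd.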
@@ -13467,7 +13717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -410,8 +419,7 @@ +@@ -410,8 +421,7 @@ read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) @@ -13477,7 +13727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) -@@ -421,6 +429,8 @@ +@@ -421,6 +431,8 @@ allow nmbd_t smbd_var_run_t:dir rw_dir_perms; @@ -13486,7 +13736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) kernel_read_kernel_sysctls(nmbd_t) -@@ -446,6 +456,7 @@ +@@ -446,6 +458,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -13494,7 +13744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -462,17 +473,11 @@ +@@ -462,17 +475,11 @@ miscfiles_read_localization(nmbd_t) @@ -13512,7 +13762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(nmbd_t) ') -@@ -506,6 +511,8 @@ +@@ -506,6 +513,8 @@ manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t) files_list_var_lib(smbmount_t) @@ -13521,7 +13771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_system_state(smbmount_t) corenet_all_recvfrom_unlabeled(smbmount_t) -@@ -533,6 +540,7 @@ +@@ -533,6 +542,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) 
@@ -13529,7 +13779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_list_bin(smbmount_t) -@@ -553,16 +561,11 @@ +@@ -553,16 +563,11 @@ logging_search_logs(smbmount_t) @@ -13548,7 +13798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -570,24 +573,28 @@ +@@ -570,24 +575,28 @@ # SWAT Local policy # @@ -13585,7 +13835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_var_run_t:file read; manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) -@@ -597,7 +604,11 @@ +@@ -597,7 +606,11 @@ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) @@ -13598,7 +13848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -622,23 +633,24 @@ +@@ -622,23 +635,24 @@ dev_read_urand(swat_t) @@ -13625,7 +13875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -652,13 +664,16 @@ +@@ -652,13 +666,16 @@ kerberos_use(swat_t) ') @@ -13648,7 +13898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # -@@ -672,7 +687,6 @@ +@@ -672,7 +689,6 @@ allow winbind_t self:fifo_file { read write }; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; 
@@ -13656,7 +13906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow winbind_t self:tcp_socket create_stream_socket_perms; allow winbind_t self:udp_socket create_socket_perms; -@@ -709,6 +723,8 @@ +@@ -709,6 +725,8 @@ manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t) files_pid_filetrans(winbind_t,winbind_var_run_t,file) @@ -13665,7 +13915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -733,7 +749,9 @@ +@@ -733,7 +751,9 @@ fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) @@ -13675,7 +13925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -746,9 +764,6 @@ +@@ -746,9 +766,6 @@ miscfiles_read_localization(winbind_t) @@ -13685,7 +13935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_dontaudit_search_sysadm_home_dirs(winbind_t) userdom_priveleged_home_dir_manager(winbind_t) -@@ -758,10 +773,6 @@ +@@ -758,10 +775,6 @@ ') optional_policy(` @@ -13696,7 +13946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(winbind_t) ') -@@ -784,6 +795,8 @@ +@@ -784,6 +797,8 @@ allow winbind_helper_t samba_var_t:dir search; files_list_var_lib(winbind_helper_t) @@ -13705,7 +13955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t) term_list_ptys(winbind_helper_t) -@@ -804,6 +817,7 @@ +@@ -804,6 +819,7 @@ optional_policy(` squid_read_log(winbind_helper_t) squid_append_log(winbind_helper_t) 
@@ -13713,7 +13963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -828,3 +842,37 @@ +@@ -828,3 +844,37 @@ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) ') ') @@ -14263,7 +14513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2008-01-18 16:13:02.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2008-01-31 12:58:08.000000000 -0500 @@ -286,6 +286,12 @@ userdom_manage_user_home_content_symlinks($1,spamd_t) ') @@ -14483,7 +14733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.8/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/squid.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/squid.te 2008-01-25 09:45:37.000000000 -0500 @@ -36,7 +36,7 @@ # Local policy # 
@@ -14502,7 +14752,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi # Grant permissions to create, access, and delete cache files. manage_dirs_pattern(squid_t,squid_cache_t,squid_cache_t) manage_files_pattern(squid_t,squid_cache_t,squid_cache_t) -@@ -92,10 +94,12 @@ +@@ -85,6 +87,7 @@ + corenet_udp_sendrecv_all_ports(squid_t) + corenet_tcp_bind_all_nodes(squid_t) + corenet_udp_bind_all_nodes(squid_t) ++corenet_tcp_bind_http_port(squid_t) + corenet_tcp_bind_http_cache_port(squid_t) + corenet_udp_bind_http_cache_port(squid_t) + corenet_tcp_bind_ftp_port(squid_t) +@@ -92,10 +95,12 @@ corenet_udp_bind_gopher_port(squid_t) corenet_tcp_bind_squid_port(squid_t) corenet_udp_bind_squid_port(squid_t) @@ -14515,7 +14773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi corenet_sendrecv_http_client_packets(squid_t) corenet_sendrecv_ftp_client_packets(squid_t) corenet_sendrecv_gopher_client_packets(squid_t) -@@ -109,6 +113,8 @@ +@@ -109,6 +114,8 @@ fs_getattr_all_fs(squid_t) fs_search_auto_mountpoints(squid_t) @@ -14524,7 +14782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi selinux_dontaudit_getattr_dir(squid_t) -@@ -137,9 +143,6 @@ +@@ -137,9 +144,6 @@ miscfiles_read_certs(squid_t) miscfiles_read_localization(squid_t) @@ -14534,7 +14792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_use_unpriv_user_fds(squid_t) userdom_dontaudit_search_sysadm_home_dirs(squid_t) -@@ -149,19 +152,7 @@ +@@ -149,19 +153,7 @@ ') optional_policy(` @@ -14555,7 +14813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi ') optional_policy(` -@@ -176,7 +167,12 @@ +@@ -176,7 +168,12 @@ udev_read_db(squid_t) ') 
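Review bot: `corenet_tcp_bind_http_port(squid_t)` lets every squid_t instance bind the http port, which only reverse-proxy/accelerator deployments need; the ordinary forward-proxy listener is already covered by the http_cache port rule on the next line. Consider putting the new rule inside a `tunable_policy` with its own boolean so the default policy does not hand the web port to the cache daemon. Binding a port below 1024 also requires net_bind_service in squid_t's capability set; the capability hunk at the top of squid.te (`@@ -36,7 +36,7 @@`) is not visible here, so please check it carries that capability or the grant is dead.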
@@ -15602,7 +15860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-01-24 13:40:36.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -15637,11 +15895,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Type for the executable used to start the X server, e.g. Xwrapper. type xserver_exec_t; corecmd_executable_file(xserver_exec_t) -@@ -96,7 +109,7 @@ +@@ -95,8 +108,8 @@ + # XDM Local policy # - allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; +-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; ++allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; +allow xdm_t self:process { setexec setpgid getsched ptrace setsched setrlimit signal_perms setkeycreate }; allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; 
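Review bot: xdm_t gains CAP_SYS_PTRACE (`sys_ptrace` in the capability set) but neither the hunk nor the commit message says which display-manager component needs to trace; because the `ptrace` permission on `self:process` already present on the next line targets only xdm_t itself, reachable processes stay within the domain, yet this is still the capability that lets a process read another's memory and it should carry a why-comment, e.g. `# sys_ptrace: <program> traces its own helpers -- TODO confirm`. If the access only surfaced as a denial on a crash/backtrace path, a `dontaudit` would be preferable to a grant.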
@@ -15929,7 +16189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2008-01-29 09:14:26.000000000 -0500 @@ -14,6 +14,7 @@ /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) @@ -15938,8 +16198,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') -@@ -40,3 +41,6 @@ +@@ -38,5 +39,9 @@ + /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) + /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) ++/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) +/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) @@ -15947,7 +16210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2008-01-21 14:40:36.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2008-01-31 13:45:27.000000000 -0500 @@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) 
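Review bot: `/var/run/pam_mount(/.*)?` is labeled pam_var_run_t, the same type as `/var/run/sudo` on the next line, so any domain already allowed to write pam_var_run_t (to create or clear sudo's timestamp files) can now also alter pam_mount's per-user mount records, and vice versa. If those two pieces of state should not be interchangeable, give pam_mount a distinct type (the hunk already keeps pam_ssh separate by labeling it var_auth_t), or add a comment stating that sharing sudo's type is intentional.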
@@ -16106,10 +16369,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -347,6 +408,37 @@ +@@ -347,6 +408,58 @@ ######################################## ## ++## Run unix_chkpwd to check a password. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_domtrans_chkpwd',` ++ gen_require(` ++ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ++ ') ++ ++ corecmd_search_sbin($1) ++ domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) ++ dontaudit $1 shadow_t:file { getattr read }; ++ auth_domtrans_upd_passwd($1) ++') ++ ++######################################## ++## +## Execute chkpwd programs in the chkpwd domain. +## +## @@ -16144,7 +16428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -695,6 +787,24 @@ +@@ -695,6 +808,24 @@ ######################################## ## @@ -16169,7 +16453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Execute pam programs in the PAM domain. ## ## -@@ -1318,16 +1428,14 @@ +@@ -1318,16 +1449,14 @@ ## # interface(`auth_use_nsswitch',` @@ -16189,7 +16473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo miscfiles_read_certs($1) sysnet_dns_name_resolve($1) -@@ -1347,6 +1455,8 @@ +@@ -1347,6 +1476,8 @@ optional_policy(` samba_stream_connect_winbind($1) @@ -16198,7 +16482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1381,3 +1491,181 @@ +@@ -1381,3 +1512,181 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') 
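Review bot: The new `auth_domtrans_chkpwd` interface, documented as "Run unix_chkpwd to check a password", also calls `auth_domtrans_upd_passwd($1)` on its last line, so every caller silently gets a transition into the password-update helper domain (presumably updpwd_t, which the authlogin.te hunk further down shows with files_manage_etc_files) in addition to system_chkpwd_t. Either drop that call and let callers that actually change passwords request it explicitly, or extend the summary to say so, e.g. `## Run unix_chkpwd in system_chkpwd_t to check a password; also allows the transition to the password-update helper domain.` The name is also a near-duplicate of the existing auth_domtrans_chk_passwd used elsewhere in this patch (for mailman_queue_t), and the description should state that this variant uses the shared system_chkpwd_t rather than a per-role $1_chkpwd_t domain. The dontaudit on `shadow_t:file { getattr read }` is fine for callers that merely probe, but deserves a comment saying it hides PAM's direct shadow read attempt.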
@@ -16382,7 +16666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2008-01-31 11:32:52.000000000 -0500 @@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; @@ -16500,7 +16784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # -@@ -302,3 +322,28 @@ +@@ -302,3 +322,29 @@ xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') @@ -16525,6 +16809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + +term_dontaudit_use_console(updpwd_t) +term_dontaudit_use_unallocated_ttys(updpwd_t) ++term_dontaudit_use_generic_ptys(updpwd_t) + +files_manage_etc_files(updpwd_t) +kernel_read_system_state(updpwd_t) 
@@ -17368,7 +17653,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.0.8/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/iscsi.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/iscsi.te 2008-01-29 09:44:14.000000000 -0500 +@@ -29,7 +29,7 @@ + # + + allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource }; +-allow iscsid_t self:process setsched; ++allow iscsid_t self:process { setrlimit setsched }; + allow iscsid_t self:fifo_file { read write }; + allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow iscsid_t self:unix_dgram_socket create_socket_perms; @@ -68,6 +68,8 @@ files_read_etc_files(iscsid_t) 
@@ -18442,12 +18736,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ################################# diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.0.8/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/mount.fc 2008-01-17 09:03:07.000000000 -0500 -@@ -1,4 +1,2 @@ ++++ serefpolicy-3.0.8/policy/modules/system/mount.fc 2008-01-29 09:05:35.000000000 -0500 +@@ -1,4 +1,4 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) - -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) ++/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) ++/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-10-22 13:21:40.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/mount.te 2008-01-17 09:03:07.000000000 -0500
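Review bot: `/sbin/mount.*` and `/sbin/umount.*` are unanchored regexes, so besides mount, umount and the mount.<fstype> helpers they also label any other regular file in /sbin whose name starts with mount/umount (a `mountpoint`-style utility, for instance) as mount_exec_t and send it through the mount_t transition. This mirrors the existing /bin lines, but if only the helpers are intended, `/sbin/u?mount(\.[^/]*)? -- gen_context(system_u:object_r:mount_exec_t,s0)` is more precise and could replace both new lines.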