From b27150e8f0b7942f604933c3c6524afd96ec9c0f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 09 2009 19:53:39 +0000 Subject: - Allow unconfined_t to send dbus messages to setroubleshoot --- diff --git a/booleans-minimum.conf b/booleans-minimum.conf index c1d1539..3b04196 100644 --- a/booleans-minimum.conf +++ b/booleans-minimum.conf @@ -1,4 +1,4 @@ -# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. + # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. # allow_execmem = false diff --git a/modules-minimum.conf b/modules-minimum.conf index 664a9c8..fe466ef 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -757,6 +757,13 @@ kdump = module kdumpgui = module # Layer: services +# Module: ksmtuned +# +# Kernel Samepage Merging (KSM) Tuning Daemon +# +ksmtuned = module + +# Layer: services # Module: kerberos # # MIT Kerberos admin and KDC @@ -1548,6 +1555,13 @@ sysstat = module # tcpd = module +# Layer: services +# Module: tgtd +# +# Linux Target Framework Daemon. +# +tgtd = module + # Layer: system # Module: udev # @@ -1583,7 +1597,6 @@ ulogd = module # vhostmd = module - # Layer: apps # Module: wine # diff --git a/modules-mls.conf b/modules-mls.conf index 39f3cb8..9eaf94a 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1372,6 +1372,13 @@ sysstat = module # tcpd = module +# Layer: services +# Module: tgtd +# +# Linux Target Framework Daemon. +# +tgtd = module + # Layer: system # Module: udev # diff --git a/modules-targeted.conf b/modules-targeted.conf index 664a9c8..fe466ef 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -757,6 +757,13 @@ kdump = module kdumpgui = module # Layer: services +# Module: ksmtuned +# +# Kernel Samepage Merging (KSM) Tuning Daemon +# +ksmtuned = module + +# Layer: services # Module: kerberos # # MIT Kerberos admin and KDC 
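Review bot: The modules-mls.conf hunk adds only the tgtd stanza, while the modules-minimum.conf and modules-targeted.conf hunks in this same commit add both `ksmtuned = module` and `tgtd = module`. If ksmtuned is deliberately kept out of the MLS policy, the commit message should say so; otherwise the ksmtuned stanza belongs here as well. Note that both new modules declare their domains `permissive` in their .te files (ksmtuned.te and tgtd.te further down in the patch), so enabling them here turns on log-only domains, not enforced ones.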
@@ -1548,6 +1555,13 @@ sysstat = module # tcpd = module +# Layer: services +# Module: tgtd +# +# Linux Target Framework Daemon. +# +tgtd = module + # Layer: system # Module: udev # @@ -1583,7 +1597,6 @@ ulogd = module # vhostmd = module - # Layer: apps # Module: wine # diff --git a/policy-F12.patch b/policy-F12.patch index f13ab3d..f6f90cd 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -5539,7 +5539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.32/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/screen.if 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/screen.if 2009-12-07 17:38:21.000000000 -0500 @@ -45,6 +45,7 @@ allow $1_screen_t self:capability { setuid setgid fsetid }; @@ -5568,6 +5568,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch($1_screen_t) auth_dontaudit_read_shadow($1_screen_t) auth_dontaudit_exec_utempter($1_screen_t) +@@ -134,6 +141,7 @@ + userdom_create_user_pty($1_screen_t) + userdom_user_home_domtrans($1_screen_t, $3) + userdom_setattr_user_ptys($1_screen_t) ++ userdom_setattr_user_ttys($1_screen_t) + + tunable_policy(`use_samba_home_dirs',` + fs_cifs_domtrans($1_screen_t, $3) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.6.32/policy/modules/apps/sectoolm.fc --- nsaserefpolicy/policy/modules/apps/sectoolm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/apps/sectoolm.fc 2009-12-03 13:45:10.000000000 -0500 
@@ -6011,7 +6019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.32/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/wine.te 2009-12-09 14:46:30.000000000 -0500 @@ -9,20 +9,46 @@ type wine_t; type wine_exec_t; @@ -6054,7 +6062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +optional_policy(` -+ unconfined_domain_noaudit(wine_t) ++ unconfined_domain(wine_t) +') + +optional_policy(` @@ -6225,7 +6233,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-12-09 09:43:30.000000000 -0500 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; 
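Review bot: The change from `unconfined_domain_noaudit(wine_t)` to `unconfined_domain(wine_t)` in the wine.te optional_policy block is not mentioned in the commit subject and carries no inline explanation. wine_t stays fully unconfined either way; if the non-noaudit variant additionally supplies the boolean-gated execmem/execstack grants (as in refpolicy's unconfined.if — please confirm), that is presumably the motivation. A comment such as `# wine needs execmem/execstack; unconfined_domain grants them via the allow_exec* booleans` above the call would record it.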
@@ -6253,7 +6261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(dccm, tcp,5679,s0, udp,5679,s0) -network_port(dhcpc, udp,68,s0) -network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) -+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,547,s0, tcp, 547,s0) ++network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,547,s0, tcp, 547,s0) +network_port(dhcpd, udp,67,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -8973,7 +8981,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.32/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2009-12-06 09:58:03.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/roles/sysadm.te 2009-12-09 08:30:14.000000000 -0500 @@ -15,7 +15,7 @@ role sysadm_r; @@ -9089,16 +9097,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_run(sysadm_t, sysadm_r) ') -@@ -205,6 +171,8 @@ +@@ -205,6 +171,9 @@ ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) + ipsec_run_setkey(sysadm_t, sysadm_r) + ipsec_run_racoon(sysadm_t, sysadm_r) ++ ipsec_stream_connect_racoon(sysadm_t) ') optional_policy(` -@@ -212,11 +180,7 @@ +@@ -212,11 +181,7 @@ ') optional_policy(` @@ -9111,7 +9120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -228,10 +192,6 @@ +@@ -228,10 +193,6 @@ ') optional_policy(` 
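Review bot: The rewritten dhcpc line adds udp/tcp 546 but keeps 547 on the client side; under the IANA assignments 546 is dhcpv6-client and 547 is dhcpv6-server, so 547 would normally sit with dhcpd, and the 548 on the dhcpd line (already in the patch, shown as context here) is afpovertcp rather than a DHCP port. If dhclient genuinely must bind 547 as well, say so with a comment above the pair such as `# 546/547 are the DHCPv6 client/server ports; dhclient binds both — confirm`; otherwise move 547 to dhcpd and drop 548. The new entries also use the spacing `tcp, 546,s0` where the surrounding lines (dccm, dict, distccd) write `tcp,5679,s0` without a space.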
@@ -9122,7 +9131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logrotate_run(sysadm_t, sysadm_r) ') -@@ -255,14 +215,6 @@ +@@ -255,14 +216,6 @@ ') optional_policy(` @@ -9137,7 +9146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mta_role(sysadm_r, sysadm_t) ') -@@ -290,11 +242,6 @@ +@@ -290,11 +243,6 @@ ') optional_policy(` @@ -9149,7 +9158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pcmcia_run_cardctl(sysadm_t, sysadm_r) ') -@@ -308,7 +255,7 @@ +@@ -308,7 +256,7 @@ ') optional_policy(` @@ -9158,7 +9167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -320,10 +267,6 @@ +@@ -320,10 +268,6 @@ ') optional_policy(` @@ -9169,7 +9178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_domtrans_nfsd(sysadm_t) ') -@@ -332,10 +275,6 @@ +@@ -332,10 +276,6 @@ ') optional_policy(` @@ -9180,7 +9189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rsync_exec(sysadm_t) ') -@@ -345,10 +284,6 @@ +@@ -345,10 +285,6 @@ ') optional_policy(` @@ -9191,7 +9200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol secadm_role_change(sysadm_r) ') -@@ -358,35 +293,15 @@ +@@ -358,35 +294,15 @@ ') optional_policy(` @@ -9227,7 +9236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -394,18 +309,10 @@ +@@ -394,18 +310,10 @@ ') optional_policy(` @@ -9246,7 +9255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(sysadm_t) ') -@@ -418,17 +325,13 @@ +@@ -418,17 +326,13 @@ ') optional_policy(` 
@@ -9265,7 +9274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -440,13 +343,16 @@ +@@ -440,13 +344,16 @@ ') optional_policy(` @@ -9299,7 +9308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if 2009-12-03 13:45:10.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.if 2009-12-08 16:42:21.000000000 -0500 @@ -0,0 +1,667 @@ +## Unconfiend user role + @@ -9970,8 +9979,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-06 10:20:50.000000000 -0500 -@@ -0,0 +1,444 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-12-09 10:12:44.000000000 -0500 +@@ -0,0 +1,449 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -10136,11 +10145,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + setroubleshoot_dbus_chat(unconfined_usertype) ++ setroubleshoot_dbus_chat_fixit(unconfined_t) + ') + + optional_policy(` + sandbox_transition(unconfined_usertype, unconfined_r) + ') ++ ++ optional_policy(` ++ xserver_rw_shm(unconfined_usertype) ++ xserver_run_xauth(unconfined_usertype, unconfined_r) ++ ') +') + +ifdef(`distro_gentoo',` 
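Review bot: `setroubleshoot_dbus_chat_fixit(unconfined_t)` targets only unconfined_t while the line directly above it in the same optional_policy block, `setroubleshoot_dbus_chat(unconfined_usertype)`, and every other call in this region use the unconfined_usertype attribute; if the narrower scope is deliberate, mark it with `# fixit daemon: only unconfined_t, not every unconfined_usertype domain`. The new `xserver_rw_shm(unconfined_usertype)` / `xserver_run_xauth(unconfined_usertype, unconfined_r)` block is moved here from unconfined_t (the @@ -10340 hunk deletes the unconfined_t versions), so these grants now reach every domain carrying the attribute — a widening the subject line does not mention and which deserves a sentence in the commit message. The enclosing block these lines sit in begins outside the hunk.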
@@ -10340,8 +10355,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + xserver_run(unconfined_t, unconfined_r) -+ xserver_rw_shm(unconfined_t) -+ xserver_run_xauth(unconfined_t, unconfined_r) +') + +######################################## @@ -10399,6 +10412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +allow unconfined_notrans_t self:process { execstack execmem }; +unconfined_domain_noaudit(unconfined_notrans_t) ++userdom_unpriv_usertype(unconfined, unconfined_notrans_t) +domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) +# Allow SELinux aware applications to request rpm_script execution +rpm_transition_script(unconfined_notrans_t) @@ -11288,7 +11302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-12-04 08:24:12.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-12-09 09:34:01.000000000 -0500 @@ -1,12 +1,16 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
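Review bot: The new `userdom_unpriv_usertype(unconfined, unconfined_notrans_t)` line has no comment, and its effect is not obvious next to `unconfined_domain_noaudit(unconfined_notrans_t)`. If the interface adds its second argument to the `unconfined_usertype` attribute as it does in refpolicy (please confirm), every rule written on unconfined_usertype elsewhere in unconfineduser.te — including the setroubleshoot and xserver grants added in the @@ -10136 hunk — now also covers unconfined_notrans_t. Suggest `# make unconfined_notrans_t an unconfined_usertype so attribute-based rules apply to it too` above the call.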
@@ -11323,12 +11337,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -32,12 +39,22 @@ +@@ -32,21 +39,36 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') +/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
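Review bot: The new `/usr/share/mythweb(/.*)?` directory rule is placed before the existing `/usr/share/mythweb/mythweb\.pl` script rule, which is the required order if file-context lookup resolves to the last matching regex entry (setfiles/matchpathcon behaviour — confirm), but nothing in the file records that the two lines depend on their order. A comment above the pair, `# keep the mythweb\.pl entry after the directory rule so the script label wins`, would protect it from a later alphabetical reshuffle.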
@@ -11342,11 +11357,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +-/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) - /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -46,7 +63,9 @@ + /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) + /var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -11356,7 +11375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -50,13 +69,17 @@ +@@ -50,13 +72,17 @@ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) 
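Review bot: `/var/cache/mod_.*` already matches mod_gnutls, mod_ssl and everything beneath them, and `/var/cache/php-.*` likewise covers php-eaccelerator and php-mmcache, so the `/var/cache/mod_gnutls(/.*)?` entry added in this same hunk is redundant and the hunk is inconsistent in removing mod_proxy while leaving mod_ssl and the php-* entries. Either keep only the two broad regexes (with a comment `# one rule for every mod_*/php-* cache dir`) or keep only the explicit per-module entries; since all of them label as httpd_cache_t there is no labeling conflict, only clutter.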
@@ -11374,7 +11393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ') -@@ -64,11 +87,32 @@ +@@ -64,11 +90,32 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -12016,7 +12035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-12-07 16:00:19.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-12-09 08:13:29.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -12926,7 +12945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-12-07 15:03:47.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2009-12-09 08:14:01.000000000 -0500 @@ -34,6 +34,8 @@ type asterisk_var_run_t; files_pid_file(asterisk_var_run_t) 
@@ -12941,7 +12960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow asterisk_t self:capability { dac_override setgid setuid sys_nice }; dontaudit asterisk_t self:capability sys_tty_config; -allow asterisk_t self:process { setsched signal_perms }; -+allow asterisk_t self:process { setsched signal_perms getcap setcap }; ++allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; allow asterisk_t self:fifo_file rw_fifo_file_perms; allow asterisk_t self:sem create_sem_perms; allow asterisk_t self:shm create_shm_perms; @@ -12964,7 +12983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(asterisk_t) corenet_all_recvfrom_netlabel(asterisk_t) -@@ -97,6 +103,7 @@ +@@ -97,16 +103,19 @@ corenet_udp_bind_generic_node(asterisk_t) corenet_tcp_bind_asterisk_port(asterisk_t) corenet_udp_bind_asterisk_port(asterisk_t) @@ -12972,7 +12991,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_asterisk_server_packets(asterisk_t) # for VOIP voice channels. corenet_tcp_bind_generic_port(asterisk_t) -@@ -107,6 +114,7 @@ + corenet_udp_bind_generic_port(asterisk_t) + corenet_dontaudit_udp_bind_all_ports(asterisk_t) + corenet_sendrecv_generic_server_packets(asterisk_t) ++corenet_tcp_connect_postgresql_port(asterisk_t) + dev_read_sysfs(asterisk_t) dev_read_sound(asterisk_t) dev_write_sound(asterisk_t) @@ -12980,7 +13003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(asterisk_t) -@@ -119,17 +127,17 @@ +@@ -119,17 +128,17 @@ fs_getattr_all_fs(asterisk_t) fs_search_auto_mountpoints(asterisk_t) 
@@ -13001,14 +13024,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -140,7 +148,3 @@ - udev_read_db(asterisk_t) +@@ -137,10 +146,10 @@ + ') + + optional_policy(` +- udev_read_db(asterisk_t) ++ postgresql_stream_connect(asterisk_t) ') -ifdef(`TODO',` -allow initrc_t asterisk_var_run_t:fifo_file unlink; -allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms }; --') ++optional_policy(` ++ udev_read_db(asterisk_t) + ') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.32/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/automount.te 2009-12-03 13:45:11.000000000 -0500 
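Review bot: The new udev optional_policy block is followed by a bare added line (`++`), which leaves a trailing blank line at the end of asterisk.te; drop it for consistency with the other .te files in the patch. Reusing the old udev block for `postgresql_stream_connect(asterisk_t)` and opening a fresh block for `udev_read_db(asterisk_t)` correctly keeps each optional_policy tied to one module, but nothing explains why a VoIP daemon now gets database access (here and the unconditional `corenet_tcp_connect_postgresql_port(asterisk_t)` in the @@ -12964 hunk); a comment such as `# realtime config / CDR storage may live in postgresql — confirm` above the block would do.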
@@ -13327,6 +13357,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms', ` corecmd_dontaudit_write_bin_dirs(ccs_t) files_manage_isid_type_files(ccs_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.32/policy/modules/services/certmaster.fc +--- nsaserefpolicy/policy/modules/services/certmaster.fc 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/certmaster.fc 2009-12-09 09:13:51.000000000 -0500 +@@ -3,5 +3,8 @@ + + /usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) + ++/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0) ++ + /var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) ++ + /var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.32/policy/modules/services/certmaster.te --- nsaserefpolicy/policy/modules/services/certmaster.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/certmaster.te 2009-12-03 13:45:11.000000000 -0500 @@ -14926,7 +14968,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.32/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2009-12-03 14:49:31.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2009-12-09 09:03:35.000000000 -0500 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; 
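Review bot: The new `/var/lib/certmaster(/.*)?` entry labels with `certmaster_var_lib_t`, but the certmaster.te diff that follows (its hunk body lies outside this one) shows no declaration of that type or any rule letting certmaster_t manage it; if the type is not declared elsewhere in the patch, the module will fail to build or load because the .fc references an undefined type. certmaster.te needs the `type certmaster_var_lib_t;` / `files_type(certmaster_var_lib_t)` pair plus a manage pattern for certmaster_t, and the .fc line would benefit from a short comment naming what the daemon keeps there (presumably issued certificates and pending requests — confirm).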
@@ -15009,18 +15051,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -190,6 +201,10 @@ - files_search_pids($1) - stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) - dbus_read_config($1) -+ -+ optional_policy(` -+ rpm_script_dbus_chat($1) -+ ') - ') - - ####################################### -@@ -256,7 +271,7 @@ +@@ -256,7 +267,7 @@ ######################################## ## @@ -15029,16 +15060,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## for service (acquire_svc). ## ## -@@ -364,6 +379,8 @@ +@@ -364,6 +375,16 @@ dbus_system_bus_client($1) dbus_connect_system_bus($1) + userdom_dontaudit_search_admin_dir($1) + ++ optional_policy(` ++ rpm_script_dbus_chat($1) ++ ') ++ ++ optional_policy(` ++ unconfined_dbus_send($1) ++ ') ++ ifdef(`hide_broken_symptoms', ` dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') -@@ -405,3 +422,24 @@ +@@ -405,3 +426,24 @@ typeattribute $1 dbusd_unconfined; ') 
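Review bot: The new `unconfined_dbus_send($1)` block is added to an interface body, so it applies to every domain declared through that interface, not just setroubleshoot as the commit subject suggests; the interface's header is outside the hunk, but its body calls `dbus_system_bus_client($1)` and `dbus_connect_system_bus($1)`, so this looks like the system-domain template (confirm). That is a blanket change to which services accept messages from unconfined_t and deserves both a commit-message sentence and a comment such as `# every system dbus service may be driven by unconfined_t`. Likewise `rpm_script_dbus_chat($1)` is removed from the client interface in this hunk and re-added in the next, which narrows it from all system-bus clients to callers of this interface; if that narrowing is intended, say so.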
@@ -16684,6 +16723,145 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow kerneloops_t self:fifo_file rw_file_perms; manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.6.32/policy/modules/services/ksmtuned.fc +--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.fc 2009-12-09 12:13:54.000000000 -0500 +@@ -0,0 +1,5 @@ ++/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) ++ ++/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) ++ ++/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.6.32/policy/modules/services/ksmtuned.if +--- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.if 2009-12-09 12:16:41.000000000 -0500 +@@ -0,0 +1,76 @@ ++ ++## policy for Kernel Samepage Merging (KSM) Tuning Daemon ++ ++######################################## ++## ++## Execute a domain transition to run ksmtuned. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ksmtuned_domtrans',` ++ gen_require(` ++ type ksmtuned_t, ksmtuned_exec_t; ++ ') ++ ++ domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t) ++') ++ ++ ++######################################## ++## ++## Execute ksmtuned server in the ksmtuned domain. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`ksmtuned_initrc_domtrans',` ++ gen_require(` ++ type ksmtuned_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ksmtuned environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`ksmtuned_admin',` ++ gen_require(` ++ type ksmtuned_t, ksmtuned_var_run_t; ++ type ksmtuned_initrc_exec_t; ++ ') ++ ++ allow $1 ksmtuned_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, ksmtuned_t, ksmtuned_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, ksmtuned_var_run_t) ++ ++ # Allow ksmtuned_t to restart the apache service ++ ksmtuned_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 ksmtuned_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.6.32/policy/modules/services/ksmtuned.te +--- nsaserefpolicy/policy/modules/services/ksmtuned.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.te 2009-12-09 12:17:04.000000000 -0500 +@@ -0,0 +1,46 @@ ++policy_module(ksmtuned,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ksmtuned_t; ++type ksmtuned_exec_t; ++init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) ++ ++permissive ksmtuned_t; ++ ++type ksmtuned_initrc_exec_t; ++init_script_file(ksmtuned_initrc_exec_t) ++ ++type ksmtuned_var_run_t; ++files_pid_file(ksmtuned_var_run_t) ++ ++######################################## ++# ++# ksmtuned local policy ++# ++allow ksmtuned_t self:capability sys_ptrace; ++ ++# Init script handling ++domain_use_interactive_fds(ksmtuned_t) ++ ++# internal communication is often done using fifo and unix sockets. 
++allow ksmtuned_t self:fifo_file rw_file_perms; ++allow ksmtuned_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) ++files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) ++ ++kernel_read_system_state(ksmtuned_t) ++ ++dev_rw_sysfs(ksmtuned_t) ++ ++domain_read_all_domains_state(ksmtuned_t) ++ ++corecmd_exec_bin(ksmtuned_t) ++ ++files_read_etc_files(ksmtuned_t) ++ ++miscfiles_read_localization(ksmtuned_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.32/policy/modules/services/ktalk.te --- nsaserefpolicy/policy/modules/services/ktalk.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/ktalk.te 2009-12-03 13:45:11.000000000 -0500 @@ -18704,9 +18882,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.6.32/policy/modules/services/oddjob.te --- nsaserefpolicy/policy/modules/services/oddjob.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/oddjob.te 2009-12-03 13:45:11.000000000 -0500 -@@ -101,7 +101,5 @@ ++++ serefpolicy-3.6.32/policy/modules/services/oddjob.te 2009-12-09 09:46:22.000000000 -0500 +@@ -99,9 +99,8 @@ + seutil_read_default_contexts(oddjob_mkhomedir_t) + # Add/remove user home directories ++userdom_manage_user_home_dirs(oddjob_mkhomedir_t) userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) -userdom_manage_user_home_content_files(oddjob_mkhomedir_t) 
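Review bot: ksmtuned.fc labels `/var/run/ksmtune\.pid` as `ntpd_var_run_t`, but ksmtuned.te declares `ksmtuned_var_run_t` and uses `files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)`, so the on-disk label and the runtime transition disagree and a relabel would hand ksmtuned's pid file to the ntpd type; the line should read `/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)`. In ksmtuned.if the ksmtuned_admin comment `# Allow ksmtuned_t to restart the apache service` is left over from the apache template and should say `# Allow $1 to restart the ksmtuned service`. ksmtuned.te declares `permissive ksmtuned_t;` and grants `sys_ptrace` plus `domain_read_all_domains_state`, so denials in this new domain are only logged; a `# TODO: drop permissive once the domain has been exercised` beside it would keep that from being forgotten. The `self:fifo_file rw_file_perms` line is more conventionally `rw_fifo_file_perms`, as asterisk.te in this same patch writes it. This hunk begins two listing lines earlier, at the kerneloops context.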
@@ -19377,7 +19558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-12-06 09:57:32.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2009-12-09 09:05:31.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # @@ -22893,7 +23074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if 2009-12-03 13:52:03.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if 2009-12-08 16:40:01.000000000 -0500 @@ -16,8 +16,8 @@ ') @@ -23033,7 +23214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2009-12-09 09:06:40.000000000 -0500 
@@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -23095,7 +23276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,23 +113,76 @@ +@@ -94,23 +113,77 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -23173,6 +23354,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + policykit_dbus_chat(setroubleshoot_fixit_t) ++ userdom_read_all_users_state(setroubleshoot_fixit_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.32/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-09-16 10:01:19.000000000 -0400 
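Review bot: `userdom_read_all_users_state(setroubleshoot_fixit_t)` is placed inside the optional_policy block that exists for `policykit_dbus_chat(setroubleshoot_fixit_t)`; userdom belongs to the base system layer, so the grant does not depend on policykit being present, and wrapping it there both hides the dependency and silently drops the rule if policykit is ever disabled. Move it out of the block alongside the other unconditional setroubleshoot_fixit_t rules. A comment such as `# fixit reads user process state to report on the processes it is repairing — confirm` would also explain why a fix-up helper needs to read every user's /proc.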
@@ -24642,6 +24824,118 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) +/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.fc serefpolicy-3.6.32/policy/modules/services/tgtd.fc +--- nsaserefpolicy/policy/modules/services/tgtd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/tgtd.fc 2009-12-09 11:49:22.000000000 -0500 +@@ -0,0 +1,3 @@ ++/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) ++/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) ++/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.6.32/policy/modules/services/tgtd.if +--- nsaserefpolicy/policy/modules/services/tgtd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/tgtd.if 2009-12-09 11:49:22.000000000 -0500 +@@ -0,0 +1,28 @@ ++## Linux Target Framework Daemon. ++## ++##

++## Linux target framework (tgt) aims to simplify various ++## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation ++## and maintenance. Our key goals are the clean integration into ++## the scsi-mid layer and implementing a great portion of tgt ++## in user space. ++##

++##
++ ++##################################### ++## ++## Allow read and write access to tgtd semaphores. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tgtd_rw_semaphores',` ++ gen_require(` ++ type tgtd_t; ++ ') ++ ++ allow $1 tgtd_t:sem { rw_sem_perms }; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.6.32/policy/modules/services/tgtd.te +--- nsaserefpolicy/policy/modules/services/tgtd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/tgtd.te 2009-12-09 11:50:43.000000000 -0500 +@@ -0,0 +1,69 @@ ++ ++policy_module(tgtd, 1.0.0) ++ ++######################################## ++# ++# TGTD personal declarations. ++# ++ ++type tgtd_t; ++type tgtd_exec_t; ++init_daemon_domain(tgtd_t, tgtd_exec_t) ++ ++permissive tgtd_t; ++ ++type tgtd_initrc_exec_t; ++init_script_file(tgtd_initrc_exec_t) ++ ++type tgtd_tmp_t; ++files_tmp_file(tgtd_tmp_t) ++ ++type tgtd_tmpfs_t; ++files_tmpfs_file(tgtd_tmpfs_t) ++ ++type tgtd_var_lib_t; ++files_type(tgtd_var_lib_t) ++ ++######################################## ++# ++# TGTD personal policy. 
++# ++ ++allow tgtd_t self:capability sys_resource; ++allow tgtd_t self:process { setrlimit signal }; ++allow tgtd_t self:fifo_file rw_fifo_file_perms; ++allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read }; ++allow tgtd_t self:shm create_shm_perms; ++allow tgtd_t self:sem create_sem_perms; ++allow tgtd_t self:tcp_socket create_stream_socket_perms; ++allow tgtd_t self:udp_socket create_socket_perms; ++allow tgtd_t self:unix_dgram_socket create_socket_perms; ++ ++manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t) ++files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file }) ++ ++manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t) ++fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file) ++ ++manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) ++manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) ++files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) ++ ++kernel_read_fs_sysctls(tgtd_t) ++ ++corenet_all_recvfrom_netlabel(tgtd_t) ++corenet_all_recvfrom_unlabeled(tgtd_t) ++corenet_tcp_sendrecv_generic_if(tgtd_t) ++corenet_tcp_sendrecv_generic_node(tgtd_t) ++corenet_tcp_sendrecv_iscsi_port(tgtd_t) ++corenet_tcp_bind_generic_node(tgtd_t) ++corenet_tcp_bind_iscsi_port(tgtd_t) ++corenet_sendrecv_iscsi_server_packets(tgtd_t) ++ ++files_read_etc_files(tgtd_t) ++ ++storage_getattr_fixed_disk_dev(tgtd_t) ++ ++logging_send_syslog_msg(tgtd_t) ++ ++miscfiles_read_localization(tgtd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.6.32/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/tor.te 2009-12-06 11:07:48.000000000 -0500 
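Review bot: `permissive tgtd_t;` in the new tgtd.te makes the whole domain audit-only — denials are logged but never enforced — and nothing in the file marks this as a temporary state for a new module. A comment on that line, e.g. `permissive tgtd_t; # new domain: audit-only until the policy has been exercised, remove before shipping as confined`, plus a tracking item to drop it, would keep it from surviving unnoticed into releases. Separately, `storage_getattr_fixed_disk_dev(tgtd_t)` grants only getattr; if tgtd is expected to export block devices as LUNs it will need read/write on them, which will appear only as audit messages while the domain is permissive, so that decision belongs before the permissive line is removed.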
@@ -24942,8 +25236,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.6.32/policy/modules/services/vhostmd.if --- nsaserefpolicy/policy/modules/services/vhostmd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/vhostmd.if 2009-12-06 11:17:52.000000000 -0500 -@@ -0,0 +1,191 @@ ++++ serefpolicy-3.6.32/policy/modules/services/vhostmd.if 2009-12-09 12:30:31.000000000 -0500 +@@ -0,0 +1,228 @@ + +## policy for vhostmd + @@ -25099,6 +25393,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) +') + ++######################################## ++## ++## Connect to vhostmd over an unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vhostmd_stream_connect',` ++ gen_require(` ++ type vhostmd_t, vhostmd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t) ++') ++ ++####################################### ++## ++## Dontaudit read and write to vhostmd ++## over an unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vhostmd_dontaudit_rw_stream_connect',` ++ gen_require(` ++ type vhostmd_t; ++ ') ++ ++ dontaudit $1 vhostmd_t:unix_stream_socket { read write }; ++') + +######################################## +## 
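Review bot: `vhostmd_dontaudit_rw_stream_connect` does not dontaudit a connect: its body is `dontaudit $1 vhostmd_t:unix_stream_socket { read write };`, i.e. it silences read/write on the daemon's socket, while the sibling `vhostmd_stream_connect` is what grants `connectto` through `stream_connect_pattern`. A name that matches the rule, such as `vhostmd_dontaudit_rw_stream_socket`, would avoid callers assuming it covers a failed connect; if the name is kept, the summary should at least say that only read/write is silenced. The rest of vhostmd.if is outside the hunk.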
@@ -25137,8 +25468,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.6.32/policy/modules/services/vhostmd.te --- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/vhostmd.te 2009-12-06 11:17:52.000000000 -0500 -@@ -0,0 +1,79 @@ ++++ serefpolicy-3.6.32/policy/modules/services/vhostmd.te 2009-12-09 13:28:25.000000000 -0500 +@@ -0,0 +1,87 @@ + +policy_module(vhostmd,1.0.0) + @@ -25167,12 +25498,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# vhostmd local policy +# + -+allow vhostmd_t self:capability { setuid setgid }; ++allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; +allow vhostmd_t self:process { setsched getsched }; + +# internal communication is often done using fifo and unix sockets. +allow vhostmd_t self:fifo_file rw_file_perms; -+allow vhostmd_t self:unix_stream_socket create_stream_socket_perms; ++allow vhostmd_t self:unix_stream_socket { create_stream_socket_perms connectto}; + +manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) +manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) @@ -25187,6 +25518,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +kernel_read_system_state(vhostmd_t) +kernel_read_network_state(vhostmd_t) ++kernel_write_xen_state(vhostmd_t) ++ ++corenet_tcp_connect_soundd_port(vhostmd_t) + +files_read_etc_files(vhostmd_t) +files_read_usr_files(vhostmd_t) @@ -25198,6 +25532,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +logging_send_syslog_msg(vhostmd_t) + ++libs_use_ld_so(vhostmd_t) ++libs_use_shared_libs(vhostmd_t) ++ +miscfiles_read_localization(vhostmd_t) + +optional_policy(` 
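Review bot: `dac_override` and `ipc_lock` are added to vhostmd_t's capability set alongside the existing `setuid setgid` with no comment on what triggered them. `dac_override` lets the daemon bypass DAC permission checks on every path its type rules already allow, so the usual fix is correcting the ownership or mode of the file that produced the denial rather than granting the capability; if it really is needed, the denial should be cited, e.g. `# dac_override: needed for <operation> — TODO confirm still required`. `ipc_lock` is plausible for a daemon that pins memory, but the same comment applies. The domain's declarations start outside the hunk.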
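Review bot: `corenet_tcp_connect_soundd_port(vhostmd_t)` grants a host-metrics daemon an outbound connection to the soundd port set, which reads as a port-number overlap rather than intent; presumably vhostmd's TCP transport is configured on a port that corenetwork labels soundd_port_t (8000 is in that set, as far as I recall). If so, a comment naming the real peer, `# vhostmd transport port falls in soundd_port_t — TODO confirm port, consider a dedicated port type`, would stop a later cleanup from removing the rule as a mistake. `kernel_write_xen_state(vhostmd_t)` in the same hunk is likewise unexplained and deserves a one-line reason.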
@@ -25216,6 +25553,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + xen_domtrans_xm(vhostmd_t) + xen_stream_connect(vhostmd_t) ++ xen_stream_connect_xenstore(vhostmd_t) ++ xen_stream_connect_xm(vhostmd_t) +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.32/policy/modules/services/virt.fc @@ -26901,7 +27240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-03 13:53:23.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-12-09 11:40:19.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -27040,7 +27379,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -250,25 +269,33 @@ +@@ -236,6 +255,7 @@ + fs_search_auto_mountpoints(iceauth_t) + + userdom_use_user_terminals(iceauth_t) ++userdom_read_user_tmp_files(iceauth_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(iceauth_t) +@@ -250,25 +270,33 @@ # Xauth local policy # @@ -27078,7 +27425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -278,6 +305,12 @@ +@@ -278,6 +306,12 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) @@ -27091,7 +27438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_xdm_tmp_files(xauth_t) -@@ -289,6 +322,16 @@ +@@ -289,6 +323,16 @@ fs_manage_cifs_files(xauth_t) ') 
@@ -27108,7 +27455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -300,20 +343,31 @@ +@@ -300,20 +344,31 @@ # XDM Local policy # @@ -27143,7 +27490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,26 +379,43 @@ +@@ -325,26 +380,43 @@ # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) @@ -27194,7 +27541,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +429,7 @@ +@@ -358,6 +430,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -27202,7 +27549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,10 +438,14 @@ +@@ -366,10 +439,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -27218,7 +27565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -389,11 +465,13 @@ +@@ -389,11 +466,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -27232,7 +27579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +479,7 @@ +@@ -401,6 +480,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) 
@@ -27240,7 +27587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +492,17 @@ +@@ -413,14 +493,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -27260,12 +27607,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +513,13 @@ +@@ -431,9 +514,15 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) +files_dontaudit_getattr_boot_dirs(xdm_t) +files_dontaudit_write_usr_files(xdm_t) ++files_dontaudit_getattr_all_dirs(xdm_t) ++files_dontaudit_getattr_all_symlinks(xdm_t) fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) @@ -27274,7 +27623,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +528,7 @@ +@@ -442,6 +531,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -27282,7 +27631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +537,7 @@ +@@ -450,6 +540,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -27290,7 +27639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +548,12 @@ +@@ -460,10 +551,12 @@ logging_read_generic_logs(xdm_t) 
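Review bot: `files_dontaudit_getattr_all_dirs(xdm_t)` and `files_dontaudit_getattr_all_symlinks(xdm_t)` suppress denials against every directory and symlink type in the policy, which also hides the getattr denials that would point at a mislabeled path when xdm is debugged later. A comment on what walks the tree, e.g. `# the display manager scans the filesystem (TODO: confirm which component); silence the getattr noise`, would let a future reader judge whether a narrower dontaudit interface suffices. The xdm_t policy section starts and ends outside the hunk.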
@@ -27305,7 +27654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,6 +562,10 @@ +@@ -472,6 +565,10 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -27316,7 +27665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,10 +598,12 @@ +@@ -504,10 +601,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -27329,7 +27678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +611,47 @@ +@@ -515,12 +614,47 @@ ') optional_policy(` @@ -27377,7 +27726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -535,6 +666,7 @@ +@@ -535,6 +669,7 @@ optional_policy(` # Do not audit attempts to check whether user root has email mta_dontaudit_getattr_spool_files(xdm_t) @@ -27385,7 +27734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -542,6 +674,38 @@ +@@ -542,6 +677,38 @@ ') optional_policy(` @@ -27424,7 +27773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +714,9 @@ +@@ -550,8 +717,9 @@ ') optional_policy(` @@ -27436,7 +27785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +725,6 @@ +@@ -560,7 +728,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -27444,7 +27793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +735,10 @@ +@@ -571,6 +738,10 @@ ') optional_policy(` 
@@ -27455,7 +27804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,10 +755,9 @@ +@@ -587,10 +758,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -27467,7 +27816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -602,9 +769,12 @@ +@@ -602,9 +772,12 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -27480,7 +27829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +786,14 @@ +@@ -616,13 +789,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -27496,7 +27845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +806,19 @@ +@@ -635,9 +809,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -27516,7 +27865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -671,7 +852,6 @@ +@@ -671,7 +855,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -27524,7 +27873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -681,9 +861,12 @@ +@@ -681,9 +864,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -27538,7 +27887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -698,8 +881,12 @@ +@@ -698,8 +884,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -27551,7 +27900,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -721,6 +908,7 @@ +@@ -721,6 +911,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -27559,7 +27908,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -743,7 +931,7 @@ +@@ -743,7 +934,7 @@ ') ifdef(`enable_mls',` @@ -27568,7 +27917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -775,12 +963,20 @@ +@@ -775,12 +966,20 @@ ') optional_policy(` @@ -27590,7 +27939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -807,12 +1003,12 @@ +@@ -807,12 +1006,12 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; 
@@ -27607,7 +27956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read; -@@ -828,9 +1024,14 @@ +@@ -828,9 +1027,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -27622,7 +27971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -845,11 +1046,14 @@ +@@ -845,11 +1049,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -27638,7 +27987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -882,6 +1086,8 @@ +@@ -882,6 +1089,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -27647,7 +27996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -906,6 +1112,8 @@ +@@ -906,6 +1115,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -27656,7 +28005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -973,17 +1181,49 @@ +@@ -973,17 +1184,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -29129,8 +29478,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.32/policy/modules/system/ipsec.if --- nsaserefpolicy/policy/modules/system/ipsec.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/ipsec.if 2009-12-03 13:45:11.000000000 -0500 -@@ -229,3 +229,28 @@ ++++ serefpolicy-3.6.32/policy/modules/system/ipsec.if 2009-12-09 08:32:17.000000000 -0500 +@@ -39,6 +39,26 @@ + + ######################################## + ## ++## Connect to racoon using a unix domain stream socket. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`ipsec_stream_connect_racoon',` ++ gen_require(` ++ type racoon_t, ipsec_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t) ++') ++ ++ ++######################################## ++## + ## Get the attributes of an IPSEC key socket. + ## + ## +@@ -229,3 +249,28 @@ ipsec_domtrans_setkey($1) role $2 types setkey_t; ') @@ -29614,7 +29990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2009-12-09 11:50:12.000000000 -0500 @@ -55,6 +55,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) 
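Review bot: the new `ipsec_stream_connect_racoon` is followed by two blank `+` lines before the next `####` header; one of them should go so the file keeps its single-blank-line separation. The parameter summary reads `The type of the process performing this action.` while the other interfaces added in this patch (tgtd.if, vhostmd.if, xen.if) use `Domain allowed access.`; aligning the wording keeps the generated interface documentation consistent. The rest of ipsec.if is outside the hunk.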
@@ -29623,7 +29999,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) -@@ -68,11 +69,12 @@ +@@ -68,11 +69,16 @@ dev_rw_sysfs(iscsid_t) domain_use_interactive_fds(iscsid_t) @@ -29633,11 +30009,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(iscsid_t) --miscfiles_read_localization(iscsid_t) +auth_use_nsswitch(iscsid_t) ++ + miscfiles_read_localization(iscsid_t) -sysnet_dns_name_resolve(iscsid_t) -+miscfiles_read_localization(iscsid_t) ++optional_policy(` ++ tgtd_rw_semaphores(iscsid_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.6.32/policy/modules/system/kdump.te --- nsaserefpolicy/policy/modules/system/kdump.te 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/system/kdump.te 2009-12-03 13:45:11.000000000 -0500 @@ -33459,7 +33838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-03 17:55:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-12-09 09:27:20.000000000 -0500 @@ -30,8 +30,9 @@ ') 
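Review bot: `tgtd_rw_semaphores(iscsid_t)` gives the iSCSI initiator daemon read/write on the target daemon's SysV semaphores, a cross-domain IPC grant with no comment on what requires it. It is correctly wrapped in `optional_policy`, so it only takes effect when the tgtd module is loaded, but a note such as `# iscsid and a local tgtd appear to share a semaphore — TODO cite the denial` would document the reason for the next maintainer. The earlier rules for iscsid_t are outside the hunk.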
@@ -35939,7 +36318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.32/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/xen.if 2009-12-03 13:45:11.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/xen.if 2009-12-09 13:27:42.000000000 -0500 @@ -71,6 +71,8 @@ ') @@ -35949,7 +36328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t) ') -@@ -167,11 +169,14 @@ +@@ -167,11 +169,33 @@ # interface(`xen_stream_connect',` gen_require(` @@ -35962,10 +36341,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + files_search_var_lib($1) + stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t) ++') ++ ++######################################## ++## ++## Connect to xm over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xen_stream_connect_xm',` ++ gen_require(` ++ type xm_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t) ') ######################################## -@@ -191,3 +196,24 @@ +@@ -191,3 +215,24 @@ domtrans_pattern($1, xm_exec_t, xm_t) ') 
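Review bot: `xen_stream_connect_xm` references `xenstored_var_run_t` in its `stream_connect_pattern` call but its `gen_require` only lists `type xm_t;`, so a caller that does not otherwise pull that type in expands to a reference to an undeclared type and the module build should fail; vhostmd.te in this patch probably gets away with it only because it also calls `xen_stream_connect_xenstore`. Change the require to `type xm_t, xenstored_var_run_t;`. It is also worth confirming that xm's socket really lives under the xenstored pid directory, since the interface name says xm and the path type says xenstored. The rest of xen.if is outside the hunk.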
@@ -35992,7 +36390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2009-12-06 11:17:52.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/xen.te 2009-12-09 12:33:06.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # @@ -36219,7 +36617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_runtime_files(xm_t) files_read_usr_files(xm_t) -@@ -339,15 +392,74 @@ +@@ -339,15 +392,76 @@ storage_raw_read_fixed_disk(xm_t) @@ -36243,7 +36641,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_stream_connect_xenstore(xm_t) + +optional_policy(` -+ vhostmd_rw_tmpfs_files(xm_t) ++ vhostmd_rw_tmpfs_files(xm_t) ++ vhostmd_stream_connect(xm_t) ++ vhostmd_dontaudit_rw_stream_connect(xm_t) +') + +optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 68e5148..7c4e142 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 56%{?dist} +Release: 57%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,9 @@ exit 0 %endif %changelog +* Wed Dec 9 2009 Dan Walsh 3.6.32-57 +- Allow unconfined_t to send dbus messages to setroubleshoot + * Mon Dec 7 2009 Dan Walsh 3.6.32-56 - Dontaudit exec of fusermount from xguest - Allow licrd to use mouse_device